code review request: 7030180: AES 128/256 decrypt exception
Weijun Wang
weijun.wang at oracle.com
Fri Apr 1 04:38:07 UTC 2011
Hi Valerie
http://cr.openjdk.java.net/~weijun/7030180/webrev.00/
A bug in MIT krb5 1.8 triggers this exception (read evaluation below).
They will fix it in 1.8.4 and 1.9. At the mean time, we can check both
the session key and the subkey on the acceptor side.
I think this does not deserve a backport to 6u releases. Your opinion?
Thanks
Max
-------- Original Message --------
*Change Request ID*: 7030180
*Synopsis*: AES 128/256 decrypt exception
=== *Description*
============================================================
I tried to use SPNEGO.
When I use DES3 It works for a principal. When I try to use AES 128/256
It crashes.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Checksum failed)
at
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
....
=== *Evaluation*
=============================================================
The customer is using krb5 1.8 on the client side. There is a known
issue that KRB-CRED inside AP-REQ is encrypted with the authenticator
subkey instead of the ticket session key:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6768&user=guest&pass=guest
At the same time, we can try both the session key and the sub key in
Java, this is also what MIT and Heimdal have done for years.
More information about the security-dev
mailing list