[13] RFR 8226719: Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"

Weijun Wang weijun.wang at oracle.com
Wed Jul 3 01:34:48 UTC 2019


More justification from https://tools.ietf.org/html/rfc3961#section-6.1:

  6.1.  Unkeyed Checksums

   These checksum types use no encryption keys and thus can be used in
   combination with any encryption type, but they may only be used with
   caution, in limited circumstances where the lack of a key does not
   provide a window for an attack, preferably as part of an encrypted
   message [6].  Keyed checksum algorithms are recommended.

Here the PA_REQ_ENC_PA_REP is a part of an encrypted message EncKDCRepPart.

Thanks,
Max



> On Jul 2, 2019, at 11:13 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> Please take a review at
> 
> http://cr.openjdk.java.net/~weijun/8226719/webrev.00/
> 
> This happens when authenticating to a Windows 2000 Server using DES encryption type. The PA_REQ_ENC_PA_REP in the reply is using RsaMd5CksumType but it is treated unsafe and rejected.
> 
> Here, unsafe means un-keyed. While it's unsafe to use it as a standalone checksum but in this case the PA_REQ_ENC_PA_REP is embedded inside EncKDCRepPart which is already encrypted. Therefore an attacker will not be able to modify it without knowing the key. (Please note that when a keyed checksum is used, the key is exactly the same as the one used to encrypt the EncKDCRepPart field).
> 
> This fix added a new method verifyAnyChecksum() that can verify both a keyed and an un-keyed checksum. The method is currently only used by the PA_REQ_ENC_PA_REP verification.
> 
> Noreg-hard. Only reproducible when accessing a Windows 2000 Server, which is exactly how our internal SQE test caught it.
> 
> Thanks,
> Max
> 
> 
> 



More information about the security-dev mailing list