Found 10 records.

Status: Verified (8)

RFC4757, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", December 2006

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 1372

Status: Verified
Type: Technical

Reported By: Kevin Coffman
Date Reported: 2008-03-14
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 7.3 says:

 // Generate checksum of message -
 //  SGN_CKSUM + Token.Confounder
 //   Key derivation salt = 15

 Sgn_Cksum = MD5((int32)15, Token.Header,
                Token.Confounder);


It should say:

 // Generate checksum of message -
 //  SGN_CKSUM + Token.Confounder
 //   Key derivation salt = 13

 Sgn_Cksum = MD5((int32)13, Token.Header,
                Token.Confounder);


Notes:

The final RFC appears to have a cut-and-paste typo regarding the salt value used when generating the checksum for a WRAP token. The value used for a MIC token is 15; the value used for a WRAP token is 13.

Love Hörnquist Åstrand <lha@kth.se> pointed out that an earlier draft shows the values actually in use:

http://tools.ietf.org/html/draft-brezak-win2k-krb-rc4-hmac-02


Errata ID: 1646

Status: Verified
Type: Technical

Reported By: Luke Howard
Date Reported: 2008-12-29
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 7.2 and 7.3 says:

                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                        // len includes terminating null
                           memset(Kseq+7, 0xab, 7)

It should say:

                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                        // len includes terminating null
                           memset(Kseq+7, 0xab, 9)

Notes:

Applies both to section 7.2 and 7.3, confirmed by Larry Zhu.


Errata ID: 1674

Status: Verified
Type: Technical

Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-28

Section 7.3 says:

                   if (encrypt)
                           RC4(Kcrypt, Token.Confounder);

                   // Sum the data buffer

                   Sgn_Cksum += MD5(data);         // Append to checksum

                   // Encrypt the data (if encrypting)

                   if (encrypt)
                           RC4(Kcrypt, data);


It should say:

                   // Sum the data buffer

                   Sgn_Cksum += MD5(data);         // Append to checksum

                   // Encrypt the  Confounder + data (if encrypting)

                   tmp=concat(Token.Confounder,data);

                   if (encrypt)
                           RC4(Kcrypt, tmp); /* tmp=Confounder + data */
               
                   memcpy(Token.Confounder,tmp,8);

                   memcpy(data,tmp+8,(tmp.len-8));             

Notes:

1. Verified RC4 Encryption and Decryption on (Token.Confounder+Data) with Kcrypt key.
2. Verified RC4(K,x+y) != RC4(K,x);RC4(K,y)
3. Reporting this issue after Larry's feedback.
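
The difference erratum 1674 corrects, as an added example that is not part of RFC 4757 or of the errata report. It assumes each `RC4(K, buf)` call in the pseudocode re-initialises the cipher from `K`; the key, confounder and payload are constructed sample values.

```python
# Added example (not from RFC 4757 or the errata reports).
# Assumption: each RC4(K, buf) call in the pseudocode re-initialises the
# cipher from K, which is the reading under which note 2 holds.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wrap_encrypt_original(kcrypt, confounder, data):
    """Original Section 7.3 text: two separate RC4 calls."""
    return rc4(kcrypt, confounder), rc4(kcrypt, data)

def wrap_encrypt_corrected(kcrypt, confounder, data):
    """Erratum 1674: one RC4 pass over Confounder + data, split at 8."""
    tmp = rc4(kcrypt, confounder + data)
    return tmp[:8], tmp[8:]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not real Kerberos key material.
KCRYPT = bytes(range(16))
CONFOUNDER = bytes.fromhex("0102030405060708")
DATA = b"constructed wrap payload"

def demo():
    c_old, d_old = wrap_encrypt_original(KCRYPT, CONFOUNDER, DATA)
    c_new, d_new = wrap_encrypt_corrected(KCRYPT, CONFOUNDER, DATA)
    return {
        "confounder_ct_same": c_old == c_new,   # keystream bytes 0..7 in both
        "data_ct_same": d_old == d_new,         # keystream offset differs by 8
        "keystream_reused": xor(c_old, d_old[:8]) == xor(CONFOUNDER, DATA[:8]),
        "roundtrip": rc4(KCRYPT, c_new + d_new) == CONFOUNDER + DATA,
    }

if __name__ == "__main__":
    print(demo())
```

Under the stated assumption, the two-call form encrypts the confounder and the first 8 octets of data with the same keystream bytes, so their ciphertexts XOR to the XOR of the plaintexts; the single pass over Confounder + data avoids that and is what a peer following the corrected text will decrypt.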


Errata ID: 1675

Status: Verified
Type: Technical

Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 7.3 says:

                 // Create the sequence number

                   if (direction == sender_is_initiator)
                   {
                           memset(&Token.SEND_SEQ[4], 0xff, 4)
                   }
                   else if (direction == sender_is_acceptor)
                   {
                           memset(&Token.SEND_SEQ[4], 0, 4)
                   }


It should say:

                 // Create the sequence number

                   if (direction == sender_is_initiator)
                   {
                           memset(&Token.SEND_SEQ[4], 0, 4)
                   }
                   else if (direction == sender_is_acceptor)
                   {
                           memset(&Token.SEND_SEQ[4], 0xff, 4)
                   }

Notes:

SEND_SEQ values are interchanged.


Errata ID: 2562

Status: Verified
Type: Technical

Reported By: Michiko Short
Date Reported: 2010-10-13
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 3 says:

9.  TGS-REP encrypted part (includes application session key),
          encrypted with the TGS authenticator subkey (T=8)


It should say:

9.  TGS-REP encrypted part (includes application session key),
          encrypted with the TGS authenticator subkey (T=9)


Notes:

Typo


Errata ID: 2628

Status: Verified
Type: Technical

Reported By: Matthias Schertler
Date Reported: 2010-11-12
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 5 says:

nonce (edata.Confounder, 8);
memcpy (edata.Data, data);
edata.Checksum = HMAC (K2, edata);

It should say:

nonce (edata.Confounder, 8);
memcpy (edata.Data, data);
edata.Checksum = HMAC (K2, concat(edata.Confounder, edata.Data));

Errata ID: 1647

Status: Verified
Type: Editorial

Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 7.2 and 7.3 says:

In 7.2:

if (exportable)
                   {
                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                        // len includes terminating null
                           memset(Kseq+7, 0xab, 7)
                   }

In 7.3:
 
if (exportable)
                   {

                           Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
                                       // len includes terminating null
                           memset(Kcrypt+7, 0xab, 7);
                   }

Again in 7.3:

if (exportable)
                   {
                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                       // len includes terminating null
                           memset(Kseq+7, 0xab, 7)
                   }

It should say:

In 7.2:

if (export)
                   {
                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                        // len includes terminating null
                           memset(Kseq+7, 0xab, 7)
                   }

In 7.3:
 
if (export)
                   {

                           Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
                                       // len includes terminating null
                           memset(Kcrypt+7, 0xab, 7);
                   }

Again in 7.3:

if (export)
                   {
                           Kseq = HMAC(Kss, "fortybits", (int32)0);
                                       // len includes terminating null
                           memset(Kseq+7, 0xab, 7)
                   }

Notes:

Misnamed "export" argument. Larry Zhu confirmed this issue.

Sean Turner adds (as pointed out by Magnus Nystrom) that there were actually three exportable/export replacements needed: one in Section 7.2 and two in Section 7.3.


Errata ID: 1651

Status: Verified
Type: Editorial

Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-10
Verifier Name: Sean Turner
Date Verified: 2011-06-01

Section 7.3 says:

// new encryption key salted with seq
  Kcrypt = HMAC(Kcrypt, (int32)seq);



It should say:

// new encryption key salted with seq
  Kcrypt = HMAC(Kcrypt, (int32)seq_num);

Notes:

Misnamed "seq" argument in HMAC function.


Status: Rejected (2)

Errata ID: 1648

Status: Rejected
Type: Technical

Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Rejected by: Sean Turner
Date Rejected: 2011-06-28

Section 7.3 says:

Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
// len includes terminating null

Kseq = HMAC(Kss, "fortybits", (int32)0);
// len includes terminating null

It should say:

Kcrypt = HMAC(Klocal,(int32)0, "fortybits");
// len includes terminating null

Kseq = HMAC(Kss, (int32)0,"fortybits");
// len includes terminating null

Notes:

Larry Zhu confirmed this issue. Misordered arguments in HMAC function.
--VERIFIER NOTES--
I checked with Magnus Nystrom. He said their implementation is equal to the RFC.


Errata ID: 2067

Status: Rejected
Type: Technical

Reported By: Michiko Short
Date Reported: 2010-03-05
Rejected by: Sean Turner
Date Rejected: 2011-06-28

Section 7.3 says:

// Encrypt the data (if encrypting)

                   if (encrypt)
                           RC4(Kcrypt, data);

                   // Save first 8 octets of HMAC Sgn_Cksum

                   Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
                   memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);

It should say:

// Encrypt the data (if encrypting)

                   if (encrypt)
                           RC4(Kcrypt, data);

                    // Sum the padding buffer
 
                   Sgn_Cksum += MD5(padding);

                   // Encrypt the padding (if encrypting)

                   if (padding)
                           RC4(Kcrypt, padding);

                  // Save first 8 octets of HMAC Sgn_Cksum

                   Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
                   memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);

Notes:

WRAP missing padding
--VERIFIER NOTES--
Turns out padding is already included in data, so Errata 1674, which I just approved, covers this. I verified this with Magnus Nystrom.

