RFC Errata
Found 10 records.
Status: Verified (8)
RFC 4757, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", December 2006
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 1372
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Kevin Coffman
Date Reported: 2008-03-14
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// Generate checksum of message -
// SGN_CKSUM + Token.Confounder
// Key derivation salt = 15
Sgn_Cksum = MD5((int32)15, Token.Header,
                Token.Confounder);
It should say:
// Generate checksum of message -
// SGN_CKSUM + Token.Confounder
// Key derivation salt = 13
Sgn_Cksum = MD5((int32)13, Token.Header,
                Token.Confounder);
Notes:
The final RFC appears to have a cut-and-paste typo regarding the salt value used when generating the checksum for a WRAP token. The value used for a MIC token is 15; the value used for a WRAP token is 13.
Love Hörnquist Åstrand <lha@kth.se> pointed out that an earlier draft shows the values actually in use:
http://tools.ietf.org/html/draft-brezak-win2k-krb-rc4-hmac-02
Errata ID: 1646
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Luke Howard
Date Reported: 2008-12-29
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.2, 7.3 says:
Kseq = HMAC(Kss, "fortybits", (int32)0);
// len includes terminating null
memset(Kseq+7, 0xab, 7)
It should say:
Kseq = HMAC(Kss, "fortybits", (int32)0);
// len includes terminating null
memset(Kseq+7, 0xab, 9)
Notes:
Applies to both Section 7.2 and 7.3; confirmed by Larry Zhu.
Errata ID: 1674
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-28
Section 7.3 says:
if (encrypt)
    RC4(Kcrypt, Token.Confounder);
// Sum the data buffer
Sgn_Cksum += MD5(data); // Append to checksum
// Encrypt the data (if encrypting)
if (encrypt)
    RC4(Kcrypt, data);
It should say:
// Sum the data buffer
Sgn_Cksum += MD5(data); // Append to checksum
// Encrypt the Confounder + data (if encrypting)
tmp=concat(Token.Confounder,data);
if (encrypt)
    RC4(Kcrypt, tmp); /* tmp=Confounder + data */
memcpy(Token.Confounder,tmp,8);
memcpy(data,tmp+8,(tmp.len-8));
Notes:
1. Verified RC4 encryption and decryption on (Token.Confounder + data) with the Kcrypt key.
2. Verified RC4(K, x+y) != RC4(K, x); RC4(K, y).
3. Reporting this issue after Larry's feedback.
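Added example (not part of RFC 4757 or of the errata record): a small C program illustrating item 2 of the notes to Errata 1674, comparing two separate RC4 calls against one pass over Confounder + data. It assumes each RC4() call in the published pseudocode restarts the keystream from Kcrypt; the key, confounder and payload are constructed sample values, and wrap(), readings_differ() and keystream_reused() are illustrative names.

```c
#include <stdint.h>
#include <string.h>

/* Textbook RC4: key schedule, then XOR the keystream over buf in place. */
static void rc4(const uint8_t *key, size_t klen, uint8_t *buf, size_t len) {
    uint8_t S[256], t;
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        t = S[i]; S[i] = S[j]; S[j] = t;
        buf[n] ^= S[(S[i] + S[j]) & 0xff];
    }
}
/* Constructed sample values, not taken from the RFC or from a real token. */
static const uint8_t KCRYPT[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static const uint8_t CONF[8] = {0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7};
static const uint8_t DATA[16] = "sample payload!";   /* 15 chars + NUL */

/* out = Confounder || data. one_pass=0: two RC4() calls as in the published
 * text (assumed to restart the keystream each time); 1: Errata 1674. */
static void wrap(int one_pass, uint8_t out[24]) {
    memcpy(out, CONF, 8);
    memcpy(out + 8, DATA, 16);
    if (one_pass) { rc4(KCRYPT, 16, out, 24); return; }
    rc4(KCRYPT, 16, out, 8);
    rc4(KCRYPT, 16, out + 8, 16);
}
/* 1 if the two readings yield different data ciphertext (no interop). */
int readings_differ(void) {
    uint8_t a[24], b[24];
    wrap(0, a);
    wrap(1, b);
    return memcmp(a + 8, b + 8, 16) != 0;
}
/* 1 if the confounder and the first 8 data octets got the same keystream,
 * seen as ct_conf ^ ct_data == CONF ^ DATA over those octets. */
int keystream_reused(int one_pass) {
    uint8_t ct[24];
    wrap(one_pass, ct);
    for (int k = 0; k < 8; k++)
        if ((ct[k] ^ ct[8 + k]) != (CONF[k] ^ DATA[k])) return 0;
    return 1;
}
int main(void) {   /* exit status 0 when all three observations hold */
    return !(readings_differ() && keystream_reused(0) && !keystream_reused(1));
}
```

Under that assumption the two readings do not interoperate, and only the single pass gives the confounder and the data distinct keystream octets.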
Errata ID: 1675
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// Create the sequence number
if (direction == sender_is_initiator)
{
    memset(&Token.SEND_SEQ[4], 0xff, 4)
}
else if (direction == sender_is_acceptor)
{
    memset(&Token.SEND_SEQ[4], 0, 4)
}
It should say:
// Create the sequence number
if (direction == sender_is_initiator)
{
    memset(&Token.SEND_SEQ[4], 0, 4)
}
else if (direction == sender_is_acceptor)
{
    memset(&Token.SEND_SEQ[4], 0xff, 4)
}
Notes:
SEND_SEQ values are interchanged.
Errata ID: 2562
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Michiko Short
Date Reported: 2010-10-13
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 3 says:
9. TGS-REP encrypted part (includes application session key),
   encrypted with the TGS authenticator subkey (T=8)
It should say:
9. TGS-REP encrypted part (includes application session key),
   encrypted with the TGS authenticator subkey (T=9)
Notes:
Typo
Errata ID: 2628
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Matthias Schertler
Date Reported: 2010-11-12
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 5 says:
nonce (edata.Confounder, 8);
memcpy (edata.Data, data);
edata.Checksum = HMAC (K2, edata);
It should say:
nonce (edata.Confounder, 8);
memcpy (edata.Data, data);
edata.Checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
Errata ID: 1647
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.2 and 7.3 says:
In 7.2:
if (exportable)
{
    Kseq = HMAC(Kss, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kseq+7, 0xab, 7)
}
In 7.3:
if (exportable)
{
    Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kcrypt+7, 0xab, 7);
}
Again in 7.3:
if (exportable)
{
    Kseq = HMAC(Kss, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kseq+7, 0xab, 7)
}
It should say:
In 7.2:
if (export)
{
    Kseq = HMAC(Kss, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kseq+7, 0xab, 7)
}
In 7.3:
if (export)
{
    Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kcrypt+7, 0xab, 7);
}
Again in 7.3:
if (export)
{
    Kseq = HMAC(Kss, "fortybits", (int32)0);
    // len includes terminating null
    memset(Kseq+7, 0xab, 7)
}
Notes:
Misnamed "export" argument. Larry Zhu confirmed this issue.
Sean Turner adds (as pointed out by Magnus Nystrom) that there were actually three exportable/export replacements needed: 1 in Section 7.2 and two in Section 7.3.
Errata ID: 1651
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-10
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// new encryption key salted with seq
Kcrypt = HMAC(Kcrypt, (int32)seq);
It should say:
// new encryption key salted with seq
Kcrypt = HMAC(Kcrypt, (int32)seq_num);
Notes:
Misnamed "seq" argument in HMAC function.
Status: Rejected (2)
RFC 4757, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", December 2006
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 1648
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Rejected by: Sean Turner
Date Rejected: 2011-06-28
Section 7.3 says:
Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
// len includes terminating null
Kseq = HMAC(Kss, "fortybits", (int32)0);
// len includes terminating null
It should say:
Kcrypt = HMAC(Klocal,(int32)0, "fortybits");
// len includes terminating null
Kseq = HMAC(Kss, (int32)0,"fortybits");
// len includes terminating null
Notes:
Larry Zhu confirmed this issue. Misordered arguments in HMAC function.
--VERIFIER NOTES--
I checked with Magnus Nystrom. He said their implementation is equal to the RFC.
Errata ID: 2067
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Michiko Short
Date Reported: 2010-03-05
Rejected by: Sean Turner
Date Rejected: 2011-06-28
Section 7.3 says:
// Encrypt the data (if encrypting)
if (encrypt)
    RC4(Kcrypt, data);
// Save first 8 octets of HMAC Sgn_Cksum
Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
It should say:
// Encrypt the data (if encrypting)
if (encrypt)
    RC4(Kcrypt, data);
// Sum the padding buffer
Sgn_Cksum += MD5(padding);
// Encrypt the padding (if encrypting)
if (padding)
    RC4(Kcrypt, padding);
// Save first 8 octets of HMAC Sgn_Cksum
Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
Notes:
WRAP missing padding
--VERIFIER NOTES--
Turns out padding is already included in data, so Errata 1674, which I just approved, covers this. I verified this with Magnus Nystrom.
