RFC Errata
Found 10 records.
Status: Verified (8)
RFC 4757, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", December 2006
Note: This RFC has been updated by RFC 6649
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 1372
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Kevin Coffman
Date Reported: 2008-03-14
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// Generate checksum of message - // SGN_CKSUM + Token.Confounder // Key derivation salt = 15 Sgn_Cksum = MD5((int32)15, Token.Header, Token.Confounder);
It should say:
// Generate checksum of message - // SGN_CKSUM + Token.Confounder // Key derivation salt = 13 Sgn_Cksum = MD5((int32)13, Token.Header, Token.Confounder);
Notes:
The final RFC appears to have cut-and-paste typo regarding the salt value used when generating the checksum for a WRAP token. The value used for a MIC token is 15, the value used for a WRAP token is 13.
Love Hörnquist Åstrand <lha@kth.se> pointed out that an earlier draft shows the values actually in use:
http://tools.ietf.org/html/draft-brezak-win2k-krb-rc4-hmac-02
Errata ID: 1646
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Luke Howard
Date Reported: 2008-12-29
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.2 7.3 says:
Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 7)
It should say:
Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 9)
Notes:
applies both to section 7.2 and 7.3, confirmed by Larry Zhu
Errata ID: 1674
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-28
Section 7.3 says:
if (encrypt) RC4(Kcrypt, Token.Confounder); // Sum the data buffer Sgn_Cksum += MD5(data); // Append to checksum // Encrypt the data (if encrypting) if (encrypt) RC4(Kcrypt, data);
It should say:
// Sum the data buffer Sgn_Cksum += MD5(data); // Append to checksum // Encrypt the Confounder + data (if encrypting) tmp=concat(Token.Confounder,data); if (encrypt) RC4(Kcrypt, tmp); /* tmp=Confounder + data */ memcpy(Token.Confounder,tmp,8); memcpy(data,tmp+8,(tmp.len-8));
Notes:
Notes : 1.Verified RC4 Encryption and Decryption on (Token.Confounder+Data) with Kcrypt key .
2.Verified RC4(K,x+y) !=RC4(K,x);RC4(K,y)
3.Reporting this issue after Larry's Feedback.
Errata ID: 1675
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-30
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// Create the sequence number if (direction == sender_is_initiator) { memset(&Token.SEND_SEQ[4], 0xff, 4) } else if (direction == sender_is_acceptor) { memset(&Token.SEND_SEQ[4], 0, 4) }
It should say:
// Create the sequence number if (direction == sender_is_initiator) { memset(&Token.SEND_SEQ[4], 0, 4) } else if (direction == sender_is_acceptor) { memset(&Token.SEND_SEQ[4], 0xff, 4) }
Notes:
SEND_SEQ values are interchanged .
Errata ID: 2562
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Michiko Short
Date Reported: 2010-10-13
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 3 says:
9. TGS-REP encrypted part (includes application session key), encrypted with the TGS authenticator subkey (T=8)
It should say:
9. TGS-REP encrypted part (includes application session key), encrypted with the TGS authenticator subkey (T=9)
Notes:
Typo
Errata ID: 2628
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Matthias Schertler
Date Reported: 2010-11-12
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 5 says:
nonce (edata.Confounder, 8); memcpy (edata.Data, data); edata.Checksum = HMAC (K2, edata);
It should say:
nonce (edata.Confounder, 8); memcpy (edata.Data, data); edata.Checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
Errata ID: 1647
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.2 and 7.3 says:
In 7.2: if (exportable) { Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 7) } In 7.3: if (exportable) { Kcrypt = HMAC(Klocal, "fortybits", (int32)0); // len includes terminating null memset(Kcrypt+7, 0xab, 7); } Again in 7.3: if (exportable) { Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 7) }
It should say:
In 7.2: if (export) { Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 7) } In 7.3: if (export) { Kcrypt = HMAC(Klocal, "fortybits", (int32)0); // len includes terminating null memset(Kcrypt+7, 0xab, 7); } Again in 7.3: if (export) { Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null memset(Kseq+7, 0xab, 7) }
Notes:
misnamed "export" argument . Larry Zhu confirmed this issue
Sean Turner add (as pointed out by Magnus Nystrom) that there were actually three exportable/export replacements needed: 1 in Section 7.2 and two in Section 7.3.
Errata ID: 1651
Status: Verified
Type: Editorial
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2009-01-10
Verifier Name: Sean Turner
Date Verified: 2011-06-01
Section 7.3 says:
// new encryption key salted with seq Kcrypt = HMAC(Kcrypt, (int32)seq);
It should say:
// new encryption key salted with seq Kcrypt = HMAC(Kcrypt, (int32)seq_num);
Notes:
misnamed "seq" argument in HMAC function .
Status: Rejected (2)
RFC 4757, "The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows", December 2006
Note: This RFC has been updated by RFC 6649
Source of RFC: IETF - NON WORKING GROUPArea Assignment: sec
Errata ID: 1648
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Ganga Mahesh Siddem
Date Reported: 2008-12-31
Rejected by: Sean Turner
Date Rejected: 2011-06-28
Section 7.3 says:
Kcrypt = HMAC(Klocal, "fortybits", (int32)0); // len includes terminating null Kseq = HMAC(Kss, "fortybits", (int32)0); // len includes terminating null
It should say:
Kcrypt = HMAC(Klocal,(int32)0, "fortybits"); // len includes terminating null Kseq = HMAC(Kss, (int32)0,"fortybits"); // len includes terminating null
Notes:
Larry Zhu confirmed this issue.Misordered arguments in HMAC function.
--VERIFIER NOTES--
I checked with Magnus Nystrom. He said their implementation is equal to the RFC.
Errata ID: 2067
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Michiko Short
Date Reported: 2010-03-05
Rejected by: Sean Turner
Date Rejected: 2011-06-28
Section 7.3 says:
// Encrypt the data (if encrypting) if (encrypt) RC4(Kcrypt, data); // Save first 8 octets of HMAC Sgn_Cksum Sgn_Cksum = HMAC(Ksign, Sgn_Cksum); memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
It should say:
// Encrypt the data (if encrypting) if (encrypt) RC4(Kcrypt, data); // Sum the padding buffer Sgn_Cksum += MD5(padding); // Encrypt the padding (if encrypting) if (padding) RC4(Kcrypt, padding); // Save first 8 octets of HMAC Sgn_Cksum Sgn_Cksum = HMAC(Ksign, Sgn_Cksum); memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
Notes:
WRAP missing padding
--VERIFIER NOTES--
Turns out padding is already included in data, so Errata 1674, which I just approved, covers this. I verified this with Magnus Nystrom.