Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: David Walker <>
- To: "Capehart,Jeffrey D" <>
- Cc: InCommon AD Assurance Group <>
- Subject: [AD-Assurance] Re: FYI on alt-means RC4-hmac
- Date: Thu, 22 Aug 2013 21:50:55 -0700
Jeff,
Yes, I'm pretty sure it should be RC4; I've changed the document. (Eric, do you concur?)
FYI, I won't be in tomorrow's call, as I'm on vacation. Hopefully, I'll return to find you guys have resolved everything without me.
David
On Thu, 2013-08-22 at 19:54 +0000, Capehart,Jeffrey D wrote:
David,
Under risks, you have “Microsoft's implementation of Kerberos uses the MD4-HMAC encryption algorithm…”
Should that be RC4? The MD4 algorithm is used with the NT hash (one way function) which I suppose is technically related since I recall that the actual Kerberos key is generated using the String2Key of the plain text password doing the MD4 of the Unicode of that plaintext. It is basically the same as the Windows NT key as used in NTLM / NTLMv2. And then, per the Kerberos protocol, the timestamp, ticket, or other data is encrypted using the RC4-HMAC algorithm with the key as derived/generated.
It can be quite confusing because I think the HMAC algorithm uses MD5 hash so you get three unapproved algorithms for the price of one. (RC4, MD4, MD5).
Jeff
Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882
http://oia.ufl.edu