2 Replies. Latest reply: Jul 19, 2010 5:37 AM by 843810

Kerberos & Java GSS (JGSS) - Server side - Checksum failed !

843810 Newbie
Hi again,

Now the client side works fine: it can log in to the KDC and save the encrypted token to a file.
The server-side program should read the encrypted file and then log in to the KDC to determine which user generated this token, and greet them.
But when I run the server-side program, I have an issue, as always. Here is the output:

Found key for krbadm/admin@EVIL.IT(3)
Found key for krbadm/admin@EVIL.IT(23)
Found key for krbadm/admin@EVIL.IT(18)
Found key for krbadm/admin@EVIL.IT(17)
Found key for krbadm/admin@EVIL.IT(1)
Found key for krbadm/admin@EVIL.IT(16)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Checksum failed !
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
     at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:140)
     at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:1)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAs(Subject.java:357)
     at it.evil.kerberos.KerberosServer.acceptSecurityContext(KerberosServer.java:123)
     at it.evil.kerberos.KerberosServer.main(KerberosServer.java:58)
Caused by: KrbException: Checksum failed
     at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
     at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
     at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
     at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
     at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
     ... 8 more
Caused by: java.security.GeneralSecurityException: Checksum failed
     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
     at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
     at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
     ... 14 more



It seems that it can read the token with BASE64Decoder, but when it tries to accept the context and return the client principal name, it errors out.

This is the line of code where the error is:

     return Subject.doAs( subject, new PrivilegedAction<String>()




Here is the main:
           // Login to the KDC.
           server.login( password);
           byte serviceTicket[] = loadTokenFromDisk();
           // Accept the client's token and recover the client principal name.
           String clientName = server.acceptSecurityContext( serviceTicket);
It passes loadTokenFromDisk and crashes on server.acceptSecurityContext( serviceTicket);


Here's the decrypt:
// Load the security token from disk and decode it. Return the raw GSS token.
// Needs java.io.* and sun.misc.BASE64Decoder (the JDK-internal decoder used here).
private static byte[] loadTokenFromDisk() throws IOException 
{
     BufferedReader in = new BufferedReader( new FileReader( "security.token"));
     System.out.println( new File( "security.token").getAbsolutePath());
     StringBuffer buffer = new StringBuffer();
     try 
     {
          String str;
          while ((str = in.readLine()) != null) 
          {
               // BASE64Decoder ignores line breaks, so re-joining the lines with "\n" is safe.
               buffer.append( str + "\n");
          }
     }
     finally 
     {
          in.close();
     }
     System.out.println( buffer.toString());
     BASE64Decoder decoder = new BASE64Decoder();
     return decoder.decodeBuffer( buffer.toString());
}

And this is the function with the problem:
private String acceptSecurityContext( final byte[] serviceTicket) throws GSSException 
{
     krb5Oid = new Oid( "1.2.840.113554.1.2.2");
     // Run inside the server's logged-in Subject so the acceptor's Kerberos keys
     // (the "Found key for ..." lines in the debug output) are available to JGSS.
     return Subject.doAs( subject, new PrivilegedAction<String>() 
     {
          public String run() 
          {
               try 
               {
                    GSSManager manager = GSSManager.getInstance();
                    // null credential: use the default acceptor credential from the Subject.
                    GSSContext context = manager.createContext( (GSSCredential) null);
                    // Decrypts the client's AP-REQ with the Subject's keys; this is the call
                    // that throws "Checksum failed" when no key can decrypt the ticket.
                    context.acceptSecContext( serviceTicket, 0, serviceTicket.length);
                    return context.getSrcName().toString();
               }
               catch ( Exception e) 
               {
                    e.printStackTrace();
                    return null;
               }
          }
     });
}
The error is clear: Checksum failed!

But I cannot tell if it is a problem with decryption or with the authentication token.

Thanks for any reply.
  • 1. Re: Kerberos & Java GSS (JGSS) - Server side - Checksum failed !
    843810 Newbie
    Normally a key error.

    What's the service principal name? How did you generate its keytab file? How did you specify the service name on the client side?
  • 2. Re: Kerberos & Java GSS (JGSS) - Server side - Checksum failed !
    843810 Newbie
    Hi,

    Thanks for the reply.

    The service.principal.name=krbtgt/EVIL.IT@EVIL.IT
    useKeyTab=false is in the jaas.conf; in the guide that I found, the value is set to false.
    For the client side I read the

    client.properties file:
    realm=EVIL.IT
    kdc=192.168.1.100
    client.principal.name=krbadm/admin
    client.password=XXXX
    service.principal.name=krbtgt/EVIL.IT@EVIL.IT
    This is the main of the SERVER-SIDE program:
        // Set up the Kerberos properties.
        Properties props = new Properties();
        props.load( new FileInputStream( "server.properties"));
        System.setProperty( "sun.security.krb5.debug", "true");
        System.setProperty( "java.security.krb5.realm", props.getProperty( "realm"));
        System.setProperty( "java.security.krb5.kdc", props.getProperty( "kdc"));
        System.setProperty( "java.security.auth.login.config", "./jaas.conf");
        System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true");
        String password = props.getProperty( "service.password");
        // Oid mechanism = use Kerberos V5 as the security mechanism.
        krb5Oid = new Oid( "1.2.840.113554.1.2.2");
        KerberosServer server = new KerberosServer();
        // Login to the KDC.
        server.login( password);
        byte serviceTicket[] = loadTokenFromDisk();
        // Accept the client's token and recover the client principal name.
        String clientName = server.acceptSecurityContext( serviceTicket);
        System.out.println( "\nSecurity context successfully initialised!");
        System.out.println( "\nHello World " + clientName + "!");
    Here is the jaas file where I read the flags:
    Client {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false;
    };

    Server {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=false
        storeKey=true
        useTicketCache=true
        principal="krbadm/admin@EVIL.IT";
    };
    The server.properties that I read for the parameters:
    realm=EVIL.IT
    kdc=192.168.1.100
    service.password=XXXX
    From what I understand, the client-side program authenticates the user and requests a ticket, which is then stored encrypted in a file. And the server-side program authenticates the admin and, by reading the ticket, understands what the user's credentials are and says "hello" to the user.

    I run the 2 programs under Eclipse at 2 different times: first the client and, once it has finished, I run the server.

    OK, it is a key error, but I can't understand where I made the mistake.

    Edited by: evil_kerberos on Jul 19, 2010 5:37 AM
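Editor's note on the exchange above (added here; not part of the original thread). The "Found key for krbadm/admin@EVIL.IT(...)" lines show which keys the acceptor holds, and a Kerberos ticket can only be decrypted with the key of the service principal it was issued for (the sname/realm inside the AP-REQ). The client in this thread names krbtgt/EVIL.IT@EVIL.IT as the service, so the ticket is under the KDC's ticket-granting key, which no application server has; every acceptor key fails the integrity check and JGSS reports "Checksum failed". The usual remedy is a dedicated service principal (for example host/<fqdn>) whose keys live in a keytab (useKeyTab=true, storeKey=true), with the client naming exactly that principal. The following added example, written in Python for offline use rather than in the thread's Java, reads the service principal, realm, enctype and kvno out of a krb5 GSS-API initial token with a small DER parser and compares them with the acceptor's principal. The sample token is constructed in the file with a tiny DER encoder and mirrors the thread's setup; it is not a capture from the poster's environment.

```python
"""
Inspect a Kerberos v5 GSS-API initial context token (RFC 1964 / RFC 4121)
without any keys: read the service principal, realm, enctype and kvno from
the AP-REQ ticket and compare them with the principal the acceptor holds
keys for. Added, stand-alone example; the sample token is constructed here
with a minimal DER encoder, not captured from the forum poster's setup.
"""

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# --- minimal DER encoder, only what is needed to build a sample token ---------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content

def der_int(v):        # non-negative integers only, enough for krb5 fields
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def ctx(n, content):   # context-specific [n], constructed
    return tlv(0xA0 | n, content)

def app(n, content):   # [APPLICATION n], constructed
    return tlv(0x60 | n, content)

def gstr(s):           # GeneralString
    return tlv(0x1B, s.encode("ascii"))

def principal_name(name_type, parts):
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, tlv(0x30, b"".join(map(gstr, parts)))))

def encrypted_data(etype, kvno, cipher):
    body = ctx(0, der_int(etype)) + (ctx(1, der_int(kvno)) if kvno is not None else b"")
    return tlv(0x30, body + ctx(2, tlv(0x04, cipher)))

def build_gss_ap_req(realm, sname_parts, etype, kvno):
    """InitialContextToken { krb5 OID, TOK_ID 01 00, AP-REQ } with dummy ciphertext."""
    ticket = app(1, tlv(0x30, ctx(0, der_int(5)) + ctx(1, gstr(realm))
                        + ctx(2, principal_name(2, sname_parts))          # NT-SRV-INST
                        + ctx(3, encrypted_data(etype, kvno, b"\0" * 16))))
    ap_req = app(14, tlv(0x30, ctx(0, der_int(5)) + ctx(1, der_int(14))
                         + ctx(2, tlv(0x03, b"\0" * 5))                    # ap-options
                         + ctx(3, ticket) + ctx(4, encrypted_data(etype, None, b"\0" * 16))))
    return app(0, tlv(0x06, KRB5_MECH_OID) + b"\x01\x00" + ap_req)

# --- decoder / inspector -------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        out.append((tag, inner))
    return out

def field(seq_content, n):
    """Content of the single element wrapped in context tag [n], or None if absent."""
    for tag, inner in children(seq_content):
        if tag == (0xA0 | n):
            return children(inner)[0][1]
    return None

def inspect_gss_token(token):
    tag, inner, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS InitialContextToken")
    oid_tag, oid, pos = read_tlv(inner)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism is not Kerberos v5")
    if inner[pos:pos + 2] != b"\x01\x00":
        raise ValueError("TOK_ID %s is not KRB_AP_REQ" % inner[pos:pos + 2].hex())
    ap_tag, ap_req, _ = read_tlv(inner, pos + 2)
    if ap_tag != 0x6E:
        raise ValueError("expected [APPLICATION 14] AP-REQ")
    tkt_seq = children(field(children(ap_req)[0][1], 3))[0][1]   # Ticket -> SEQUENCE body
    realm = field(tkt_seq, 1).decode("ascii")
    parts = [p.decode("ascii") for _, p in children(field(field(tkt_seq, 2), 1))]
    enc = field(tkt_seq, 3)                                       # EncryptedData body
    kvno_raw = field(enc, 1)
    return {"realm": realm, "sname": "/".join(parts),
            "etype": int.from_bytes(field(enc, 0), "big"),
            "kvno": int.from_bytes(kvno_raw, "big") if kvno_raw is not None else None}

def check_acceptor(token, acceptor_principal):
    """(ok, ticket_principal, info): ok is True only when the ticket names the
    acceptor's principal, i.e. the acceptor's key is the one that can decrypt it."""
    info = inspect_gss_token(token)
    ticket_principal = "%s@%s" % (info["sname"], info["realm"])
    return ticket_principal == acceptor_principal, ticket_principal, info

# Constructed sample modelled on the thread: the client named krbtgt/EVIL.IT as
# the service, so the ticket is under the KDC's TGS key (aes256, kvno assumed 1).
SAMPLE_TOKEN = build_gss_ap_req("EVIL.IT", ["krbtgt", "EVIL.IT"], 18, 1)

if __name__ == "__main__":
    ok, target, info = check_acceptor(SAMPLE_TOKEN, "krbadm/admin@EVIL.IT")
    print("ticket for %s, %s, kvno %s" % (target, ETYPE_NAMES.get(info["etype"], info["etype"]), info["kvno"]))
    print("acceptor krbadm/admin@EVIL.IT holds the key for it:", ok)
```

Run it against a real token by base64-decoding the client's security.token file and passing the bytes to check_acceptor together with the principal from the Server JAAS entry; a mismatch between the printed ticket principal and the acceptor's principal (or an etype/kvno the acceptor's keytab lacks) is exactly the "key error" reply #1 points at.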