2 Replies Latest reply on Jul 19, 2010 12:37 PM by 843810

    Kerberos & Java GSS (JGSS) - Server side - Checksum failed !

      Hi again,

      now the client side works fine: it can log in to the KDC and save the encrypted token to a file.
      The server-side program should read the encrypted file and then log in to the KDC to determine which user generated this token, and greet him.
      But when I run the server-side program, I have an issue.. as always.. here is the output:

      Found key for krbadm/admin@EVIL.IT(3)
      Found key for krbadm/admin@EVIL.IT(23)
      Found key for krbadm/admin@EVIL.IT(18)
      Found key for krbadm/admin@EVIL.IT(17)
      Found key for krbadm/admin@EVIL.IT(1)
      Found key for krbadm/admin@EVIL.IT(16)
      Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      Checksum failed !
      GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
           at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:140)
           at it.evil.kerberos.KerberosServer$1.run(KerberosServer.java:1)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAs(Subject.java:357)
           at it.evil.kerberos.KerberosServer.acceptSecurityContext(KerberosServer.java:123)
           at it.evil.kerberos.KerberosServer.main(KerberosServer.java:58)
      Caused by: KrbException: Checksum failed
           at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
           at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
           at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
           at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
           at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
           at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
           ... 8 more
      Caused by: java.security.GeneralSecurityException: Checksum failed
           at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
           at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
           at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
           at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
           ... 14 more

      It seems that it can read the token with BASE64Decoder, but when it tries to accept the context and return the client principal name it goes to error.

      This is the line of code where the error is:

           return Subject.doAs( subject, new PrivilegedAction<String>()

      here is the main:
           // Login to the KDC.
           server.login( password);
           byte serviceTicket[] = loadTokenFromDisk();
           // Request the service ticket.
           String clientName = server.acceptSecurityContext( serviceTicket);
      It passes loadTokenFromDisk and crashes on server.acceptSecurityContext( serviceTicket);

      here's the decrypt part:
      // Load the security token from disk and decode it. Return the raw GSS token.
      private static byte[] loadTokenFromDisk() throws IOException {
           BufferedReader in = new BufferedReader( new FileReader( "security.token"));
           System.out.println( new File( "security.token").getAbsolutePath());
           String str;
           StringBuffer buffer = new StringBuffer();
           // The token was written base64-encoded, one or more lines; re-join the lines.
           while ((str = in.readLine()) != null) {
                buffer.append( str + "\n");
           }
           in.close();
           System.out.println( buffer.toString());
           BASE64Decoder decoder = new BASE64Decoder();
           return decoder.decodeBuffer( buffer.toString());
      }
      and this is the function with the problem:
      private String acceptSecurityContext( final byte[] serviceTicket) throws GSSException {
           krb5Oid = new Oid( "1.2.840.113554.1.2.2");
           // Run the acceptor under the Subject that logged in to the KDC, so its keys are visible to JGSS.
           return Subject.doAs( subject, new PrivilegedAction<String>() {
                public String run() {
                     try {
                          GSSManager manager = GSSManager.getInstance();
                          GSSContext context = manager.createContext( (GSSCredential) null);
                          context.acceptSecContext( serviceTicket, 0, serviceTicket.length);
                          return context.getSrcName().toString();
                     } catch ( Exception e) {
                          // Any GSSException (such as "Checksum failed") is swallowed and no name is returned.
                          return null;
                     }
                }
           });
      }
      The error is clear: Checksum failed!

      But I cannot tell if it is a problem of decryption or of the authentication token.

      Thanks for any reply.
        • 1. Re: Kerberos & Java GSS (JGSS) - Server side - Checksum failed !
          Normally a key error.

          What's the service principal name? How did you generate its keytab file? How did you specify the service name on the client side?
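          As an added example (not the poster's code, and not from any guide the thread mentions) of the check the reply above implies: after the JAAS login, list the long-term keys the server Subject actually holds for the SPN the client targeted before calling acceptSecContext. If the Subject has no key for that principal (wrong name, wrong password or keytab, or a stale kvno), the acceptor cannot decrypt the ticket and JGSS reports "Checksum failed". The JAAS entry name "Server", the SPN and the base64 token path taken from the command line are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

public class AcceptorKeyCheck {
    // Collect every long-term key the logged-in Subject holds for the given SPN, whether
    // Krb5LoginModule stored KerberosKey objects (password login with storeKey=true)
    // or a KeyTab object (useKeyTab=true with storeKey=true).
    static List<KerberosKey> keysFor(Subject subject, String spn) {
        KerberosPrincipal wanted = new KerberosPrincipal(spn);
        List<KerberosKey> found = new ArrayList<>();
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            if (wanted.equals(k.getPrincipal())) found.add(k);
        }
        for (KeyTab kt : subject.getPrivateCredentials(KeyTab.class)) {
            found.addAll(Arrays.asList(kt.getKeys(wanted)));
        }
        return found;
    }

    // Accept the client's AP-REQ token inside the server Subject and return the initiator's name.
    static String acceptToken(Subject subject, byte[] token) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length); // a key mismatch fails here with "Checksum failed"
            String initiator = ctx.getSrcName().toString();
            ctx.dispose();
            return initiator;
        });
    }

    public static void main(String[] args) throws Exception {
        String spn = args[0];                                  // SPN the client asked a ticket for (assumed argument)
        byte[] token = Base64.getMimeDecoder().decode(Files.readAllBytes(Paths.get(args[1]))); // base64 file as in the thread
        LoginContext lc = new LoginContext("Server");          // JAAS entry name assumed from the thread's jaas.conf
        lc.login();
        Subject subject = lc.getSubject();
        List<KerberosKey> keys = keysFor(subject, spn);
        if (keys.isEmpty()) throw new IllegalStateException("Subject holds no key for " + spn + "; the ticket cannot be decrypted");
        for (KerberosKey k : keys) System.out.println("key for " + spn + ": etype " + k.getKeyType() + ", kvno " + k.getVersionNumber());
        System.out.println("Hello World " + acceptToken(subject, token) + "!");
    }
}
```

          The etype numbers printed here are the same ones that appear in the "Found key for ...(18)" debug lines; with sun.security.krb5.debug=true you can compare them against the etype the client's ticket was encrypted with.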
          • 2. Re: Kerberos & Java GSS (JGSS) - Server side - Checksum failed !

            Thanks for the reply,

            the service.principal.name=krbtgt/EVIL.IT@EVIL.IT
            the useKeyTab=false in the jaas.conf; in the guide that I found, the value is set to false.
            for the client side I read the client.properties file:

            this is the main of the SERVER-SIDE program:
             public static void main( String[] args) throws Exception {
                       // Set up the Kerberos properties.
                       Properties props = new Properties();
                       props.load( new FileInputStream( "server.properties"));
                       System.setProperty( "sun.security.krb5.debug", "true");
                       System.setProperty( "java.security.krb5.realm", props.getProperty( "realm"));
                       System.setProperty( "java.security.krb5.kdc", props.getProperty( "kdc"));
                       System.setProperty( "java.security.auth.login.config", "./jaas.conf");
                       System.setProperty( "javax.security.auth.useSubjectCredsOnly", "true");
                       String password = props.getProperty( "service.password");
                       // Oid mechanism = use Kerberos V5 as the security mechanism.
                       krb5Oid = new Oid( "1.2.840.113554.1.2.2");
                       KerberosServer server = new KerberosServer();
                       // Login to the KDC.
                       server.login( password);
                       byte serviceTicket[] = loadTokenFromDisk();
                       // Request the service ticket.
                       String clientName = server.acceptSecurityContext( serviceTicket);
                       System.out.println( "\nSecurity context successfully initialised!");
                       System.out.println( "\nHello World " + clientName + "!");
             }
            here is the jaas file where I read the flags:
            Client {
                 com.sun.security.auth.module.Krb5LoginModule required
            };
            Server {
                 com.sun.security.auth.module.Krb5LoginModule required
            };
            the server.properties that I read for the parameters:
            From what I understand, the client-side program authenticates the user and requests a ticket, which is then stored encrypted in a file. And the server-side program authenticates the admin and, by reading the ticket, understands what the user credentials are and says "hello" to the user.

            I run the 2 programs under Eclipse, at 2 different times: first the client, and once it has finished I run the server.

            OK, it is a key error, but I can't understand where I make the mistake..

            Edited by: evil_kerberos on Jul 19, 2010 5:37 AM