Re: API for verifying authenticator checksum?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 1 01:01:40 2014
Message-ID: <547C0410.8070401@mit.edu>
Date: Mon, 01 Dec 2014 01:00:48 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Peter Mogensen <apm@one.com>, kerberos@mit.edu
In-Reply-To: <5476D41A.5070208@one.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 11/27/2014 02:34 AM, Peter Mogensen wrote:
> I was looking at libkrb5 for the public API mirroring "in_data" in
> krb5_mk_req()
> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html
I have noticed myself the asymmetry between mk_req taking application
data to checksum and rd_req not taking any to verify.
> It looks like you're supposed to get the Authenticator and then the
> checksum from the Authenticator manually and compare it against a
> checksum you manually build.
That's probably the best you can do for now.
> But many of the needed calls are either listed as deprecated or not to be
> called directly, and the comp_cksum() call that the KDC uses for TGS-REQs
> isn't even public.
What is listed as deprecated? I wouldn't worry too much about the
"should not be called directly" designation; those are still public and
stable APIs. comp_cksum doesn't do a lot; it shouldn't be difficult to
do the same things yourself. (The call to krb5_c_valid_cksumtype is
probably redundant with the other two checks.)
> Have I missed some part of the API or is there really no easy way to
> verify the cksum created by mk_req() from in_data?
Most applications are written to the GSSAPI, which uses the
authenticator checksum for its own purposes. So this may not be a
glaring need.
Be aware that integrity-protecting application data using the
authenticator checksum increases a protocol's dependency on the replay
cache, which is inherently imperfect.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos