[1035] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

GSS confusion

daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Mar 28 10:29:02 1996

Date: Thu, 28 Mar 1996 10:27:52 -0500
To: tytso@MIT.EDU
Cc: krbdev@MIT.EDU
From: "Richard Basch" <basch@lehman.com>

I have only briefly read the specs, so I have a few questions as it
relates to 3-des integration.

Are there any requirements that the checksum only be 8 bytes?  I don't
particularly relish the concept of doing cbc encryptions of the md5
digest and tossing subsets.  With DES, that may be ok, but with 3-DES,
at least I would rather have the encrypted 16 byte digest.

Do you mind if I restructure the code somewhat so that it actually calls
the raw des & des3 cbc encryption functions?  Or would you rather go
through the supported libcrypto interface, in which case, can you
register ENCTYPE_DES3_CBC_RAW?  However, before we force the creation of
yet another enctype, I should point out that libgssapi already calls the
raw md5 routines in libcrypto, instead of using the regular interface.

Preferably, the libcrypto function should be restructured to have
interfaces like:
	encrypt_message(message, DES-CBC)
	encrypt_message(message, DES3-CBC)
	...
	compute_checksum(message, DES-MAC)
	compute_checksum(message, MD5)
	compute_checksum(message, MD5-DES-MAC)
	...
	compute_crypto_checksum(message, MD5, DES-CBC)
	compute_crypto_checksum(message, MD5, DES3-CBC)
	(this allows arbitrary encryption schemes and checksums)
	compute_crypto_checksum(message, MD5, DES-MAC)	<-- debatable...

This type of modularity provides more flexibility and avoids some of the
hair we have been faced with.  Sure, krb5 may have internal
representations of the enctype that can be represented as before, but
libcrypto should be simpler and generally more flexible.  We still have
to consider streams in the encryption and checksum routines, so that
people can stream the message into the function, as is often done with
md5.

Richard Basch                   
Sr. Developer/Analyst           URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.           Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor      Fax:   +1-201-524-5828
Jersey City, NJ 07302-3988      Voice: +1-201-524-5049
home help back first fref pref prev next nref lref last post