[1040] in Kerberos_V5_Development
Re: GSS confusion
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Sun Mar 31 18:14:37 1996
To: "Richard Basch" <basch@lehman.com>
Cc: krbdev@MIT.EDU, tytso@MIT.EDU
Date: Sun, 31 Mar 1996 18:14:22 EST
From: Marc Horowitz <marc@MIT.EDU>
>> Are there any requirements that the checksum only be 8 bytes? I don't
>> particularly relish the concept of doing cbc encryptions of the md5
>> digest and tossing subsets. With DES, that may be ok, but with 3-DES,
>> at least I would rather have the encrypted 16 byte digest.
John Wray has as an internal agenda item minimizing differences
between krb5 and dce. He will likely complain at this change. IMHO,
this limits us too much, and as I have never seen a public dce gssapi
document, I'm not tempted to care very much.
>> Like the DES MAC case, the MD5 digest will have a cbc encrypt operation
>> (except in this case it is the 3-des cbc encrypt operation) done with a
>> zero ivec, and the last 64 bits will be used as the 8 byte checksum.
Can you say that again? If I read that right, it means that the
checksum you've defined will be quite slow. I'd like to see something
faster.
Marc
