[1078] in Kerberos_V5_Development
Re: 3des question
daemon@ATHENA.MIT.EDU (Richard Basch)
Thu Apr 18 08:53:09 1996
Date: Thu, 18 Apr 1996 08:52:19 -0400
To: Marc Horowitz <marc@MIT.EDU>
Cc: krbdev@MIT.EDU, perry@piermont.com
In-Reply-To: <9604180806.AA27133@beeblebrox.MIT.EDU>
From: "Richard Basch" <basch@lehman.com>
Ah... you discovered the section of code where the spec was violated.
Basically, for the DES-MD5 case, the spec calls for an MD5 digest to be
computed and then for a DES MAC to be computed on the MD5 digest with a
zero ivec. The old implementation was using the DES key as the
ivec. Anyway, looking at the spec for DES MAC, you will note that it is
simply the last block of a DES CBC operation (thus, my subsetting code).
I didn't want to change the cbc_cksum routine because I didn't know who
else used it (e.g. OSF/DCE), so I kludged the code a little... I knew
that someone had to revisit this section because of all the
compatibility issues and the violation of the spec.
--
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
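
The construction described in the message above, as an added example that is not part of the original message or of the Kerberos source: the MAC is the last block of a CBC encryption of the MD5 digest, and the zero-ivec and key-as-ivec variants necessarily produce different checksums. DES is not in the Python standard library, so `toy_encrypt_block` is a hypothetical stand-in 64-bit Feistel cipher (not DES); the key, message and all function names are constructed for illustration.

```python
import hashlib

BLOCK = 8  # DES block size in bytes

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel permutation (NOT DES); only the block size matches."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key: bytes, ivec: bytes, data: bytes) -> list:
    """CBC-encrypt data and return the list of ciphertext blocks."""
    if len(ivec) != BLOCK or len(data) == 0 or len(data) % BLOCK:
        raise ValueError("ivec must be one block; data a non-empty multiple of it")
    prev, blocks = ivec, []
    for i in range(0, len(data), BLOCK):
        chained = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, chained)
        blocks.append(prev)
    return blocks

def cbc_mac(key: bytes, ivec: bytes, data: bytes) -> bytes:
    """The MAC is simply the last ciphertext block of the CBC operation."""
    return cbc_encrypt(key, ivec, data)[-1]

def md5_then_mac(key: bytes, message: bytes, ivec: bytes = bytes(BLOCK)) -> bytes:
    """MD5 digest (16 bytes, two blocks) followed by a CBC-MAC over the digest."""
    return cbc_mac(key, ivec, hashlib.md5(message).digest())

# Constructed sample inputs.
KEY = bytes.fromhex("0123456789abcdef")
MSG = b"constructed sample message"

def compare_ivecs():
    """Return (zero-ivec checksum, key-as-ivec checksum) for the same input."""
    return md5_then_mac(KEY, MSG), md5_then_mac(KEY, MSG, ivec=KEY)

if __name__ == "__main__":
    spec, old = compare_ivecs()
    print("zero ivec  :", spec.hex())
    print("key as ivec:", old.hex())
    print("interoperable:", spec == old)
```

Because the block cipher is a permutation, a different ivec changes the first ciphertext block and therefore every later one, so a verifier using one ivec rejects checksums produced with the other.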