[16523] in Kerberos_V5_Development


Re: Comments on the checksum vulnerabilities

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Dec 3 17:16:54 2010

From: Greg Hudson <ghudson@mit.edu>
To: Sam Hartman <hartmans@mit.edu>
In-Reply-To: <tsl4oaupurg.fsf@carter-zimmerman.suchdamage.org>
Date: Fri, 03 Dec 2010 17:16:48 -0500
Message-ID: <1291414608.20307.250.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, 2010-12-03 at 13:37 -0500, Sam Hartman wrote:
> We might be able to get away with changing behavior for the
> krb5_k_interface and adding a way to set on a krb5 key object whether
> unkeyed checksums are permitted.  That's probably more ugly than a new
> API.

Or in the krb5_context, but yeah, ugly either way.

> We could potentially have a flag to or-in with keyusages.  Or have a set
> of key usages for which unkeyed checksums are permitted.

I like this idea.  libk5crypto already knows a little bit about key
usages (RC4 key usage translations, as well as the workaround for the AD
TGS subkey RC4 key usage bug).


