API for verifying authenticator checksum?

Greg Hudson ghudson at mit.edu
Mon Dec 1 01:00:48 EST 2014

On 11/27/2014 02:34 AM, Peter Mogensen wrote:
> I was looking at libkrb5 for the public API mirroring "in_data" in 
> krb5_mk_req()
> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html

I have noticed myself the asymmetry between mk_req taking application
data to checksum and rd_req not taking any to verify.

> It looks like you're supposed to get the Authenticator and  then the 
> checksum from the Authenticator manually and compare it against a 
> checksum you manually build.

That's probably the best you can do for now.

> But many of the needed call are either listed as deprecated or not to be 
> called directly and the comp_cksum() call that the KDC uses for TGS-REQs 
> aren't even public.

What is listed as deprecated?  I wouldn't worry too much about the
"should not be called directly" designation; those are still public and
stable APIs.  comp_cksum doesn't do a lot; it shouldn't be difficult to
do the same things yourself.  (The call to krb5_c_valid_cksumtype is
probably redundant with the other two checks.)

> Have I missed some part of the API or are there really no easy way to 
> verify the cksum created by mk_req() in_data ?

Most applications are written to the GSSAPI, which uses the
authenticator checksum for its own purposes.  So this may not be a
glaring need.

Be aware that integrity-protecting application data using the
authenticator  checksum increases a protocol's dependency on the replay
cache, which is inherently imperfect.

More information about the Kerberos mailing list