API for verifying authenticator checksum?
Greg Hudson
ghudson at mit.edu
Mon Dec 1 01:00:48 EST 2014
On 11/27/2014 02:34 AM, Peter Mogensen wrote:
> I was looking at libkrb5 for the public API mirroring "in_data" in
> krb5_mk_req()
> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html
I have noticed myself the asymmetry between mk_req taking application
data to checksum and rd_req not taking any to verify.
> It looks like you're supposed to get the Authenticator and then the
> checksum from the Authenticator manually and compare it against a
> checksum you manually build.
That's probably the best you can do for now.
> But many of the needed call are either listed as deprecated or not to be
> called directly and the comp_cksum() call that the KDC uses for TGS-REQs
> aren't even public.
What is listed as deprecated? I wouldn't worry too much about the
"should not be called directly" designation; those are still public and
stable APIs. comp_cksum doesn't do a lot; it shouldn't be difficult to
do the same things yourself. (The call to krb5_c_valid_cksumtype is
probably redundant with the other two checks.)
> Have I missed some part of the API or are there really no easy way to
> verify the cksum created by mk_req() in_data ?
Most applications are written to the GSSAPI, which uses the
authenticator checksum for its own purposes. So this may not be a
glaring need.
Be aware that integrity-protecting application data using the
authenticator checksum increases a protocol's dependency on the replay
cache, which is inherently imperfect.
More information about the Kerberos
mailing list