Comments on the checksum vulnerabilities
Greg Hudson
ghudson at MIT.EDU
Fri Dec 3 17:16:48 EST 2010
On Fri, 2010-12-03 at 13:37 -0500, Sam Hartman wrote:h
> We might be able to get away with changing behavior for the
> krb5_k_interface and adding a way to set on a krb5 key object whether
> unkeyed checksums are permitted. That's probably more ugly than a new
> API.
Or in the krb5_context, but yeah, ugly either way.
> We could potentially have a flag to or-in with keyusages. Or have a set
> of key usages for which unkeyed checksums are permitted.
I like this idea. libk5crypto already knows a little bit about key
usages (RC4 key usage translations, as well as the workaround for the AD
TGS subkey RC4 key usage bug).
More information about the krbdev
mailing list