OpenSSL in FIPS mode - MD5 hash in replay cache

Greg Hudson ghudson at
Tue Dec 22 13:29:32 EST 2015

On 12/18/2015 07:56 AM, Tomas Kuthan wrote:
> rcache uses an unkeyed MD5 hash of the authenticator to distinguish
> between different requests with equal client principal, server principal
> and microsecond time.
> Would it be possible to use SHA-1 instead of MD5?

I might be okay with just changing the hash function, and deciding that
if you mix versions of MIT krb5 with the same replay cache, you will get
false negatives.  (That sounds bad, but the story for sharing the same
replay cache among concurrent processes is already pretty bad.)  I think
a proper phased transition would be pretty complicated, based on how the
current code is structured.

It would be nice to use SHA-256 rather than SHA-1, as SHA-1 is itself
being phased out.  Unfortunately we do not currently have a libk5crypto
interface for SHA-256 (there is no unkeyed SHA-256 checksum type, and no
alternative API), so we would have to address that first.

We would like to make more extensive changes to the replay cache (see ) but
do not currently have a timetable.
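To make the trade-off in the discussion above concrete, here is a small model of a replay cache whose entries are keyed on client principal, server principal, microsecond timestamp and an unkeyed digest of the authenticator. It is an added illustration, not code from MIT krb5, and the entry layout, field names and sample authenticators are assumptions (a simplified stand-in, not the real ASN.1 authenticator or the rcache on-disk format). It shows three things: a replay through a single version is caught, two authenticators that share every other field are told apart only by the digest, and two "versions" that hash differently while sharing one cache store silently miss the replay, which is the false negative described above.

```python
import hashlib

# Constructed sample fields: same client, server and microsecond time for
# every request, so the authenticator digest is the only distinguishing
# part of the cache key (assumption: simplified model, not MIT krb5's format).
CLIENT = "user@EXAMPLE.COM"
SERVER = "host/www.example.com@EXAMPLE.COM"
CTIME = 1450453200
CUSEC = 123456

AUTHENTICATOR_A = b"authenticator-body-A"  # constructed
AUTHENTICATOR_B = b"authenticator-body-B"  # constructed


def digest_available(hash_name):
    """True if the OpenSSL build behind hashlib will compute this digest.
    On a FIPS-enforcing OpenSSL, hashlib.new("md5") raises ValueError,
    which is the kind of failure that motivates replacing MD5 here."""
    try:
        hashlib.new(hash_name, b"")
        return True
    except ValueError:
        return False


class ReplayCache:
    """Replay cache keyed on (client, server, ctime, cusec, digest).

    `store` is a set shared between instances, standing in for a replay
    cache file shared between processes; `hash_name` is the digest this
    particular build uses for the authenticator."""

    def __init__(self, store, hash_name):
        self.store = store
        self.hash_name = hash_name

    def _key(self, client, server, ctime, cusec, authenticator):
        digest = hashlib.new(self.hash_name, authenticator).hexdigest()
        return (client, server, ctime, cusec, digest)

    def check_and_store(self, client, server, ctime, cusec, authenticator):
        """Return True if this authenticator was already recorded (a replay);
        otherwise record it and return False."""
        key = self._key(client, server, ctime, cusec, authenticator)
        if key in self.store:
            return True
        self.store.add(key)
        return False


def same_version_replay():
    """One build, one cache: the second presentation of A is a replay."""
    rc = ReplayCache(set(), "sha256")
    first = rc.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_A)
    second = rc.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_A)
    return first, second  # (False, True)


def distinct_authenticators_same_fields():
    """A and B collide on every field except the digest, so both are new."""
    rc = ReplayCache(set(), "sha256")
    a = rc.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_A)
    b = rc.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_B)
    return a, b  # (False, False)


def mixed_version_replay():
    """An MD5 build and a SHA-256 build sharing one store: the SHA-256 build
    computes a different key for the same authenticator and does not see the
    entry the MD5 build wrote, so the replay goes undetected (false negative)."""
    shared = set()
    old_build = ReplayCache(shared, "md5")
    new_build = ReplayCache(shared, "sha256")
    first = old_build.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_A)
    replayed = new_build.check_and_store(CLIENT, SERVER, CTIME, CUSEC, AUTHENTICATOR_A)
    return first, replayed  # (False, False)


if __name__ == "__main__":
    print("md5 available:", digest_available("md5"))
    print("same version:", same_version_replay())
    print("distinct bodies:", distinct_authenticators_same_fields())
    print("mixed versions:", mixed_version_replay())
```

The mixed case is the cost of a flag-day hash change: every process that opens the same cache must agree on the digest, or entries written by one are invisible to the other. A phased transition would have to look up both keys (and write both) for some period, which is the complication the message above alludes to.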

More information about the krbdev mailing list