Internet Security Professional Reference:Kerberos


A keyed checksum requires a key to perturb or initialize the algorithm. Keyed checksums are usually cryptographically based. This makes them collision-proof, because the randomizing effect of the encryption makes it impossible to predict the change to the checksum of any change in the message.

To prevent message-stream modification by an active attacker, unkeyed checksums should be used only when the checksum and message will be subsequently encrypted. For example, the checksums defined as part of the encryption algorithms covered earlier in this section are encrypted.

Collision-proof checksums can be made tamperproof as well if the checksum value is encrypted before inclusion in a message. In such cases, combining the checksum and the encryption algorithm is considered a separate checksum algorithm. RSA-MD5 encrypted using DES is a new checksum algorithm of type RSA-MD5-DES. For most keyed checksums, as well as for the encrypted forms of collision-proof checksums, Kerberos prepends a confounder before calculating the checksum.

The CRC-32 Checksum (crc32)

The CRC-32 checksum calculates a checksum based on a cyclic redundancy check as described in ISO 3309. The resulting checksum is four bytes long. The CRC-32 is neither keyed nor collision-proof. Using this checksum is not recommended, because an attacker might be able to generate an alternative message that satisfies the checksum. Use collision-proof checksums in environments where such attacks represent a significant threat, such as the Internet or an application with high-value information.
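The contrast between an unkeyed CRC-32 and a keyed checksum can be checked directly. The following is an added example, not code from the book: it shows that the change a given edit makes to a CRC-32 depends only on the edit and not on the message, while a keyed checksum changes differently for every message. The messages, key and edit mask are constructed, and HMAC-MD5 is used only as a stand-in keyed checksum (it is not one of the Kerberos checksum types).

```python
import hashlib
import hmac
import zlib

# Constructed sample messages, padded to one common length.
MESSAGES = [m.ljust(24) for m in (b"PAY 0100 TO ACCOUNT 1234",
                                  b"PAY 0250 TO ACCOUNT 9876",
                                  b"LOG ROTATE AT 0300 DAILY")]
# Constructed edit: flip one bit in byte 5 of a 24-byte message.
EDIT_MASK = bytes(5) + b"\x08" + bytes(18)
KEY = b"constructed-demo-key"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_delta(edit_mask: bytes) -> int:
    """CRC-32 change caused by XORing edit_mask into any message of that length.

    CRC-32 is affine over XOR, so the change depends only on the edit.
    """
    return zlib.crc32(edit_mask) ^ zlib.crc32(bytes(len(edit_mask)))


def keyed_checksum(key: bytes, message: bytes) -> bytes:
    # Stand-in keyed checksum (HMAC-MD5); not one of the Kerberos types.
    return hmac.new(key, message, hashlib.md5).digest()


def crc_change_is_predictable(messages, edit_mask) -> bool:
    """True if every message shows exactly the change crc_delta() predicts."""
    want = crc_delta(edit_mask)
    return all(zlib.crc32(m) ^ zlib.crc32(xor_bytes(m, edit_mask)) == want
               for m in messages)


def keyed_change_is_predictable(key, messages, edit_mask) -> bool:
    """True only if the keyed checksum changes identically for every message."""
    deltas = {xor_bytes(keyed_checksum(key, m),
                        keyed_checksum(key, xor_bytes(m, edit_mask)))
              for m in messages}
    return len(deltas) == 1


if __name__ == "__main__":
    print("CRC-32 change predictable from the edit alone:",
          crc_change_is_predictable(MESSAGES, EDIT_MASK))
    print("Keyed checksum change predictable:",
          keyed_change_is_predictable(KEY, MESSAGES, EDIT_MASK))
```
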

The RSA MD4 Checksum (rsa-md4)

The RSA-MD4 checksum uses the RSA MD4 algorithm to calculate a checksum. The algorithm takes a message of arbitrary length as input and outputs a 128-bit (16-byte) checksum. RSA-MD4 is collision-proof.

RSA MD4 Cryptographic Checksum Using DES (rsa-md4-des)

The RSA-MD4-DES checksum calculates a keyed collision-proof checksum and requires an 8-byte confounder before the text. The calculation applies the RSA MD4 checksum algorithm, and encrypts the confounder and the checksum using DES in Cipher Block Chaining (CBC) mode. It uses a variant of the session key, where the variant is computed by exclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. A variant of the key is used to limit the use of a key to a particular function, separating the function of generating a checksum from other encryption performed using the session key. The constant F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The initialization vector should be zero. The resulting checksum is 24 bytes long, 8 bytes of which are redundant. This checksum is tamperproof and collision-proof.

The RSA MD5 Checksum (rsa-md5)

The RSA-MD5 checksum uses the RSA MD5 algorithm to calculate a checksum. The algorithm takes a message of arbitrary length as input and outputs a 128-bit (16-byte) checksum. RSA-MD5 is collision-proof.

RSA MD5 Cryptographic Checksum Using DES (rsa-md5-des)

The RSA-MD5-DES checksum calculates a keyed collision-proof checksum, the same way the RSA-MD4-DES checksum is calculated, except using RSA-MD5 rather than RSA-MD4. The resulting checksum is 24 bytes long, 8 bytes of which are redundant. This checksum is tamperproof and collision-proof.
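The key variant and the 24-byte length described for rsa-md4-des and rsa-md5-des can be worked through as follows. This is an added example, not code from the book or from any Kerberos distribution: it derives the checksum key variant, checks that DES odd parity survives the XOR, and builds the 24 bytes that are then DES-CBC encrypted with a zero initialization vector. The key material and confounder are constructed sample values and the function names are hypothetical; the DES encryption itself is not performed, because the Python standard library has no DES.

```python
import hashlib

# Constant given in the text. 0xF0 flips four bits per byte (an even number),
# so the odd parity of each DES key byte is unchanged.
VARIANT_CONSTANT = bytes.fromhex("F0F0F0F0F0F0F0F0")
# Constructed sample values (not from any real realm or session).
SAMPLE_KEY_MATERIAL = bytes.fromhex("0123456789abcdef")
SAMPLE_CONFOUNDER = bytes.fromhex("1122334455667788")  # normally 8 random bytes


def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (1 if bin(high7).count("1") % 2 == 0 else 0))
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def xor_key(key: bytes, constant: bytes) -> bytes:
    return bytes(k ^ c for k, c in zip(key, constant))


def checksum_key_variant(session_key: bytes) -> bytes:
    """Key used only for checksums: session key XOR F0F0F0F0F0F0F0F0."""
    return xor_key(session_key, VARIANT_CONSTANT)


def checksum_input(confounder: bytes, message: bytes) -> bytes:
    """Bytes handed to DES-CBC (zero IV, variant key) for rsa-md5-des:
    the 8-byte confounder followed by MD5(confounder || message)."""
    if len(confounder) != 8:
        raise ValueError("confounder must be 8 bytes")
    return confounder + hashlib.md5(confounder + message).digest()


if __name__ == "__main__":
    key = set_odd_parity(SAMPLE_KEY_MATERIAL)
    variant = checksum_key_variant(key)
    print("session key:", key.hex(), "odd parity:", has_odd_parity(key))
    print("variant key:", variant.hex(), "odd parity:", has_odd_parity(variant))
    print("checksum input length:", len(checksum_input(SAMPLE_CONFOUNDER, b"msg")))
```

The 24-byte input is three DES blocks, so the CBC output is also 24 bytes: 16 bytes carry the digest and the 8 confounder bytes account for the redundancy the text mentions.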

DES Cipher Block Chained Checksum (des-mac)

The DES-MAC checksum is computed by prepending an 8-byte confounder to the plaintext and using the session key to perform a DES CBC-mode encryption on the result. The initialization vector should be zero. It encrypts the same confounder and the last 8-byte block of the ciphertext using DES in Cipher Block Chaining mode and a variant of the key as described in rsa-md4-des. The initialization vector should be zero. The resulting checksum is 128 bits (16 bytes) long, 64 bits of which are redundant. This checksum is tamperproof and collision-proof.

RSA MD4 Cryptographic Checksum Using DES Alternative (rsa-md4-des-k)

The RSA-MD4-DES-K checksum calculates a keyed collision-proof checksum. It uses the RSA MD4 checksum algorithm and encrypts the result using DES in Cipher Block Chaining mode. The DES key is used as both key and initialization vector. The resulting checksum is 16 bytes long. This checksum is tamperproof and collision-proof. This checksum type is the old method for encoding the RSA-MD4-DES checksum and is no longer recommended. It is supported to provide backward compatibility.

DES Cipher-Block Chained Checksum Alternative (des-mac-k)

The DES-MAC-K checksum is computed by performing a DES CBC-mode encryption of the plaintext. The last block of the ciphertext is used as the checksum value. It is keyed with an encryption key and an initialization vector. Any uses that do not specify an additional initialization vector will use the key as both key and initialization vector. The resulting checksum is 64 bits (8 bytes) long. This checksum is tamperproof and collision-proof. This checksum type is the old method for encoding the DES-MAC checksum and is no longer recommended. It is supported to provide backward compatibility.

Versions of Kerberos

Several different versions and distributions of Kerberos are available. Most of them are based on MIT distributions in one form or another, but the lineage isn’t always simple to trace. The newest version of MIT Kerberos is version 5. Versions 4 and 5 are based on completely different protocols. The MIT Kerberos version 5 distribution contains some compatibility code to support conversion from version 4:

  The Kerberos version 5 server can optionally service version 4 requests.
  A program enables users to convert a version 4 format Kerberos database to a version 5 format database.
  An administration server that accepts version 4 protocol and operates on a version 5 database.

Some distributions are freely available, some are stand-alone commercial products, and others are part of a larger free or commercial system.

Versions of Kerberos Version 4

There are several version 4 distributions available. Because version 4 is not totally compatible with version 5, organizations starting new Kerberos installations should consider starting at version 5.

MIT Kerberos Version 4 Availability

MIT version 4 is freely available in the U.S. and Canada through anonymous FTP from athena-dist.mit.edu (18.71.0.38). For specific instructions, change to the pub/Kerberos directory and download the file README.KRB4 (for version 4) or README.KRB5 (for version 5), both of which are text files that explain the export restrictions and contain detailed instructions on how to download the source code via anonymous FTP. Locations outside North America may use the Bones version.

