Yeah, we need to catch up with latest updates in this aspect and deprecate some of encryption and checksum types for security considerations. I think this can done prior to 1.0.0, aligning with both MIT Kerberos and Oracle Java.
Regards, Kai -----Original Message----- From: Emmanuel Lécharny [mailto:[email protected]] Sent: Friday, January 08, 2016 8:10 PM To: [email protected] Subject: Cheskum types Hi, as I'm reviewing the ChecksumType enum, I think there is a bit of work to do here. This enum is a copy of the krb5.hin file, which is a bit old. I was able to find most of the RFCs where the various checksums are defined, mostly RFC 3961, but some other RFC are also in use (RFC 3962, RFC 4757 updated by RFC 6649). 1 CRC32 /** Defined in RFC 3961, section 6.1.3 */ 2 RSA_MD4 /** Defined in RFC 3961, section 6.1.2 */ 3 RSA_MD4_DES /** Defined in RFC 3961, section 6.2.5 */ 4 DES_CBC ??? 4 DES_MAC /** Defined in RFC 3961, section 6.2.7 */ 5 DES_MAC_K undefined 6 RSA_MD4_DES_K undefined 7 RSA_MD5 /** Defined in RFC 3961, section 6.1.1 */ 8 RSA_MD5_DES /** Defined in RFC 3961, section 6.2.4 */ 9 RSA_MD5_DES3 undefined 9 NIST_SHA ??? 12 HMAC_SHA1_DES3 /** Defined in RFC 3961, section 6.3 */ 12 HMAC_SHA1_DES3_KD same 15 HMAC_SHA1_96_AES128 /** Defined in RFC 3962, section 7 */ 16 HMAC_SHA1_96_AES256 /** Defined in RFC 3962, section 7 */ 17 CMAC_CAMELLIA128 /** Defined in RFC 6803, section 9 */ 18 CMAC_CAMELLIA256 /** Defined in RFC 6803, section 9 */ //Microsoft netlogon cksumtype -137 MD5_HMAC_ARCFOUR //Microsoft md5 hmac cksumtype -138 HMAC_MD5_ARCFOUR /** Defined in RFC 4757, section 4 */ -138 HMAC_MD5_ENC /** Defined in RFC 4757, section 4 */ -138 HMAC_MD5_RC4 /** Defined in RFC 4757, section 4 */ So here, we have two things : the MD5_HMAC_ARCFOUR checkusm type is for an old M$ Protocol (NT 4.0) and I'm not sure we should use it, and the RFC 6649 proposes to deprecate checksum type CRC32(1), RSA-MD4(2), RSA-MD4-DES(3), DES-MAC(4), DES-MAC-K(5), RSA-MD4-DES-K(6), RSA-MD5-DES(8). What should we do regarding those recent recommandations ?
