6.4.3. RSA MD4 Cryptographic Checksum Using DES (rsa-md4des)

The RSA-MD4-DES checksum calculates a keyed collisionproof checksum by prepending an 8 octet confounder before the text, applying the RSA MD4 checksum algorithm, and encrypting the confounder and the checksum using DES in cipher-block-chaining (CBC) mode using a variant of the key, where the variant is computed by eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0 (A variant of the key is used to limit the use of a key to a particular function, separating the functions of generating a checksum from other encryption performed using the session key. The constant F0F0F0F0F0F0F0F0 was chosen because it maintains key parity. The properties of DES precluded the use of the complement. The same constant is used for similar purpose in the Message Integrity Check in the Privacy Enhanced Mail standard.). The initialization vector should be zero. The resulting checksum is 24 octets long (8 octets of which are redundant). This checksum is tamper-proof and believed to be collision-proof.

The DES specifications identify some "weak keys"; those keys shall not be used for generating RSA-MD4 checksums for use in Kerberos.

The format for the checksum is described in the following diagram:

      +--+--+--+--+--+--+--+--
      |  des-cbc(confounder
      +--+--+--+--+--+--+--+--

                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
                        rsa-md4(confounder+msg),key=var(key),iv=0)  |
                    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

The format cannot be described in ASN.1, but for those who prefer an ASN.1-like notation:

   rsa-md4-des-checksum ::=   ENCRYPTED       UNTAGGED SEQUENCE {
                              confounder[0]   UNTAGGED OCTET STRING(8),
                              check[1]        UNTAGGED OCTET STRING(16)
   }