6.4.6. DES cipher-block chained checksum (des-mac)

The DES-MAC checksum is computed by prepending an 8 octet confounder to the plaintext, performing a DES CBC-mode encryption on the result using the key and an initialization vector of zero, taking the last block of the ciphertext, prepending the same confounder and encrypting the pair using DES in cipher-block-chaining (CBC) mode using a a variant of the key, where the variant is computed by eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting checksum is 128 bits (16 octets) long, 64 bits of which are redundant. This checksum is tamper-proof and collision-proof.

The format for the checksum is described in the following diagram:

      +--+--+--+--+--+--+--+--
      |   des-cbc(confounder
      +--+--+--+--+--+--+--+--

                     +-----+-----+-----+-----+-----+-----+-----+-----+
                       des-mac(conf+msg,iv=0,key),key=var(key),iv=0) |
                     +-----+-----+-----+-----+-----+-----+-----+-----+

The format cannot be described in ASN.1, but for those who prefer an ASN.1-like notation:

   des-mac-checksum ::=    ENCRYPTED       UNTAGGED SEQUENCE {
                           confounder[0]   UNTAGGED OCTET STRING(8),
                           check[1]        UNTAGGED OCTET STRING(8)
   }

The DES specifications identify some "weak" and "semiweak" keys; those keys shall not be used for generating DES-MAC checksums for use in Kerberos, nor shall a key be used whose veriant is "weak" or "semi-weak".