The RSA-MD5-DES checksum calculates a keyed collisionproof checksum by prepending an 8 octet confounder before the text, applying the RSA MD5 checksum algorithm, and encrypting the confounder and the checksum using DES in cipher-block-chaining (CBC) mode using a variant of the key, where the variant is computed by eXclusive-ORing the key with the constant F0F0F0F0F0F0F0F0. The initialization vector should be zero. The resulting checksum is 24 octets long (8 octets of which are redundant). This checksum is tamper-proof and believed to be collision-proof.
The DES specifications identify some "weak keys"; those keys shall not be used for encrypting RSA-MD5 checksums for use in Kerberos.
The format for the checksum is described in the following diagram:
+--+--+--+--+--+--+--+-- | des-cbc(confounder +--+--+--+--+--+--+--+-- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ rsa-md5(confounder+msg),key=var(key),iv=0) | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
The format cannot be described in ASN.1, but for those who prefer an ASN.1-like notation:
rsa-md5-des-checksum ::= ENCRYPTED UNTAGGED SEQUENCE { confounder[0] UNTAGGED OCTET STRING(8), check[1] UNTAGGED OCTET STRING(16) }