support out-of-header-authentication

[andersk-auto]

There is an idea by jhutz & cg2v to establish session keys using
an authenticator in the message body and rely on checksums for subsequent auth.

[andersk-auto]

Imported from trac issue 124. Created by kcr@ATHENA.MIT.EDU on 2013-10-06T23:44:36, last modified: 2013-10-06T23:44:44