Kerberos etype des3-cbc-md5
Sam Hartman
hartmans at MIT.EDU
Tue Aug 13 07:46:09 EDT 2002
>>>>> "Srinivas" == Srinivas Cheruku <csri at sonata-software.com> writes:
Srinivas> Hi, Does MIT Kerberos support des3-cbc-md5? I didn't
Srinivas> find the Kerberos etype des3-cbc-md5 in the Kerberos
Srinivas> source. Can anyone help me out in this regard? If
Srinivas> anyone has implemented this etype, Please can you share
Srinivas> your code?
No, we do not. We used to support it in a #if 0 block, because it was
highly experimental . Some people started implementing it even though
the standard was not complete, and we thought this implementation was
due in part to our code so we removed our code.
As it turns out des3-cbc-md5 is a lot weaker than the KD enctypes the
IETF seems to have consensus on. I would not feel comfortable using
des3-cbc-md5 in production in environments where des3 was being used
for security reasons.
More information about the Kerberos
mailing list