MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4
Mike Friedman
mikef at ack.Berkeley.EDU
Mon Mar 17 11:58:53 EST 2003
In relation to MITKRB5-SA-2003-004 announced today, I have a question
about my potential vulnerability.
My KDC (1.2.5) supports V4 only to the extent that it will issue a V4
(as well as a V5) TGT. I've been planning to turn this off anyway
(subject to investigation of whether we have any V4 applications floating
around), but I wonder if supporting this feature is sufficient to make
us vulnerable. I don't support DES3 keys at all (V4 or V5) and my only
cross-realm arrangement is with a local Win2k Active Directory KDC (which,
of course, is V5).
So, my question is:
Is it *necessary* for me to turn off issuance of V4 TGTs in my KDC in order
to completely protect myself from the latest announced vulnerability?
Thanks.
Mike
------------------------------------------------------------------------------
Mike Friedman                          System and Network Security
mikef at ack.Berkeley.EDU              2484 Shattuck Avenue
1-510-642-1410                         University of California at Berkeley
http://ack.Berkeley.EDU/~mikef         http://security.berkeley.edu
------------------------------------------------------------------------------
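The KDC setting the question turns on, shown as an added kdc.conf illustration that is not part of the post or of the MIT advisory. It assumes an MIT krb5 1.2.x-era KDC in which the [kdcdefaults] option v4_mode (values none, full, nopreauth, disable) governs how Kerberos 4 requests are handled and kdc_ports lists the UDP ports the KDC listens on, 750 being the Kerberos 4 port; check both against the kdc.conf(5) page shipped with the installed version before relying on them.

```ini
; kdc.conf fragments (added illustration, not from the post or the advisory).
; Assumption: on this KDC version, v4_mode in [kdcdefaults] selects Kerberos 4
; request handling, and 750 in kdc_ports is the Kerberos 4 listener.

; --- Current state described in the post: V4 TGTs are still issued ---
; Every Kerberos 4 request is answered, so V4 tickets (and the V4 cipher
; usage the advisory is about) remain available to any client that asks.
[kdcdefaults]
    kdc_ports = 88,750
    v4_mode = full

; --- Hardened alternative: issue no V4 tickets at all ---
; The KDC refuses Kerberos 4 requests and no longer listens on port 750.
; Any leftover V4 application now fails at the KDC, which doubles as the
; inventory check the post mentions: watch the KDC log for refused V4
; requests for a while before removing the port from the firewall rules.
[kdcdefaults]
    kdc_ports = 88
    v4_mode = none
```

The two [kdcdefaults] stanzas are alternatives for the same file, not meant to coexist; pick one. Restart the KDC after the change, since kdc.conf is read at start-up.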