3DES or equivalent telnet encryption with kerberos
Jeffrey Altman
jaltman2 at nyc.rr.com
Sun Sep 21 01:44:58 EDT 2003
Markus:

Your patch is close to the correct way to do this. The primary issue is
the question of the encryption key to use. You want to use the 3DES
session key if it is available.

However, there is a bigger problem. The existing Kerberos 5 telnet code
base always takes the first 8 bytes of the key regardless of length and
uses it for both the inbound and outbound keys. This is in violation of
the current Telnet Encryption draft. That is why there is a restriction
for Kerberos 5 that it can only use single DES session keys. If a
session key with greater than 8 bytes of key data were used, the
truncation applied in the current code would make the communication
between the client and server incompatible if single DES were ever
negotiated.

- Jeffrey Altman

Markus Moeller wrote:
> I would like to encrypt a kerberised telnet session stronger than with DES.
> I assume that this has been done in the past, but I haven't found any
> example. But I found the below telnet client/server source from the srp
> project which has 3DES/CAST128 encryption and modified the kerberos5.c file
> to allow 3DES encryption.
>
> The source can be found at http://srp.stanford.edu/source/srp-2.0.0.tar.gz
> together with the attached patch and the below configure command I got it to
> work on Suse Linux with MIT 1.3.1 and a W2k kdc and RC4-hmac cipher.
>
> LDFLAGS="-Wl,-R/usr/kerberos/lib" \
> ./configure --with-krb5=/src/mitk5-131/kerberos/src --without-srp \
> --without-cast --disable-tls
>
> As I am not an expert in cryptography I would like to know if this is
> correctly implemented.
>
> Thank you for any help/suggestions.
>
> Markus
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos