3DES or equivalent telnet encryption with kerberos

Jeffrey Altman jaltman2 at nyc.rr.com
Sun Sep 21 01:44:58 EDT 2003


Markus:

Your patch is close to the correct way to do this.  The primary issue is 
the question of the encryption key to use.  You want to use the 3DES 
session key if it is available.

However, there is a bigger problem.  The existing Kerberos 5 telnet code 
base always takes the first 8 bytes of the key regardless of length and 
uses it for both the inbound and outbound keys.  This is in violation of 
the current Telnet Encryption draft.  That is why there is a restriction 
for Kerberos 5 that it can only use single DES session keys.  If a 
session key with greater than 8 bytes of key data were used, the 
truncation applied in the current code would make the communication 
between the client and server incompatible if single DES were ever 
negotiated.

- Jeffrey Altman



Markus Moeller wrote:
> I would like to encrypt a kerberised telnet session stronger than with DES.
> I assume that this has been done in the past, but I haven't found any
> example. But I found the below telnet client/server source from the srp
> project which has 3DES/CAST128 encryption and modified the kerberos5.c file
> to allow 3DES encryption.
> 
> The source can be found at http://srp.stanford.edu/source/srp-2.0.0.tar.gz
> together with the attached patch and the below configure command I got it to
> work on Suse Linux with MIT 1.3.1 and a W2k kdc and RC4-hmac cipher.
> 
> LDFLAGS="-Wl,-R/usr/kerberos/lib" \
> ./configure --with-krb5=/src/mitk5-131/kerberos/src --without-srp \
>   --without-cast --disable-tls
> 
> As I am not an expert in cryptography I would like to know if this is
> correctly implemented.
> 
> Thank you for any help/suggestions.
> 
> Markus
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


