3DES or equivalent telnet encryption with kerberos

Markus Moeller markus_moeller at compuserve.com
Sun Sep 21 08:46:47 EDT 2003


Jeffrey,

What must I change to handle the session keys correctly?

Thank you
Markus

----- Original Message ----- 
From: "Jeffrey Altman" <jaltman2 at nyc.rr.com>
To: "Markus Moeller" <markus_moeller at compuserve.com>
Cc: <kerberos at mit.edu>
Sent: Sunday, September 21, 2003 6:44 AM
Subject: Re: 3DES or equivalent telnet encryption with kerberos


>
> Markus:
>
> Your patch is close to the correct way to do this.  The primary issue is
> the question of the encryption key to use.  You want to use the 3DES
> session key if it is available.
>
> However, there is a bigger problem.  The existing Kerberos 5 telnet code
> base always takes the first 8 bytes of the key regardless of length and
> uses it for both the inbound and outbound keys.  This is in violation of
> the current Telnet Encryption draft.  That is why there is a restriction
> for Kerberos 5 that it can only use single DES session keys.  If a
> session key with greater than 8 bytes of key data were used, the
> truncation applied in the current code would make the communication
> between the client and server incompatible if single DES were ever
> negotiated.
>
> - Jeffrey Altman
>
>
>
> Markus Moeller wrote:
> > I would like to encrypt a kerberised telnet session stronger than with DES.
> > I assume that this has been done in the past, but I haven't found any
> > example. But I found the below telnet client/server source from the srp
> > project which has 3DES/CAST128 encryption and modified the kerberos5.c file
> > to allow 3DES encryption.
> >
> > The source can be found at http://srp.stanford.edu/source/srp-2.0.0.tar.gz
> > together with the attached patch and the below configure command I got it to
> > work on Suse Linux with MIT 1.3.1 and a W2k kdc and RC4-hmac cipher.
> >
> > LDFLAGS="-Wl,-R/usr/kerberos/lib" \
> > ./configure --with-krb5=/src/mitk5-131/kerberos/src --without-srp \
> >     --without-cast --disable-tls
> >
> > As I am not an expert in cryptography I would like to know if this is
> > correctly implemented.
> >
> > Thank you for any help/suggestions.
> >
> > Markus
> >



