cisco & krb5
Sam Hartman
hartmans at MIT.EDU
Thu Mar 25 12:52:28 EST 2004
>>>>> "Mihai" == Mihai RUSU <dizzy at roedu.net> writes:
Mihai> On Wed, 24 Mar 2004, Sam Hartman wrote:
>> Try ktadd -e des-cbc-crc:normal principalname
Mihai> Yes, works perfectly, thank you all for your
Mihai> answer. Another question whould be which method is "more
Mihai> secore(tm)" des-cbc-crc or des-cbc-md5 ? ;)
This is a briefly considered opinion; I may be overlooking something.
I expect it doesn't matter that much. We've seen at least one attack
where des-cbc-md5 was more vulnerable than des-cbc-crc. However md5
was intended to be a cryptographic hash and crc is not. Crc is also a
shorter value (32 bits) so the chance of a random collision is much
higher. But there is a confounder added to the encryption, so in many
cases such random collisions won't help an attacker much.
Perhaps the right answer is that DES isn't particularly secure these
days.
More information about the Kerberos
mailing list