potential for harm in DES AD/MIT trust
Brian Davidson
bdavids1 at gmu.edu
Fri Jul 22 13:37:35 EDT 2005
On Jun 4, 2005, at 11:27 AM, Jeffrey Altman wrote:
> The MIT Kerberos team worked with the Microsoft Windows Security team
> to make sure that RC4-HMAC could be used for cross-realm authentication
> by Windows Server specifically because of the concerns you raise. DES
> keys are very weak and if they must be used because that is all that is
> supported, then the keys must be replaced on a very regular basis
> until such time as they no longer need to be used.
>
> With 2003 Server SP1 there should no longer be a reason to use DES keys
> for anything but compatibility with Java 1.5 and earlier.

Has anyone had success with this? I just tried to use RC4-HMAC for a
cross-realm trust with Server 2003 SP1, and it didn't work. I could
only get the trust to work with a DES key.

Do you know if Microsoft has any of this documented anywhere? I didn't
see any mention of this in the "Windows Server 2003 Service Pack 1 list
of updates".

I'm hoping there's just a registry setting that needs to be made to
enable this...

Thanks,
Brian Davidson
George Mason University