potential for harm in DES AD/MIT trust

Jeffrey Altman jaltman2 at nyc.rr.com
Sat Jun 4 11:27:27 EDT 2005


David Ressman wrote:
> As it's been pointed out to me, many of our peer institutions have
> accepted the risk and have set up trusts in their production domains
> using des-cbc keys. What do they know that I don't?

David:

The MIT Kerberos team worked with the Microsoft Windows Security team
to make sure that RC4-HMAC could be used for cross-realm authentication
by Windows Server specifically because of the concerns you raise. DES
keys are very weak and if they must be used because that is all that is
supported, then the keys must be replaced on a very regular basis
until such time as they no longer need to be used.

With 2003 Server SP1 there should no longer be a reason to use DES keys
for anything but compatibility with Java 1.5 and earlier.

Jeffrey Altman


-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

