Fwd: Kerb5 features

Dennis Davis D.H.Davis at bath.ac.uk
Thu Apr 18 08:34:07 EDT 2013


On Wed, 17 Apr 2013, Mengjia Ding wrote:

> From: Mengjia Ding <md771 at york.ac.uk>
> To: kerberos at mit.edu
> Date: Wed, 17 Apr 2013 21:02:48
> Subject: Fwd: Kerb5 features
> 
> I'm a student from University of York. Now I'm planning for
> a paper about the modifications from kerb4 to kerb5. I was
> searching some useful information on your website. Unfortunately,
> I couldn't find anything about kerb4 which can help me to find
> the differences or improvement between kerb4 and kerb5. So can
> you support me some information about the features of kerb5,
> especially for those modifications countering threats addressed
> by each change?

See:

http://web.mit.edu/kerberos/krb4-end-of-life.html

I'd have thought the switch away from enforced "weak" DES encryption
was significant.  See:

http://www.schneier.com/paper-keylength.html

for some background.

Kerberos5 introduced a framework which allowed for an expanding list
of encryption types.  For example the introduction of the Camellia
family of encryption types in recent versions of Kerberos5.

Also Reference [2] from the above might prove useful.

I'm sure I've only touched on the surface of this subject and more
capable others could chime in.

As a site we started with Kerberos4 in 1991 (I think) and migrated
to Kerberos5 in 2004.  We now have good interoperability with
Heimdal (My OpenBSD machines work well with our MIT Kerberos-based
machines) and, at least in theory, Microsoft's Active Directory.
Shudder, I wouldn't want to go back.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk               Phone: +44 1225 386101
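
Added example (not part of the original message and not MIT Kerberos code): a Python check that reads the enctype lists in the [libdefaults] section of a krb5.conf and reports any single-DES types still listed, the "weak" DES encryption the reply above refers to. The sample configuration and the realm EXAMPLE.ORG are constructed.

```python
import re

# krb5.conf [libdefaults] relations that hold enctype lists.
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def is_single_des(name):
    # Matches des-cbc-crc, des-cbc-md5, ... and the "des" family alias, not des3-*.
    n = name.lower()
    return n == "des" or n.startswith("des-")

def audit_libdefaults(conf_text):
    """Return (allow_weak_crypto, {relation: [single-DES enctypes listed]})."""
    section, allow_weak, findings = None, False, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)     # section header
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "allow_weak_crypto":
            allow_weak = value.lower() in ("true", "t", "yes", "y", "on", "1")
        elif key in ENCTYPE_KEYS:
            # Lists are space- or comma-separated; a leading '-' removes a type.
            names = [t for t in re.split(r"[\s,]+", value) if t and not t.startswith("-")]
            weak = [t.lstrip("+") for t in names if is_single_des(t.lstrip("+"))]
            if weak:
                findings[key] = weak
    return allow_weak, findings

# Constructed sample configuration, for illustration only.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 camellia256-cts-cmac des3-cbc-sha1 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, des-cbc-md5
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

if __name__ == "__main__":
    weak_ok, found = audit_libdefaults(SAMPLE)
    print("allow_weak_crypto:", weak_ok, "single-DES listed:", found)
```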

