Is RC4 encryption still strong enough?

Russ Allbery eagle at eyrie.org
Wed Nov 13 14:24:17 EST 2013


"Edgecombe, Jason" <jwedgeco at uncc.edu> writes:

> Is the rc4-hmac cipher in MIT Kerberos still OK to use?

The RC4 cipher as implemented by anyone is certainly less than ideal.
It's theoretically weaker than AES, and while Kerberos's use of the cipher
is probably not vulnerable to most of the successful attacks against RC4
in the TLS context, they shouldn't be making anyone feel comfortable.  It
also has the very long-standing problem that the RC4 string-to-key
function is not salted, which by itself is a very good reason to never use
the cipher.

I would be making plans to retire it as soon as you can (which in practice
means as soon as you've retired Windows XP and Windows Server 2003, which
can only do RC4 and DES).  We are.

Note that if you serve RADIUS with the MS-CHAPv2 protocol from a Kerberos
KDC (unlikely if you're using MIT Kerberos, but I don't know what glue
FreeRADIUS may have), my understanding is that version of the RADIUS
protocol sends RC4 keys as the user's authentication token and therefore
may require that you have those keys in the KDB.  The solution is probably
to switch to a different RADIUS protocol.

> BTW, I'm still in the process of retiring DES encryption on my KDC. My
> KDC is upgraded to 1.11 and I'm using the default supported_enctypes,
> including rc4-hmac.

Retiring DES is considerably more urgent than retiring RC4.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

