Crypto backends for MIT Kerberos V5

Arpit Srivastava arpit.orb at gmail.com
Mon Apr 14 07:41:50 EDT 2014


Thanks Greg,

1. Is the built-in crypto backend enough for PKINIT to work, or do we need
anything else in addition for that?
2. Has the built-in crypto backend been tested against vulnerabilities, and how
about support offered by the community if any issue related to the built-in crypto
backend is reported in future?

Arpit

On Thu, Apr 10, 2014 at 10:55 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 04/10/2014 12:42 PM, Arpit Srivastava wrote:
> > 1. Can somebody enumerate what are the differences between OpenSSL and
> > builtin crypto backends? What benefits do I have if I use OpenSSL and not
> > the builtin version?
>
> There shouldn't be any easily observable benefits or drawbacks except
> perhaps for performance.  Because of API impedance mismatches, I think
> the built-in module typically gets the best performance in software, but
> the story may change if OpenSSL is configured to use hardware accelerators.
>
> We have selectable crypto modules because some downstream users have an
> interest in consolidating crypto implementations for certificational
> reasons or to more easily address the risk of side-channel attacks.
>
> > 2. Is builtin crypto backend completely interoperable with Windows
> > infrastructure (AD etc) ?
>
> There should be no functional differences between the different crypto
> modules, so to the extent that we are interoperable with Windows on one
> back end, we should be interoperable with Windows on all of them.
>
> > 5. What version of OpenSSL is compliant with krb-1.10 onwards - because I
> > found some updates related to Camellia cipher etc.
>
> I believe OpenSSL 1.0 or later is required for the openssl crypto module
> because we use CRYPTO_cts128_encrypt and CRYPTO_cts128_decrypt.
>
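Greg's remark that the openssl module depends on CRYPTO_cts128_encrypt and CRYPTO_cts128_decrypt refers to CBC with ciphertext stealing, the mode the Kerberos AES enctypes use (RFC 3962): the ciphertext is exactly as long as the plaintext, with the last two CBC blocks swapped and the penultimate one truncated, so no padding bytes ever go on the wire. The block below is an added illustration of that mode and is not code from this thread, from MIT krb5 or from OpenSSL. ToyBlockCipher, the key and the IV are constructed stand-ins: the toy cipher is only an invertible 16-byte permutation so that the mode logic can run offline, and must not be mistaken for AES.

```python
"""CBC with ciphertext stealing (the swapped-last-two-blocks variant used by
RFC 3962 Kerberos AES enctypes), written over a TOY block cipher.

Constructed example: ToyBlockCipher is a keyed byte permutation with no
security properties at all; it exists only so the mode can be exercised.
"""
import random

BLOCK = 16  # AES block size; the toy cipher uses the same width


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBlockCipher:
    """Invertible 16-byte block permutation standing in for AES (NOT secure)."""

    def __init__(self, key: bytes):
        self.key = key
        table = list(range(256))
        random.Random(key).shuffle(table)      # deterministic keyed S-box
        self.sbox = bytes(table)
        inv = [0] * 256
        for i, v in enumerate(table):
            inv[v] = i
        self.inv_sbox = bytes(inv)

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        return bytes(self.sbox[b ^ self.key[i % len(self.key)]]
                     for i, b in enumerate(block))

    def decrypt_block(self, block: bytes) -> bytes:
        assert len(block) == BLOCK
        return bytes(self.inv_sbox[b] ^ self.key[i % len(self.key)]
                     for i, b in enumerate(block))


def cbc_encrypt(cipher, iv: bytes, data: bytes) -> bytes:
    """Plain CBC over a whole number of blocks (no padding)."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = cipher.encrypt_block(xor_bytes(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(cipher, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out += xor_bytes(cipher.decrypt_block(blk), prev)
        prev = blk
    return bytes(out)


def cts_encrypt(cipher, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-CTS: output length == input length for any input of >= one block."""
    if len(plaintext) < BLOCK:
        raise ValueError("CTS needs at least one full block of input")
    if len(plaintext) == BLOCK:
        return cbc_encrypt(cipher, iv, plaintext)  # single block: plain CBC
    d = len(plaintext) % BLOCK or BLOCK            # bytes in the final block
    padded = plaintext + bytes(BLOCK - d)          # zero pad is never sent
    c = cbc_encrypt(cipher, iv, padded)
    # Swap the last two blocks and keep only d bytes of the penultimate one;
    # its stolen tail is recoverable from the final block on decryption.
    return c[:-2 * BLOCK] + c[-BLOCK:] + c[-2 * BLOCK:-BLOCK][:d]


def cts_decrypt(cipher, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) < BLOCK:
        raise ValueError("CTS needs at least one full block of input")
    if len(ciphertext) == BLOCK:
        return cbc_decrypt(cipher, iv, ciphertext)
    d = len(ciphertext) % BLOCK or BLOCK
    head = ciphertext[:len(ciphertext) - BLOCK - d]        # C1 .. C(n-2)
    c_n = ciphertext[len(head):len(head) + BLOCK]          # full last block
    c_n1_frag = ciphertext[len(head) + BLOCK:]             # C(n-1)[:d]
    x = cipher.decrypt_block(c_n)          # = C(n-1) XOR (Pn || zeros)
    c_n1 = c_n1_frag + x[d:]               # stolen tail of C(n-1) is x[d:]
    p_n = xor_bytes(x[:d], c_n1_frag)
    prev = head[-BLOCK:] if head else iv
    p_n1 = xor_bytes(cipher.decrypt_block(c_n1), prev)
    return cbc_decrypt(cipher, iv, head) + p_n1 + p_n


if __name__ == "__main__":
    toy = ToyBlockCipher(b"constructed-key!")   # constructed key, not real
    iv0 = bytes(BLOCK)
    msg = b"Kerberos AES enctypes carry no padding on the wire"
    ct = cts_encrypt(toy, iv0, msg)
    print(len(msg), len(ct), cts_decrypt(toy, iv0, ct) == msg)
```

Running the module shows the ciphertext length equal to the plaintext length and a successful round trip; the CBC helpers are exposed so the swapped-block layout can be compared against plain CBC on block-aligned input.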

