Fwd: etypes - weak vs medium vs strong
Zhanna Tsitkova
tsitkova at MIT.EDU
Mon Apr 6 18:36:21 EDT 2009
medium slot is for 3DES
Begin forwarded message:
> From: Sam Hartman <hartmans at MIT.EDU>
> Date: April 6, 2009 6:29:11 PM EDT
> To: Zhanna Tsitkova <tsitkova at mit.edu>
> Cc: krbcore at mit.edu
> Subject: Re: etypes - weak vs medium vs strong
>
> Unless there is some security or other sensitive issue I'm unaware of,
> it would probably be a good idea to move this to krbdev. We had the
> previous round of discussions of the weak encryption project there
> back in January and some of your ideas are consistent with proposals
> brought up there.
>
> What criteria would you use for medium vs strong? Weak seems fairly
> easy at least for the current instances: an enctype is weak if it has
> been brute forced.
>
> --Sam
>
Begin forwarded message:
> From: Zhanna Tsitkova <tsitkova at MIT.EDU>
> Date: April 6, 2009 6:15:12 PM EDT
> To: krbcore at mit.edu
> Subject: etypes - weak vs medium vs strong
>
> Hi!
> I was looking @ etypes.c and found that some of the enc types are
> marked as ETYPE_WEAK ( des-cbc and friends ) while the others are
> not classified at all. I think it would be a good idea to
> categorize them as weak-medium-strong and in the config file allow
> to indicate just a type, for example
> default_tgs_enctypes = ETYPE_HIGH
>
> I'm coming from the OpenSSL approach (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS).
> In my opinion it makes the config file more readable.
>
> OpenSSL classifies them by
> High - AES128-AES256 - key length > 128
> Medium - 3DES - key length == 128 bits (currently, our des3-cbc-raw is ETYPE_WEAK)
> Low - DES - key length < 128
>
> Thanks,
> Zhanna
>
>
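
The class-keyword idea from the thread (`default_tgs_enctypes = ETYPE_HIGH`), sketched as an added example that is not code from the thread or from MIT krb5: it expands class keywords and explicit enctype names into one ordered list and fails closed on an unknown token. `ETYPE_MEDIUM`, `ETYPE_LOW`, the function names and the table contents are assumptions; the classes follow the High/Medium/Low split quoted above.

```c
#include <string.h>

/* Classes follow the thread: High = AES, Medium = 3DES, Low = DES. */
enum etype_class { CLASS_LOW, CLASS_MEDIUM, CLASS_HIGH };
struct etype { const char *name; enum etype_class cls; };

/* Constructed table of MIT krb5 enctype names, strongest first. */
#define NTABLE 5
static const struct etype table[NTABLE] = {
    { "aes256-cts-hmac-sha1-96", CLASS_HIGH },
    { "aes128-cts-hmac-sha1-96", CLASS_HIGH },
    { "des3-cbc-sha1", CLASS_MEDIUM },
    { "des-cbc-crc", CLASS_LOW },
    { "des-cbc-md5", CLASS_LOW },
};

/* Indexed by enum etype_class. ETYPE_HIGH appears in the thread; the other
 * two keywords are hypothetical. */
static const char *const keywords[] = { "ETYPE_LOW", "ETYPE_MEDIUM", "ETYPE_HIGH" };

/* Expand a value such as "ETYPE_HIGH des3-cbc-sha1" into out[] (room for
 * NTABLE entries). A token selects entries by exact name or class keyword;
 * first mention fixes the order and repeats are dropped.
 * Returns the count, or -1 on an unknown token or oversized value. */
int expand_enctypes(const char *value, const struct etype **out)
{
    char buf[256];
    int n = 0, seen[NTABLE] = { 0 };
    if (strlen(value) >= sizeof(buf)) return -1;
    strcpy(buf, value);
    for (char *tok = strtok(buf, " ,\t"); tok; tok = strtok(NULL, " ,\t")) {
        int hit = 0;
        for (int i = 0; i < NTABLE; i++) {
            if (strcmp(tok, table[i].name) && strcmp(tok, keywords[table[i].cls]))
                continue;
            hit = 1;
            if (!seen[i]++) out[n++] = &table[i];
        }
        if (!hit) return -1; /* fail closed rather than ignore a typo */
    }
    return n;
}

/* Lowest class in an expanded list, so a config check can flag DES. */
enum etype_class weakest_class(const struct etype **list, int n)
{
    enum etype_class w = CLASS_HIGH;
    for (int i = 0; i < n; i++)
        if (list[i]->cls < w) w = list[i]->cls;
    return w;
}
```
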