Fwd: etypes - weak vs medium vs strong
Nicolas.Williams at sun.com
Mon Apr 6 18:56:57 EDT 2009
On Mon, Apr 06, 2009 at 06:36:21PM -0400, Zhanna Tsitkova wrote:
> > From: Zhanna Tsitkova <tsitkova at MIT.EDU>
> > Date: April 6, 2009 6:15:12 PM EDT
> > To: krbcore at mit.edu
> > Subject: etypes - weak vs medium vs strong
> > Hi!
> > I was looking @ etypes.c and found that some of the enc types are
> > marked as ETYPE_WEAK ( des-cbc and friends ) while the others are
> > not classified at all. I think it would be a good idea to
> > categorize them as weak-medium-strong and in the config file allow
> > indicating just a type, for example
> > default_tgs_enctypes = ETYPE_HIGH
> > I'm coming from the OpenSSL approach (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS).
> > In my opinion it makes the config file more readable.
> > OpenSSL classifies them by
> > High - AES128-AES256 - key length > 128
> > Medium - 3DES - key length == 128 bits ( currently, our des3-cbc-raw
> > is ETYPE_WEAK)
> > Low - DES - key length < 128
I'm of the opinion that enctypes' relative strength varies over time as
cryptanalysis advances are uneven.
Therefore this sort of thing should be configurable. Applications and
users should deal in "fast" and "strong" but the actual meanings of
those labels should be configurable.
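
An added illustration of the idea discussed in this thread, not code from either message or from the krb5 source: applications name a label, and a site-editable table decides which enctypes the label means. The class names, the table layout and the `expand` and `demote` helpers are assumptions made for this sketch and are not krb5.conf syntax.

```python
# Added illustration; class names and table layout are assumptions.
KNOWN_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1", "des3-cbc-raw", "des-cbc-crc", "des-cbc-md5",
}

# Constructed site policy as of one point in time.
SITE_CLASSES = {
    "strong": "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96",
    "fast": "aes128-cts-hmac-sha1-96",
    "medium": "des3-cbc-sha1",
    "weak": "des3-cbc-raw des-cbc-crc des-cbc-md5",
    "default": "strong medium",
}


def expand(value, classes, _active=()):
    """Expand a setting such as "strong des3-cbc-sha1" into an ordered,
    de-duplicated list of concrete enctype names."""
    result = []
    for token in value.split():
        if token in classes:
            if token in _active:
                raise ValueError(f"class {token!r} refers to itself")
            names = expand(classes[token], classes, _active + (token,))
        elif token in KNOWN_ENCTYPES:
            names = [token]
        else:
            raise ValueError(f"unknown enctype or class {token!r}")
        for name in names:
            if name not in result:
                result.append(name)
    return result


def demote(classes, enctype, src, dst):
    """Return a new policy with one enctype moved from class src to dst,
    e.g. after a cryptanalytic result changes the site's view of it."""
    updated = dict(classes)
    updated[src] = " ".join(t for t in classes[src].split() if t != enctype)
    updated[dst] = f"{classes[dst]} {enctype}".strip()
    return updated


if __name__ == "__main__":
    print(expand("default", SITE_CLASSES))
    later = demote(SITE_CLASSES, "des3-cbc-sha1", "medium", "weak")
    print(expand("default", later))
```

The application's setting stays `default` in both calls; only the site table changes, so a reclassified enctype drops out without touching each application's configuration.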