Revisiting weak enctypes off by default
hartmans at MIT.EDU
Thu Apr 9 16:25:24 EDT 2009
>>>>> "ghudson" == ghudson <ghudson at MIT.EDU> writes:
ghudson> 2. Appeasing concerns that a client, server, or KDC might
ghudson> be manipulated into using DES via some kind of
ghudson> man-in-the-middle attack or bug. (Even if there is no
ghudson> specific attack or bug which would do this, the simple
ghudson> fact that the code exists and is available for use is a
ghudson> legitimate concern.) Turning off allow_weak_crypto
ghudson> eliminates most of that risk, but again, I am not sure
ghudson> that the use case justifies the default given the
ghudson> possibility of breaking legacy applications.
I have no problem at all with your conclusions.
For completeness, I'll point out that absent FAST, nothing protects
the list of enctypes the client sends in the as-req. So, a
man-in-the-middle can change this list or change the etype-info2
packet in the preauth_required error. That is sufficient to convince
a client or KDC with DES enabled to use it.
FAST defends against this attack. While it is definitely not in the
1.7 time frame, Larry does have a proposal for protecting the
negotiation to FAST.
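
The message above names one precondition for the downgrade: the client or KDC has DES enabled. The following is an added example, not part of the original post and not MIT krb5 code. It audits the `[libdefaults]` section of a krb5.conf for settings that leave DES negotiable. The sample configs are constructed, and the boolean spellings and the default of `false` for `allow_weak_crypto` are assumptions taken from current MIT krb5 documentation.

```python
import re

# Weak enctype names and the "des" family name (assumption: per MIT krb5 docs).
WEAK = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
        "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample configs, not taken from the thread.
LEGACY = """[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
"""
HARDENED = """[libdefaults]
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """List settings that would let a tampered enctype list end in DES."""
    conf = libdefaults(text)
    # Assumption: a missing allow_weak_crypto means false.
    weak_allowed = conf.get("allow_weak_crypto", "false").lower() in ("y", "yes", "true", "t", "1", "on")
    findings = ["allow_weak_crypto is enabled"] if weak_allowed else []
    for key in KEYS:
        names = re.split(r"[\s,]+", conf.get(key, ""))
        # A leading '-' removes an enctype from the list, so it never matches here.
        weak = sorted(n for n in names if n.lower() in WEAK)
        if weak:
            state = "negotiable" if weak_allowed else "listed but filtered"
            findings.append(f"{key}: {', '.join(weak)} ({state})")
    return findings

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(conf))
```

An empty result means the host does not meet the DES-enabled precondition; it says nothing about whether the AS-REQ enctype list was altered in transit.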