Revisiting weak enctypes off by default

Sam Hartman hartmans at MIT.EDU
Thu Apr 9 16:25:24 EDT 2009

>>>>> "ghudson" == ghudson  <ghudson at MIT.EDU> writes:

    ghudson> 2. Appeasing concerns that a client, server, or KDC might
    ghudson> be manipulated into using DES via some kind of
    ghudson> man-in-the-middle attack or bug.  (Even if there is no
    ghudson> specific attack or bug which would do this, the simple
    ghudson> fact that the code exists and is available for use is a
    ghudson> legitimate concern.)  Turning off allow_weak_crypto
    ghudson> eliminates most of that risk, but again, I am not sure
    ghudson> that the use case justifies the default given the
    ghudson> possibility of breaking legacy applications.

I have no problem at all with your conclusions.

For completeness, I'll point out that absent FAST, nothing protectes
the list of enctypes the client sends in the as-req.  So, a
man-in-the-middle can change this list or change the etype-info2
packet in the preauth_required error.  That is sufficient to convince
a client or KDC with DES enabled to use it.

FAST defends against this attack.  While it is definitely not in the
1.7 time frame, Larry does have a proposal for protecting the
negotiation to FAST.

More information about the krbdev mailing list