Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Nicolas.Williams at sun.com
Thu Jan 29 12:53:38 EST 2009

On Wed, Jan 28, 2009 at 09:16:18PM -0500, Tom Yu wrote:
> This project aims to disable single-DES cryptosystems by default. The
> "allow_weak_crypto" libdefaults setting (which is compatible with
> Heimdal) will override this disabling. Note that a more general means
> of configuring enctypes, allowing for explicit inclusions and
> exclusions, is out of scope for this project for time reasons but is
> clearly a better way to accomplish this functionality.
>
> An initial implementation is already committed to the trunk.

Sam comments that this should be mostly driven by the KDC, and I agree.
I'd certainly have no problem with defaulting kadmind to not allow use
of 1DES enctypes for new key/password changes, but having clients/
servers stop using 1DES enctypes because of a software upgrade seems
much more problematic, even though also desirable.

We've recently learned, in the context of SSHv2 and its broken CBC mode
ciphers, just how painful simply disabling weak ciphers can be.

That said, because an attacker could spoof PA-ETYPE-INFO, any client that
allows weak long-term keys can be caused to send PA-ENC-TIMESTAMP
encrypted with weak keys, and that's bad. Sam hinted at this.

So... I'm of two minds on this.

Q: Which deployment is more common: clients with [hostbased] principals
for themselves, or clients without any machine credentials?

A decision to locally exclude 1DES enctypes can be made at realm-join
time. But in the case of unkeyed clients there's no obvious time at
which a krb5.conf could get written that reflects a user's realm's

I do think that syntax for including/excluding ciphers in krb5.conf
would be very useful though. And it doesn't strike me as too complex a
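
An added example, not part of the message above or of the krb5 code base: a small audit of a krb5.conf `[libdefaults]` section that reports whether `allow_weak_crypto` re-enables single-DES and which enctype lists still name a single-DES enctype. The sample config and the function names are constructed for illustration, and an unset `allow_weak_crypto` is assumed to mean "off", the default the proposal describes.

```python
import re

# Single-DES enctype names used by MIT krb5 ("des" is the family alias).
# des3-* is deliberately absent: it must not be flagged by substring match.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes",
                 "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96, des3-cbc-sha1, des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def parse_libdefaults(text):
    """Return the key/value relations found in the [libdefaults] section."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def audit(text):
    """Report whether weak crypto is allowed and which lists name single-DES."""
    conf = parse_libdefaults(text)
    # Assumption: an unset allow_weak_crypto is treated as "off".
    weak = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    named = {}
    for key in ENCTYPE_LISTS:
        tokens = re.split(r"[\s,]+", conf.get(key, "").lower())
        hits = sorted(SINGLE_DES.intersection(tokens))
        if hits:
            named[key] = hits
    verdict = "enabled" if weak else "listed-but-disabled" if named else "disabled"
    return {"weak_allowed": weak, "des_listed": named, "verdict": verdict}
```

A `listed-but-disabled` verdict marks configs where single-DES names remain in an enctype list but stay inactive unless `allow_weak_crypto` is turned back on.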