Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

[Ken Hornstein]

>From a realm management perspective it is not going to be possible to
>simply turn off 1DES.

I respectfully disagree.

We were required to turn off 1DES a long time ago, and any exceptions
we had to document.  We have only two documented 1DES applications:
AFS, and some crappy local Java application that only works with 1DES
(I know, I know ... newer Java implementations supposedly support more
enctypes, but there is some reason that these applications cannot use a
newer Java.  I don't really pretend to know what's going on there, but
the whole thing makes me want to kick the implementer of Java-GSS in
the balls repeatedly, along with whomever thought Java was a good idea
for this application in the first place).

However ... we are actually the exception.  A number of DoD realms that
I work with do not run AFS, and as a result they have zero 1DES keys.
And they get regular audits from people who peer over their KDC databases
LOOKING for 1DES keys, so it's not like they're going to be able to sneak
1DES keys in there.

So I think a blanket statement saying it's not possible for ALL realms to
turn off 1DES is simply untrue.

Now certainly there are plenty of realms that still have single-DES
applications.  But aside from AFS, I think those applications are
a pretty small list.  The ones that come to mind are Kerberos telnet,
that double-secret Kerberos authenticated Oracle, Java (dammit dammit DAMMIT
WHAT THE HELL?!?!?!?), Kerberos-authenticated NFS (note: more ball-kicking
in order here).  I'm sure there are others, but still ... I think the large
majority of apps can work fine without single-DES.  I can imagine that
a number of realms can work without any single-DES at all; if you allow
AFS as the single exception, I bet the number goes way up.

--Ken