Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

[Tom Yu]

Sam Hartman <hartmans at MIT.EDU> writes:

> Tom, I have a couple of concerns here.
>
> First, I don't understand what the use case is or functional
> requirements are.
>
> I mean we all know that we'd like to stop using DES.  However I'd like
> to understand the drivers for this to understand what the right
> functionality is?

Motivation: make preparations for completely removing single-DES
support in the krb5-1.8 release.  Note that Heimdal implements
complete disabling of single-DES using "allow_weak_crypto" (which
defaults to false).  We can debate (and indeed seem to be doing so
quite actively) whether this strategy is deployable.

> The main questions I have that would be answered by functional
> requirements surround  what the security/interoperability tradeoff is.
>
> For example, much of the value of disabling DES could be accomplished
> by disabling DES at the KDC.  If the KDC does not issue tickets keyed
> with DES or using DES as a session key, then for the most part clients
> and servers will not use DES.  ((Clients may still try to use DES for
> string2key).

As I mentioned elsewhere, disabling DES at the KDC is probably a
reasonable interim step.

> Also, the current project write up does not describe how the
> krb5_c_weak_enctype will be used.  If we're planning on moving to
> something like permitted_enctypes = default - des then shouldn't that
> be krb5int_c_weak_enctype instead?

It could be krb5int_c_weak_enctype, and it is currently not exported.
We have appear to have precedent for having internal crypto functions
with a krb5_c_ prefix rather than a krb5int_c_ prefix.