DES keyspace inadequate for continued use

Benjamin Kaduk kaduk at MIT.EDU
Wed Jul 24 10:35:55 EDT 2013

Hash: SHA1

DES keyspace inadequate for continued use

This is an update on a long-known weakness of the DES cipher, it is not
a security advisory.

No CVE is assigned, as there is no specific vulnerability, just a continued
degradation of security.


Advances in computing power have made the 56-bit key space of the DES
cipher increasingly vulnerable to a brute-force attack.  What was strong
cryptography at its introduction in 1977 is very weak 35 years later.

In 2013, cloud services provide the functionality of dedicated DES cracking
devices for as little as $20, providing results in on the order of a day.


An authenticated remote attacker can recover the long-term secret key of
any service with only a DES long-term key, and impersonate any user to that
service or impersonate that service.

An unauthenticated remote attacker can recover the long-term secret key of
any principal which is configured to not require preauthentication and
has a DES long-term key (even if long-term keys of other enctypes are
present), and impersonate that principal or impersonate any user to that


This is a cipher weakness, not a software weakness.  Particularly vulnerable
are software which do not support other enctypes.

* MIT krb5 prior to 1.3 supported only DES and triple-DES; triple-DES is not
   interoperable with Microsoft Active Directory.

* MIT krb5 prior to 1.1 supported only DES.

* Microsoft Windows prior to Windows Vista and Windows Server 2008 only
   supported DES and RC4.

* Heimdal has always supported triple-DES, and gained support for RC4 in
   release 0.3a.


There is no fix for this cipher weakness.  We recommend that you update
all principals to stronger encryption types immediately, starting with
high-value principals such as krbtgt/REALM, kadmin/admin, and kadmin/changepw.
Setting the requires_preauth flag on a principal reduces the exposure of
that principal to only authenticated remote attackers, as opposed to all
remote attackers.  Setting the disallow_svr flag on a principal removes
the access vector for authenticated remote attackers, but this flag cannot
be set on service principals.

A document describing the procedure to upgrade away from DES is available at:


OpenAFS has published a security advisory for this issue, as the AFS protocol
is inherently tied to DES encryption keys.  The OpenAFS advisory has been
issued the identifier CVE-2013-4134.


The particular figures for the time and money needed to crack a DES key
were determined as part of the MIT Computer Systems Security course, by
Alex Chernyakhovsky, Christy Dennison, Patrick Hurst, and Peter Iannucci.


The MIT Kerberos Team security contact address is
<krbcore-security at>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/AB278DE6 2013-01-30 [expires: 2014-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security at>


The weakness of DES has long been recognized.  RSA Security began a series of
DES challenges in 1997, with the EFF building a dedicated machine in 1998 for
under $250,000 which could decrypt a DES message in 56 hours of work.  By
1999, such dedicated hardware could decyprt a DES message in 22 hours and
15 minutes.  As the available computational power increases with Moore's Law,
the resources needed to break DES encryption grow smaller and smaller.

DES was withdrawn as a federal encryption standard in 2005.  All MIT krb5
releases since 1.7 (in 2009) have been accompanied by a notice that DES is
widely regarded as weak.  Beginning with MIT krb5 1.8 (2010), MIT krb5 has
disabled weak encryption types (including DES) by default.

Beginning with Microsoft Windows 7 and Windows Server 2008 R2, DES is
disabled by default.

Heimdal has marked DES as deprecated since release 1.3.
Version: GnuPG v2.0.19 (FreeBSD)

kerberos-announce mailing list
kerberos-announce at

More information about the krbdev mailing list