krb5-1.14-beta1 is available
Tom Yu
tlyu at mit.edu
Fri Oct 9 21:13:55 EDT 2015
This is a challenging to explain concisely, but basically in Kerberos,
3DES and RC4 are still reasonably strong for randomly generated keys but
not for password-derived ones.
krb5-devel/doc is master, not the release branch, but it's close enough
for now.
-Tom
Wang Weijun <weijun.wang at oracle.com> writes:
> You mean all 3DES and RC4 etypes as described in https://tools.ietf.org/html/draft-kaduk-kitten-des-des-des-die-die-die-00? I see 16 and 23 still not marked weak in http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/kdc_conf.html#encryption-types.
>
> BTW, is the krb5-devel/doc pages always synced with the latest public beta?
>
> Thanks
> Max
>
>> On Oct 10, 2015, at 4:44 AM, Tom Yu <tlyu at mit.edu> wrote:
>>
>>
>> * Remove the triple-DES and RC4 encryption types from the default
>> value of supported_enctypes, which determines the default key and
>> salt types for new password-derived keys. By default, keys will
>> only created only for AES128 and AES256. This mitigates some types
>> of password guessing attacks.
More information about the krbdev
mailing list