[24019] in Kerberos
Re: potential for harm in DES AD/MIT trust
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Sat Jun 4 11:42:49 2005
From: Jeffrey Altman <jaltman2@nyc.rr.com>
Message-ID: <zLjoe.3221$XB2.1692314@twister.nyc.rr.com>
Date: Sat, 04 Jun 2005 15:27:27 GMT
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
David Ressman wrote:
> As it's been pointed out to me, many of our peer institutions have
> accepted the risk and have set up trusts in their production domains
> using des-cbc keys. What do they know that I don't?
David:
The MIT Kerberos team worked with the Microsoft Windows Security team
to make sure that RC4-HMAC could be used for cross-realm authentication
by Windows Server specifically because of the concerns you raise. DES
keys are very weak and if they must be used because that is all that is
supported, then the keys must be replaced on a very regular basis
until such time as they no longer need to be used.
With 2003 Server SP1 there should no longer be a reason to use DES keys
for anything but compatibility with Java 1.5 and earlier.
Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos