[24330] in Kerberos


Re: potential for harm in DES AD/MIT trust

daemon@ATHENA.MIT.EDU (Brian Davidson)
Fri Jul 22 13:38:47 2005

Date: Fri, 22 Jul 2005 13:37:35 -0400
From: Brian Davidson <bdavids1@gmu.edu>
In-reply-to: <zLjoe.3221$XB2.1692314@twister.nyc.rr.com>
To: kerberos@mit.edu
Message-id: <63ac616db3f104965ed4214e054314a2@gmu.edu>
MIME-version: 1.0
Content-type: text/plain; charset=US-ASCII; format=flowed
Content-transfer-encoding: 7BIT
Errors-To: kerberos-bounces@mit.edu

On Jun 4, 2005, at 11:27 AM, Jeffrey Altman wrote:

> The MIT Kerberos team worked with the Microsoft Windows Security team
> to make sure that RC4-HMAC could be used for cross-realm authentication
> by Windows Server specifically because of the concerns you raise.   DES
> keys are very weak and if they must be used because that is all that is
> supported, then the keys must be replaced on a very regular basis
> until such time as they no longer need to be used.
>
> With 2003 Server SP1 there should no longer be a reason to use DES keys
> for anything but compatibility with Java 1.5 and earlier.

Has anyone had success with this?  I just tried to use RC4-HMAC for a 
cross-realm trust with Server 2003 SP1, and it didn't work.  I could 
only get the trust to work with a DES key.

Do you know if Microsoft has any of this documented anywhere?  I didn't 
see any mention of this in the "Windows Server 2003 Service Pack 1 list 
of updates".

I'm hoping there's just a registry setting that needs to be made to 
enable this...

Thanks,

Brian Davidson
George Mason University

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
