[36023] in Kerberos


Re: Crypto backends for MIT Kerberos V5

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Apr 10 13:25:42 2014

Message-ID: <5346D401.1090806@mit.edu>
Date: Thu, 10 Apr 2014 13:25:21 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Arpit Srivastava <arpit.orb@gmail.com>, kerberos <kerberos@mit.edu>
In-Reply-To: <CAEvOXU4-bw=gCDLziqY0_cFZbbwi8xRP-hO=sYAre23KfgmPsw@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 04/10/2014 12:42 PM, Arpit Srivastava wrote:
> 1. Can somebody enumerate what are the differences between OpenSSL and
> builtin crypto backends? What benefits do I have if I use OpenSSL and not
> the builtin version?

There shouldn't be any easily observable benefits or drawbacks except
perhaps for performance.  Because of API impedance mismatches, I think
the built-in module typically gets the best performance in software, but
the story may change if OpenSSL is configured to use hardware accelerators.

We have selectable crypto modules because some downstream users have an
interest in consolidating crypto implementations for certificational
reasons or to more easily address the risk of side-channel attacks.

> 2. Is builtin crypto backend completely interoperable with Windows
> infrastructure (AD etc.)?

There should be no functional differences between the different crypto
modules, so to the extent that we are interoperable with Windows on one
back end, we should be interoperable with Windows on all of them.

> 5. What version of OpenSSL is compliant with krb-1.10 onwards - because I
> found some updates related to Camellia cipher etc.?

I believe OpenSSL 1.0 or later is required for the openssl crypto module
because we use CRYPTO_cts128_encrypt and CRYPTO_cts128_decrypt.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
