[6987] in Kerberos
Re: kerberos security
daemon@ATHENA.MIT.EDU (Richard Basch)
Tue Apr 2 19:31:08 1996
Date: Tue, 2 Apr 1996 19:08:59 -0500
To: Frank Jansen <Frank.Jansen@vuw.ac.nz>
Cc: hartmans@MIT.EDU, kerberos@MIT.EDU
In-Reply-To: <199604022308.XAA01836@kauri.vuw.ac.nz>
From: "Richard Basch" <basch@lehman.com>
Ok, since I was the one who first started investigating Triple-DES
integration into Kerberos V5, I'll chime in...
Basically, the session keys are determined by the KDC based on what
the user says he can support and what the KDC believes the service can
support. If the service can support 3-DES and the user has allowed the
use of 3-DES, 3-DES session keys may be returned by the KDC, thus
increasing session security.
At the moment, I viewed 3-DES as something that would certainly be
necessary in the near term to avoid the compromise of service keys and
user keys, rather than short-lived session keys. I don't believe there
is much of a belief that the short session lifetimes are readily
compromised today if they still employ DES security. However, since we
invested the time into integrating 3-DES into Kerberos V5, we also took
the proactive approach to employing 3-DES even at the session level,
when possible.
On Tue, 2-April-1996, "Frank Jansen" wrote to "hartmans@MIT.EDU, kerberos@MIT.EDU" saying:
> Greetings Sam,
> Thanks for telling me about the exportability, but at the moment
> I'm mainly concerned about how secure it is. Triple DES sounds nice, but what
> about the session keys? How secure are these? Thanks.
--
Richard Basch
Sr. Developer/Analyst        URL:   http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc.        Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor   Fax:   +1-201-524-5828
Jersey City, NJ 07302-3988   Voice: +1-201-524-5049
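The negotiation Richard describes above (the KDC picks a session-key enctype from what the client offers and what the KDC knows the service can handle), as an added toy model that is not part of the original post and is not code from MIT Kerberos or any other implementation. Its assumptions: the enctype numbers are the RFC 3961 assignments for single and triple DES, the client's list is treated as a preference order, the KDC's knowledge of the service is modelled as the enctypes of the long-term keys it stores for that service principal, and the key-length and strength figures are illustrative constants used only for reporting:

```python
"""Toy model of how a Kerberos V5 KDC picks a session-key enctype.

Constructed illustration only; not code from MIT krb5 or any other KDC.
"""
import os
from dataclasses import dataclass

# Enctype numbers as assigned in RFC 3961 section 8 (DES family only, as in 1996).
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
DES3_CBC_SHA1 = 16

# Assumed raw key length in bytes and nominal strength in bits (3DES counted as
# 112 because of meet-in-the-middle); used for reporting, not for the choice.
KEY_LENGTH = {DES_CBC_CRC: 8, DES_CBC_MD5: 8, DES3_CBC_SHA1: 24}
STRENGTH_BITS = {DES_CBC_CRC: 56, DES_CBC_MD5: 56, DES3_CBC_SHA1: 112}


class NegotiationError(Exception):
    """No enctype is acceptable to both the client and the service."""


@dataclass(frozen=True)
class ServicePrincipal:
    """What the KDC knows about a service: assumed to be the enctypes of the
    long-term keys it holds for that principal."""
    name: str
    key_enctypes: frozenset


def select_session_enctype(client_etypes, service):
    """Return the first enctype in the client's preference list for which the
    service has a key.  The KDC never picks something the client did not
    offer, and never picks something the service cannot decrypt."""
    for etype in client_etypes:
        if etype in service.key_enctypes:
            return etype
    raise NegotiationError(
        f"client offered {list(client_etypes)}, "
        f"{service.name} supports {sorted(service.key_enctypes)}")


def issue_session_key(client_etypes, service):
    """Pick the enctype and mint a fresh random session key of that length.
    (DES parity-bit fixing is omitted in this model.)"""
    etype = select_session_enctype(client_etypes, service)
    return etype, os.urandom(KEY_LENGTH[etype])


def negotiation_scenarios():
    """Constructed scenarios showing when a 3-DES session key results."""
    both_3des = ServicePrincipal("host/a.example", frozenset({DES3_CBC_SHA1, DES_CBC_MD5, DES_CBC_CRC}))
    des_only = ServicePrincipal("host/b.example", frozenset({DES_CBC_CRC}))
    cases = {
        # client allows 3DES and the service has a 3DES key: session key is 3DES
        "client_3des_service_3des": ([DES3_CBC_SHA1, DES_CBC_MD5, DES_CBC_CRC], both_3des),
        # client did not allow 3DES: KDC cannot upgrade, falls back to DES
        "client_des_service_3des": ([DES_CBC_MD5, DES_CBC_CRC], both_3des),
        # service has only a DES key: 3DES cannot be used for this session
        "client_3des_service_des": ([DES3_CBC_SHA1, DES_CBC_MD5, DES_CBC_CRC], des_only),
        # client insists on 3DES against a DES-only service: no common enctype
        "client_3des_only_service_des": ([DES3_CBC_SHA1], des_only),
    }
    results = {}
    for label, (client_etypes, service) in cases.items():
        try:
            etype, key = issue_session_key(client_etypes, service)
            results[label] = (etype, STRENGTH_BITS[etype], len(key))
        except NegotiationError:
            results[label] = None
    return results


if __name__ == "__main__":
    for label, outcome in negotiation_scenarios().items():
        print(f"{label}: {outcome}")
```

The third scenario is the practical caveat behind Richard's point about long-term keys: upgrading clients alone buys nothing for a service whose only stored key is single DES, so the service's key, not the short-lived session key, is the limiting factor.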