[16303] in Kerberos-V5-bugs
[krbdev.mit.edu #8808] Remove single-DES support
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu May 23 12:05:20 2019
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: Greg Hudson via RT <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8808@krbdev.mit.edu>
Message-ID: <rt-8808-49441.6.84795699818771@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8808'":;
Date: Thu, 23 May 2019 12:03:41 -0400
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Release 1.8 began a transition away from single-DES support by
requiring "allow_weak_crypto = true". Due to the 56-bit key size of
single-DES, an unknown key can be recovered via brute-force attack
with a small investment in cloud computing resources.
This ticket removes single-DES support for release 1.18.
Specifically, it removes:
* The afs3 and v4 salt types. The afs3 salt type indicates an AFS-
specific string-to-key function which only applies to single-DES
keys. The v4 salt type (indicating the empty salt) was a
transitional measure for converting krb4 databases; although it was
not restricted for use with single-DES keys, it is not useful for
other key types.
* The des-cbc-crc, des-cbc-md4, des-cbc-md5, and des-hmac-sha1
encryption types.
* The crc32, des-cbc, md4-des, and md5-des checksum types.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
