[20470] in Kerberos_V5_Development
Re: KDC TGT enctype selection question
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Dec 6 19:58:11 2023
Message-ID: <9fbbdb92-9707-4218-8fbc-b22110243c9a@mit.edu>
Date: Wed, 6 Dec 2023 19:51:04 -0500
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
CC: <krbdev@mit.edu>
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <202312061907.3B6J7wWr001445@hedwig.cmf.nrl.navy.mil>

On 12/6/23 14:07, Ken Hornstein via krbdev wrote:
> what is the reason the AES2 enctypes
> are later in the list of default enctypes than the SHA1 AES enctypes?

It helps mitigate the problem that we don't make it perfectly easy to match
the enctypes supported by a service to the enctypes present in the
long-term keys for that service. (Nico has advocated for making kadmin
randkey use the kadmin client's supported_enctypes value instead of the
KDC's, and I think that would be a good change, but it still wouldn't
make us perfect.)

This problem gets less important over time (although to my knowledge
Microsoft hasn't implemented aes-sha2), and would not outweigh a
serious difference in security if there were one. But since SHA-1's
collision weaknesses don't impact HMACs, the advantage of aes-sha2
enctypes is more about conformance than security. (There are admittedly
cases where the 96-bit size of aes-sha1 checksums can impact
security--this came up in a recent set of PAC vulnerabilities, although
it was overshadowed by larger vulnerabilities in RC4 enctypes.
Basically, if you checksum over a checksum and your protocol has a
checksum oracle, you become subject to the birthday bound of the inner
checksum size. So far I'm modeling this as an unusual confluence of
protocol properties and not an aes-sha1 enctype weakness.)

Less importantly, the aes-sha1 enctypes are proposed standard and the
aes-sha2 enctypes are informational.

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
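
The birthday-bound remark in the message above, as an added example that is not part of the original message or of the krb5 code base: a simplified checksum-over-checksum model in which the outer HMAC covers only a truncated inner HMAC, so any inner collision is also an outer collision. The keys, messages, function names and the 16-bit toy inner size are constructed assumptions; real Kerberos key derivation and PAC layouts are not modeled.

```python
import hashlib
import hmac
from itertools import count

# Constructed demo keys; real Kerberos keys and checksum derivations differ.
INNER_KEY = b"constructed-inner-key"
OUTER_KEY = b"constructed-outer-key"
OUTER_BYTES = 12  # 96-bit truncation, the aes-sha1 checksum size


def inner_checksum(msg: bytes, nbytes: int) -> bytes:
    """HMAC-SHA1 truncated to nbytes (the 'inner' checksum)."""
    return hmac.new(INNER_KEY, msg, hashlib.sha1).digest()[:nbytes]


def outer_checksum(msg: bytes, inner_bytes: int) -> bytes:
    """Checksum computed over the inner checksum only, not over msg."""
    inner = inner_checksum(msg, inner_bytes)
    return hmac.new(OUTER_KEY, inner, hashlib.sha1).digest()[:OUTER_BYTES]


def find_inner_collision(inner_bytes: int):
    """Query the inner checksum on distinct messages until two agree.

    Returns (msg_a, msg_b, queries). Expected queries ~ 2**(bits/2);
    the pigeonhole principle caps it at 2**bits + 1.
    """
    seen = {}
    for i in count():
        msg = b"constructed-message-%d" % i
        tag = inner_checksum(msg, inner_bytes)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def birthday_log2_work(checksum_bits: int) -> float:
    """log2 of the approximate query count for a likely collision."""
    return checksum_bits / 2


if __name__ == "__main__":
    a, b, q = find_inner_collision(inner_bytes=2)  # 16-bit toy inner checksum
    print(f"collision after {q} queries: {a!r} vs {b!r}")
    print("outer checksums equal:", outer_checksum(a, 2) == outer_checksum(b, 2))
    print("96-bit inner checksum: about 2^%d queries" % birthday_log2_work(96))
```

The outer key never enters the search: the cost is set entirely by the inner checksum width, which is why a wider inner checksum or an outer checksum that also covers the message removes the shortcut.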