Hi, Enrique -

Thanks for the response!  Glad to know who's been involved here.

Yes, MIT is dropping support for Version 4 of Kerberos where DES was the only algorithm supported.  While I know you are technically correct that it is still available in KRB5, I thought they were attempting to discourage its use.  (It's been 10 years since I've been deep in that code, though, so I probably should be careful in my assertions.)  Nevertheless, it's a fact that DES is insecure, and that once the FIPS is withdrawn, its use won't be sanctioned by any government or financial institution.  Products used by financial institutions (and I work with a large one) have moved well away from DES (in the same way that the original S/MIME specs required support for 40-bit RC2.  Nowadays, you don't hear that come up in a conversation!)

When you say DES plays a key role in MS environments, I have to admit I'm out of my comfort zone there.  Does MS not even support 3DES?  (I know there was a "brouhaha" some time back when MS decided to "branch" from MIT, but at the time I didn't care what MS did so didn't pay close attention.)

Appreciate the offer to help steer me around the code, and I'm sure I'll take advantage of the offer once I have a chance to look at it a bit more.

Thanks,
Richard

Enrique Rodriguez wrote:
Richard Scott wrote:
...
So, my question (to whomever it should be addressed - and I have no clue who has been working in this area!) is are there plans underway to drop support for DES in this implementation as well?

Hi, Richard,

We don't have any plans to drop support for DES.  Despite problems with DES, it is still widely used.  In fact, DES plays a key role in Microsoft environments, as the primary cipher for interoperability.  If you can point to some information where other distros are dropping DES, I'd love to read more.  I believe what you mean is that MIT Kerberos is dropping support for Version 4 of the Kerberos protocol.  From an MIT Kerberos announcement [1]:

"The Data Encryption Standard (DES) has reached the end of its useful
life.  DES is the only encryption algorithm supported by Kerberos 4,
and the increasingly obvious inadequacy of DES motivates the
retirement of the Kerberos 4 protocol."

We already don't support the Kerberos 4 protocol and because of its age, vulnerability, and lack of deployment, we had never planned on adding it.

Who are the folks working on Kerberos?

It's good to have someone new looking at the Kerberos code.  I am intimately familiar with the Kerberos protocol-provider, so please let me know if you have any questions.

Enrique

[1] http://www.secure-endpoints.com/kfw/kfw-3-0-announce.txt