Jeffrey,

What must I change to handle the session keys correctly?

Thank you
Markus

----- Original Message -----
From: "Jeffrey Altman" <[EMAIL PROTECTED]>
To: "Markus Moeller" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, September 21, 2003 6:44 AM
Subject: Re: 3DES or equivalent telnet encryption with kerberos

> Markus:
>
> Your patch is close to the correct way to do this. The primary issue is
> the question of the encryption key to use. You want to use the 3DES
> session key if it is available.
>
> However, there is a bigger problem. The existing Kerberos 5 telnet code
> base always takes the first 8 bytes of the key regardless of length and
> uses it for both the inbound and outbound keys. This is in violation of
> the current Telnet Encryption draft. That is why there is a restriction
> for Kerberos 5 that it can only use single DES session keys. If a
> session key with greater than 8 bytes of key data were used, the
> truncation applied in the current code would make the communication
> between the client and server incompatible if single DES were ever
> negotiated.
>
> - Jeffrey Altman
>
>
> Markus Moeller wrote:
> > I would like to encrypt a kerberised telnet session stronger than with DES.
> > I assume that this has been done in the past, but I haven't found any
> > example. But I found the below telnet client/server source from the srp
> > project which has 3DES/CAST128 encryption and modified the kerberos5.c file
> > to allow 3DES encryption.
> >
> > The source can be found at http://srp.stanford.edu/source/srp-2.0.0.tar.gz
> > together with the attached patch and the below configure command I got it to
> > work on Suse Linux with MIT 1.3.1 and a W2k kdc and RC4-hmac cipher.
> >
> > LDFLAGS="-Wl,-R/usr/kerberos/lib" \
> > ./configure --with-krb5=/src/mitk5-131/kerberos/src --without-srp
> > --without-cast --disable-tls
> >
> > As I am not an expert in cryptography I would like to know if this is
> > correctly implemented.
> >
> > Thank you for any help/suggestions.
> >
> > Markus
> >
> > ------------------------------------------------------------------------
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
