Ken Foskey wrote:

On Mon, 2004-11-08 at 23:27 +1100, James Gregory wrote:



faster (and just as secure) block cipher algorithms like DES or Blowfish



Does anyone know the ciphers that Kerberos uses? I was going to ask the
person that did cryptography in Uni recently :-)


I suppose it's a good enough reason to break out the Applied Cryptography book I haven't even looked at in, oh, 3 years.

I had a look for the protocol data; the RFC is woeful but extreme, and complete ...
<http://www.faqs.org/rfcs/rfc1510.html>
<http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html>
<http://www.nata2.info/misc/Wireless/A_Real-World_Analysis_of_Kerberos_Password_Security-MIRROR.html>


Kerberos uses DES, but the encryption method can be negotiated in versions >v4. DES is still used in a lot of operational cryptographic applications, and it is 'relatively' secure, in that it would hopefully take a P4 a few hours to brute force... more likely in minutes. Which is why DES has been phased out for at least 5 years, replaced by AES in secure applications.

The major thing is, in Krb v5, you can specify the salt, the algorithm and a few other variables to make the TGS/KDC give out more secure keys if you have a need for it. It depends on your KDC, the machine you get your ticket from, so it's not something easily modified unless you can replace a working Kerberos system.

Suffice to say, Krb is relatively secure for a large scale network. More secure methods are available now, but they all have their inconvenient security-based provisions and features that will make client adoption difficult. There's always the addition of biometric data and variable challenge authentication methods, etc., but it's still relying on making the process visibly painful as a reminder of the need for security, etc.

Toliman
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
