Re: [Q] Kerberos DES encryption

From: Nick Domukhovsky <ndomukhovsky@xxxxx>
Date: Mon, 23 Apr 2007 12:39:36 +0600

Most integration guides recommend using DES encryption for Kerberos tickets
in UNIX/Linux interoperability scenarios.

I wonder what is the risk. It can be brute forced; probably even in the
lifetime of the ticket. But I'm not familiar with Kerberos specification
good enough to identify what the potential exposure will be.

Opinions appreciated.

There are only two encryption types supported by Windows:

DES-CBC-MD5 (CRC)
RC4-CBC-SHA1

First is "vanilla" MIT method and should be supported by all platforms.
It uses 3DES so it not so weak as you think (and you always can change
lifetime of ticket, this is not a problem if you have long renew time -
user will not see any difference).

If you are sure, that your version of Kerberos library supports RC4
encryption - use it.

--
With best regards
Nickolay Domukhovsky, MCSA
.

Follow-Ups:
- Re: Kerberos DES encryption
  - From: DaveMo

Prev by Date: Re: how can I make money off my ultimate security solution for servers
Next by Date: Domain Controller Certificates and moving to a new server or removing them?
Previous by thread: Re: Kerberos DES encryption
Next by thread: Re: Kerberos DES encryption
Index(es):
- Date
- Thread

Relevant Pages

Re: Kerberos DES encryption
... lifetime of the ticket. ... But I'm not familiar with Kerberos specification ... good enough to identify what the potential exposure will be. ... lifetime of ticket, this is not a problem if you have long renew time - ...
(microsoft.public.windows.server.security)
Re: Kerberos DES encryption
... in UNIX/Linux interoperability scenarios. ... I wonder what is the risk. ... lifetime of the ticket. ...
(microsoft.public.windows.server.security)
Re: Kerberos DES encryption
... lifetime of the ticket. ... You are correct in the risk. ... DES key, so one approach would be to crack the key, retrieve the clear ... lifetime, you could simply change the lifetime. ...
(microsoft.public.windows.server.security)
Re: How do I change the ticket lifetime in the default policy?
... requested lifetime in the ticket request ... (You will have to alter other service principals if ... you may need to specify a longer requested lifetime there ("kinit -l ...
(comp.protocols.kerberos)
Re: College degree is worth $23K/yr more...
... is basically a "hunting license" and NOT a ticket to a job. ... In reality, however, the pieces of paper the students got after their studies were finished, combined with their transcripts, really tickets to an interview, not necessarily gainful employment. ... Another was that by teaching them "too much", their knowledge/education/whatever would have an excessively long lifetime, reducing the need to return for "upgrading", thus denying such institutions of future revenue. ...
(sci.research.careers)