Re: Kerberos DES encryption

---

• From: DaveMo <david.mowers@xxxxxxxxx>
• Date: 23 Apr 2007 11:42:32 -0700

---

On Apr 22, 11:39 pm, Nick Domukhovsky <ndomukhov...@xxxxx> wrote:

Most integration guides recommend using DES encryption for Kerberos tickets
in UNIX/Linux interoperability scenarios.

I wonder what is the risk. It can be brute forced; probably even in the
lifetime of the ticket. But I'm not familiar with Kerberos specification
good enough to identify what the potential exposure will be.

Opinions appreciated.

There are only two encryption types supported by Windows:

DES-CBC-MD5 (CRC)
RC4-CBC-SHA1

First is "vanilla" MIT method and should be supported by all platforms.
It uses 3DES so it not so weak as you think (and you always can change
lifetime of ticket, this is not a problem if you have long renew time -
user will not see any difference).

If you are sure, that your version of Kerberos library supports RC4
encryption - use it.

--
With best regards
Nickolay Domukhovsky, MCSA

Nickolay

According to my understanding the DES cipher strength for DES-CBC-MD5
is 56 bits. There is a distinct 3DES-CBC-MD5 but I'm not sure
Microsoft ever implemented it and I don't think it was ever widely
available for UNIX either.

Dave

.

---

• Follow-Ups:
  • Re: Kerberos DES encryption
    • From: Nick Domukhovsky

• References:
  • Re: [Q] Kerberos DES encryption
    • From: Nick Domukhovsky

• Prev by Date: Domain Controller Certificates and moving to a new server or removing them?
• Next by Date: Windows Media Player Remote Code Execution (923689)
• Previous by thread: Re: [Q] Kerberos DES encryption
• Next by thread: Re: Kerberos DES encryption
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: [Q] Kerberos DES encryption ... I wonder what is the risk. ... lifetime of the ticket. ... But I'm not familiar with Kerberos specification ... lifetime of ticket, this is not a problem if you have long renew time - ... (microsoft.public.windows.server.security) Re: College degree is worth $23K/yr more... ... is basically a "hunting license" and NOT a ticket to a job. ... In reality, however, the pieces of paper the students got after their studies were finished, combined with their transcripts, really tickets to an interview, not necessarily gainful employment. ... Another was that by teaching them "too much", their knowledge/education/whatever would have an excessively long lifetime, reducing the need to return for "upgrading", thus denying such institutions of future revenue. ... (sci.research.careers) Re: Sudden end to "life" at Killington ... came like gangbusters and announced everything they ... $70 on every lift ticket sold (the price is $76) ... Under ASC they realized $49 on every ticket when the ... honored the lifetime passes, that may have set some sort of precedent. ... (rec.skiing.alpine) Re: And your 2008 Democratic Presidential Ticket is: ... party in our lifetime. ... but I'd pay good money to see that ticket happen. ... (rec.sport.pro-wrestling)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2007-04