logo_kerberos.gif

Difference between revisions of "Projects/Disable DES"

From K5Wiki
Jump to: navigation, search
(New page: {{project-early}} This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES. In order to make t...)
 
Line 2: Line 2:
 
This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.
 
This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.
   
In order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.
 
  +
For now, the '''allow_weak_crypto''' libdefault boolean will control whether "weak" crypto is allowed. The crypto library will gain an internal API, krb5_c_weak_enctype(), which will indicate whether a given enctype is "weak". The krb5_keytypes structure will have a flags word that will contain a bit indicating whether a given enctype is weak.
  +
 
In the future, in order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.
   
 
<pre>
 
<pre>
Line 14: Line 16:
   
 
where <code>DEFAULT</code> designates the default set of enctypes.
 
where <code>DEFAULT</code> designates the default set of enctypes.
 
Not included are facilities to enable or disable groups of enctypes, e.g. all DES-based enctypes. That will be a separate project.
 

Revision as of 21:39, 26 January 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.

For now, the allow_weak_crypto libdefault boolean will control whether "weak" crypto is allowed. The crypto library will gain an internal API, krb5_c_weak_enctype(), which will indicate whether a given enctype is "weak". The krb5_keytypes structure will have a flags word that will contain a bit indicating whether a given enctype is weak.

In the future, in order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.

permitted_enctypes = DEFAULT +des-cbc-crc

or

permitted_enctypes = DEFAULT -arcfour-hmac

where DEFAULT designates the default set of enctypes.