[prev in list] [next in list] [prev in thread] [next in thread] 

List:       krbdev
Subject:    Re: KDC TGT enctype selection question
From:       "Greg Hudson" <ghudson () mit ! edu>
Date:       2023-12-07 0:51:04
Message-ID: 9fbbdb92-9707-4218-8fbc-b22110243c9a () mit ! edu
[Download RAW message or body]

On 12/6/23 14:07, Ken Hornstein via krbdev wrote:
> what is the reason the AES2 enctypes
> are later in the list of default enctypes than the SHA1 AES enctypes?

It helps mitigate the problem that don't make it perfectly easy to match 
the enctypes supported by a service to the enctypes present in the 
long-term keys for that service.  (Nico has advocated for making kadmin 
randkey use the kadmin client's supported_enctypes value instead of the 
KDC's, and I think that would be a good change, but it still wouldn't 
make us perfect.)

This problem gets less important over time (although to my knowledge 
Microsoft hasn't implemented aes-sha2), and would not outweigh a 
serious difference in security if there were one.  But since SHA-1's 
collision weaknesses don't impact HMACs, the advantage of aes-sha2 
enctypes is more about conformance than security.  (There are admittedly 
cases where the 96-bit size of aes-sha1 checksums can impact 
security--this came up in a recent set of PAC vulnerabilities, although 
it was overshadowed by larger vulnerabilities in RC4 enctypes. 
Basically, if you checksum over a checksum and your protocol has a 
checksum oracle, you become subject to the birthday bound of the inner 
checksum size.  So far I'm modeling this as an unusual confluence of 
protocol properties and not an aes-sha1 enctype weakness.)

Less importantly, the aes-sha1 enctypes are proposed standard and the 
aes-sha2 enctypes are informational.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic