On Wed, 2014-05-14 at 13:24 -0700, Russ Allbery wrote: > Greg Hudson <ghud...@mit.edu> writes: > > > * The AES enctypes have an intentionally expensive string-to-key > > function, making brute-force password attacks more expensive by a > > significant but constant factor. > > The one caveat I'll add to this, though, is that "intentionally expensive" > changes over time. Current crypto best practices would use about 3x as > many rounds as the AES enctype specifies as the default, and would use > per-principal salt. > > The Kerberos protocol permits the server to tell the client both the salt > and the rounds, so you could dynamically adjust the rounds and use > per-principal salt within the protocol (or, even better, randomize the > salt on every password change). However, I don't know if anyone > implements the tools required to manage this properly, or if typical > clients would cope.
The FreeIPA project uses random salts since when we started, it seem all clients we know of cope just fine. We do not change rounds, so I can't speak about changing that. Simo. -- Simo Sorce * Red Hat, Inc * New York ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos