On Tue, 2004-11-09 at 15:31 +1100, Toliman wrote:
> Ken Foskey wrote:
> 
> >On Mon, 2004-11-08 at 23:27 +1100, James Gregory wrote:
> >
> >Does anyone know the ciphers that kerberos uses?  I was going to ask the
> >person that did cryptography in Uni recently :-)
> >  
> Kerberos uses DES, but the encryption method can be negotiated in 
> versions >v4. DES is still used in a lot of operational cryptographic 
> applications,and it is 'relatively' secure, in that it would hopefully 
> take a p4 a few hours to brute force... more likely in minutes. Which is 
> why DES has been phased out for at least 5 years, replaced by AES in 
> secure applications.

OK, this echoes my research today (cost me a coffee :-)

Kerberos by default uses DES encryption, so a fully encrypted Kerberos
telnet would use DES encryption by default.  It is possible to put
additional ciphers into Kerberos, but it is not part of the standard.

By comparison, ssh uses 3DES by default; here are the cipher options from
one version of ssh itself.  For those that do not know, 3DES is literally
encrypting in DES three times, which is very secure; the man page notes
that DES is insecure.

AnyCipher: Any available cipher (apart from none) can be used.
AnyStdCipher: Allows only standard ciphers, i.e. those ciphers mentioned
in the IETF-SecSH-draft (excluding none). This is the default cipher
value.
AES128: Use 128-bit Advanced Encryption Standard (Rijndael) encryption.
AES192: Use 192-bit Advanced Encryption Standard (Rijndael) encryption.
AES256: Use 256-bit Advanced Encryption Standard (Rijndael) encryption.
3DES: Use 3DES encryption.
Blowfish: Use Blowfish encryption.
Twofish: Use Twofish encryption.
Arcfour: Use Arcfour encryption.
CAST: Use CAST encryption.
DES: Use DES encryption. DES is generally considered a very weak cipher,
and its use is not recommended. It is offered as a fallback option only.
none: Don't use encryption. Use this option for testing purposes only!


OK, my research is that using Kerberos is NO MORE secure than ssh, but
is significantly less secure than ssh by default.  My apologies for
being painful, however; sometimes the likelihood of someone being
right is inversely proportional to the number of people shouting them
down.

Here endeth the lesson on security.  If someone tells you something is
more secure, you simply must do your own homework.  What they are saying
may be dated information, which appears to be the case here; DES is
certainly a dated protocol in security terms.

-- 
Ken Foskey
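
An added illustration, not part of the thread above, of what "encrypt in DES three times" means in practice. 3DES is the EDE construction: encrypt with K1, decrypt with K2, encrypt with K3. Setting all three keys equal collapses it to single DES (that is how 3DES stayed backward compatible with DES hardware), which is also why a 3DES key with identical components gives only single-DES strength and is worth rejecting in configuration. The block cipher below is a constructed 32-bit Feistel network standing in for DES, so that the example runs without any crypto library; the function names, key widths and sample values are all assumptions made for this note, and the numbers it produces are not real DES output.

```python
"""Toy demonstration of DES-EDE ("3DES"): encrypt-decrypt-encrypt with three keys.

The block cipher here is a constructed 32-bit Feistel network used as a
stand-in for DES so the example runs without any crypto library; it is
NOT DES and must not be used for real data.
"""
from typing import List

HALF_MASK = 0xFFFF
KEY_MASK = 0xFFFFFFFF
ROUNDS = 8


def _round_function(half: int, round_key: int) -> int:
    """Non-linear mixing of one 16-bit half; need not be invertible in a Feistel network."""
    x = (half ^ round_key) & HALF_MASK
    x = (x * 0x9E37 + 0x79B9) & HALF_MASK
    return ((x << 5) | (x >> 11)) & HALF_MASK


def _round_keys(key: int) -> List[int]:
    """Derive ROUNDS 16-bit round keys from a 32-bit key (toy key schedule)."""
    keys = []
    k = key & KEY_MASK
    for i in range(ROUNDS):
        k = ((k << 7) | (k >> 25)) & KEY_MASK
        keys.append((k ^ (k >> 16) ^ i) & HALF_MASK)
    return keys


def _feistel(block: int, round_keys: List[int]) -> int:
    """One pass of the Feistel network; decryption is the same pass with reversed keys."""
    left, right = (block >> 16) & HALF_MASK, block & HALF_MASK
    for rk in round_keys:
        left, right = right, left ^ _round_function(right, rk)
    return (right << 16) | left  # undo the final swap, as DES does


def toy_encrypt_block(block: int, key: int) -> int:
    """Single-cipher encryption (stands in for single DES)."""
    return _feistel(block, _round_keys(key))


def toy_decrypt_block(block: int, key: int) -> int:
    """Single-cipher decryption: same network, round keys in reverse order."""
    return _feistel(block, list(reversed(_round_keys(key))))


def triple_encrypt_block(block: int, k1: int, k2: int, k3: int) -> int:
    """EDE: E_k3(D_k2(E_k1(block))), the DES-EDE3 construction."""
    return toy_encrypt_block(toy_decrypt_block(toy_encrypt_block(block, k1), k2), k3)


def triple_decrypt_block(block: int, k1: int, k2: int, k3: int) -> int:
    """Inverse of EDE: D_k1(E_k2(D_k3(block)))."""
    return toy_decrypt_block(toy_encrypt_block(toy_decrypt_block(block, k3), k2), k1)


def check_triple_key(k1: int, k2: int, k3: int) -> None:
    """Reject a triple key that degrades EDE to single-cipher strength.

    With k1 == k2 the first two stages cancel and only E_k3 remains; with
    k2 == k3 the last two cancel and only E_k1 remains. Either case is
    exactly as strong as one key of the underlying cipher (56 bits for
    real DES).
    """
    if k1 == k2 or k2 == k3:
        raise ValueError("degenerate 3DES key: EDE collapses to single encryption")


if __name__ == "__main__":
    # Constructed sample values; not real DES test vectors.
    plaintext = 0x01234567
    k1, k2, k3 = 0xA1B2C3D4, 0x0F1E2D3C, 0xDEADBEEF
    check_triple_key(k1, k2, k3)
    ct = triple_encrypt_block(plaintext, k1, k2, k3)
    assert triple_decrypt_block(ct, k1, k2, k3) == plaintext
    # Backward compatibility: identical keys reduce 3DES to single encryption.
    assert triple_encrypt_block(plaintext, k1, k1, k1) == toy_encrypt_block(plaintext, k1)
    print("EDE ciphertext: 0x%08x" % ct)
```

The equal-key collapse is by construction (decryption undoes encryption), so the check_triple_key guard is the practical takeaway: a 3DES deployment that ends up with K1 == K2 or K2 == K3 is running single DES, whatever the configuration says.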

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
