Re: [Curdle] [kitten] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt
Benjamin Kaduk <kaduk@mit.edu> Wed, 21 June 2017 17:46 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B11F126CF6; Wed, 21 Jun 2017 10:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Eg02z1t07UG8; Wed, 21 Jun 2017 10:46:06 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 302CC128656; Wed, 21 Jun 2017 10:46:05 -0700 (PDT)
X-AuditID: 12074425-7d5ff70000003ab1-32-594ab0db6c46
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id A6.92.15025.BD0BA495; Wed, 21 Jun 2017 13:46:04 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v5LHk2is023738; Wed, 21 Jun 2017 13:46:03 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v5LHjw4h012961 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 21 Jun 2017 13:46:01 -0400
Date: Wed, 21 Jun 2017 12:45:58 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Martin Rex <mrex@sap.com>
Cc: kitten@ietf.org, curdle@ietf.org
Message-ID: <20170621174558.GK39245@kduck.kaduk.org>
References: <20170621034615.GH39245@kduck.kaduk.org> <20170621094935.AF6161A6BF@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170621094935.AF6161A6BF@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.7.1 (2016-10-04)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLIsWRmVeSWpSXmKPExsUixCmqrHtng1ekwY5vjBZbF85itji6eRWL Re/vHcwOzB5Llvxk8pjyeStjAFMUl01Kak5mWWqRvl0CV8a6Y5+YC66IVCz+c4m9gfGQQBcj J4eEgInEor/vGbsYuTiEBBYzSUzbs44RJCEksJFRYtEVLojEVSaJVW0r2UASLAKqEjNXPmIH sdkEVCQaui8zg9giArIS0669AWtmBopvetrECmILC8RKnPrxnaWLkYODF2hb20owU0ggTeL/ ZbAbeAUEJU7OfMIC0aklcePfSyaQEmYBaYnl/zhAwpwCNhI7fn5jArFFBZQl/h6+xzKBUWAW ku5ZSLpnIXQvYGRexSibklulm5uYmVOcmqxbnJyYl5dapGuhl5tZopeaUrqJERSq7C6qOxjn /PU6xCjAwajEw2tR5xUpxJpYVlyZe4hRkoNJSZS3YxlQiC8pP6UyI7E4I76oNCe1+BCjBAez kgjvnXVAOd6UxMqq1KJ8mJQ0B4uSOK+4RmOEkEB6YklqdmpqQWoRTFaGg0NJgtd5PVCjYFFq empFWmZOCUKaiYMTZDgP0HCdNSDDiwsSc4sz0yHypxgVpcR5X4FsFQBJZJTmwfWCUolE9v6a V4ziQK8I82oAE4sQDzANwXW/AhrMBDT4xREPkMEliQgpqQZGua2hVU3v+85Vtze6fJy0NuXe qiU+P4sW5X/+LZHMuiDu7ZVVTdm8TNnXAlqf1Ni9eirLvPsDz+vbZkvEpv110zX8cFhf2PmN wbxVt9rSnD0j7EJzP7utnWvhdv7PpLXTM7Zkym0OkWeMeju/2uFcrJf63DUH/Y/YbHTb2Cfs yHTE7UPlc9Z3SizFGYmGWsxFxYkAaYfDZwADAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/6BUxs8iJz6Byx2P2QtzkAbq1zqE>
Subject: Re: [Curdle] [kitten] I-D Action: draft-ietf-curdle-des-des-des-die-die-die-03.txt
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2017 17:46:08 -0000
Adding curdle@ for discussion of potential content changes to the draft... On Wed, Jun 21, 2017 at 11:49:35AM +0200, Martin Rex wrote: > Benjamin Kaduk wrote: > > On Mon, Jun 19, 2017 at 06:43:31PM +0200, Martin Rex wrote: > >> > >> I have always been wondering about the following issue about > >> Microsoft Kerberos and the RC4-enctype: > > > > Just to note explicitly: I am listed in the To: line of this message > > but am definitely not the right person to answer the questions here. > > Partially true, it would be good to get some light shed on that > issue from *all* Kerberos implementors (not just Microsoft). > > The new paragraph that you quoted as having been added to the I-D > currently _only_ talks about support for Kerberos AES enctypes in code. > The new text fails to mention the issue of availability of longterm secrets > in the Kerberos KDC database that are properly encoded for AES enctypes > --as a prerequisite of actually _using_ AES enctypes. > > It's not just about availability of sufficiently recent code, > but also a necessity for re-keying all accounts in the Kerberos KDC database > _after_ sufficiently recend code has been deployed. And it may not be > the deployment of new code on the KDC alone, there may be additonal > administrative changes necessary on the KDC to acutally enable use of > AES enctypes (e.g. changing the domain functional level in Active Directory) It sounds like you are asking for the addition of some text along the lines of: Software support is only a bare minimum requirement for deprecating RC4 enctypes; there may be additional logistical considerations involved such as provisioning AES keys for all principals and updating software configuration to enable AES and disable deprecated encryption types. Is that something you are asking for? Thanks, Ben > The necessity for rekeying as a prerequisite of using new entypes is > AFAIK caused by salting string2key differently in all Kerberos enctypes > (except for RC4-HMAC) and storing only the resulting outputs, and this > seems to apply to most, if not all Kerberos implementations, I believe. > > While many users in "managed" environments have traditionally been > pestered to change their user passwords on a regular basis, the same > might not be true for service accounts, which typically have plaintext > passwords configured in the registry on Windows Servers, or file-based > keytabs for traditional MIT Kerberos, and may not be subject to the > same regular re-keying as end user accounts in typical installations. > > > -Martin
- [Curdle] I-D Action: draft-ietf-curdle-des-des-de… internet-drafts
- Re: [Curdle] I-D Action: draft-ietf-curdle-des-de… Benjamin Kaduk
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Jeffrey Altman
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Martin Rex
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Benjamin Kaduk
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Daniel Migault
- Re: [Curdle] [kitten] I-D Action: draft-ietf-curd… Benjamin Kaduk