[OpenAFS-announce] ANNOUNCE: OpenAFS is Migrating Away From Single DES; 'kaserver' is Deprecated

Jeffrey Altman openafs-info@openafs.org
Thu, 28 Dec 2006 19:36:13 -0500


AFS version 3 was designed and implemented during the late 80s and early
90s when the state of the art in distributed computer authentication and
data security was Kerberos 4 and single DES. The 'rxkad' security class
was specified to use a single DES key and the 'kauth' authentication
protocol is a derivative of MIT's Kerberos 4 protocol.

For the better part of the last decade there has been concern regarding
the cryptographic strength of the DES cipher when used as a building
block within systems intended to prove authentication and/or data
integrity and privacy. Kerberos 4 and 'rxkad' are not extensible and
cannot negotiate non-DES key types. As a result efforts to migrate away
from Kerberos 4 based authentication at higher risk organizations have
been underway since the mid to late 90s. Ken Hornstein issued the first
of his Kerberos 5 migration kits for AFS in May 1999.

In March 2003, the continued use of single DES and 'kauth' as the basis
for OpenAFS security became a real-world threat when a significant
Kerberos 4 cross-realm vulnerability was published. The OpenAFS
community was notified in security advisory OPENAFS-SA-2003-001 which
can be found at http://www.openafs.org/security.

As a result of the mounting concerns regarding the strength of DES, NIST
announced in May 2005 the withdrawal of FIPS 46-3 "Data Encryption
Standard (DES)" as well as the associated FIPS 74 and FIPS 81. In other
words, NIST announced that DES and its derivatives could no longer be
used by the United States Government and should no longer be used by
those that trust its lead.

In July 2003 MIT announced the end of life of the Kerberos 4 protocol
which is distributed for backward compatibility as part of the MIT
Kerberos 5 distribution. A copy of that announcement can be found at
http://web.mit.edu/kerberos/krb4-end-of-life.html.

Since then the OpenAFS gatekeepers and the development community have
continued to strengthen the support for Kerberos 5. By 1.2.11 protocol
support for the use of Kerberos 5 tickets within the 'rxkad' security
class was complete for all of the Kerberos 5 DES enctypes. As part of
the OpenAFS 1.4 series integrated support for 'aklog' and 'asetkey' as
well as support for the large Kerberos 5 tickets generated by
Microsoft's Active Directory were added.

With the release of 1.4, OpenAFS can be used with Kerberos 5 KDCs
without any externally supported packages other than the Kerberos 5
library.  Either MIT or Heimdal Kerberos 5 libraries can be used to
build the support tools.  For the KDC, you can use any Kerberos 5 KDC
implementation (MIT, Heimdal, Microsoft Active Directory, ...).
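The following is an added example; it is not part of this announcement
or of the OpenAFS code base. It audits the enctypes reported by MIT
Kerberos `klist -e` and flags any ticket whose session key is a
single-DES type (des-cbc-crc, des-cbc-md4, des-cbc-md5), which are the
only enctypes 'rxkad' can carry until 'rxk5' or 'rxgk' exists. The
function name, the assumed `klist -e` layout (a ticket line followed by
an "Etype (skey, tkt):" line that uses enctype names rather than the
older descriptive strings), and the sample credential cache listing are
all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OpenAFS announcement or project): flag
# single-DES session keys in `klist -e` output.  Assumes the MIT layout
# where each ticket line is followed by "Etype (skey, tkt): <skey>, <tkt>"
# using enctype names such as des-cbc-crc.  The function name and the
# sample cache listing below are constructed for this example.

# Print "<service principal> <session-key enctype>" for every ticket whose
# session key is a single-DES enctype.  Reads `klist -e` output from the
# files given as arguments, or from stdin when none are given.
# Exit status: 0 if no single-DES ticket was found, 1 if at least one was.
find_des_tickets() {
    awk '
        # ticket line: "<valid starting> <expires> <service principal>"
        /^[0-9][0-9]\/[0-9][0-9]\/[0-9]+ / { svc = $NF; next }
        # detail line for the preceding ticket
        /Etype \(skey, tkt\):/ {
            skey = $4; sub(/,$/, "", skey)     # drop trailing comma
            if (skey ~ /^des-cbc-(crc|md4|md5)$/) {
                print svc " " skey
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$@"
}

# Constructed sample: an AFS service ticket still issued with a DES
# session key next to an AES ticket-granting ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
12/28/06 19:36:13  12/29/06 05:36:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/28/06 19:36:14  12/29/06 05:36:13  afs/example.com@EXAMPLE.COM
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc'

# Usage: for the sample above this prints the afs/ ticket and warns.
if printf '%s\n' "$SAMPLE_KLIST" | find_des_tickets; then
    echo "no single-DES session keys in cache"
else
    echo "single-DES session keys present: migrate before rxkad/kaserver removal"
fi
```

On a live system run `klist -e | find_des_tickets` after `kinit` and
`aklog`; an afs/ service ticket with a des-cbc-* session key means the
cell's afs service principal still has only DES keys in the KDC, which is
exactly the state the road map below is meant to retire.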

The 2004, 2005, and 2006 workshops contained presentations from various
organizations on how to migrate your cell to Kerberos 5 or install a new
cell using Kerberos 5 in place of 'kaserver'. The 2005 and 2006
workshops had one day tutorials on Kerberos 5 installation,
configuration, and administration.

  # 2004: http://www-conf.slac.stanford.edu/AFSBestPractices
  # 2005: http://www.pmw.org/afsbpw05/
  # 2006: http://www.pmw.org/afsbpw06/

With this historical foundation in place, the OpenAFS Elders are
officially announcing the deprecation of 'kaserver' and endorsing the
following road map for transitioning from single DES to stronger ciphers:

  # Effective immediately, 'kaserver' releases will log a warning at
    startup stating that 'kaserver' support has been deprecated and that
    a migration to a Kerberos 5 solution should begin.
  # Before the 1.6 release, the build system will be modified to
    optionally enable OpenAFS without 'kaserver'.
  # After the 1.6 release, the build system will be modified to build
    OpenAFS without 'kaserver' unless it is specifically requested.
  # The OpenAFS Elders encourage volunteers to assist in updating the
    OpenAFS documentation to include instructions on installing or
    migrating to Kerberos 5 KDCs (MIT, Heimdal, Active Directory, ...)
  # The OpenAFS Elders endorse the development of new PAM AFS solutions
    maintained outside the OpenAFS source tree.
  # The OpenAFS Elders endorse the development of the 'rxk5' and 'rxgk'
    security classes in order to enable the use of Kerberos 5 ciphers
    other than single DES for both authentication and data security
    between AFS clients and servers.
  # When OpenAFS is capable of supporting Kerberos 5 with non-DES
    ciphers the major version number will be changed to "2".
  # The 'kaserver' will be removed from the source tree no sooner than
    one year after the OpenAFS 2.0 release.
  # The 'kauth' security class will become deprecated no sooner than one
    year after the OpenAFS 2.0 release. It will first be disabled by
    default on clients, then disabled by default on servers, and
    eventually it will be removed from the source tree. Further details
    will be announced as part of the OpenAFS 2.0 release.

If a significant security hole is identified in either 'kaserver' or DES
prior to its removal from the OpenAFS source tree, the OpenAFS Elders
reserve the right to accelerate this time table.

Signed,

The OpenAFS Elders.
