[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Andrew Deason adeason@sinenomine.net
Thu, 25 Jul 2013 14:47:02 -0500

On Thu, 25 Jul 2013 15:16:37 -0400 (EDT)
Benjamin Kaduk <kaduk@MIT.EDU> wrote:

> > I know in draft-kaduk-afs3-rxkad-kdf-03 you/we explicitly say that
> > KDCs need to not issue non-DES session keys when we only have a DES
> > long-term key, but do they all actually do that? Is the reasoning
> > there that a KDC
> As jhutz said, MIT and Heimdal do.

(except for the exception, which is why I was confused)

> I assume that AD has some mechanism to cope with application servers
> that don't speak AES, though I don't know what exactly the mechanism
> is.

While AD doesn't store "keys" like Heimdal and MIT do, it does have a
separate setting for "these are the enctypes supported by this princ",
which for the current conversation serves the same purpose as the key
list for MIT or Heimdal. Like MIT, it appears to only issue session keys
with enctypes in that enctype list, with the sole exception of single
DES, which is always allowed if DES is turned on for the KDC. (It is
turned off by default in Server 2008 or 2008 R2 or somewhere around

> Asking for a DES session key first would unnecessarily weaken the
> session key for some clients.

You're deriving a DES key either way... but yes, the point is moot, I

Andrew Deason