[OpenAFS-devel] Aklog/krb5 mappings

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 07 Jul 2005 11:56:48 -0400


>I thought the k4 attack worked because the kdc would give an encrypted tgt
>to anyone who asks for it, which allows offline dictionary attacks.  This
>works with any encryption algorithm.  In fact the use of des makes you more
>resistant to attack, because it's slower than the alternatives.  K5 fixes
>this by optionally requiring pre-authentication.

I was under the impression that he was worrying about brute-force attacks
against DES (specifically, the AFS service key), which we don't have a
defense against yet.  I haven't yet seen brute-force attacks against DES
in the wild, but computers are getting faster all of the time; I'm
sure it's only a matter of time.

--Ken