[OpenAFS-devel] configurable cryptosystem support

[Marcus Watts]

jaltman@secure-endpoints.com writes:
> Message-ID: <45AF4F33.5030004@secure-endpoints.com>
> From: Jeffrey Altman <jaltman@secure-endpoints.com>
> To: Marcus Watts <mdw@umich.edu>
> Cc: openafs-devel@openafs.org
> Subject: Re: [OpenAFS-devel] configurable cryptosystem support
> Date: Thu, 18 Jan 2007 05:42:59 -0500
> 
> Marcus Watts wrote:
> > I'm in the process of adding "configurable crypto support" to k5ssl,
> > part of rxk5 for openafs.  I have the configuration logic working with
> > all the features listed below, I just have to merge it in with other
> > changes also in the queue (such as windows support, verifykt, etc...)
> 
> "kvno -k keytab"  and krb5_server_decrypt_ticket_keytab() have been
> committed to the MIT Kerberos tree for 1.7.

Good.  I doubt kvno -k does exactly what I have, but still good.

Good to hear about krb5_server_decrypt_ticket_keytab too.

> 
> > rc4exp is a degraded version of rc4 has an effective key space of 40 bits,
> > done by microsoft for export purposes.  I don't know if microsoft still
> > does this, but I believe neither heimdal nor mit support this anymore.
> > There's certainly no reason to advertise or use this
> > with openafs.
> 
> Please do not implement this.  Microsoft implemented this in the 90s
> prior to receiving world-wide export permission for RC4-HMAC.  There
> is no public implementation of this cipher suite.

There is or was a public implementation in MIT for this.  It's
certainly in 1.5, and I recall first finding it in some much
earlier version.  I'm not completely sure that they don't have
it today.  I agree it's not very desirable.

				-Marcus