[OpenAFS] AES Support ?

Marcus Watts mdw@spam.ifs.umich.edu
Wed, 26 Sep 2007 12:31:58 -0400

> Date:    Wed, 26 Sep 2007 08:38:05 CDT
> To:      jaltman@secure-endpoints.com
> cc:      Marcus Watts <mdw@spam.ifs.umich.edu>, openafs-info@openafs.org
> From:    John Hascall <john@iastate.edu>
> Subject: Re: [OpenAFS] AES Support ? 
> Jeffrey Altman
> > John Hascall wrote:
> > >>        What makes your cell "rxk5" capable is if you have an
> > >> "afs-k5@YOUR-REALM" service key.
> > > 
> > > That seems icky.  Why does it have to have a different name?
> > So that the clients have a way of knowing whether or not the cell
> > supports the rxk5 protocol.
> Wouldn't the normal Kerberos enctype negotiation do that?
> That is, if the client asks for {AES,DES} and if it gets
> back AES it knows it can use rxk5?
> John

Doesn't quite work.  If the kdc knows the service supports {AES,RC4,DES}
then when a v5 client says it only does {DES}, the kdc will make up a
session key using DES, *and* then encrypts it using AES.  The client is
now happy, but the existing server side rxkad v5 support can't hack that;
it errors out right away when it gets that.  In fact, it can't easily
do anything better either - hacking up the KeyFile logic to support AES
would be ugly.

Equating enctype with protocol seems unwise anyways.

				-Marcus Watts
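A small model of the negotiation Marcus describes, added here as an illustration and not code from OpenAFS or any Kerberos implementation: the KDC picks the session-key enctype from the client's list, but seals the ticket with the service principal's own key, so a DES-only rxkad KeyFile cannot open an AES-sealed ticket. The strength ordering and the assumption that the KDC uses the strongest service key it holds are constructed for this model.

```python
"""Model of why a DES-only rxkad server breaks once its service principal
has AES keys.  Constructed illustration, not OpenAFS or MIT Kerberos code."""
from dataclasses import dataclass

# Assumed ordering: the model KDC seals tickets with the strongest service
# key it holds (a real KDC uses the most recent kvno, which after adding AES
# keys is normally the AES key, so the outcome is the same).
STRENGTH = {"des-cbc-crc": 0, "arcfour-hmac": 1, "aes256-cts-hmac-sha1-96": 2}


@dataclass
class Ticket:
    session_key_etype: str   # negotiated from the client's offered list
    ticket_etype: str        # enctype of the service key used to seal it


class KdcError(Exception):
    pass


def kdc_issue_ticket(client_etypes, service_key_etypes):
    """Session key: first client-offered enctype the KDC supports.
    Ticket: sealed with the service's key, regardless of the client list."""
    usable = [e for e in client_etypes if e in STRENGTH]
    if not usable:
        raise KdcError("KDC_ERR_ETYPE_NOSUPP")
    session_etype = usable[0]
    ticket_etype = max(service_key_etypes, key=STRENGTH.__getitem__)
    return Ticket(session_etype, ticket_etype)


def rxkad_server_accepts(keyfile_etypes, ticket):
    """The server must first decrypt the ticket with a key from its KeyFile;
    the (DES) session key inside is never reached if that step fails."""
    return ticket.ticket_etype in keyfile_etypes


def audit_service_keys(keyfile_etypes, service_key_etypes):
    """Defender check: any enctype the KDC holds for the service that the
    server cannot decrypt will hand some clients unusable tickets."""
    return sorted(set(service_key_etypes) - set(keyfile_etypes))
```

Running `audit_service_keys` against the enctypes listed for the afs principal (for example with kadmin's getprinc) before adding stronger keys shows which additions a DES-only server cannot consume.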