[OpenAFS] ADS and MIT Kerberos transition auth continued

Russ Allbery rra@stanford.edu
Thu, 09 Jul 2009 07:56:10 -0700


Eric Chris Garrison <ecgarris@iupui.edu> writes:
> Jeffrey Altman wrote:

>> The answer is right above.  AES-256 is not DES-CBC-CRC.
>
> I'm told by our ADS admin that DES3 isn't supported,

That wouldn't help; AFS doesn't support DES3 anyway.

> and DES-CBC-CRC is somewhat weak by modern standards.  How concerned
> should I be?

About as concerned as everyone else running AFS.  It's a known weakness,
and there are various efforts underway to address it over time, such as
the rxk5 work which is available on a branch for testing.  There isn't
any solution ready yet for production use.

> Is there another option that's secure and supported in AD?

No.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>