<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc PUBLIC "-//IETF//DTD RFC 2629//EN" "rfc2629.dtd" [
<!ENTITY rfc1964 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1964.xml'>
<!ENTITY rfc1510 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1510.xml'>
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc3961 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml'>
<!ENTITY rfc4120 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml'>
<!ENTITY rfc4121 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4121.xml'>
<!ENTITY rfc4772 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4772.xml'>
]>
<rfc category="std"
ipr="trust200902"
docName="draft-ietf-krb-wg-des-die-die-die-00"
updates="1510, 1964, 3961, 4120, 4121">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="no" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<front>
<title>Deprecate DES support for Kerberos</title>
<author initials='L' surname="Hornquist Astrand" fullname='Love Hornquist Astrand'>
<organization>Apple, Inc</organization>
<address>
<postal>
<street/>
<city>Cupertino</city> <code/>
<country>USA</country>
</postal>
<email>lha@apple.com</email>
</address>
</author>
<author fullname="Tom Yu" initials="T." surname="Yu">
<organization>MIT Kerberos Consortium</organization>
<address>
<email>tlyu@mit.edu</email>
</address>
</author>
<date month="February" year="2012"/>
<abstract>
<t>
The Kerberos 5 network authentication protocol originally used
the Data Encryption Standard (DES) for encryption. Almost 30
years after it introduced the first DES standard, the National
Institute of Standards and Technology (NIST) finally withdrew
the DES standard in 2005, reflecting a long-established
consensus that DES no longer provides adequate security. In
2006, it cost less than EUR 10,000 to build a machine to brute
force DES keys in an average of 8.7 days. By 2008, it was
possible to buy commercial hardware that breaks DES keys in
less than a day on average. DES is long past its sell-by
date. Accordingly, this document updates RFC1964, RFC4120, and
RFC4121 to deprecate the use of DES in Kerberos. Because the
original Kerberos 5 specification, RFC1510 (obsoleted by RFC
4120), supports only DES, this document also reclassifies
RFC1510 as Historic.
</t>
</abstract>
</front>
<middle>
<section title="Requirements Notation">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119"/>.</t>
</section>
<section title="Introduction">
<t>
The original specification of the Kerberos 5 network
authentication protocol <xref target="RFC1510"/> supports only
the Data Encryption Standard (DES) for encryption. For many
years, the cryptographic community has regarded DES as providing
inadequate security. This document reclassifies <xref
target="RFC1510"/> as Historic, and updates current
Kerberos-related specifications <xref target="RFC1964"/>,
<xref target="RFC4120"/>, and <xref target="RFC4121"/> to
deprecate the use of DES in Kerberos.
</t>
</section>
<section title="Affected specifications">
<t>
The initial IETF specification of the Kerberos 5 network
authentication protocol <xref target="RFC1510"/> supports only
the Data Encryption Standard (DES) for encryption. <xref
target="RFC4120"/> updates the Kerberos specification to
include additional cryptographic algorithms. <xref
target="RFC3961"/> describes the Kerberos cryptographic system
and includes support for Data Encryption Standard (DES)
encryption types.
</t>
<t>
DES no longer provides adequate cryptographic protection. This
document updates <xref target="RFC1964"/>, <xref
target="RFC4120"/>, and <xref target="RFC4121"/> to deprecate
the use of DES in Kerberos. Because the version of Kerberos
specified in <xref target="RFC1510"/> supports only DES, and
<xref target="RFC4120"/> supersedes it, this document
reclassifies <xref target="RFC1510"/> as Historic.
</t>
<t>
The specification of the Kerberos Generic Security Services
Application Programming Interface (GSS-API) mechanism <xref
target="RFC1964"/> and its updated version <xref
target="RFC4121"/> define checksum and encryption mechanisms
based on DES. With the existence of newer encryption types for
Kerberos GSS-API defined in <xref target="RFC4121"/>,
Microsoft's ARCFOUR-HMAC based GSS-API mechanism, and MIT's
DES3, there is no need to support the old DES based integrity
(SGN) and confidentiality (SEAL) types.
</t>
</section>
<section title="DES insecurity">
<t>
The insecurity of DES has been evident for many years. The
National Institute of Standards and Technology (NIST)
officially withdrew DES in 2005 <xref
target="DES-Withdrawal"/>, and also announced a transition
period that ended on May 19, 2007 <xref
target="DES-Transition-Plan"/>. The IETF has also published
its position in <xref target="RFC4772"/>, in which the
recommendation summary is very clear: "don't use DES".
</t>
<t>
In 2006, researchers demonstrated the ability to brute force a
DES key in an average of less than 9 days using less than EUR
10,000 worth of hardware <xref target="Break-DES"/>. By 2008,
a company was offering hardware capable of breaking a DES key
in less than a day on average <xref target="DES-1day"/>. Brute
force key searches of DES will only get faster and
cheaper. (The aforementioned company markets its device for
one-click recovery of lost DES keys.) It is clear that it is
well past time to retire the use of DES in Kerberos.
</t>
</section>
<section title="Recommendations">
<t>
This document removes the following RECOMMENDED types from
<xref target="RFC4120"/>:
<list style='empty'>
<t>Encryption: DES-CBC-MD5(3)</t>
<t>Checksums: DES-MD5 (8, RSA-MD5-DES from <xref target="RFC3961"/>).</t>
</list>
</t>
<t>
Kerberos implementations and deployments SHOULD NOT implement
the single DES encryption types: DES-CBC-CRC(1),
DES-CBC-MD4(2), DES-CBC-MD5(3).
</t>
<t>
Kerberos implementations and deployments SHOULD NOT implement
the checksum types: CRC32(1), RSA-MD4(2), RSA-MD4-DES(3),
DES-MAC(4), DES-MAC-K(5), RSA-MD4-MAC-K(6), DES-MD5(7),
RSA-MD5-DES(8).
</t>
<t>
Note that RSA-MD5 might be used with non-DES encryption types,
for example, when doing a TGS-REQ with ARCFOUR-HMAC-MD5, some
clients use RSA-MD5 for the checksum that is stored inside the
encrypted part of the authenticator. This use of RSA-MD5 is to
be considered safe, so Kerberos implementations MAY allow this
usage when used with legacy systems that can't handle newer
checksum types.
</t>
<t>
Kerberos GSS mechanism implementations and deployments SHOULD
NOT implement the SGN ALG: DES MAC MD5(0000), MD2.5(0100), DES
MAC(0200) (updates <xref target="RFC1964"/>).
</t>
<t>
Kerberos GSS mechanism implementations and deployments SHOULD
NOT implement the SEAL ALG: DES(0000) (updates <xref target="RFC1964"/>).
</t>
<t>
The effect of the last two sentences is that this document
deprecates section 1.2 in <xref target="RFC1964"/>.
</t>
<t>
This document hereby reclassifies <xref target="RFC1510"/> as
Historic.
</t>
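<t>
Added example, not part of this draft or of any Kerberos
implementation: a configuration audit that flags settings which
still admit the single DES encryption types 1, 2 and 3 named
above. The krb5.conf key names, the enctype name spellings, the
"des" family alias, the "-" removal prefix and the boolean
spellings are assumptions taken from MIT krb5; the function
names and the sample configuration are constructed here.
</t>
<figure><artwork><![CDATA[
```python
# Added example, not from the draft; krb5.conf keys and names assumed from MIT krb5.
DEPRECATED_ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md4": 2, "des-cbc-md5": 3}
DES_FAMILY = "des"  # assumed alias covering all single-DES enctypes
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}  # assumed boolean spellings

def effective_des(value):
    """Apply an enctype list left to right; return the DES numbers left enabled."""
    enabled = set()
    for token in value.replace(",", " ").lower().split():
        remove = token.startswith("-")  # "-name" removes an earlier entry
        name = token.lstrip("-")
        if name == DES_FAMILY:
            hit = set(DEPRECATED_ENCTYPES.values())
        elif name in DEPRECATED_ENCTYPES:
            hit = {DEPRECATED_ENCTYPES[name]}
        else:
            continue  # AES, RC4, DEFAULT, ...: outside this check
        enabled = enabled - hit if remove else enabled | hit
    return sorted(enabled)

def audit_krb5_conf(text):
    """Return (line_no, key, detail) for each setting that admits single DES."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or not a setting
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((line_no, key, "weak enctypes allowed"))
        elif key in ENCTYPE_KEYS:
            numbers = effective_des(value)
            if numbers:
                findings.append((line_no, key, numbers))
    return findings

# Constructed sample configuration (not from a real host).
SAMPLE_CONF = """\
[libdefaults]
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac
    permitted_enctypes = DEFAULT des -des-cbc-md4
; permitted_enctypes = des-cbc-crc
"""

if __name__ == "__main__":
    print(audit_krb5_conf(SAMPLE_CONF))
```
]]></artwork></figure>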
</section>
<section title="Other old enctypes">
<t>
The following older encryption types and checksum types should
not be deployed and can be disabled by default by
implementations:
</t>
<t>XXX add list here</t>
</section>
<section title="Acknowledgements">
<t>
Jeffrey Hutzelman, Simon Josefsson, Mattias Amnefelt, Leif
Johansson, and Ran Atkinson have read the document and
provided suggestions for improvements. Sam Hartman proposed
moving <xref target="RFC1510"/> to Historic.
</t>
</section>
<section title="Security Considerations">
<t>
Removing support for single DES improves security since DES is
considered to be insecure.
</t>
<t>
Kerberos defines some encryption types that are either
underspecified or that were only allocated a number in the
specifications. Implementations should make sure that they
only implement and enable secure encryption types.
</t>
<t>
RC4, used in ARCFOUR-HMAC, is considered weak; however, the
use in Kerberos is vetted and considered secure for now. The
main reason to not actively discourage the use of
ARCFOUR-HMAC is that it is the only encryption type that
interoperates with older versions of Microsoft Windows once
DES is removed.
</t>
</section>
<section title="IANA Considerations">
<t>
There are no IANA Considerations for this document.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc1964;
&rfc2119;
&rfc3961;
&rfc4120;
&rfc4121;
</references>
<references title="Informative References">
&rfc1510;
&rfc4772;
<reference anchor="Break-DES">
<front>
<title>
How to break DES for EUR 8,980 - SHARCS workshop 2006
</title>
<author initials="S." surname="Kumar" fullname="Sandeep Kumar"/>
<author initials="C." surname="Paar" fullname="Christof Paar"/>
<author initials="J." surname="Pelzl" fullname="Jan Pelzl"/>
<author initials="G." surname="Pfeiffer" fullname="Gerd Pfeiffer"/>
<author initials="A." surname="Rupp" fullname="Andy Rupp"/>
<author initials="M." surname="Schimmler" fullname="Manfred Schimmler"/>
<date year="2006" month="April"/>
</front>
</reference>
<reference anchor="DES-1day"
target="http://www.sciengines.com/company/news-a-events/74-des-in-1-day.html">
<front>
<title>Break DES in less than a single day</title>
<author>
<organization>SciEngines GmbH</organization>
</author>
<date/>
</front>
</reference>
<reference anchor="DES-Transition-Plan"
target="http://csrc.nist.gov/groups/STM/common_documents/DESTranPlan.pdf">
<front>
<title>DES Transition Plan</title>
<author>
<organization>
National Institute of Standards and Technology
</organization>
</author>
<date year='2005' month='May'/>
</front>
</reference>
<reference anchor="DES-Withdrawal"
target="http://www.gpo.gov/fdsys/pkg/FR-2005-05-19/pdf/05-9945.pdf">
<front>
<title>
Announcing Approval of the Withdrawal of Federal
Information Processing Standard (FIPS) 46-3, Data
Encryption Standard (DES); FIPS 74, Guidelines for
Implementing and Using the NBS Data Encryption Standard;
and FIPS 81, DES Modes of Operation - Federal Register
Document 05-9945, 70 FR 28907-28908
</title>
<author>
<organization>
National Institute of Standards and Technology
</organization>
</author>
<date year='2005' month='May'/>
</front>
</reference>
</references>
</back>
</rfc>