Diffstat (limited to 'crypto/krb5/doc/html/admin/advanced/retiring-des.html')
-rw-r--r--  crypto/krb5/doc/html/admin/advanced/retiring-des.html  44
1 files changed, 21 insertions, 23 deletions
diff --git a/crypto/krb5/doc/html/admin/advanced/retiring-des.html b/crypto/krb5/doc/html/admin/advanced/retiring-des.html index 40ba435f4ab4..8dec27ded0a4 100644 --- a/crypto/krb5/doc/html/admin/advanced/retiring-des.html +++ b/crypto/krb5/doc/html/admin/advanced/retiring-des.html @@ -1,19 +1,17 @@ - <!DOCTYPE html> -<html> +<html lang="en" data-content_root="../../"> <head> <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> + <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" /> <title>Retiring DES — MIT Kerberos Documentation</title> - <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> - <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" /> - <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" /> - <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> - <script src="../../_static/jquery.js"></script> - <script src="../../_static/underscore.js"></script> - <script src="../../_static/doctools.js"></script> + <link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=fa44fd50" /> + <link rel="stylesheet" type="text/css" href="../../_static/agogo.css?v=879f3c71" /> + <link rel="stylesheet" type="text/css" href="../../_static/kerb.css?v=6a0b3979" /> + <script src="../../_static/documentation_options.js?v=236fef3b"></script> + <script src="../../_static/doctools.js?v=888ff710"></script> + <script src="../../_static/sphinx_highlight.js?v=dc90522c"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="index" title="Index" href="../../genindex.html" /> <link rel="search" title="Search" href="../../search.html" /> 
@@ -53,15 +51,15 @@ <div class="body" role="main"> <section id="retiring-des"> -<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Permalink to this headline">¶</a></h1> +<span id="id1"></span><h1>Retiring DES<a class="headerlink" href="#retiring-des" title="Link to this heading">¶</a></h1> <p>Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption. While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace. As such, it is now considered insecure and should not be -used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://tools.ietf.org/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p> +used (<span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc6649.html"><strong>RFC 6649</strong></a>).</p> <section id="history"> -<h2>History<a class="headerlink" href="#history" title="Permalink to this headline">¶</a></h2> +<h2>History<a class="headerlink" href="#history" title="Link to this heading">¶</a></h2> <p>DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was added in version 1.1, with full support following in version 1.2. @@ -76,7 +74,7 @@ consequence, a release prior to 1.18 is required to perform these migrations.</p> </section> <section id="types-of-keys"> -<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Permalink to this headline">¶</a></h2> +<h2>Types of keys<a class="headerlink" href="#types-of-keys" title="Link to this heading">¶</a></h2> <ul class="simple"> <li><p>The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos 
@@ -112,7 +110,7 @@ are created in the Kerberos database for those server principals.</p> </div> </section> <section id="upgrade-procedure"> -<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Permalink to this headline">¶</a></h2> +<h2>Upgrade procedure<a class="headerlink" href="#upgrade-procedure" title="Link to this heading">¶</a></h2> <p>This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non-DES keys, so that the only remaining task is to update the actual keys used to service requests. @@ -154,7 +152,7 @@ and the database entries for some “high-value” principals were:</p> <p>The <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code> key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key.</p> <section id="the-krbtgt-key-and-kdc-keys"> -<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Permalink to this headline">¶</a></h3> +<h3>The krbtgt key and KDC keys<a class="headerlink" href="#the-krbtgt-key-and-kdc-keys" title="Link to this heading">¶</a></h3> <p>Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>—if this principal’s key is compromised, so is the 
@@ -240,7 +238,7 @@ are rekeyed to non-DES enctypes. Such problems can be detected early at this stage, giving more time for corrective action.</p> </section> <section id="adding-strong-keys-to-application-servers"> -<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Permalink to this headline">¶</a></h3> +<h3>Adding strong keys to application servers<a class="headerlink" href="#adding-strong-keys-to-application-servers" title="Link to this heading">¶</a></h3> <p>Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults. This @@ -267,7 +265,7 @@ practice.</p> </div> </section> <section id="adding-strong-keys-by-default"> -<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Permalink to this headline">¶</a></h3> +<h3>Adding strong keys by default<a class="headerlink" href="#adding-strong-keys-by-default" title="Link to this heading">¶</a></h3> <p>Once the high-visibility services have been rekeyed, it is probably appropriate to change <a class="reference internal" href="../conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a> to generate keys with the new encryption types by default. This enables server administrators to generate 
@@ -321,7 +319,7 @@ or adjust the population in the load-balanced pool in order to propagate the updated keytab to all hosts in the pool with minimal service interruption.</p> </section> <section id="removing-des-keys-from-usage"> -<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Permalink to this headline">¶</a></h3> +<h3>Removing DES keys from usage<a class="headerlink" href="#removing-des-keys-from-usage" title="Link to this heading">¶</a></h3> <p>This situation remains something of a testing or transitory state, as new DES keys are still being generated, and will be used if requested by a client. To make more progress removing DES from the realm, the KDC @@ -397,7 +395,7 @@ all places where DES enctypes could be explicitly configured. DES keys will not be used, even if they are present, when <strong>allow_weak_crypto = false</strong>.</p> </section> <section id="support-for-legacy-services"> -<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Permalink to this headline">¶</a></h3> +<h3>Support for legacy services<a class="headerlink" href="#support-for-legacy-services" title="Link to this heading">¶</a></h3> <p>If there remain legacy services which do not support non-DES enctypes (such as older versions of AFS), <strong>allow_weak_crypto</strong> must remain enabled on the KDC. Client machines need not have this setting, 
@@ -418,7 +416,7 @@ user to contact the helpdesk for access.</p> </section> </section> <section id="the-database-master-key"> -<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Permalink to this headline">¶</a></h2> +<h2>The Database Master Key<a class="headerlink" href="#the-database-master-key" title="Link to this heading">¶</a></h2> <p>This procedure does not alter <code class="docutils literal notranslate"><span class="pre">K/M@REALM</span></code>, the key used to encrypt key material in the Kerberos database. (This is the key stored in the stash file on the KDC if stash files are used.) However, the security risk of @@ -524,8 +522,8 @@ converted to the new master key.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.21.3</i><br /> - © <a href="../../copyright.html">Copyright</a> 1985-2024, MIT. + <div class="right" ><i>Release: 1.22-final</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2025, MIT. </div> <div class="left"> |
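Review bot: the first hunk (`@@ -1,19 +1,17 @@`) leaves the regenerated `<head>` with two `<meta name="viewport">` elements on one line, one with `initial-scale=1.0` and one with `initial-scale=1`; browsers will honour the last one, but the duplicate is a sign that both the theme template and the generator are emitting a viewport tag, and the theme's copy should be dropped at the source rather than in the generated HTML. The same hunk also stops loading `jquery.js` and `underscore.js` while keeping `agogo.css` and `kerb.css`; it is worth confirming that nothing in the local theme still expects `$` or `_` to be defined now that only `documentation_options.js`, `doctools.js` and `sphinx_highlight.js` are included.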
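Review bot: in the second hunk (`@@ -53,15 +51,15 @@`) the RFC 6649 link moves from `https://tools.ietf.org/html/rfc6649.html` to `https://datatracker.ietf.org/doc/html/rfc6649.html`; that is the current canonical location, but since every other hunk in this file is a pure `Permalink to this headline` to `Link to this heading` title change, the link rewrite is the only content-visible difference here and should be called out in the commit message so that a reviewer does not mistake it for generator noise.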
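Review bot: the footer hunk (`@@ -524,8 +522,8 @@`) changes the displayed release from `1.21.3` to `1.22-final`; the previous value was a bare version number, so please confirm that `1.22-final` is the intended user-facing string for this import and not a build-time tag that should have been rendered as `1.22`. The copyright range update to `1985-2025` looks correct for the same commit.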