logo_kerberos.gif

Difference between revisions of "Projects/Disable DES"

From K5Wiki
Jump to: navigation, search
Line 1: Line 1:
{{project-early}}
+
{{project-review|2009-02-13}}
 
This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.
 
This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.
   
For now, the '''allow_weak_crypto''' libdefault boolean will control whether "weak" crypto is allowed. The crypto library will gain an internal API, krb5_c_weak_enctype(), which will indicate whether a given enctype is "weak". The krb5_keytypes structure will have a flags word that will contain a bit indicating whether a given enctype is weak.
+
For now, the '''allow_weak_crypto''' libdefault boolean (which aligns with Heimdal) will control whether "weak" crypto is allowed. The crypto library will gain an internal API, krb5_c_weak_enctype(), which will indicate whether a given enctype is "weak". The krb5_keytypes structure will have a flags word that will contain a bit indicating whether a given enctype is weak.
   
In the future, in order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.
+
In the future, in a separate project, in order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.
   
 
<pre>
 
<pre>
Line 16: Line 16:
   
 
where <code>DEFAULT</code> designates the default set of enctypes.
 
where <code>DEFAULT</code> designates the default set of enctypes.
  +
  +
  +
==Review==
  +
  +
This section documents the review of the project according to [[Project policy]].
  +
It is divided into multiple sections. First, approvals should be listed. To list an approval type
  +
:<nowiki>#~~~~</nowiki>
  +
on its own line.
  +
The next section is for discussion. Use standard [http://en.wikipedia.org/wiki/Wikipedia:Tutorial_%28Talk_pages%29 talk page conventions]. In particular, sign comments with
  +
:<nowiki>--~~~~</nowiki>
  +
and indent replies.
  +
  +
Members of Krbcore raising Blocking objections should preface their comment with <nowiki>{{project-block}}</nowiki>. The member who raised the objection should remove this markup when their objection is handled.
  +
  +
===Approvals===
  +
  +
===Discussion===

Revision as of 21:01, 28 January 2009

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on 2009-02-13.

Comments can be sent to krbdev@mit.edu.

This project will disable the single-DES encryption algorithms by default. A future (post-1.7) release will remove the code that supports single-DES.

For now, the allow_weak_crypto libdefault boolean (which aligns with Heimdal) will control whether "weak" crypto is allowed. The crypto library will gain an internal API, krb5_c_weak_enctype(), which will indicate whether a given enctype is "weak". The krb5_keytypes structure will have a flags word that will contain a bit indicating whether a given enctype is weak.

In the future, in a separate project, in order to make this more future-proof, the configuration of enctypes will be enhanced to allow for inclusions and exclusions, e.g.

permitted_enctypes = DEFAULT +des-cbc-crc

or

permitted_enctypes = DEFAULT -arcfour-hmac

where DEFAULT designates the default set of enctypes.


Review

This section documents the review of the project according to Project policy. It is divided into multiple sections. First, approvals should be listed. To list an approval type

#~~~~

on its own line. The next section is for discussion. Use standard talk page conventions. In particular, sign comments with

--~~~~

and indent replies.

Members of Krbcore raising Blocking objections should preface their comment with {{project-block}}. The member who raised the objection should remove this markup when their objection is handled.

Approvals

Discussion