[20462] in Kerberos_V5_Development
Re: KDC TGT enctype selection question
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Mon Dec 4 17:07:50 2023
Date: Mon, 4 Dec 2023 14:07:25 -0800
From: "Benjamin Kaduk" <kaduk@mit.edu>
To: Nico Williams <nico@cryptonector.com>
CC: Ken Hornstein <kenneth.hornstein.ctr@nrl.navy.mil>, <krbdev@mit.edu>
Message-ID: <ZW5NeKSnrWjvHUYZ@pleonasm.mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ZW5IWVm0hPFj6gKV@ubby21>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Dec 04, 2023 at 03:44:57PM -0600, Nico Williams wrote:
> On Mon, Dec 04, 2023 at 04:23:08PM -0500, Ken Hornstein wrote:
> > I understand the convention, but it doesn't really answer my question:
> > this is a very explicit coding choice and I can't really see WHY it
> > exists. For one it could make it difficult to upgrade enctypes when
> > you had geographically-distributed KDCs that were managed by different
> > organizations. Also, it doesn't really match the expected behavior
> > in terms of other Kerberos enctype negotations and I am trying to
> > understand why. I am perfectly willing to believe there is something
> > I don't understand!
>
> It's a very simple convention. I would strongly advise running the same
> configuration on all the KDCs of any given realm.
I would go even further and say that it is a design assumption of MIT krb5
that all KDCs are just separate instances of the same logical instance and are
assumed to behave "identically" (i.e., with identical configuration).
As Nico says, this particular case seems like the KDC knowing that the enctype
list is sorted strongest-to-weakest, and also knowing that "the KDC" is the
only entity that can create this ciphertext, so enforcing that the strongest
key is being used and preventing by construction any brute-force or other
attacks on krbtgt keys of other enctypes.
-Ben
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
