
Deprecate Use of 1024-bit Diffie-Hellman Moduli in Public Key Cryptography for Initial Authentication in Kerberos

Document
Type: Expired Internet-Draft (individual), expired & archived
Author: Robbie Harwood
Last updated: 2022-02-07 (latest revision 2021-08-06)
RFC stream: (None)
Intended RFC status: (None)

Stream
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)

IESG
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active; a copy of the expired draft remains archived.


Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) permits a client and a Kerberos Domain Controller (KDC) to use a Diffie-Hellman (DH) exchange to derive an encryption key. The smallest group currently permitted for this exchange has a 1024-bit modulus, which recent security research has shown to provide insufficient protection against organizations with sufficient computing resources, such as state-sponsored actors. This document updates RFC 4556 to raise the minimum group size to 2048 bits and to define permitted groups with moduli larger than 4096 bits.

