draft-lha-des-die-die-die-00

Network Working Group                               L. Hornquist Astrand
Internet-Draft                                                Apple, Inc
Intended status: Standards Track                           July 31, 2009
Expires: February 1, 2010


                Move DES to Historic Status for Kerberos
                      draft-lha-des-die-die-die-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 1, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.









Hornquist Astrand       Expires February 1, 2010                [Page 1]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


Abstract

   A long long time ago DES was standardized.  Some 30 years later
   (2003) is was withdrawn as a standard by NIST, today 6 years later,
   its time for DES to finally die.  By 2008 it was possible to brute
   force DES keys in 6.4 days using less than USD 10k worth of hardware.
   So by 2008 DES had passsed its sell-by date.  Use in Kerberos should
   therefore stop.











































Hornquist Astrand       Expires February 1, 2010                [Page 2]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].














































Hornquist Astrand       Expires February 1, 2010                [Page 3]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


2.  Background

   Kerberos 5 was defined in [RFC1510] and updated in [RFC4120], the
   Kerberos crypto system is defined by [RFC3961] and includes support
   for DES encryption types.  This document move all of the DES
   encryption types to historic.

   DES was withdrawn in [DES-Transition-Plan] by NIST.











































Hornquist Astrand       Expires February 1, 2010                [Page 4]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


3.  Recommendations

   Kerberos implementation and deployments SHOULD NOT use the single DES
   encryption: DES-CBC-MD5, DES-CBC-MD4, DES-CBC-CRC.















































Hornquist Astrand       Expires February 1, 2010                [Page 5]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


4.  Security Considerations

   Removing support for single DES improves security since DES is
   considered to be insecure by most parties.















































Hornquist Astrand       Expires February 1, 2010                [Page 6]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


5.  IANA Considerations

   There are no IANA Considerations for this document
















































Hornquist Astrand       Expires February 1, 2010                [Page 7]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


6.  References

6.1.  Normative References

   [RFC1510]  Kohl, J. and B. Neuman, "The Kerberos Network
              Authentication Service (V5)", RFC 1510, September 1993.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.

6.2.  Informative References

   [DES-Transition-Plan]
              National Institute of Standards and Technology, "DES
              Transition Plan - Federal Register / Vol. 70, No. 96",
              May 2006.




























Hornquist Astrand       Expires February 1, 2010                [Page 8]


Internet-Draft  Move DES to Historic Status for Kerberos       July 2009


Author's Address

   Love Hornquist Astrand
   Apple, Inc
   Cupertino
   USA

   Email: lha@apple.com











































Hornquist Astrand       Expires February 1, 2010                [Page 9]

Document	Document type	This is an older version of an Internet-Draft whose latest revision state is "Replaced". Expired & archived
	Select version	00 01 02 03 04 05
	Compare versions
	Author
	Replaced by	draft-ietf-krb-wg-des-die-die-die
	RFC stream
	Other formats	txt html xml pdf bibtex bibxml
	Additional resources	Mailing list discussion