Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
RFC 6649

Document Type RFC - Best Current Practice (July 2012; No errata)
Obsoletes RFC 1510
Also known as BCP 179
Authors Love Astrand  , Taylor Yu 
Last updated 2015-10-14
Replaces draft-lha-des-die-die-die
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state Submitted to IESG for Publication
Document shepherd Sam Hartman
IESG IESG state RFC 6649 (Best Current Practice)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Stephen Farrell
IESG note Sam Hartman ( is the document shepherd.
Send notices to (None)
Internet Engineering Task Force (IETF)              L. Hornquist Astrand
Request for Comments: 6649                                   Apple, Inc.
BCP: 179                                                           T. Yu
Obsoletes: 1510                                  MIT Kerberos Consortium
Updates: 1964, 4120, 4121, 4757                                July 2012
Category: Best Current Practice
ISSN: 2070-1721

  Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms
                              in Kerberos


   The Kerberos 5 network authentication protocol, originally specified
   in RFC 1510, can use the Data Encryption Standard (DES) for
   encryption.  Almost 30 years after first publishing DES, the National
   Institute of Standards and Technology (NIST) finally withdrew the
   standard in 2005, reflecting a long-established consensus that DES is
   insufficiently secure.  By 2008, commercial hardware costing less
   than USD 15,000 could break DES keys in less than a day on average.
   DES is long past its sell-by date.  Accordingly, this document
   updates RFC 1964, RFC 4120, RFC 4121, and RFC 4757 to deprecate the
   use of DES, RC4-HMAC-EXP, and other weak cryptographic algorithms in
   Kerberos.  Because RFC 1510 (obsoleted by RFC 4120) supports only
   DES, this document recommends the reclassification of RFC 1510 as

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Hornquist Astrand & Yu    Best Current Practice                 [Page 1]
RFC 6649                Deprecate DES in Kerberos              July 2012

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Hornquist Astrand & Yu    Best Current Practice                 [Page 2]
RFC 6649                Deprecate DES in Kerberos              July 2012

1.  Introduction

   The original specification of the Kerberos 5 network authentication
   protocol [RFC1510] supports only the Data Encryption Standard (DES)
   for encryption.  For many years, the cryptographic community has
   regarded DES as providing inadequate security, mostly because of its
   small key size.  Accordingly, this document recommends the
   reclassification of [RFC1510] (obsoleted by [RFC4120]) as Historic
   and updates current Kerberos-related specifications [RFC1964],
   [RFC4120], and [RFC4121] to deprecate the use of DES and other weak
   cryptographic algorithms in Kerberos, including some unkeyed
   checksums and hashes, along with the weak 56-bit "export strength"
   RC4 variant encryption type of [RFC4757].

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

3.  Affected Specifications

   The original IETF specification of Kerberos 5 [RFC1510] only supports
   DES for encryption.  [RFC4120] obsoletes [RFC1510] and updates the
   Kerberos specification to include additional cryptographic
   algorithms, but still permits the use of DES.  [RFC3961] describes
   the Kerberos cryptographic system and includes support for DES
   encryption types, but it does not specify requirement levels for

   The specification of the Kerberos Generic Security Services
   Application Programming Interface (GSS-API) mechanism [RFC1964] and
   its updated version [RFC4121] define checksum and encryption
   mechanisms based on DES.  With the existence of newer encryption
   types for Kerberos GSS-API defined in [RFC4121], Microsoft's
   RC4-HMAC-based GSS-API mechanism, and MIT's DES3 (which is not
   published as an RFC), there is no need to support the old DES-based
   integrity (SGN) and confidentiality (SEAL) types.

   [RFC4757] describes the RC4-HMAC encryption types used by Microsoft
Show full document text