Skip to main content

Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
RFC 6649

Approval announcement
Draft of message to be sent after approval:


From: The IESG <>
To: IETF-Announce <>
Cc: RFC Editor <>,
    krb-wg mailing list <>,
    krb-wg chair <>
Subject: Protocol Action: 'Deprecate DES, RC4-HMAC-EXP, and other weak cryptographic algorithms in Kerberos' to Best Current Practice (draft-ietf-krb-wg-des-die-die-die-04.txt)

The IESG has approved the following document:
- 'Deprecate DES, RC4-HMAC-EXP, and other weak cryptographic algorithms
   in Kerberos'
  (draft-ietf-krb-wg-des-die-die-die-04.txt) as a Best Current Practice

This document is the product of the Kerberos Working Group.

The IESG contact persons are Stephen Farrell and Sean Turner.

A URL of this Internet Draft is:

Ballot Text

The IESG have approved the designation of RFC 1510 as an Historic
RFC as requested by this document.

Technical Summary

  A long long time ago Data Encryption Standard (DES) was
  standardized. Some 30 years later (2005) IT was withdrawn as a
  standard by National Institute of Standards and Technology (NIST),
  today 7 years later, its time for DES to finally die. By 2008 it
  was possible to brute force DES keys in 6.4 days using less than
  USD 10k worth of hardware. So by 2008 DES had passed its sell-by
  date. This document updates RFC1964, RFC4120, RFC4121 and RFC 4757
  to deprecate the use of DES in Kerberos. Because the version of  
  Kerberos specified in RFC1510 only supports DES and has been
  replaced by RFC4120, RFC1510 is reclassified as historic. There is
  a downward reference to RFC 4757 in order to deprecate an algorithm
  specified in that RFC; this downward reference is appropriate 
  because reclassifying RFC 4757 as standards track is not desired.

Working Group Summary

  This document represents the consensus of the Kerberos Working Group.

Document Quality

  At least three major Kerberos implementations have already either
  implemented the recommendations of this document by removing DES
  support entirely, or changed their default configuration such that
  DES and related algorithms deprecated by this document must be 
  explicitly enabled by an administrator before they can be used.


  The Document Shepherd for this document is Sam Hartman; Jeffrey Hutzelman acted
  as shepherd for much of the life of this document.
  The responsible Area Director is Stephen Farrell. 

RFC Editor Notes

(1)  Abstract

   this document reclassifies RFC1510 as Historic.
   this document recommends the reclassification of RFC1510 as Historic.

(2)  Section 2


   Accordingly, this document reclassifies [RFC1510]
   (obsoleted by [RFC4120]) as Historic

   Accordingly, this document recommends the reclassification of
   [RFC1510] (obsoleted by [RFC4120]) as Historic

(3) Section 5

   This document hereby reclassifies [RFC1510] as Historic.

   This document recommends the reclassification of [RFC1510] as

(4) Change from Updates 1510 to Obsoletes 1510 in the header

Please change the header to say that this does not update 1510 (remove
1510 from the list of updated RFCs) and add that this document obsoletes
1510 (if approved) to the header.

RFC Editor Note