Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.507 (Entity 5.507)
Subject: Remove single-DES support
X-RT-Original-Encoding: iso-8859-1
Content-Length: 832

Release 1.8 began a transition away from single-DES support by 
requiring "allow_weak_crypto = true".  Due to the 56-bit key size of 
single-DES, an unknown key can be recovered via brute-force attack 
with a small investment in cloud computing resources.

This ticket removes single-DES support for release 1.18.  
Specifically, it removes:

* The afs3 and v4 salt types.  The afs3 salt type indicates an AFS-
specific string-to-key function which only applies to single-DES 
keys.  The v4 salt type (indicating the empty salt) was a 
transitional measure for converting krb4 databases; although it was 
not restricted for use with single-DES keys, it is not useful for 
other key types.

* The des-cbc-crc, des-cbc-md4, des-cbc-md5, and des-hmac-sha1 
encryption types.

* The crc32, des-cbc, md4-des, and md5-des checksum types.