Skip Menu |
 

To: krb5-bugs@MIT.EDU
Subject: allow dh_min_bits >= 1024
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 05 Apr 2013 21:10:48 -0400
Windows 7 clients apparently offer the 1024-bit Oakley MODP group, and
might have some trouble with Diffie-Hellman parameter counterproposals
by the KDC. Allowing dh_min_bits to be 1024 (but not by default)
should allow these clients to do PKINIT successfully (if combined with
the "missing q parameter" interop workaround). Arguably, 1024 bits is
too weak for modern usage, but SP800-57 says it's equivalent to 80
bits of security, and we still allow administrators to configure
single-DES, which is weaker.

We should still investigate the underlying interop problem, though.
From: tlyu@mit.edu
Subject: git commit

Allow config of dh_min_bits < 2048

Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.

https://github.com/krb5/krb5/commit/cae44d2d014985022a001924dce4a56d12c63818
Author: Tom Yu <tlyu@mit.edu>
Commit: cae44d2d014985022a001924dce4a56d12c63818
Branch: master
src/plugins/preauth/pkinit/pkinit.h | 1 +
src/plugins/preauth/pkinit/pkinit_srv.c | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Allow config of dh_min_bits < 2048

Allow configuration to override the default dh_min_bits of 2048 to
1024. Disallow configuration of dh_min_bits < 1024, but continue to
default to 2048.

(cherry picked from commit cae44d2d014985022a001924dce4a56d12c63818)

https://github.com/krb5/krb5/commit/dfaaf09bd0da8df2d52bea63dcb6f89c3ed7cfd3
Author: Tom Yu <tlyu@mit.edu>
Commit: dfaaf09bd0da8df2d52bea63dcb6f89c3ed7cfd3
Branch: krb5-1.11
src/plugins/preauth/pkinit/pkinit.h | 1 +
src/plugins/preauth/pkinit/pkinit_srv.c | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)