1.. _retiring-des: 2 3Retiring DES 4======================= 5 6Version 5 of the Kerberos protocol was originally implemented using 7the Data Encryption Standard (DES) as a block cipher for encryption. 8While it was considered secure at the time, advancements in computational 9ability have rendered DES vulnerable to brute force attacks on its 56-bit 10keyspace. As such, it is now considered insecure and should not be 11used (:rfc:`6649`). 12 13History 14------- 15 16DES was used in the original Kerberos implementation, and was the 17only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was 18added in version 1.1, with full support following in version 1.2. 19The Advanced Encryption Standard (AES), which supersedes DES, gained 20partial support in version 1.3.0 of krb5 and full support in version 1.3.2. 21However, deployments of krb5 using Kerberos databases created with older 22versions of krb5 will not necessarily start using strong crypto for 23ordinary operation without administrator intervention. 24 25MIT krb5 began flagging deprecated encryption types with release 1.17, 26and removed DES (single-DES) support in release 1.18. As a 27consequence, a release prior to 1.18 is required to perform these 28migrations. 29 30Types of keys 31------------- 32 33* The database master key: This key is not exposed to user requests, 34 but is used to encrypt other key material stored in the kerberos 35 database. The database master key is currently stored as ``K/M`` 36 by default. 37* Password-derived keys: User principals frequently have keys 38 derived from a password. When a new password is set, the KDC 39 uses various string2key functions to generate keys in the database 40 for that principal. 41* Keytab keys: Application server principals generally use random 42 keys which are not derived from a password. When the database 43 entry is created, the KDC generates random keys of various enctypes 44 to enter in the database, which are conveyed to the application server 45 and stored in a keytab. 46* Session keys: These are short-term keys generated by the KDC while 47 processing client requests, with an enctype selected by the KDC. 48 49For details on the various enctypes and how enctypes are selected by the KDC 50for session keys and client/server long-term keys, see :ref:`enctypes`. 51When using the :ref:`kadmin(1)` interface to generate new long-term keys, 52the **-e** argument can be used to force a particular set of enctypes, 53overriding the KDC default values. 54 55.. note:: 56 57 When the KDC is selecting a session key, it has no knowledge about the 58 kerberos installation on the server which will receive the service ticket, 59 only what keys are in the database for the service principal. 60 In order to allow uninterrupted operation to 61 clients while migrating away from DES, care must be taken to ensure that 62 kerberos installations on application server machines are configured to 63 support newer encryption types before keys of those new encryption types 64 are created in the Kerberos database for those server principals. 65 66Upgrade procedure 67----------------- 68 69This procedure assumes that the KDC software has already been upgraded 70to a modern version of krb5 that supports non-DES keys, so that the 71only remaining task is to update the actual keys used to service requests. 72The realm used for demonstrating this procedure, ZONE.MIT.EDU, 73is an example of the worst-case scenario, where all keys in the realm 74are DES. The realm was initially created with a very old version of krb5, 75and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value 76appropriate when the KDC was installed, but was not updated as the KDC 77was upgraded: 78 79:: 80 81 [realms] 82 ZONE.MIT.EDU = { 83 [...] 84 master_key_type = des-cbc-crc 85 supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 86 } 87 88This resulted in the keys for all principals in the realm being forced 89to DES-only, unless specifically requested using :ref:`kadmin(1)`. 90 91Before starting the upgrade, all KDCs were running krb5 1.11, 92and the database entries for some "high-value" principals were: 93 94:: 95 96 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' 97 [...] 98 Number of keys: 1 99 Key: vno 1, des-cbc-crc:v4 100 [...] 101 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin' 102 [...] 103 Number of keys: 1 104 Key: vno 15, des-cbc-crc 105 [...] 106 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw' 107 [...] 108 Number of keys: 1 109 Key: vno 14, des-cbc-crc 110 [...] 111 112The ``krbtgt/REALM`` key appears to have never been changed since creation 113(its kvno is 1), and all three database entries have only a des-cbc-crc key. 114 115The krbtgt key and KDC keys 116~~~~~~~~~~~~~~~~~~~~~~~~~~~ 117 118Perhaps the biggest single-step improvement in the security of the cell 119is gained by strengthening the key of the ticket-granting service principal, 120``krbtgt/REALM``---if this principal's key is compromised, so is the 121entire realm. Since the server that will handle service tickets 122for this principal is the KDC itself, it is easy to guarantee that it 123will be configured to support any encryption types which might be 124selected. However, the default KDC behavior when creating new keys is to 125remove the old keys, which would invalidate all existing tickets issued 126against that principal, rendering the TGTs cached by clients useless. 127Instead, a new key can be created with the old key retained, so that 128existing tickets will still function until their scheduled expiry 129(see :ref:`changing_krbtgt_key`). 130 131:: 132 133 [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ 134 > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal 135 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ 136 > -keepold krbtgt/ZONE.MIT.EDU" 137 Authenticating as principal root/admin@ZONE.MIT.EDU with password. 138 Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. 139 140.. note:: 141 142 The new ``krbtgt@REALM`` key should be propagated to replica KDCs 143 immediately so that TGTs issued by the primary KDC can be used to 144 issue service tickets on replica KDCs. Replica KDCs will refuse 145 requests using the new TGT kvno until the new krbtgt entry has 146 been propagated to them. 147 148It is necessary to explicitly specify the enctypes for the new database 149entry, since **supported_enctypes** has not been changed. Leaving 150**supported_enctypes** unchanged makes a potential rollback operation 151easier, since all new keys of new enctypes are the result of explicit 152administrator action and can be easily enumerated. 153Upgrading the krbtgt key should have minimal user-visible disruption other 154than that described in the note above, since only clients which list the 155new enctypes as supported will use them, per the procedure 156in :ref:`session_key_selection`. 157Once the krbtgt key is updated, the session and ticket keys for user 158TGTs will be strong keys, but subsequent requests 159for service tickets will still get DES keys until the service principals 160have new keys generated. Application service 161remains uninterrupted due to the key-selection procedure on the KDC. 162 163After the change, the database entry is now: 164 165:: 166 167 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' 168 [...] 169 Number of keys: 5 170 Key: vno 2, aes256-cts-hmac-sha1-96 171 Key: vno 2, aes128-cts-hmac-sha1-96 172 Key: vno 2, des3-cbc-sha1 173 Key: vno 2, des-cbc-crc 174 Key: vno 1, des-cbc-crc:v4 175 [...] 176 177Since the expected disruptions from rekeying the krbtgt principal are 178minor, after a short testing period, it is 179appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` 180and ``kadmin/changepw@REALM``. These are the service principals used for 181changing user passwords and updating application keytabs. The kadmin 182and password-changing services are regular kerberized services, so the 183session-key-selection algorithm described in :ref:`session_key_selection` 184applies. It is particularly important to have strong session keys for 185these services, since user passwords and new long-term keys are conveyed 186over the encrypted channel. 187 188:: 189 190 [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ 191 > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal 192 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ 193 > kadmin/admin" 194 Authenticating as principal root/admin@ZONE.MIT.EDU with password. 195 Key for "kadmin/admin@ZONE.MIT.EDU" randomized. 196 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ 197 > kadmin/changepw" 198 Authenticating as principal root/admin@ZONE.MIT.EDU with password. 199 Key for "kadmin/changepw@ZONE.MIT.EDU" randomized. 200 201It is not necessary to retain a single-DES key for these services, since 202password changes are not part of normal daily workflow, and disruption 203from a client failure is likely to be minimal. Furthermore, if a kerberos 204client experiences failure changing a user password or keytab key, 205this indicates that that client will become inoperative once services 206are rekeyed to non-DES enctypes. Such problems can be detected early 207at this stage, giving more time for corrective action. 208 209Adding strong keys to application servers 210~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 211 212Before switching the default enctypes for new keys over to strong enctypes, 213it may be desired to test upgrading a handful of services with the 214new configuration before flipping the switch for the defaults. This 215still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default 216enctypes: 217 218:: 219 220 [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ 221 > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal 222 [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \ 223 > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \ 224 > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU" 225 Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. 226 Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. 227 Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. 228 Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. 229 Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. 230 231Be sure to remove the old keys from the application keytab, per best 232practice. 233 234:: 235 236 [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold 237 Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. 238 Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. 239 240Adding strong keys by default 241~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 242Once the high-visibility services have been rekeyed, it is probably 243appropriate to change :ref:`kdc.conf(5)` to generate keys with the new 244encryption types by default. This enables server administrators to generate 245new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, 246and causes user password 247changes to add new encryption types for their entries. It will probably 248be necessary to implement administrative controls to cause all user 249principal keys to be updated in a reasonable period of time, whether 250by forcing password changes or a password synchronization service that 251has access to the current password and can add the new keys. 252 253:: 254 255 [realms] 256 ZONE.MIT.EDU = { 257 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal 258 259.. note:: 260 261 The krb5kdc process must be restarted for these changes to take effect. 262 263At this point, all service administrators can update their services and the 264servers behind them to take advantage of strong cryptography. 265If necessary, the server's krb5 installation should be configured and/or 266upgraded to a version supporting non-DES keys. See :ref:`enctypes` for 267krb5 version and configuration settings. 268Only when the service is configured to accept non-DES keys should 269the key version number be incremented and new keys generated 270(``k5srvutil change && k5srvutil delold``). 271 272:: 273 274 root@dr-willy:~# k5srvutil change 275 Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. 276 Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. 277 Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. 278 Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. 279 Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. 280 root@dr-willy:~# klist -e -k -t /etc/krb5.keytab 281 Keytab name: WRFILE:/etc/krb5.keytab 282 KVNO Timestamp Principal 283 ---- ----------------- -------------------------------------------------------- 284 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) 285 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC) 286 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC) 287 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) 288 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) 289 root@dr-willy:~# k5srvutil delold 290 Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. 291 Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. 292 293When a single service principal is shared by multiple backend servers in 294a load-balanced environment, it may be necessary to schedule downtime 295or adjust the population in the load-balanced pool in order to propagate 296the updated keytab to all hosts in the pool with minimal service interruption. 297 298Removing DES keys from usage 299~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 300 301This situation remains something of a testing or transitory state, 302as new DES keys are still being generated, and will be used if requested 303by a client. To make more progress removing DES from the realm, the KDC 304should be configured to not generate such keys by default. 305 306.. note:: 307 308 An attacker posing as a client can implement a brute force attack against 309 a DES key for any principal, if that key is in the current (highest-kvno) 310 key list. This attack is only possible if **allow_weak_crypto = true** 311 is enabled on the KDC. Setting the **+requires_preauth** flag on a 312 principal forces this attack to be an online attack, much slower than 313 the offline attack otherwise available to the attacker. However, setting 314 this flag on a service principal is not always advisable; see the entry in 315 :ref:`add_principal` for details. 316 317The following KDC configuration will not generate DES keys by default: 318 319:: 320 321 [realms] 322 ZONE.MIT.EDU = { 323 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal 324 325.. note:: 326 327 As before, the KDC process must be restarted for this change to take 328 effect. It is best practice to update kdc.conf on all KDCs, not just the 329 primary, to avoid unpleasant surprises should the primary fail and a 330 replica need to be promoted. 331 332It is now appropriate to remove the legacy single-DES key from the 333``krbtgt/REALM`` entry: 334 335:: 336 337 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \ 338 > krbtgt/ZONE.MIT.EDU" 339 Authenticating as principal host/admin@ATHENA.MIT.EDU with password. 340 Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. 341 342After the maximum ticket lifetime has passed, the old database entry 343should be removed. 344 345:: 346 347 [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU' 348 Authenticating as principal root/admin@ZONE.MIT.EDU with password. 349 Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged. 350 351After the KDC is restarted with the new **supported_enctypes**, 352all user password changes and application keytab updates will not 353generate DES keys by default. 354 355:: 356 357 contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU 358 Password for zonetest@ZONE.MIT.EDU: [enter old password] 359 Enter new password: [enter new password] 360 Enter it again: [enter new password] 361 Password changed. 362 contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest' 363 [...] 364 Number of keys: 3 365 Key: vno 9, aes256-cts-hmac-sha1-96 366 Key: vno 9, aes128-cts-hmac-sha1-96 367 Key: vno 9, des3-cbc-sha1 368 [...] 369 370 [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \ 371 > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU' 372 Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab. 373 Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. 374 Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. 375 Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab. 376 377Once all principals have been re-keyed, DES support can be disabled on the 378KDC (**allow_weak_crypto = false**), and client machines can remove 379**allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration 380files, completing the migration. **allow_weak_crypto** takes precedence over 381all places where DES enctypes could be explicitly configured. DES keys will 382not be used, even if they are present, when **allow_weak_crypto = false**. 383 384Support for legacy services 385~~~~~~~~~~~~~~~~~~~~~~~~~~~ 386 387If there remain legacy services which do not support non-DES enctypes 388(such as older versions of AFS), **allow_weak_crypto** must remain 389enabled on the KDC. Client machines need not have this setting, 390though---applications which require DES can use API calls to allow 391weak crypto on a per-request basis, overriding the system krb5.conf. 392However, having **allow_weak_crypto** set on the KDC means that any 393principals which have a DES key in the database could still use those 394keys. To minimize the use of DES in the realm and restrict it to just 395legacy services which require DES, it is necessary to remove all other 396DES keys. The realm has been configured such that at password and 397keytab change, no DES keys will be generated by default. The task 398then reduces to requiring user password changes and having server 399administrators update their service keytabs. Administrative outreach 400will be necessary, and if the desire to eliminate DES is sufficiently 401strong, the KDC administrators may choose to randkey any principals 402which have not been rekeyed after some timeout period, forcing the 403user to contact the helpdesk for access. 404 405The Database Master Key 406----------------------- 407 408This procedure does not alter ``K/M@REALM``, the key used to encrypt key 409material in the Kerberos database. (This is the key stored in the stash file 410on the KDC if stash files are used.) However, the security risk of 411a single-DES key for ``K/M`` is minimal, given that access to material 412encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled. 413If an attacker can gain access to the encrypted database, they likely 414have access to the stash file as well, rendering the weak cryptography 415broken by non-cryptographic means. As such, upgrading ``K/M`` to a stronger 416encryption type is unlikely to be a high-priority task. 417 418Is is possible to upgrade the master key used for the database, if 419desired. Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and 420**update_princ_encryption** commands, a new master key can be added 421and activated for use on new key material, and the existing entries 422converted to the new master key. 423