
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)



> -----Original Message-----
> From: Norbert Klasen [mailto:norbert.klasen@daasi.de]

> --On 18 April 2002 06:45 -0700 Howard Chu <hyc@highlandsun.com> wrote:
> > I saw someone recommend using SASL/GSSAPI over a TLS session. This is
> > overkill, since both TLS and SASL are performing encryption at the same
> > time.

> Would the encryption key size be something to worry about? In our
> environment we cannot use 3DES and thus have to rely on the 56 bits
> provided by des-cbc-crc. By using StartTLS/LDAPS with a
> DES-CBC3-SHA/RC4-MD5 cipher one could "upgrade" to a 128 bit key.

I hadn't thought of that. Technically, by using single-DES twice like this,
you're only getting a key strength of about 80 bits (somewhere between 79
and 84, I'm a bit fuzzy on the math at the moment) but I suppose it's an
improvement. Triple-DES gives you the equivalent strength of a 112 bit
single-encryption key (56*2), not 168 bits (56*3). (It would take 7 DES
iterations to get the strength of a 168 bit single-encryption key.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
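The point Howard makes above, that applying a cipher twice with two independent keys buys far less than a doubled key length, is the meet-in-the-middle principle. The Python below is an added illustration and not part of the original thread or of OpenLDAP; it uses a constructed 16-bit toy block cipher with 12-bit keys (not DES), and the key values, S-box choice and sample plaintext/ciphertext pairs are assumptions made for the demonstration. It recovers both keys of the doubled toy cipher from three known pairs with about 2^(k+1) cipher operations and a 2^k-entry table, instead of the 2^(2k) a naive search over both keys would need.

```python
"""Meet-in-the-middle against a doubled toy block cipher (educational example).

Constructed 16-bit toy cipher with a 12-bit key, NOT DES. Shows why encrypting
twice with two independent k-bit keys gives roughly k+1 bits of strength, not
2k: with a few known plaintext/ciphertext pairs, both keys can be found with
about 2^(k+1) cipher operations plus a 2^k-entry table.
"""
from collections import defaultdict

KEY_BITS = 12                 # toy key size (assumption; DES has 56)
BLOCK_MASK = 0xFFFF           # toy block size: 16 bits
ROUNDS = 4

# PRESENT cipher S-box, used here only as a convenient 4-bit bijection.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(i) for i in range(16)]


def _sub_nibbles(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return (box[x & 0xF] | box[(x >> 4) & 0xF] << 4
            | box[(x >> 8) & 0xF] << 8 | box[(x >> 12) & 0xF] << 12)


def _rotl16(x, n):
    """Rotate a 16-bit word left by n bits."""
    return ((x << n) | (x >> (16 - n))) & BLOCK_MASK


def _round_key(key, r):
    """Derive a 16-bit round subkey; odd multiplier keeps it injective in key."""
    return (key * 0x9E37 + r * 0x5A5A) & BLOCK_MASK


def toy_encrypt(key, block):
    """Encrypt one 16-bit block: 4 rounds of key-xor, S-box, rotate; then whiten."""
    x = block & BLOCK_MASK
    for r in range(ROUNDS):
        x ^= _round_key(key, r)
        x = _sub_nibbles(x, SBOX)
        x = _rotl16(x, 5)
    return x ^ _round_key(key, ROUNDS)


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt (undo whitening, then rounds in reverse)."""
    x = (block & BLOCK_MASK) ^ _round_key(key, ROUNDS)
    for r in reversed(range(ROUNDS)):
        x = _rotl16(x, 16 - 5)          # rotate right by 5
        x = _sub_nibbles(x, INV_SBOX)
        x ^= _round_key(key, r)
    return x


def double_encrypt(k1, k2, block):
    """E_k2(E_k1(P)): the analogue of running single DES twice."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Return (candidates, cipher_ops) for known (plaintext, ciphertext) pairs.

    Phase 1 encrypts the first plaintext under every k1 and indexes the middle
    value; phase 2 decrypts the first ciphertext under every k2 and looks for a
    meeting point. Accidental matches (about 2^(2k-n) of them for an n-bit
    block) are filtered with the remaining pairs. cipher_ops counts the two
    main phases only, for comparison with the 2^(2k) of a naive search.
    """
    p0, c0 = pairs[0]
    middle = defaultdict(list)
    for k1 in range(1 << KEY_BITS):
        middle[toy_encrypt(k1, p0)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        m = toy_decrypt(k2, c0)
        for k1 in middle.get(m, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    cipher_ops = 2 * (1 << KEY_BITS)
    return candidates, cipher_ops


def demo(k1=0x3A7, k2=0xC15):
    """Constructed scenario: keys chosen here; only the three known
    plaintext/ciphertext pairs are handed to meet_in_the_middle."""
    plaintexts = [0x1234, 0xBEEF, 0x0042]          # constructed sample inputs
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, ops = meet_in_the_middle(pairs)
    naive_ops = 1 << (2 * KEY_BITS)
    return candidates, ops, naive_ops


if __name__ == "__main__":
    cands, ops, naive = demo()
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in cands])
    print(f"meet-in-the-middle: {ops} cipher operations (2^{KEY_BITS + 1})")
    print(f"naive search over both keys: 2^{2 * KEY_BITS} = {naive}")
```

Scaling the same argument to DES (k = 56, n = 64) is what makes double DES worth far less than 112 bits and is why the standard three-key construction, rather than a two-key doubling, is used; the example shrinks the parameters only so that the full key space can be walked in a fraction of a second.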