RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)
> -----Original Message-----
> From: Norbert Klasen [mailto:norbert.klasen@daasi.de]
> --On 18 April 2002 06:45 -0700 Howard Chu <hyc@highlandsun.com> wrote:
> > I saw someone recommend using SASL/GSSAPI over a TLS session. This is
> > overkill, since both TLS and SASL are performing encryption at the same
> > time.
> Would the encryption key size be something to worry about? In our
> environment we cannot use 3DES and thus have to rely on the 56 bits
> provided by des-cbc-crc. By using StartTLS/LDAPS with a
> DES-CBC3-SHA/RC4-MD5 cipher one could "upgrade" to a 128 bit key.
I hadn't thought of that. Technically, by using single-DES twice like this,
you're only getting a key strength of about 80 bits (somewhere between 79
and 84, I'm a bit fuzzy on the math at the moment) but I suppose it's an
improvement. Triple-DES gives you the equivalent strength of a 112 bit
single-encryption key (56*2), not 168 bits (56*3). (It would take 7 DES
iterations to get the strength of a 168 bit single-encryption key.)
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support