[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

To: "Norbert Klasen" <norbert.klasen@daasi.de>, <openldap-software@OpenLDAP.org>
Subject: RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)
From: "Howard Chu" <hyc@highlandsun.com>
Date: Fri, 19 Apr 2002 02:21:21 -0700
Importance: Normal
In-reply-to: <221188672.1019207233@dino.directory.dfn.de>

> -----Original Message-----
> From: Norbert Klasen [mailto:norbert.klasen@daasi.de]

> --On 18 April 2002 06:45 -0700 Howard Chu <hyc@highlandsun.com> wrote:
> > I saw someone recommend using SASL/GSSAPI over a TLS session. This is
> > overkill, since both TLS and SASL are performing encryption at the same
> > time.

> Would the encryption key size something to worry about? In our
> environment
> we cannot use 3DES and thus have to rely on the 56 bits provided by
> des-cbc-crc. By using StartTLS/LDAPS with a DES-CBC3-SHA/RC4-MD5
> cipher one
> could "upgrade" to a 128 bit key.

I hadn't thought of that. Technically, by using single-DES twice like this,
you're only getting a key strength of about 80 bits (somewhere between 79
and 84, I'm a bit fuzzy on the math at the moment) but I suppose it's an
improvement. Triple-DES gives you the equivalent strength of a 112 bit
single-encryption key (56*2), not 168 bits (56*3). (It would take 7 DES
iterations to get the strength of a 168 bit single-encryption key.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)
  - From: Norbert Klasen <norbert.klasen@daasi.de>

Prev by Date: RE: Some queries regarding Schema, Triggering Notification etc.
Next by Date: RE: Adding aliases in SSL/TLS certificate (Was: ldapsearch TLS error)
Index(es):
- Chronological
- Thread