I have not yet completed a full review of this (320-page) document, and I
worry that I may not finish before the deadline, so I am bringing this
concern to your attention now.

Section 3.2.1.1 of this document ("Kerberos V5 as a security triple")
seems to indicate that it is mandatory for a conformant NFSv4
implementation to implement the Kerberos V5 GSS-API mechanism and a few
"security triples" (mechanism, quality of protection, service). All of the
mandatory-to-implement security triples use the DES-MAC-MD5 algorithm.
The draft goes on to indicate that clients should engage in security
negotiation (section 3.3) to determine what security to use for bulk
operation, and that since kerberos-v5 under RPCSEC_GSS is mandatory, the
negotiation will be performed using that security provider. The actual
mechanism resulting from the negotiation may be different (or may be the
same), but this single-DES mechanism seems to be required to be used to
protect the negotiation step.

Given that the Kerberos working group has published RFC 6649 (Deprecate
DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos)
and single-DES is known to be critically vulnerable to brute-force
attacks, I have grave concern about the IETF publishing new standards
documents that mandate the implementation of single-DES and do not specify
strong cryptographic algorithms. I feel that to do so would be misleading
implementors into believing that single-DES is sufficient and other
mechanisms need not be implemented, when in reality this is not true.

Sincerely,
Ben Kaduk
MIT Kerberos Consortium