Assurance

["Roy, Nicholas S" <>]

Hi Chris,

My take on it is that the acceptability of using DES to encrypt passwords for 
credentials you plan to use for Silver is up to your interpretation of the 
term "industry standard algorithm" in the IAP document.  Version 1.1 of the 
IAP uses this language when discussing acceptable encryption algorithms.  
Version 1.0 of the document refers to algorithms that are "FIPS recommended 
or NIST approved," which I don't believe allows DES, but I could be wrong.  
In any case, you're probably better off assessing it against version 1.1 of 
the IAP document, but you might want to talk to your auditor about their 
interpretation of "industry standard" in this context.

Nick

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Christopher A Spadanuda
Sent: Wednesday, January 18, 2012 4:03 PM
To: 

Subject: [Assurance] OpenAFS - AD

Hi All,

We are working with a faculty member on campus who uses OpenAFS for one of 
his courses. OpenAFS only supports DES encryption. The faculty member would 
like use Active Directory for Authentication.  Our AD is currently Windows 
2008 R2. By default DES is not enabled. 

If we set the Domain Controller Group Policy Object to specifically allow DES 
encryption on the DC's and then allow DES on the Keberos service principal in 
AD are we going to create a situation which makes silver assurance difficult 
or impossible?  

While the cookbook talks about DES encryption in relationship to LM 
passwords, I don't believe that it addresses this specific use case.  Unless 
of course I am missing something.

Thanks,

Chris
___________________________________________________
Chris Spadanuda, Middleware and Identity Management Group Manager
University Information Technology Services
University of Wisconsin–Milwaukee
Office Phone: 414 229-5832 | E-mail: 

Cell Phone: 414 507-4761



>>