Kerberos - Encryption type


1 - About

There are three components: the client, the KDC, and the server (the service the client wants to reach).

Each one may support a different set of encryption types, and the protocol needs to negotiate a mutually-supported enctype for things to work.

Encryption is used for both the ticket-granting ticket (TGT) and service tickets.

3 - Type

  • CRC (DES_CBC_CRC): Supports CRC32 as described in [RFC3961] page 31.
  • MD5 (DES_CBC_MD5): Supports RSA-MD5 as described in [RFC3961] page 31.
  • RC4 (RC4_HMAC_MD5): Supports RC4-HMAC-MD5 as described in [RFC4757].
  • A128 (AES128_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES128 as described in [RFC3961] page 31.
  • A256 (AES256_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES256 as described in [RFC3961] page 31.

4 - Support

4.1 - KDC has no support for encryption type

  • When the client talks to the KDC (the AS exchange), it tells the KDC which enctypes it supports, and the KDC can accommodate that.
  • When the client asks the KDC for a ticket for a server (the TGS exchange), neither the client nor the KDC directly knows which enctypes the server supports, so the KDC can issue a service ticket with an enctype the server doesn't understand. The server then fails with “no support for encryption type”.

The way to avoid this problem is to limit the encryption types stored in the KDC's database for the server principal to the ones the server actually holds in its keytab. The KDC can't issue tickets with encryption types it doesn't have on record, so every ticket it issues is one the server can decrypt.
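To make the enctype list from section 3 and the two exchanges in section 4.1 concrete, here is a small toy model of the negotiation. It is an added illustration, not Kerberos code and not code from this page: the enctype numbers are the RFC 3961 / RFC 4757 assignments, while the preference order, the `host/fileserver.example` principal, the key sets and the "old file server with an RC4-only keytab" scenario are constructed for the demonstration.

```python
# Toy model of Kerberos enctype negotiation. This is an added illustration,
# not real Kerberos code; the principal names and key sets are constructed.
from typing import Iterable, List

# Enctype numbers from RFC 3961 (DES, AES) and RFC 4757 (RC4), strongest first.
ENCTYPE_IDS = {
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha1-96": 17,
    "rc4-hmac": 23,
    "des-cbc-md5": 3,
    "des-cbc-crc": 1,
}
PREFERENCE = list(ENCTYPE_IDS)  # order in which this toy KDC prefers enctypes
WEAK = {"rc4-hmac", "des-cbc-md5", "des-cbc-crc"}  # DES and RC4 are deprecated


class NoSupportForEncryptionType(Exception):
    """Models the Kerberos 'no support for encryption type' failure."""


def strongest(available: Iterable[str]) -> str:
    """Return the strongest enctype in `available`, or fail if there is none."""
    available = set(available)
    for etype in PREFERENCE:
        if etype in available:
            return etype
    raise NoSupportForEncryptionType(f"no usable enctype in {sorted(available)}")


def as_exchange(client_enctypes: Iterable[str], kdc_enctypes: Iterable[str]) -> str:
    """AS-REQ/AS-REP: the client advertises its enctypes in the request, so the
    KDC can pick one that both sides support for the TGT session key."""
    return strongest(set(client_enctypes) & set(kdc_enctypes))


def tgs_exchange(server_keys_in_kdc_db: Iterable[str], server_keytab: Iterable[str]) -> str:
    """TGS-REQ/TGS-REP followed by AP-REQ: the KDC encrypts the service ticket
    with the strongest server key it has on record. It never sees the server's
    keytab, so the ticket is only usable if the server actually holds that key."""
    chosen = strongest(server_keys_in_kdc_db)
    if chosen not in set(server_keytab):
        raise NoSupportForEncryptionType(f"server keytab lacks {chosen}")
    return chosen


def limit_kdc_keys(server_keys_in_kdc_db: Iterable[str], server_keytab: Iterable[str]) -> List[str]:
    """The mitigation from the text: keep only the enctypes the server really has."""
    db, keytab = set(server_keys_in_kdc_db), set(server_keytab)
    return [e for e in PREFERENCE if e in db and e in keytab]


def audit_weak(enctypes: Iterable[str]) -> List[str]:
    """Report deprecated enctypes still enabled, for an administrator to review."""
    enabled = set(enctypes)
    return [e for e in PREFERENCE if e in enabled and e in WEAK]


if __name__ == "__main__":
    # Constructed scenario: the keytab of host/fileserver.example only holds an
    # RC4 key, but its KDC database entry has since been rekeyed with AES keys too.
    kdc_db = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"]
    keytab = ["rc4-hmac"]
    print("AS exchange picks:", as_exchange(["aes256-cts-hmac-sha1-96", "rc4-hmac"], kdc_db))
    try:
        tgs_exchange(kdc_db, keytab)
    except NoSupportForEncryptionType as err:
        print("TGS/AP exchange failed:", err)
    fixed = limit_kdc_keys(kdc_db, keytab)
    print("after limiting the KDC record:", tgs_exchange(fixed, keytab))
    print("weak enctypes still in use:", audit_weak(fixed))
```

The `audit_weak` check is the companion an administrator wants next to the mitigation: pruning the KDC's record to what the server holds makes tickets work again, but a server that only has an RC4 or DES key remains on a deprecated enctype, so the lasting fix is to give the server an AES key and then restrict both the keytab and the KDC record to AES.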

5 - Documentation / Reference