[37424] in Kerberos

Re: Quick question related to Kerberos + AES256 + SHA2

daemon@ATHENA.MIT.EDU (Rick van Rein)
Thu Feb 25 09:03:21 2016

Message-ID: <56CF0987.5060504@openfortress.nl>
Date: Thu, 25 Feb 2016 15:02:47 +0100
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <56CF0950.1050700@openfortress.nl>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hey,

You cannot mix any set of algorithms you want, but you need a predefined encryption type.  Compare it to TLS' ciphersuites if you like.

The standardised list is available on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

The closest to what you are asking is aes256-cts-hmac-sha1-96; it uses a SHA1 hash cut off to a 96 bit prefix as a MAC, if I remember correctly.  Chase the link if you need more detail / certainty.

As far as I know, MIT Kerberos will use this encryption type by default.  Can't speak for Heimdal, Shishi or AD.

-Rick

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
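
What the 96-bit truncated MAC in the name aes256-cts-hmac-sha1-96 amounts to, as an added example that is not part of the original message. Assumptions: the key and message are constructed; real Kerberos derives the integrity key from the session key and MACs the confounder plus plaintext (RFC 3961/3962), which is left out here, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# An enctype name fixes cipher, key size, mode, MAC hash and MAC length
# together, e.g. aes256-cts-hmac-sha1-96 (the name quoted in the message).
_NAME = re.compile(r"^(aes)(128|256)-(cts)-hmac-(sha1)-(\d+)$")


def parse_enctype(name):
    """Split an AES/HMAC-SHA1 enctype name into its fixed components."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised enctype name: {name!r}")
    cipher, key_bits, mode, digest, mac_bits = m.groups()
    return {"cipher": cipher, "key_bits": int(key_bits), "mode": mode,
            "digest": digest, "mac_bytes": int(mac_bits) // 8}


def truncated_mac(enctype, key, data):
    """HMAC over data, cut to the prefix length the enctype name states."""
    p = parse_enctype(enctype)
    full = hmac.new(key, data, getattr(hashlib, p["digest"])).digest()
    return full[:p["mac_bytes"]]   # SHA-1 gives 20 bytes; 96 bits keeps 12


def verify_mac(enctype, key, data, tag):
    """Constant-time check; a tag of the wrong length never matches."""
    return hmac.compare_digest(truncated_mac(enctype, key, data), tag)


if __name__ == "__main__":
    etype = "aes256-cts-hmac-sha1-96"
    key = bytes(range(32))                  # constructed key, not a derived Ki
    msg = b"constructed sample message"     # constructed input
    tag = truncated_mac(etype, key, msg)
    print(parse_enctype(etype))
    print("tag:", tag.hex(), f"({len(tag) * 8} bits)")
    print("valid:   ", verify_mac(etype, key, msg, tag))
    print("tampered:", verify_mac(etype, key, msg + b"!", tag))
```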
