[37425] in Kerberos
RE: Quick question related to Kerberos + AES256 + SHA2
daemon@ATHENA.MIT.EDU (Prashanth Marampally)
Thu Feb 25 09:11:52 2016
From: Prashanth Marampally <PMarampally@agiliance.com>
To: Rick van Rein <rick@openfortress.nl>,
"kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 25 Feb 2016 14:11:31 +0000
Message-ID: <E8B88F60B13F8A45B352646B20CF85BC7E0E23AF@mbx029-w1-ca-10.exch029.domain.local>
In-Reply-To: <56CF0987.5060504@openfortress.nl>
Hi Rick,
Thank you so much for the quick reply.
I'll go through it now.
Thanks,
Prashanth
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Rick van Rein
Sent: Thursday, February 25, 2016 7:33 PM
To: kerberos@mit.edu
Subject: Re: Quick question related to Kerberos + AES256 + SHA2
Hey,
You cannot mix any set of algorithms you want, but you need a predefined encryption type. Compare it to TLS' ciphersuites if you like.
The standardised list is available on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
The closest to what you are asking is aes256-cts-hmac-sha1-96; it uses a SHA1 hash cut off to a 96 bit prefix as a MAC, if I remember correctly. Chase the link if you need more detail / certainty.
As far as I know, MIT Kerberos will use this encryption type by default. Can't speak for Heimdal, Shishi or AD.
-Rick
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos