[39628] in Kerberos
Re: why is aes sha1 the default encryption type
daemon@ATHENA.MIT.EDU (Nico Williams)
Tue Jun 23 18:26:44 2026
Date: Tue, 23 Jun 2026 17:25:27 -0500
From: Nico Williams <nico@cryptonector.com>
To: Charles Hedrick <hedrick@rutgers.edu>
Message-ID: <ajsH18O56saGzr/t@ubby>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <ajsE9DvlSNai1okP@ubby>
Cc: "Kerberos@mit.edu" <Kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Tue, Jun 23, 2026 at 05:13:08PM -0500, Nico Williams wrote:
> On Tue, Jun 23, 2026 at 08:16:06PM +0000, Charles Hedrick via Kerberos wrote:
> > does the encrypt affect the way user passwords are hashed in the KDC.
> > (I assume password hashses are stored, not passwords in the clear?)
>
> Kerberos supports multiple "pre-authentication" mechanisms. The most
> commonly used ones are password-based and -here you are about to be sad-
> the KDC stores a password-equivalent.
>
> There is a PAKE now for Kerberos, but it's symmetric, so once again the
> KDC stores a password-equivalent.
I should add that these password equivalents are derived from the
password and a salt using PBKDF2, which is a compute-hard but not
memory-hard PBKDF, and the default round count count for it is set as of
some 20 years ago, so it's too low (in principle it can be raised), so
it's not all that compute-hard either.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
