[24200] in Kerberos


Re: Updating encryption types

daemon@ATHENA.MIT.EDU (Phil Dibowitz)
Fri Jul 1 17:53:39 2005

Date: Fri, 1 Jul 2005 14:52:55 -0700
From: Phil Dibowitz <phil@usc.edu>
To: kerberos@mit.edu
Message-ID: <20050701215255.GD13640@usc.edu>
In-Reply-To: <C59A521CC0544AA2F50DE956@sirius.fac.cs.cmu.edu>

On Fri, Jul 01, 2005 at 06:03:52AM -0400, Jeffrey Hutzelman wrote:
> When responding to an initial ticket request, the KDC chooses three keys:
>
> (1) The key in which the KDC's reply to the client will be encrypted.
>    This key will be of one of the enctypes the KDC supports.
>    This key will be of one of the enctypes the client says it supports.
>    And, this key will be one of the client's long-term keys from the
>    KDB, which means it will naturally be of one of the enctypes for
>    which the KDB contains a key for this client.

<SNIP>

After reading this and Will Fiveash's slides, I think I have a better
understanding.... but let me make a few simplified restatements to make sure
I'm correct:

1. Changing the enctypes (the previous admin had it hard coded) will cause
session keys to use the new enctypes, but other keys will not immediately see
effect.

2. As users change their password, the kadmind will generate their secret keys
in all supported formats, and provided a client supports that encryption type,
the higher encryption types will be used.

So far, so good?

Which leaves me with a question:

Is there a way to tell what encryption type is being used for the session
key? I'm assuming the "3 etypes {511 511 1}" means there are three encryption
types defined (which seems right)...  but then there's "etypes {rep=1 tkt=1
ses=1}"  which I interpret to say the session key is type "1" (DES?).

Thanks.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 180 - 213-821-5427
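Worked example, added by the editor and not part of Phil's post or of MIT krb5 itself: a small Python parser for the `krb5kdc.log` ISSUE lines the question quotes. The `etypes {rep=… tkt=… ses=…}` field carries the enctype numbers of the three keys Jeff described: `rep` is the key the KDC reply is encrypted in (on an AS_REQ, one of the client's long-term keys), `tkt` is the key the ticket is encrypted in (the service's long-term key), and `ses` is the session key. The script names the enctypes, flags single-DES and RC4 as weak, and, for AS_REQs only, infers that a principal still has no strong key in the KDB when the client offered a strong enctype but the reply came back in a weak one. The log lines, principal names, addresses and syslog prefix below are constructed for illustration; the exact prefix varies by krb5 version, so the regex searches for the ISSUE fragment rather than anchoring at the start of the line.

```python
"""Parse MIT krb5 KDC log ISSUE lines and report reply/ticket/session key
enctypes.  Editor's example, not code from the thread or from krb5.
SAMPLE_LINES are constructed for illustration."""
import re
from dataclasses import dataclass

# IANA-registered Kerberos enctype numbers (subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}
WEAK_ENCTYPES = {1, 2, 3, 23, 24}  # single-DES and RC4 families

# Matches the ISSUE fragment of an AS_REQ/TGS_REQ log line; the syslog
# prefix in front of it is ignored on purpose.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"\S+: ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample log lines (hypothetical realm, hosts and addresses).
SAMPLE_LINES = [
    "Jul 01 14:00:01 kdc krb5kdc[1234](info): AS_REQ (3 etypes {511 511 1}) "
    "10.0.0.5: ISSUE: authtime 1120251601, etypes {rep=1 tkt=1 ses=1}, "
    "phil@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
    "Jul 01 14:00:02 kdc krb5kdc[1234](info): AS_REQ (3 etypes {18 17 1}) "
    "10.0.0.6: ISSUE: authtime 1120251602, etypes {rep=1 tkt=18 ses=18}, "
    "bob@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
    "Jul 01 14:00:03 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {18 17 16}) "
    "10.0.0.6: ISSUE: authtime 1120251602, etypes {rep=18 tkt=18 ses=18}, "
    "bob@EXAMPLE.EDU for host/web.example.edu@EXAMPLE.EDU",
    "Jul 01 14:00:04 kdc krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) "
    "10.0.0.7: LOOKING_UP_CLIENT: eve@EXAMPLE.EDU for "
    "krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, No such entry",
]


@dataclass
class Issue:
    req: str        # AS_REQ or TGS_REQ
    offered: list   # enctypes the client said it supports, in its order
    rep: int        # enctype of the key the KDC reply is encrypted in
    tkt: int        # enctype of the key the ticket is encrypted in
    ses: int        # enctype of the session key
    client: str
    server: str


def etype_name(n):
    return ENCTYPE_NAMES.get(n, f"unknown({n})")


def parse_issue(line):
    """Return an Issue for an ISSUE log line, or None for any other line."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    return Issue(
        req=m["req"],
        offered=[int(x) for x in m["offered"].split()],
        rep=int(m["rep"]), tkt=int(m["tkt"]), ses=int(m["ses"]),
        client=m["client"], server=m["server"],
    )


def weak_keys(issue):
    """Which of the three chosen keys use a weak enctype."""
    return [slot for slot in ("rep", "tkt", "ses")
            if getattr(issue, slot) in WEAK_ENCTYPES]


def stale_client_key(issue):
    """Heuristic: on an AS_REQ the reply key is one of the client's own
    long-term keys, so a weak rep= while the client offered a known strong
    enctype means the KDB holds no strong key for that principal yet (the
    password has not been changed since the enctypes were updated).
    Unknown enctype numbers (e.g. 511) are not counted as strong."""
    if issue.req != "AS_REQ":
        return False
    offered_strong = any(e in ENCTYPE_NAMES and e not in WEAK_ENCTYPES
                         for e in issue.offered)
    return offered_strong and issue.rep in WEAK_ENCTYPES


def describe(issue):
    keys = " ".join(f"{s}={etype_name(getattr(issue, s))}"
                    for s in ("rep", "tkt", "ses"))
    return f"{issue.req} {issue.client} -> {issue.server}: {keys}"


def audit(lines):
    """(client, server, weak key slots, stale-client-key flag) for every
    ISSUE line in which at least one chosen key is weak."""
    findings = []
    for line in lines:
        issue = parse_issue(line)
        if issue is None:
            continue
        weak = weak_keys(issue)
        if weak:
            findings.append((issue.client, issue.server, weak,
                             stale_client_key(issue)))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        issue = parse_issue(line)
        if issue:
            print(describe(issue), "WEAK:" if weak_keys(issue) else "",
                  weak_keys(issue), "stale client key" if stale_client_key(issue) else "")
```

Run against a real `krb5kdc.log` by replacing SAMPLE_LINES with the file's lines. On the client side, `klist -e` prints the session key and ticket enctypes for each cached ticket, which answers the same question from the other end.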


