[29910] in Kerberos


Password Salting Methods

daemon@ATHENA.MIT.EDU (Michael B Allen)
Fri May 30 16:45:11 2008

Message-ID: <78c6bd860805291922w52ac1b83n955ed6a0b2d93259@mail.gmail.com>
Date: Thu, 29 May 2008 22:22:10 -0400
From: "Michael B Allen" <ioplex@gmail.com>
To: kerberos <kerberos@mit.edu>

Hi,

Is there a reference anywhere that outlines the different password
salting methods used by different KDCs?

AFAICT AD w/ RC4 doesn't actually use a salt. Heimdal seems to just
use the realm and principal name concatenated together without any
separators.

What does MIT do?

What does Windows 2008 w/ AES use?

Windows 2000?

Do the salt values change depending on the enctype?

I'm interested in knowing to what degree salts can be predicted given
only the information a client preparing to issue an AS-REQ would have.

Ultimately I'm trying to reduce ETYPE_INFO(2) discovery to improve
performance and get rid of annoying Windows "preauthentication failed"
event log errors.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
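
Added example, not part of the original message: a sketch of the RFC 4120 default salt (realm followed by the principal name components with no separators, the construction the message attributes to Heimdal) and of the PBKDF2 stage of the RFC 3962 AES string-to-key that consumes it. The function names and the EXAMPLE.COM principals are constructed for illustration; the ATHENA.MIT.EDU/raeburn values are the RFC 3962 test-vector inputs.

```python
import hashlib

def default_salt(realm, components):
    """RFC 4120 default salt: realm, then each name component, no separators."""
    return (realm + "".join(components)).encode("utf-8")

def aes_pbkdf2_stage(password, salt, iterations=4096, keylen=16):
    """First stage of the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1.

    The final AES key is DK(tkey, "kerberos"); that step needs an AES
    implementation and is left out. The iteration count is a string-to-key
    parameter that, like the salt, is normally learned from ETYPE-INFO2;
    4096 is the RFC 3962 default when the KDC sends none.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def guess_is_usable(password, kdc_salt, realm, components, iterations=4096):
    """True if a locally predicted salt yields the same derived bytes as the
    salt the KDC actually holds for the principal."""
    guess = default_salt(realm, components)
    return (aes_pbkdf2_stage(password, guess, iterations)
            == aes_pbkdf2_stage(password, kdc_salt, iterations))

if __name__ == "__main__":
    # Single-component principal from the RFC 3962 test vectors.
    salt = default_salt("ATHENA.MIT.EDU", ["raeburn"])
    print(salt, aes_pbkdf2_stage("password", salt, iterations=1).hex())

    # Constructed multi-component principal: host/www.example.com@EXAMPLE.COM
    print(default_salt("EXAMPLE.COM", ["host", "www.example.com"]))

    # A guess that differs only in case derives a different key, so the
    # encrypted timestamp built from it would be rejected by the KDC.
    kdc_salt = b"EXAMPLE.COMalice"  # constructed value
    for realm, name in [("EXAMPLE.COM", "alice"), ("example.com", "alice"),
                        ("EXAMPLE.COM", "Alice")]:
        print(realm, name,
              guess_is_usable("pw", kdc_salt, realm, [name], iterations=16))
```

Because the salt is byte-exact input to PBKDF2, a predicted salt is only safe to use when the stored realm and principal spelling, and the iteration count, are known to match what the KDC holds.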
