[39625] in Kerberos
Re: why is aes sha1 the default encryption type
daemon@ATHENA.MIT.EDU (Simo Sorce via Kerberos)
Tue Jun 23 16:28:25 2026
Message-ID: <d23124f337123fc2a2e6520b10335e1df1c67eef.camel@redhat.com>
To: kerberos@mit.edu
Date: Tue, 23 Jun 2026 16:27:03 -0400
In-Reply-To: <PH0PR14MB54930D68C9207E773F2CD923AAEE2@PH0PR14MB5493.namprd14.prod.outlook.com>
From: Simo Sorce via Kerberos <kerberos@mit.edu>
Reply-To: Simo Sorce <simo@redhat.com>

Charles,

That is actually a KDC implementation detail, but the MIT KDC generates
a key from the password at password change time (using a derivation
function specific to each enctype) and saves a key for each enctype,
together with a key version number.

As a data point this is the same data you obtain in a keytab.

A KDC cannot really store *a* hash, because clients do not send
passwords for authentication.

HTH,
Simo.

On Tue, 2026-06-23 at 20:16 +0000, Charles Hedrick via Kerberos wrote:
> Does the encrypt affect the way user passwords are hashed in the KDC? (I assume password hashes are stored, not passwords in the clear?)
>
>
> ________________________________________
> From: Greg Hudson <ghudson@mit.edu>
> Sent: Tuesday, June 23, 2026 4:12 PM
> To: Charles Hedrick; Kerberos@mit.edu
> Subject: Re: why is aes sha1 the default encryption type
>
> On 6/23/26 08:43, Charles Hedrick via Kerberos wrote:
> > When there's a perfectly good aes sha2 type?
>
> 1. It is highly interoperable. Every Kerberos implementation of
> significance implements aes-sha1, going back many years. Microsoft
> either hasn't implemented aes-sha2 or only implemented it in 2025 (I
> can't easily tell which), so the clock has at best barely started on
> that kind of reach for aes-sha2.
>
> 2. The known flaws in SHA-1 do not affect its use as a MAC.
>
> 3. Kerberos enctype negotiation isn't perfect. It works well enough for
> client interoperability, but when provisioning keytabs for servers you
> have to select an enctype that the server software supports. There is
> also this edge case if it hasn't been fixed on the Microsoft side:
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
>
> I get that using SHA-1 in any capacity can run afoul of regulatory
> systems, which aren't always nuanced enough to recognize that it is
> still believed to be secure as a MAC. But changing the default doesn't
> necessarily help with compliance; as long as the system can negotiate
> down to aes-sha1 then it still has SHA-1 in its attack surface.
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
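
The per-enctype derivation described in the reply above, as an added example that is not part of the original thread and is not MIT krb5 code: it derives one key per aes-sha2 enctype with the RFC 8009 string-to-key function and attaches a key version number. The realm, principal, password, kvno and the record layout are constructed for illustration; the aes-sha1 enctypes are left out because their RFC 3962 derivation needs an AES primitive that the Python standard library does not provide.

```python
import hashlib
import hmac
import struct

# RFC 8009 parameters: enctype name -> (hash name, key length in bytes)
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 16),
    "aes256-cts-hmac-sha384-192": ("sha384", 32),
}
DEFAULT_ITERATIONS = 32768  # RFC 8009 default string-to-key iteration count


def kdf_hmac_sha2(key, label, hash_name, out_len):
    """RFC 8009 KDF-HMAC-SHA2 without context: one HMAC block, truncated."""
    msg = struct.pack(">I", 1) + label + b"\x00" + struct.pack(">I", out_len * 8)
    return hmac.new(key, msg, hash_name).digest()[:out_len]


def string_to_key(enctype, password, salt, iterations=DEFAULT_ITERATIONS):
    """RFC 8009 string-to-key: PBKDF2, then KDF-HMAC-SHA2 with label "kerberos"."""
    hash_name, key_len = ENCTYPES[enctype]
    saltp = enctype.encode() + b"\x00" + salt  # enctype name is bound into the salt
    tkey = hashlib.pbkdf2_hmac(hash_name, password, saltp, iterations, key_len)
    return kdf_hmac_sha2(tkey, b"kerberos", hash_name, key_len)


def keys_for_password_change(realm, components, password, kvno):
    """Derive one key per enctype; hypothetical record layout, not a KDC's format."""
    # Kerberos default salt: realm followed by the principal name components.
    salt = realm.encode() + "".join(components).encode()
    return [
        {"kvno": kvno, "enctype": name,
         "key": string_to_key(name, password.encode(), salt)}
        for name in ENCTYPES
    ]


if __name__ == "__main__":
    # Constructed sample principal and password, for illustration only.
    for entry in keys_for_password_change("EXAMPLE.COM", ["alice"], "correct horse", 2):
        print(entry["kvno"], entry["enctype"], entry["key"].hex())
```

A client derives the same key locally from the password and salt, so each stored key is usable as a credential in its own right, and the KDC database and keytabs need protection accordingly.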