keytab file format - exporting arcfour keys from active directory
Tim Alsop
Tim.Alsop at CyberSafe.Com
Tue May 2 03:53:14 EDT 2006
Yes, you are correct.
Also, if you display a key table file using ktutil, and you have a
DES-CBC-CRC key, you would see 1.
Since we see values of 1, 3, 16, 23, etc. in the key table file entry, this
suggests the 'cipher suite' number (commonly known as etype).
From RFC4120, we see:
EncryptionKey ::= SEQUENCE {
    keytype  [0] Int32 -- actually encryption type --,
    keyvalue [1] OCTET STRING
}
The comment in the RFC suggests the keytype field is actually the
encryption type (e.g. etype) and not the keytype ...
Hopefully you can see from my above examples that use of keytype is a
little confusing and open to interpretation? I guess this is why the
comment was added in RFC4120?
Thanks,
Tim
-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com]
Sent: 01 May 2006 23:33
To: Tim Alsop
Cc: mdw at umich.edu; kerberos at mit.edu
Subject: Re: keytab file format - exporting arcfour keys from active directory
On Mon, 1 May 2006 22:32:44 +0100
"Tim Alsop" <Tim.Alsop at CyberSafe.Com> wrote:
> * 0 2 keytype
> * 2 2 keylen
> * 4 keylen keydata
> * }
> * POSSIBLE if length left {
> * xxx 4 vno
> * }
> */
>
> Is the "keytype" actually the key type, or is it the etype? I ask this
> because I have seen key tables created by various products that have the
> etype stored in this field.
Keytype. At least the values I'm seeing correspond to the values seen
in ktutil list (e.g. 3 is des-cbc-md5, 23 is arcfour-hmac-md5, 16 is
des3-cbc-sha1, etc).
Mike
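As an added example (not code from this thread or from any of the products it mentions), here is a small Python parser for the MIT 0x0502 keytab format that reads the entry layout quoted above (keytype, keylen, keydata, then the optional trailing 32-bit vno if bytes are left) and maps the keytype field to the etype names Mike lists. The sample keytab, the principal name and the build_entry helper are constructed here purely to exercise the parser, including the "no trailing vno" and deleted-slot cases.

```python
import struct
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac-md5"}
def _counted(buf, off):
    """counted_octet_string: uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT 0x0502 keytab; return one dict per live (non-deleted) entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        ent, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", ent, p); p += 2
        realm, p = _counted(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(ent, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", ent, p); p += 9
        (etype,) = struct.unpack_from(">H", ent, p); p += 2   # the "keytype" field
        key, p = _counted(ent, p)
        # A 32-bit vno follows only if at least 4 bytes are left in the entry.
        vno = struct.unpack_from(">I", ent, p)[0] if len(ent) - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "vno": vno,
                        "etype": etype, "keylen": len(key),
                        "etype_name": ETYPE_NAMES.get(etype, "unknown(%d)" % etype)})
        off += size
    return entries
def build_entry(principal, etype, key, vno, with_vno32=True, deleted=False):
    """Hypothetical helper: serialise one entry so a sample keytab can be built inline."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, vno & 0xFF)           # name_type, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key       # keytype, keylen, keydata
    if with_vno32:
        body += struct.pack(">I", vno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body
# Constructed sample: the etypes named in the thread, one entry without vno32, one deleted slot.
P = "host/srv.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry(P, 23, b"\x11" * 16, 2), build_entry(P, 16, b"\x22" * 24, 2),
    build_entry(P, 3, b"\x33" * 8, 2, with_vno32=False),
    build_entry(P, 1, b"\x44" * 8, 1, deleted=True), build_entry(P, 1, b"\x44" * 8, 2)])
```

Running parse_keytab(SAMPLE_KEYTAB) yields four entries with etypes 23, 16, 3 and 1 (the deleted slot is skipped), and the entry written without a trailing vno32 falls back to the 8-bit vno, which is the "POSSIBLE if length left" case in the quoted layout.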