krb5 commit: Document aes-sha2 enctypes
Greg Hudson
ghudson at mit.edu
Mon Oct 3 16:02:46 EDT 2016
https://github.com/krb5/krb5/commit/6fd74a89ac6c2444a347a357fac51b3490467284
commit 6fd74a89ac6c2444a347a357fac51b3490467284
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Dec 10 13:17:31 2015 -0500
Document aes-sha2 enctypes
Add minimal documentation for the new aes-sha2 enctypes.
ticket: 8490
doc/admin/conf_files/kdc_conf.rst | 15 +++++++++++----
doc/admin/enctypes.rst | 30 ++++++++++++++++--------------
doc/appdev/refs/macros/index.rst | 4 ++++
3 files changed, 31 insertions(+), 18 deletions(-)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 429c528..13077ec 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -814,8 +814,10 @@ des-cbc-raw DES cbc mode raw (weak)
des3-cbc-raw Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1
des-hmac-sha1 DES with HMAC/sha1 (weak)
-aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC
-aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC
+aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC
+aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC
+aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC
+aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
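Review bot: the two existing AES rows gain new aliases (aes256-sha1, aes128-sha1) that neither the commit message nor the surrounding text mentions, so a reader cannot tell that these spellings are not accepted by older releases. Say in which release the aliases were introduced, as the next hunk does for the sha2 types. The alias pairs aes128-sha1/aes128-sha2 and aes256-sha1/aes256-sha2 also differ by a single character, so a short sentence pointing out that they name different enctypes with different HMACs would help administrators editing enctype lists by hand.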
@@ -840,8 +842,13 @@ front.
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+
+The **aes128-sha2** and **aes256-sha2** encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
.. _Keysalt_lists:
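Review bot: in the reworded sentence "must not be given keys of these encryption types", the word "these" is now ambiguous because the following new paragraph ends with the same phrase about a different set of enctypes. Name the types explicitly in each sentence (aes128-cts and aes256-cts in the first, aes128-sha2 and aes256-sha2 in the second), or merge the two paragraphs into one that gives the minimum release for each family.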
diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst
index 44b6a8c..3cdfc92 100644
--- a/doc/admin/enctypes.rst
+++ b/doc/admin/enctypes.rst
@@ -124,20 +124,22 @@ Enctype compatibility
See :ref:`Encryption_types` for additional information about enctypes.
-======================= ===== ======== =======
-enctype weak? krb5 Windows
-======================= ===== ======== =======
-des-cbc-crc weak all >=2000
-des-cbc-md4 weak all ?
-des-cbc-md5 weak all >=2000
-des3-cbc-sha1 >=1.1 none
-arcfour-hmac >=1.3 >=2000
-arcfour-hmac-exp weak >=1.3 >=2000
-aes128-cts-hmac-sha1-96 >=1.3 >=Vista
-aes256-cts-hmac-sha1-96 >=1.3 >=Vista
-camellia128-cts-cmac >=1.9 none
-camellia256-cts-cmac >=1.9 none
-======================= ===== ======== =======
+========================== ===== ======== =======
+enctype weak? krb5 Windows
+========================== ===== ======== =======
+des-cbc-crc weak all >=2000
+des-cbc-md4 weak all ?
+des-cbc-md5 weak all >=2000
+des3-cbc-sha1 >=1.1 none
+arcfour-hmac >=1.3 >=2000
+arcfour-hmac-exp weak >=1.3 >=2000
+aes128-cts-hmac-sha1-96 >=1.3 >=Vista
+aes256-cts-hmac-sha1-96 >=1.3 >=Vista
+aes128-cts-hmac-sha256-128 >=1.15 none
+aes256-cts-hmac-sha384-192 >=1.15 none
+camellia128-cts-cmac >=1.9 none
+camellia256-cts-cmac >=1.9 none
+========================== ===== ======== =======
krb5 releases 1.8 and later disable the single-DES enctypes by
default. Microsoft Windows releases Windows 7 and later disable
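Review bot: the added rows for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192 list Windows support as "none" and krb5 as ">=1.15", but this file gets no text explaining the consequence. Consider repeating or cross-referencing the kdc_conf.rst warning here, that services on older krb5 releases must not be given keys of these types, since this table is where an administrator checks compatibility. The rest of the hunk only widens the first column, which is fine but worth noting in the commit message so the substantive change (two new rows) is easy to spot.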
diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst
index 2271e90..e767471 100644
--- a/doc/appdev/refs/macros/index.rst
+++ b/doc/appdev/refs/macros/index.rst
@@ -34,6 +34,8 @@ Public
CKSUMTYPE_HMAC_MD5_ARCFOUR.rst
CKSUMTYPE_HMAC_SHA1_96_AES128.rst
CKSUMTYPE_HMAC_SHA1_96_AES256.rst
+ CKSUMTYPE_HMAC_SHA256_128_AES128.rst
+ CKSUMTYPE_HMAC_SHA384_192_AES256.rst
CKSUMTYPE_HMAC_SHA1_DES3.rst
CKSUMTYPE_MD5_HMAC_ARCFOUR.rst
CKSUMTYPE_NIST_SHA.rst
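Review bot: the two new entries CKSUMTYPE_HMAC_SHA256_128_AES128.rst and CKSUMTYPE_HMAC_SHA384_192_AES256.rst are inserted before CKSUMTYPE_HMAC_SHA1_DES3.rst, which breaks the alphabetical order the surrounding entries follow. Move them after CKSUMTYPE_HMAC_SHA1_DES3.rst, unless the intent is to group them with the AES checksum types, in which case say so.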
@@ -42,7 +44,9 @@ Public
CKSUMTYPE_RSA_MD5.rst
CKSUMTYPE_RSA_MD5_DES.rst
ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst
+ ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst
ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst
+ ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst
ENCTYPE_ARCFOUR_HMAC.rst
ENCTYPE_ARCFOUR_HMAC_EXP.rst
ENCTYPE_CAMELLIA128_CTS_CMAC.rst
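Review bot: the index now references ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst and ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst (and the two CKSUMTYPE pages in the previous hunk), but the diffstat shows only three files changed and none of these pages is added. Please confirm the macro pages are generated at build time. If they are not, these entries will dangle and the pages need to be included in this commit.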