Query on EncryptionType and keytype

Sam Hartman hartmans at MIT.EDU
Tue Jul 22 21:47:01 EDT 2003


>>>>> "KK" == KK  <kakes_m at hotmail.com> writes:

    KK> Hi All, Can anyone tell me if there is any distinction between
    KK> etype [ EncryptionType ] and keytype as defined in section 6.1
    KK> and 6.2 of the Kerberos RFC 1510 ?

The writers of RFC 1510 envisioned that key types and encryption types
would be separate concepts.  However, they failed to actually specify
a protocol that could work that way.  So, the Kerberos community has
established a 1-to-1 mapping between key type and enctype that is
formalized in draft-ietf-krb-wg-kerberos-clarifications (the successor
to RFC 1510).


    KK> I specifically want to know whether it will be right according
    KK> to the RFC, to service ticket requests from clients for
    KK> encryption type des-cbc-md5 for principals who only have a key
    KK> of type des-cbc-crc in the Kerberos database ?


It is wrong to do so unless you know that the service actually
supports des-cbc-md5.  But if your KDC has enough information to know
this some other way, then you can optimize things and store only one
key for all the single DES enctypes.

Tom Yu had a rather long write up on how MIT handles this issue sent
to the krbdev at mit.edu mailing list about a year ago.
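
The decision described in the reply above, sketched as an added example (not part of the original message and not MIT's KDC code). The function name, the `known_supported` per-principal attribute and the sample key are assumptions made for illustration.

```python
# Added illustration; not code from MIT Kerberos or from the original message.
# Enctype numbers are the registered Kerberos values for the single-DES types.
DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5 = 1, 2, 3
SINGLE_DES = frozenset({DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5})


def select_service_enctype(requested, stored_keys, known_supported=frozenset()):
    """Pick (enctype, key) usable with a service principal, or None.

    requested       -- client's etype list, most preferred first
    stored_keys     -- {enctype: key bytes} held in the KDC database
    known_supported -- hypothetical per-principal attribute: enctypes the KDC
                       knows, by some other means, that the service supports
    """
    for etype in requested:
        # 1-to-1 mapping: a stored key of this key type implies the enctype.
        if etype in stored_keys:
            return etype, stored_keys[etype]
        # One stored single-DES key may stand in for another single-DES
        # enctype only when the service is known to support that enctype.
        if etype in SINGLE_DES and etype in known_supported:
            stored = next((t for t in sorted(SINGLE_DES) if t in stored_keys), None)
            if stored is not None:
                return etype, stored_keys[stored]
    return None  # no acceptable enctype; the request must be refused


# Constructed sample: a principal with only a des-cbc-crc key in the database.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")  # constructed, not a real key
CRC_ONLY = {DES_CBC_CRC: SAMPLE_KEY}

if __name__ == "__main__":
    # Client asks for des-cbc-md5 only; nothing is known about the service.
    print(select_service_enctype([DES_CBC_MD5], CRC_ONLY))
    # Same request, but the KDC knows the service handles des-cbc-md5.
    print(select_service_enctype([DES_CBC_MD5], CRC_ONLY, {DES_CBC_MD5}))
    # Client also offers des-cbc-crc: the stored key matches directly.
    print(select_service_enctype([DES_CBC_MD5, DES_CBC_CRC], CRC_ONLY))
```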


