Use of Encryption for KRB_AP_REQ

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Sun Sep 12 04:37:38 EDT 2004


The CyberSafe products support this cipher suite (e.g. 3DES-CBC-MD5),
however we use etype=5 for this suite which is different to other
implementations that use etype=5. This is clearly not a good approach
since every implementation that is using etype=5 should represent the
same (and compatible) cipher suite. We clearly have to be careful about
how our 3DES support is used by our customers. We will encourage the use
of AES instead when we have made this available in our products.

Is your requirement related to PacketCable or CableHome ? I ask this
because I am aware that these standards use 3DES-CBC-MD5 as the cipher

Tim Alsop
CyberSafe Limited

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of Ahluwalia, Ish
Sent: 11 September 2004 00:43
To: kerberos at
Subject: Use of Encryption for KRB_AP_REQ

Hi All:

I'm new to kerberos world, so appologies in advance if it's too basic of
a question.  Does MIT kerberos support des3-cbc-md5 encryption type?  I
have a requirement which requires me to have the Authenticator field of
the AP_REQ to be encrypted using 3des-cbc-md5 encryption algorithm.
Looking at krb5.h file and the IETF specification, it doesn't look like
this algorithm is supported.  Any help will be greatly appreciated?  Is
there a way to get around this problem and still use MIT kerberos V5.



Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list