Password Salting Methods

Michael B Allen ioplex at gmail.com
Thu May 29 22:22:10 EDT 2008


Hi,

Is there a reference anywhere that outlines the different password
salting methods used by different KDCs?

AFAICT AD w/ RC4 doesn't actually use a salt. Heimdal seems to just
use the realm and principal name concatenated together without any
separators.

What does MIT do?

What does Windows 2008 w/ AES use?

Windows 2000?

Do the salt values change depending on the enctype?

I'm interested in knowing to what degree salts can be predicted given
only the information a client preparing to issue an AS-REQ would have.

Ultimately I'm trying to reduce ETYPE_INFO(2) discovery to improve
performance and get rid of annoying Windows "preauthentication failed"
event log errors.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/



More information about the Kerberos mailing list