Quick question related to Kerberos + AES256 + SHA2
Rick van Rein
rick at openfortress.nl
Thu Feb 25 09:02:47 EST 2016
Hey,
You cannot mix any set of algorithms you want, but you need a predefined encryption type. Compare it to TLS' ciphersuites if you like.
The standardised list is available on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
The closest to what you are asking is aes256-cts-hmac-sha1-96; it uses a SHA1 hash cut off to a 96-bit prefix as a MAC, if I remember correctly. Chase the link if you need more detail / certainty.
As far as I know, MIT Kerberos will use this encryption type by default. Can't speak for Heimdal, Shishi or AD.
-Rick