Quick question related to Kerberos + AES256 + SHA2

Prashanth Marampally PMarampally at agiliance.com
Thu Feb 25 09:11:31 EST 2016


Hi Rick,

Thank you so much for the quick reply.

I'll go through it now.

Thanks,
Prashanth

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Rick van Rein
Sent: Thursday, February 25, 2016 7:33 PM
To: kerberos at mit.edu
Subject: Re: Quick question related to Kerberos + AES256 + SHA2

Hey,

You cannot mix any set of algorithms you want, but you need a predefined encryption type.  Compare it to TLS' ciphersuites if you like.

The standardised list is available on
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

The closest to what you are asking is aes256-cts-hmac-sha1-96; it uses a SHA1 hash cut off to a 96 bit prefix as a MAC, if I remember correctly.  Chase the link if you need more detail / certainty.

As far as I know, MIT Kerberos will use this encryption type by default.  Can't speak for Heimdal, Shishi or AD.

-Rick

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
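
Added example (not part of the original messages, and not MIT Kerberos code): a Python sketch of the two points in Rick's reply, that an encryption type is a fixed bundle chosen by name, and that the MAC of aes256-cts-hmac-sha1-96 is an HMAC-SHA1 cut to its first 96 bits. The table is a constructed subset of the IANA registry (the two RFC 3962 AES entries), the function names are hypothetical, and the HMAC key is used directly where real Kerberos would first derive a checksum key from the protocol key.

```python
import hashlib
import hmac

# Constructed subset of the IANA enctype registry (RFC 3962 AES entries only).
ENCTYPES = {
    "aes128-cts-hmac-sha1-96": {"number": 17, "cipher": "aes", "key_bits": 128,
                                "hash": "sha1", "mac_bits": 96},
    "aes256-cts-hmac-sha1-96": {"number": 18, "cipher": "aes", "key_bits": 256,
                                "hash": "sha1", "mac_bits": 96},
}


def find_enctypes(cipher, key_bits, mac_hash):
    """Names in the table whose fixed bundle matches the wished-for parts."""
    return sorted(
        name for name, spec in ENCTYPES.items()
        if (spec["cipher"], spec["key_bits"], spec["hash"]) == (cipher, key_bits, mac_hash)
    )


def truncated_mac(enctype, key, message):
    """HMAC over message, cut to the MAC length the enctype fixes.

    Raises KeyError for a name that is not in the table: the algorithms
    cannot be chosen piecemeal, only as a predefined enctype.
    Assumption: key is used as-is; Kerberos derives a separate checksum key.
    """
    spec = ENCTYPES[enctype]
    full = hmac.new(key, message, getattr(hashlib, spec["hash"])).digest()
    return full[: spec["mac_bits"] // 8]  # 96 bits -> first 12 bytes


def verify_mac(enctype, key, message, tag):
    """Constant-time comparison of the received tag with the expected one."""
    return hmac.compare_digest(truncated_mac(enctype, key, message), tag)


if __name__ == "__main__":
    # Constructed sample input: the HMAC-SHA1 key/data pair from RFC 2202, case 1.
    key, msg = b"\x0b" * 20, b"Hi There"
    print(find_enctypes("aes", 256, "sha1"))    # the registered bundle
    print(find_enctypes("aes", 256, "sha256"))  # no such bundle in this table
    tag = truncated_mac("aes256-cts-hmac-sha1-96", key, msg)
    print(tag.hex(), len(tag) * 8, "bits")
    print(verify_mac("aes256-cts-hmac-sha1-96", key, b"Hi there", tag))
```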


