Quick question related to Kerberos + AES256 + SHA2

Todd Grayson tgrayson at cloudera.com
Thu Feb 25 11:13:14 EST 2016


The supported encryption types are tied to the Kerberos release, which is
tied to the OS release level by our distribution vendors.  It is extremely
rare for customers to be compiling / building Kerberos on their own.

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
*permitted_enctypes*

Note that permitted encryption types for the MIT libraries REQUIRE the
proper encryption type name be used; abbreviated names are not supported.
What's in that link is the form of the name that will be parsed; invalid
encryption types are ignored and the defaults are applied instead (all the
types).

Encryption types that are newer in the MIT/AD space are limited by the
support of the JDK, detailed by the JGSS listing:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

Note arcfour-hmac-md5 is also supported (rc4-hmac)

The JDK cannot support the newer Camellia encryption types in RHEL 7.1.

On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <simo at redhat.com> wrote:

> Note that the Kitten WG is working on standardizing new enctypes for AES
> +HMAC-SHA2, this is the latest draft:
> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>
> Although it will take a while before all the most common implementations
> will have support for it, and it may never land on older OSs.
>
> Simo.
>
> On Thu, 2016-02-25 at 14:22 +0000, Prashanth Marampally wrote:
> > Yep. Got it!
> >
> > Thanks,
> > Prashanth
> >
> > -----Original Message-----
> > From: Rick van Rein [mailto:rick at openfortress.nl]
> > Sent: Thursday, February 25, 2016 7:50 PM
> > To: Prashanth Marampally
> > Cc: kerberos at mit.edu
> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
> >
> > OK,
> >
> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
> stronger.  I didn't make that clear before.
> >
> > -Rick
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME

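The point above about exact enctype names (an unrecognised name is silently dropped and the library falls back to its full default list) is the kind of misconfiguration that is easy to miss by eye. The following is an added example, not code from the thread or from MIT krb5: a small audit script that parses the [libdefaults] section of a krb5.conf, splits the permitted_enctypes / default_tkt_enctypes / default_tgs_enctypes lists, and classifies each name. The name table is transcribed from the krb5 1.12 admin documentation linked above and is an assumption of this example (long-form names plus the arcfour/rc4 aliases Todd mentions); anything not in it is reported as "unknown" so that shorthand or typos get reviewed rather than ignored. The two krb5.conf fragments are constructed sample input.

```python
"""Audit enctype lists in a krb5.conf [libdefaults] section.

Added example for the mailing-list thread above; not MIT krb5 code.
The KNOWN table is transcribed from the krb5 1.12 admin docs and is an
assumption of this example; names outside it are flagged as "unknown".
"""
import re

# Assumption: classes are this example's own grading, not an MIT label.
KNOWN = {
    "aes256-cts-hmac-sha1-96": "strong",
    "aes128-cts-hmac-sha1-96": "strong",
    "camellia256-cts-cmac": "strong",
    "camellia128-cts-cmac": "strong",
    "des3-cbc-sha1": "legacy",
    "arcfour-hmac": "legacy",      # MIT canonical spelling
    "arcfour-hmac-md5": "legacy",  # alias named in the thread
    "rc4-hmac": "legacy",          # alias named in the thread
    "arcfour-hmac-exp": "broken",
    "des-cbc-crc": "broken",
    "des-cbc-md4": "broken",
    "des-cbc-md5": "broken",
}

KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_libdefaults(conf_text):
    """Return {key: value} for the [libdefaults] section of krb5.conf text.

    Strips '#' and ';' comments, ignores blank lines, and stops collecting
    at the next section header."""
    settings = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group(1) == "libdefaults"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def split_enctypes(value):
    """krb5 accepts whitespace- or comma-separated enctype lists."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def classify(name):
    return KNOWN.get(name.lower(), "unknown")


def audit(conf_text):
    """Return [(key, name, verdict)] for every enctype in the three lists."""
    findings = []
    settings = parse_libdefaults(conf_text)
    for key in KEYS:
        if key in settings:
            for name in split_enctypes(settings[key]):
                findings.append((key, name, classify(name)))
    return findings


def is_hardened(conf_text):
    """True only if every listed enctype is a recognised strong name."""
    findings = audit(conf_text)
    return bool(findings) and all(v == "strong" for _, _, v in findings)


# Constructed sample: an abbreviated name plus two weak enctypes.
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # "aes256" is not a valid MIT name, so it is dropped and defaults apply
    permitted_enctypes = aes256 rc4-hmac des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

# Constructed sample: AES-only, using the full names from the MIT docs.
HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "hardened" if is_hardened(conf) else "NOT hardened")
        for key, name, verdict in audit(conf):
            print(f"  {key}: {name} -> {verdict}")
```

Run it against a real /etc/krb5.conf by reading the file into `audit()`; any "unknown" verdict is exactly the case Todd describes, where the name is not parsed and the library quietly keeps all default enctypes enabled.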
