Password Encryption

Greg Hudson ghudson at mit.edu
Fri May 22 15:40:41 EDT 2020


On 5/22/20 2:29 PM, Joshua Brodie wrote:
> How can I find out the out of the box default password encryption used?

Kerberos doesn't encrypt passwords(*), but it does store long-term keys
derived from the passwords.  This derivation, called the "string-to-key"
operation for the encryption type, is one-way; you can't decrypt a
long-term key to get at the original password.  You can perform a
dictionary attack (trying lots of potential passwords to see if they
result in the same key).  The string-to-key operations for AES and
Camellia enctypes are deliberately slow in order to frustrate dictionary
attacks, whereas the older single-DES, triple-DES, and RC4 enctypes have
very fast string-to-key operations.

The default set of encryption types used for new principals is listed as
the default value of supported_enctypes here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#realms

> On a getprinc -- there are 8 shown -- are these all used for the principal?

Yes, for that principal entry there are string-to-key results for all
eight encryption types.  camellia256-cts-cmac and camellia128-cts-cmac
have never been in the default value for supported_enctypes, so the
default was not used for that principal.

(*) Kerberos password-change operations do involve encrypting passwords
for transport over the wire from the client to the admin server.  But
the KDC doesn't store decryptable passwords in the database.
