Kerberos AES256 and constants

Greg Hudson ghudson at mit.edu
Sun Oct 11 13:34:24 EDT 2020


On 10/11/20 6:16 AM, Egor wrote:
> Good day.
> I am searching for detailed AES256 kerberos algorithm implementation.
> I am interested espeсially in nfold algorithm in it. I know, how nfold algorithm works, but it is very important for me to know, which constants except string "kerberos" are used in key derivation with the help of nfold algorithm. I have heard that these constants depends on the type of traffic packet (AS_REG, AS_REP, TGS_REP)
> Could you please help to find it, it is very important?

RFC 3961 and 3962 are the references here.  RFC 3961 defines the overall
framework and (in section 5) the simplified profile.  RFC 3962 defines
the AES-SHA1 enctypes using the simplified profile.

In the simplified profile, the protocol key is used to derive three
subkeys named Kc, Ke, and Ki.  Ke and Ki are used for encryption (Ki for
the integrity tag, Ke to encrypt the plaintext) and Kc is used for the
checksum operation.  The derivation of these subkeys is specified at the
very end of RFC 3961 section 5.3.  The n-folded constant used in these
derivations is the key usage number (as a four-byte big-endian integer)
with a different byte appended for each subkey.

The key usage number is determined by the Kerberos or application
protocol operation being performed.  Specific key usage numbers are
defined in RFC 4120 section 7.5.1 and in the ad hoc registry at:
https://github.com/krb5/krb5-assignments/blob/master/key-usage

As you noted, the constant "kerberos" is also used at the end of the
string-to-key operation.


More information about the Kerberos mailing list