why is aes sha1 the default encryption type
Nico Williams
nico at cryptonector.com
Tue Jun 23 18:13:08 EDT 2026
On Tue, Jun 23, 2026 at 08:16:06PM +0000, Charles Hedrick via Kerberos wrote:
> does the encrypt affect the way user passwords are hashed in the KDC.
> (I assume password hashses are stored, not passwords in the clear?)
Kerberos supports multiple "pre-authentication" mechanisms. The most
commonly used ones are password-based and -here you are about to be sad-
the KDC stores a password-equivalent.
There is a PAKE now for Kerberos, but it's symmetric, so once again the
KDC stores a password-equivalent.
Lastly there is PKINIT, where you use a client certificate to
authenticate the user. A KDC that supports PKINIT can avoid storing
password equivalents when all the clients support it _and_ you have a
way to provision all users with private keys and certificates.
Nico
--
More information about the Kerberos
mailing list