why is aes sha1 the default encryption type

Nico Williams nico at cryptonector.com
Tue Jun 23 18:25:27 EDT 2026


On Tue, Jun 23, 2026 at 05:13:08PM -0500, Nico Williams wrote:
> On Tue, Jun 23, 2026 at 08:16:06PM +0000, Charles Hedrick via Kerberos wrote:
> > does the encrypt affect the way user passwords are hashed in the KDC.
> > (I assume password hashses are stored, not passwords in the clear?)
> 
> Kerberos supports multiple "pre-authentication" mechanisms.  The most
> commonly used ones are password-based and -here you are about to be sad-
> the KDC stores a password-equivalent.
> 
> There is a PAKE now for Kerberos, but it's symmetric, so once again the
> KDC stores a password-equivalent.

I should add that these password equivalents are derived from the
password and a salt using PBKDF2, which is a compute-hard but not
memory-hard PBKDF, and the default round count count for it is set as of
some 20 years ago, so it's too low (in principle it can be raised), so
it's not all that compute-hard either.


More information about the Kerberos mailing list