aes128 vs aes256 ?

Wyllys Ingersoll wyllys.ingersoll at
Fri Jan 23 15:26:20 EST 2004

Regarding 1.3.2-beta code - 
Just curious, why was aes128-cts-hmac-sha1-96 left out of the
DEFAULT_ETYPE_LIST in init_ctx.c ?

I noticed this because I have a DB that I created which has
aes128 master keys, but was later changed to support aes256.
Now it issues 128-bit TGTs but 256-bit service keys, and
this caused a problem in the 'krb5_is_permitted_enctype'
checks in rd_req_dec.c.

req->ticket->enc_part.enctype = 18
req->ticket->enc_part2->session->enctype = 17

This causes a problem because aes128 (etype 17) is not part of the
default list and I did not specify the permitted enctypes in my 
config file.

Just wondering..


Wyllys Ingersoll <wyllys.ingersoll at>
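The mismatch described in the message, as an added example that is not part of the original post and is not MIT krb5 code: a small model of an acceptor that tests both the ticket enctype and the session key enctype against one permitted list. The function names, the sample list, and the assumption that both fields are checked against the same list are illustrative.

```python
# Added illustration; not MIT krb5 source code.
# Enctype numbers as assigned for Kerberos (aes128 = 17, aes256 = 18).
ENCTYPES = {
    "des-cbc-crc": 1,
    "des-cbc-md4": 2,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23,
}
NAMES = {num: name for name, num in ENCTYPES.items()}

# Constructed stand-in for a default list that omits aes128 (assumption:
# this is not copied from init_ctx.c).
SAMPLE_DEFAULT_LIST = "aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5"


def parse_etype_list(text):
    """Turn a whitespace/comma separated enctype list into a set of numbers."""
    permitted = set()
    for name in text.replace(",", " ").split():
        if name not in ENCTYPES:
            raise ValueError(f"unknown enctype name: {name}")
        permitted.add(ENCTYPES[name])
    return permitted


def check_ap_req(ticket_etype, session_etype, permitted):
    """Return a list of (field, enctype name) pairs that are not permitted."""
    fields = [
        ("ticket enc_part", ticket_etype),
        ("session key", session_etype),
    ]
    return [(f, NAMES.get(e, str(e))) for f, e in fields if e not in permitted]


if __name__ == "__main__":
    # Values reported in the message: ticket enctype 18, session enctype 17.
    for label, etypes in [
        ("default without aes128", SAMPLE_DEFAULT_LIST),
        ("aes128 added", SAMPLE_DEFAULT_LIST + " aes128-cts-hmac-sha1-96"),
    ]:
        rejected = check_ap_req(18, 17, parse_etype_list(etypes))
        print(label, "->", rejected or "accepted")
```

With the sample list the aes256 ticket passes and only the aes128 session key is rejected, which matches the two enctype values quoted in the message.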

More information about the krbdev mailing list