etype specs for des3 implementation

Ezra Peisach epeisach at MIT.EDU
Tue Nov 2 06:48:43 EST 2004

I am not an expert on the crypto systems - but am familiar with the
source tree and how things are used.  MIT krb5 uses some old names in
some places, while the standards drafts were being written and some
of the #defines might not make the most sense. Perhaps Ken or someone
might want to add comments to krb5.hin indicating how the #define maps
to the proposed standard names.

I looked at the header files in question...
With regard to the specific questions:
des3-cbc-sha1                      7

and you are looking at the

> #define ENCTYPE_DES3_CBC_SHA1   0x0010

but if you read further in the spec.... 0x0010 is 16 which is
     des3-cbc-sha1-kd                  16              6.3

At the bottom of the spec the comment:
   (The "des3-cbc-sha1" assignment is a deprecated version using no key
   derivation.  It should not be confused with des3-cbc-sha1-kd.)

If you look in lib/crypto/etypes.c - you will see that
ENCTYPE_DES3_CBC_SHA1 (value 16) maps to "des3-cbc-sha1"...
So - you are looking at the spec - seeing "des3-cbc-sha1" and looking at
the #define... So the ENCTYPE_DES3_CBC_SHA maps to the current standard.

Therefore, I suspect that the #define has a confusing name - but the
newer version is used.  (i.e. des3-cbc-sha1 #7 is not implemented)

Now onto the des3-cbc-md5 (etype 5)

The #define calls this ENCTYPE_DES3_CBC_SHA - with the comment above
it saying /* XXX deprecated ? */

This #define is used in only one place in the source tree...
(src/kdc/kdc_preauth.c). It will recognize it - but nothing else in the
source tree uses it. The comment implies it was in the 1510bis-04 draft.

While I agree the #define name is confusing - it does not appear to be
implemented... (nor is it required by the

On Tue, 2 Nov 2004, Kiran Kumar wrote:

> Hi,
> Posting this to krbdev, as I did not get any response from krbcore.
> I have a copy of MIT Kerberos 1.3.5, the krb5.h in this distribution
> defines the following etypes:
> #define ENCTYPE_DES3_CBC_SHA    0x0005  /* DES-3 cbc mode with NIST-SHA */
> #define ENCTYPE_DES_HMAC_SHA1   0x0008
> #define ENCTYPE_DES3_CBC_SHA1   0x0010
> These etype definitions are different from  the crypto spec for Kerberos
> [ ]
> des3-cbc-md5                       5
> des3-cbc-sha1                      7
> Aren't these two out of sync ?
> Can anyone here let me know if there is a plan to fix this issue ?
> Thanks,
> Kiran