GSSAPI interoperability problem between Java 1.5 & MIT Kerberos

Sam Hartman hartmans at MIT.EDU
Tue Jan 10 15:28:41 EST 2006

>>>>> "Seema" == Seema Malkani <Seema.Malkani at Sun.COM> writes:

    Seema> Apparently this problem is seen only when using
    Seema> "des-cbc-crc" as the encryption type.

    Seema> MIT Kerberos uses Sign Alg of (DES MAC MD5 - 00 00) for
    Seema> both "des-cbc-crc" and "des-cbc-md5" enctypes. Latest RFCs
    Seema> don't seem to indicate this. Can MIT team comment on this?

So, as this is an older enctype, RFC 1964 is the governing spec.

I don't think anything in RFC 1964 depends on what enctype is used.
The only factor as far as RFC 1964 is concerned is whether a key is a
DES key or not.
That's consistent with how RFC 1510 thought about enctypes.

In particular RFC 1964 does not mention des-cbc-md4 or des-cbc-crc at

I do agree it is sub-optimal that the MIT implementation does not
support des-mac.  I'm not at all sure it is worth fixing; it would be
years before we got the fix everywhere and it does not seem that DES's
lifetime is that long.
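
To see which signing algorithm a peer actually put on the wire when debugging this kind of mismatch, the fixed header of an RFC 1964 per-message token can be decoded directly. The following is an added example, not part of the original message or of either implementation; the field layout and code points are taken from RFC 1964 sections 1.2.1 and 1.2.2, and the function name and sample tokens are constructed for illustration.

```python
# Code points from RFC 1964 sections 1.2.1 (MIC token) and 1.2.2 (Wrap token).
TOK_ID = {b"\x01\x01": "MIC", b"\x02\x01": "Wrap"}
SGN_ALG = {b"\x00\x00": "DES MAC MD5", b"\x01\x00": "MD2.5", b"\x02\x00": "DES MAC"}
SEAL_ALG = {b"\xff\xff": "none", b"\x00\x00": "DES"}


def parse_rfc1964_header(inner: bytes) -> dict:
    """Decode the fixed 24-byte header of an RFC 1964 per-message token.

    `inner` is the token with the generic GSS-API framing (0x60 tag,
    length, mechanism OID) already removed. Hypothetical helper name.
    """
    if len(inner) < 24:
        raise ValueError("token shorter than the 24-byte RFC 1964 header")
    token = TOK_ID.get(inner[0:2])
    if token is None:
        raise ValueError("unknown TOK_ID " + inner[0:2].hex())
    info = {
        "token": token,
        # SGN_ALG is carried in the token itself; it is not derived from the
        # Kerberos enctype name, which is why both DES enctypes can share 00 00.
        "sgn_alg": SGN_ALG.get(inner[2:4], "unknown " + inner[2:4].hex()),
    }
    if token == "MIC":
        filler = inner[4:8]          # MIC: four filler bytes
    else:
        info["seal_alg"] = SEAL_ALG.get(inner[4:6], "unknown " + inner[4:6].hex())
        filler = inner[6:8]          # Wrap: two filler bytes after SEAL_ALG
    if filler.strip(b"\xff"):
        raise ValueError("filler bytes are not all 0xFF")
    info["snd_seq"] = inner[8:16].hex()      # encrypted sequence number
    info["sgn_cksum"] = inner[16:24].hex()   # 8-byte checksum
    return info


# Constructed sample tokens (sequence and checksum bytes are arbitrary).
SAMPLE_MIC = bytes.fromhex("0101" "0000" "ffffffff"
                           "1122334455667788" "a1a2a3a4a5a6a7a8")
SAMPLE_WRAP = bytes.fromhex("0201" "0200" "0000" "ffff"
                            "1122334455667788" "a1a2a3a4a5a6a7a8")

if __name__ == "__main__":
    print(parse_rfc1964_header(SAMPLE_MIC))
    print(parse_rfc1964_header(SAMPLE_WRAP))
```
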

