Interoperability with Microsoft KDC using AES
Todd Stecher
tstecher at qwest.net
Wed May 30 01:51:49 EDT 2007
Small correction below... Time to get up with the times...
On May 29, 2007, at 2:35 PM, Todd Stecher wrote:
>
> On May 29, 2007, at 2:21 PM, Ankur Upadhyaya wrote:
>
>> Based on what I have read so far, I understand that only DES encryption
>> can be used if client and server principals using MIT Kerberos 5 are to
>> interoperate with a Microsoft Windows Server 2000 or 2003 Active Directory
>> KDC.
>
> Correct.
>
MIT 1.4.1 supports RC4 HMAC. Major DOH!
Don't use DES unless you really really really have to.
>>
>> As of Windows Server 2008, however, Microsoft will support 256-bit AES
>> encryption for its Kerberos implementation. Does anybody have any
>> information on whether or not MIT Kerberos 5 principals will be able to
>> interoperate with this Microsoft KDC using 256-bit AES encryption (or
>> anything stronger than DES)?
>
> If this didn't happen, someone at MS is asleep at the wheel (right
> Larry / JK?). In truth, when I left, AES interop was one of the
> top priorities of the Windows team, and they've been contributing
> heavily to the AES standard.
>
> (In fact, support for an AES Kerberos client may already be in Vista.)
>
> Thanks,
> Todd