Interoperability with Microsoft KDC using AES

Henry B. Hotz hotz at jpl.nasa.gov
Wed May 30 12:50:25 EDT 2007


On May 30, 2007, at 9:09 AM, krbdev-request at mit.edu wrote:

> Date: Tue, 29 May 2007 22:51:49 -0700
> From: Todd Stecher <tstecher at qwest.net>
> Subject: Re: Interoperability with Microsoft KDC using AES
> To: Todd Stecher <tstecher at qwest.net>, Ankur Upadhyaya
> 	<ankur at ca.ibm.com>
> Cc: krbdev at mit.edu
> Message-ID: <87EEB9B6-5FA5-40C5-B19F-49D9F56E51D6 at qwest.net>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
> Small correction below... Time to get up with the times...
>
> On May 29, 2007, at 2:35 PM, Todd Stecher wrote:
>
>>
>> On May 29, 2007, at 2:21 PM, Ankur Upadhyaya wrote:
>>
>>> Based on what I have read so far, I understand that only DES
>>> encryption
>>> can be used if client and server principals using MIT Kerberos 5
>>> are to
>>> interoperate with a Microsoft Windows Server 2000 or 2003 Active
>>> Directory
>>> KDC.
>>
>> Correct.
>>
>
>
> MIT 1.4.1 supports RC4 HMAC.  major DOH!
>
> Don't use DES unless you really really really have to.

Yes, but you reputedly need the latest version of the support tools
on W2K3 in order to get the options to enable its use with non-MS
machines.  They aren't automatically updated, unlike the server
software itself.

IIRC Longhorn/Vista/whatever server isn't out yet.

>>> As of Windows Server 2008, however, Microsoft will support 256-bit
>>> AES
>>> encryption for its Kerberos implementation.  Does anybody have any
>>> information on whether or not MIT Kerberos 5 principals will be
>>> able to
>>> interoperate with this Microsoft KDC using 256-bit AES encryption  
>>> (or
>>> anything stronger than DES)?
>>
>> If this didn't happen, someone at MS is asleep at the wheel (right
>> larry / JK?).  In truth, when I left, AES interop was one of the
>> top priorities of the Windows team, and they've been contributing
>> heavily to the AES standard.
>>
>> (In fact, support for an AES Kerberos client may already be in  
>> Vista.)
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
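The practical question in this thread is which enctypes an MIT client is configured to offer and whether the AD KDC on the other side can actually issue tickets with them. The following audit script is an added example, not code from the thread, from MIT Kerberos, or from Microsoft. It parses the enctype settings of a krb5.conf [libdefaults] section and checks them against a KDC support table that is an assumption built from the thread's claims (Windows 2000/2003: DES, plus RC4-HMAC with MIT 1.4.1 and the updated W2K3 support tools; Windows Server 2008: AES added) and from the fact that Active Directory has never supported des3-cbc-sha1. The two sample krb5.conf fragments are constructed for this example: a 2007-era DES-only recipe beside an AES-first configuration that falls back to RC4 for older KDCs. The allow_weak_crypto setting it recognises is an MIT option that appeared in krb5 1.7, later than this message.

```python
"""Audit enctype lists in a krb5.conf [libdefaults] section against an AD KDC.

Added example (not from the krbdev thread, MIT krb5 or Microsoft).
KDC_SUPPORT is an assumption derived from the thread: W2K/W2K3 speak DES and
RC4-HMAC, Windows Server 2008 adds AES; AD never supported des3-cbc-sha1.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# MIT aliases mapped onto one canonical name per enctype.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
}
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}      # single DES: avoid
STRONG = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# Assumed per-generation KDC support (see module docstring).
_W2K = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
KDC_SUPPORT = {
    "windows2000": _W2K,
    "windows2003": _W2K,
    "windows2008": _W2K | STRONG,
}

# Constructed sample: the DES-only interop recipe discussed in the thread.
LEGACY_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # DES only, so a W2K/W2K3 KDC is guaranteed to have a matching key
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    permitted_enctypes = des-cbc-crc des-cbc-md5
"""

# Constructed sample: AES first, RC4 as the fallback for pre-2008 KDCs.
HARDENED_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac
"""


def canonical(name):
    """Normalise case and aliases so 'rc4-hmac' and 'arcfour-hmac' compare equal."""
    name = name.lower()
    return ALIASES.get(name, name)


def parse_libdefaults(text):
    """Return the enctype lists (in preference order) and allow_weak_crypto
    from the [libdefaults] section of a krb5.conf-style text."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ENCTYPE_KEYS:
            out[key] = [canonical(t) for t in re.split(r"[\s,]+", value) if t]
        elif key == "allow_weak_crypto":
            out[key] = value.lower() in ("true", "yes", "1")
    return out


def audit(conf, kdc):
    """For each configured enctype list report what the named KDC can use.

    'preferred' is the first enctype both sides share, i.e. what the client
    will actually end up negotiating; 'ok' means that enctype is not DES."""
    supported = KDC_SUPPORT[kdc]
    report = {}
    for key in ENCTYPE_KEYS:
        types = conf.get(key)
        if types is None:
            continue
        common = [t for t in types if t in supported]
        preferred = common[0] if common else None
        report[key] = {
            "weak": [t for t in types if t in WEAK],
            "unsupported_by_kdc": [t for t in types if t not in supported],
            "preferred": preferred,
            "ok": preferred is not None and preferred not in WEAK,
        }
    return report


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        for kdc in KDC_SUPPORT:
            r = audit(parse_libdefaults(conf), kdc)["permitted_enctypes"]
            print(f"{label:8} vs {kdc}: preferred={r['preferred']} ok={r['ok']}")
```

Run stand-alone it prints, for each sample and KDC generation, the enctype the client would end up negotiating; the hardened config lands on AES256 against a 2008 KDC and on RC4-HMAC against 2000/2003, while the legacy config negotiates DES everywhere, which is exactly the situation the thread warns against.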