Matching the iteration count for aes encryption when using a keytab
Roland Dowdeswell
elric at imrryr.org
Tue Aug 19 20:38:02 EDT 2008
On 1219139182 seconds since the Beginning of the UNIX epoch
"josephharfouch at iinet.net.au" wrote:
>
>I notice that the s2kaparams entry in the ETYPE_INFO2 as described in RFC4120
>is a mechanism where the KDC can inform the client of a different iteration
>count rather than the default 4096 for AES encryption, so that the client can
>match the generated key, similar to when a different salt is used.
>
>How would this work if the key is already precalculated and stored in a keytab,
>i.e. if the kinit -k command is used to obtain a ticket? I presume that a
IIRC, the keytab stores the keys rather than passphrases used to
generate the keys. The salt/iteration count is used to convert a
passphrase into a key. So, neither should be necessary for regular
keytab files.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
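
The distinction drawn in the reply above, as an added example that is not part of the original message or of any Kerberos implementation: the iteration count and salt only enter at the passphrase-to-key step, while a keytab-style keyblock carries the finished key bytes. It covers only the PBKDF2 stage of the RFC 3962 string-to-key (the final DK(tkey, "kerberos") step is omitted), the keyblock layout is simplified to enctype, length and key, and the passphrase, salt and helper names are constructed for illustration.

```python
import hashlib
import struct

ENCTYPE_AES256 = 18                            # aes256-cts-hmac-sha1-96
DEFAULT_S2KPARAMS = bytes.fromhex("00001000")  # RFC 3962 default, 4096

def iteration_count(s2kparams=None):
    """Decode the AES s2kparams field: 4 octets, unsigned, big-endian."""
    raw = DEFAULT_S2KPARAMS if s2kparams is None else s2kparams
    if len(raw) != 4:
        raise ValueError("AES s2kparams must be exactly 4 octets")
    (count,) = struct.unpack(">I", raw)
    return count or 2**32                      # RFC 3962: all-zero means 2**32

def pbkdf2_stage(passphrase, salt, s2kparams=None, keylen=32):
    """Passphrase -> intermediate key; salt and count both feed in here.
    Assumption: the later DK(tkey, "kerberos") step is left out."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt.encode(),
                               iteration_count(s2kparams), keylen)

def pack_keyblock(enctype, key):
    """Keyblock as stored in a keytab entry: type, length, raw key bytes."""
    return struct.pack(">HH", enctype, len(key)) + key

def parse_keyblock(blob):
    """Recover (enctype, key) from a keyblock; no passphrase inputs needed."""
    enctype, length = struct.unpack_from(">HH", blob)
    key = blob[4:4 + length]
    if len(key) != length:
        raise ValueError("truncated keyblock")
    return enctype, key

if __name__ == "__main__":
    salt = "EXAMPLE.COMhost"                   # constructed salt
    k_default = pbkdf2_stage("constructed passphrase", salt)
    k_custom = pbkdf2_stage("constructed passphrase", salt,
                            bytes.fromhex("00002000"))
    print("keys differ across iteration counts:", k_default != k_custom)
    enctype, key = parse_keyblock(pack_keyblock(ENCTYPE_AES256, k_custom))
    print("keytab-style entry:", enctype, key.hex())
```
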