Encryption type to support AES CTR mode

Greg Hudson ghudson at mit.edu
Tue Mar 8 11:15:34 EST 2016

On 03/07/2016 07:35 PM, Zheng, Kai wrote:
> Looks like only AES CTS mode is supported, wonder if AES CTR is possible to be supported as well with reasonable effort. The mode is desired for its high speed up, particularly with AES-NI support. Thanks.

Kerberos is built on top of encryption primitives which must provide
authenticated encryption and unlimited key reuse.  (In reality, there
are certain limits to key reuse for existing encryption types before the
security properties start to degrade, but they are quite large.)  AES
CTR mode is not an authenticated encryption mode, nor does it tolerate
key reuse.

AES-GCM is a counter-based mode which is authenticated and can achieve
high performance on AESNI-capable hardware.  However, GCM requires a
unique nonce for each message, and fails catastrophically if a nonce is
reused.  When we considered introducing a general AES-GCM encryption
type in the past, the working group effectively decided that it was
unsuitable due to the potential for nonce reuse.

There have been recent proposals to use AES-GCM for GSS-API and other
Kerberos-related session protocols which use ephemeral keys.  See this
email thread:


I would caution that I have yet to see any benchmark results indicating
a measurable speedup from using a theoretically faster cipher mode in
the context of a Kerberos-related protocol.  There is a risk of adding a
great deal of complexity to implementations for minimal or no benefit.

More information about the krbdev mailing list