Adding supported enctypes to kdc - Kerberos


  1. Adding supported enctypes to kdc

    Our current supported enctypes are:
    des3-hmac-sha1:normal, des-cbc-crc:normal, des-cbc-crc:v4,
    des-cbc-crc:afs3

    I want to add rc4-hmac.
    So my question is: will this disrupt anything? I have read that the
    order matters where I put it in the file.
    Do I need to rekey any principals with keepold? I don't intend to
    remove any enctypes, just add them.

    Should I add anything else while I am at it? We are striving towards
    Microsoft Compatibility.

    Thanks
    Steve Devine
    MSU


  2. Re: Adding supported enctypes to kdc

    I would definitely add aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96,
    as Microsoft is adding these to AD (and I prefer good encryption, not
    really broken encryption)

    as per:
    http://blogs.technet.com/ad/archive/...-together.aspx

    * Steve Devine [2007-11-16 15:05]:
    > Our current supported enctypes are:
    > des3-hmac-sha1:normal, des-cbc-crc:normal, des-cbc-crc:v4,
    > des-cbc-crc:afs3
    >
    > I want to add rc4-hmac.
    > So my question is: will this disrupt anything? I have read that the
    > order matters where I put it in the file.
    > Do I need to rekey any principals with keepold? I don't intend to
    > remove any enctypes, just add them.
    >
    > Should I add anything else while I am at it? We are striving towards
    > Microsoft Compatibility.
    >
    > Thanks
    > Steve Devine
    > MSU



  3. Re: Adding supported enctypes to kdc

    John Washington writes:

    > I would definitely add aes128-cts-hmac-sha1-96 and
    > aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I
    > prefer good encryption, not really broken encryption)


    Is there any reason to add the 128-bit keys? So far, it seems like
    everyone who can do 128-bit can also do 256-bit, but maybe that isn't true
    of the upcoming Windows release? (They're both equally export-controlled,
    so far as I know.)

    --
    Russ Allbery (rra@stanford.edu)

  4. Re: Adding supported enctypes to kdc

    On Fri, Nov 16, 2007 at 03:50:16PM -0800, Russ Allbery wrote:
    > John Washington writes:
    >
    > > I would definitely add aes128-cts-hmac-sha1-96 and
    > > aes256-cts-hmac-sha1-96, as Microsoft is adding these to AD (and I
    > > prefer good encryption, not really broken encryption)
    >
    > Is there any reason to add the 128-bit keys? So far, it seems like
    > everyone who can do 128-bit can also do 256-bit, but maybe that isn't true
    > of the upcoming Windows release? (They're both equally export-controlled,
    > so far as I know.)


    It isn't true for Solaris 10 without the supplemental cryptography
    packages -- I don't recall if this changed in S10U4 or will change in
    U5, but we're definitely moving towards delivering 256-bit key length
    support by default.

    Nico