Yes, you are correct.

Also, if you display a key table file using ktutil, and you have a
DES-CBC-CRC key, you would see 1.

Since we see values of 1, 3, 16, 23, etc. in the key table file entry, this
suggests the 'cipher suite' number (commonly known as etype).

From RFC4120, we see:


EncryptionKey   ::= SEQUENCE {
        keytype         [0] Int32 -- actually encryption type --,
        keyvalue        [1] OCTET STRING
}

The comment in the RFC suggests the keytype field is actually the
encryption type (i.e. etype) and not the key type ...

Hopefully you can see from my examples above that the use of keytype is a
little confusing and open to interpretation? I guess this is why the
comment was added in RFC4120?

Thanks,
Tim

-----Original Message-----
From: Michael B Allen [mailto:mba2000@ioplex.com]
Sent: 01 May 2006 23:33
To: Tim Alsop
Cc: mdw@umich.edu; kerberos@mit.edu
Subject: Re: keytab file format - exporting arcfour keys from active directory

On Mon, 1 May 2006 22:32:44 +0100
"Tim Alsop" wrote:

> * 0 2 keytype
> * 2 2 keylen
> * 4 keylen keydata
> * }
> * POSSIBLE if length left {
> * xxx 4 vno
> * }
> */
>
> Is the "keytype" actually the key type, or is it the etype? I ask
> this because I have seen key tables created by various products that
> have the etype stored in this field.


Keytype. At least the values I'm seeing correspond to the values seen
in ktutil list (e.g. 3 is des-cbc-md5, 23 is arcfour-hmac-md5, 16 is
des3-cbc-sha1, etc).

Mike
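As an added illustration of the entry layout quoted above (keytype, keylen, keydata, and the optional trailing vno when bytes are left in the entry), here is a small reader and writer for the version 0x0502 keytab format. This is example code written for this page, not code from MIT krb5 or from either poster. It maps the 16-bit "keytype" field through the etype number registry (1, 3, 16, 23, ...) exactly as ktutil does, which is the observation both messages rest on. The sample keytab is constructed inline with made-up keys; `parse_keytab`, `build_keytab`, `etype_name` and `KeytabEntry` are names chosen here, and the rule that a nonzero 32-bit vno overrides the 8-bit one is an assumption about the reader's behaviour, not something the thread states.

```python
import struct
from typing import List, NamedTuple, Sequence

# Kerberos encryption-type numbers from the RFC 3961 / RFC 4120 etype registry.
# These are the numbers ktutil prints for each key table entry.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


class KeytabEntry(NamedTuple):
    principal: str   # "comp1/comp2@REALM"
    name_type: int   # 1 = NT-PRINCIPAL
    timestamp: int   # seconds since the epoch when the entry was written
    kvno: int
    etype: int       # the entry's "keytype" field, which carries an etype number
    key: bytes


def etype_name(etype: int) -> str:
    return ETYPE_NAMES.get(etype, "unknown-etype-%d" % etype)


def _cos(buf: bytes, off: int):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated counted_octet_string")
    return bytes(buf[off:off + n]), off + n


def _parse_entry(body: bytes) -> KeytabEntry:
    p = 0
    (ncomp,) = struct.unpack_from(">H", body, p)
    p += 2
    realm, p = _cos(body, p)
    comps = []
    for _ in range(ncomp):
        c, p = _cos(body, p)
        comps.append(c)
    # name_type(4) timestamp(4) vno8(1) keytype(2) keylen(2): big-endian, unpadded
    name_type, timestamp, vno8, keytype, keylen = struct.unpack_from(">IIBHH", body, p)
    p += 13
    key = bytes(body[p:p + keylen])
    if len(key) != keylen:
        raise ValueError("truncated key")
    p += keylen
    kvno = vno8
    # "POSSIBLE if length left": a 32-bit vno follows the key when the entry has room.
    # Assumption made here: a nonzero 32-bit value takes precedence over vno8.
    if len(body) - p >= 4:
        (vno32,) = struct.unpack_from(">I", body, p)
        if vno32 != 0:
            kvno = vno32
    principal = b"/".join(comps).decode("utf-8") + "@" + realm.decode("utf-8")
    return KeytabEntry(principal, name_type, timestamp, kvno, keytype, key)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 (big-endian) keytab and return its live entries."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a keytab")
    if data[1] != 0x02:
        raise ValueError("only version 0x0502 is handled; 0x0501 uses host byte order")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # a negative size marks a deleted slot of that many bytes
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated entry")
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def build_keytab(entries: Sequence[KeytabEntry], vno32: bool = True,
                 deleted: Sequence[int] = ()) -> bytes:
    """Serialise entries in 0x0502 layout; indexes in `deleted` are written as dead slots."""
    out = bytearray(b"\x05\x02")
    for i, e in enumerate(entries):
        name, realm = e.principal.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF, e.etype, len(e.key))
        body += e.key
        if vno32:
            body += struct.pack(">I", e.kvno)   # the optional trailing 32-bit vno
        size = -len(body) if i in deleted else len(body)
        out += struct.pack(">i", size) + body
    return bytes(out)


# Constructed sample (the keys are dummies): an arcfour entry like one exported from
# AD, a des-cbc-crc entry stored as a deleted slot, and an AES entry with kvno > 255.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/www.example.com@EXAMPLE.COM", 1, 1146515624, 3, 23, bytes(range(16))),
    KeytabEntry("host/old.example.com@EXAMPLE.COM", 1, 1146515624, 2, 1, b"\x01" * 8),
    KeytabEntry("HTTP/new.example.com@EXAMPLE.COM", 1, 1146515624, 300, 18, b"\x02" * 32),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES, deleted=[1])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%d %s %d (%s)" % (e.kvno, e.principal, e.etype, etype_name(e.etype)))
```

Running the block lists the two live entries with their etype numbers resolved to the same names ktutil shows. The third entry shows why the trailing 32-bit vno matters: written without it, a kvno of 300 survives only as 300 mod 256 in the single vno8 byte.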

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos