File: Supported-Encryption-Types.html

package info (click to toggle)
krb5 1.4.4-7etch8
  • links: PTS
  • area: main
  • in suites: etch
  • size: 49,188 kB
  • ctags: 25,838
  • sloc: ansic: 270,358; exp: 21,157; makefile: 10,635; sh: 6,403; yacc: 2,515; perl: 1,925; cpp: 743; awk: 449; python: 379; asm: 248; lex: 190; sed: 172; csh: 147
file content (70 lines) | stat: -rw-r--r-- 2,738 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
<html lang="en">
<head>
<title>Kerberos V5 System Administrator's Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 System Administrator's Guide">
<meta name="generator" content="makeinfo 4.5">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
</head>
<body>
<div class="node">
<p>
Node:<a name="Supported%20Encryption%20Types">Supported Encryption Types</a>,
Next:<a rel="next" accesskey="n" href="Salts.html#Salts">Salts</a>,
Previous:<a rel="previous" accesskey="p" href="Configuration-Files.html#Configuration%20Files">Configuration Files</a>,
Up:<a rel="up" accesskey="u" href="Configuration-Files.html#Configuration%20Files">Configuration Files</a>
<hr><br>
</div>

<h3 class="section">Supported Encryption Types</h3>

<p>Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.

     <dl>
<dt><code>des-cbc-crc</code>
     <dd>DES cbc mode with CRC-32
<br><dt><code>des-cbc-md4</code>
     <dd>DES cbc mode with RSA-MD4
<br><dt><code>des-cbc-md5</code>
     <dd>DES cbc mode with RSA-MD5
<br><dt><code>des3-cbc-sha1</code>
     <dd><dt><code>des3-hmac-sha1</code>
     <dd><dt><code>des3-cbc-sha1-kd</code>
     <dd>triple DES cbc mode with HMAC/sha1
<br><dt><code>des-hmac-sha1</code>
     <dd>DES with HMAC/sha1
<br><dt><code>aes256-cts-hmac-sha1-96</code>
     <dd><dt><code>aes256-cts</code>
     <dd>AES-256 CTS mode with 96-bit SHA-1 HMAC
<br><dt><code>aes128-cts-hmac-sha1-96</code>
     <dd><dt><code>aes128-cts</code>
     <dd>AES-128 CTS mode with 96-bit SHA-1 HMAC
<br><dt><code>arcfour-hmac</code>
     <dd><dt><code>rc4-hmac</code>
     <dd><dt><code>arcfour-hmac-md5</code>
     <dd>RC4 with HMAC/MD5
<br><dt><code>arcfour-hmac-exp</code>
     <dd><dt><code>rc4-hmac-exp</code>
     <dd><dt><code>arcfour-hmac-md5-exp</code>
     <dd>exportable RC4 with HMAC/MD5
</dl>

<p>While aes128-cts and aes256-cts are supported for all Kerberos
operations, they are not supported by older versions of our GSSAPI
implementation (krb5-1.3.1 and earlier).

<p>By default, AES is enabled in this release.  Sites wishing to use AES
encryption types on their KDCs need to be careful not to give GSSAPI
services AES keys if the servers have not been updated.  If older
GSSAPI services are given AES keys, then services may fail when
clients supporting AES for GSSAPI are used.  Sites may wish to use AES
for user keys and for the ticket granting ticket key, although doing
so requires specifying what encryption types are used as each
principal is created.

<p>If all GSSAPI-based services have been updated before or with the KDC,
this is not an issue.

</body></html>