(heimdal.info.gz) Encryption types and salting

 4.12 Encryption types and salting
 =================================
 
 The encryption types that the KDC assigns by default can be changed.
 Since the keys used for user authentication are salted, the encryption
 types are described together with the salt strings.
 
 Salting is used to make it harder to pre-calculate all possible keys: a
 salt enlarges the search space so much that pre-calculating all keys
 becomes practically impossible. Salting is the process of mixing a
 public string (the salt) with the password and sending the result
 through an encryption type specific string-to-key function, which
 outputs the fixed-size encryption key.
 
 In Kerberos 5 the salt is determined by the encryption type, except in
 some special cases.
 
 In `des' there is the Kerberos 4 salt (none at all) or the afs-salt
 (using the cell (realm in AFS lingo)).
 
 In `arcfour' (the encryption type that Microsoft Windows 2000 uses)
 there is no salt. This is for compatibility with NTLM keys in Windows
 NT 4.
 
 `[kadmin]default_keys' in `krb5.conf' controls what salting to use.
 
 The syntax of `[kadmin]default_keys' is
 `[etype:]salt-type[:salt-string]'. `etype' is the encryption type
 (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96), `salt-type'
 is the type of salt (pw-salt or afs3-salt), and `salt-string' is the
 string that will be used as salt (remember that since the salt is
 appended/prepended to the password, the empty salt "" is the same thing
 as no salt at all).
 
 Common types of salting include
 
    * `v4' (or `des:pw-salt:')
 
      Kerberos 4 salting uses no salt at all. The reason there is a
      colon at the end of the salt string is that it makes the salt the
      empty string (same as no salt).
 
    * `v5' (or `pw-salt')
 
      `pw-salt' uses the default salt of the encryption type it is
      specified for. If the encryption type `etype' isn't given, all
      default encryption types will be used.
 
    * `afs3-salt'
 
      `afs3-salt' is the salt that is used with the Transarc kaserver.
      It's the cell name appended to the password.
 
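 The following Python program is an added worked example, not Heimdal's
 own code: it parses `default_keys' entries of the form
 `[etype:]salt-type[:salt-string]' (including the `v4' and `v5'
 shorthands above), derives the salt string each entry yields for a
 given principal, and then shows why the salt matters. The default
 `pw-salt' string is taken from RFC 3961 section 4 (realm followed by
 the principal's name components); the `afs3-salt' string is assumed
 here to be the realm in lower case, the usual AFS cell-name
 convention. `hashlib.pbkdf2_hmac' stands in for the real, encryption
 type specific string-to-key functions: only its dependence on the salt
 is of interest, so the keys it produces are not real Kerberos keys.

```python
"""Worked example of Heimdal's [kadmin]default_keys syntax.  Added here
as illustration; it is not Heimdal's own code."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

SALT_TYPES = ("pw-salt", "afs3-salt")
# Encryption types named in the text; used when an entry gives no etype.
DEFAULT_ETYPES = ("aes256-cts-hmac-sha1-96", "arcfour-hmac-md5", "des-cbc-crc")
# The v4/v5 shorthands described in the text.
ALIASES = {"v4": "des:pw-salt:", "v5": "pw-salt"}


@dataclass
class KeySpec:
    etype: Optional[str]        # None: applies to all default encryption types
    salt_type: str              # "pw-salt" or "afs3-salt"
    salt_string: Optional[str]  # None: the salt type's default; "" is an explicit empty salt


def parse_default_keys(entry: str) -> KeySpec:
    """Parse one default_keys entry: [etype:]salt-type[:salt-string]."""
    parts = ALIASES.get(entry, entry).split(":")
    if parts[0] in SALT_TYPES:
        etype, rest = None, parts
    else:
        etype, rest = parts[0], parts[1:]
    if not rest or rest[0] not in SALT_TYPES:
        raise ValueError(f"no salt type in default_keys entry {entry!r}")
    # Anything after the salt type, even an empty string, is an explicit salt;
    # a trailing colon therefore selects the empty salt (same as no salt).
    salt_string = None if len(rest) == 1 else ":".join(rest[1:])
    return KeySpec(etype, rest[0], salt_string)


def salt_for(spec: KeySpec, etype: str, principal: str, realm: str) -> str:
    """Return the salt string an entry yields for one principal and etype."""
    if spec.salt_string is not None:
        return spec.salt_string
    if etype.startswith("arcfour"):
        return ""  # arcfour never uses a salt (NTLM compatibility)
    if spec.salt_type == "afs3-salt":
        # The AFS cell name; assumed here to be the realm in lower case.
        return realm.lower()
    # Kerberos 5 default salt (RFC 3961, section 4): the realm followed by
    # the principal's name components, concatenated without separators.
    return realm + "".join(principal.split("/"))


def keys_for(entry: str, principal: str, realm: str,
             password: str) -> List[Tuple[str, str, str]]:
    """(etype, salt, hex key) for every encryption type the entry covers.

    PBKDF2-HMAC-SHA1 is a stand-in for the etype-specific string-to-key
    functions; the point is only that the key depends on the salt.
    """
    spec = parse_default_keys(entry)
    etypes = [spec.etype] if spec.etype else list(DEFAULT_ETYPES)
    result = []
    for et in etypes:
        salt = salt_for(spec, et, principal, realm)
        key = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)
        result.append((et, salt, key.hex()))
    return result


if __name__ == "__main__":
    realm, pw = "EXAMPLE.ORG", "hunter2"  # constructed sample values
    for entry in ("v5", "v4", "afs3-salt", "aes256-cts-hmac-sha1-96:pw-salt:custom"):
        for user in ("alice", "bob/admin"):
            for et, salt, key in keys_for(entry, user, realm, pw):
                print(f"{entry:40} {user:10} {et:24} salt={salt!r:24} key={key[:16]}...")
```

 Running it shows the practical consequence of the choice: with `v5'
 two principals that share a password get different keys for the salted
 encryption types, whereas with `v4' (empty salt) or for `arcfour' they
 get the same key, which is exactly what lets an attacker reuse one
 pre-calculated table against every principal in the realm.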
 