Kerberos - Encryption type

About

encryption in Kerberos

Encryption is used for both the ticket-granting-ticket and session tickets.

There are three components:

• the client,
• the KDC,
• and the server.

Each one may support a different set of encryption types, and the protocol needs to negotiate a mutually-supported enctype for things to work.

Articles Related

Type

• CRC (DES_CBC_CRC): Supports CRC32 as described in [RFC3961] page 31.
• MD5 (DES_CBC_MD5): Supports RSA-MD5 as described in [RFC3961] page 31.
• RC4 (RC4_HMAC_MD5): Supports RC4-HMAC-MD5 as described in [RFC4757].
• A128 (AES128_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES128 as described in [RFC3961] page 31.
• A256 (AES256_CTS_HMAC_SHA1_96): Supports HMAC-SHA1-96-AES256 as described in [RFC3961] page 31.

Support

KDC has no support for encryption type

• When the client talks to the KDC it tells the KDC what it supports, and the KDC can accommodate that.
• When the client asks for a ticket for the server, neither of them directly knows what enctypes the server supports, and the KDC can potentially issue a service ticket with an enctype the server doesn't understand. (“no support for encryption type”)

The way you avoid this problem is by limiting the encryption types stored in the KDCs DB for the server to what the server actually understands. The KDC can't issue tickets with encryption types it doesn't have on record. Everything is guaranteed to work.

Documentation / Reference

• Encryption types reference
• KDC has no support for encryption type