<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html><head>
<meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
<link rel="stylesheet" type="text/css" href="Leash.css">
<title>Encryption_Types</title></head>

<body>
<h1>Encryption Types</h1>
<p>
Kerberos supports several types of encryption for securing session keys
and tickets. The type used for a particular ticket or session key
is negotiated automatically when you request a ticket or a service. </p>
<ul>
<li>When encrypting tickets, the Key Distribution Center (KDC) for your
Kerberos installation checks for an encryption type that is shared by
both the KDC and the service you are attempting to use.</li>
<li>When encrypting session keys, the KDC checks for an encryption
type shared by the KDC, the service, and the client requesting the
session (you).</li>
</ul>

<table>
<tbody><tr>
<th id="th2">How to...</th> <th id="th2">Learn about...</th></tr>
<tr>
<td>
<ul id="helpul">
<li><a href="#view"> View encryption types</a></li>
</ul>
</td>
<td>
<ul id="helpul">
<li><a href="#weak"> Weak encryption types</a></li>
<li><a href="#supported"> Supported encryption types</a></li>
<li><a href="#related-help"> Related help</a></li>
</ul>
</td>
</tr>
</tbody></table>

<p></p>
<h2><a name="weak"> Weak Encryption Types </a></h2>
<p>
In the table of Encryption Types below, some encryption types are noted as <b>weak</b>.
Most of them are encryption types that used to be strong but now, with
more computing power available, are considered weak and therefore
undesirable. However, they are still sometimes used for backwards
compatibility. If Kerberos is installed in a network that contains some
older machines running operating systems that do not support the newer
encryption types, administrators can choose to allow the weaker
encryption when connecting to the older machines.</p>
<p>
<a href="#top">Back to Top</a> </p>
<h2><a name="view">View Encryption Types</a></h2>
<ol>
<li>Click the Options tab and find the View Options panel. </li>
<li>Click the Encryption Type checkbox to select it. This opens the
Encryption Type column in the main window, showing the encryption type
associated with each of your tickets and session keys. <br>
<a href="HTML/Options_Tab.htm#using-ticket-options">How to: Use Ticket Options Panel</a></li>
<li>Click and drag the line to the right of the Encryption Type column
header to widen the column enough to see both the ticket and session
key.</li>
<li>Click the blue triangle to the left of a principal name to see all
tickets and session keys issued to that principal. Each ticket and key
will have an entry in the Encryption Type column. <br>
<a href="HTML/View_Tickets.htm">How to: View Tickets </a>
</li></ol>


<p>
<a href="#top">Back to Top</a> </p>

<a name="supported"><p></p></a>
<h2>Supported Encryption Types </h2>
<table>
<tbody><tr>
<th>Encryption Type </th>
<th>Description</th>
</tr>
<tr>
<th id="th2"> des3- </th>
 <td> The triple DES family improves on
the original DES (Data Encryption Standard) by using 3 separate 56-bit
keys. Some modes of 3DES are considered weak while others are strong
(if slow). <ul id="helpul">
<li> des3-cbc-sha1</li>
<li> des3-cbc-raw (<b>weak</b>) </li>
<li>des3-hmac-sha1 </li>
<li>des3-cbc-sha1-kd </li>
</ul>
</td>
 </tr>
<tr>
<th id="th2"> aes </th>
 <td>The AES (Advanced Encryption Standard)
family, like 3DES, is a symmetric block cipher; it was designed
to replace the DES family. It can use multiple key sizes. Kerberos specifies its use
with 256-bit and 128-bit keys.
<ul id="helpul">
<li> aes256-cts-hmac-sha1-96 </li>
<li> aes128-cts-hmac-sha1-96 </li>
</ul>
</td>
</tr>
<tr>
<th id="th2"> rc4 or <br> arcfour</th>
<td>RC4 (Rivest Cipher 4) is a symmetric stream cipher that can use
multiple key sizes. The exportable variations are considered weak, but
other variations are strong.
<ul id="helpul">
<li> arcfour-hmac </li>
<li> rc4-hmac </li>
<li> arcfour-hmac-md5</li>
<li> arcfour-hmac-exp (<b>weak</b>) </li>
<li> rc4-hmac-exp (<b>weak</b>) </li>
<li> arcfour-hmac-md5-exp (<b>weak</b>) </li>
</ul>
</td>
</tr>
</tbody></table>
<p>
<a href="#top">Back to Top</a> </p>
<h2><a name="related-help">Related Help</a></h2>
<ul id="helpul">
<li><a href="HTML/View_Tickets.htm">View tickets</a></li>
<li><a href="HTML/Kerberos_Terminology.htm#ticket">Kerberos Terminology: Tickets</a></li>
</ul>


<script language="JavaScript">
popfont="Arial,.825,"
popupRealm=" Kerberos realms are a way of logically grouping resources and identities that use Kerberos. Your realm is the home of your Kerberos identity and your point of entry to the network resources controlled by Kerberos."
</script>

<object id="popup" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
</object>

</body></html>