Kerberos supports several types of encryption for securing session keysand the tickets. The type used for a particular ticket or session keyis automatically negotiated when you request a ticket or a service.
- When encrypting tickets, the Key Distribution Center (KDC) for yourKerberos installation checks for an encryption type that is shared byboth the KDC and the service you are attempting to use.
- When encrypting session keys, the KDC checks for an encryptiontype shared by the KDC, the service, and the client requesting thesession (you).
How to... | Learn about... |
---|---|
|
|
Weak Encryption Types
In the table of Encryption Types below, some encryption types are noted as weak.Most of them are encryption types that used to be strong but now, withmore computing power available, are considered weak and thereforeundesirable. However, they are still sometimes used for backwardscompatibility. If Kerberos is installed in a network that contains someolder machines running operating systems that do not support the newerencryption types, administrators can choose to allow the weakerencryption when connecting to the older machines.
Back to Top
View Encryption Types
- Click the Options tab and find the View Options panel.
- Click the Encryption Type checkbox to select it. This opens theEncryption Type column in the main window, showing the encryption typeassociated with each of your tickets and session keys.
How to: Use Ticket Options Panel - Click and drag the line to the right of the Encryption Type columnheader to widen the column enough to see both the ticket and sessionkey.
- Click the blue triangle to the left of a principal name to see alltickets and session keys issued to that principal. Each ticket and keywill have an entry in the Encryption type column.
How to: View Tickets
Back to Top
Supported Encryption Types
Encryption Type | Description |
---|---|
des- | The DES (Data Encryption Standard)family is a symmetric block cipher. It was designed to handle only56-bit keys which is not enough for modern computing power. It is nowconsidered to be weak encryption.
|
des3- | The triple DES family improves onthe original DES (Data Encryption Standard) by using 3 separate 56-bitkeys. Some modes of 3DES are considered weak while others are strong(if slow).
|
aes | The AES Advanced Encryption Standardfamily, like DES and 3DES, is a symmetric block cipher and was designedto replace them. It can use multiple key sizes. Kerberos specifies usefor 256-bit and 128-bit keys.
|
rc4 or arcfour | The RC4 (Rivest Cipher 4) is a symmetric stream cipher that can usemultiple key sizes. The exportable variations are considered weak, butother variations are strong.
|
Back to Top