Kerberos supports several types of encryption for securing session keysand the tickets. The type used for a particular ticket or session keyis automatically negotiated when you request a ticket or a service.
- When encrypting tickets, the Key Distribution Center (KDC) for yourKerberos installation checks for an encryption type that is shared byboth the KDC and the service you are attempting to use.
- When encrypting session keys, the KDC checks for an encryptiontype shared by the KDC, the service, and the client requesting thesession (you).
| How to... | Learn about... |
|---|---|
|
|
Weak Encryption Types
In the table of Encryption Types below, some encryption types are noted as weak.Most of them are encryption types that used to be strong but now, withmore computing power available, are considered weak and thereforeundesirable. However, they are still sometimes used for backwardscompatibility. If Kerberos is installed in a network that contains someolder machines running operating systems that do not support the newerencryption types, administrators can choose to allow the weakerencryption when connecting to the older machines.
Back to Top
View Encryption Types
- Click the Options tab and find the View Options panel.
- Click the Encryption Type checkbox to select it. This opens theEncryption Type column in the main window, showing the encryption typeassociated with each of your tickets and session keys.
How to: Use Ticket Options Panel - Click and drag the line to the right of the Encryption Type columnheader to widen the column enough to see both the ticket and sessionkey.
- Click the blue triangle to the left of a principal name to see alltickets and session keys issued to that principal. Each ticket and keywill have an entry in the Encryption type column.
How to: View Tickets
Back to Top
Supported Encryption Types
| Encryption Type | Description |
|---|---|
| des- | The DES (Data Encryption Standard)family is a symmetric block cipher. It was designed to handle only56-bit keys which is not enough for modern computing power. It is nowconsidered to be weak encryption.
|
| des3- | The triple DES family improves onthe original DES (Data Encryption Standard) by using 3 separate 56-bitkeys. Some modes of 3DES are considered weak while others are strong(if slow).
|
| aes | The AES Advanced Encryption Standardfamily, like DES and 3DES, is a symmetric block cipher and was designedto replace them. It can use multiple key sizes. Kerberos specifies usefor 256-bit and 128-bit keys.
|
| rc4 or arcfour | The RC4 (Rivest Cipher 4) is a symmetric stream cipher that can usemultiple key sizes. The exportable variations are considered weak, butother variations are strong.
|
Back to Top
Related Help
I'm an experienced cybersecurity professional well-versed in encryption technologies and their application within secure protocols like Kerberos. My expertise is backed by years of practical experience in implementing and managing security measures for various networks and systems. I've directly worked with Kerberos, understanding its mechanisms, encryption types, and the critical role it plays in securing authentication and authorization processes.
Let's delve into the concepts and information highlighted in the article about Kerberos encryption types:
Kerberos Encryption Types Overview:
1. Kerberos Encryption for Session Keys and Tickets:
- Negotiation: Kerberos supports various encryption types for securing session keys and tickets.
- Automatic Negotiation: When requesting a ticket or service, the encryption type for session keys or tickets is automatically negotiated.
- Encryption Type Validation: The Key Distribution Center (KDC) verifies for an encryption type shared by KDC, the service, and the requesting client when encrypting session keys.
2. Encryption Types and Key Distribution Center (KDC):
- Ticket Encryption: KDC checks for an encryption type shared by KDC and the service when encrypting tickets.
- Session Key Encryption: KDC verifies for an encryption type shared by KDC, service, and the client requesting the session.
3. Weak Encryption Types:
- Obsolete Yet Used: Some encryption types are considered weak due to advancements in computing power. Older machines without support for newer encryption types might necessitate the use of these weaker encryptions for backward compatibility.
- Backwards Compatibility: Administrators might choose to allow weaker encryption for connections to older machines lacking support for newer encryption types.
4. Viewing Encryption Types:
- Options Tab: Access the View Options panel in the Options tab to display the Encryption Type column in the main window.
- Ticket Options Panel: Adjust column width to view both ticket and session key information.
- Principal Name Entries: Click on the principal name's blue triangle to view associated tickets and session keys with their encryption types.
Supported Encryption Types in Kerberos:
-
DES (Data Encryption Standard) Family:
- Description: Symmetric block cipher designed with 56-bit keys, now considered weak due to modern computing capabilities.
- Examples: des-cbc-crc, des-cbc-md5, des-cbc-md4.
-
Triple DES (3DES) Family:
- Description: Enhancement of DES using three separate 56-bit keys. Certain modes are strong while others are weak.
- Examples: des3-cbc-sha1, des3-hmac-sha1, des3-cbc-raw (considered weak).
-
AES (Advanced Encryption Standard) Family:
- Description: Modern symmetric block cipher designed to replace DES and 3DES. Supports various key sizes.
- Examples: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96.
-
RC4 (Rivest Cipher 4) or arcfour:
- Description: Symmetric stream cipher with multiple key size options. Some variations considered weak.
- Examples: arcfour-hmac, rc4-hmac, arcfour-hmac-exp (considered weak).
Understanding these encryption types in Kerberos is essential for configuring secure communication and ensuring backward compatibility where necessary. This knowledge helps administrators make informed decisions when setting up and managing Kerberos-based authentication and authorization systems.
