About
Encryption in Kerberos is used for both the ticket-granting ticket (TGT) and the service tickets issued from it.
There are three components: the client, the KDC and the service (server).
Each one may support a different set of encryption types (enctypes), and at each exchange the protocol has to negotiate an enctype that both sides of that exchange can use, otherwise nothing works.
Type
The short names below (CRC, A128, A256) are the ones Windows uses for the bits of the msDS-SupportedEncryptionTypes attribute; the enctype numbers are those assigned in [RFC3961] section 8 (page 31).
- CRC (DES_CBC_CRC, enctype 1): DES in CBC mode with a CRC32 checksum, as described in [RFC3961] page 31. DES is deprecated for Kerberos ([RFC6649]) and should not be enabled on new deployments.
- A128 (AES128_CTS_HMAC_SHA1_96, enctype 17): AES-128 in CTS mode with HMAC-SHA1-96, listed in [RFC3961] page 31 and defined in [RFC3962].
- A256 (AES256_CTS_HMAC_SHA1_96, enctype 18): AES-256 in CTS mode with HMAC-SHA1-96, listed in [RFC3961] page 31 and defined in [RFC3962].
Support
KDC has no support for encryption type
- When the client talks to the KDC (the AS exchange) it tells the KDC which enctypes it supports, and the KDC answers with one of them for which it also holds a key for that client. Both parties are present, so this step is easy to get right.
- When the client asks the KDC for a ticket for a server (the TGS exchange) the server is not part of the conversation. Neither the client nor the KDC asks the server what it understands; the KDC only knows which keys are stored for the server's principal in its database, and it encrypts the service ticket with one of those. If that key's enctype is not in the server's keytab, or is one the server's software cannot use, the server cannot decrypt the ticket. When the KDC's record of the server's enctypes has no overlap with what the client asked for, the KDC itself refuses with KDC_ERR_ETYPE_NOSUPP, which the client reports as "KDC has no support for encryption type".
The way to avoid this problem is to limit the enctypes stored in the KDC database for the server principal to the ones the server actually understands and has in its keytab. The KDC cannot issue a ticket with an enctype it has no key on record for, so it can then only issue tickets the server can decrypt. In MIT Kerberos this is the -e enctype list on kadmin's addprinc, cpw and ktadd; in Active Directory it is the account's msDS-SupportedEncryptionTypes attribute. Keep the keytab and the KDC record in step (same enctypes and the same kvno) after every key change, or the ticket will still be undecryptable on the server side.
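The three-party negotiation and the failure mode above, as an added example that is not part of this page or of any Kerberos implementation. The principal names, the key lists, the strongest-first ordering of stored keys and the simplified selection rule (first client-requested enctype that the KDC also holds a key for) are assumptions made for the illustration:

```python
"""Model of Kerberos enctype negotiation between client, KDC and service.
Added illustration, not Kerberos code; names, key lists and the
strongest-first key order are constructed assumptions."""

from dataclasses import dataclass

# Enctype numbers assigned in RFC 3961 section 8.
DES_CBC_CRC = 1
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18

KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
KDC_ERR_ETYPE_NOSUPP = 14  # "KDC has no support for encryption type"


class KdcError(Exception):
    def __init__(self, code: int, msg: str) -> None:
        super().__init__(f"{code}: {msg}")
        self.code = code


@dataclass(frozen=True)
class Ticket:
    service: str
    ticket_etype: int   # enctype of the service key the ticket is encrypted in
    session_etype: int  # enctype of the session key carried inside it


class Kdc:
    """The KDC knows nothing about a service except the keys in its database."""

    def __init__(self, db: dict[str, list[int]]) -> None:
        # principal -> enctypes for which a long-term key is stored,
        # strongest first (assumption; real KDCs have their own ordering).
        self.db = db

    def as_req(self, client: str, client_etypes: list[int]) -> int:
        """AS exchange: the client lists its enctypes; the KDC replies with the
        first one it also holds a key for. Returns the chosen enctype."""
        for e in client_etypes:
            if e in self.db.get(client, []):
                return e
        raise KdcError(KDC_ERR_ETYPE_NOSUPP, f"no common enctype for {client}")

    def tgs_req(self, client_etypes: list[int], service: str) -> Ticket:
        """TGS exchange: the service is absent, so its stored keys stand in for
        what it supports. The ticket is encrypted in the service's strongest
        stored key; the session key must suit both client and service."""
        service_etypes = self.db.get(service, [])
        if not service_etypes:
            raise KdcError(KDC_ERR_S_PRINCIPAL_UNKNOWN, f"unknown service {service}")
        common = [e for e in client_etypes if e in service_etypes]
        if not common:
            raise KdcError(KDC_ERR_ETYPE_NOSUPP, f"no common enctype for {service}")
        return Ticket(service, service_etypes[0], common[0])


def service_can_decrypt(keytab_etypes: set[int], ticket: Ticket) -> bool:
    """Server side: decryption works only if the keytab holds a key of the
    enctype the KDC actually used for the ticket."""
    return ticket.ticket_etype in keytab_etypes


def demo() -> dict[str, object]:
    svc = "host/srv.example.com"  # constructed principal name
    client_etypes = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96]
    keytab = {AES128_CTS_HMAC_SHA1_96}  # the server only has an AES-128 key

    # Misconfigured: the KDC also stores an AES-256 key for the server, so it
    # encrypts the ticket with a key the server never received.
    bad = Kdc({svc: [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96]})
    t_bad = bad.tgs_req(client_etypes, svc)

    # Fixed: the KDC record is limited to what the server really has.
    good = Kdc({svc: [AES128_CTS_HMAC_SHA1_96]})
    t_good = good.tgs_req(client_etypes, svc)

    # A DES-only client against an AES-only service: the KDC itself refuses.
    try:
        good.tgs_req([DES_CBC_CRC], svc)
        refused = None
    except KdcError as err:
        refused = err.code

    return {"bad_ticket_ok": service_can_decrypt(keytab, t_bad),
            "good_ticket_ok": service_can_decrypt(keytab, t_good),
            "des_client_error": refused}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the KDC never asks the server anything during the TGS exchange: whatever keys sit in the database for the server principal define the tickets it can issue, so trimming that record to the keytab's enctypes is the only lever that makes the server side predictable.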