From 2c9fc4063c8954e49398d88cb2f5ef8054ff4c0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= Date: Tue, 8 May 2007 14:35:00 +0000 Subject: [PATCH] Salting is really Encryption types and salting. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20632 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/setup.texi | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/doc/setup.texi b/doc/setup.texi index b7fbca503..ec86b5ee8 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -23,7 +23,7 @@ doing so. It will make life easier for you and everyone else. * Testing clients and servers:: * Slave Servers:: * Incremental propagation:: -* Salting:: +* Encryption types and salting:: * Cross realm:: * Transit policy:: * Setting up DNS:: @@ -552,7 +552,7 @@ automate this you will want to start Starting the propagation once an hour from @command{cron} is probably a good idea. -@node Incremental propagation, Salting, Slave Servers, Setting up a realm +@node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm @section Incremental propagation There is also a newer, and still somewhat experimental, mechanism for 
@@ -612,9 +612,15 @@ slave# /usr/heimdal/libexec/ipropd-slave master & To manage the iprop log file you should use the @command{iprop-log} command. With it you can dump, truncate and replay the logfile. -@node Salting, Cross realm, Incremental propagation, Setting up a realm -@section Salting +@node Encryption types and salting, Cross realm, Incremental propagation, Setting up a realm +@section Encryption types and salting @cindex Salting +@cindex Encryption types + +The encryption types that the KDC is going to assign by default is +possible to change. Since the keys used for user authentication is +salted the encryption types are described together with the salt +strings. Salting is used to make it harder to pre-calculate all possible keys. Using a salt increases the search space to make it almost @@ -623,8 +629,8 @@ public string (the salt) with the password, then sending it through an encryption type specific string-to-key function that will output the fixed size encryption key. -In Kerberos 5 the salt is determined by the encryption-type, except -in some special cases. +In Kerberos 5 the salt is determined by the encryption type, except in +some special cases. In @code{des} there is the Kerberos 4 salt (none at all) or the afs-salt (using the cell (realm in 
@@ -639,10 +645,11 @@ what salting to use. The syntax of @code{[kadmin]default_keys} is @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption -type (des, des3, arcfour), @code{salt-type} is the type of salt (pw-salt -or afs3-salt), and the salt-string is the string that will be used as -salt (remember that if the salt is appended/prepended, the empty salt "" -is the same thing as no salt at all). +type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96), +@code{salt-type} is the type of salt (pw-salt or afs3-salt), and the +salt-string is the string that will be used as salt (remember that if +the salt is appended/prepended, the empty salt "" is the same thing as +no salt at all). Common types of salting include @@ -666,7 +673,7 @@ the cell name appended to the password. @end itemize -@node Cross realm, Transit policy, Salting, Setting up a realm +@node Cross realm, Transit policy, Encryption types and salting, Setting up a realm @section Cross realm @cindex Cross realm
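Review bot: In the @@ -612 hunk the new introductory paragraph has grammar problems that should be fixed before merge: "The encryption types that the KDC is going to assign by default is possible to change" should read "The encryption types that the KDC assigns by default can be changed", and "Since the keys used for user authentication is salted" should be "are salted". The paragraph also says the defaults can be changed without saying where; since the same file documents @code{[kadmin]default_keys} a few lines further down (visible in the @@ -639 hunk), a short pointer such as "see @code{[kadmin]default_keys} below" would save the reader a search.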
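Review bot: In the @@ -639 hunk the markup for the three syntax elements is inconsistent: @samp{etype} is set with @samp, @code{salt-type} with @code, and salt-string is plain text, although all three are placeholders from the same @samp{[etype:]salt-type[:salt-string]} grammar; pick one form (@samp or @var) for all three. On the example list itself, the hunk now leads with des-cbc-crc ("(des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96)"); because this section is specifically about which types the KDC assigns by default, consider listing aes256-cts-hmac-sha1-96 first so the example ordering does not read as a recommendation of the single-DES type.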