From 54472b02bf4d83e195853d52fa31c111d2e46f50 Mon Sep 17 00:00:00 2001 From: Assar Westerlund Date: Fri, 24 Aug 2001 05:24:33 +0000 Subject: [PATCH] merge in some more text on salts from lha@stacken.kth.se git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10554 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/setup.texi | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/doc/setup.texi b/doc/setup.texi index ee7dc06e5..aedead4bc 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -403,13 +403,23 @@ slave# /usr/heimdal/libexec/ipropd-slave master & Salting is used to make it harder to precalculate all possible keys. Using a salt increases the search space to make it almost -impossible to precalculate all keys. In salting you just append the salt -to the password, or somehow merge the password with the salt. +impossible to precalculate all keys. Salting is the process of mixing a +public string (the salt) with the password, then sending it through an +encryption-type specific string-to-key function that will output the +fixed size encryption key. -In Kerberos 5 the salting is determined by the encryption-type, except -in case of @code{des}. In @code{des} there is the kerberos 4 salting -(none at all) or the afs-salting (using the cell (realm in -afs-lingo)). @code{[kadmin]default_keys} in @file{krb5.conf} controls +In Kerberos 5 the salt is determined by the encryption-type, except +in some special cases. + +In @code{des} there is the Kerberos 4 salt +(none at all) or the afs-salt (using the cell (realm in +afs-lingo)). + +In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses) +there is no salt. This is to be compatible with NTLM keys in Windows +NT 4. + +@code{[kadmin]default_keys} in @file{krb5.conf} controls what salting to use, The syntax of @code{[kadmin]default_keys} is
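Review bot: The new @code{arcfour} paragraph and the reworked @code{des} paragraph both say these keys are derived with no salt, but the opening paragraph still states that salting makes it almost impossible to precalculate all keys, and nothing connects the two. Someone picking values for @code{[kadmin]default_keys} should be told that the unsalted choices do not get that protection; one sentence after "NT 4." would cover it, for example "Keys derived without a salt can be precalculated, and the same password always gives the same key." Smaller points: "except in some special cases." is followed by two paragraphs that are never identified as those special cases, so introduce them as such; in "then sending it through an encryption-type specific string-to-key function" the "it" is ambiguous and should name the mixed password and salt; and since the final paragraph is being split out anyway, the context line "what salting to use, The syntax of" should end the sentence with a period before "The syntax".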