selecting master key enctype for a new database

Phil Tracy
I need to create a new realm, and I'm wondering if anyone has a
recommendation about which enctype to use for the master key.

The kdb5_util program seems to still default to des-cbc-crc when creating a
database (I'm running MIT Kerberos 1.4.1), and I'm not sure if there's a
good reason for this.  I'd like to use one of the new, stronger enctypes
like aes256, but I'm not sure what the pros and cons are.

I suppose that all of the slave KDCs would have to be upgraded to a version
of Kerberos that supports whatever master key enctype I choose, but I don't
anticipate a problem there.  Are there client issues?  Cross-realm trust
issues?  Something else?  I don't plan to run anything but MIT Kerberos for
a KDC, but if anyone knows of any gotchas with specific enctypes/vendors,
that might be useful information.  Thanks.

Phil Tracy
[hidden email]
Information Systems Architecture
Northwestern University Information Technology

