directory-kerby mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: PrinciplaName makeSalt method
Date Wed, 30 Dec 2015 10:07:14 GMT
On 30/12/15 10:46, Zheng, Kai wrote:
> The logic is either from the spec (3961?) or MIT Kerberos codes. It's intended to form
> the salt in that way, thus given a certain password for a principal, the generated encryption
> key will be the same value for an encryption type. All the vendors implement the logic so
> they can talk to each other for the clients using password.
http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#keysalt :
"In Kerberos 5 the complete principal name (including the realm) is
used as the salt. This means that the same password will not result in
the same encryption key in different realms or with two different
principals in the same realm."

and http://k5wiki.kerberos.org/wiki/Projects/Random_Salt_Generation :

The default salt is specified by RFC 4120
<http://tools.ietf.org/html/rfc4120> as "the concatenation of the
principal's realm and name components, in order, with no separators"

and RFC 4120 :

"The default salt string, if none is provided via pre-authentication
data, is the concatenation of the principal's realm and name components,
in order, with no separators."

That explains what.




Here is an interesting read :

http://k5wiki.kerberos.org/wiki/Projects/Random_Salt_Generation
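
The default salt rule quoted above from RFC 4120, as an added example (not part of the original message and not Kerby's code). The function names and sample principals are constructed for illustration; the PBKDF2 call is only the first step of the RFC 3962 AES string-to-key and does not produce the final Kerberos key.

```python
from __future__ import annotations
import hashlib


def parse_principal(principal: str) -> tuple[str, list[str]]:
    """Split 'comp1/comp2@REALM' into (realm, [components]).

    Simplified for the example: escaped '/' or '@' are not handled.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"expected name@REALM, got {principal!r}")
    return realm, name.split("/")


def default_salt(realm: str, components: list[str]) -> bytes:
    """RFC 4120 default salt: realm, then the name components, in order,
    with no separators."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_step(password: str, principal: str,
                iterations: int = 4096, length: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 over the password with the default salt.

    RFC 3962 feeds this output through random-to-key and DK(..., "kerberos")
    to get the actual AES key; that part is left out here.
    """
    realm, components = parse_principal(principal)
    salt = default_salt(realm, components)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, length)


if __name__ == "__main__":
    # Constructed sample principals; same password for all of them.
    for p in ("alice@A.EXAMPLE", "alice@B.EXAMPLE", "bob@A.EXAMPLE",
              "host/www.a.example@A.EXAMPLE"):
        realm, comps = parse_principal(p)
        print(f"{p:32} salt={default_salt(realm, comps)!r:36} "
              f"pbkdf2={pbkdf2_step('s3cret', p).hex()}")
    # "No separators" means the component boundaries are not encoded:
    # these two distinct names in one realm share a default salt.
    print(default_salt("A.EXAMPLE", ["ab", "c"]) ==
          default_salt("A.EXAMPLE", ["a", "bc"]))
```

Because the salt is derived only from the realm and name, every implementation computes the same value for a given principal and password, and renaming a principal changes the default salt its stored key was derived with.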


