directory-kerby mailing list archives

From "Zheng, Kai"
Subject RE: PrinciplaName makeSalt method
Date Wed, 30 Dec 2015 09:46:44 GMT
The logic is either from the spec (3961?) or the MIT Kerberos code. It's intended to form the
salt in that way, thus given a certain password for a principal, the generated encryption
key will be the same value for an encryption type. All the vendors implement the logic so
they can talk to each other for the clients using passwords. Not safe? Yes, that's why
other means, like using genkey with random bytes, would be preferred for service principals.
This explanation may not be accurate but should be a starting point to explore.


-----Original Message-----
From: Emmanuel Lécharny
Sent: Wednesday, December 30, 2015 5:19 PM
Subject: PrinciplaName makeSalt method

Hi !

I wonder what the PrincipalName.makeSalt() method is doing... It constructs a PrincipalName
where the '/' and '@' are removed, and concatenated in reverse order, which does not make
a lot of sense to me... Worst case: it is used to produce a salt for an encryption method,
which is a bad idea, considering the salt is based on the principalName's content...
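Added example, not part of the original messages and not Kerby's code: the default salt described in this thread (realm followed by the name components, separators dropped) fed into the PBKDF2-HMAC-SHA1 step that RFC 3962 uses for the AES encryption types, next to a random key as suggested for service principals. The function names are hypothetical, the principal parsing assumes no escaped `/` or `@`, and the PBKDF2 output is only the intermediate value, since the final DK derivation of RFC 3962 is omitted.

```python
import hashlib
import secrets


def default_salt(principal: str) -> bytes:
    """Default salt: realm + name components, with '/' and '@' removed."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_step(password: str, principal: str,
                iterations: int = 4096, length: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 over the password with the principal-derived salt.

    4096 is the RFC 3962 default iteration count. The result is the
    intermediate key only; the DK(..., "kerberos") step is not performed.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               default_salt(principal), iterations, length)


def random_service_key(length: int = 16) -> bytes:
    """Key from random bytes, independent of any password or principal name."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed sample principals; the first matches the RFC 3962 test input.
    for p in ("raeburn@ATHENA.MIT.EDU", "host/www.example.com@EXAMPLE.COM"):
        print(p, default_salt(p), pbkdf2_step("password", p, 1).hex())
    # Same password and principal always give the same bytes, on any
    # implementation, so a client needs only the password to get its key.
    # The salt is public, so the password is the only secret input.
    print("random key:", random_service_key().hex())
```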