directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <>
Subject RE: EncyptionKey structure an KVNO
Date Sat, 09 Jan 2016 01:20:26 GMT
If you'd look up references to it, you might find that it's mainly for keytab things. EncryptionKey
needs to be persisted in KDC database and can be exported. When exported, the kvno or key
version is important, keytab consumers like application servers would use it to find the appropriate
key considering keytype/enctype, kvno/version, and principal. Note when every time a key is
exported, the key version will be increased by 1. 

It's the key along with the kvno that needs to be persisted in database/backend, but not the
encrypted data.

-----Original Message-----
From: Emmanuel L├ęcharny [] 
Sent: Saturday, January 09, 2016 8:29 AM
Subject: EncyptionKey structure an KVNO


the EncryptionKey class contains a field kvno. I have no idea why we should have such a field,
and why and for what it is used ?

The KVNO is described as :

      A tag associated with encrypted data identifies which key was used
      for encryption when a long-lived key associated with a principal
      changes over time.  It is used during the transition to a new key
      so that the party decrypting a message can tell whether the data
      was encrypted with the old or the new key.

We have a field name KVNO in the EncryptedData class already...
View raw message