 

(heimdal.info) Salting

Info Catalog (heimdal.info) Incremental propagation (heimdal.info) Setting up a realm (heimdal.info) Cross realm
 
 Salting
 =======
 
 Salting is used to make it harder to precalculate all possible keys.
 Using a salt increases the search space to make it almost impossible to
 precalculate all keys. Salting is the process of mixing a public string
 (the salt) with the password, then sending it through an
 encryption-type specific string-to-key function that will output the
 fixed size encryption key.
 
 In Kerberos 5 the salt is determined by the encryption-type, except in
 some special cases.
 
 In `des' there is the Kerberos 4 salt (none at all) or the afs-salt
 (using the cell (realm in afs-lingo)).
 
 In `arcfour' (the encryption type that Microsoft Windows 2000 uses)
 there is no salt. This is to be compatible with NTLM keys in Windows NT
 4.
 
 `[kadmin]default_keys' in `krb5.conf' controls what salting to use.
 
 The syntax of `[kadmin]default_keys' is
 `[etype:]salt-type[:salt-string]'. `etype' is the encryption type (des,
 des3, arcfour), `salt-type' is the type of salt (pw-salt or afs3-salt),
 and the salt-string is the string that will be used as salt (remember
 that if the salt is appended/prepended, the empty salt "" is the same
 thing as no salt at all).
 
 Common types of salting include
 
    * `v4' (or `des:pw-salt:')
 
      Kerberos 4 salting uses no salt at all. The reason there is a
      colon at the end of the salt string is that it makes the salt
      the empty string (same as no salt).
 
    * `v5' (or `pw-salt')
 
      `pw-salt' means all regular encryption-types that is regular
 
    * `afs3-salt'
 
      `afs3-salt' is the salting that is used with Transarc kaserver. It's
      the cell appended to the password.
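
 The `[etype:]salt-type[:salt-string]' syntax above, parsed and resolved to the salt each principal would get, as an added example that is not Heimdal's own code. Assumptions not stated on this page: the default `pw-salt' is the realm followed by the principal name components (RFC 4120), the AFS cell is the lower-cased realm, and `toy_string_to_key' is a SHA-256 stand-in for the real string-to-key functions, used only to show which principals end up with identical keys.

```python
import hashlib

SALT_TYPES = {"pw-salt", "afs3-salt"}
ALIASES = {"v4": "des:pw-salt:", "v5": "pw-salt"}  # aliases listed on this page

def parse_default_key(entry):
    """Split one default_keys entry into (etype, salt_type, salt_string).

    etype is None when omitted. salt_string is None when omitted and ""
    when the entry ends in a colon (an explicit empty salt).
    """
    entry = ALIASES.get(entry, entry)
    head, sep, rest = entry.partition(":")
    etype = None
    if head not in SALT_TYPES:          # first field is an encryption type
        etype = head
        head, sep, rest = rest.partition(":")
    if head not in SALT_TYPES:
        raise ValueError(f"unknown salt type in {entry!r}")
    return etype, head, (rest if sep else None)

def effective_salt(entry, realm, name_parts):
    """Return the salt bytes mixed with the password for this principal."""
    etype, salt_type, salt_string = parse_default_key(entry)
    if etype == "arcfour":              # page: arcfour has no salt
        return b""
    if salt_string is not None:         # explicit salt string, possibly empty
        return salt_string.encode()
    if salt_type == "afs3-salt":
        return realm.lower().encode()   # assumption: cell = lower-cased realm
    # assumption: RFC 4120 default salt, realm + name components
    return (realm + "".join(name_parts)).encode()

def toy_string_to_key(password, salt):
    # Stand-in only: NOT the DES/DES3/arcfour string-to-key functions.
    return hashlib.sha256(password.encode() + salt).hexdigest()

if __name__ == "__main__":
    # Constructed sample: two users sharing one password in EXAMPLE.COM.
    for entry in ("v4", "v5", "afs3-salt", "arcfour:pw-salt"):
        for user in ("alice", "bob"):
            salt = effective_salt(entry, "EXAMPLE.COM", [user])
            key = toy_string_to_key("hunter2", salt)[:16]
            print(f"{entry:16} {user:6} salt={salt!r:22} key={key}")
```

 With `v4' and `arcfour' both users get the same key for the same password, so one precomputed table covers every principal; with `v5' each principal's key differs.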
 
 