Add minimal documentation for the new aes-sha2 enctypes.
ticket: 8490
des3-cbc-raw Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1
des-hmac-sha1 DES with HMAC/sha1 (weak)
-aes256-cts-hmac-sha1-96 aes256-cts AES-256 CTS mode with 96-bit SHA-1 HMAC
-aes128-cts-hmac-sha1-96 aes128-cts AES-128 CTS mode with 96-bit SHA-1 HMAC
+aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC
+aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC
+aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC
+aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier). Services running versions of
-krb5 without AES support must not be given AES keys in the KDC
-database.
+krb5 without AES support must not be given keys of these encryption
+types in the KDC database.
+
+The **aes128-sha2** and **aes256-sha2** encryption types are new in
+release 1.15. Services running versions of krb5 without support for
+these newer encryption types must not be given keys of these
+encryption types in the KDC database.
.. _Keysalt_lists:
See :ref:`Encryption_types` for additional information about enctypes.
-======================= ===== ======== =======
-enctype weak? krb5 Windows
-======================= ===== ======== =======
-des-cbc-crc weak all >=2000
-des-cbc-md4 weak all ?
-des-cbc-md5 weak all >=2000
-des3-cbc-sha1 >=1.1 none
-arcfour-hmac >=1.3 >=2000
-arcfour-hmac-exp weak >=1.3 >=2000
-aes128-cts-hmac-sha1-96 >=1.3 >=Vista
-aes256-cts-hmac-sha1-96 >=1.3 >=Vista
-camellia128-cts-cmac >=1.9 none
-camellia256-cts-cmac >=1.9 none
-======================= ===== ======== =======
+========================== ===== ======== =======
+enctype weak? krb5 Windows
+========================== ===== ======== =======
+des-cbc-crc weak all >=2000
+des-cbc-md4 weak all ?
+des-cbc-md5 weak all >=2000
+des3-cbc-sha1 >=1.1 none
+arcfour-hmac >=1.3 >=2000
+arcfour-hmac-exp weak >=1.3 >=2000
+aes128-cts-hmac-sha1-96 >=1.3 >=Vista
+aes256-cts-hmac-sha1-96 >=1.3 >=Vista
+aes128-cts-hmac-sha256-128 >=1.15 none
+aes256-cts-hmac-sha384-192 >=1.15 none
+camellia128-cts-cmac >=1.9 none
+camellia256-cts-cmac >=1.9 none
+========================== ===== ======== =======
krb5 releases 1.8 and later disable the single-DES enctypes by
default. Microsoft Windows releases Windows 7 and later disable
CKSUMTYPE_HMAC_MD5_ARCFOUR.rst
CKSUMTYPE_HMAC_SHA1_96_AES128.rst
CKSUMTYPE_HMAC_SHA1_96_AES256.rst
+ CKSUMTYPE_HMAC_SHA256_128_AES128.rst
+ CKSUMTYPE_HMAC_SHA384_192_AES256.rst
CKSUMTYPE_HMAC_SHA1_DES3.rst
CKSUMTYPE_MD5_HMAC_ARCFOUR.rst
CKSUMTYPE_NIST_SHA.rst
CKSUMTYPE_RSA_MD5.rst
CKSUMTYPE_RSA_MD5_DES.rst
ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst
+ ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst
ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst
+ ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst
ENCTYPE_ARCFOUR_HMAC.rst
ENCTYPE_ARCFOUR_HMAC_EXP.rst
ENCTYPE_CAMELLIA128_CTS_CMAC.rst
projects / thirdparty / krb5.git / commitdiff
