1.1.2 - Principals
1.1 - Introduction
1.1.4 - KDC (Key Distribution Center)

1.1.3 - Keys

The Kerberos server generates keys based on the password we provide. Those keys are stored in the server and used to encrypt and decrypt the data being exchanged with the client.

The Key is computed using either the user’s password or a random value, and is salted with the realm.

Using the realm as the salt offers a level of protection : if one's key is broken on a realm, that does not mean the password is compromised. The key on another realm would still be safe.

How it works in ApacheDS ?

When you add a new entry in the server, it generates a secret key using the password and the Principal of the added entry. For instance, say we add this entry :

dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: krb5principal
objectClass: krb5kdcentry
objectClass: top
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0
cn: Horatio Nelson
sn: Nelson

the server will automatically create the keys (each one is encoded in ASN.1 BER format), set them as values of krb5key attribute and add to the entry.

Each value of krb5Key attribbute will be in the following ASN.1 format :

::text
EncryptionKey   ::= SEQUENCE {
    keytype         [0] Int32 -- actually encryption type --,
    keyvalue        [1] OCTET STRING
}
There is a special case : if the password is "randomkey", the key will be generated using a random number created on the fly.
Note that we will generate more than one key : we generate one key for each of the supported encryption types.

ApacheDS Kerberos server supports the following set of encryption types :

* DES_CBC_MD5
* DES3_CBC_SHA1_KD
* RC4_HMAC
* AES128_CTS_HMAC_SHA1_96
* AES256_CTS_HMAC_SHA1_96

The default encryption types used by the server are, aes128-cts-hmac-sha1-96, des-cbc-md5 and des3-cbc-sha1-kd DES_CBC_MD5. The supported encryption types can be added or removed by modifying the Kerberos server configuration.

The modified entry will now look like :

dn: uid=hnelson,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: krb5principal
objectClass: krb5kdcentry
objectClass: top
uid: hnelson
userPassword: secret
krb5PrincipalName: hnelson@EXAMPLE.COM
krb5KeyVersionNumber: 0
cn: Horatio Nelson
sn: Nelson
krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F 0xBE ...'
krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...'
krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...'

Each of these keys match one of the EncryptionType.

1.1.2 - Principals
1.1 - Introduction
1.1.4 - KDC (Key Distribution Center)