DES Versus 3DES Key Type Settings
Chapter 1 31
In the processes outlined in the section “Authentication Process” on
page 27, if the user principal and the service principal do not use the
same key type, the process continues as described.
The Kerberos server is the only trusted party: neither the client nor the service accepts a message encrypted under the client's or the service's long-term key. Each of them shares its secret key only with the server.
The authenticator data that the service and the client encrypt or decrypt is encrypted with session keys. The server sends the required session keys to the client and to the service in packets that are encrypted with their respective long-term keys. The Kerberos server checks the key type settings of the user principal and the service principal and determines the most secure encryption allowed for the session key. If both the user principal and the service principal have a 3DES key stored in the database, the session key that is returned is of type 3DES. If only one has a 3DES key and the other has a DES key, then the session key that is returned is of type
The server never returns a session key in the service ticket packet that uses stronger encryption than the session key included with the TGT packet. If a user principal has both 3DES and DES keys and uses the DES key to obtain a TGT, all service tickets obtained using this TGT contain DES session keys.
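The two rules above (strongest type shared by both principals, and a service-ticket session key never stronger than the TGT session key) can be modelled with a few lines of Python. This is an added illustration, not code from the Kerberos server this manual documents; the type names "DES" and "3DES", their ranking, and the choice to return None when no type satisfies the rules are assumptions of the model.

```python
"""Model of the session-key type selection rules described above.

Added illustration, not code from the Kerberos server this manual
documents. Assumptions: key types are named "DES" and "3DES", DES ranks
below 3DES, and when no type satisfies the rules the model returns None
rather than whatever error the real server reports.
"""
from typing import Iterable, Optional, Tuple

# Ranking used to pick "the most secure encryption allowed" (assumption:
# the page only orders these two types).
STRENGTH = {"DES": 1, "3DES": 2}


def negotiate(a_keys: Iterable[str], b_keys: Iterable[str],
              cap: Optional[str] = None) -> Optional[str]:
    """Strongest key type held by both principals, optionally capped.

    The cap models the rule that a service-ticket session key is never
    stronger than the session key that came with the TGT.
    """
    common = set(a_keys) & set(b_keys)
    if cap is not None:
        common = {k for k in common if STRENGTH[k] <= STRENGTH[cap]}
    if not common:
        return None  # no usable shared type (model assumption: refuse)
    return max(common, key=STRENGTH.__getitem__)


def ticket_session_keys(user_keys: Iterable[str], as_key_used: str,
                        krbtgt_keys: Iterable[str],
                        service_keys: Iterable[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (TGT session key type, service-ticket session key type).

    as_key_used is the one user key the client presented to obtain the TGT;
    the TGT reply is encrypted with that key, so the TGT session key is
    modelled as bounded by it (this reproduces the DES example on the page).
    """
    user_keys = set(user_keys)
    if as_key_used not in user_keys:
        raise ValueError("client used a key type the user principal does not have")
    tgt_type = negotiate([as_key_used], krbtgt_keys)
    if tgt_type is None:
        return None, None
    svc_type = negotiate(user_keys, service_keys, cap=tgt_type)
    return tgt_type, svc_type


if __name__ == "__main__":
    # Constructed scenario from the page: the user has DES and 3DES keys but
    # authenticates with DES, so every service ticket gets a DES session key.
    print(ticket_session_keys({"DES", "3DES"}, "DES", {"DES", "3DES"}, {"DES", "3DES"}))
    # Both sides hold 3DES and the TGT was obtained with 3DES: 3DES throughout.
    print(ticket_session_keys({"DES", "3DES"}, "3DES", {"DES", "3DES"}, {"3DES"}))
```

The model shows why the key the client chooses for the initial TGT request matters: a DES TGT session key caps every service ticket at DES for the lifetime of that TGT, whatever keys the service principal holds. Both types are legacy today (RFC 6649 deprecates DES and RFC 8429 deprecates 3DES in Kerberos); the example only illustrates the selection rule.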
IMPORTANT: The krbtgt/<REALM NAME> principal is the ticket-granting principal. This is a reserved principal that is automatically created when you add a realm to the database. You must assign a key type for the krbtgt/<REALM NAME> principal; otherwise the default key issued by the Kerberos server uses the 3DES encryption type.