Kerberos Parameters
2004-06-29
2024-02-16
Kerberos Encryption Type Numbers
Standards Action for standards-track RFCs; non-standards-track
RFCs must be reviewed by an expert.
Ken Raeburn
These are signed values ranging from -2147483648 to 2147483647. Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values. Zero is reserved and may not be assigned.
Value             Encryption type
0                 reserved
1                 des-cbc-crc (deprecated)
2                 des-cbc-md4 (deprecated)
3                 des-cbc-md5 (deprecated)
4                 Reserved
5                 des3-cbc-md5 (deprecated)
6                 Reserved
7                 des3-cbc-sha1 (deprecated)
8                 Unassigned
9                 dsaWithSHA1-CmsOID
10                md5WithRSAEncryption-CmsOID
11                sha1WithRSAEncryption-CmsOID
12                rc2CBC-EnvOID
13                rsaEncryption-EnvOID (from PKCS#1 v1.5)
14                rsaES-OAEP-ENV-OID (from PKCS#1 v2.0)
15                des-ede3-cbc-Env-OID
16                des3-cbc-sha1-kd (deprecated)
17                aes128-cts-hmac-sha1-96
18                aes256-cts-hmac-sha1-96
19                aes128-cts-hmac-sha256-128
20                aes256-cts-hmac-sha384-192
21-22             Unassigned
23                rc4-hmac (deprecated)
24                rc4-hmac-exp (deprecated)
25                camellia128-cts-cmac
26                camellia256-cts-cmac
27-64             Unassigned
65                subkey-keymaterial (opaque; PacketCable)
66-2147483647     Unassigned
Kerberos Checksum Type Numbers
Standards Action for standards-track RFCs; non-standards-track
RFCs must be reviewed by an expert.
Ken Raeburn
These are signed values ranging from -2147483648 to 2147483647. Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values. Zero is reserved and may not be assigned.
Value             Checksum type                     Checksum size
0                 Reserved
1                 CRC32 (deprecated)                4
2                 rsa-md4 (deprecated)              16
3                 rsa-md4-des (deprecated)          24
4                 des-mac (deprecated)              16
5                 des-mac-k (deprecated)            8
6                 rsa-md4-des-k (deprecated)        16
7                 rsa-md5 (deprecated)              16
8                 rsa-md5-des (deprecated)          24
9                 rsa-md5-des3                      24
10                sha1 (unkeyed)                    20
11                Unassigned
12                hmac-sha1-des3-kd (deprecated)    20
13                hmac-sha1-des3 (deprecated)       20
14                sha1 (unkeyed)                    20
15                hmac-sha1-96-aes128               20
16                hmac-sha1-96-aes256               20
17                cmac-camellia128                  16
18                cmac-camellia256                  16
19                hmac-sha256-128-aes128            16
20                hmac-sha384-192-aes256            24
21-32770          Unassigned
32771             Reserved
32772-2147483647  Unassigned
Kerberos TCP Extensions
0-29
Standards Action or IESG Approval
30
Reserved
Standards Action that updates or obsoletes
Bit      Meaning
0        Krb5 over TLS
1-29     Unassigned
30       Reserved
Pre-authentication and Typed Data
Expert Review
Sam Hartman (primary), Larry Zhu (secondary)
The designated expert may find that IETF Review is required. See
for more information.
Value     Name                          Notes
1         PA-TGS-REQ
2         PA-ENC-TIMESTAMP
3         PA-PW-SALT
4         reserved
5         PA-ENC-UNIX-TIME (deprecated)
6         PA-SANDIA-SECUREID
7         PA-SESAME
8         PA-OSF-DCE
9         PA-CYBERSAFE-SECUREID
10        PA-AFS3-SALT
11        PA-ETYPE-INFO
12        PA-SAM-CHALLENGE
13        PA-SAM-RESPONSE
14        PA-PK-AS-REQ_OLD
15        PA-PK-AS-REP_OLD
16        PA-PK-AS-REQ
17        PA-PK-AS-REP
18        PA-PK-OCSP-RESPONSE
19        PA-ETYPE-INFO2
20        PA-USE-SPECIFIED-KVNO
20        PA-SVR-REFERRAL-INFO
21        PA-SAM-REDIRECT
22        PA-GET-FROM-TYPED-DATA        (embedded in typed data)
22        TD-PADATA                     (embeds padata)
23        PA-SAM-ETYPE-INFO             (sam/otp)
24        PA-ALT-PRINC
25        PA-SERVER-REFERRAL
26-29     Unassigned
30        PA-SAM-CHALLENGE2
31        PA-SAM-RESPONSE2
32-40     Unassigned
41        PA-EXTRA-TGT                  Reserved extra TGT
42-100    Unassigned
101       TD-PKINIT-CMS-CERTIFICATES
102       TD-KRB-PRINCIPAL              PrincipalName
103       TD-KRB-REALM                  Realm
104       TD-TRUSTED-CERTIFIERS
105       TD-CERTIFICATE-INDEX
106       TD-APP-DEFINED-ERROR          Application specific
107       TD-REQ-NONCE                  INTEGER
108       TD-REQ-SEQ                    INTEGER
109       TD_DH_PARAMETERS
110       Unassigned
111       TD-CMS-DIGEST-ALGORITHMS
112       TD-CERT-DIGEST-ALGORITHMS
113-127   Unassigned
128       PA-PAC-REQUEST                MSKILE
129       PA-FOR_USER                   MSKILE
130       PA-FOR-X509-USER              MSKILE
131       PA-FOR-CHECK_DUPS             MSKILE
132       PA-AS-CHECKSUM                MSKILE
133       PA-FX-COOKIE
134       PA-AUTHENTICATION-SET
135       PA-AUTH-SET-SELECTED
136       PA-FX-FAST
137       PA-FX-ERROR
138       PA-ENCRYPTED-CHALLENGE
139-140   Unassigned
141       PA-OTP-CHALLENGE
142       PA-OTP-REQUEST
143       PA-OTP-CONFIRM (OBSOLETED)
144       PA-OTP-PIN-CHANGE
145       PA-EPAK-AS-REQ                (sshock@gmail.com)
146       PA-EPAK-AS-REP                (sshock@gmail.com)
147       PA_PKINIT_KX
148       PA_PKU2U_NAME
149       PA-REQ-ENC-PA-REP
150       PA_AS_FRESHNESS
151       PA-SPAKE
152       PA-REDHAT-IDP-OAUTH2
153       PA-REDHAT-PASSKEY
154-164   Unassigned
165       PA-SUPPORTED-ETYPES           MSKILE
166       PA-EXTENDED_ERROR             MSKILE
FAST Armor Types
Standards Action
Value    Name                        Description
0        Reserved                    Reserved
1        FX_FAST_ARMOR_AP_REQUEST    Ticket armor using an ap-req.
FAST Options
Standards Action
Bit      Name                    Description
0        RESERVED                Reserved for future expansion of this field.
1        hide-client-names       Requesting the KDC to hide client names in the KDC response
16       kdc-follow-referrals    reserved
Well-Known Kerberos Principal Names
Unassigned
Specification Required
anonymous
Well-Known Kerberos Realm Names
Unassigned
Specification Required
anonymous
Kerberos Message Transport Types
IETF Review
Value    Transport type
0        Reserved
1        UDP
2        TCP
3        TLS
4-254    Unassigned
255      Reserved
Kerberos Second Factor Types
Specification Required
Unassigned
Registration requests should be sent to the mailing list described
in . If approved, designated
experts should notify IANA within three weeks. For assistance,
please contact iana@iana.org.
These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms
specified in accordance with these rules for use with Kerberos
and related protocols. Negative values should be used for private
and experimental algorithms only. Zero is reserved and must not
be assigned. Values should be assigned in increasing order.
Value    Name
0        Reserved
1        SF-NONE
Kerberos SPAKE Groups
Specification Required
Unassigned
Registration requests should be sent to the mailing list described
in . If approved, designated
experts should notify IANA within three weeks. For assistance,
please contact iana@iana.org.
These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms
specified in accordance with these rules for use with Kerberos
and related protocols. Negative values should be used for private
and experimental algorithms only. Zero is reserved and must not
be assigned. Values should be assigned in increasing order.
ID Number:              0
Name:                   Reserved

ID Number:              1
Name:                   edwards25519
Serialization:          RFC8032, Section 3.1
Multiplier Length:      32
Multiplier Conversion:  RFC8032, Section 3.1
SPAKE M Constant:       d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf
SPAKE N Constant:       d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab
Hash Function:          SHA-256
Specification:          RFC7748, Section 4.1 (edwards25519)

ID Number:              2
Name:                   P-256
Serialization:          SECG-SEC1, Section 2.3.3 (compressed format)
Multiplier Length:      32
Multiplier Conversion:  SECG-SEC1, Section 2.3.8
SPAKE M Constant:       02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f
SPAKE N Constant:       03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49
Hash Function:          SHA-256
Specification:          SECG-SEC2, Section 2.4.2

ID Number:              3
Name:                   P-384
Serialization:          SECG-SEC1, Section 2.3.3 (compressed format)
Multiplier Length:      48
Multiplier Conversion:  SECG-SEC1, Section 2.3.8
SPAKE M Constant:       030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853
SPAKE N Constant:       02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10
Hash Function:          SHA-384
Specification:          SECG-SEC2, Section 2.5.1

ID Number:              4
Name:                   P-521
Serialization:          SECG-SEC1, Section 2.3.3 (compressed format)
Multiplier Length:      48
Multiplier Conversion:  SECG-SEC1, Section 2.3.8
SPAKE M Constant:       02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa
SPAKE N Constant:       0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25
Hash Function:          SHA-512
Specification:          SECG-SEC2, Section 2.6.1
Pavel Březina
mailto:pbrezina&redhat.com
2023-03-29