Kerberos Parameters

Created
2004-06-29
Last Updated
2019-07-18
Available Formats

XML
HTML
Plain text

Registries included below

Kerberos Encryption Type Numbers

Registration Procedure(s)
Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.
Expert(s)
Ken Raeburn
Reference
[RFC3961]
Note
These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.
Available Formats

CSV
etype encryption type Reference
0 reserved [RFC6448]
1 des-cbc-crc (deprecated) [RFC6649]
2 des-cbc-md4 (deprecated) [RFC6649]
3 des-cbc-md5 (deprecated) [RFC6649]
4 Reserved [RFC3961]
5 des3-cbc-md5 (deprecated) [RFC8429]
6 Reserved [RFC3961]
7 des3-cbc-sha1 (deprecated) [RFC8429]
8 Unassigned
9 dsaWithSHA1-CmsOID [RFC4556]
10 md5WithRSAEncryption-CmsOID [RFC4556]
11 sha1WithRSAEncryption-CmsOID [RFC4556]
12 rc2CBC-EnvOID [RFC4556]
13 rsaEncryption-EnvOID [RFC4556][from PKCS#1 v1.5]]
14 rsaES-OAEP-ENV-OID [RFC4556][from PKCS#1 v2.0]]
15 des-ede3-cbc-Env-OID [RFC4556]
16 des3-cbc-sha1-kd (deprecated) [RFC8429]
17 aes128-cts-hmac-sha1-96 [RFC3962]
18 aes256-cts-hmac-sha1-96 [RFC3962]
19 aes128-cts-hmac-sha256-128 [RFC8009]
20 aes256-cts-hmac-sha384-192 [RFC8009]
21-22 Unassigned
23 rc4-hmac (deprecated) [RFC8429]
24 rc4-hmac-exp (deprecated) [RFC6649]
25 camellia128-cts-cmac [RFC6803]
26 camellia256-cts-cmac [RFC6803]
27-64 Unassigned
65 subkey-keymaterial [(opaque; PacketCable)]
66-2147483647 Unassigned

Kerberos Checksum Type Numbers

Registration Procedure(s)
Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.
Expert(s)
Ken Raeburn
Reference
[RFC3961]
Note
These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.
Available Formats

CSV
sumtype value Checksum type checksum size Reference
0 Reserved [RFC3961]
1 CRC32 (deprecated) 4 [RFC6649]
2 rsa-md4 (deprecated) 16 [RFC6649]
3 rsa-md4-des (deprecated) 24 [RFC6649]
4 des-mac (deprecated) 16 [RFC6649]
5 des-mac-k (deprecated) 8 [RFC6649]
6 rsa-md4-des-k (deprecated) 16 [RFC6649]
7 rsa-md5 (deprecated) 16 [RFC8429]
8 rsa-md5-des (deprecated) 24 [RFC6649]
9 rsa-md5-des3 24
10 sha1 (unkeyed) 20
11 Unassigned
12 hmac-sha1-des3-kd (deprecated) 20 [RFC8429]
13 hmac-sha1-des3 (deprecated) 20 [RFC8429]
14 sha1 (unkeyed) 20
15 hmac-sha1-96-aes128 20 [RFC3962]
16 hmac-sha1-96-aes256 20 [RFC3962]
17 cmac-camellia128 16 [RFC6803]
18 cmac-camellia256 16 [RFC6803]
19 hmac-sha256-128-aes128 16 [RFC8009]
20 hmac-sha384-192-aes256 24 [RFC8009]
21-32770 Unassigned
32771 Reserved [RFC1964]
32772-2147483647 Unassigned

Kerberos TCP Extensions

Reference
[RFC5021]
Available Formats

CSV
Range Registration Procedures Note
0-29 IESG Approval or Standards Action
30 Reserved Standards Action to updates or obsoletes [RFC5021]
Value Description Reference
0 Krb5 over TLS [RFC6251]
1-29 Unassigned
30 Reserved [RFC5021]

Pre-authentication and Typed Data

Registration Procedure(s)
Expert Review
Expert(s)
Sam Hartman (primary), Larry Zhu (secondary)
Reference
[RFC6113]
Note
The designated expert may find that IETF Review is required. See 
[RFC6113] for more information.
Available Formats

CSV
Type Value Reference
1 PA-TGS-REQ [RFC4120]
2 PA-ENC-TIMESTAMP [RFC4120]
3 PA-PW-SALT [RFC4120]
4 reserved [RFC6113]
5 PA-ENC-UNIX-TIME (deprecated) [RFC4120]
6 PA-SANDIA-SECUREID [RFC4120]
7 PA-SESAME [RFC4120]
8 PA-OSF-DCE [RFC4120]
9 PA-CYBERSAFE-SECUREID [RFC4120]
10 PA-AFS3-SALT [RFC4120][RFC3961]
11 PA-ETYPE-INFO [RFC4120]
12 PA-SAM-CHALLENGE [draft-ietf-cat-kerberos-passwords-04]
13 PA-SAM-RESPONSE [draft-ietf-cat-kerberos-passwords-04]
14 PA-PK-AS-REQ_OLD [draft-ietf-cat-kerberos-pk-init-09]
15 PA-PK-AS-REP_OLD [draft-ietf-cat-kerberos-pk-init-09]
16 PA-PK-AS-REQ [RFC4556]
17 PA-PK-AS-REP [RFC4556]
18 PA-PK-OCSP-RESPONSE [RFC4557]
19 PA-ETYPE-INFO2 [RFC4120]
20 PA-USE-SPECIFIED-KVNO [RFC4120]
20 PA-SVR-REFERRAL-INFO [RFC6806]
21 PA-SAM-REDIRECT [draft-ietf-krb-wg-kerberos-sam-03]
22 PA-GET-FROM-TYPED-DATA [(embedded in typed data)][RFC4120]
22 TD-PADATA [(embeds padata)][RFC4120]
23 PA-SAM-ETYPE-INFO [(sam/otp)][draft-ietf-krb-wg-kerberos-sam-03]
24 PA-ALT-PRINC [draft-ietf-krb-wg-hw-auth-04]
25 PA-SERVER-REFERRAL [draft-ietf-krb-wg-kerberos-referrals-11]
26-29 Unassigned
30 PA-SAM-CHALLENGE2 [draft-ietf-krb-wg-kerberos-sam-03]
31 PA-SAM-RESPONSE2 [draft-ietf-krb-wg-kerberos-sam-03]
32-40 Unassigned
41 PA-EXTRA-TGT [Reserved extra TGT][RFC6113]
42-100 Unassigned
101 TD-PKINIT-CMS-CERTIFICATES [RFC4556]
102 TD-KRB-PRINCIPAL [PrincipalName][RFC6113]
103 TD-KRB-REALM [Realm][RFC6113]
104 TD-TRUSTED-CERTIFIERS [RFC4556]
105 TD-CERTIFICATE-INDEX [RFC4556]
106 TD-APP-DEFINED-ERROR [Application specific][RFC6113]
107 TD-REQ-NONCE [INTEGER][RFC6113]
108 TD-REQ-SEQ [INTEGER][RFC6113]
109 TD_DH_PARAMETERS [RFC4556]
110 Unassigned
111 TD-CMS-DIGEST-ALGORITHMS [RFC8636]
112 TD-CERT-DIGEST-ALGORITHMS [RFC8636]
113-127 Unassigned
128 PA-PAC-REQUEST [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
129 PA-FOR_USER [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
130 PA-FOR-X509-USER [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
131 PA-FOR-CHECK_DUPS [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
132 PA-AS-CHECKSUM [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
133 PA-FX-COOKIE [RFC6113]
134 PA-AUTHENTICATION-SET [RFC6113]
135 PA-AUTH-SET-SELECTED [RFC6113]
136 PA-FX-FAST [RFC6113]
137 PA-FX-ERROR [RFC6113]
138 PA-ENCRYPTED-CHALLENGE [RFC6113]
139-140 Unassigned
141 PA-OTP-CHALLENGE [RFC6560]
142 PA-OTP-REQUEST [RFC6560]
143 PA-OTP-CONFIRM (OBSOLETED) [RFC6560]
144 PA-OTP-PIN-CHANGE [RFC6560]
145 PA-EPAK-AS-REQ [(sshock@gmail.com)][RFC6113]
146 PA-EPAK-AS-REP [(sshock@gmail.com)][RFC6113]
147 PA_PKINIT_KX [RFC8062]
148 PA_PKU2U_NAME [draft-zhu-pku2u]
149 PA-REQ-ENC-PA-REP [RFC6806]
150 PA_AS_FRESHNESS [RFC8070]
151 PA-SPAKE [draft-ietf-kitten-krb-spake-preauth]
152-164 Unassigned
165 PA-SUPPORTED-ETYPES [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
166 PA-EXTENDED_ERROR [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]

FAST Armor Types

Registration Procedure(s)
Standards Action
Reference
[RFC6113]
Available Formats

CSV
Type Name Description Reference
0 Reserved Reserved [RFC6113]
1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req. [RFC6113]

FAST Options

Registration Procedure(s)
Standards Action
Reference
[RFC6113]
Available Formats

CSV
Type Name Description Reference
0 RESERVED Reserved for future expansion of this field. [RFC6113]
1 hide-client-names Requesting the KDC to hide client names in the KDC response [RFC6113]
16 kdc-follow-referrals reserved [RFC6113]

Well-Known Kerberos Principal Names

Registration Procedure(s)
Specification Required
Expert(s)
Unassigned
Reference
[RFC6111]
Available Formats

CSV
Well-Known Kerberos Principal Name Reference
anonymous [RFC8062]

Well-Known Kerberos Realm Names

Registration Procedure(s)
Specification Required
Expert(s)
Unassigned
Reference
[RFC6111]
Available Formats

CSV
Well-Known Kerberos Realm Name Reference
anonymous [RFC8062]

Kerberos Message Transport Types

Registration Procedure(s)
IETF Review
Reference
[RFC6784]
Available Formats

CSV
Value Description Reference
0 Reserved [RFC6784]
1 UDP [RFC6784]
2 TCP [RFC6784]
3 TLS [RFC6784]
4-254 Unassigned
255 Reserved [RFC6784]