Kerberos Parameters

Created: 2004-06-29
Last Updated: 2024-12-06
Available Formats: XML
HTML
Plain text

Registries Included Below

Kerberos Encryption Type Numbers
Kerberos Checksum Type Numbers
Kerberos TCP Extensions
Pre-authentication and Typed Data
FAST Armor Types
FAST Options
Well-Known Kerberos Principal Names
Well-Known Kerberos Realm Names
Kerberos Message Transport Types
Kerberos Second Factor Types
Kerberos SPAKE Groups

Kerberos Encryption Type Numbers

Registration Procedure(s)

Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.

Expert(s)

Ken Raeburn

Reference

[RFC3961]

Note

These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.

Available Formats

CSV

etype	encryption type	Reference
0	reserved	[RFC6448]
1	des-cbc-crc (deprecated)	[RFC6649]
2	des-cbc-md4 (deprecated)	[RFC6649]
3	des-cbc-md5 (deprecated)	[RFC6649]
4	Reserved	[RFC3961]
5	des3-cbc-md5 (deprecated)	[RFC8429]
6	Reserved	[RFC3961]
7	des3-cbc-sha1 (deprecated)	[RFC8429]
8	Unassigned
9	dsaWithSHA1-CmsOID	[RFC4556]
10	md5WithRSAEncryption-CmsOID	[RFC4556]
11	sha1WithRSAEncryption-CmsOID	[RFC4556]
12	rc2CBC-EnvOID	[RFC4556]
13	rsaEncryption-EnvOID	[RFC4556][from PKCS#1 v1.5]]
14	rsaES-OAEP-ENV-OID	[RFC4556][from PKCS#1 v2.0]]
15	des-ede3-cbc-Env-OID	[RFC4556]
16	des3-cbc-sha1-kd (deprecated)	[RFC8429]
17	aes128-cts-hmac-sha1-96	[RFC3962]
18	aes256-cts-hmac-sha1-96	[RFC3962]
19	aes128-cts-hmac-sha256-128	[RFC8009]
20	aes256-cts-hmac-sha384-192	[RFC8009]
21-22	Unassigned
23	rc4-hmac (deprecated)	[RFC8429]
24	rc4-hmac-exp (deprecated)	[RFC6649]
25	camellia128-cts-cmac	[RFC6803]
26	camellia256-cts-cmac	[RFC6803]
27-64	Unassigned
65	subkey-keymaterial	[(opaque; PacketCable)]
66-2147483647	Unassigned

Kerberos Checksum Type Numbers

Registration Procedure(s)

Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.

Expert(s)

Ken Raeburn

Reference

[RFC3961]

Note

These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.

Available Formats

CSV

sumtype value	Checksum type	checksum size	Reference
0	Reserved		[RFC3961]
1	CRC32 (deprecated)	4	[RFC6649]
2	rsa-md4 (deprecated)	16	[RFC6649]
3	rsa-md4-des (deprecated)	24	[RFC6649]
4	des-mac (deprecated)	16	[RFC6649]
5	des-mac-k (deprecated)	8	[RFC6649]
6	rsa-md4-des-k (deprecated)	16	[RFC6649]
7	rsa-md5 (deprecated)	16	[RFC8429]
8	rsa-md5-des (deprecated)	24	[RFC6649]
9	rsa-md5-des3	24
10	sha1 (unkeyed)	20
11	Unassigned
12	hmac-sha1-des3-kd (deprecated)	20	[RFC8429]
13	hmac-sha1-des3 (deprecated)	20	[RFC8429]
14	sha1 (unkeyed)	20
15	hmac-sha1-96-aes128	20	[RFC3962]
16	hmac-sha1-96-aes256	20	[RFC3962]
17	cmac-camellia128	16	[RFC6803]
18	cmac-camellia256	16	[RFC6803]
19	hmac-sha256-128-aes128	16	[RFC8009]
20	hmac-sha384-192-aes256	24	[RFC8009]
21-32770	Unassigned
32771	Reserved		[RFC1964]
32772-2147483647	Unassigned

Kerberos TCP Extensions

Reference: [RFC5021]
Available Formats: CSV

Range	Registration Procedures	Note
0-29	Standards Action or IESG Approval
30	Reserved	Standards Action that updates or obsoletes [RFC5021]

Value	Description	Reference
0	Krb5 over TLS	[RFC6251]
1-29	Unassigned
30	Reserved	[RFC5021]

Pre-authentication and Typed Data

Registration Procedure(s)

Expert Review

Expert(s)

Sam Hartman (primary), Larry Zhu (secondary)

Reference

[RFC6113]

Note

The designated expert may find that IETF Review is required. See 
[RFC6113] for more information.

Available Formats

CSV

Type	Value	Reference
1	PA-TGS-REQ	[RFC4120]
2	PA-ENC-TIMESTAMP	[RFC4120]
3	PA-PW-SALT	[RFC4120]
4	reserved	[RFC6113]
5	PA-ENC-UNIX-TIME (deprecated)	[RFC4120]
6	PA-SANDIA-SECUREID	[RFC4120]
7	PA-SESAME	[RFC4120]
8	PA-OSF-DCE	[RFC4120]
9	PA-CYBERSAFE-SECUREID	[RFC4120]
10	PA-AFS3-SALT	[RFC4120][RFC3961]
11	PA-ETYPE-INFO	[RFC4120]
12	PA-SAM-CHALLENGE	[draft-ietf-cat-kerberos-passwords-04]
13	PA-SAM-RESPONSE	[draft-ietf-cat-kerberos-passwords-04]
14	PA-PK-AS-REQ_OLD	[draft-ietf-cat-kerberos-pk-init-09]
15	PA-PK-AS-REP_OLD	[draft-ietf-cat-kerberos-pk-init-09]
16	PA-PK-AS-REQ	[RFC4556]
17	PA-PK-AS-REP	[RFC4556]
18	PA-PK-OCSP-RESPONSE	[RFC4557]
19	PA-ETYPE-INFO2	[RFC4120]
20	PA-USE-SPECIFIED-KVNO	[RFC4120]
20	PA-SVR-REFERRAL-INFO	[RFC6806]
21	PA-SAM-REDIRECT	[draft-ietf-krb-wg-kerberos-sam-03]
22	PA-GET-FROM-TYPED-DATA	[(embedded in typed data)][RFC4120]
22	TD-PADATA	[(embeds padata)][RFC4120]
23	PA-SAM-ETYPE-INFO	[(sam/otp)][draft-ietf-krb-wg-kerberos-sam-03]
24	PA-ALT-PRINC	[draft-ietf-krb-wg-hw-auth-04]
25	PA-SERVER-REFERRAL	[draft-ietf-krb-wg-kerberos-referrals-11]
26-29	Unassigned
30	PA-SAM-CHALLENGE2	[draft-ietf-krb-wg-kerberos-sam-03]
31	PA-SAM-RESPONSE2	[draft-ietf-krb-wg-kerberos-sam-03]
32-40	Unassigned
41	PA-EXTRA-TGT	[Reserved extra TGT][RFC6113]
42-100	Unassigned
101	TD-PKINIT-CMS-CERTIFICATES	[RFC4556]
102	TD-KRB-PRINCIPAL	[PrincipalName][RFC6113]
103	TD-KRB-REALM	[Realm][RFC6113]
104	TD-TRUSTED-CERTIFIERS	[RFC4556]
105	TD-CERTIFICATE-INDEX	[RFC4556]
106	TD-APP-DEFINED-ERROR	[Application specific][RFC6113]
107	TD-REQ-NONCE	[INTEGER][RFC6113]
108	TD-REQ-SEQ	[INTEGER][RFC6113]
109	TD_DH_PARAMETERS	[RFC4556]
110	Unassigned
111	TD-CMS-DIGEST-ALGORITHMS	[RFC8636]
112	TD-CERT-DIGEST-ALGORITHMS	[RFC8636]
113-127	Unassigned
128	PA-PAC-REQUEST	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
129	PA-FOR_USER	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
130	PA-FOR-X509-USER	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
131	PA-FOR-CHECK_DUPS	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
132	PA-AS-CHECKSUM	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
133	PA-FX-COOKIE	[RFC6113]
134	PA-AUTHENTICATION-SET	[RFC6113]
135	PA-AUTH-SET-SELECTED	[RFC6113]
136	PA-FX-FAST	[RFC6113]
137	PA-FX-ERROR	[RFC6113]
138	PA-ENCRYPTED-CHALLENGE	[RFC6113]
139-140	Unassigned
141	PA-OTP-CHALLENGE	[RFC6560]
142	PA-OTP-REQUEST	[RFC6560]
143	PA-OTP-CONFIRM (OBSOLETED)	[RFC6560]
144	PA-OTP-PIN-CHANGE	[RFC6560]
145	PA-EPAK-AS-REQ	[(sshock@gmail.com)][RFC6113]
146	PA-EPAK-AS-REP	[(sshock@gmail.com)][RFC6113]
147	PA_PKINIT_KX	[RFC8062]
148	PA_PKU2U_NAME	[draft-zhu-pku2u-09]
149	PA-REQ-ENC-PA-REP	[RFC6806]
150	PA_AS_FRESHNESS	[RFC8070]
151	PA-SPAKE	[RFC9588]
152	PA-REDHAT-IDP-OAUTH2	[Pavel_Březina]
153	PA-REDHAT-PASSKEY	[Pavel_Březina]
154-164	Unassigned
165	PA-SUPPORTED-ETYPES	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
166	PA-EXTENDED_ERROR	[MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]

FAST Armor Types

Registration Procedure(s)

Standards Action

Reference

[RFC6113]

Available Formats

CSV

Type	Name	Description	Reference
0	Reserved	Reserved	[RFC6113]
1	FX_FAST_ARMOR_AP_REQUEST	Ticket armor using an ap-req.	[RFC6113]

FAST Options

Registration Procedure(s)

Standards Action

Reference

[RFC6113]

Available Formats

CSV

Type	Name	Description	Reference
0	RESERVED	Reserved for future expansion of this field.	[RFC6113]
1	hide-client-names	Requesting the KDC to hide client names in the KDC response	[RFC6113]
16	kdc-follow-referrals	reserved	[RFC6113]

Well-Known Kerberos Principal Names

Registration Procedure(s)

Specification Required

Expert(s)

Unassigned

Reference

[RFC6111]

Available Formats

CSV

Well-Known Kerberos Principal Name	Reference
anonymous	[RFC8062]

Well-Known Kerberos Realm Names

Registration Procedure(s)

Specification Required

Expert(s)

Unassigned

Reference

[RFC6111]

Available Formats

CSV

Well-Known Kerberos Realm Name	Reference
anonymous	[RFC8062]

Kerberos Message Transport Types

Registration Procedure(s)

IETF Review

Reference

[RFC6784]

Available Formats

CSV

Value	Description	Reference
0	Reserved	[RFC6784]
1	UDP	[RFC6784]
2	TCP	[RFC6784]
3	TLS	[RFC6784]
4-254	Unassigned
255	Reserved	[RFC6784]

Kerberos Second Factor Types

Registration Procedure(s)

Specification Required

Expert(s)

Simo Sorce, Greg Hudson

Reference

[RFC9588]

Note

Registration requests should be sent to the mailing list described 
in [RFC9588]. If approved, designated experts should notify IANA 
within three weeks. For assistance, please contact iana@iana.org.

Note

These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms 
specified in accordance with these rules for use with Kerberos 
and related protocols. Negative values should be used for private 
and experimental algorithms only. Zero is reserved and must not 
be assigned. Values should be assigned in increasing order.

Available Formats

CSV

ID Number	Name	Reference
0	Reserved	[RFC9588]
1	SF-NONE	[RFC9588]

Kerberos SPAKE Groups

Registration Procedure(s)

Specification Required

Expert(s)

Simo Sorce, Greg Hudson

Reference

[RFC9588]

Note

Registration requests should be sent to the mailing list described 
in [RFC9588]. If approved, designated experts should notify IANA 
within three weeks. For assistance, please contact iana@iana.org.

Note

These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms 
specified in accordance with these rules for use with Kerberos 
and related protocols. Negative values should be used for private 
and experimental algorithms only. Zero is reserved and must not 
be assigned. Values should be assigned in increasing order.

Available Formats

CSV

ID Number	Name	Serialization	Multiplier Length	Multiplier Conversion	SPAKE M Constant	SPAKE N Constant	Hash Function	Reference
0	Reserved							[RFC9588]
1	edwards25519	[RFC8032, Section 3.1]	32	[RFC8032, Section 3.1]	d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf	d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab	SHA-256 [RFC6234]	[RFC7748, Section 4.1][(edwards25519)]
2	P-256	[SECG-SEC1, Section 2.3.3] [(compressed format)]	32	[SECG-SEC1, Section 2.3.8]	02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f	03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49	SHA-256 [RFC6234]	[SECG-SEC2, Section 2.4.2]
3	P-384	[SECG-SEC1, Section 2.3.3] [(compressed format)]	48	[SECG-SEC1, Section 2.3.8]	030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853	02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10	SHA-384 [RFC6234]	[SECG-SEC2, Section 2.5.1]
4	P-521	[SECG-SEC1, Section 2.3.3] [(compressed format)]	48	[SECG-SEC1, Section 2.3.8]	02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa	0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25	SHA-512 [RFC6234]	[SECG-SEC2, Section 2.6.1]

Contact Information

ID	Name	Contact URI	Last Updated
[Pavel_Březina]	Pavel Březina	mailto:pbrezina&redhat.com	2023-03-29