!!! Overview
[{$pagename}] ([etype]) are defined in an [IANA Registry] at: [Kerberos Encryption Type Numbers|https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1|target='_blank']

These are signed values ranging from -2147483648 to 2147483647.
* Positive values should be assigned only for algorithms specified in accordance with this specification for use with [Kerberos] or related [protocols].
* Negative values are for private use; local and experimental algorithms should use these values.
* Zero is reserved and may not be assigned.

!! [{$pagename}] [Microsoft Windows]
[{$pagename}] for [Microsoft Windows] is determined by the [MsDS-SupportedEncryptionTypes] values, or by the defaults if none are set. [MsDS-SupportedEncryptionTypes] values can be set from a [Group Policy Object].

The default [{$pagename}] for [Windows Vista]/[Windows 7] [clients] is [AES]256, while [Windows XP] and [Windows Server 2003] [clients] default to [RC4]. This implies that a [Windows Vista]/[Windows 7] client will initially attempt to use [AES] when talking to a [Domain Controller] during the [Kerberos] [Kerberos Pre-Authentication] stage. [Windows Server 2003] DCs, on the other hand, do not support [AES] with [Kerberos], which is why they log an event to the [Windows Event Log] and ask the client to try again with one of the [{$pagename}] the DC supports (which usually ends up being [RC4]).

The table shows those that are likely to be encountered.
%%zebra-table
%%sortable
%%table-filter
||Encryption type||Aliases||etype (dec)||etype (hex)||[msDS|MsDS-SupportedEncryptionTypes]||Description||RFC||[Windows|Microsoft Windows] support||[MIT] [Kerberos] support||Notes
|[DES]-[CBC]-[CRC]| |1|0x0001|0x0001|[DES] cbc mode with [CRC]-32|[RFC 3961] section 6.2.3|[Windows Server 2000], __disabled__ by default as of [Windows Server 2008] R2|All versions|[Cryptographically Weak] & [Deprecated]
|[DES]-[CBC]-[MD4]| |2|0x0002| |[DES] cbc mode with [RSA]-[MD4]|[RFC 3961] section 6.2.2|Not supported|All versions|[Cryptographically Weak] & [Deprecated]
|[DES]-[CBC]-[MD5]|des|3|0x0003|0x0002|[DES] cbc mode with [RSA]-[MD5]|[RFC 3961] section 6.2.1|[Windows Server 2000]+, __disabled__ by default as of [Windows Server 2008] R2|All versions|[Cryptographically Weak] & [Deprecated]
|[DES]-[CBC]-raw| |4|0x0004| |[DES] cbc mode raw|[RFC 3961] marked as "reserved"|Not supported|Unknown|[Cryptographically Weak] & [Deprecated], not defined in any [RFC]
|[DES3]-[CBC]-raw| |6|0x0006| |[Triple DES] cbc mode raw|[RFC 3961] marked as "reserved"|Not supported|Unknown|[Cryptographically Weak] & [Deprecated], not defined in any [RFC]
|[DES3]-[CBC]-[SHA-1]|des3-hmac-sha1\\des3-cbc-sha1-kd|16|0x0010| |[Triple DES] cbc mode with [HMAC]/[SHA-1]|[RFC 3961], section 6.3|Not supported|1.1| 
|[AES]128-[CTS]-[HMAC-SHA1]-96|aes128-cts\\aes128-sha1|17|0x0011|0x0008|[AES]-128 [CTS] mode with 96-[bit] [SHA-1] [HMAC]|[RFC 3962]|[Windows Server 2008]+|1.3| 
|[AES]256-[CTS]-[HMAC-SHA1]-96|aes256-cts\\aes256-sha1|18|0x0012|0x0010|[AES]-256 [CTS] mode with 96-[bit] [SHA-1] [HMAC]|[RFC 3962]|[Windows Server 2008]+|1.3|[Windows Server 2008] R2
|[AES]128-cts-hmac-sha256-128|aes128-sha2|19|0x0013| |[AES]-128 [CTS] mode with 128-bit [SHA-256] [HMAC]|[RFC 3962]|Not supported|1.15|RFC was only published in October 2016
|[AES]256-cts-hmac-sha384-192|aes256-sha2|20|0x0014| |[AES]-256 [CTS] mode with 192-bit [SHA-384] [HMAC]|[RFC 3962]|Not supported|1.15|RFC was only published in October 2016
|[RC4]-[HMAC]|rc4-hmac\\[RC4]-[HMAC]-[MD5]|23|0x0017| |ArcFour with [HMAC]/[MD5]|[RFC 4757]|[Windows Server 2000]+|1.3| 
|[RC4]-[HMAC]|[RC4]-[HMAC]-[MD5]-[EXP|Export-grade]|24|0x0018| |[Exportable|Export-grade] ArcFour ([RC4]) with [HMAC]/[MD5]|[RFC 4757]|[Windows Server 2000]+|1.3|[Cryptographically Weak] & [Deprecated]
|[camellia]128-cts-cmac|camellia128-cts|25|0x0019| |[Camellia]-128 [CTS] mode with [CMAC]|[RFC 4757]|Not supported|1.9| 
|[camellia]256-cts-cmac|[camellia]256-cts|26|0x001a| |[Camellia]-256 [CTS] mode with [CMAC]|[RFC 4757]|Not supported|1.9| 
/%
/%
/%

!! [Kerberos Cryptosystem Negotiation Extension]
[Kerberos] allows negotiation of the [ciphers] to be used by means of the [Kerberos Cryptosystem Negotiation Extension].

!! [{$pagename}] with [DES]
In practical terms, a [Windows Client] starts a [Kerberos] [Protocol] [Communication] with a list of supported [{$pagename}] ([Etypes]). The [KDC] responds to the list with the most secure [{$pagename}] they both support.

For example, a Windows 7 computer sends an [AS_REQ]. You can see how it looks in [Wireshark]:
[{Image src='Kerberos Encryption Types/as_req-kerberos.png' caption='AS_REQ' align=left width=768 height=768 style='font-size: 120%'}]
\\The [KDC] responds that it requires pre-authentication and sends a list of its supported encryption types ([DES] was enabled for demonstration purposes):
[{Image src='Kerberos Encryption Types/as_resp-kerberos.png' caption='KDC RESP' align=left width=768 height=768 style='font-size: 120%'}]
\\Some [Operating Systems|Operating System] are not always configured to use [{$pagename}] at the same [cipher] levels, and may not support negotiation or [Kerberos Pre-Authentication], or may not support [AES] [ciphers].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
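As an added example (not code from the original page), the Python helper below models the negotiation described in the [{$pagename}] with [DES] section: it expands an [MsDS-SupportedEncryptionTypes] value into etype numbers using the msDS column of the table, picks the strongest etype the KDC shares with the client's [AS_REQ] list, and flags deprecated or RC4-only outcomes for review. The 0x0004 = RC4 flag (which the table leaves blank), the preference order and the client etype list are assumptions, not values taken from the page.

```python
# Added example, not code from the original page: expand an
# msDS-SupportedEncryptionTypes value into etype numbers and pick the
# strongest etype a client and a KDC share, as in the AS_REQ negotiation.
from typing import Dict, List, Optional, Tuple

# etype numbers from the IANA registry (see the table above).
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# msDS-SupportedEncryptionTypes bit -> etype. 0x0004 = RC4 is a known
# Windows value that the table above leaves blank (assumption noted here).
MSDS_FLAGS: Dict[int, int] = {0x0001: 1, 0x0002: 3, 0x0004: 23, 0x0008: 17, 0x0010: 18}
# Assumed KDC preference order, strongest first; etypes the table marks deprecated.
PREFERENCE: List[int] = [18, 17, 16, 23, 3, 1, 24]
DEPRECATED = {1, 3, 24}


def decode_msds(value: int) -> List[int]:
    """Expand an msDS-SupportedEncryptionTypes integer into etype numbers."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("msDS-SupportedEncryptionTypes is a 32-bit value")
    return [etype for flag, etype in MSDS_FLAGS.items() if value & flag]


def negotiate(client_etypes: List[int], kdc_etypes: List[int]) -> Optional[int]:
    """Return the most secure etype both sides support, or None (KDC_ERR_ETYPE_NOSUPP)."""
    common = set(client_etypes) & set(kdc_etypes)
    return next((e for e in PREFERENCE if e in common), None)


def review(client_etypes: List[int], kdc_msds: int) -> Tuple[Optional[int], str]:
    """Negotiate against a KDC described by its msDS value and classify the result."""
    chosen = negotiate(client_etypes, decode_msds(kdc_msds))
    if chosen is None:
        return None, "no common etype"
    name = ETYPE_NAMES.get(chosen, f"etype {chosen}")
    if chosen in DEPRECATED:
        return chosen, f"{name}: deprecated etype selected"
    if chosen == 23 and any(e in (17, 18) for e in client_etypes):
        return chosen, f"{name}: client offered AES but only RC4 is shared"
    return chosen, f"{name}: ok"


if __name__ == "__main__":
    # Constructed AS_REQ etype list of an AES-capable client (not a real capture).
    client = [18, 17, 23, 24, 3, 1]
    for label, msds in (("DES+RC4 only", 0x0007), ("RC4+AES (2008R2)", 0x001C)):
        print(label, review(client, msds))
```

Running it against an exported msDS-SupportedEncryptionTypes value per account shows which accounts would still negotiate down to RC4 or DES with an AES-capable client.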