Currently we support multiple encryption algorithm in Kerberos. Here's a brief description from TechNet:
Encryption type | Description and version support |
DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |
DES_CBC_MD5 | Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |
RC4_HMAC_MD5 | Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
AES128_HMAC_SHA1 | Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
AES256_HMAC_SHA1 | Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1). Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
Future encryption types | Reserved by Microsoft for additional encryption types that might be implemented. |
We can constrain algorithm used by Kerberos by GPO. It's located at:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos
The actual registry key is located at:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes
You can find the detailed bit flag explanation on MSDN:
Where the bits are defined as:
Value | Description |
A | DES-CBC-CRC |
B | DES-CBC-MD5 |
C | RC4-HMAC |
D | AES128-CTS-HMAC-SHA1-96 |
E | AES256-CTS-HMAC-SHA1-96 |
F | FAST-supported |
G | Compound-identity-supported |
H | Claims-supported |
I | Resource-SID-compression-disabled |
But how to understand this bit flag table and how it's implmented on a real Windows client? Let's do some test & observation.
1. Open GPMC on Windows 2008 R2, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Network security: Configure encryption types allowed for Kerberos, enable all option except "Future encryption types".
2. Apply this GPO to a machine, check the reg key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes. It's 31, which is binary 11111. Referring the table from MSDN, this means enable option A/B/C/D/E, aka DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96. RSOP confirmed the same thing:
3. Now enable the option "Future encryption types". How do you expect the new value for SupportedEncryptionTypes reg key? Well, it's now 2147483647. Convert to binary and you get 1111111111111111111111111111111. Wow, plenty lot of "1"s! Now you may get the idea: by setting all possible bits to 1, we instructed client OS to enable every single encryption option it supports on current build. Simple?
Wish this post helped you to understand the SupportedEncryptionTypes reg key. And thanks Jianwei Zhao from Norch China PFE team who raised the discussion and doing tests with me!
Reference:
Supported Encryption Types Bit Flags
http://msdn.microsoft.com/en-us/library/ee808210.aspx
Network security: Configure encryption types allowed for Kerberos
http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
