On 06/14/2015 09:11 AM, Chris Hecker wrote:
> I'm calling krb5_k_encrypt with a random key that I'm going to use for
> miscellaneous stuff. I assume I want to use
> KRB5_KEYUSAGE_APP_DATA_ENCRYPT? I don't see much documentation on this,
> but it looks like the most obviously named one.
RFC 4120 section 7.5.1 summarizes key usage numbers. Ideally, your application protocol should specify different key usage numbers for different kinds of messages, using the range 1026-2047. (There's no need to avoid conflicts with other application protocols, as other protocols won't be using the same keys.) Failing that, you can use key usage 1024 for everything, but make sure that the kinds of plaintexts you encrypt look sufficiently different that an attacker can't substitute one for another.

I'm not sure what the intent of KRB5_KEYUSAGE_APP_DATA_ENCRYPT is. It corresponds to a reserved value in RFC 4120.

> Most of the enctypes don't seem to use the usage at all...

Everything except the single-DES enctypes uses the key usage. For 3DES and AES, see lib/crypto/krb/enc_dk_hmac.c. For RC4, see enc_rc4.c.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
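The reply's point that every enctype other than single-DES mixes the key usage number into the keys it actually encrypts with (enc_rc4.c for RC4) can be seen by working through the RC4-HMAC construction of RFC 4757 in pure Python. This is an added example, not code from the thread or from MIT krb5; it follows the RFC's K1 / checksum / K3 derivation as I understand it (simplified: krb5's remapping of a few protocol usage numbers is omitted, which does not affect the 1024-2047 application range), and the key, the usage numbers 1026 and 1027 and the plaintext are constructed values.

```python
import hashlib
import hmac
import os

def rc4(key, data):
    # Plain RC4 keystream XOR; the same call encrypts and decrypts.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def usage_key(key, usage):
    # K1 = HMAC-MD5(K, usage as a 4-byte little-endian integer): this is the
    # point where the key usage number enters the RC4-HMAC enctype.
    return hmac_md5(key, usage.to_bytes(4, "little"))

def encrypt(key, usage, plaintext, confounder=None):
    k1 = usage_key(key, usage)
    data = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, data)        # integrity tag, keyed via the usage
    k3 = hmac_md5(k1, checksum)          # per-message RC4 key
    return checksum + rc4(k3, data)

def decrypt(key, usage, ciphertext):
    # Returns the plaintext, or None when the checksum does not verify
    # (wrong key, wrong usage number, or modified ciphertext).
    k1 = usage_key(key, usage)
    checksum, body = ciphertext[:16], ciphertext[16:]
    data = rc4(hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(hmac_md5(k1, data), checksum):
        return None
    return data[8:]

KEY = bytes(range(16))  # constructed demo key, not a real Kerberos key
USAGE_HANDSHAKE, USAGE_BULK = 1026, 1027  # hypothetical app usages in 1026-2047

def demo():
    blob = encrypt(KEY, USAGE_HANDSHAKE, b"hello")
    # Same key, other usage: K1 differs, so the checksum fails and we get None.
    return decrypt(KEY, USAGE_HANDSHAKE, blob), decrypt(KEY, USAGE_BULK, blob)
```

Decrypting under a different usage number fails the checksum even with the right key, which is why giving each message type its own usage keeps a ciphertext produced for one purpose from being accepted as another.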