Internet Assigned Numbers Authority

Kerberos Parameters

Created
2004-06-29
Last Updated
2024-12-06
Available Formats

XML

HTML

Plain text

Registries included below

Kerberos Encryption Type Numbers

Registration Procedure(s)
Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.
Expert(s)
Ken Raeburn
Reference
[RFC3961]
Note
These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.
    
Available Formats

CSV
etype encryption type Reference
0 reserved [RFC6448]
1 des-cbc-crc (deprecated) [RFC6649]
2 des-cbc-md4 (deprecated) [RFC6649]
3 des-cbc-md5 (deprecated) [RFC6649]
4 Reserved [RFC3961]
5 des3-cbc-md5 (deprecated) [RFC8429]
6 Reserved [RFC3961]
7 des3-cbc-sha1 (deprecated) [RFC8429]
8 Unassigned
9 dsaWithSHA1-CmsOID [RFC4556]
10 md5WithRSAEncryption-CmsOID [RFC4556]
11 sha1WithRSAEncryption-CmsOID [RFC4556]
12 rc2CBC-EnvOID [RFC4556]
13 rsaEncryption-EnvOID [RFC4556][from PKCS#1 v1.5]]
14 rsaES-OAEP-ENV-OID [RFC4556][from PKCS#1 v2.0]]
15 des-ede3-cbc-Env-OID [RFC4556]
16 des3-cbc-sha1-kd (deprecated) [RFC8429]
17 aes128-cts-hmac-sha1-96 [RFC3962]
18 aes256-cts-hmac-sha1-96 [RFC3962]
19 aes128-cts-hmac-sha256-128 [RFC8009]
20 aes256-cts-hmac-sha384-192 [RFC8009]
21-22 Unassigned
23 rc4-hmac (deprecated) [RFC8429]
24 rc4-hmac-exp (deprecated) [RFC6649]
25 camellia128-cts-cmac [RFC6803]
26 camellia256-cts-cmac [RFC6803]
27-64 Unassigned
65 subkey-keymaterial [(opaque; PacketCable)]
66-2147483647 Unassigned

Kerberos Checksum Type Numbers

Registration Procedure(s)
Standards Action for standards-track RFCs; non-standards-track 
RFCs must be reviewed by an expert.
Expert(s)
Ken Raeburn
Reference
[RFC3961]
Note
These are signed values ranging from -2147483648 to 2147483647.  Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental algorithms
should use these values.  Zero is reserved and may not be assigned.
    
Available Formats

CSV
sumtype value Checksum type checksum size Reference
0 Reserved [RFC3961]
1 CRC32 (deprecated) 4 [RFC6649]
2 rsa-md4 (deprecated) 16 [RFC6649]
3 rsa-md4-des (deprecated) 24 [RFC6649]
4 des-mac (deprecated) 16 [RFC6649]
5 des-mac-k (deprecated) 8 [RFC6649]
6 rsa-md4-des-k (deprecated) 16 [RFC6649]
7 rsa-md5 (deprecated) 16 [RFC8429]
8 rsa-md5-des (deprecated) 24 [RFC6649]
9 rsa-md5-des3 24
10 sha1 (unkeyed) 20
11 Unassigned
12 hmac-sha1-des3-kd (deprecated) 20 [RFC8429]
13 hmac-sha1-des3 (deprecated) 20 [RFC8429]
14 sha1 (unkeyed) 20
15 hmac-sha1-96-aes128 20 [RFC3962]
16 hmac-sha1-96-aes256 20 [RFC3962]
17 cmac-camellia128 16 [RFC6803]
18 cmac-camellia256 16 [RFC6803]
19 hmac-sha256-128-aes128 16 [RFC8009]
20 hmac-sha384-192-aes256 24 [RFC8009]
21-32770 Unassigned
32771 Reserved [RFC1964]
32772-2147483647 Unassigned

Kerberos TCP Extensions

Reference
[RFC5021]
Available Formats

CSV
Range Registration Procedures Note
0-29 Standards Action or IESG Approval
30 Reserved Standards Action that updates or obsoletes [RFC5021]
Value Description Reference
0 Krb5 over TLS [RFC6251]
1-29 Unassigned
30 Reserved [RFC5021]

Pre-authentication and Typed Data

Registration Procedure(s)
Expert Review
Expert(s)
Sam Hartman (primary), Larry Zhu (secondary)
Reference
[RFC6113]
Note
The designated expert may find that IETF Review is required. See 
[RFC6113] for more information.
    
Available Formats

CSV
Type Value Reference
1 PA-TGS-REQ [RFC4120]
2 PA-ENC-TIMESTAMP [RFC4120]
3 PA-PW-SALT [RFC4120]
4 reserved [RFC6113]
5 PA-ENC-UNIX-TIME (deprecated) [RFC4120]
6 PA-SANDIA-SECUREID [RFC4120]
7 PA-SESAME [RFC4120]
8 PA-OSF-DCE [RFC4120]
9 PA-CYBERSAFE-SECUREID [RFC4120]
10 PA-AFS3-SALT [RFC4120][RFC3961]
11 PA-ETYPE-INFO [RFC4120]
12 PA-SAM-CHALLENGE [draft-ietf-cat-kerberos-passwords-04]
13 PA-SAM-RESPONSE [draft-ietf-cat-kerberos-passwords-04]
14 PA-PK-AS-REQ_OLD [draft-ietf-cat-kerberos-pk-init-09]
15 PA-PK-AS-REP_OLD [draft-ietf-cat-kerberos-pk-init-09]
16 PA-PK-AS-REQ [RFC4556]
17 PA-PK-AS-REP [RFC4556]
18 PA-PK-OCSP-RESPONSE [RFC4557]
19 PA-ETYPE-INFO2 [RFC4120]
20 PA-USE-SPECIFIED-KVNO [RFC4120]
20 PA-SVR-REFERRAL-INFO [RFC6806]
21 PA-SAM-REDIRECT [draft-ietf-krb-wg-kerberos-sam-03]
22 PA-GET-FROM-TYPED-DATA [(embedded in typed data)][RFC4120]
22 TD-PADATA [(embeds padata)][RFC4120]
23 PA-SAM-ETYPE-INFO [(sam/otp)][draft-ietf-krb-wg-kerberos-sam-03]
24 PA-ALT-PRINC [draft-ietf-krb-wg-hw-auth-04]
25 PA-SERVER-REFERRAL [draft-ietf-krb-wg-kerberos-referrals-11]
26-29 Unassigned
30 PA-SAM-CHALLENGE2 [draft-ietf-krb-wg-kerberos-sam-03]
31 PA-SAM-RESPONSE2 [draft-ietf-krb-wg-kerberos-sam-03]
32-40 Unassigned
41 PA-EXTRA-TGT [Reserved extra TGT][RFC6113]
42-100 Unassigned
101 TD-PKINIT-CMS-CERTIFICATES [RFC4556]
102 TD-KRB-PRINCIPAL [PrincipalName][RFC6113]
103 TD-KRB-REALM [Realm][RFC6113]
104 TD-TRUSTED-CERTIFIERS [RFC4556]
105 TD-CERTIFICATE-INDEX [RFC4556]
106 TD-APP-DEFINED-ERROR [Application specific][RFC6113]
107 TD-REQ-NONCE [INTEGER][RFC6113]
108 TD-REQ-SEQ [INTEGER][RFC6113]
109 TD_DH_PARAMETERS [RFC4556]
110 Unassigned
111 TD-CMS-DIGEST-ALGORITHMS [RFC8636]
112 TD-CERT-DIGEST-ALGORITHMS [RFC8636]
113-127 Unassigned
128 PA-PAC-REQUEST [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
129 PA-FOR_USER [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
130 PA-FOR-X509-USER [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
131 PA-FOR-CHECK_DUPS [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
132 PA-AS-CHECKSUM [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
133 PA-FX-COOKIE [RFC6113]
134 PA-AUTHENTICATION-SET [RFC6113]
135 PA-AUTH-SET-SELECTED [RFC6113]
136 PA-FX-FAST [RFC6113]
137 PA-FX-ERROR [RFC6113]
138 PA-ENCRYPTED-CHALLENGE [RFC6113]
139-140 Unassigned
141 PA-OTP-CHALLENGE [RFC6560]
142 PA-OTP-REQUEST [RFC6560]
143 PA-OTP-CONFIRM (OBSOLETED) [RFC6560]
144 PA-OTP-PIN-CHANGE [RFC6560]
145 PA-EPAK-AS-REQ [(sshock@gmail.com)][RFC6113]
146 PA-EPAK-AS-REP [(sshock@gmail.com)][RFC6113]
147 PA_PKINIT_KX [RFC8062]
148 PA_PKU2U_NAME [draft-zhu-pku2u-09]
149 PA-REQ-ENC-PA-REP [RFC6806]
150 PA_AS_FRESHNESS [RFC8070]
151 PA-SPAKE [RFC9588]
152 PA-REDHAT-IDP-OAUTH2 [Pavel_Březina]
153 PA-REDHAT-PASSKEY [Pavel_Březina]
154-164 Unassigned
165 PA-SUPPORTED-ETYPES [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]
166 PA-EXTENDED_ERROR [MSKILE][http://msdn2.microsoft.com/en-us/library/cc206927.aspx]

FAST Armor Types

Registration Procedure(s)
Standards Action
Reference
[RFC6113]
Available Formats

CSV
Type Name Description Reference
0 Reserved Reserved [RFC6113]
1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req. [RFC6113]

FAST Options

Registration Procedure(s)
Standards Action
Reference
[RFC6113]
Available Formats

CSV
Type Name Description Reference
0 RESERVED Reserved for future expansion of this field. [RFC6113]
1 hide-client-names Requesting the KDC to hide client names in the KDC response [RFC6113]
16 kdc-follow-referrals reserved [RFC6113]

Well-Known Kerberos Principal Names

Registration Procedure(s)
Specification Required
Expert(s)
Unassigned
Reference
[RFC6111]
Available Formats

CSV
Well-Known Kerberos Principal Name Reference
anonymous [RFC8062]

Well-Known Kerberos Realm Names

Registration Procedure(s)
Specification Required
Expert(s)
Unassigned
Reference
[RFC6111]
Available Formats

CSV
Well-Known Kerberos Realm Name Reference
anonymous [RFC8062]

Kerberos Message Transport Types

Registration Procedure(s)
IETF Review
Reference
[RFC6784]
Available Formats

CSV
Value Description Reference
0 Reserved [RFC6784]
1 UDP [RFC6784]
2 TCP [RFC6784]
3 TLS [RFC6784]
4-254 Unassigned
255 Reserved [RFC6784]

Kerberos Second Factor Types

Registration Procedure(s)
Specification Required
Expert(s)
Simo Sorce, Greg Hudson
Reference
[RFC9588]
Note
Registration requests should be sent to the mailing list described 
in [RFC9588]. If approved, designated experts should notify IANA 
within three weeks. For assistance, please contact iana@iana.org.
    
Note
These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms 
specified in accordance with these rules for use with Kerberos 
and related protocols. Negative values should be used for private 
and experimental algorithms only. Zero is reserved and must not 
be assigned. Values should be assigned in increasing order.
    
Available Formats

CSV
ID Number Name Reference
0 Reserved [RFC9588]
1 SF-NONE [RFC9588]

Kerberos SPAKE Groups

Registration Procedure(s)
Specification Required
Expert(s)
Simo Sorce, Greg Hudson
Reference
[RFC9588]
Note
Registration requests should be sent to the mailing list described 
in [RFC9588]. If approved, designated experts should notify IANA 
within three weeks. For assistance, please contact iana@iana.org.
    
Note
These are signed integers ranging from -2147483648 to 2147483647,
inclusive. Positive values must be assigned only for algorithms 
specified in accordance with these rules for use with Kerberos 
and related protocols. Negative values should be used for private 
and experimental algorithms only. Zero is reserved and must not 
be assigned. Values should be assigned in increasing order.
    
Available Formats

CSV
ID Number Name Serialization Multiplier Length Multiplier Conversion SPAKE M Constant SPAKE N Constant Hash Function Reference
0 Reserved [RFC9588]
1 edwards25519 [RFC8032, Section 3.1] 32 [RFC8032, Section 3.1] d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab SHA-256 [RFC6234] [RFC7748, Section 4.1][(edwards25519)]
2 P-256 [SECG-SEC1, Section 2.3.3] [(compressed format)] 32 [SECG-SEC1, Section 2.3.8] 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49 SHA-256 [RFC6234] [SECG-SEC2, Section 2.4.2]
3 P-384 [SECG-SEC1, Section 2.3.3] [(compressed format)] 48 [SECG-SEC1, Section 2.3.8] 030ff0895ae5ebf6187080a82d82b42e2765e3b2f8749c7e05eba366434b363d3dc36f15314739074d2eb8613fceec2853 02c72cf2e390853a1c1c4ad816a62fd15824f56078918f43f922ca21518f9c543bb252c5490214cf9aa3f0baab4b665c10 SHA-384 [RFC6234] [SECG-SEC2, Section 2.5.1]
4 P-521 [SECG-SEC1, Section 2.3.3] [(compressed format)] 48 [SECG-SEC1, Section 2.3.8] 02003f06f38131b2ba2600791e82488e8d20ab889af753a41806c5db18d37d85608cfae06b82e4a72cd744c719193562a653ea1f119eef9356907edc9b56979962d7aa 0200c7924b9ec017f3094562894336a53c50167ba8c5963876880542bc669e494b2532d76c5b53dfb349fdf69154b9e0048c58a42e8ed04cef052a3bc349d95575cd25 SHA-512 [RFC6234] [SECG-SEC2, Section 2.6.1]

Contact Information

ID Name Contact URI Last Updated
[Pavel_Březina] Pavel Březina mailto:pbrezina&redhat.com 2023-03-29