-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathkey-usage
130 lines (123 loc) · 5.24 KB
/
key-usage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
This file contains registrations for Kerberos key usage numbers. Send
email to ghudson@mit.edu with corrections or requests for new assignments.
Each entry should contain:
* A number
* A reference to the governing standard, with section number
* A sybolic constant name if one is included in the governing standard
* A description of the key usage value if one is included in the
governing standard, or a brief indication of the associated protocol
message if it is not obvious from the constant name
Numbers may have multiple entries if there are conflicts.
1 (rfc4120 5.2.7.2)
AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
client key
2 (rfc4120 5.3)
AS-REP Ticket and TGS-REP Ticket (includes TGS session key or
application session key), encrypted with the service key
3 (rfc4120 5.4.2)
AS-REP encrypted part (includes TGS session key or application
session key), encrypted with the client key
4 (rfc4120 5.4.1)
TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS
session key
5 (rfc4120 5.4.1)
TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS
authenticator subkey
6 (rfc4120 5.5.1)
TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
with the TGS session key
7 (rfc4120 5.5.1)
TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes TGS
authenticator subkey), encrypted with the TGS session key
8 (rfc4120 5.4.2)
TGS-REP encrypted part (includes application session key),
encrypted with the TGS session key
9 (rfc4120 5.4.2)
TGS-REP encrypted part (includes application session key),
encrypted with the TGS authenticator subkey
10 (rfc4120 5.5.1)
AP-REQ Authenticator cksum, keyed with the application session
key
11 (rfc4120 5.5.1)
AP-REQ Authenticator (includes application authenticator
subkey), encrypted with the application session key
12 (rfc4120 5.5.2)
AP-REP encrypted part (includes application session subkey),
encrypted with the application session key
13 (rfc4120 5.7.1)
KRB-PRIV encrypted part, encrypted with a key chosen by the
application
14 (rfc4120 5.8.1)
KRB-CRED encrypted part, encrypted with a key chosen by the
application
15 (rfc4120 5.6.1)
KRB-SAFE cksum, keyed with a key chosen by the application
16 KERB_NON_KERB_SALT (MS-KILE 3.1.5.9, MS-PAC 2.6.1)
17 KERB_NON_KERB_CKSUM_SALT (MS-KILE 3.1.5.9, MS-PAC 2.8.1)
18 (rfc4120 7.5.1)
Reserved for future use in Kerberos and related protocols.
19 (rfc4120 5.2.6.4)
AD-KDC-ISSUED checksum
20 (rfc4120 7.5.1)
Reserved for future use in Kerberos and related protocols.
21 (rfc4120 7.5.1)
Reserved for future use in Kerberos and related protocols.
22 KG-USAGE-ACCEPTOR-SEAL (rfc4121 2)
23 KG-USAGE-ACCEPTOR-SIGN (rfc4121 2)
24 KG-USAGE-INITIATOR-SEAL (rfc4121 2)
25 KG-USAGE-INITIATOR-SIGN (rfc4121 2)
25 (draft-ietf-krb-wg-kerberos-sam-03 5.1.3)
sam-cksum checksum
26 (draft-ietf-krb-wg-kerberos-sam-03 5.1)
sam-track-id encryption
26 (MS-SFU 2.2.2)
PA-S4U-X509-USER checksum
26 (draft-ietf-krb-wg-kerberos-referrals-11 8)
PA-SERVER-REFERRAL encryption (removed in -12 draft)
27 (draft-ietf-krb-wg-kerberos-sam-03 5.3)
sam-enc-nonce-or-sad encryption
27 (MS-SFU 2.2.2)
PA-S4U-X509-USER reply checksum
39 (rfc4430 8)
KINK_ENCRYPT payload (for encryption)
40 (rfc4430 8)
Cksum field (for checksum)
41 KEY_USAGE_FINISHED (draft-zhu-pku2u-09 6.3)
42
reserved to avoid conflict due to published typos
43 (rfc6542 3.2)
channel binding MIC
44 KEY_USAGE_PA_PKINIT_KX (rfc8062 7)
45 KEY_USAGE_OTP_REQUEST (rfc6560 3.3)
46 KEY_USAGE_OTP_CONFIRM (draft-ietf-krb-wg-otp-preauth-12 4.3)
(removed in -13 draft)
50 KEY_USAGE_FAST_REQ_CHKSUM (rfc6113 5.4.2)
51 KEY_USAGE_FAST_ENC (rfc6113 5.4.2)
52 KEY_USAGE_FAST_REP (rfc6113 5.4.3)
53 KEY_USAGE_FAST_FINISHED (rfc6113 5.4.3)
54 KEY_USAGE_ENC_CHALLENGE_CLIENT (rfc6113 5.4.6)
55 KEY_USAGE_ENC_CHALLENGE_KDC (rfc6113 5.4.6)
56 KEY_USAGE_AS_REQ (rfc6803 11)
60 KEY_USAGE_GSSEAP_CHBIND_MIC (rfc7055 5.6.2)
61 KEY_USAGE_GSSEAP_ACC_TOKEN_MIC (rfc7055 5.6.3)
62 KEY_USAGE_GSSEAP_INI_TOKEN_MIC (rfc7055 5.6.3)
64 (rfc7751 4)
Verifier-MAC checksum
65 KEY_USAGE_SPAKE (draft-ietf-krb-wg-spake-preauth 4.3)
512-1023 (rfc4120 7.5.1)
Reserved for uses internal to a Kerberos implementation.
1024 (rfc4120 7.5.1)
Encryption for application use in protocols that do not
specify key usage values
The following are informational notes for values in the 512-1023
range:
513 KEY_USAGE_PA_FX_COOKIE (MIT krb5 encrypted FAST cookie)
514 KEY_USAGE_PA_AS_FRESHNESS (MIT krb5 freshness tokens)
RFC 3961 and RFC 4120 specify key usage values as unsigned, but in
practice there is some use of negative values (which are encoded as
two's complement when used in key derivation). The following are
informational notes for negative values:
-18 KU_DIGEST_ENCRYPT (Heimdal digest service)
-19 KU_DIGEST_OPAQUE (Heimdal digest service)
-21 KU_KRB5SIGNEDPATH (Heimdal and MIT krb5 S4U2Proxy without PACs)
-25 KU_H5L_COOKIE (Heimdal encrypted FAST cookie)