Posted to kerby@directory.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2016/01/09 01:29:17 UTC

EncryptionKey structure and KVNO

Hi,

the EncryptionKey class contains a field kvno. I have no idea why we
should have such a field, or what it is used for.

The KVNO is described as:

"
      A tag associated with encrypted data identifies which key was used
      for encryption when a long-lived key associated with a principal
      changes over time.  It is used during the transition to a new key
      so that the party decrypting a message can tell whether the data
      was encrypted with the old or the new key.
"

We already have a field named KVNO in the EncryptedData class...

RE: EncryptionKey structure and KVNO

Posted by "Zheng, Kai" <ka...@intel.com>.
If you look up references to it, you will find that it's mainly for keytab things. EncryptionKey needs to be persisted in the KDC database and can be exported. When exported, the kvno or key version is important: keytab consumers like application servers use it to find the appropriate key, considering keytype/enctype, kvno/version, and principal. Note that every time a key is exported, the key version is increased by 1.

It's the key along with the kvno that needs to be persisted in database/backend, but not the encrypted data.
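To make the distinction in the two messages above concrete (the kvno stored alongside a persisted/exported key versus the kvno carried in an EncryptedData), here is an added example of how a keytab consumer selects a key by principal, enctype and kvno during a key rotation. It is illustrative Python written for this page, not Kerby's Java code: the class names, the rule that an absent or zero kvno means "use the newest version", the principal name and the key bytes are all constructed assumptions.

```python
"""Keytab-style key selection by principal, enctype and kvno.

Added example (Python, not Kerby's Java code). The principal name,
key bytes and kvno values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from RFC 3962.
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass(frozen=True)
class EncryptionKey:
    """A long-lived key as stored in a KDC backend / exported keytab.
    The kvno here says which version of the principal's key this is."""
    principal: str
    etype: int
    kvno: int
    keyvalue: bytes


@dataclass(frozen=True)
class EncryptedData:
    """The kvno carried here names which key version encrypted `cipher`."""
    etype: int
    kvno: Optional[int]  # OPTIONAL in the ASN.1 definition
    cipher: bytes


class KeyNotFound(LookupError):
    pass


def select_key(keytab: List[EncryptionKey], principal: str, etype: int,
               kvno: Optional[int] = None) -> EncryptionKey:
    """Pick the key a consumer should decrypt with.

    Assumption made in this example: an absent kvno (or 0) means "use
    the newest version"; an explicit kvno must match exactly, so that a
    message encrypted under the previous key still decrypts during the
    transition to the new key.
    """
    same_principal_etype = [k for k in keytab
                            if k.principal == principal and k.etype == etype]
    if not same_principal_etype:
        raise KeyNotFound(f"no etype {etype} key for {principal}")
    if not kvno:
        return max(same_principal_etype, key=lambda k: k.kvno)
    for key in same_principal_etype:
        if key.kvno == kvno:
            return key
    raise KeyNotFound(f"no kvno {kvno} for {principal} etype {etype}")


def rotate_key(keytab: List[EncryptionKey], principal: str, etype: int,
               new_keyvalue: bytes) -> List[EncryptionKey]:
    """Append a new key version (kvno + 1) without dropping the old one,
    so messages still in flight under the old kvno remain decryptable."""
    current = max((k.kvno for k in keytab
                   if k.principal == principal and k.etype == etype),
                  default=0)
    return keytab + [EncryptionKey(principal, etype, current + 1, new_keyvalue)]


def demo() -> dict:
    """Walks through one rotation; returns the kvno chosen for each message."""
    svc = "HTTP/www.example.com@EXAMPLE.COM"  # constructed principal
    keytab = [
        EncryptionKey(svc, ETYPE_AES256_CTS_HMAC_SHA1_96, 3, b"\x01" * 32),
        EncryptionKey(svc, ETYPE_AES128_CTS_HMAC_SHA1_96, 3, b"\x02" * 16),
    ]
    keytab = rotate_key(keytab, svc, ETYPE_AES256_CTS_HMAC_SHA1_96, b"\x03" * 32)

    old_msg = EncryptedData(ETYPE_AES256_CTS_HMAC_SHA1_96, 3, b"...")     # pre-rotation
    new_msg = EncryptedData(ETYPE_AES256_CTS_HMAC_SHA1_96, None, b"...")  # no kvno sent
    stale_msg = EncryptedData(ETYPE_AES256_CTS_HMAC_SHA1_96, 99, b"...")  # unknown version

    chosen = {
        "old": select_key(keytab, svc, old_msg.etype, old_msg.kvno).kvno,
        "new": select_key(keytab, svc, new_msg.etype, new_msg.kvno).kvno,
    }
    try:
        select_key(keytab, svc, stale_msg.etype, stale_msg.kvno)
        chosen["stale"] = "decrypted"
    except KeyNotFound:
        chosen["stale"] = "rejected"
    return chosen


if __name__ == "__main__":
    print(demo())  # {'old': 3, 'new': 4, 'stale': 'rejected'}
```

The point the example makes is that the two kvno fields are matched against each other: the one on the persisted key is what `rotate_key` increments and the keytab carries, the one in EncryptedData is what a message presents, and `select_key` joins them. Keeping the old version in the keytab after rotation is what lets a message tagged with the previous kvno still be decrypted, and an unknown kvno is refused rather than tried against every key.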