Posted to kerby@directory.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2016/01/09 01:29:17 UTC
EncryptionKey structure and KVNO
Hi,
the EncryptionKey class contains a field kvno. I have no idea why we
should have such a field, or what it is used for.
The KVNO is described as:
"
A tag associated with encrypted data identifies which key was used
for encryption when a long-lived key associated with a principal
changes over time. It is used during the transition to a new key
so that the party decrypting a message can tell whether the data
was encrypted with the old or the new key.
"
We already have a field named KVNO in the EncryptedData class...
RE: EncryptionKey structure and KVNO
Posted by "Zheng, Kai" <ka...@intel.com>.
If you look up references to it, you will find that it's mainly for keytab purposes. EncryptionKey needs to be persisted in the KDC database and can be exported. When exported, the kvno (key version) is important: keytab consumers such as application servers use it to find the appropriate key, considering key type/enctype, kvno/version, and principal. Note that every time a key is exported, the key version is increased by 1.
It's the key, along with its kvno, that needs to be persisted in the database/backend, not the encrypted data.
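The lookup described in the reply, as an added illustration (this is not Kerby code and does not use Kerby's API): a keytab holds every exported version of a principal's long-lived key, each export bumps kvno by 1, and a consumer selects a key by (principal, etype, kvno) from the EncryptedData it receives. Because kvno is OPTIONAL in RFC 4120's EncryptedData, the lookup falls back to the newest version when it is absent. The class and function names, the enctype number 999 and the HMAC-based toy cipher are assumptions made for this example; a real implementation would use a registered enctype.

```python
"""Added example (not Kerby code): how a keytab consumer uses kvno to pick the right
long-lived key during rotation.  Class and function names, the toy enctype number and
the toy cipher are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

TOY_ETYPE = 999  # assumed placeholder, not a registered Kerberos enctype


@dataclass(frozen=True)
class EncryptionKey:
    """A persisted/exported key: type, value, and the version it was issued under."""
    keytype: int
    keyvalue: bytes
    kvno: int


@dataclass(frozen=True)
class EncryptedData:
    """Shape of RFC 4120 EncryptedData: etype, OPTIONAL kvno, cipher bytes."""
    etype: int
    kvno: Optional[int]
    cipher: bytes


class Keytab:
    """Keys indexed by principal; every version is kept so older tickets still decrypt."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[EncryptionKey]] = {}

    def rotate(self, principal: str, keytype: int) -> EncryptionKey:
        """Export a fresh key for principal, bumping kvno by 1 (1 for the first export)."""
        versions = [k.kvno for k in self._entries.get(principal, []) if k.keytype == keytype]
        key = EncryptionKey(keytype, secrets.token_bytes(32), max(versions, default=0) + 1)
        self._entries.setdefault(principal, []).append(key)
        return key

    def lookup(self, principal: str, etype: int,
               kvno: Optional[int] = None) -> Optional[EncryptionKey]:
        """Select by (principal, etype, kvno); with no kvno, the newest version wins."""
        candidates = [k for k in self._entries.get(principal, []) if k.keytype == etype]
        if kvno is not None:
            candidates = [k for k in candidates if k.kvno == kvno]
        return max(candidates, key=lambda k: k.kvno, default=None)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; stands in for a real enctype's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: EncryptionKey, plaintext: bytes) -> EncryptedData:
    """Encrypt and tag; the key's kvno is stamped into EncryptedData for the receiver."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key.keyvalue, nonce, len(plaintext))))
    tag = hmac.new(key.keyvalue, nonce + body, hashlib.sha256).digest()
    return EncryptedData(etype=key.keytype, kvno=key.kvno, cipher=nonce + body + tag)


def decrypt(keytab: Keytab, principal: str, data: EncryptedData) -> bytes:
    """Pick the key named by (principal, etype, kvno), verify the tag, then decrypt."""
    key = keytab.lookup(principal, data.etype, data.kvno)
    if key is None:
        raise KeyError(f"no key for {principal} etype={data.etype} kvno={data.kvno}")
    nonce, body, tag = data.cipher[:16], data.cipher[16:-32], data.cipher[-32:]
    expected = hmac.new(key.keyvalue, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(body, _keystream(key.keyvalue, nonce, len(body))))


def rotation_demo(principal: str = "host/app.example.com@EXAMPLE.COM") -> dict:
    """Walk through one rotation and report what a keytab consumer observes."""
    keytab = Keytab()
    old_key = keytab.rotate(principal, TOY_ETYPE)        # kvno 1
    old_ticket = encrypt(old_key, b"session-key-issued-under-kvno-1")
    new_key = keytab.rotate(principal, TOY_ETYPE)        # kvno 2; kvno 1 is kept
    new_ticket = encrypt(new_key, b"session-key-issued-under-kvno-2")
    return {
        "old_kvno": old_key.kvno,
        "new_kvno": new_key.kvno,
        "old_ticket_plain": decrypt(keytab, principal, old_ticket),   # still decrypts
        "new_ticket_plain": decrypt(keytab, principal, new_ticket),
        "default_kvno": keytab.lookup(principal, TOY_ETYPE).kvno,    # newest when kvno absent
        "unknown_kvno_found": keytab.lookup(principal, TOY_ETYPE, 7) is not None,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The point the reply makes is visible in `rotate` and `decrypt`: the kvno lives with the persisted key, and EncryptedData only carries a copy of it so that a ticket issued before a rotation can still be matched to the key it was encrypted under. A consumer that kept only the newest key, or that ignored the kvno on the wire, would reject every in-flight ticket at each rotation.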