2 iso(1) identified-organization(3) dod(6) internet(1)
3 security(5) kerberosV5(2) modules(4) krb5spec2(2)
4 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
6 -- OID arc for KerberosV5
8 -- This OID may be used to identify Kerberos protocol messages
9 -- encapsulated in other protocols.
11 -- This OID also designates the OID arc for KerberosV5-related OIDs.
13 -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
14 id-krb5 OBJECT IDENTIFIER ::= {
15 iso(1) identified-organization(3) dod(6) internet(1)
16 security(5) kerberosV5(2)
19 Int32 ::= INTEGER (-2147483648..2147483647)
20 -- signed values representable in 32 bits
22 UInt32 ::= INTEGER (0..4294967295)
23 -- unsigned 32 bit values
25 Microseconds ::= INTEGER (0..999999)
29 -- asn1ate doesn't support 'GeneralString (IA5String)'
30 -- only 'GeneralString' or 'IA5String', on the wire
31 -- GeneralString is used.
-- NOTE(review): with the IA5String constraint commented out below, this
-- schema places no character-set restriction on KerberosString values.
-- Code that consumes decoded realm or principal strings should not assume
-- they are IA5 (ASCII) only; confirm where that check is performed.
33 -- KerberosString ::= GeneralString (IA5String)
34 KerberosString ::= GeneralString
36 Realm ::= KerberosString
38 PrincipalName ::= SEQUENCE {
39 name-type [0] NameType, -- Int32,
40 name-string [1] SEQUENCE OF KerberosString
45 KerberosTime ::= GeneralizedTime -- with no fractional seconds
47 HostAddress ::= SEQUENCE {
49 address [1] OCTET STRING
52 -- NOTE: HostAddresses is always used as an OPTIONAL field and
53 -- should not be empty.
-- NOTE(review): the non-empty rule is stated only in the comment above.
-- No SIZE constraint is declared on the SEQUENCE OF, so a decoder generated
-- from this definition has no schema reason to reject an empty list;
-- confirm that callers check for it.
54 HostAddresses -- NOTE: subtly different from rfc1510,
55 -- but has a value mapping and encodes the same
56 ::= SEQUENCE OF HostAddress
58 -- NOTE: AuthorizationData is always used as an OPTIONAL field and
59 -- should not be empty.
-- NOTE(review): as with HostAddresses, no SIZE constraint is declared, so
-- the non-empty rule is not enforced by the schema.
-- ad-data is an opaque OCTET STRING: its inner encoding depends on ad-type
-- and is not constrained here, so it must be parsed and validated by the
-- consumer after the type has been checked.
60 AuthorizationData ::= SEQUENCE OF SEQUENCE {
61 ad-type [0] AuthDataType, -- Int32,
62 ad-data [1] OCTET STRING
65 AuthDataType ::= Int32
-- One pre-authentication data element: a type number plus an opaque value.
-- padata-value is only an OCTET STRING at this layer; what it contains is
-- selected by padata-type, so a consumer has to check the type before
-- decoding the value as any particular structure.
67 PA-DATA ::= SEQUENCE {
68 -- NOTE: first tag is [1], not [0]
69 padata-type [1] PADataType, -- Int32
70 padata-value [2] OCTET STRING -- might be encoded AP-REQ
76 -- asn1ate doesn't support 'MAX' nor a lower range != 1.
77 -- We'll use a custom encodeValue() hook for BitString
78 -- in order to encode them with at least 32 bits.
-- NOTE(review): the declared SIZE (1..32) is therefore not the same set of
-- values as the commented-out SIZE (32..MAX). Bit strings longer than 32
-- bits fall outside this constraint, and the 32-bit minimum is not expressed
-- by the schema at all; it depends on the encoder hook mentioned above.
80 -- KerberosFlags ::= BIT STRING (SIZE (32..MAX))
81 KerberosFlags ::= BIT STRING (SIZE (1..32))
82 -- minimum number of bits shall be sent,
83 -- but no fewer than 32
-- Generic container for an encrypted structure: the encryption type, an
-- optional key version number, and the ciphertext octets.
-- The schema does not say what plaintext type is inside cipher; each field
-- of type EncryptedData elsewhere in this module names the expected inner
-- type in a trailing comment only, so that binding is by convention and has
-- to be enforced by the code that decrypts.
85 EncryptedData ::= SEQUENCE {
86 etype [0] EncryptionType, --Int32 EncryptionType --
87 kvno [1] UInt32 OPTIONAL,
88 cipher [2] OCTET STRING -- ciphertext
91 EncryptionKey ::= SEQUENCE {
92 keytype [0] EncryptionType, -- Int32 actually encryption type --
93 keyvalue [1] OCTET STRING
96 Checksum ::= SEQUENCE {
97 cksumtype [0] ChecksumType, -- Int32,
98 checksum [1] OCTET STRING
101 ChecksumType ::= Int32
103 Ticket ::= [APPLICATION 1] SEQUENCE {
104 tkt-vno [0] INTEGER (5),
106 sname [2] PrincipalName,
107 enc-part [3] EncryptedData -- EncTicketPart
110 -- Encrypted part of ticket
111 EncTicketPart ::= [APPLICATION 3] SEQUENCE {
112 flags [0] TicketFlags,
113 key [1] EncryptionKey,
115 cname [3] PrincipalName,
116 transited [4] TransitedEncoding,
117 authtime [5] KerberosTime,
118 starttime [6] KerberosTime OPTIONAL,
119 endtime [7] KerberosTime,
120 renew-till [8] KerberosTime OPTIONAL,
121 caddr [9] HostAddresses OPTIONAL,
122 authorization-data [10] AuthorizationData OPTIONAL
125 -- encoded Transited field
126 TransitedEncoding ::= SEQUENCE {
127 tr-type [0] Int32 -- must be registered --,
128 contents [1] OCTET STRING
131 TicketFlags ::= KerberosFlags
144 -- the following are new since 1510
145 -- transited-policy-checked(12),
146 -- ok-as-delegate(13)
148 AS-REQ ::= [APPLICATION 10] KDC-REQ
150 TGS-REQ ::= [APPLICATION 12] KDC-REQ
-- Shared layout of AS-REQ and TGS-REQ. pvno is fixed to 5 and msg-type is
-- limited to 10 (AS) or 12 (TGS) by the value constraints below.
-- NOTE(review): the "not empty" rule for padata is a comment only; the
-- SEQUENCE OF carries no SIZE constraint, so an empty padata list is not
-- rejected by the schema.
152 KDC-REQ ::= SEQUENCE {
153 -- NOTE: first tag is [1], not [0]
154 pvno [1] INTEGER (5) ,
155 msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
156 padata [3] SEQUENCE OF PA-DATA OPTIONAL
157 -- NOTE: not empty --,
158 req-body [4] KDC-REQ-BODY
161 KDC-REQ-BODY ::= SEQUENCE {
162 kdc-options [0] KDCOptions,
163 cname [1] PrincipalName OPTIONAL
164 -- Used only in AS-REQ --,
167 -- Also client's in AS-REQ --,
168 sname [3] PrincipalName OPTIONAL,
169 from [4] KerberosTime OPTIONAL,
170 till [5] KerberosTime,
171 rtime [6] KerberosTime OPTIONAL,
173 etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType
174 -- in preference order --,
175 addresses [9] HostAddresses OPTIONAL,
176 enc-authorization-data [10] EncryptedData OPTIONAL
177 -- AuthorizationData --,
178 additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
182 EncryptionType ::= Int32
184 KDCOptions ::= KerberosFlags
190 -- allow-postdate(5),
196 -- opt-hardware-auth(11),
199 -- Canonicalize is used in RFC 6806
201 -- 26 was unused in 1510
202 -- disable-transited-check(26),
205 -- enc-tkt-in-skey(28),
209 AS-REP ::= [APPLICATION 11] KDC-REP
211 TGS-REP ::= [APPLICATION 13] KDC-REP
213 KDC-REP ::= SEQUENCE {
214 pvno [0] INTEGER (5),
215 msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
216 padata [2] SEQUENCE OF PA-DATA OPTIONAL
217 -- NOTE: not empty --,
219 cname [4] PrincipalName,
221 enc-part [6] EncryptedData
222 -- EncASRepPart or EncTGSRepPart,
226 EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
228 EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
230 EncKDCRepPart ::= SEQUENCE {
231 key [0] EncryptionKey,
232 last-req [1] LastReq,
234 key-expiration [3] KerberosTime OPTIONAL,
235 flags [4] TicketFlags,
236 authtime [5] KerberosTime,
237 starttime [6] KerberosTime OPTIONAL,
238 endtime [7] KerberosTime,
239 renew-till [8] KerberosTime OPTIONAL,
241 sname [10] PrincipalName,
242 caddr [11] HostAddresses OPTIONAL
245 LastReq ::= SEQUENCE OF SEQUENCE {
247 lr-value [1] KerberosTime
250 AP-REQ ::= [APPLICATION 14] SEQUENCE {
251 pvno [0] INTEGER (5),
252 msg-type [1] INTEGER (14),
253 ap-options [2] APOptions,
255 authenticator [4] EncryptedData -- Authenticator
258 APOptions ::= KerberosFlags
260 -- use-session-key(1),
261 -- mutual-required(2)
263 -- Unencrypted authenticator
264 Authenticator ::= [APPLICATION 2] SEQUENCE {
265 authenticator-vno [0] INTEGER (5),
267 cname [2] PrincipalName,
268 cksum [3] Checksum OPTIONAL,
269 cusec [4] Microseconds,
270 ctime [5] KerberosTime,
271 subkey [6] EncryptionKey OPTIONAL,
272 seq-number [7] UInt32 OPTIONAL,
273 authorization-data [8] AuthorizationData OPTIONAL
276 AP-REP ::= [APPLICATION 15] SEQUENCE {
277 pvno [0] INTEGER (5),
278 msg-type [1] INTEGER (15),
279 enc-part [2] EncryptedData -- EncAPRepPart
282 EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
283 ctime [0] KerberosTime,
284 cusec [1] Microseconds,
285 subkey [2] EncryptionKey OPTIONAL,
286 seq-number [3] UInt32 OPTIONAL
289 KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
290 pvno [0] INTEGER (5),
291 msg-type [1] INTEGER (20),
292 safe-body [2] KRB-SAFE-BODY,
296 KRB-SAFE-BODY ::= SEQUENCE {
297 user-data [0] OCTET STRING,
298 timestamp [1] KerberosTime OPTIONAL,
299 usec [2] Microseconds OPTIONAL,
300 seq-number [3] UInt32 OPTIONAL,
301 s-address [4] HostAddress,
302 r-address [5] HostAddress OPTIONAL
305 KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
306 pvno [0] INTEGER (5),
307 msg-type [1] INTEGER (21),
308 -- NOTE: there is no [2] tag
309 enc-part [3] EncryptedData -- EncKrbPrivPart
312 EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
313 user-data [0] OCTET STRING,
314 timestamp [1] KerberosTime OPTIONAL,
315 usec [2] Microseconds OPTIONAL,
316 seq-number [3] UInt32 OPTIONAL,
317 s-address [4] HostAddress -- sender's addr --,
318 r-address [5] HostAddress OPTIONAL -- recip's addr
321 KRB-CRED ::= [APPLICATION 22] SEQUENCE {
322 pvno [0] INTEGER (5),
323 msg-type [1] INTEGER (22),
324 tickets [2] SEQUENCE OF Ticket,
325 enc-part [3] EncryptedData -- EncKrbCredPart
328 EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
329 ticket-info [0] SEQUENCE OF KrbCredInfo,
330 nonce [1] UInt32 OPTIONAL,
331 timestamp [2] KerberosTime OPTIONAL,
332 usec [3] Microseconds OPTIONAL,
333 s-address [4] HostAddress OPTIONAL,
334 r-address [5] HostAddress OPTIONAL
337 KrbCredInfo ::= SEQUENCE {
338 key [0] EncryptionKey,
339 prealm [1] Realm OPTIONAL,
340 pname [2] PrincipalName OPTIONAL,
341 flags [3] TicketFlags OPTIONAL,
342 authtime [4] KerberosTime OPTIONAL,
343 starttime [5] KerberosTime OPTIONAL,
344 endtime [6] KerberosTime OPTIONAL,
345 renew-till [7] KerberosTime OPTIONAL,
346 srealm [8] Realm OPTIONAL,
347 sname [9] PrincipalName OPTIONAL,
348 caddr [10] HostAddresses OPTIONAL
-- Error reply message (msg-type 30).
-- As declared here the structure has no Checksum and no EncryptedData
-- member, so nothing inside it lets a receiver authenticate the sender.
-- Treat error-code, e-text and e-data as untrusted input. e-data is an
-- opaque OCTET STRING whose inner encoding this type does not constrain.
351 KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
352 pvno [0] INTEGER (5),
353 msg-type [1] INTEGER (30),
354 ctime [2] KerberosTime OPTIONAL,
355 cusec [3] Microseconds OPTIONAL,
356 stime [4] KerberosTime,
357 susec [5] Microseconds,
358 error-code [6] Int32,
359 crealm [7] Realm OPTIONAL,
360 cname [8] PrincipalName OPTIONAL,
361 realm [9] Realm -- service realm --,
362 sname [10] PrincipalName -- service name --,
363 e-text [11] KerberosString OPTIONAL,
364 e-data [12] OCTET STRING OPTIONAL
367 METHOD-DATA ::= SEQUENCE OF PA-DATA
370 -- asn1ate doesn't support 'MAX'
-- NOTE(review): because of that, the upper bound below is fixed at 256
-- where the commented-out original allows MAX. A TYPED-DATA value with more
-- than 256 elements is outside this constraint.
372 -- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
373 TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE {
375 data-value [1] OCTET STRING OPTIONAL
378 -- preauth stuff follows
380 PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
382 PA-ENC-TS-ENC ::= SEQUENCE {
383 patimestamp [0] KerberosTime -- client's time --,
384 pausec [1] Microseconds OPTIONAL
387 ETYPE-INFO-ENTRY ::= SEQUENCE {
389 salt [1] OCTET STRING OPTIONAL
392 ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
394 ETYPE-INFO2-ENTRY ::= SEQUENCE {
396 salt [1] KerberosString OPTIONAL,
397 s2kparams [2] OCTET STRING OPTIONAL
400 ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY
402 AD-IF-RELEVANT ::= AuthorizationData
404 AD-KDCIssued ::= SEQUENCE {
405 ad-checksum [0] Checksum,
406 i-realm [1] Realm OPTIONAL,
407 i-sname [2] PrincipalName OPTIONAL,
408 elements [3] AuthorizationData
411 AD-AND-OR ::= SEQUENCE {
412 condition-count [0] Int32,
413 elements [1] AuthorizationData
416 AD-MANDATORY-FOR-KDC ::= AuthorizationData
420 PA-S4U2Self ::= SEQUENCE {
421 name [0] PrincipalName,
424 auth [3] KerberosString
433 -- prettyPrint values
437 NameTypeValues ::= INTEGER { -- Int32
438 kRB5-NT-UNKNOWN(0), -- Name type not known
439 kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in
440 kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt)
441 kRB5-NT-SRV-HST(3), -- Service with host name as instance
442 kRB5-NT-SRV-XHST(4), -- Service with host as remaining components
443 kRB5-NT-UID(5), -- Unique ID
444 kRB5-NT-X500-PRINCIPAL(6), -- PKINIT
445 kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name
446 kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN
447 kRB5-NT-WELLKNOWN(11), -- Wellknown
448 kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID
449 kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name
450 kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID
452 NameTypeSequence ::= SEQUENCE {
453 dummy [0] NameTypeValues
456 TicketFlagsValues ::= BIT STRING { -- KerberosFlags
469 -- the following are new since 1510
470 transited-policy-checked(12),
473 TicketFlagsSequence ::= SEQUENCE {
474 dummy [0] TicketFlagsValues
477 KDCOptionsValues ::= BIT STRING { -- KerberosFlags
489 opt-hardware-auth(11),
492 -- Canonicalize is used by RFC 6806
494 -- 26 was unused in 1510
495 disable-transited-check(26),
502 KDCOptionsSequence ::= SEQUENCE {
503 dummy [0] KDCOptionsValues
506 MessageTypeValues ::= INTEGER {
507 krb-as-req(10), -- Request for initial authentication
508 krb-as-rep(11), -- Response to KRB_AS_REQ request
509 krb-tgs-req(12), -- Request for authentication based on TGT
510 krb-tgs-rep(13), -- Response to KRB_TGS_REQ request
511 krb-ap-req(14), -- application request to server
512 krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL
513 krb-safe(20), -- Safe (checksummed) application message
514 krb-priv(21), -- Private (encrypted) application message
515 krb-cred(22), -- Private (encrypted) message to forward credentials
516 krb-error(30) -- Error response
518 MessageTypeSequence ::= SEQUENCE {
519 dummy [0] MessageTypeValues
-- Named numbers for PADataType (the padata-type field of PA-DATA).
-- Commented-out entries are alternative names for a number that is already
-- taken by the active entry next to them.
522 PADataTypeValues ::= INTEGER {
524 -- kRB5-PADATA-TGS-REQ(1),
525 -- kRB5-PADATA-AP-REQ(1),
526 kRB5-PADATA-KDC-REQ(1),
527 kRB5-PADATA-ENC-TIMESTAMP(2),
528 kRB5-PADATA-PW-SALT(3),
529 kRB5-PADATA-ENC-UNIX-TIME(5),
530 kRB5-PADATA-SANDIA-SECUREID(6),
531 kRB5-PADATA-SESAME(7),
532 kRB5-PADATA-OSF-DCE(8),
533 kRB5-PADATA-CYBERSAFE-SECUREID(9),
534 kRB5-PADATA-AFS3-SALT(10),
535 kRB5-PADATA-ETYPE-INFO(11),
536 kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp)
537 kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp)
538 kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19)
539 kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19)
540 -- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number)
541 kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25)
542 kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25)
543 kRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
544 kRB5-PADATA-ETYPE-INFO2(19),
545 -- kRB5-PADATA-USE-SPECIFIED-KVNO(20),
546 kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
547 kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
548 kRB5-PADATA-GET-FROM-TYPED-DATA(22),
549 kRB5-PADATA-SAM-ETYPE-INFO(23),
550 kRB5-PADATA-SERVER-REFERRAL(25),
551 kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov)
552 kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com)
553 kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com)
554 kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT
555 kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName
556 kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT
557 kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT
558 kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific
559 kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER
560 kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
561 kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
562 kRB5-PADATA-FOR-USER(129), -- MS-KILE
563 kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE
564 kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE
565 kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE
566 -- kRB5-PADATA-PK-AS-09-BINDING(132), - client sends this to
567 -- tell the KDC that it supports
568 -- the asCheckSum in the
570 kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
571 kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
572 kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
573 kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework
574 kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework
575 kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework
576 kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com)
577 kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com)
-- NOTE(review): the next name starts with "kBB5", unlike every sibling
-- entry ("kRB5"). It looks like a typo, but renaming it changes the
-- identifier that generated code exposes; check for users before fixing.
578 kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com)
579 kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com)
580 kRB5-PADATA-EPAK-AS-REQ(145),
581 kRB5-PADATA-EPAK-AS-REP(146),
582 kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
583 kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
584 kRB5-PADATA-REQ-ENC-PA-REP(149), --
585 kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE
587 PADataTypeSequence ::= SEQUENCE {
588 dummy [0] PADataTypeValues
-- Named numbers for AuthDataType (the ad-type field of AuthorizationData).
-- The list mixes small positive numbers with vendor and negative values,
-- which AuthDataType can carry because it is an Int32.
-- NOTE(review): 128 is the type under which the Windows PAC is carried.
-- Its ad-data is an opaque OCTET STRING in this module, so any signature
-- or structure checking has to happen in the code that parses it.
591 AuthDataTypeValues ::= INTEGER {
592 kRB5-AUTHDATA-IF-RELEVANT(1),
593 kRB5-AUTHDATA-INTENDED-FOR-SERVER(2),
594 kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3),
595 kRB5-AUTHDATA-KDC-ISSUED(4),
596 kRB5-AUTHDATA-AND-OR(5),
597 kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6),
598 kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7),
599 kRB5-AUTHDATA-MANDATORY-FOR-KDC(8),
600 kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9),
601 kRB5-AUTHDATA-OSF-DCE(64),
602 kRB5-AUTHDATA-SESAME(65),
603 kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
604 kRB5-AUTHDATA-WIN2K-PAC(128),
605 kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
606 kRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
607 kRB5-AUTHDATA-SIGNTICKET-OLD(142),
608 kRB5-AUTHDATA-SIGNTICKET(512)
610 AuthDataTypeSequence ::= SEQUENCE {
611 dummy [0] AuthDataTypeValues
-- Named numbers for ChecksumType (the cksumtype field of Checksum).
-- Security note: this table exists so that values seen on the wire can be
-- named; it is not a list of recommended algorithms. CRC32 (1) is an
-- unkeyed, non-cryptographic checksum, and the MD4, MD5 and single-DES
-- based types rely on primitives that are deprecated for Kerberos use
-- (see RFC 6649). The HMAC-SHA1-96-AES types (15, 16) are the ones paired
-- with the AES encryption types.
614 ChecksumTypeValues ::= INTEGER {
615 kRB5-CKSUMTYPE-NONE(0),
616 kRB5-CKSUMTYPE-CRC32(1),
617 kRB5-CKSUMTYPE-RSA-MD4(2),
618 kRB5-CKSUMTYPE-RSA-MD4-DES(3),
619 kRB5-CKSUMTYPE-DES-MAC(4),
620 kRB5-CKSUMTYPE-DES-MAC-K(5),
621 kRB5-CKSUMTYPE-RSA-MD4-DES-K(6),
622 kRB5-CKSUMTYPE-RSA-MD5(7),
623 kRB5-CKSUMTYPE-RSA-MD5-DES(8),
624 kRB5-CKSUMTYPE-RSA-MD5-DES3(9),
625 kRB5-CKSUMTYPE-SHA1-OTHER(10),
626 kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12),
627 kRB5-CKSUMTYPE-SHA1(14),
628 kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15),
629 kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16),
630 kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003
631 kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number
632 kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial
634 ChecksumTypeSequence ::= SEQUENCE {
635 dummy [0] ChecksumTypeValues
-- Named numbers for EncryptionType (the etype and keytype fields above).
-- Security note: the table names every value that may appear on the wire,
-- including weak ones. The single-DES types (1, 2, 3) and
-- ARCFOUR-HMAC-MD5-56 (24) are deprecated by RFC 6649; the triple-DES types
-- and ARCFOUR-HMAC-MD5 (23) are deprecated by RFC 8429. Their presence here
-- is for decoding and printing only. When reviewing captures or KDC logs,
-- requests or tickets that carry these values are worth flagging; the AES
-- types (17, 18) are the non-deprecated entries in this list.
638 EncryptionTypeValues ::= INTEGER {
639 kRB5-ENCTYPE-NULL(0),
640 kRB5-ENCTYPE-DES-CBC-CRC(1),
641 kRB5-ENCTYPE-DES-CBC-MD4(2),
642 kRB5-ENCTYPE-DES-CBC-MD5(3),
643 kRB5-ENCTYPE-DES3-CBC-MD5(5),
644 kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7),
645 kRB5-ENCTYPE-SIGN-DSA-GENERATE(8),
646 kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9),
647 kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10),
648 kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation
649 kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17),
650 kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18),
651 kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23),
652 kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24),
653 kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48),
654 -- some "old" windows types
655 kRB5-ENCTYPE-ARCFOUR-MD4(-128),
656 kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133),
657 kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135),
658 -- these are for Heimdal internal use
659 -- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000),
660 -- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001),
661 -- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002),
662 -- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003),
663 -- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com
664 -- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com
665 kRB5-ENCTYPE-DUMMY(-1111)
667 EncryptionTypeSequence ::= SEQUENCE {
668 dummy [0] EncryptionTypeValues