

Interpreting the SupportedEncryptionTypes Registry Key

Kerberos on Windows currently supports several encryption types. Here is a brief description from TechNet:

Encryption type: description and version support

DES_CBC_CRC
  Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function.
  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

DES_CBC_MD5
  Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function.
  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default.

RC4_HMAC_MD5
  Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function.
  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES128_HMAC_SHA1
  Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

AES256_HMAC_SHA1
  Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Future encryption types
  Reserved by Microsoft for additional encryption types that might be implemented.

We can constrain the encryption types used by Kerberos through a GPO setting. It is located at:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos

The actual registry key is located at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes

You can find the detailed bit flag explanation on MSDN (see the "Supported Encryption Types Bit Flags" reference at the end of this post):

Where the bits are defined as:

Value   Description
A       DES-CBC-CRC
B       DES-CBC-MD5
C       RC4-HMAC
D       AES128-CTS-HMAC-SHA1-96
E       AES256-CTS-HMAC-SHA1-96
F       FAST-supported
G       Compound-identity-supported
H       Claims-supported
I       Resource-SID-compression-disabled

But how should we read this bit flag table, and how is it implemented on a real Windows client? Let's do some tests and observe the results.

1. Open GPMC on Windows 2008 R2, navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies/Security Options, Network security: Configure encryption types allowed for Kerberos, and enable every option except "Future encryption types".

2. Apply this GPO to a machine and check the registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes. It is 31, which is binary 11111. Referring to the table from MSDN, this means options A/B/C/D/E are enabled, i.e. DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, AES128-CTS-HMAC-SHA1-96, and AES256-CTS-HMAC-SHA1-96. RSOP confirms the same thing:

3. Now enable the option "Future encryption types". What value would you expect SupportedEncryptionTypes to have now? It is 2147483647. Convert that to binary and you get 1111111111111111111111111111111. That is a lot of "1"s! Now you get the idea: by setting every possible bit to 1, we instruct the client OS to enable every single encryption option it supports on the current build. Simple?
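To make the bit table and the two observed values concrete, here is an added PowerShell example (not from the original post) that decodes a SupportedEncryptionTypes value into its named bits, flags the DES and RC4 entries as weak, and can read the value from the registry path above. The positions of bits A to E follow from the post's value 31; the positions used for F to I (0x10000 to 0x80000) are those defined in the MS-KILE specification, and the function names are my own.

```powershell
# Added example, not part of the original post. Bits A-E are the low five bits
# (31 = binary 11111 enables exactly A-E); the F-I positions follow MS-KILE 2.2.7.
$script:EncTypeBits = [ordered]@{
    'DES-CBC-CRC'                       = 0x1
    'DES-CBC-MD5'                       = 0x2
    'RC4-HMAC'                          = 0x4
    'AES128-CTS-HMAC-SHA1-96'           = 0x8
    'AES256-CTS-HMAC-SHA1-96'           = 0x10
    'FAST-supported'                    = 0x10000
    'Compound-identity-supported'       = 0x20000
    'Claims-supported'                  = 0x40000
    'Resource-SID-compression-disabled' = 0x80000
}
$script:WeakEncTypes = @('DES-CBC-CRC', 'DES-CBC-MD5', 'RC4-HMAC')

function ConvertFrom-SupportedEncryptionTypes {
    param([Parameter(Mandatory)][uint32]$Value)
    $enabled = foreach ($bit in $script:EncTypeBits.GetEnumerator()) {
        if (($Value -band $bit.Value) -ne 0) { $bit.Key }
    }
    # Any set bit outside the named table is a reserved ("future") bit;
    # enabling "Future encryption types" in the GPO sets all of them (0x7FFFFFFF).
    [uint32]$known = 0
    foreach ($mask in $script:EncTypeBits.Values) { $known = $known -bor $mask }
    $reserved = [uint32](($Value -band (-bnot [int64]$known)) -band 0xFFFFFFFF)
    [pscustomobject]@{
        Value         = $Value
        Hex           = '0x{0:X8}' -f $Value
        Enabled       = @($enabled)
        Weak          = @($enabled | Where-Object { $script:WeakEncTypes -contains $_ })
        ReservedBits  = '0x{0:X8}' -f $reserved
        AllFutureBits = ($Value -eq [uint32]0x7FFFFFFF)
    }
}

function Get-KerberosEncryptionTypePolicy {
    # Reads the policy value the post describes; returns $null when no GPO has set it.
    $path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters'
    $item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # A REG_DWORD is returned as a signed Int32; mask it so a value with the top bit set does not throw.
    ConvertFrom-SupportedEncryptionTypes -Value ([uint32]($item.SupportedEncryptionTypes -band 0xFFFFFFFF))
}

# The two values observed in the post: 31 enables A-E only; 2147483647 sets every bit.
ConvertFrom-SupportedEncryptionTypes -Value 31 | Format-List
ConvertFrom-SupportedEncryptionTypes -Value 2147483647 | Format-List
```

For an audit, a non-empty Weak list on a domain member means DES or RC4 tickets are still allowed by policy; run Get-KerberosEncryptionTypePolicy from an elevated prompt on the machine in question.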


I hope this post helped you understand the SupportedEncryptionTypes registry key. Thanks to Jianwei Zhao from the North China PFE team, who raised the discussion and ran the tests with me!


References:

Supported Encryption Types Bit Flags
https://msdn.microsoft.com/en-us/library/ee808210.aspx

Network security: Configure encryption types allowed for Kerberos
https://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx

Comments

  • Anonymous
    January 27, 2017
    Very helpful, thanks for posting.