
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Which version of Windows can logon if only AES is supported?


  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: [AD-Assurance] Which version of Windows can logon if only AES is supported?
  • Date: Fri, 3 May 2013 17:48:17 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=neutral (message not signed) header.i=none

If RC4-HMAC were removed as a supported Kerberos encryption type and only AES was available, Microsoft seems to say that you should be using Windows Server 2008 and Windows Vista at the minimum.


Kerberos Enhancements to Windows VISTA (Feb 2009)

http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx

AES

This Windows Vista and Windows Server 2008 security enhancement enables the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. [changes from Windows XP]

Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.

The following table shows whether AES is used in each exchange for different combinations of Windows operating systems.

Usage of AES with different Windows operating systems

| Client                                 | Server                                         | KDC                                            | Ticket/Message encryption                       |
|----------------------------------------|------------------------------------------------|------------------------------------------------|-------------------------------------------------|
| Operating systems earlier than Windows Vista | Operating systems earlier than Windows Server 2008 | Windows Server 2008                            | TGT might be encrypted with AES based on policy |
| Operating systems earlier than Windows Vista | Windows Server 2008                            | Windows Server 2008                            | Service ticket encrypted with AES               |
| Windows Vista                          | Windows Server 2008                            | Windows Server 2008                            | All tickets and GSS encrypted with AES          |
| Windows Vista                          | Windows Server 2008                            | Operating systems earlier than Windows Server 2008 | GSS encrypted with AES                          |
| Windows Vista                          | Operating systems earlier than Windows Server 2008 | Windows Server 2008                            | AS-REQ/REP and TGS-REQ/REP encrypted with AES   |
| Operating systems earlier than Windows Vista | Windows Server 2008                            | Operating systems earlier than Windows Server 2008 | No AES                                          |
| Windows Vista                          | Operating systems earlier than Windows Server 2008 | Operating systems earlier than Windows Server 2008 | No AES                                          |
| Operating systems earlier than Windows Vista | Operating systems earlier than Windows Server 2008 | Operating systems earlier than Windows Server 2008 | No AES                                          |

There are three factors that contribute to the difference in logon times between Windows Server 2003 and Windows Server 2008:

  • Windows Server 2008 now uses AES 256 encryption for Kerberos where possible. Therefore, it generates an additional AES 256 hash.

  • Windows Server 2008 can use AES 128 encryption for Kerberos. Therefore, it generates an additional AES 128 hash.

  • Windows Server 2008 now uses the Password-Based Key Derivation Function (PBKDF2) to protect cached logon information.

These changes account for the differences in logon times, and they are by design: this is what is required to authenticate an interactive or network logon using the new encryption algorithms, compared to Windows Server 2003 using NTLM.


Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
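The practical question behind the post is which principals in a domain would stop being able to get Kerberos tickets if RC4-HMAC were withdrawn. The following script is an added example, not code from the post or from Microsoft: it decodes the msDS-SupportedEncryptionTypes bitmask (the bit layout is the one documented in MS-KILE and shared with the "Network security: Configure encryption types allowed for Kerberos" policy) and lists the accounts that share no encryption type with a proposed AES-only policy. The inventory is constructed sample data, and treating an unset attribute as "RC4/DES only" is an assumption chosen to model the pre-Vista / pre-2008 rows of the table above; check your own domain's defaults before relying on it.

```python
"""Audit which AD principals would be unable to authenticate if RC4-HMAC
were removed from the Kerberos encryption types allowed in a domain.

Added illustrative script, not part of the original post or of any
Microsoft tool. It operates on the msDS-SupportedEncryptionTypes bitmask.
The inventory below is constructed sample data, not real directory output.
"""

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ENCTYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}

# Assumption for this example: a principal whose attribute is unset (None)
# behaves like a pre-Vista / pre-2008 system and offers only RC4 and DES,
# matching the "No AES" rows of the table quoted in the post.
LEGACY_DEFAULT = RC4_HMAC | DES_CBC_CRC | DES_CBC_MD5


def effective_mask(mask):
    """Apply the legacy default when the attribute was never set."""
    return LEGACY_DEFAULT if mask is None else mask


def decode_enctypes(mask):
    """Return the enctype names set in a bitmask, in ascending bit order."""
    mask = effective_mask(mask)
    return [name for bit, name in ENCTYPE_NAMES.items() if mask & bit]


def can_negotiate(principal_mask, policy_mask):
    """True if the principal and the domain policy share at least one enctype."""
    return bool(effective_mask(principal_mask) & policy_mask)


def principals_broken_by(policy_mask, inventory):
    """Sorted sAMAccountNames that share no enctype with policy_mask."""
    return sorted(
        name for name, mask in inventory.items()
        if not can_negotiate(mask, policy_mask)
    )


# Constructed sample inventory: sAMAccountName -> msDS-SupportedEncryptionTypes.
SAMPLE_INVENTORY = {
    "VISTA-WS01$": AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96 | RC4_HMAC,
    "XP-LAB-07$": None,                       # attribute never set: legacy behaviour
    "SRV2003-FILE$": RC4_HMAC,                # explicitly RC4 only
    "svc-legacy-app": RC4_HMAC | DES_CBC_MD5,
    "svc-modern-app": AES256_CTS_HMAC_SHA1_96,
}

# The policy under evaluation in the post: RC4 withdrawn, AES only.
AES_ONLY_POLICY = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

if __name__ == "__main__":
    for name, mask in SAMPLE_INVENTORY.items():
        print(f"{name:16} {', '.join(decode_enctypes(mask))}")
    print("Would fail under AES-only policy:",
          principals_broken_by(AES_ONLY_POLICY, SAMPLE_INVENTORY))
```

In a real audit the inventory would come from an LDAP query for msDS-SupportedEncryptionTypes on user and computer objects; the decision logic stays the same, and the accounts it flags are the ones to migrate or retire before RC4 is removed.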
