
Subject: Meeting the InCommon Assurance profile criteria using Active Directory


[AD-Assurance] Re: FYI on alt-means RC4-hmac

  • From: David Walker <>
  • To: "Capehart,Jeffrey D" <>
  • Cc: InCommon AD Assurance Group <>
  • Subject: [AD-Assurance] Re: FYI on alt-means RC4-hmac
  • Date: Thu, 22 Aug 2013 21:50:55 -0700


Yes, I'm pretty sure it should be RC4; I've changed the document.  (Eric, do you concur?)

FYI, I won't be in tomorrow's call, as I'm on vacation.  Hopefully, I'll return to find you guys have resolved everything without me.


On Thu, 2013-08-22 at 19:54 +0000, Capehart,Jeffrey D wrote:


Under risks, you have “Microsoft's implementation of Kerberos uses the MD4-HMAC encryption algorithm…”


Should that be RC4?  The MD4 algorithm is used with the NT hash (one way function) which I suppose is technically related since I recall that the actual Kerberos key is generated using the String2Key of the plain text password doing the MD4 of the Unicode of that plaintext.  It is basically the same as the Windows NT key as used in NTLM / NTLMv2.  And then, per the Kerberos protocol, the timestamp, ticket, or other data is encrypted using the RC4-HMAC algorithm with the key as derived/generated.


It can be quite confusing because I think the HMAC algorithm uses MD5 hash so you get three unapproved algorithms for the price of one.  (RC4, MD4, MD5).




Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

