The Kerberos 5 GSS-API Mechanism (original) (raw)
This section describes security features regarding Java Generic Security Services (Java GSS) for Kerberos 5.
The GSS-API mechanism is defined by RFC 1964, supplemented with RFC 4121 under the Official Internet Protocol Standards process. See RFC 1964 and RFC 4121.
This section also describes the Object Identifier (OID) for the Kerberos V5 mechanism, in the Official Internet Protocol Standards process, the encryption types, and the krb5.conf settings supported by Java GSS.
The OID for the Kerberos V5 Mechanism
According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.
Java GSS/Kerberos Supported Encryption Types
The following table lists the preferred order of encryption types:
Java SE Supported Encryption Types
| Name | Aliases | etype Number |
|---|---|---|
| aes256-cts-hmac-sha1-96 | aes256-cts | 18 |
| aes128-cts-hmac-sha1-96 | aes128-cts | 17 |
| arcfour-hmac-md5 | arcfour-hmac | 23 |
| des3-cbc-sha1 | des3-hmac-sha1, des3-cbc-sha1-kd, des3-cbc-hmac-sha1-kd | 16 |
| des-cbc-md5 | None | 3 |
| des-cbc-crc | None | 1 |
Note that des-cbc-crc and dec-cbc-md5 are disabled by default in JDK 8.
A user can restrict the usage of encryption for various purposes in krb5.conf, in the [libdefaults] section.
For more detailed information about the AES encryption types (AES128 and AES256) and the RC4-HMAC encryption type, see Java Generic Security Services API and Kerberos Enhancements for Java SE 6.
For more detailed information about the DES and Triple DES encryption types, see Java Generic Security Services API and Kerberos Enhancements for Java SE 5.0 and Support for Triple DES Encryption.
Supported krb5.conf Settings
The following parameters are supported:
[libdefaults] default_realm allow_weak_crypto
dns_lookup_kdc dns_lookup_realm dns_fallback
default_checksum safe_checksum_type ap_req_checksum_type default_keytab_name
default_tkt_enctypes permitted_enctypes default_tgs_enctypes
no_addresses noaddresses
renewable proxiable forwardable
kdc_default_options clockskew
kdc_timeout udp_preference_limit
[realms] REALM.NAME = { kdc = }
[capaths] A = { I = . B = I }
[domain_realm] domain=REALM
The following are the defaults for krb5.conf file parameters.
no_addresses = true noaddresses = true dns_fallback = true dns_lookup_kdc = true dns_lookup_realm = true allow_weak_crypto = false kdc_timeout = 30000 max_retries = 3 udp_preference_limit = -1 clockskew = 300 renewable = false proxiable = false forwardable = false
If no krb5.conf file is found or a setting doesn't exist in akrb5.conf file, then these default values will be used. For example, a DNS lookup will be performed to fetch KDC details because the default value of dns_lookup_kdc is true.