This section describes security features regarding Java Generic Security Services (Java GSS) for Kerberos 5.
The GSS-API mechanism is defined by RFC 1964, supplemented with RFC 4121 under the Official Internet Protocol Standards process. See RFC 1964 and RFC 4121.
This section also describes the Object Identifier (OID) for the Kerberos V5 mechanism, in the Official Internet Protocol Standards process, the encryption types, and the krb5.conf
settings supported by Java GSS.
According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.
The following table lists the preferred order of encryption types:
Name | Aliases | etype Number |
---|---|---|
aes256-cts-hmac-sha1-96 | aes256-cts | 18 |
aes128-cts-hmac-sha1-96 | aes128-cts | 17 |
arcfour-hmac-md5 | arcfour-hmac | 23 |
des3-cbc-sha1 | des3-hmac-sha1, des3-cbc-sha1-kd, des3-cbc-hmac-sha1-kd | 16 |
des-cbc-md5 | None | 3 |
des-cbc-crc | None | 1 |
Note that des-cbc-crc
and dec-cbc-md5
are disabled by default in JDK 8.
A user can restrict the usage of encryption for various purposes in krb5.conf
, in the [libdefaults]
section.
For more detailed information about the AES encryption types (AES128 and AES256) and the RC4-HMAC encryption type, see Java Generic Security Services API and Kerberos Enhancements for Java SE 6.
For more detailed information about the DES and Triple DES encryption types, see Java Generic Security Services API and Kerberos Enhancements for Java SE 5.0 and Support for Triple DES Encryption.
The following parameters are supported:
[libdefaults] default_realm allow_weak_crypto dns_lookup_kdc dns_lookup_realm dns_fallback default_checksum safe_checksum_type ap_req_checksum_type default_keytab_name default_tkt_enctypes permitted_enctypes default_tgs_enctypes no_addresses noaddresses renewable proxiable forwardable kdc_default_options clockskew kdc_timeout udp_preference_limit [realms] REALM.NAME = { kdc = } [capaths] A = { I = . B = I } [domain_realm] domain=REALM
The following are the defaults for the krb5.conf
file parameters.
no_addresses = true noaddresses = true dns_fallback = true dns_lookup_kdc = true dns_lookup_realm = true allow_weak_crypto = false kdc_timeout = 30000 max_retries = 3 udp_preference_limit = -1 clockskew = 300 renewable = false proxiable = false forwardable = false