The Kerberos 5 GSS-API Mechanism
This topic describes and lists security features regarding Java Generic Security Services (Java GSS) for Kerberos 5.
This GSS-API mechanism is defined by RFC 1964, supplemented with RFC 4121 under the Official Internet Protocol Standards process. See RFC 1964 and RFC 4121.
This topic also describes the Object Identifier (OID) for the Kerberos V5 mechanism, in the Official Internet Protocol Standards process, the encryption types, and the krb5.conf settings supported by Java GSS.
Note: Java GSS features have been in each version of Java SE since 1.4.2.
The OID for the Kerberos V5 Mechanism
According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.
Java GSS/Kerberos Supported Encryption Types
Each major release of Java SE has added features or additional supported encryption types for GSS/Kerberos. However, support for new encryption types has been included in update editions of Java SE 5 and Java SE 6.
The following table lists the preferred order of encryption types supported in editions of Java up to Java SE 8.
Name | etype Number |
---|---|
aes256-cts | 18 |
aes128-cts | 17 |
aes128-cts | 23 |
des3-cbc-sha1 | 16 |
des-cbc-md5 | 3 |
des-cbc-crc | 1 |
Note that des-cbc-crc and des-cbc-md5 are disabled by default in JDK 8.
A user can restrict the usage of encryption for various purposes in krb5.conf, in the [libdefaults] section.
For more detailed information about the AES encryption types (AES128 and AES256) and the RC4-HMAC encryption type, see Java GSS for Java SE 6.
For more detailed information about the DES and Triple DES encryption types, see Java GSS for Java SE 5 and Support for Triple DES Encryption.
Supported krb5.conf Settings
In Java SE 7, the following are the supported parameters.
[libdefaults]
    default_realm
    allow_weak_crypto
    dns_lookup_kdc
    dns_lookup_realm
    dns_fallback
    default_checksum
    safe_checksum_type
    ap_req_checksum_type
    default_keytab_name
    default_tkt_enctypes
    permitted_enctypes
    default_tgs_enctypes
    no_addresses
    noaddresses
    renewable
    proxiable
    forwardable
    kdc_default_options
    clockskew
    kdc_timeout
    udp_preference_limit
[realms]
    REALM.NAME = {
        kdc =
    }
[capaths]
    A = {
        I = .
        B = I
    }
[domain_realm]
    domain=REALM
The following are the defaults for the krb5.conf file parameters.

    no_addresses = true
    noaddresses = true
    dns_fallback = true (false in JDK 6)
    dns_lookup_kdc = true (false in JDK 6)
    dns_lookup_realm = true (false in JDK 6)
    allow_weak_crypto = false (true in JDK 7)
    kdc_timeout = 30000
    max_retries = 3
    udp_preference_limit = -1
    clockskew = 300
    renewable = false
    proxiable = false
    forwardable = false
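
The following Python script, added here and not part of the original documentation, audits the [libdefaults] section of a krb5.conf for the DES types this page lists as disabled by default in JDK 8. The sample file, the function names, and the reading that allow_weak_crypto = true is what makes those types usable are assumptions of this example.

```python
import re

# Weak types this page says are disabled by default in JDK 8.
WEAK = {"des-cbc-crc", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample file, not taken from any real deployment.
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts des-cbc-md5
    permitted_enctypes = aes256-cts, aes128-cts
"""

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, out = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(text):
    """Return findings about DES exposure in a krb5.conf given as a string."""
    cfg = parse_libdefaults(text)
    # Page default: allow_weak_crypto = false when the key is absent.
    weak_ok = cfg.get("allow_weak_crypto", "false").lower() == "true"
    findings = ["allow_weak_crypto = true"] if weak_ok else []
    for key in ENCTYPE_KEYS:
        if key not in cfg:
            if weak_ok:  # the default preference list ends with the DES types
                findings.append(f"{key} unset, default list includes DES")
            continue
        for etype in re.split(r"[\s,]+", cfg[key].lower()):
            if etype in WEAK:
                state = "usable" if weak_ok else "listed but disabled"
                findings.append(f"{key} lists {etype} ({state})")
    return findings
```

Calling `audit(WEAK_CONF)` reports the enabled flag, the explicit DES entry, and the enctype key left to fall back to the default list; a file that pins all three enctype keys to the AES types returns no findings.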