Part IV : Secure Communications Using Stronger Encryption Algorithms
Exercise 7: Configuring to Use Stronger Encryption Algorithms in a Kerberos Environment, to Secure the Communication
Goal of this exercise
The goal of this exercise is to learn how to use various Kerberos encryption algorithms to secure the communication. Java GSS/Kerberos provides a wide range of encryption algorythms, including AES256, AES128, 3DES, RC4-HMAC, and DES.
The following is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE:
- AES256-CTS
- AES128-CTS
- RC4-HMAC
- DES3-CBC-SHA1
- DES-CBC-MD5
- DES-CBC-CRC
Steps to follow
Configure the Key Distribution Center (KDC) and update the Kerberos database.
First, you need to update to use the KDC that supports the required Kerberos encryption types, such as Solaris 10 or the latest MIT Kerberos 1.4 from MIT distribution. If you are using Active Directory on a Windows platform, it supports only DES and RC4-HMAC encryption types.
You need to update the Kerberos database to generate the new keys with stronger encryption algorithms. By default, Solaris 10 KDC will generate the keys for all the above encryption types listed. You can now create a keytab that will include all the keys for all the above encryption types.
NOTE: If you want to use Windows 2000 KDC, you can configure to use the DES and RC4-HMAC encryption types that are available on Windows.
Edit the Kerberos configuration file (
src/krb5.conf
).You will need to edit the Kerberos configuration file in order to select the desired encryption types used. The required parameters that you will need to insert under the
libdefaults
section of the Kerberos configuration file are listed below. For the purpose of this exercise, all the required entries have been added to a sample Kerberos configuration file included with the exercise, and the entries have been commented out. To enable the desired encryption type, you only need to uncomment the required entries.To enable AES256-CTS encryption type, add the following:
[libdefaults] default_tkt_enctypes = aes256-cts default_tgs_enctypes = aes256-cts permitted_enctypes = aes256-cts
NOTE: Solaris 10 does not support AES256 by default. You will need to install the following packages: SUNWcry, SUNWcryr, SUNWcryptoint. In addition, JCE in Java SE also does not support AES256 by default. You will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit key.
To enable AES128-CTS encryption type, add the following:
[libdefaults] default_tkt_enctypes = aes128-cts default_tgs_enctypes = aes128-cts permitted_enctypes = aes128-cts
To enable RC4-HMAC encryption type, add the following:
[libdefaults] default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac
To enable DES3-CBC-SHA1 encryption type, add the following:
[libdefaults] default_tkt_enctypes = des3-cbc-sha1 default_tgs_enctypes = des3-cbc-sha1 permitted_enctypes = des3-cbc-sha1
To enable DES-CBC-MD5 encryption type, add the following:
[libdefaults] default_tkt_enctypes = des-cbc-md5 default_tgs_enctypes = des-cbc-md5 permitted_enctypes = des-cbc-md5
To enable DES-CBC-CRC encryption type, add the following:
[libdefaults] default_tkt_enctypes = des-cbc-crc default_tgs_enctypes = des-cbc-crc permitted_enctypes = des-cbc-crc
NOTE: If the above parameters are not added to the Kerberos configuration file, Solaris 10 will default to use AES128 enctype. If the exportable crypto packages have been installed, it will default to use AES256 enctype.
NOTE: Destroy any pre-existing Kerberos TGT in the ticket cache from the previous exercise as follows:
% kdestroy
Launch a new window and start the server using the updated
krb5.conf
as follows:% xterm & % java -Djava.security.auth.login.config=jaas-krb5.conf \ -Djava.security.krb5.conf=krb5.conf GSSServer
Run the client application using the updated
krb5.conf
. TheGSSClient
class takes two parameters: the service name and the name of the server that the service is running on. For example, if the service ishost
running on the machinej1hol-001
, use the following (provide a secure password when prompted):% java -Djava.security.auth.login.config=jaas-krb5.conf \ -Djava.security.krb5.conf=krb5.conf \ GSSClient host j1hol-001
Summary
In this exercise, you learned how to write a client-server application that uses Java GSS API to authenticate and communicate securely using stronger Kerberos encryption algorithms. You can enable Kerberos debugging (-Dsun.security.krb5.debug=true
), to obtain information about the Kerberos encryption type used.