The Kerberos 5 GSS-API Mechanism

(Return to Security Contents)

This topic describes and lists security features regarding Java Generic Security Services (Java GSS) for Kerberos 5.

This GSS-API mechanism is defined by RFC 1964, supplemented with RFC 4121 under the Official Internet Protocol Standards process. See RFC 1964 and RFC 4121.

This topic also describes the Object Identifier (OID) for the Kerberos V5 mechanism, in the Official Internet Protocol Standards process, the encryption types, and the krb5.conf settings supported by Java GSS.

Note: Java GSS features have been in each version of Java SE since 1.4.2.


The OID for the Kerberos V5 Mechanism

According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.

Java GSS/Kerberos Supported Encryption Types

Each major release of Java SE has added features or additional supported encryption types for GSS/Kerberos. However, support for new encryption types have been included in update editions of Java SE 5 and Java SE 6.

The following table lists the preferred order of encryption types supported in editions of Java up to Java SE 8.

Java SE 7 Supported Encryption Types
Name etype Number
aes256-cts 18
aes128-cts 17
aes128-cts 23
des3-cbc-sha1 16
des-cbc-md5 3
des-cbc-crc 1

Note that des-cbc-crc and dec-cbc-md5 are disabled by default in JDK 8.

A user can restrict the usage of encryption for various purposes in krb5.conf, in the [libdefaults] section.

For more detailed information about the AES encryption types (AES128 and AES256 and the RC4-HMAC encryption type, see Java GSS for Java SE 6.

For more detailed information about the DES and Triple DES encryption types, see Java GSS for Java SE 5 and Support for Triple DES Encryption.

Supported krb5.conf Settings

In Java SE 7, the following are the supported parameters.

[libdefaults]
default_realm
allow_weak_crypto
 
dns_lookup_kdc
dns_lookup_realm
dns_fallback
 
default_checksum
safe_checksum_type
ap_req_checksum_type
default_keytab_name
 
default_tkt_enctypes
permitted_enctypes
default_tgs_enctypes
 
no_addresses
noaddresses
 
renewable
proxiable
forwardable
 
kdc_default_options
clockskew
 
kdc_timeout
udp_preference_limit
 
[realms]
  REALM.NAME = {
    kdc =
  }
 
[capaths]
  A = {
    I = .
    B = I
  }
 
[domain_realm]
  domain=REALM

The following are the defaults for the krb5.conf file parameters.
no_addresses = true
noaddresses = true
dns_fallback = true (false in JDK 6)
dns_lookup_kdc = true (false in JDK 6)
dns_lookup_realm = true (false in JDK 6)
allow_weak_crypto = false (true in JDK 7)
kdc_timeout = 30000
max_retries = 3
udp_preference_limit = -1
clockskew = 300
renewable = false
proxiable = false
forwardable = false


Copyright © 1993, 2016, Oracle and/or its affiliates. All rights reserved.