The Kerberos 5 GSS-API Mechanism

This section describes the security features of Java Generic Security Services (Java GSS) for Kerberos 5: the Object Identifier (OID) of the Kerberos V5 mechanism, the encryption types it supports, and the krb5.conf settings that Java GSS honours.

The Generic Security Services Application Program Interface (GSS-API) mechanism is defined by RFC 1964 and supplemented with RFC 4121 under the Internet Standards process.

The OID for the Kerberos V5 Mechanism

According to RFC 1964 section 1, the OID of the Kerberos V5 GSS-API mechanism is 1.2.840.113554.1.2.2; this is the OID Java GSS uses to identify and select the Kerberos 5 mechanism. See also GSSAPI Mechanisms in Java Security Standard Algorithm Names.

Java GSS/Kerberos Supported Encryption Types

The following table lists the encryption types supported by Java GSS/Kerberos, in preference order (most preferred first), together with their aliases and etype numbers.

Table 7-1 Java GSS/Kerberos Supported Encryption Types

Name                         Aliases                    etype Number
aes256-cts-hmac-sha1-96      aes256-sha1, aes256-cts    18
aes128-cts-hmac-sha1-96      aes128-sha1, aes128-cts    17
aes256-cts-hmac-sha384-192   aes256-sha2                20
aes128-cts-hmac-sha256-128   aes128-sha2                19
des3-cbc-sha1                des3-hmac-sha1             16
arcfour-hmac-md5             arcfour-hmac, rc4-hmac     23
des-cbc-crc                  None                       1
des-cbc-md5                  None                       3

Note:

The AES-256 encryption type is enabled by default. The following legacy encryption types are disabled by default:

  • The DES-based encryption types, including des-cbc-crc and des-cbc-md5
  • des3-cbc-sha1
  • arcfour-hmac-md5

These legacy types are only usable when allow_weak_crypto = true is set in the [libdefaults] section of krb5.conf. In the same section, the encryption types used for each purpose can be restricted further: permitted_enctypes limits the session key types the client accepts, default_tkt_enctypes the types requested for the initial ticket (AS exchange), and default_tgs_enctypes the types requested for service tickets (TGS exchange). The lists are read in preference order, so the type a deployment wants used should come first.

Supported krb5.conf Settings

The following parameters are supported:

include FILENAME
includedir DIRNAME

[libdefaults]
allow_weak_crypto
ap_req_checksum_type
canonicalize
clockskew
default_checksum
default_keytab_name
default_realm
default_tgs_enctypes
default_tkt_enctypes
dns_canonicalize_hostname
dns_fallback
dns_lookup_kdc
dns_lookup_realm
extra_addresses
forwardable
kdc_default_options
kdc_timeout
max_retries
no_addresses
noaddresses
permitted_enctypes
proxiable
renew_lifetime
renewable
safe_checksum_type
ticket_lifetime
udp_preference_limit
 
[realms]
  REALM.NAME = {
      kdc
      kdc_timeout
      udp_preference_limit
      max_retries
  }
 
[capaths]
  A = {
    I = .
    B = I
  }
 
[domain_realm]
  domain=REALM

The following are the default values for krb5.conf file parameters:

allow_weak_crypto = false
canonicalize = false
clockskew = 300
default_tgs_enctypes = <value of permitted_enctypes>
default_tkt_enctypes = <value of permitted_enctypes>
dns_canonicalize_hostname = true
dns_lookup_kdc = true
dns_lookup_realm = false
forwardable = false
kdc_timeout = 30s
max_retries = 3
no_addresses = true
noaddresses = true
permitted_enctypes = <all encryption types in Table 7-1>
proxiable = false
renewable = false
udp_preference_limit = 1465

If no krb5.conf file is found, or a setting is absent from it, these default values are used. For example, because dns_lookup_kdc defaults to true, a KDC that is not listed under [realms] is located through a DNS lookup; set dns_lookup_kdc = false and list the kdc explicitly if KDC discovery should not depend on DNS.