Part IV : Secure Communications Using Stronger Encryption Algorithms
Exercise 6: Configuring to Use Stronger Encryption Algorithms in a Kerberos Environment, to Secure the Communication
Goal of This Exercise
The goal of this exercise is to learn how to use various Kerberos encryption algorithms to secure the communication. Java GSS/Kerberos provides a wide range of encryption algorithms, including AES256, AES128, 3DES, RC4-HMAC, and DES.
Note:
Encryption types based on DES, DES3, and RC4 are disabled by default. If you want to use one of these disabled encryption types, you must set the parameter allow_weak_crypto to true in your Kerberos configuration file. See Supported krb5.conf Settings.
The following is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE:
- AES256-CTS
- AES128-CTS
- AES256-SHA2
- AES128-SHA2
- RC4-HMAC
- DES3-CBC-SHA1
- DES-CBC-MD5
- DES-CBC-CRC
Steps to Follow
- Configure the Key Distribution Center (KDC) and update the Kerberos database.
First, update your setup to use a KDC that supports the required Kerberos encryption types. Then update the Kerberos database so that it generates new keys with the stronger encryption algorithms.
- If required, edit the Kerberos configuration file (krb5.conf).
You can edit the Kerberos configuration file to select the encryption types to be used. For example, to enable only the AES256-CTS encryption type, add the following:
[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
To enable only the AES128-CTS encryption type, add the following:
[libdefaults]
default_tkt_enctypes = aes128-cts
default_tgs_enctypes = aes128-cts
permitted_enctypes = aes128-cts
Note:
Destroy any pre-existing Kerberos TGT in the ticket cache from the previous exercise as follows:
% kdestroy
- Launch a new window and start the server using the updated krb5.conf as follows:
% java -Djava.security.auth.login.config=jaas-krb5.conf \
  -Djava.security.krb5.conf=krb5.conf GSSServer
- Run the client application using the updated krb5.conf. The GSSClient class takes two parameters: the service name and the name of the server that the service is running on. For example, if the service is host running on the machine j1hol-001, use the following (provide a secure password when prompted):
% java -Djava.security.auth.login.config=jaas-krb5.conf \
  -Djava.security.krb5.conf=krb5.conf \
  GSSClient host j1hol-001
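As an added check (not part of this exercise or of the Java GSS tutorial code), the following Python script parses the [libdefaults] section of a krb5.conf and reports weak enctypes (DES, 3DES, RC4) in the three enctype settings above, unset settings, and a permissive allow_weak_crypto. The sample configurations are constructed, and the weak-name prefixes are an assumption about the enctype spellings used in krb5.conf.

```python
import re

# Enctypes Java GSS/Kerberos disables unless allow_weak_crypto = true (prefix match, assumed).
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Return {section: {key: value}} from flat key = value lines of a krb5.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def audit_enctypes(text):
    """Return findings (strings) about weak or unset enctype settings."""
    defaults = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    if defaults.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables DES, 3DES and RC4")
    for key in ENCTYPE_KEYS:
        if key not in defaults:
            findings.append(f"{key} is not set; the library default list applies")
            continue
        for enctype in defaults[key].split():
            if enctype.lower().startswith(WEAK_PREFIXES):
                findings.append(f"{key} lists weak enctype {enctype}")
    return findings


# Constructed sample configurations (not taken from the exercise environment).
STRONG_CONF = """[libdefaults]
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
"""
WEAK_CONF = """[libdefaults]
allow_weak_crypto = true
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac des-cbc-md5
"""
```

Calling audit_enctypes(STRONG_CONF) returns no findings, while audit_enctypes(WEAK_CONF) lists the allow_weak_crypto setting and each RC4 or DES entry.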
Summary
In this exercise, you learned how to write a client-server application that uses the Java GSS API to authenticate and communicate securely using stronger Kerberos encryption algorithms. You can enable Kerberos debugging (-Dsun.security.krb5.debug=true) to obtain information about the Kerberos encryption type in use.