Documentation Contents

The Kerberos 5 GSS-API Mechanism

(Return to Security Contents)

This section describes security features regarding Java Generic Security Services (Java GSS) for Kerberos 5.

The GSS-API mechanism is defined by RFC 1964, supplemented with RFC 4121 under the Official Internet Protocol Standards process. See RFC 1964 and RFC 4121.

This section also describes the Object Identifier (OID) for the Kerberos V5 mechanism, in the Official Internet Protocol Standards process, the encryption types, and the krb5.conf settings supported by Java GSS.

The OID for the Kerberos V5 Mechanism

According to RFC 1964 section 1, the OID for Java Generic Security Services (Java GSS) for Kerberos 5 is defined as 1.2.840.113554.1.2.

Java GSS/Kerberos Supported Encryption Types

The following table lists the preferred order of encryption types:

Java SE Supported Encryption Types
Name Aliases etype Number
aes256-cts-hmac-sha1-96 aes256-cts 18
aes128-cts-hmac-sha1-96 aes128-cts 17
arcfour-hmac-md5 arcfour-hmac 23
des3-cbc-sha1 des3-hmac-sha1, des3-cbc-sha1-kd, des3-cbc-hmac-sha1-kd 16
des-cbc-md5 None 3
des-cbc-crc None 1

Note that des-cbc-crc and dec-cbc-md5 are disabled by default in JDK 8.

A user can restrict the usage of encryption for various purposes in krb5.conf, in the [libdefaults] section.

For more detailed information about the AES encryption types (AES128 and AES256) and the RC4-HMAC encryption type, see Java Generic Security Services API and Kerberos Enhancements for Java SE 6.

For more detailed information about the DES and Triple DES encryption types, see Java Generic Security Services API and Kerberos Enhancements for Java SE 5.0 and Support for Triple DES Encryption.

Supported krb5.conf Settings

The following parameters are supported:

[libdefaults]
default_realm
allow_weak_crypto
 
dns_lookup_kdc
dns_lookup_realm
dns_fallback
 
default_checksum
safe_checksum_type
ap_req_checksum_type
default_keytab_name
 
default_tkt_enctypes
permitted_enctypes
default_tgs_enctypes
 
no_addresses
noaddresses
 
renewable
proxiable
forwardable
 
kdc_default_options
clockskew
 
kdc_timeout
udp_preference_limit
 
[realms]
  REALM.NAME = {
    kdc =
  }
 
[capaths]
  A = {
    I = .
    B = I
  }
 
[domain_realm]
  domain=REALM

The following are the defaults for krb5.conf file parameters.

no_addresses = true
noaddresses = true
dns_fallback = true
dns_lookup_kdc = true
dns_lookup_realm = true
allow_weak_crypto = false 
kdc_timeout = 30000
max_retries = 3
udp_preference_limit = -1
clockskew = 300
renewable = false
proxiable = false
forwardable = false

If no krb5.conf file is found or a setting doesn't exist in a krb5.conf file, then these default values will be used. For example, a DNS lookup will be performed to fetch KDC details because the default value of dns_lookup_kdc is true.

Oracle and/or its affiliates Copyright © 1993, 2023, Oracle and/or its affiliates. All rights reserved.
Contact Us