Spec-Zone .ru
спецификации, руководства, описания, API
|
The goal of this
exercise is to learn how to use various Kerberos encryption algorithms
to secure the communication. In J2SE 1.4, Java GSS/Kerberos provided
support for only DES encryption type. The Java GSS/Kerberos provider
has been enhanced in J2SE 5.0 and later releases to support stronger
Kerberos encryption algorithms,
and is in compliance with latest Kerberos specification RFC4120.
Support for various Kerberos encryption types, such as AES256, AES128,
3DES, RC4-HMAC, and DES are now all available. J2SE 5.0 supports 3DES
and DES Kerberos encryption types. Support for AES and RC4-HMAC in
Kerberos is available for Java SE 6 onwards.
Here is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE 6.0:
src/krb5.conf
AES256-CTS
encryption type[libdefaults]NOTE: Solaris 10 does not support
default_tkt_enctypes = aes256-cts default_tgs_enctypes = aes256-cts permitted_enctypes = aes256-cts
AES256
by default. You will need to install
the following packages:-SUNWcry, SUNWcryr, SUNWcryptointIn addition, JCE in Java SE also does not support
AES256
by default. AES128-CTS
encryption type
[libdefaults]
default_tkt_enctypes = aes128-cts
default_tgs_enctypes = aes128-cts
permitted_enctypes = aes128-cts
RC4-HMAC
encryption type
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
DES3-CBC-SHA1
encryption type
[libdefaults]
default_tkt_enctypes = des3-cbc-sha1
default_tgs_enctypes = des3-cbc-sha1
permitted_enctypes = des3-cbc-sha1
DES-CBC-MD5
encryption type
[libdefaults]
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5
DES-CBC-CRC
encryption type
[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
permitted_enctypes = des-cbc-crc
% kdestroy
% xterm &
% java -Djava.security.auth.login.config=jaas-krb5.conf \ -Djava.security.krb5.conf=krb5.conf \ GSSServer
host
running on the machine j1hol-001
, you would
enter the following. When prompted for the password, enter changeit.% java -Djava.security.auth.login.config=jaas-krb5.conf
-Djava.security.krb5.conf=krb5.conf \
GSSClient host j1hol-001
In this exercise, you learned how to
write a client-server application that uses Java GSS API to
authenticate and communicate securely with each other, using stronger
Kerberos encryption algorithms. You can enable Kerberos debugging
(-Dsun.security.krb5.debug=true
), to obtain information about the
Kerberos encryption type used.