Spec-Zone .ru
спецификации, руководства, описания, API

Part IV : Secure Communications using stronger encryption algorithms (Java SE 6.0)

Exercise 7: Configuring to use stronger encryption algorithms in a Kerberos environment, to secure the communication

Goal of this exercise:

The goal of this exercise is to learn how to use various Kerberos encryption algorithms to secure the communication. In J2SE 1.4, Java GSS/Kerberos provided support for only DES encryption type. The Java GSS/Kerberos provider has been enhanced in J2SE 5.0 and later releases to support stronger Kerberos encryption algorithms, and is in compliance with latest Kerberos specification RFC4120. Support for various Kerberos encryption types, such as AES256, AES128, 3DES, RC4-HMAC, and DES are now all available. J2SE 5.0 supports 3DES and DES Kerberos encryption types. Support for AES and RC4-HMAC in Kerberos is available for Java SE 6 onwards.

Here is a list of all the encryption types supported by the Java GSS/Kerberos provider in Java SE 6.0:

  1. AES256-CTS
  2. AES128-CTS
  3. RC4-HMAC
  4. DES3-CBC-SHA1
  5. DES-CBC-MD5
  6. DES-CBC-CRC

Steps to follow:

  1. Configure the Key Distribution Center (KDC) and update the Kerberos database

    At first you need to update to use the Key Distribution Center (KDC) that supports the required Kerberos encryption types, such as Solaris 10 or the latest MIT Kerberos 1.4 from MIT distribution. If you are using the Active Directory on a Windows platform, it only supports DES and RC4-HMAC encryption types.

    You will need to update the Kerberos database, to generate the new keys with stronger encryption algorithms. By default, Solaris 10 KDC will generate the keys for all the above encryption types listed. You can now create a keytab that will include all the keys for all the above encryption types.

    NOTE:  If you want to use Windows 2000 KDC, you can configure to use the DES and RC4-HMAC encryption types that are available on the Windows machine.


  2. Edit the Kerberos configuration file. This is located in src/krb5.conf

    You will need to edit the Kerberos configuration file in order to select the desired encryption types used. The required parameters are listed below, that you will need to insert under the libdefaults section of the Kerberos configuration file. For the purpose of this exercise, all the required entries have been added to a sample Kerberos configuration file included with the exercise, and the entries have been commented out. To enable the desired encryption type, you only need to uncomment the required entries.

Summary:

In this exercise, you learned how to write a client-server application that uses Java GSS API to authenticate and communicate securely with each other, using stronger Kerberos encryption algorithms. You can enable Kerberos debugging (-Dsun.security.krb5.debug=true), to obtain information about the Kerberos encryption type used.