[37430] in Kerberos


Re: Quick question related to Kerberos + AES256 + SHA2

daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Feb 25 11:13:51 2016

MIME-Version: 1.0
In-Reply-To: <1456414787.6599.296.camel@redhat.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 25 Feb 2016 09:13:14 -0700
Message-ID: <CALNT6MX_ytAEaq9ar_RwsnVgU=z0X4KPsQ=Q8Ex+7Ar6kEbOvg@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

The supported encryption types are tied to the Kerberos release, which is
tied to the OS release level by our distribution vendors.  It is extremely
rare for customers to be compiling / building Kerberos on their own.

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
*permitted_enctypes*

Note that permitted encryption types for the MIT libraries REQUIRE that the
proper encryption type name be used; abbreviated names are not supported.
What's in that link is the form of the name that will be parsed; invalid
encryption types are ignored and the defaults are applied instead (all the
types).

Encryption types that are newer in the MIT/AD space are limited by the
support of the JDK, detailed by the JGSS listing:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html

Note arcfour-hmac-md5 is also supported (rc4-hmac)

The JDK cannot support the newer Camellia encryption types in RHEL 7.1.

On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <simo@redhat.com> wrote:

> Note that the Kitten WG is working on standardizing new enctypes for
> AES+HMAC-SHA2, this is the latest draft:
> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>
> Although it will take a while before all the most common implementations
> will have support for it, and it may never land on older OSs.
>
> Simo.
>
> On Thu, 2016-02-25 at 14:22 +0000, Prashanth Marampally wrote:
> > Yep. Got it!
> >
> > Thanks,
> > Prashanth
> >
> > -----Original Message-----
> > From: Rick van Rein [mailto:rick@openfortress.nl]
> > Sent: Thursday, February 25, 2016 7:50 PM
> > To: Prashanth Marampally
> > Cc: kerberos@mit.edu
> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
> >
> > OK,
> >
> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
> > stronger.  I didn't make that clear before.
> >
> > -Rick
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
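The reply above makes a point that is easy to get wrong in practice: an enctype token in krb5.conf that the MIT library does not recognise is silently dropped, and a list with nothing usable left in it falls back to the built-in defaults, so a typo can quietly re-enable types you meant to exclude. The following is an added example, not code from the thread or from MIT krb5: a small audit script that parses the three [libdefaults] enctype lists, reports tokens that are not in the name table, and flags legacy types such as RC4 and DES. The name table is an assumption drawn from the enctype list in the krb5.conf documentation the reply links (plus the aes-sha2 names that the Kitten draft Simo cites became in RFC 8009, which only exist in krb5 1.15 and later); check it against your own release's documentation. The sample krb5.conf is constructed for the example.

```python
"""Audit the enctype lists in a krb5.conf [libdefaults] section.

Added example, not part of the mailing-list thread or of MIT krb5.
The name table below is assumed from the MIT krb5.conf enctype documentation
and should be checked against the documentation for the krb5 release in use.
"""
import re

# Full enctype names and documented aliases (assumption: taken from the MIT
# krb5.conf enctype table; aes*-sha2 names are RFC 8009, krb5 >= 1.15 only).
STRONG = {
    "aes256-cts-hmac-sha1-96", "aes256-cts",
    "aes128-cts-hmac-sha1-96", "aes128-cts",
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
    "camellia256-cts-cmac",
    "camellia128-cts-cmac",
}
LEGACY = {
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
    "arcfour-hmac-exp",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}

ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample: one abbreviated (unparseable) token and one legacy type.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # 'aes256' is an abbreviation, not a documented name; 'rc4-hmac' is legacy
    permitted_enctypes = aes256 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def libdefaults_enctypes(text):
    """Return {key: [tokens]} for the enctype lists found in [libdefaults]."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key in ENCTYPE_KEYS:
            # krb5.conf accepts space- or comma-separated lists
            result[key] = value.replace(",", " ").split()
    return result


def audit(text):
    """Classify every configured token as strong, legacy or unknown.

    Returns {key: {"strong": [...], "legacy": [...], "unknown": [...]}}.
    An 'unknown' token is one the MIT library would not parse; if a list
    contains only unknown tokens, the built-in defaults apply instead.
    """
    report = {}
    for key, tokens in libdefaults_enctypes(text).items():
        entry = {"strong": [], "legacy": [], "unknown": []}
        for tok in tokens:
            if tok in STRONG:
                entry["strong"].append(tok)
            elif tok in LEGACY:
                entry["legacy"].append(tok)
            else:
                entry["unknown"].append(tok)
        report[key] = entry
    return report


def main():
    for key, entry in audit(SAMPLE_KRB5_CONF).items():
        print(key)
        for cls, toks in entry.items():
            if toks:
                print(f"  {cls:8s}: {' '.join(toks)}")


if __name__ == "__main__":
    main()
```

Run against a real /etc/krb5.conf by replacing SAMPLE_KRB5_CONF with the file contents; any token reported as unknown is one the library will ignore, and a permitted_enctypes line whose only surviving entries are legacy types is worth fixing before the KDC is tightened.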
