[37431] in Kerberos


Re: Quick question related to Kerberos + AES256 + SHA2

daemon@ATHENA.MIT.EDU (Todd Grayson)
Thu Feb 25 11:18:54 2016

In-Reply-To: <CALNT6MX_ytAEaq9ar_RwsnVgU=z0X4KPsQ=Q8Ex+7Ar6kEbOvg@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Thu, 25 Feb 2016 09:18:14 -0700
Message-ID: <CALNT6MWb-NVVYTFeXhKNrDu3Xwq95BPgMXP0J4P8Cgpk=mnb_g@mail.gmail.com>
To: Simo Sorce <simo@redhat.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

Apologies everyone - this was a mixed up response by me.

Please disregard my discussion on download and compile, I'm discussing a
behavior by our install base, not the MIT user community.

On Thu, Feb 25, 2016 at 9:13 AM, Todd Grayson <tgrayson@cloudera.com> wrote:

> The supported encryption types are tied to the Kerberos release, which is
> tied to the OS release level by our distribution vendors.  It is extremely
> rare for customers to be compiling / building Kerberos on their own.
>
>
> http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
> *permitted_enctypes*
>
> Note that permitted encryption types for the MIT libraries REQUIRE the
> proper encryption type name be used; abbreviated names are not supported.
> What's in that link is the form of the name that will be parsed. Invalid
> encryption types are ignored and the defaults are applied instead (all the
> types).
>
> Encryption types that are newer in the MIT/AD space are limited by the
> support of the JDK, detailed by the JGSS listing:
>
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
>
> Note arcfour-hmac-md5 is also supported (rc4-hmac)
>
> The JDK cannot support the newer Camellia encryption types in RHEL 7.1
>
> On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <simo@redhat.com> wrote:
>
>> Note that the Kitten WG is working on standardizing new enctypes for AES
>> +HMAC-SHA2, this is the latest draft:
>> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>>
>> Although it will take a while before all the most common implementations
>> will have support for it, and it may never land on older OSs.
>>
>> Simo.
>>
>> On Thu, 2016-02-25 at 14:22 +0000, Prashanth Marampally wrote:
>> > Yep. Got it!
>> >
>> > Thanks,
>> > Prashanth
>> >
>> > -----Original Message-----
>> > From: Rick van Rein [mailto:rick@openfortress.nl]
>> > Sent: Thursday, February 25, 2016 7:50 PM
>> > To: Prashanth Marampally
>> > Cc: kerberos@mit.edu
>> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
>> >
>> > OK,
>> >
>> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
>> > stronger.  I didn't make that clear before.
>> >
>> > -Rick
>> >
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos@mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>


-- 
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
