Quick question related to Kerberos + AES256 + SHA2
Todd Grayson
tgrayson at cloudera.com
Thu Feb 25 11:18:14 EST 2016
Apologies everyone - this was a mixed up response by me.
Please disregard my discussion on download and compile, I'm discussing a
behavior by our install base, not the MIT user community.
On Thu, Feb 25, 2016 at 9:13 AM, Todd Grayson <tgrayson at cloudera.com> wrote:
> The supported encryption types are tied to the Kerberos release, which is
> tied to the OS release level by our distribution vendors. It is extremely
> rare for customers to be compiling / building kerberos on their own.
>
>
> http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults
> *permitted_enctypes*
>
> Note that permitted encryption types for the MIT libraries REQUIRE the
> proper encryption type name be used; abbreviated names are not supported.
> What's in that link is the form of the name that will be parsed; invalid
> encryption types are ignored and the defaults are applied instead (all the
> types).
>
> Encryption types that are newer in the MIT/AD space are limited by the
> support of the JDK, detailed by the JGSS listing:
>
>
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html
>
> Note arcfour-hmac-md5 is also supported (rc4-hmac)
>
> The JDK cannot support the newer CAMELLIA encryption types in the RHEL 7.1
>
> On Thu, Feb 25, 2016 at 8:39 AM, Simo Sorce <simo at redhat.com> wrote:
>
>> Note that the Kitten WG is working on standardizing new enctypes for AES
>> +HMAC-SHA2, this is the latest draft:
>> https://tools.ietf.org/html/draft-ietf-kitten-aes-cts-hmac-sha2-09
>>
>> Although it will take a while before all the most common implementations
>> will have support for it, and it may never land on older OSs.
>>
>> Simo.
>>
>> On Thu, 2016-02-25 at 14:22 +0000, Prashanth Marampally wrote:
>> > Yep. Got it!
>> >
>> > Thanks,
>> > Prashanth
>> >
>> > -----Original Message-----
>> > From: Rick van Rein [mailto:rick at openfortress.nl]
>> > Sent: Thursday, February 25, 2016 7:50 PM
>> > To: Prashanth Marampally
>> > Cc: kerberos at mit.edu
>> > Subject: Re: Quick question related to Kerberos + AES256 + SHA2
>> >
>> > OK,
>> >
>> > Also note that the hash is not SHA1 but HMAC-SHA1, which is much
>> > stronger. I didn't make that clear before.
>> >
>> > -Rick
>> >
>> > ________________________________________________
>> > Kerberos mailing list Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>
>
>
> --
> Todd Grayson
> Business Operations Manager
> Customer Operations Engineering
> Security SME
>
>
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME