directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Default encryptionTypes for KdcServer
Date Mon, 16 Jan 2012 10:42:07 GMT
On Mon, Jan 16, 2012 at 3:58 PM, Aleksander Adamowski
<apache-directory@olo.org.pl> wrote:
> On Mon, Jan 16, 2012 at 08:46, Kiran Ayyagari <kayyagari@apache.org> wrote:
>> In a default Java installation AES is not enabled; the user has to copy the
>> unlimited cryptography extension jars
>> (US_export_policy.jar and local_policy.jar) to enable it (which IMHO
>> is an annoyance for most developers and users alike).
>
> I think only AES 256 is not enabled by standard policy because
> symmetric cipher key lengths are capped at 128 bits.
>
> According to my policy file on jdk 1.6.0_16:
>
> // Some countries have import limits on crypto strength. This policy
> file is worldwide importable.
> grant {
>    permission javax.crypto.CryptoPermission "DES", 64;
>    permission javax.crypto.CryptoPermission "DESede", *;
>    permission javax.crypto.CryptoPermission "RC2", 128,
>                                     "javax.crypto.spec.RC2ParameterSpec", 128;
>    permission javax.crypto.CryptoPermission "RC4", 128;
>    permission javax.crypto.CryptoPermission "RC5", 128,
>          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
>    permission javax.crypto.CryptoPermission "RSA", *;
>    permission javax.crypto.CryptoPermission *, 128;
> };
>
> Notice that it allows all DESede variants and any other unspecified
> ciphers (including AES) at up to 128 bits key length.
>
> From looking at
> http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcSha1KdEncryption.java
> it seems that des3-cbc-sha1-kd uses DESede.
>
> So 128 bit AES and 3DES could be used on standard policy files, I suppose:
>
Yeap, correct. Earlier I tested with 256-bit
AES (aes256-cts-hmac-sha1-96) using the default policy; now the test
passes using 128-bit AES with the default policy.

Appreciate the detailed information; otherwise I naively assumed that
AES was completely disabled, based on the error log message:
(java.lang.IllegalArgumentException: Algorithm AES256 not enabled
	at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:292))

>>>     private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
>>> -        { "des-cbc-md5" };
>>> +        { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5" };
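Review bot: the `+` line keeps "des-cbc-md5" at the end of the new default list, and under the quoted policy single DES is granted at 64 bits, so a client that offers only DES still ends up with a 56-bit-effective key; please document that the array is a preference order and that the DES entry stays only for compatibility with old clients (or drop it), and note in the commit message why "aes128-cts-hmac-sha1-96" rather than the 256-bit variant was chosen (the default jurisdiction policy caps AES at 128 bits, which is the "Algorithm AES256 not enabled" error seen above), so the next person does not silently promote it to aes256 and break every default JRE.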
>
>
> --
> Best Regards,
>   Aleksander Adamowski
>   http://olo.org.pl



-- 
Kiran Ayyagari
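The thread's point, that the installed JCE jurisdiction policy rather than the JRE itself decides which Kerberos enctypes can be enabled, can be checked programmatically before a KDC picks its defaults. The following is an added example, not code from this thread or from ApacheDS; it assumes Java 11 or later, the class name EnctypePolicyCheck, and the enctype-to-JCE mapping given in its comments (des3-cbc-sha1-kd to DESede as in the Des3CbcSha1KdEncryption class linked above, the others being the standard RFC 3961/3962 definitions).

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Reports which Kerberos encryption types the installed JCE jurisdiction
 * policy allows, so a KDC can choose its default enctypes instead of failing
 * later at key creation with "Algorithm AES256 not enabled".
 * Added example; class and mapping are assumptions, not ApacheDS code.
 */
public class EnctypePolicyCheck {

    /** One candidate enctype: Kerberos name, JCE algorithm, and key sizes. */
    static final class Enctype {
        final String name;     // enctype name as used in the KdcServer configuration
        final String jceAlg;   // JCE algorithm the enctype is implemented with
        final int keyBits;     // key length compared against the policy limit
        final int keyBytes;    // raw key material length handed to SecretKeySpec

        Enctype(String name, String jceAlg, int keyBits, int keyBytes) {
            this.name = name;
            this.jceAlg = jceAlg;
            this.keyBits = keyBits;
            this.keyBytes = keyBytes;
        }
    }

    /** Candidates in preference order, strongest first (assumed mapping, see lead-in). */
    static final List<Enctype> CANDIDATES = List.of(
        new Enctype("aes256-cts-hmac-sha1-96", "AES", 256, 32),
        new Enctype("aes128-cts-hmac-sha1-96", "AES", 128, 16),
        new Enctype("des3-cbc-sha1-kd", "DESede", 168, 24),
        new Enctype("des-cbc-md5", "DES", 56, 8)
    );

    /** Static check: the policy's maximum key length for the algorithm (Integer.MAX_VALUE for "*"). */
    static boolean allowedByPolicy(Enctype e) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(e.jceAlg) >= e.keyBits;
    }

    /**
     * Runtime check: actually initialise a cipher with a key of that size.
     * A policy-restricted size fails here with InvalidKeyException ("Illegal key size").
     * ECB/NoPadding is used only because it needs no IV; this is a probe, not a cipher
     * to encrypt anything with, and the constructed key is never used for data.
     */
    static boolean initialises(Enctype e) {
        try {
            Cipher c = Cipher.getInstance(e.jceAlg + "/ECB/NoPadding");
            byte[] probe = new byte[e.keyBytes];
            Arrays.fill(probe, (byte) 0x5A);   // constructed dummy key material
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(probe, e.jceAlg));
            return true;
        } catch (InvalidKeyException ex) {
            return false;                      // policy (or provider) refused this key size
        } catch (GeneralSecurityException ex) {
            throw new IllegalStateException(e.jceAlg + " not available in this JRE", ex);
        }
    }

    /** Enctype names usable under the installed policy, in preference order. */
    static List<String> enabledEnctypes() throws NoSuchAlgorithmException {
        List<String> enabled = new ArrayList<>();
        for (Enctype e : CANDIDATES) {
            if (allowedByPolicy(e) && initialises(e)) {
                enabled.add(e.name);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        for (Enctype e : CANDIDATES) {
            System.out.printf("%-24s %-6s policyMax=%d allowed=%b init=%b%n",
                e.name, e.jceAlg, Cipher.getMaxAllowedKeyLength(e.jceAlg),
                allowedByPolicy(e), initialises(e));
        }
        System.out.println("usable DEFAULT_ENCRYPTION_TYPES: " + enabledEnctypes());
    }
}
```

Run it once on the JRE the KDC will actually use. Under the limited policy quoted in the thread, aes256-cts-hmac-sha1-96 drops out while the 128-bit AES, DESede and DES entries remain, which is exactly the list in the quoted patch; on JDK 8u161 and later the unlimited policy is the default, so all four are reported. Doing both the static query and the real cipher initialisation matters because the policy limit is only enforced at init time, which is where the KDC's own error above came from.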
