directory-dev mailing list archives

From Aleksander Adamowski <apache-direct...@olo.org.pl>
Subject Re: Default encryptionTypes for KdcServer
Date Mon, 16 Jan 2012 10:28:44 GMT
On Mon, Jan 16, 2012 at 08:46, Kiran Ayyagari <kayyagari@apache.org> wrote:
> In a default Java installation AES is not enabled; the user has to copy the
> unlimited cryptography extension jars
> (US_export_policy.jar and local_policy.jar) to enable it. (which IMHO
> is an annoyance for most developers and users alike)

I think only AES 256 is not enabled by standard policy because
symmetric cipher key lengths are capped at 128 bits.

According to my policy file on jdk 1.6.0_16:

// Some countries have import limits on crypto strength. This policy file is worldwide importable.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};

Notice that it allows all DESede variants and any other unspecified
ciphers (including AES) at up to 128 bits key length.

From looking at
http://svn.apache.org/repos/asf/directory/apacheds/trunk/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcSha1KdEncryption.java
it seems that des3-cbc-sha1-kd uses DESede.

So 128 bit AES and 3DES could be used on standard policy files, I suppose:

>>     private static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
>> -        { "des-cbc-md5" };
>> +        { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5" };
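Review bot: the new default list still ends with "des-cbc-md5" after the AES and 3DES entries; single-DES (56-bit key) enctypes are widely regarded as too weak for production Kerberos, so if it is kept only as a fallback for clients that cannot negotiate the stronger types, state that in a comment on DEFAULT_ENCRYPTION_TYPES and in the KdcServer configuration docs, and confirm that wherever this array is consumed the order is honoured as a preference order (strongest first), since the patch relies on that ordering.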


-- 
Best Regards,
  Aleksander Adamowski
  http://olo.org.pl
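The policy-file reading above (DESede unrestricted, AES and other unlisted ciphers capped at 128 bits) can be verified on a given JVM without parsing the policy file at all: javax.crypto.Cipher.getMaxAllowedKeyLength() reports the effective cap. The program below is an added example, not code from the thread or from ApacheDS; the mapping of Kerberos enctype names to the JCE cipher and key length they need is constructed for this illustration (key lengths as JCE counts them: 64-bit DES keys include parity bits, DESede is 168 bits). On the JDK 6 policy quoted above it reports aes256-cts-hmac-sha1-96 as blocked and the other three as allowed; on JDK 8u161 or later, where the unlimited policy is the default, all four are allowed.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class EtypePolicyCheck {

    // Constructed table: Kerberos enctype, the JCE cipher it relies on, and the
    // key length (in bits, as the JCE policy counts it) that enctype needs.
    private static final String[][] ETYPES = {
        { "aes256-cts-hmac-sha1-96", "AES",    "256" },
        { "aes128-cts-hmac-sha1-96", "AES",    "128" },
        { "des3-cbc-sha1-kd",        "DESede", "168" },
        { "des-cbc-md5",             "DES",    "64"  },
    };

    /**
     * Returns each enctype mapped to whether the installed JCE jurisdiction
     * policy permits the key length it needs. getMaxAllowedKeyLength() returns
     * Integer.MAX_VALUE for ciphers the policy leaves unrestricted ("*").
     */
    public static Map<String, Boolean> checkEtypes() throws NoSuchAlgorithmException {
        Map<String, Boolean> result = new LinkedHashMap<String, Boolean>();
        for (String[] e : ETYPES) {
            String etype = e[0];
            String jceCipher = e[1];
            int needed = Integer.parseInt(e[2]);
            int max = Cipher.getMaxAllowedKeyLength(jceCipher);
            result.put(etype, needed <= max);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, Boolean> entry : checkEtypes().entrySet()) {
            System.out.printf("%-26s %s%n", entry.getKey(),
                    entry.getValue() ? "allowed" : "blocked by jurisdiction policy");
        }
    }
}
```

Running this once on the KDC host before settling on DEFAULT_ENCRYPTION_TYPES avoids shipping a default the local JVM cannot actually service; a KDC that advertises an enctype it cannot key will simply fail the AS exchange for clients that pick it.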
