Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8193851

Support AES Encryption with HMAC-SHA2 for Kerberos 5 defined in RFC 8009

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Hide
      The new etypes are not the most preferred one. Even if preferred, the KDC will always generate tickets and session keys that are known to be supported by all parties.

      (I'd rather choose None but it's not allowed.)
      Show
      The new etypes are not the most preferred one. Even if preferred, the KDC will always generate tickets and session keys that are known to be supported by all parties. (I'd rather choose None but it's not allowed.)
    • Interface Kind:
      Other
    • Scope:
      Implementation

      Description

      Summary

      Support the two new encryption types "aes128-cts-hmac-sha256-128" and "aes256-cts-hmac-sha384-192" as defined in RFC 8009.

      Problem

      The new encryption types are using stronger HMAC algorithms based on SHA256 and SHA384. Both MIT krb5 and Heimdal have supported them in their latest releases. The RFC was published on October 2016.

      Solution

      Adding support for the two new encryption types.

      Specification

      • Two new encryption type names defined:
        • aes128-cts-hmac-sha256-128, etype number 19, with alias aes128-sha2
        • aes256-cts-hmac-sha384-192, etype number 20, with alias aes256-sha2
      • New aliases defined for existing encryption types:
        • aes128-sha1 for aes128-cts-hmac-sha1-96
        • aes256-sha1 for aes256-cts-hmac-sha1-96
      • The new preference order will be "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5"

      The names and preference order are the same with the latest release (1.15) of MIT krb5, the reference implementation of Kerberos 5.

      These changes will be added into the JDK 11 version of https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-api-mechanism.html. (Please note the JDK 9 doc on this topic is still in migration).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                weijun Weijun Wang
                Reviewed By:
                Sean Mullan
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: