  1. JDK
  2. JDK-8262273

Deprecate 3DES and RC4 in Kerberos

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      AES-based encryption types were introduced in MIT krb5 around 2003, and Microsoft started supporting them in Windows Server 2008. The old 3DES and RC4 etypes are no longer used today. MIT krb5 deprecated them in 1.19 (released on 2021-02-01), and its KDC has not generated these keys by default since 1.14 (released in 2015).

      Users that have to interoperate with old krb5 implementations can add "allow_weak_crypto = true" to the krb5.conf file, or list the preferred etypes explicitly in a permitted_enctypes setting.
    • Interface Kind:
      Other
    • Scope:
      Implementation

      Description

      Summary

      Deprecate 3DES and RC4 related encryption types used in Kerberos.

      Problem

      The two encryption types have long been considered weak and were deprecated in RFC 8429 in 2018.

      Solution

      Deprecate des3-hmac-sha1 (etype 16) and rc4-hmac (etype 23). That is, unless "allow_weak_crypto = true" is specified in krb5.conf, they will not appear in the permitted_etypes list of Kerberos.
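
One way to check a krb5.conf for the settings that bring the two deprecated etypes back, as an added example that is not part of the JDK change. The function name, the alias spellings beyond des3-hmac-sha1 and rc4-hmac, the extra default_tkt_enctypes/default_tgs_enctypes keys and the sample file are assumptions made for illustration.

```python
import re

# Names for the two etypes this page deprecates. des3-hmac-sha1 and rc4-hmac
# are the page's spellings; the other aliases are an assumption of this example.
WEAK = {
    "des3-hmac-sha1": 16, "des3-cbc-sha1": 16, "des3-cbc-sha1-kd": 16,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
# permitted_enctypes is named on the page; the two default_* keys are added here.
ETYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

def audit_krb5_conf(text):
    """Return (line, key, detail) for [libdefaults] settings that re-enable 3DES/RC4."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes"):
            findings.append((lineno, key, "weak etypes re-enabled"))
        elif key in ETYPE_KEYS:
            for name in re.split(r"[\s,]+", value):
                if name.lower() in WEAK:
                    findings.append((lineno, key, f"{name} (etype {WEAK[name.lower()]})"))
    return findings

# Constructed sample file, not taken from any real deployment.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # legacy interop
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des3-hmac-sha1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for lineno, key, detail in audit_krb5_conf(SAMPLE):
        print(f"krb5.conf:{lineno}: {key}: {detail}")
```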

      Specification

      This will be documented in The Kerberos 5 GSS-API Mechanism inside the Java documentation.

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              weijun Weijun Wang
              Reviewed By:
              Sean Mullan
              Votes:
              0
              Watchers:
              3
