JDK-8262273

Deprecate 3DES and RC4 in Kerberos


    • behavioral
    • minimal
    • AES-based encryption types were introduced in MIT krb5 around 2003, and Microsoft started supporting them in Windows Server 2008. The old 3DES and RC4 etypes are no longer used today. MIT krb5 deprecated them in 1.19 (released on 2021-02-01), and its KDC has not generated these keys by default since 1.14 (released in 2015).

      Users that have to interoperate with old krb5 implementations can add "allow_weak_crypto = true" in the krb5.conf file, or list the preferred etypes explicitly in a permitted_enctypes setting.
    • Other
    • Implementation

      Summary

      Deprecate 3DES and RC4 related encryption types used in Kerberos.

      Problem

      The two encryption types have long been considered weak and were deprecated in RFC 8429 in 2018.

      Solution

      Deprecate des3-hmac-sha1 (etype 16) and rc4-hmac (etype 23); that is, unless "allow_weak_crypto = true" is specified in krb5.conf, they will no longer appear in the list of permitted etypes used by the Kerberos implementation.
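      The two krb5.conf settings referenced in the compatibility-risk description and in the Solution above, as an added example that is not part of the JDK issue text. The first [libdefaults] block pins the etypes to AES explicitly, which is the configuration that does not depend on the deprecated types at all; the second block is the interop-only fallback that re-enables them. The realm and KDC host names are placeholders.

```ini
# Option A (preferred): name the AES etypes explicitly so that 3DES and RC4
# are never offered, regardless of the library's built-in default list.
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

# Option B (interop fallback only): keep the deprecated etypes available for a
# KDC or peer that still cannot do AES. Use this [libdefaults] INSTEAD of the
# one above, not in addition to it, and remove it once the peer is upgraded.
# [libdefaults]
#     default_realm = EXAMPLE.COM
#     allow_weak_crypto = true
```

      The Java Kerberos implementation reads [libdefaults] from the file named by the java.security.krb5.conf system property, or from the platform default locations when the property is not set. Option A is the one to verify after an upgrade: with it in place, a client that previously relied on rc4-hmac or des3-hmac-sha1 will fail to obtain a ticket, which is the intended signal that the peer (not the client) needs updating.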

      Specification

      This will be documented in the Kerberos 5 GSS-API Mechanism section of the Java documentation.

            Weijun Wang (weijun)
            Sean Mullan