GSSContext's wrap() and MessageProp: Which encryption is used and available
Hi there,
I have got a question regarding GSSContext's wrap()/unwrap() methods.
These methods take a parameter of class MessageProp;
an instance of this class is used to indicate the desired Quality-of-Protection (QOP).
The QOP can be set by an integer, but which kind of protection is indicated by which number? Which kind of encryption is used, and which are available?
How secure are these message exchanges?
I think QOP is useless (at least for Kerberos in Java), it's always 0.
The strength of encryption depends on the mechanism below. For Kerberos, it's what the implementation supports and how you configure which etypes you prefer in krb5.conf. Normally 3des, aes-128 and aes-256 are considered strong ones.
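An added example, not code from this thread: it requests privacy when wrapping and, on unwrap, reads back from MessageProp what protection the peer actually applied instead of trusting the requested QOP. It assumes `ctx` is an already-established Kerberos GSSContext (the initSecContext/acceptSecContext loop is not shown); the class and method names are my own.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

/**
 * Helpers around GSSContext.wrap()/unwrap() (hypothetical class, added here).
 * The cipher behind wrap() is the Kerberos session key's enctype, decided by the
 * KDC and the client's krb5.conf [libdefaults] (permitted_enctypes,
 * default_tkt_enctypes, default_tgs_enctypes); `klist -e` shows what was issued.
 * Nothing in MessageProp lets you pick a cipher after the fact.
 */
public final class GssMessageCheck {

    /** Wrap a message asking for confidentiality. QOP 0 means "mechanism default". */
    public static byte[] protect(GSSContext ctx, byte[] plaintext) throws GSSException {
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("security context not established");
        }
        // Privacy is only available if requestConf(true) was set before establishment
        // and the mechanism granted it; otherwise wrap() would silently fall back to integrity only.
        if (!ctx.getConfState()) {
            throw new SecurityException("confidentiality was not negotiated for this context");
        }
        MessageProp prop = new MessageProp(0, true); // qop 0, privacy requested
        return ctx.wrap(plaintext, 0, plaintext.length, prop);
    }

    /** Unwrap a received token and reject anything that was not encrypted or is replayed/out of order. */
    public static byte[] receive(GSSContext ctx, byte[] token) throws GSSException {
        MessageProp prop = new MessageProp(0, false);
        byte[] plaintext = ctx.unwrap(token, 0, token.length, prop);
        // After unwrap(), prop describes what the sender really applied, not what we asked for.
        if (!prop.getPrivacy()) {
            throw new SecurityException("peer sent an integrity-only token; expected encryption");
        }
        if (prop.isDuplicateToken() || prop.isOldToken()
                || prop.isUnseqToken() || prop.isGapToken()) {
            throw new SecurityException("replay or sequencing problem, minor status "
                    + prop.getMinorStatus());
        }
        return plaintext;
    }

    private GssMessageCheck() {}
}
```

Replay and sequence flags on the MessageProp are only meaningful if requestReplayDet(true) / requestSequenceDet(true) were set before the context was established.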
ahh, I see, could've guessed that myself... Thanks for your reply!
Anyway, DES3 seems to be the weapon of choice as it is supported by the Java Kerberos module, but obviously not by my Active Directory/KDC.
After some further investigation I found out that DES can be hacked within 24h, but: the Kerberos clock skew is 5 min and our ticket lifetime is 8 hrs. So there's a remaining risk which seems to be justifiable. What do you think of that?
Your KDC is Active Directory? Then its default etype should be RC4.
This etype is already supported in JDK 6 and 5.0 update 7. You needn't do any extra configuration and it will be automatically chosen. Try the kinit tool that comes with the Windows version of the JRE and use klist -e to look at the result.
I have no idea if RC4 is strong or not, but if you live inside a Windows world, that's what they are offering you now.