| Title: 1.1.3 - Keys |
| NavPrev: 1.1.2-principals.html |
| NavPrevText: 1.1.2 - Principals |
| NavUp: 1.1-introduction.html |
| NavUpText: 1.1 - Introduction |
| NavNext: 1.1.4-kdc.html |
| NavNextText: 1.1.4 - KDC (Key Distribution Center) |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| # 1.1.3 - Keys |
| |
| The **Kerberos** server generates keys based on the password we provide. Those keys are stored in the server and used to encrypt and decrypt the data being exchanged with the client. |
| |
| The Key is computed using either the user's password or a random value, and is salted with the realm. |
| |
| <DIV class="INFO" markdown="1"> |
| Using the realm as the salt offers a level of protection : if one's key is broken on a realm, that does not mean the password is compromised. The key on another realm would still be safe. |
| </DIV> |
| |
| ## How it works in ApacheDS ? |
| |
| When you add a new entry in the server, it generates a secret key using the password and the **Principal** of the added entry. For instance, say we add this entry : |
| |
| :::text |
| dn: uid=hnelson,ou=users,dc=example,dc=com |
| objectClass: inetOrgPerson |
| objectClass: organizationalPerson |
| objectClass: person |
| objectClass: krb5principal |
| objectClass: krb5kdcentry |
| objectClass: top |
| uid: hnelson |
| userPassword: secret |
| krb5PrincipalName: hnelson@EXAMPLE.COM |
| krb5KeyVersionNumber: 0 |
| cn: Horatio Nelson |
| sn: Nelson |
| |
| the server will automatically create the keys (each one is encoded in ASN.1 BER format), set them as values of krb5key attribute and add to the entry. |
| |
| Each value of krb5Key attribbute will be in the following ASN.1 format : |
| |
| ::text |
| EncryptionKey ::= SEQUENCE { |
| keytype [0] Int32 -- actually encryption type --, |
| keyvalue [1] OCTET STRING |
| } |
| |
| <DIV class="INFO" mardown="1"> |
| There is a special case : if the password is "randomkey", the key will be generated using a random number created on the fly. |
| </DIV> |
| |
| <DIV class="INFO" mardown="1"> |
| Note that we will generate more than one key : we generate one key for each of the supported encryption types. |
| |
| ApacheDS Kerberos server supports the following set of encryption types : |
| |
| * DES_CBC_MD5 |
| * DES3_CBC_SHA1_KD |
| * RC4_HMAC |
| * AES128_CTS_HMAC_SHA1_96 |
| * AES256_CTS_HMAC_SHA1_96 |
| |
| The default encryption types used by the server are, aes128-cts-hmac-sha1-96, des-cbc-md5 and des3-cbc-sha1-kd DES_CBC_MD5. The supported encryption types can be added or removed by modifying the Kerberos server configuration. |
| </DIV> |
| |
| |
| The modified entry will now look like : |
| |
| :::text |
| dn: uid=hnelson,ou=users,dc=example,dc=com |
| objectClass: inetOrgPerson |
| objectClass: organizationalPerson |
| objectClass: person |
| objectClass: krb5principal |
| objectClass: krb5kdcentry |
| objectClass: top |
| uid: hnelson |
| userPassword: secret |
| krb5PrincipalName: hnelson@EXAMPLE.COM |
| krb5KeyVersionNumber: 0 |
| cn: Horatio Nelson |
| sn: Nelson |
| krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F 0xBE ...' |
| krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29 0x52 ...' |
| krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...' |
| krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64 0x8A ...' |
| krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38 0xB6 ...' |
| |
| Each of these keys match one of the EncryptionType. |