Introduction: This article explains in detail how to enable and use non-default encryption types such as "aes128-cts" in the Kerberos settings (IBM® Network Authentication Service). It also explains why each step is performed. This content helps Kerberos administrators use any non-default encryption type in their Kerberos settings.
Brief introduction
IBM Network Authentication Service (NAS) is based on the standard protocol for Kerberos Version 5, Internet Engineering Task Force (IETF) Request for Comments (RFC) 1510. Kerberos is a network authentication protocol. It is designed to provide strong authentication and encrypted communication for client-server applications by using secret-key cryptography. IBM NAS Server (KDC) is supported on IBM AIX.
Network File System (NFS) version 4 is the latest edition of the NFS protocol, which defines a new generation of network file systems. NFS V4 is specified in detail in RFC 3530. An important feature of NFS V4 is that it meets higher security standards. In this protocol, the GSS-API framework, with the Kerberos, LIPKEY, and SPKM-3 mechanisms, protects the interaction between the client and the server.
IBM NFS V4 uses the Kerberos implementation provided by IBM NAS to meet its security requirements. IBM NAS is used for authentication, and it can also be used for message encryption between NFS clients and servers.
IBM NAS supports different encryption types, which differ in the strength of the algorithm and the length of the key used. The combination of algorithm and key length produces strong, medium, or weak encryption. Prior to IBM NFS V4, IBM AIX® V5.3L and 6.1 were able to use AES encryption (128-bit and 256-bit key lengths).
Encryption types supported by IBM NAS and IBM NFS V4
IBM NAS supports encryption algorithms such as ARCFOUR, DES, Triple-DES, and AES. Using a combination of different key lengths and hashing algorithms, IBM NAS provides the encryption types shown in Table 1.
Table 1. Encryption types supported by IBM NAS
Encryption type | Description | Name used in the configuration file
ENCTYPE_AES128_CTS_HMAC_SHA1_96 | AES-128 CTS mode, 96-bit SHA-1 HMAC | "aes128-cts-hmac-sha1-96" / "aes128-cts"
ENCTYPE_AES256_CTS_HMAC_SHA1_96 | AES-256 CTS mode, 96-bit SHA-1 HMAC | "aes256-cts-hmac-sha1-96" / "aes256-cts"
ENCTYPE_DES_CBC_CRC | DES CBC mode, CRC-32 | "des-cbc-crc"
ENCTYPE_DES_CBC_MD4 | DES CBC mode, RSA-MD4 | "des-cbc-md4"
ENCTYPE_DES_CBC_MD5 | DES CBC mode, RSA-MD5 | "des-cbc-md5"
ENCTYPE_DES3_CBC_SHA1 | Triple DES CBC mode, HMAC/SHA1 | "des3-cbc-sha1"
ENCTYPE_ARCFOUR_HMAC | ARCFOUR, HMAC/MD5 | "arcfour-hmac"
ENCTYPE_ARCFOUR_HMAC_EXP | Exportable ARCFOUR, HMAC/MD5 | "arcfour-hmac-exp"
IBM NFS V4 supports a subset of the encryption types in Table 1. The supported encryption algorithms are DES, Triple-DES, and AES. Using a combination of different key lengths and hashing algorithms, IBM NFS V4 supports the following encryption types: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, aes128-cts, aes256-cts.
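The following added example (not part of the original article or of IBM's code) audits the encryption-type lists in a Kerberos configuration against Table 1 and the NFS V4 subset, so an administrator can see which configured types IBM NAS accepts but NFS V4 cannot use. It assumes the standard krb5.conf settings default_tkt_enctypes and default_tgs_enctypes under [libdefaults], which this section does not show, and runs on a constructed sample configuration.

```python
import re

# Configuration-file names from Table 1, mapped to their canonical long form.
NAS_ENCTYPES = {name: name for name in (
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-exp")}
# Short aliases listed in Table 1.
NAS_ENCTYPES.update({a: a + "-hmac-sha1-96" for a in ("aes128-cts", "aes256-cts")})

# Subset that IBM NFS V4 supports, per the paragraph above.
NFS4_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
                 "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Constructed sample; the realm and the chosen lists are illustrative only.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes128-cts des3-cbc-sha1 arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, des-cbc-md5, bogus-enctype
"""

def parse_enctype_lists(conf_text):
    """Return {setting: [names]} for *_enctypes settings in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.endswith("_enctypes"):
                found[key] = [n for n in re.split(r"[,\s]+", value) if n]
    return found

def audit(conf_text):
    """Label each name 'ok', 'nas-only' (not usable by NFS V4) or 'unknown'."""
    report = {}
    for key, names in parse_enctype_lists(conf_text).items():
        for name in names:
            canon = NAS_ENCTYPES.get(name)   # None if not in Table 1
            status = ("unknown" if canon is None
                      else "ok" if canon in NFS4_ENCTYPES else "nas-only")
            report.setdefault(key, []).append((name, status))
    return report
```

A "nas-only" result marks a type such as arcfour-hmac that IBM NAS can issue but that falls outside the NFS V4 list above; "unknown" marks a name that does not appear in Table 1 at all.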