[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS shishi/doc/specifications
|
From: |
shishi-commit |
|
Subject: |
CVS shishi/doc/specifications |
|
Date: |
Wed, 28 Dec 2005 11:13:27 +0100 |
Update of /home/cvs/shishi/doc/specifications
In directory dopio:/tmp/cvs-serv5913
Added Files:
draft-ietf-cat-kerberos-pk-init-31.txt
Log Message:
Add.
--- /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-31.txt
2005/12/28 10:13:26 NONE
+++ /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-31.txt
2005/12/28 10:13:26 1.1
NETWORK WORKING GROUP L. Zhu
Internet-Draft Microsoft Corporation
Expires: June 24, 2006 B. Tung
USC Information Sciences Institute
December 21, 2005
Public Key Cryptography for Initial Authentication in Kerberos
draft-ietf-cat-kerberos-pk-init-31
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 24, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes protocol extensions (hereafter called PKINIT)
to the Kerberos protocol specification. These extensions provide a
method for integrating public key cryptography into the initial
authentication exchange, by using asymmetric-key signature and/or
encryption algorithms in pre-authentication data fields.
Zhu & Tung Expires June 24, 2006 [Page 1]
�
Internet-Draft PKINIT December 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 5
3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Definitions, Requirements, and Constants . . . . . . . . . 6
3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6
3.1.2. Defined Message and Encryption Types . . . . . . . . . 6
3.1.3. Algorithm Identifiers . . . . . . . . . . . . . . . . 7
3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9
3.2.1. Generation of Client Request . . . . . . . . . . . . . 9
3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 13
3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 17
3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 24
3.3. Interoperability Requirements . . . . . . . . . . . . . . 25
3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 26
4. Security Considerations . . . . . . . . . . . . . . . . . . . 26
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.1. Normative References . . . . . . . . . . . . . . . . . . . 29
7.2. Informative References . . . . . . . . . . . . . . . . . . 31
Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 31
Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 36
Appendix C. Miscellaneous Information about Microsoft Windows
PKINIT Implementations . . . . . . . . . . . . . . . 38
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
Intellectual Property and Copyright Statements . . . . . . . . . . 41
Zhu & Tung Expires June 24, 2006 [Page 2]
�
Internet-Draft PKINIT December 2005
1. Introduction
The Kerberos V5 protocol [RFC4120] involves use of a trusted third
party known as the Key Distribution Center (KDC) to negotiate shared
session keys between clients and services and provide mutual
authentication between them.
The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
A Ticket encapsulates a symmetric key (the ticket session key) in an
envelope (a public message) intended for a specific service. The
contents of the Ticket are encrypted with a symmetric key shared
between the service principal and the issuing KDC. The encrypted
part of the Ticket contains the client principal name, amongst other
items. An Authenticator is a record that can be shown to have been
recently generated using the ticket session key in the associated
Ticket. The ticket session key is known by the client who requested
the ticket. The contents of the Authenticator are encrypted with the
associated ticket session key. The encrypted part of an
Authenticator contains a timestamp and the client principal name,
amongst other items.
As shown in Figure 1 below, the Kerberos V5 protocol consists of the
following message exchanges between the client and the KDC, and the
client and the application service:
- The Authentication Service (AS) Exchange
The client obtains an "initial" ticket from the Kerberos
authentication server (AS), typically a Ticket Granting Ticket
(TGT). The AS-REQ message and the AS-REP message are the request
and the reply message respectively between the client and the AS.
- The Ticket Granting Service (TGS) Exchange
The client subsequently uses the TGT to authenticate and request a
service ticket for a particular service, from the Kerberos ticket-
granting server (TGS). The TGS-REQ message and the TGS-REP
message are the request and the reply message respectively between
the client and the TGS.
- The Client/Server Authentication Protocol (AP) Exchange
The client then makes a request with an AP-REQ message, consisting
of a service ticket and an authenticator that certifies the
client's possession of the ticket session key. The server may
optionally reply with an AP-REP message. AP exchanges typically
negotiate session specific symmetric keys.
Zhu & Tung Expires June 24, 2006 [Page 3]
�
Internet-Draft PKINIT December 2005
Usually, the AS and TGS are integrated in a single device also known
as the KDC.
Figure 1: The Message Exchanges in the Kerberos V5 Protocol
+--------------+
+--------->| KDC |
AS-REQ / +-------| |
/ / +--------------+
/ / ^ |
/ |AS-REP / |
| | / TGS-REQ + TGS-REP
| | / /
| | / /
| | / +---------+
| | / /
| | / /
| | / /
| v / v
++-------+------+ +-----------------+
| Client +------------>| Application |
| | AP-REQ | Server |
| |<------------| |
+---------------+ AP-REP +-----------------+
In the AS exchange, the KDC reply contains the ticket session key,
amongst other items, that is encrypted using a key (the AS reply key)
shared between the client and the KDC. The AS reply key is typically
derived from the client's password for human users. Therefore for
human users the attack resistance strength of the Kerberos protocol
is no stronger than the strength of their passwords.
The use of asymmetric cryptography in the form of X.509 certificates
[RFC3280] is popular for facilitating non-repudiation and perfect
secrecy. An established Public Key Infrastructure (PKI) provides key
management and key distribution mechanisms that can be used to
establish authentication and secure communication. Adding public-key
cryptography to Kerberos provides a nice congruence to public-key
protocols, obviates the human users' burden to manage strong
passwords, and allows Kerberized applications to take advantage of
existing key services and identity management.
The advantage afforded by the Kerberos TGT is that the client exposes
his long-term secrets only once. The TGT and its associated session
key can then be used for any subsequent service ticket requests. One
result of this is that all further authentication is independent of
the method by which the initial authentication was performed.
Consequently, initial authentication provides a convenient place to
Zhu & Tung Expires June 24, 2006 [Page 4]
�
Internet-Draft PKINIT December 2005
integrate public-key cryptography into Kerberos authentication. In
addition, the use of symmetric cryptography after the initial
exchange is preferred for performance.
This document describes the methods and data formats using which the
client and the KDC can use public and private key pairs to mutually
authenticate in the AS exchange and negotiate the AS reply key, known
only by the client and the KDC, to encrypt the AS-REP sent by the
KDC.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
In this protocol, both the client and the KDC have a public-private
key pair in order to prove their identities to each other over the
open network. The term "signature key" is used to refer to the
private key of the key pair being used.
The encryption key used to encrypt the enc-part field of the KDC-REP
in the AS-REP [RFC4120] is referred to as the AS reply key.
An empty sequence in an optional field can be either included or
omitted: both encodings are permitted and considered equivalent.
The term "Modular Exponential Diffie-Hellman" is used to refer to the
Diffie-Hellman key exchange as described in [RFC2631], in order to
differentiate it from other equivalent representations of the same
key agreement algorithm.
3. Extensions
This section describes extensions to [RFC4120] for supporting the use
of public-key cryptography in the initial request for a ticket.
Briefly, this document defines the following extensions to [RFC4120]:
1. The client indicates the use of public-key authentication by
including a special preauthenticator in the initial request. This
preauthenticator contains the client's public-key data and a
signature.
Zhu & Tung Expires June 24, 2006 [Page 5]
�
Internet-Draft PKINIT December 2005
2. The KDC tests the client's request against its authentication
policy and trusted Certification Authorities (CAs).
3. If the request passes the verification tests, the KDC replies as
usual, but the reply is encrypted using either:
a. a key generated through a Diffie-Hellman (DH) key exchange
[RFC2631] [IEEE1363] with the client, signed using the KDC's
signature key; or
b. a symmetric encryption key, signed using the KDC's signature
key and encrypted using the client's public key.
Any keying material required by the client to obtain the
encryption key for decrypting the KDC reply is returned in a pre-
authentication field accompanying the usual reply.
4. The client validates the KDC's signature, obtains the encryption
key, decrypts the reply, and then proceeds as usual.
Section 3.1 of this document enumerates the required algorithms and
necessary extension message types. Section 3.2 describes the
extension messages in greater detail.
3.1. Definitions, Requirements, and Constants
3.1.1. Required Algorithms
All PKINIT implementations MUST support the following algorithms:
o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-
sha1-96 [RFC3962].
o Signature algorithm: sha-1WithRSAEncryption [RFC3279].
o AS reply key delivery method: Diffie-Hellman key exchange
[RFC2631].
In addition, implementations of this specification MUST be capable of
processing the Extended Key Usage (EKU) extension and the id-pkinit-
san (as defined in Section 3.2.2) otherName of the Subject
Alternative Name (SAN) extension in X.509 certificates [RFC3280], if
present.
3.1.2. Defined Message and Encryption Types
PKINIT makes use of the following new pre-authentication types:
Zhu & Tung Expires June 24, 2006 [Page 6]
�
Internet-Draft PKINIT December 2005
PA_PK_AS_REQ 16
PA_PK_AS_REP 17
PKINIT also makes use of the following new authorization data type:
AD_INITIAL_VERIFIED_CAS 9
PKINIT introduces the following new error codes:
KDC_ERR_CLIENT_NOT_TRUSTED 62
KDC_ERR_INVALID_SIG 64
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
KDC_ERR_CANT_VERIFY_CERTIFICATE 70
KDC_ERR_INVALID_CERTIFICATE 71
KDC_ERR_REVOKED_CERTIFICATE 72
KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
KDC_ERR_CLIENT_NAME_MISMATCH 75
KDC_ERR_INCONSISTENT_KEY_PURPOSE 77
KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78
KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED 79
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80
PKINIT uses the following typed data types for errors:
TD_TRUSTED_CERTIFIERS 104
TD_INVALID_CERTIFICATES 105
TD_DH_PARAMETERS 109
The ASN.1 module for all structures defined in this document (plus
IMPORT statements for all imported structures) is given in
Appendix A.
All structures defined in or imported into this document MUST be
encoded using Distinguished Encoding Rules (DER) [X680] [X690]
(unless otherwise noted). All data structures carried in OCTET
STRINGs must be encoded according to the rules specified in
corresponding specifications.
Interoperability note: Some implementations may not be able to decode
wrapped CMS objects encoded with BER; specifically, they may not be
able to decode indefinite length encodings. To maximize
interoperability, implementers SHOULD encode CMS objects used in
PKINIT with DER.
3.1.3. Algorithm Identifiers
PKINIT does not define, but does make use of, the following algorithm
identifiers.
Zhu & Tung Expires June 24, 2006 [Page 7]
�
Internet-Draft PKINIT December 2005
PKINIT uses the following algorithm identifier(s) for Modular
Exponential Diffie-Hellman key agreement [RFC2631] [RFC3279]:
dhpublicnumber (as described in [RFC3279])
[1895 lines skipped]