idnits 2.17.1 draft-ietf-cat-kerberos-pk-init-34.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1924. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1901. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1908. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1914. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 7, 2006) is 6647 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 1724 -- Looks like a reference, but probably isn't: '1' on line 1728 -- Looks like a reference, but probably isn't: '2' on line 1713 -- Looks like a reference, but probably isn't: '3' on line 1633 == Unused Reference: 'RFC3565' is defined on line 1444, but no explicit reference was found in the text == Unused Reference: 'LENSTRA' is defined on line 1479, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE1363' ** Downref: Normative reference to an Informational RFC: RFC 2412 ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280) ** Obsolete normative reference: RFC 3447 (Obsoleted by RFC 8017) ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652) -- Possible downref: Non-RFC (?) normative reference: ref. 'X680' -- Possible downref: Non-RFC (?) normative reference: ref. 'X690' Summary: 8 errors (**), 0 flaws (~~), 6 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP L. Zhu 3 Internet-Draft Microsoft Corporation 4 Expires: August 11, 2006 B. Tung 5 USC Information Sciences Institute 6 February 7, 2006 8 Public Key Cryptography for Initial Authentication in Kerberos 9 draft-ietf-cat-kerberos-pk-init-34 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on August 11, 2006. 36 Copyright Notice 38 Copyright (C) The Internet Society (2006). 40 Abstract 42 This document describes protocol extensions (hereafter called PKINIT) 43 to the Kerberos protocol specification. These extensions provide a 44 method for integrating public key cryptography into the initial 45 authentication exchange, by using asymmetric-key signature and/or 46 encryption algorithms in pre-authentication data fields. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 52 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 53 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6 54 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6 55 3.1.2. Recommended Algorithms . . . . . . . . . . . . . . . . 6 56 3.1.3. Defined Message and Encryption Types . . . . . . . . . 7 57 3.1.4. Kerberos Encryption Types Defined for CMS 58 Algorithm Identifiers . . . . . . . . . . . . . . . . 8 59 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9 60 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9 61 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 14 62 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 18 63 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 25 64 3.3. Interoperability Requirements . . . . . . . . . . . . . . 26 65 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 27 66 4. Security Considerations . . . . . . . . . . . . . . . . . . . 27 67 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 68 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 69 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 70 7.1. Normative References . . . . . . . . . . . . . . . . . . . 30 71 7.2. Informative References . . . . . . . . . . . . . . . . . . 32 72 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 32 73 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 38 74 Appendix C. Miscellaneous Information about Microsoft Windows 75 PKINIT Implementations . . . . . . . . . . . . . . . 40 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 77 Intellectual Property and Copyright Statements . . . . . . . . . . 42 79 1. Introduction 81 The Kerberos V5 protocol [RFC4120] involves use of a trusted third 82 party known as the Key Distribution Center (KDC) to negotiate shared 83 session keys between clients and services and provide mutual 84 authentication between them. 86 The corner-stone of Kerberos V5 is the Ticket and the Authenticator. 87 A Ticket encapsulates a symmetric key (the ticket session key) in an 88 envelope (a public message) intended for a specific service. The 89 contents of the Ticket are encrypted with a symmetric key shared 90 between the service principal and the issuing KDC. The encrypted 91 part of the Ticket contains the client principal name, amongst other 92 items. An Authenticator is a record that can be shown to have been 93 recently generated using the ticket session key in the associated 94 Ticket. The ticket session key is known by the client who requested 95 the ticket. The contents of the Authenticator are encrypted with the 96 associated ticket session key. The encrypted part of an 97 Authenticator contains a timestamp and the client principal name, 98 amongst other items. 100 As shown in Figure 1 below, the Kerberos V5 protocol consists of the 101 following message exchanges between the client and the KDC, and the 102 client and the application service: 104 - The Authentication Service (AS) Exchange 106 The client obtains an "initial" ticket from the Kerberos 107 authentication server (AS), typically a Ticket Granting Ticket 108 (TGT). The AS-REQ message and the AS-REP message are the request 109 and the reply message respectively between the client and the AS. 111 - The Ticket Granting Service (TGS) Exchange 113 The client subsequently uses the TGT to authenticate and request a 114 service ticket for a particular service, from the Kerberos ticket- 115 granting server (TGS). The TGS-REQ message and the TGS-REP 116 message are the request and the reply message respectively between 117 the client and the TGS. 119 - The Client/Server Authentication Protocol (AP) Exchange 121 The client then makes a request with an AP-REQ message, consisting 122 of a service ticket and an authenticator that certifies the 123 client's possession of the ticket session key. The server may 124 optionally reply with an AP-REP message. AP exchanges typically 125 negotiate session specific symmetric keys. 127 Usually, the AS and TGS are integrated in a single device also known 128 as the KDC. 130 Figure 1: The Message Exchanges in the Kerberos V5 Protocol 132 +--------------+ 133 +--------->| KDC | 134 AS-REQ / +-------| | 135 / / +--------------+ 136 / / ^ | 137 / |AS-REP / | 138 | | / TGS-REQ + TGS-REP 139 | | / / 140 | | / / 141 | | / +---------+ 142 | | / / 143 | | / / 144 | | / / 145 | v / v 146 ++-------+------+ +-----------------+ 147 | Client +------------>| Application | 148 | | AP-REQ | Server | 149 | |<------------| | 150 +---------------+ AP-REP +-----------------+ 152 In the AS exchange, the KDC reply contains the ticket session key, 153 amongst other items, that is encrypted using a key (the AS reply key) 154 shared between the client and the KDC. The AS reply key is typically 155 derived from the client's password for human users. Therefore for 156 human users the attack resistance strength of the Kerberos protocol 157 is no stronger than the strength of their passwords. 159 The use of asymmetric cryptography in the form of X.509 certificates 160 [RFC3280] is popular for facilitating data origin authentication and 161 perfect secrecy. An established Public Key Infrastructure (PKI) 162 provides key management and key distribution mechanisms that can be 163 used to establish authentication and secure communication. Adding 164 public-key cryptography to Kerberos provides a nice congruence to 165 public-key protocols, obviates the human users' burden to manage 166 strong passwords, and allows Kerberized applications to take 167 advantage of existing key services and identity management. 169 The advantage afforded by the Kerberos TGT is that the client exposes 170 his long-term secrets only once. The TGT and its associated session 171 key can then be used for any subsequent service ticket requests. One 172 result of this is that all further authentication is independent of 173 the method by which the initial authentication was performed. 174 Consequently, initial authentication provides a convenient place to 175 integrate public-key cryptography into Kerberos authentication. In 176 addition, the use of symmetric cryptography after the initial 177 exchange is preferred for performance. 179 This document describes the methods and data formats using which the 180 client and the KDC can use public and private key pairs to mutually 181 authenticate in the AS exchange and negotiate the AS reply key, known 182 only by the client and the KDC, to encrypt the AS-REP sent by the 183 KDC. 185 2. Conventions Used in This Document 187 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 188 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 189 document are to be interpreted as described in [RFC2119]. 191 In this protocol, both the client and the KDC have a public-private 192 key pair in order to prove their identities to each other over the 193 open network. The term "signature key" is used to refer to the 194 private key of the key pair being used. 196 The encryption key used to encrypt the enc-part field of the KDC-REP 197 in the AS-REP [RFC4120] is referred to as the AS reply key. 199 An empty sequence in an optional field can be either included or 200 omitted: both encodings are permitted and considered equivalent. 202 The term "Modular Exponential Diffie-Hellman" is used to refer to the 203 Diffie-Hellman key exchange as described in [RFC2631], in order to 204 differentiate it from other equivalent representations of the same 205 key agreement algorithm. 207 3. Extensions 209 This section describes extensions to [RFC4120] for supporting the use 210 of public-key cryptography in the initial request for a ticket. 212 Briefly, this document defines the following extensions to [RFC4120]: 214 1. The client indicates the use of public-key authentication by 215 including a special preauthenticator in the initial request. This 216 preauthenticator contains the client's public-key data and a 217 signature. 219 2. The KDC tests the client's request against its authentication 220 policy and trusted Certification Authorities (CAs). 222 3. If the request passes the verification tests, the KDC replies as 223 usual, but the reply is encrypted using either: 225 a. a key generated through a Diffie-Hellman (DH) key exchange 226 [RFC2631] [IEEE1363] with the client, signed using the KDC's 227 signature key; or 229 b. a symmetric encryption key, signed using the KDC's signature 230 key and encrypted using the client's public key. 232 Any keying material required by the client to obtain the 233 encryption key for decrypting the KDC reply is returned in a pre- 234 authentication field accompanying the usual reply. 236 4. The client validates the KDC's signature, obtains the encryption 237 key, decrypts the reply, and then proceeds as usual. 239 Section 3.1 of this document enumerates the required algorithms and 240 necessary extension message types. Section 3.2 describes the 241 extension messages in greater detail. 243 3.1. Definitions, Requirements, and Constants 245 3.1.1. Required Algorithms 247 All PKINIT implementations MUST support the following algorithms: 249 o AS reply key enctype(s): aes128-cts-hmac-sha1-96 and aes256-cts- 250 hmac-sha1-96 [RFC3962]. 252 o Signature algorithm(s): sha-1WithRSAEncryption [RFC3370]. 254 o AS reply key delivery method(s): the Diffie-Hellman key delivery 255 method as described in Section 3.2.3.1. 257 In addition, implementations of this specification MUST be capable of 258 processing the Extended Key Usage (EKU) extension and the id-pkinit- 259 san (as defined in Section 3.2.2) otherName of the Subject 260 Alternative Name (SAN) extension in X.509 certificates [RFC3280]. 262 3.1.2. Recommended Algorithms 264 All PKINIT implementations SHOULD support the following algorithms: 266 o AS reply key delivery method(s): the public key encryption key 267 delivery method as described in Section 3.2.3.2. 269 For implementations that support the public key encryption key 270 delivery method, the following algorithms MUST be supported: 272 a) Key transport algorithm(s) identified in the 273 keyEncryptionAlgorithm field of the type KeyTransRecipientInfo 274 [RFC3852] for encrypting the temporary key in the encryptedKey 275 field [RFC3852] with a public key, as described in 276 Section 3.2.3.2: rsaEncryption (this is the RSAES-PKCS1-v1_5 277 encryption scheme) [RFC3370] [RFC3447]. 279 b) Content encryption algorithm(s) identified in the 280 contentEncryptionAlgorithm field of the type EncryptedContentInfo 281 [RFC3852] for encrypting the AS reply key with the temporary key 282 contained in the encryptedKey field of the type 283 KeyTransRecipientInfo [RFC3852], as described in Section 3.2.3.2: 284 des-ede3-cbc (three-key 3DES, CBC mode) [RFC3370]. 286 3.1.3. Defined Message and Encryption Types 288 PKINIT makes use of the following new pre-authentication types: 290 PA_PK_AS_REQ 16 291 PA_PK_AS_REP 17 293 PKINIT also makes use of the following new authorization data type: 295 AD_INITIAL_VERIFIED_CAS 9 297 PKINIT introduces the following new error codes: 299 KDC_ERR_CLIENT_NOT_TRUSTED 62 300 KDC_ERR_INVALID_SIG 64 301 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 302 KDC_ERR_CANT_VERIFY_CERTIFICATE 70 303 KDC_ERR_INVALID_CERTIFICATE 71 304 KDC_ERR_REVOKED_CERTIFICATE 72 305 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 306 KDC_ERR_CLIENT_NAME_MISMATCH 75 307 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 308 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 309 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 310 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 311 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81 313 PKINIT uses the following typed data types for errors: 315 TD_TRUSTED_CERTIFIERS 104 316 TD_INVALID_CERTIFICATES 105 317 TD_DH_PARAMETERS 109 319 The ASN.1 module for all structures defined in this document (plus 320 IMPORT statements for all imported structures) is given in 321 Appendix A. 323 All structures defined in or imported into this document MUST be 324 encoded using Distinguished Encoding Rules (DER) [X680] [X690] 325 (unless otherwise noted). All data structures carried in OCTET 326 STRINGs must be encoded according to the rules specified in 327 corresponding specifications. 329 Interoperability note: Some implementations may not be able to decode 330 wrapped Cryptographic Message Syntax (CMS) [RFC3852] objects encoded 331 with BER; specifically, they may not be able to decode indefinite 332 length encodings. To maximize interoperability, implementers SHOULD 333 encode CMS objects used in PKINIT with DER. 335 3.1.4. Kerberos Encryption Types Defined for CMS Algorithm Identifiers 337 PKINIT defines the following Kerberos encryption type numbers 338 [RFC3961], which can be used in the etype field of the AS-REQ 339 [RFC4120] message to indicate to the KDC the client's acceptance of 340 the corresponding algorithms (including key transport algorithms 341 [RFC3370], content encryption algorithms [RFC3370], and signature 342 algorithms) for use with Cryptographic Message Syntax (CMS) [RFC3852] 343 [RFC3370]. 345 Per [RFC4120], the encryption types in the etype field are in the 346 decreasing preference order of the client. Note that there is no 347 significance in the relative order between any two of different types 348 of algorithms: key transport algorithms, content encryption 349 algorithms and signature algorithms. 351 The presence of each of these encryption types in the etype field is 352 equivalent to the presence of the corresponding algorithm Object 353 Identifier (OID) in the supportedCMSTypes field as described in 354 Section 3.2.1. And the preference order expressed in the 355 supportedCMSTypes field would override the preference order listed in 356 the etype field. 358 Kerberos Encryption Type Name Num Corresponding Algorithm OID 359 ============================== === =============================== 360 id-dsa-with-sha1-CmsOID 9 id-dsa-with-sha1 [RFC3370] 361 md5WithRSAEncryption-CmsOID 10 md5WithRSAEncryption [RFC3370] 362 sha-1WithRSAEncryption-CmsOID 11 sha-1WithRSAEncryption [RFC3370] 363 rc2-cbc-EnvOID 12 rc2-cbc [RFC3370] 364 rsaEncryption-EnvOID 13 rsaEncryption [RFC3447][RFC3370] 365 id-RSAES-OAEP-EnvOID 14 id-RSAES-OAEP [RFC3447][RFC3560] 366 des-ede3-cbc-EnvOID 15 des-ede3-cbc [RFC3370] 368 The above encryption type numbers are used only to indicate support 369 for the use of the corresponding algorithms in PKINIT; they do not 370 correspond to actual Kerberos encryption types [RFC3961] and MUST NOT 371 be used in the etype field of the Kerberos EncryptedData type 372 [RFC4120]. The practice of assigning Kerberos encryption type 373 numbers to indicate support for CMS algorithms is considered 374 deprecated, and new numbers should not be assigned for this purpose. 375 Instead, the supportedCMSTypes field should be used to identify the 376 algorithms supported by the client and the preference order of the 377 client. 379 For maximum interoperability, however, PKINIT clients wishing to 380 indicate to the KDC the support for one or more of the algorithms 381 listed above SHOULD include the corresponding encryption type 382 number(s) in the etype field of the AS-REQ. 384 3.2. PKINIT Pre-authentication Syntax and Use 386 This section defines the syntax and use of the various pre- 387 authentication fields employed by PKINIT. 389 3.2.1. Generation of Client Request 391 The initial authentication request (AS-REQ) is sent as per [RFC4120]; 392 in addition, a pre-authentication data element, whose padata-type is 393 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the 394 type PA-PK-AS-REQ, is included. 396 PA-PK-AS-REQ ::= SEQUENCE { 397 signedAuthPack [0] IMPLICIT OCTET STRING, 398 -- Contains a CMS type ContentInfo encoded 399 -- according to [RFC3852]. 400 -- The contentType field of the type ContentInfo 401 -- is id-signedData (1.2.840.113549.1.7.2), 402 -- and the content field is a SignedData. 403 -- The eContentType field for the type SignedData is 404 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 405 -- eContent field contains the DER encoding of the 406 -- type AuthPack. 407 -- AuthPack is defined below. 408 trustedCertifiers [1] SEQUENCE OF 409 ExternalPrincipalIdentifier OPTIONAL, 410 -- Contains a list of CAs, trusted by the client, 411 -- that can be used to certify the KDC. 412 -- Each ExternalPrincipalIdentifier identifies a CA 413 -- or a CA certificate (thereby its public key). 414 -- The information contained in the 415 -- trustedCertifiers SHOULD be used by the KDC as 416 -- hints to guide its selection of an appropriate 417 -- certificate chain to return to the client. 418 kdcPkId [2] IMPLICIT OCTET STRING 419 OPTIONAL, 420 -- Contains a CMS type SignerIdentifier encoded 421 -- according to [RFC3852]. 422 -- Identifies, if present, a particular KDC 423 -- public key that the client already has. 424 ... 425 } 427 DHNonce ::= OCTET STRING 429 ExternalPrincipalIdentifier ::= SEQUENCE { 430 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 431 -- Contains a PKIX type Name encoded according to 432 -- [RFC3280]. 433 -- Identifies the certificate subject by the 434 -- distinguished subject name. 435 -- REQUIRED when there is a distinguished subject 436 -- name present in the certificate. 437 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 438 -- Contains a CMS type IssuerAndSerialNumber encoded 439 -- according to [RFC3852]. 440 -- Identifies a certificate of the subject. 441 -- REQUIRED for TD-INVALID-CERTIFICATES and 442 -- TD-TRUSTED-CERTIFIERS. 443 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 444 -- Identifies the subject's public key by a key 445 -- identifier. When an X.509 certificate is 446 -- referenced, this key identifier matches the X.509 447 -- subjectKeyIdentifier extension value. When other 448 -- certificate formats are referenced, the documents 449 -- that specify the certificate format and their use 450 -- with the CMS must include details on matching the 451 -- key identifier to the appropriate certificate 452 -- field. 453 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 455 ... 456 } 458 AuthPack ::= SEQUENCE { 459 pkAuthenticator [0] PKAuthenticator, 460 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 461 -- Type SubjectPublicKeyInfo is defined in 462 -- [RFC3280]. 463 -- Specifies Diffie-Hellman domain parameters 464 -- and the client's public key value [IEEE1363]. 465 -- The DH public key value is encoded as a BIT 466 -- STRING according to [RFC3279]. 467 -- This field is present only if the client wishes 468 -- to use the Diffie-Hellman key agreement method. 469 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 470 OPTIONAL, 471 -- Type AlgorithmIdentifier is defined in 472 -- [RFC3280]. 473 -- List of CMS algorithm [RFC3370] identifiers 474 -- that identify key transport algorithms, or 475 -- content encryption algorithms, or signature 476 -- algorithms supported by the client in order of 477 -- (decreasing) preference. 478 clientDHNonce [3] DHNonce OPTIONAL, 479 -- Present only if the client indicates that it 480 -- wishes to reuse DH keys or to allow the KDC to 481 -- do so (see Section 3.2.3.1). 482 ... 483 } 485 PKAuthenticator ::= SEQUENCE { 486 cusec [0] INTEGER (0..999999), 487 ctime [1] KerberosTime, 488 -- cusec and ctime are used as in [RFC4120], for 489 -- replay prevention. 490 nonce [2] INTEGER (0..4294967295), 491 -- Chosen randomly; This nonce does not need to 492 -- match with the nonce in the KDC-REQ-BODY. 493 paChecksum [3] OCTET STRING OPTIONAL, 494 -- MUST be present. 495 -- Contains the SHA1 checksum, performed over 496 -- KDC-REQ-BODY. 497 ... 498 } 500 The ContentInfo [RFC3852] structure contained in the signedAuthPack 501 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and 502 is filled out as follows: 504 1. The contentType field of the type ContentInfo is id-signedData 505 (as defined in [RFC3852]), and the content field is a SignedData 506 (as defined in [RFC3852]). 508 2. The eContentType field for the type SignedData is id-pkinit- 509 authData: { iso(1) org(3) dod(6) internet(1) security(5) 510 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS 511 implementers: the signed attribute content-type MUST be present 512 in this SignedData instance and its value is id-pkinit-authData 513 according to [RFC3852]. 515 3. The eContent field for the type SignedData contains the DER 516 encoding of the type AuthPack. 518 4. The signerInfos field of the type SignedData contains a single 519 signerInfo, which contains the signature over the type AuthPack. 521 5. The AuthPack structure contains a PKAuthenticator, the client 522 public key information, the CMS encryption types supported by the 523 client and a DHNonce. The pkAuthenticator field certifies to the 524 KDC that the client has recent knowledge of the signing key that 525 authenticates the client. The clientPublicValue field specifies 526 Diffie-Hellman domain parameters and the client's public key 527 value. The DH public key value is encoded as a BIT STRING 528 according to [RFC3279]. The clientPublicValue field is present 529 only if the client wishes to use the Diffie-Hellman key agreement 530 method. The supportedCMSTypes field specifies the list of CMS 531 algorithm identifiers that are supported by the client in order 532 of (decreasing) preference, and can be used to identify a 533 signature algorithm or a key transport algorithm [RFC3370] in the 534 keyEncryptionAlgorithm field of the type KeyTransRecipientInfo or 535 a content encryption algorithm [RFC3370] in the 536 contentEncryptionAlgorithm field of the type EncryptedContentInfo 537 [RFC3852] when encrypting the AS reply key as described in 538 Section 3.2.3.2. However, there is no significance in the 539 relative order between any two of different types of algorithms: 540 key transport algorithms, content encryption algorithms, and 541 signature algorithms. The clientDHNonce field is described later 542 in this section. 544 6. The ctime field in the PKAuthenticator structure contains the 545 current time on the client's host, and the cusec field contains 546 the microsecond part of the client's timestamp. The ctime and 547 cusec fields are used together to specify a reasonably accurate 548 timestamp [RFC4120]. The nonce field is chosen randomly. The 549 paChecksum field MUST be present and it contains a SHA1 checksum 550 that is performed over the KDC-REQ-BODY [RFC4120]. In order to 551 ease future migration from the use of SHA1, the paChecksum field 552 is made optional syntactically: when the request is extended to 553 negotiate hash algorithms, the new client wishing not to use SHA1 554 will send the request in the extended message syntax without the 555 paChecksum field. The KDC conforming to this specification MUST 556 return a KRB-ERROR [RFC4120] message with the code 557 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (see Section 3.2.3). That 558 will allow a new client to retry with SHA1 if allowed by the 559 local policy. 561 7. The certificates field of the type SignedData contains 562 certificates intended to facilitate certification path 563 construction, so that the KDC can verify the signature over the 564 type AuthPack. For path validation, these certificates SHOULD be 565 sufficient to construct at least one certification path from the 566 client certificate to one trust anchor acceptable by the KDC 567 [RFC4158]. The client MUST be capable of including such a set of 568 certificates if configured to do so. The certificates field MUST 569 NOT contain "root" CA certificates. 571 8. The client's Diffie-Hellman public value (clientPublicValue) is 572 included if and only if the client wishes to use the Diffie- 573 Hellman key agreement method. The Diffie-Hellman domain 574 parameters [IEEE1363] for the client's public key are specified 575 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] 576 and the client's Diffie-Hellman public key value is mapped to a 577 subjectPublicKey (a BIT STRING) according to [RFC3279]. When 578 using the Diffie-Hellman key agreement method, implementations 579 MUST support Oakley 1024-bit Modular Exponential (MODP) well- 580 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group 581 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known 582 group 16 [RFC3526]. 584 The Diffie-Hellman field size should be chosen so as to provide 585 sufficient cryptographic security [RFC3766]. 587 When MODP Diffie-Hellman is used, the exponents should have at 588 least twice as many bits as the symmetric keys that will be 589 derived from them [ODL99]. 591 9. The client may wish to reuse DH keys or to allow the KDC to do so 592 (see Section 3.2.3.1). If so, then the client includes the 593 clientDHNonce field. This nonce string MUST be as long as the 594 longest key length of the symmetric key types that the client 595 supports. This nonce MUST be chosen randomly. 597 The ExternalPrincipalIdentifier structure is used in this document to 598 identify the subject's public key thereby the subject principal. 599 This structure is filled out as follows: 601 1. The subjectName field contains a PKIX type Name encoded according 602 to [RFC3280]. This field identifies the certificate subject by 603 the distinguished subject name. This field is REQUIRED when 604 there is a distinguished subject name present in the certificate 605 being used. 607 2. The issuerAndSerialNumber field contains a CMS type 608 IssuerAndSerialNumber encoded according to [RFC3852]. This field 609 identifies a certificate of the subject. This field is REQUIRED 610 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both 611 structures are defined in Section 3.2.2). 613 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's 614 public key by a key identifier. When an X.509 certificate is 615 referenced, this key identifier matches the X.509 616 subjectKeyIdentifier extension value. When other certificate 617 formats are referenced, the documents that specify the 618 certificate format and their use with the CMS must include 619 details on matching the key identifier to the appropriate 620 certificate field. This field is RECOMMENDED for TD-TRUSTED- 621 CERTIFIERS (as defined in Section 3.2.2). 623 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list 624 of CAs, trusted by the client, that can be used to certify the KDC. 625 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate 626 (thereby its public key). 628 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type 629 SignerIdentifier encoded according to [RFC3852]. This field 630 identifies, if present, a particular KDC public key that the client 631 already has. 633 3.2.2. Receipt of Client Request 635 Upon receiving the client's request, the KDC validates it. This 636 section describes the steps that the KDC MUST (unless otherwise 637 noted) take in validating the request. 639 The KDC verifies the client's signature in the signedAuthPack field 640 according to [RFC3852]. 642 If, while validating the client's X.509 certificate [RFC3280], the 643 KDC cannot build a certification path to validate the client's 644 certificate, it sends back a KRB-ERROR [RFC4120] message with the 645 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for 646 this error message is a TYPED-DATA (as defined in [RFC4120]) that 647 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and 648 whose data-value contains the DER encoding of the type TD-TRUSTED- 649 CERTIFIERS: 651 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 652 ExternalPrincipalIdentifier 653 -- Identifies a list of CAs trusted by the KDC. 654 -- Each ExternalPrincipalIdentifier identifies a CA 655 -- or a CA certificate (thereby its public key). 657 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 658 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate 659 (thereby its public key) trusted by the KDC. 661 Upon receiving this error message, the client SHOULD retry only if it 662 has a different set of certificates (from those of the previous 663 requests) that form a certification path (or a partial path) from one 664 of the trust anchors acceptable by the KDC to its own certificate. 666 If, while processing the certification path, the KDC determines that 667 the signature on one of the certificates in the signedAuthPack field 668 is invalid, it returns a KRB-ERROR [RFC4120] message with the code 669 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error 670 message is a TYPED-DATA that contains an element whose data-type is 671 TD_INVALID_CERTIFICATES, and whose data-value contains the DER 672 encoding of the type TD-INVALID-CERTIFICATES: 674 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 675 ExternalPrincipalIdentifier 676 -- Each ExternalPrincipalIdentifier identifies a 677 -- certificate (sent by the client) with an invalid 678 -- signature. 680 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 681 TD-INVALID-CERTIFICATES structure identifies a certificate (that was 682 sent by the client) with an invalid signature. 684 If more than one X.509 certificate signature is invalid, the KDC MAY 685 include one IssuerAndSerialNumber per invalid signature within the 686 TD-INVALID-CERTIFICATES. 688 The client's X.509 certificate is validated according to [RFC3280]. 690 Based on local policy, the KDC may also check whether any X.509 691 certificates in the certification path validating the client's 692 certificate have been revoked. If any of them have been revoked, the 693 KDC MUST return an error message with the code 694 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the 695 revocation status but is unable to do so, it SHOULD return an error 696 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The 697 certificate or certificates affected are identified exactly as for 698 the error code KDC_ERR_INVALID_CERTIFICATE (see above). 700 Note that the TD_INVALID_CERTIFICATES error data is only used to 701 identify invalid certificates sent by the client in the request. 703 The client's public key is then used to verify the signature. If the 704 signature fails to verify, the KDC MUST return an error message with 705 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for 706 this error message. 708 In addition to validating the client's signature, the KDC MUST also 709 check that the client's public key used to verify the client's 710 signature is bound to the client's principal name as specified in the 711 AS-REQ as follows: 713 1. If the KDC has its own binding between either the client's 714 signature-verification public key or the client's certificate and 715 the client's Kerberos principal name, it uses that binding. 717 2. Otherwise, if the client's X.509 certificate contains a Subject 718 Alternative Name (SAN) extension carrying a KRB5PrincipalName 719 (defined below) in the otherName field of the type GeneralName 720 [RFC3280], it binds the client's X.509 certificate to that name. 722 The type of the otherName field is AnotherName. The type-id field 723 of the type AnotherName is id-pkinit-san: 725 id-pkinit-san OBJECT IDENTIFIER ::= 726 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 727 x509SanAN (2) } 729 And the value field of the type AnotherName is a 730 KRB5PrincipalName. 732 KRB5PrincipalName ::= SEQUENCE { 733 realm [0] Realm, 734 principalName [1] PrincipalName 735 } 737 If the Kerberos client name in the AS-REQ does not match a name bound 738 by the KDC (the binding can be in the certificate, for example as 739 described above), or if there is no binding found by the KDC, the KDC 740 MUST return an error message with the code 741 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for 742 this error message. 744 Even if the certification path is validated and the certificate is 745 mapped to the client's principal name, the KDC may decide not to 746 accept the client's certificate, depending on local policy. 748 The KDC MAY require the presence of an Extended Key Usage (EKU) 749 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field 750 of the client's X.509 certificate: 752 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= 753 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 754 pkinit(3) keyPurposeClientAuth(4) } 755 -- PKINIT client authentication. 756 -- Key usage bits that MUST be consistent: 757 -- digitalSignature. 759 The digitalSignature key usage bit [RFC3280] MUST be asserted when 760 the intended purpose of the client's X.509 certificate is restricted 761 with the id-pkinit-KPClientAuth EKU. 763 If this EKU KeyPurposeId is required but it is not present or if the 764 client certificate is restricted not to be used for PKINIT client 765 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return 766 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There 767 is no accompanying e-data for this error message. KDCs implementing 768 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc- 769 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there 770 are a large number of X.509 client certificates deployed for use with 771 PKINIT which have this EKU. 773 As a matter of local policy, the KDC MAY decide to reject requests on 774 the basis of the absence or presence of other specific EKU OID's. 776 If the digest algorithm used in generating the CA signature for the 777 public key in any certificate of the request is not acceptable by the 778 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code 779 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be 780 encoded in TYPED-DATA although none is defined at this point. 782 If the client's public key is not accepted with reasons other than 783 what were specified above, the KDC returns a KRB-ERROR [RFC4120] 784 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no 785 accompanying e-data currently defined for this error message. 787 The KDC MUST check the timestamp to ensure that the request is not a 788 replay, and that the time skew falls within acceptable limits. The 789 recommendations for clock skew times in [RFC4120] apply here. If the 790 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or 791 KRB_AP_ERR_SKEW, respectively. 793 If the clientPublicValue is filled in, indicating that the client 794 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD 795 check to see if the key parameters satisfy its policy. If they do 796 not, it MUST return an error message with the code 797 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a 798 TYPED-DATA that contains an element whose data-type is 799 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of 800 the type TD-DH-PARAMETERS: 802 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 803 -- Each AlgorithmIdentifier specifies a set of 804 -- Diffie-Hellman domain parameters [IEEE1363]. 805 -- This list is in decreasing preference order. 807 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters 808 that the KDC supports in decreasing preference order, from which the 809 client SHOULD pick one to retry the request. 811 The AlgorithmIdentifier structure is defined in [RFC3280] and is 812 filled in according to [RFC3279]. More specifically Section 2.3.3 of 813 [RFC3279] describes how to fill in the AlgorithmIdentifier structure 814 in the case where MODP Diffie-Hellman key exchange is used. 816 If the client included a kdcPkId field in the PA-PK-AS-REQ and the 817 KDC does not possess the corresponding key, the KDC MUST ignore the 818 kdcPkId field as if the client did not include one. 820 If the digest algorithm used by the id-pkinit-authData is not 821 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120] 822 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. 823 The accompanying e-data MUST be encoded in TYPED-DATA although none 824 is defined at this point. 826 3.2.3. Generation of KDC Reply 828 If the paChecksum filed in the request is not present, the KDC 829 conforming to this specification MUST return a KRB-ERROR [RFC4120] 830 message with the code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. The 831 accompanying e-data MUST be encoded in TYPED-DATA (no error data is 832 defined by this specification). 834 Assuming that the client's request has been properly validated, the 835 KDC proceeds as per [RFC4120], except as follows. 837 The KDC MUST set the initial flag and include an authorization data 838 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued 839 ticket. The ad-data [RFC4120] field contains the DER encoding of the 840 type AD-INITIAL-VERIFIED-CAS: 842 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 843 ExternalPrincipalIdentifier 844 -- Identifies the certification path based on which 845 -- the client certificate was validated. 846 -- Each ExternalPrincipalIdentifier identifies a CA 847 -- or a CA certificate (thereby its public key). 849 The AD-INITIAL-VERIFIED-CAS structure identifies the certification 850 path based on which the client certificate was validated. Each 851 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD- 852 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate 853 (thereby its public key). 855 Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization 856 data does permit empty SEQUENCEs to be encoded. Such empty sequences 857 may only be used if the KDC itself vouches for the user's 858 certificate. 860 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT 861 containers if the list of CAs satisfies the AS' realm's local policy 862 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag 863 [RFC4120]). Furthermore, any TGS MUST copy such authorization data 864 from tickets used within a PA-TGS-REQ of the TGS-REQ into the 865 resulting ticket. If the list of CAs satisfies the local KDC's 866 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT 867 container, otherwise it MAY unwrap the authorization data out of the 868 AD-IF-RELEVANT container. 870 Application servers that understand this authorization data type 871 SHOULD apply local policy to determine whether a given ticket bearing 872 such a type *not* contained within an AD-IF-RELEVANT container is 873 acceptable. (This corresponds to the AP server checking the 874 transited field when the TRANSITED-POLICY-CHECKED flag has not been 875 set [RFC4120].) If such a data type is contained within an AD-IF- 876 RELEVANT container, AP servers MAY apply local policy to determine 877 whether the authorization data is acceptable. 879 A pre-authentication data element, whose padata-type is PA_PK_AS_REP 880 and whose padata-value contains the DER encoding of the type PA-PK- 881 AS-REP (defined below), is included in the AS-REP [RFC4120]. 883 PA-PK-AS-REP ::= CHOICE { 884 dhInfo [0] DHRepInfo, 885 -- Selected when Diffie-Hellman key exchange is 886 -- used. 887 encKeyPack [1] IMPLICIT OCTET STRING, 888 -- Selected when public key encryption is used. 889 -- Contains a CMS type ContentInfo encoded 890 -- according to [RFC3852]. 891 -- The contentType field of the type ContentInfo is 892 -- id-envelopedData (1.2.840.113549.1.7.3). 893 -- The content field is an EnvelopedData. 894 -- The contentType field for the type EnvelopedData 895 -- is id-signedData (1.2.840.113549.1.7.2). 896 -- The eContentType field for the inner type 897 -- SignedData (when unencrypted) is 898 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 899 -- eContent field contains the DER encoding of the 900 -- type ReplyKeyPack. 901 -- ReplyKeyPack is defined in Section 3.2.3.2. 902 ... 903 } 905 DHRepInfo ::= SEQUENCE { 906 dhSignedData [0] IMPLICIT OCTET STRING, 907 -- Contains a CMS type ContentInfo encoded according 908 -- to [RFC3852]. 909 -- The contentType field of the type ContentInfo is 910 -- id-signedData (1.2.840.113549.1.7.2), and the 911 -- content field is a SignedData. 912 -- The eContentType field for the type SignedData is 913 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 914 -- eContent field contains the DER encoding of the 915 -- type KDCDHKeyInfo. 916 -- KDCDHKeyInfo is defined below. 917 serverDHNonce [1] DHNonce OPTIONAL, 918 -- Present if and only if dhKeyExpiration is 919 -- present in the KDCDHKeyInfo. 920 ... 921 } 923 KDCDHKeyInfo ::= SEQUENCE { 924 subjectPublicKey [0] BIT STRING, 925 -- The KDC's DH public key. 926 -- The DH public key value is encoded as a BIT 927 -- STRING according to [RFC3279]. 928 nonce [1] INTEGER (0..4294967295), 929 -- Contains the nonce in the pkAuthenticator field 930 -- in the request if the DH keys are NOT reused, 931 -- 0 otherwise. 932 dhKeyExpiration [2] KerberosTime OPTIONAL, 933 -- Expiration time for KDC's key pair, 934 -- present if and only if the DH keys are reused. 935 -- If present, the KDC's DH public key MUST not be 936 -- used past the point of this expiration time. 937 -- If this field is omitted then the serverDHNonce 938 -- field MUST also be omitted. 939 ... 940 } 942 The content of the AS-REP is otherwise unchanged from [RFC4120]. The 943 KDC encrypts the reply as usual, but not with the client's long-term 944 key. Instead, it encrypts it with either a shared key derived from a 945 Diffie-Hellman exchange, or a generated encryption key. The contents 946 of the PA-PK-AS-REP indicate which key delivery method is used. 948 If the client does not wish to use the Diffie-Hellman key delivery 949 method (the clientPublicValue field is not present in the request) 950 and the KDC does not support the public key encryption key delivery 951 method, the KDC MUST return an error message with the code 952 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED. There is no 953 accompanying e-data for this error message. 955 In addition, the lifetime of the ticket returned by the KDC MUST NOT 956 exceed that of the client's public-private key pair. The ticket 957 lifetime, however, can be shorter than that of the client's public- 958 private key pair. For the implementations of this specification, the 959 lifetime of the client's public-private key pair is the validity 960 period in X.509 certificates [RFC3280], unless configured otherwise. 962 3.2.3.1. Using Diffie-Hellman Key Exchange 964 In this case, the PA-PK-AS-REP contains a DHRepInfo structure. 966 The ContentInfo [RFC3852] structure for the dhSignedData field is 967 filled in as follows: 969 1. The contentType field of the type ContentInfo is id-signedData 970 (as defined in [RFC3852]), and the content field is a SignedData 971 (as defined in [RFC3852]). 973 2. The eContentType field for the type SignedData is the OID value 974 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1) 975 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS 976 implementers: the signed attribute content-type MUST be present 977 in this SignedData instance and its value is id-pkinit-DHKeyData 978 according to [RFC3852]. 980 3. The eContent field for the type SignedData contains the DER 981 encoding of the type KDCDHKeyInfo. 983 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce 984 and optionally the expiration time of the KDC's DH key being 985 reused. The subjectPublicKey field of the type KDCDHKeyInfo 986 field identifies KDC's DH public key. This DH public key value 987 is encoded as a BIT STRING according to [RFC3279]. The nonce 988 field contains the nonce in the pkAuthenticator field in the 989 request if the DH keys are NOT reused. The value of this nonce 990 field is 0 if the DH keys are reused. The dhKeyExpiration field 991 is present if and only if the DH keys are reused. If the 992 dhKeyExpiration field is present, the KDC's public key in this 993 KDCDHKeyInfo structure MUST NOT be used past the point of this 994 expiration time. If this field is omitted then the serverDHNonce 995 field MUST also be omitted. 997 5. The signerInfos field of the type SignedData contains a single 998 signerInfo, which contains the signature over the type 999 KDCDHKeyInfo. 1001 6. The certificates field of the type SignedData contains 1002 certificates intended to facilitate certification path 1003 construction, so that the client can verify the KDC's signature 1004 over the type KDCDHKeyInfo. The information contained in the 1005 trustedCertifiers in the request SHOULD be used by the KDC as 1006 hints to guide its selection of an appropriate certificate chain 1007 to return to the client. This field may be left empty if the KDC 1008 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 1009 used for signing. Otherwise, for path validation, these 1010 certificates SHOULD be sufficient to construct at least one 1011 certification path from the KDC certificate to one trust anchor 1012 acceptable by the client [RFC4158]. The KDC MUST be capable of 1013 including such a set of certificates if configured to do so. The 1014 certificates field MUST NOT contain "root" CA certificates. 1016 7. If the client included the clientDHNonce field, then the KDC may 1017 choose to reuse its DH keys. If the server reuses DH keys then 1018 it MUST include an expiration time in the dhKeyExpiration field. 1019 Past the point of the expiration time, the signature over the 1020 type DHRepInfo is considered expired/invalid. When the server 1021 reuses DH keys then it MUST include a serverDHNonce at least as 1022 long as the length of keys for the symmetric encryption system 1023 used to encrypt the AS reply. Note that including the 1024 serverDHNonce changes how the client and server calculate the key 1025 to use to encrypt the reply; see below for details. The KDC 1026 SHOULD NOT reuse DH keys unless the clientDHNonce field is 1027 present in the request. 1029 The AS reply key is derived as follows: 1031 1. Both the KDC and the client calculate the shared secret value as 1032 follows: 1034 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the 1035 shared secret value. DHSharedSecret is the value ZZ as 1036 described in Section 2.1.1 of [RFC2631]. 1038 DHSharedSecret is first padded with leading zeros such that the 1039 size of DHSharedSecret in octets is the same as that of the 1040 modulus, then represented as a string of octets in big-endian 1041 order. 1043 Implementation note: Both the client and the KDC can cache the 1044 triple (ya, yb, DHSharedSecret), where ya is the client's public 1045 key and yb is the KDC's public key. If both ya and yb are the 1046 same in a later exchange, the cached DHSharedSecret can be used. 1048 2. Let K be the key-generation seed length [RFC3961] of the AS reply 1049 key whose enctype is selected according to [RFC4120]. 1051 3. Define the function octetstring2key() as follows: 1053 octetstring2key(x) == random-to-key(K-truncate( 1054 SHA1(0x00 | x) | 1055 SHA1(0x01 | x) | 1056 SHA1(0x02 | x) | 1057 ... 1058 )) 1060 where x is an octet string; | is the concatenation operator; 0x00, 1061 0x01, 0x02, etc., are each represented as a single octet; random- 1062 to-key() is an operation that generates a protocol key from a 1063 bitstring of length K; and K-truncate truncates its input to the 1064 first K bits. Both K and random-to-key() are as defined in the 1065 kcrypto profile [RFC3961] for the enctype of the AS reply key. 1067 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be 1068 the serverDHNonce; otherwise, let both n_c and n_k be empty octet 1069 strings. 1071 5. The AS reply key k is: 1073 k = octetstring2key(DHSharedSecret | n_c | n_k) 1075 3.2.3.2. Using Public Key Encryption 1077 In this case, the PA-PK-AS-REP contains the encKeyPack field where 1078 the AS reply key is encrypted. 1080 The ContentInfo [RFC3852] structure for the encKeyPack field is 1081 filled in as follows: 1083 1. The contentType field of the type ContentInfo is id-envelopedData 1084 (as defined in [RFC3852]), and the content field is an 1085 EnvelopedData (as defined in [RFC3852]). 1087 2. The contentType field for the type EnvelopedData is id- 1088 signedData: { iso (1) member-body (2) us (840) rsadsi (113549) 1089 pkcs (1) pkcs7 (7) signedData (2) }. 1091 3. The eContentType field for the inner type SignedData (when 1092 decrypted from the encryptedContent field for the type 1093 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6) 1094 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }. 1095 Notes to CMS implementers: the signed attribute content-type MUST 1096 be present in this SignedData instance and its value is id- 1097 pkinit-rkeyData according to [RFC3852]. 1099 4. The eContent field for the inner type SignedData contains the DER 1100 encoding of the type ReplyKeyPack (as described below). 1102 5. The signerInfos field of the inner type SignedData contains a 1103 single signerInfo, which contains the signature for the type 1104 ReplyKeyPack. 1106 6. The certificates field of the inner type SignedData contains 1107 certificates intended to facilitate certification path 1108 construction, so that the client can verify the KDC's signature 1109 for the type ReplyKeyPack. The information contained in the 1110 trustedCertifiers in the request SHOULD be used by the KDC as 1111 hints to guide its selection of an appropriate certificate chain 1112 to return to the client. This field may be left empty if the KDC 1113 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 1114 used for signing. Otherwise, for path validation, these 1115 certificates SHOULD be sufficient to construct at least one 1116 certification path from the KDC certificate to one trust anchor 1117 acceptable by the client [RFC4158]. The KDC MUST be capable of 1118 including such a set of certificates if configured to do so. The 1119 certificates field MUST NOT contain "root" CA certificates. 1121 7. The recipientInfos field of the type EnvelopedData is a SET which 1122 MUST contain exactly one member of type KeyTransRecipientInfo. 1123 The encryptedKey of this member contains the temporary key which 1124 is encrypted using the client's public key. 1126 8. The unprotectedAttrs or originatorInfo fields of the type 1127 EnvelopedData MAY be present. 1129 If there is a supportedCMSTypes field in the AuthPack, the KDC must 1130 check to see if it supports any of the listed types. If it supports 1131 more than one of the types, the KDC SHOULD use the one listed first. 1132 If it does not support any of them, it MUST return an error message 1133 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120]. 1135 Furthermore the KDC computes the checksum of the AS-REQ in the client 1136 request. This checksum is performed over the type AS-REQ and the 1137 protocol key [RFC3961] of the checksum operation is the replyKey and 1138 the key usage number is 6. If the replyKey's enctype is "newer" 1139 [RFC4120] [RFC4121], the checksum operation is the required checksum 1140 operation [RFC3961] of that enctype. 1142 ReplyKeyPack ::= SEQUENCE { 1143 replyKey [0] EncryptionKey, 1144 -- Contains the session key used to encrypt the 1145 -- enc-part field in the AS-REP, i.e. the 1146 -- AS reply key. 1147 asChecksum [1] Checksum, 1148 -- Contains the checksum of the AS-REQ 1149 -- corresponding to the containing AS-REP. 1150 -- The checksum is performed over the type AS-REQ. 1151 -- The protocol key [RFC3961] of the checksum is the 1152 -- replyKey and the key usage number is 6. 1153 -- If the replyKey's enctype is "newer" [RFC4120] 1154 -- [RFC4121], the checksum is the required 1155 -- checksum operation [RFC3961] for that enctype. 1156 -- The client MUST verify this checksum upon receipt 1157 -- of the AS-REP. 1158 ... 1159 } 1161 Implementations of this RSA encryption key delivery method are 1162 RECOMMENDED to support RSA keys at least 2048 bits in size. 1164 3.2.4. Receipt of KDC Reply 1166 Upon receipt of the KDC's reply, the client proceeds as follows. If 1167 the PA-PK-AS-REP contains the dhSignedData field, the client derives 1168 the AS reply key using the same procedure used by the KDC as defined 1169 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack 1170 field, and the client decrypts and extracts the temporary key in the 1171 encryptedKey field of the member KeyTransRecipientInfo, and then uses 1172 that as the AS reply key. 1174 If the public key encryption method is used, the client MUST verify 1175 the asChecksum contained in the ReplyKeyPack. 1177 In either case, the client MUST verify the signature in the 1178 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST 1179 be validated according to [RFC3280]. In addition, unless the client 1180 can otherwise verify that the public key used to verify the KDC's 1181 signature is bound to the KDC of the target realm, the KDC's X.509 1182 certificate MUST contain a Subject Alternative Name extension 1183 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as 1184 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that 1185 matches the name of the TGS of the target realm (as defined in 1186 Section 7.3 of [RFC4120]). 1188 Unless the client knows by some other means that the KDC certificate 1189 is intended for a Kerberos KDC, the client MUST require that the KDC 1190 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc: 1192 id-pkinit-KPKdc OBJECT IDENTIFIER ::= 1193 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1194 pkinit(3) keyPurposeKdc(5) } 1195 -- Signing KDC responses. 1196 -- Key usage bits that MUST be consistent: 1197 -- digitalSignature. 1199 The digitalSignature key usage bit [RFC3280] MUST be asserted when 1200 the intended purpose of the KDC's X.509 certificate is restricted 1201 with the id-pkinit-KPKdc EKU. 1203 If the KDC certificate contains the Kerberos TGS name encoded as an 1204 id-pkinit-san SAN, this certificate is certified by the issuing CA as 1205 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required. 1207 If all applicable checks are satisfied, the client then decrypts the 1208 enc-part field of the KDC-REP in the AS-REP using the AS reply key, 1209 and then proceeds as described in [RFC4120]. 1211 3.3. Interoperability Requirements 1213 The client MUST be capable of sending a set of certificates 1214 sufficient to allow the KDC to construct a certification path for the 1215 client's certificate, if the correct set of certificates is provided 1216 through configuration or policy. 1218 If the client sends all the X.509 certificates on a certification 1219 path to a trust anchor acceptable by the KDC, and the KDC can not 1220 verify the client's public key otherwise, the KDC MUST be able to 1221 process path validation for the client's certificate based on the 1222 certificates in the request. 1224 The KDC MUST be capable of sending a set of certificates sufficient 1225 to allow the client to construct a certification path for the KDC's 1226 certificate, if the correct set of certificates is provided through 1227 configuration or policy. 1229 If the KDC sends all the X.509 certificates on a certification path 1230 to a trust anchor acceptable by the client, and the client can not 1231 verify the KDC's public key otherwise, the client MUST be able to 1232 process path validation for the KDC's certificate based on the 1233 certificates in the reply. 1235 3.4. KDC Indication of PKINIT Support 1237 If pre-authentication is required, but was not present in the 1238 request, per [RFC4120] an error message with the code 1239 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be 1240 stored in the e-data field of the KRB-ERROR message to specify which 1241 pre-authentication mechanisms are acceptable. The KDC can then 1242 indicate the support of PKINIT by including an empty element whose 1243 padata-type is PA_PK_AS_REQ in that METHOD-DATA object. 1245 Otherwise if it is required by the KDC's local policy that the client 1246 must be pre-authenticated using the pre-authentication mechanism 1247 specified in this document, but no PKINIT pre-authentication was 1248 present in the request, an error message with the code 1249 KDC_ERR_PREAUTH_FAILED SHOULD be returned. 1251 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in 1252 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET 1253 STRING), and clients MUST ignore this and any other value. Future 1254 extensions to this protocol may specify other data to send instead of 1255 an empty OCTET STRING. 1257 4. Security Considerations 1259 The security of cryptographic algorithms is dependent on generating 1260 secret quantities [RFC4086]. The number of truly random bits is 1261 extremely important to determining the attack resistance strength of 1262 the cryptosystem, for example, the secret Diffie-Hellman exponents 1263 must be chosen based on n truly random bits (where n is the system 1264 security requirement). The security of the overall system is 1265 significantly weakened by using insufficient random inputs: a 1266 sophisticated attacker may find it easier to reproduce the 1267 environment that produced the secret quantities and to search the 1268 resulting small set of possibilities than to locate the quantities in 1269 the whole of the potential number space. 1271 Kerberos error messages are not integrity protected, as a result, the 1272 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered 1273 with by an attacker so that the set of domain parameters selected 1274 could be either weaker or not mutually preferred. Local policy can 1275 configure sets of domain parameters acceptable locally, or disallow 1276 the negotiation of DH domain parameters. 1278 The symmetric reply key size and Diffie-Hellman field size or RSA 1279 modulus size should be chosen so as to provide sufficient 1280 cryptographic security [RFC3766]. 1282 When MODP Diffie-Hellman is used, the exponents should have at least 1283 twice as many bits as the symmetric keys that will be derived from 1284 them [ODL99]. 1286 PKINIT raises certain security considerations beyond those that can 1287 be regulated strictly in protocol definitions. We will address them 1288 in this section. 1290 PKINIT extends the cross-realm model to the public-key 1291 infrastructure. Users of PKINIT must understand security policies 1292 and procedures appropriate to the use of Public Key Infrastructures 1293 [RFC3280]. 1295 In order to trust a KDC certificate that is certified by a CA as a 1296 KDC certificate for a target realm (for example, by asserting the TGS 1297 name of that Kerberos realm as an id-pkinit-san SAN and/or 1298 restricting the certificate usage by using the id-pkinit-KPKdc EKU, 1299 as described in Section 3.2.4), the client MUST verify that the KDC 1300 certificate's issuing CA is authorized to issue KDC certificates for 1301 that target realm. Otherwise, the binding between the KDC 1302 certificate and the KDC of the target realm is not established. 1304 How to validate this authorization is a matter of local policy. A 1305 way to achieve this is the configuration of specific sets of 1306 intermediary CAs and trust anchors, one of which must be on the KDC 1307 certificate's certification path [RFC3280]; and for each CA or trust 1308 anchor the realms for which it is allowed to issue certificates. 1310 In addition, if any CA is trusted to issue KDC certificates can also 1311 issue other kinds of certificates, then local policy must be able to 1312 distinguish between them: for example, it could require that KDC 1313 certificates contain the id-pkinit-KPKdc EKU or that the realm be 1314 specified with the id-pkinit-san SAN. 1316 It is the responsibility of the PKI administrators for an 1317 organization to ensure that KDC certificates are only issued to KDCs, 1318 and that clients can ascertain this using their local policy. 1320 Standard Kerberos allows the possibility of interactions between 1321 cryptosystems of varying strengths; this document adds interactions 1322 with public-key cryptosystems to Kerberos. Some administrative 1323 policies may allow the use of relatively weak public keys. When 1324 using such weak asymmetric keys to protect/exchange stronger 1325 symmetric Keys, the attack resistant strength of the overall system 1326 is no better than that of these weak keys [RFC3766]. 1328 PKINIT requires keys for symmetric cryptosystems to be generated. 1329 Some such systems contain "weak" keys. For recommendations regarding 1330 these weak keys, see [RFC4120]. 1332 PKINIT allows the use of the same RSA key pair for encryption and 1333 signing when doing RSA encryption based key delivery. This is not 1334 recommended usage of RSA keys [RFC3447], by using DH based key 1335 delivery this is avoided. 1337 Care should be taken in how certificates are chosen for the purposes 1338 of authentication using PKINIT. Some local policies may require that 1339 key escrow be used for certain certificate types. Deployers of 1340 PKINIT should be aware of the implications of using certificates that 1341 have escrowed keys for the purposes of authentication. Because 1342 signing only certificates are normally not escrowed, by using DH 1343 based key delivery this is avoided. 1345 PKINIT does not provide for a "return routability" test to prevent 1346 attackers from mounting a denial-of-service attack on the KDC by 1347 causing it to perform unnecessary and expensive public-key 1348 operations. Strictly speaking, this is also true of standard 1349 Kerberos, although the potential cost is not as great, because 1350 standard Kerberos does not make use of public-key cryptography. By 1351 using DH based key delivery and reusing DH keys, the necessary crypto 1352 processing cost per request can be minimized. 1354 When the Diffie-Hellman key exchange method is used, additional pre- 1355 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as 1356 defined in this specification) is not bound to the AS_REQ by the 1357 mechanisms discussed in this specification (meaning it may be dropped 1358 or added by attackers without being detected by either the client or 1359 the KDC). Designers of additional pre-authentication data should 1360 take that into consideration if such additional pre-authentication 1361 data can be used in conjunction with the PA_PK_AS_REQ. The future 1362 work of the Kerberos working group is expected to update the hash 1363 algorithms specified in this document and provide a generic mechanism 1364 to bind additional pre-authentication data with the accompanying 1365 AS_REQ. 1367 5. Acknowledgements 1369 The following people have made significant contributions to this 1370 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist 1371 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey 1372 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M 1373 Grundman and Jeffrey Altman. 1375 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and 1376 Chris Walstad discovered a binding issue between the AS-REQ and AS- 1377 REP in draft -26, the asChecksum field was added as the result. 1379 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and 1380 Jonathan Trostle who wrote earlier versions of this document. 1382 The authors are indebted to the Kerberos working group chair Jeffrey 1383 Hutzelman who kept track of various issues and was enormously helpful 1384 during the creation of this document. 1386 Some of the ideas on which this document is based arose during 1387 discussions over several years between members of the SAAG, the IETF 1388 CAT working group, and the PSRG, regarding integration of Kerberos 1389 and SPX. Some ideas have also been drawn from the DASS system. 1390 These changes are by no means endorsed by these groups. This is an 1391 attempt to revive some of the goals of those groups, and this 1392 document approaches those goals primarily from the Kerberos 1393 perspective. 1395 Lastly, comments from groups working on similar ideas in DCE have 1396 been invaluable. 1398 6. IANA Considerations 1400 This document has no actions for IANA. 1402 7. References 1404 7.1. Normative References 1406 [IEEE1363] 1407 IEEE, "Standard Specifications for Public Key 1408 Cryptography", IEEE 1363, 2000. 1410 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1411 Requirement Levels", BCP 14, RFC 2119, March 1997. 1413 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", 1414 RFC 2412, November 1998. 1416 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 1417 RFC 2631, June 1999. 1419 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 1420 Identifiers for the Internet X.509 Public Key 1421 Infrastructure Certificate and Certificate Revocation List 1422 (CRL) Profile", RFC 3279, April 2002. 1424 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet 1425 X.509 Public Key Infrastructure Certificate and 1426 Certificate Revocation List (CRL) Profile", RFC 3280, 1427 April 2002. 1429 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) 1430 Algorithms", RFC 3370, August 2002. 1432 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 1433 Standards (PKCS) #1: RSA Cryptography Specifications 1434 Version 2.1", RFC 3447, February 2003. 1436 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 1437 Diffie-Hellman groups for Internet Key Exchange (IKE)", 1438 RFC 3526, May 2003. 1440 [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport 1441 Algorithm in Cryptographic Message Syntax (CMS)", 1442 RFC 3560, July 2003. 1444 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) 1445 Encryption Algorithm in Cryptographic Message Syntax 1446 (CMS)", RFC 3565, July 2003. 1448 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For 1449 Public Keys Used For Exchanging Symmetric Keys", BCP 86, 1450 RFC 3766, April 2004. 1452 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 1453 RFC 3852, July 2004. 1455 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1456 Kerberos 5", RFC 3961, February 2005. 1458 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) 1459 Encryption for Kerberos 5", RFC 3962, February 2005. 1461 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 1462 Requirements for Security", BCP 106, RFC 4086, June 2005. 1464 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1465 Kerberos Network Authentication Service (V5)", RFC 4120, 1466 July 2005. 1468 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, 1469 Information technology - Abstract Syntax Notation One 1470 (ASN.1): Specification of basic notation. 1472 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002, 1473 Information technology - ASN.1 encoding Rules: Specification 1474 of Basic Encoding Rules (BER), Canonical Encoding Rules 1475 (CER) and Distinguished Encoding Rules (DER). 1477 7.2. Informative References 1479 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key 1480 Sizes", Journal of Cryptology 14 (2001) 255-293. 1482 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the 1483 future, Designs, Codes, and Cryptography (1999)". 1484 April 1999. 1486 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 1487 Version 5 Generic Security Service Application Program 1488 Interface (GSS-API) Mechanism: Version 2", RFC 4121, 1489 July 2005. 1491 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. 1492 Nicholas, "Internet X.509 Public Key Infrastructure: 1493 Certification Path Building", RFC 4158, September 2005. 1495 Appendix A. PKINIT ASN.1 Module 1497 KerberosV5-PK-INIT-SPEC { 1498 iso(1) identified-organization(3) dod(6) internet(1) 1499 security(5) kerberosV5(2) modules(4) pkinit(5) 1500 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1502 IMPORTS 1503 SubjectPublicKeyInfo, AlgorithmIdentifier 1504 FROM PKIX1Explicit88 { iso (1) 1505 identified-organization (3) dod (6) internet (1) 1506 security (5) mechanisms (5) pkix (7) id-mod (0) 1507 id-pkix1-explicit (18) } 1508 -- As defined in RFC 3280. 1510 KerberosTime, PrincipalName, Realm, EncryptionKey 1511 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1512 dod(6) internet(1) security(5) kerberosV5(2) 1513 modules(4) krb5spec2(2) } ; 1515 id-pkinit OBJECT IDENTIFIER ::= 1516 { iso (1) org (3) dod (6) internet (1) security (5) 1517 kerberosv5 (2) pkinit (3) } 1519 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 } 1520 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 } 1521 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 } 1522 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 } 1523 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 } 1525 id-pkinit-san OBJECT IDENTIFIER ::= 1526 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1527 x509SanAN (2) } 1529 pa-pk-as-req INTEGER ::= 16 1530 pa-pk-as-rep INTEGER ::= 17 1532 ad-initial-verified-cas INTEGER ::= 9 1534 td-trusted-certifiers INTEGER ::= 104 1535 td-invalid-certificates INTEGER ::= 105 1536 td-dh-parameters INTEGER ::= 109 1538 PA-PK-AS-REQ ::= SEQUENCE { 1539 signedAuthPack [0] IMPLICIT OCTET STRING, 1540 -- Contains a CMS type ContentInfo encoded 1541 -- according to [RFC3852]. 1542 -- The contentType field of the type ContentInfo 1543 -- is id-signedData (1.2.840.113549.1.7.2), 1544 -- and the content field is a SignedData. 1545 -- The eContentType field for the type SignedData is 1546 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 1547 -- eContent field contains the DER encoding of the 1548 -- type AuthPack. 1549 -- AuthPack is defined below. 1550 trustedCertifiers [1] SEQUENCE OF 1551 ExternalPrincipalIdentifier OPTIONAL, 1552 -- Contains a list of CAs, trusted by the client, 1553 -- that can be used to certify the KDC. 1554 -- Each ExternalPrincipalIdentifier identifies a CA 1555 -- or a CA certificate (thereby its public key). 1556 -- The information contained in the 1557 -- trustedCertifiers SHOULD be used by the KDC as 1558 -- hints to guide its selection of an appropriate 1559 -- certificate chain to return to the client. 1560 kdcPkId [2] IMPLICIT OCTET STRING 1561 OPTIONAL, 1562 -- Contains a CMS type SignerIdentifier encoded 1563 -- according to [RFC3852]. 1564 -- Identifies, if present, a particular KDC 1565 -- public key that the client already has. 1566 ... 1567 } 1569 DHNonce ::= OCTET STRING 1571 ExternalPrincipalIdentifier ::= SEQUENCE { 1572 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 1573 -- Contains a PKIX type Name encoded according to 1574 -- [RFC3280]. 1575 -- Identifies the certificate subject by the 1576 -- distinguished subject name. 1577 -- REQUIRED when there is a distinguished subject 1578 -- name present in the certificate. 1579 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 1580 -- Contains a CMS type IssuerAndSerialNumber encoded 1581 -- according to [RFC3852]. 1582 -- Identifies a certificate of the subject. 1583 -- REQUIRED for TD-INVALID-CERTIFICATES and 1584 -- TD-TRUSTED-CERTIFIERS. 1585 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 1586 -- Identifies the subject's public key by a key 1587 -- identifier. When an X.509 certificate is 1588 -- referenced, this key identifier matches the X.509 1589 -- subjectKeyIdentifier extension value. When other 1590 -- certificate formats are referenced, the documents 1591 -- that specify the certificate format and their use 1592 -- with the CMS must include details on matching the 1593 -- key identifier to the appropriate certificate 1594 -- field. 1595 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 1596 ... 1597 } 1598 AuthPack ::= SEQUENCE { 1599 pkAuthenticator [0] PKAuthenticator, 1600 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 1601 -- Type SubjectPublicKeyInfo is defined in 1602 -- [RFC3280]. 1603 -- Specifies Diffie-Hellman domain parameters 1604 -- and the client's public key value [IEEE1363]. 1605 -- The DH public key value is encoded as a BIT 1606 -- STRING according to [RFC3279]. 1607 -- This field is present only if the client wishes 1608 -- to use the Diffie-Hellman key agreement method. 1609 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 1610 OPTIONAL, 1611 -- Type AlgorithmIdentifier is defined in 1612 -- [RFC3280]. 1613 -- List of CMS algorithm [RFC3370] identifiers 1614 -- that identify key transport algorithms, or 1615 -- content encryption algorithms, or signature 1616 -- algorithms supported by the client in order of 1617 -- (decreasing) preference. 1618 clientDHNonce [3] DHNonce OPTIONAL, 1619 -- Present only if the client indicates that it 1620 -- wishes to reuse DH keys or to allow the KDC to 1621 -- do so. 1622 ... 1623 } 1625 PKAuthenticator ::= SEQUENCE { 1626 cusec [0] INTEGER (0..999999), 1627 ctime [1] KerberosTime, 1628 -- cusec and ctime are used as in [RFC4120], for 1629 -- replay prevention. 1630 nonce [2] INTEGER (0..4294967295), 1631 -- Chosen randomly; This nonce does not need to 1632 -- match with the nonce in the KDC-REQ-BODY. 1633 paChecksum [3] OCTET STRING OPTIONAL, 1634 -- MUST be present. 1635 -- Contains the SHA1 checksum, performed over 1636 -- KDC-REQ-BODY. 1637 ... 1638 } 1640 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 1641 ExternalPrincipalIdentifier 1642 -- Identifies a list of CAs trusted by the KDC. 1643 -- Each ExternalPrincipalIdentifier identifies a CA 1644 -- or a CA certificate (thereby its public key). 1646 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 1647 ExternalPrincipalIdentifier 1648 -- Each ExternalPrincipalIdentifier identifies a 1649 -- certificate (sent by the client) with an invalid 1650 -- signature. 1652 KRB5PrincipalName ::= SEQUENCE { 1653 realm [0] Realm, 1654 principalName [1] PrincipalName 1655 } 1657 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 1658 ExternalPrincipalIdentifier 1659 -- Identifies the certification path based on which 1660 -- the client certificate was validated. 1661 -- Each ExternalPrincipalIdentifier identifies a CA 1662 -- or a CA certificate (thereby its public key). 1664 PA-PK-AS-REP ::= CHOICE { 1665 dhInfo [0] DHRepInfo, 1666 -- Selected when Diffie-Hellman key exchange is 1667 -- used. 1668 encKeyPack [1] IMPLICIT OCTET STRING, 1669 -- Selected when public key encryption is used. 1670 -- Contains a CMS type ContentInfo encoded 1671 -- according to [RFC3852]. 1672 -- The contentType field of the type ContentInfo is 1673 -- id-envelopedData (1.2.840.113549.1.7.3). 1674 -- The content field is an EnvelopedData. 1675 -- The contentType field for the type EnvelopedData 1676 -- is id-signedData (1.2.840.113549.1.7.2). 1677 -- The eContentType field for the inner type 1678 -- SignedData (when unencrypted) is 1679 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 1680 -- eContent field contains the DER encoding of the 1681 -- type ReplyKeyPack. 1682 -- ReplyKeyPack is defined below. 1683 ... 1684 } 1686 DHRepInfo ::= SEQUENCE { 1687 dhSignedData [0] IMPLICIT OCTET STRING, 1688 -- Contains a CMS type ContentInfo encoded according 1689 -- to [RFC3852]. 1690 -- The contentType field of the type ContentInfo is 1691 -- id-signedData (1.2.840.113549.1.7.2), and the 1692 -- content field is a SignedData. 1693 -- The eContentType field for the type SignedData is 1694 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 1695 -- eContent field contains the DER encoding of the 1696 -- type KDCDHKeyInfo. 1697 -- KDCDHKeyInfo is defined below. 1698 serverDHNonce [1] DHNonce OPTIONAL, 1699 -- Present if and only if dhKeyExpiration is 1700 -- present. 1701 ... 1702 } 1704 KDCDHKeyInfo ::= SEQUENCE { 1705 subjectPublicKey [0] BIT STRING, 1706 -- The KDC's DH public key. 1707 -- The DH public key value is encoded as a BIT 1708 -- STRING according to [RFC3279]. 1709 nonce [1] INTEGER (0..4294967295), 1710 -- Contains the nonce in the pkAuthenticator field 1711 -- in the request if the DH keys are NOT reused, 1712 -- 0 otherwise. 1713 dhKeyExpiration [2] KerberosTime OPTIONAL, 1714 -- Expiration time for KDC's key pair, 1715 -- present if and only if the DH keys are reused. 1716 -- If present, the KDC's DH public key MUST not be 1717 -- used past the point of this expiration time. 1718 -- If this field is omitted then the serverDHNonce 1719 -- field MUST also be omitted. 1720 ... 1721 } 1723 ReplyKeyPack ::= SEQUENCE { 1724 replyKey [0] EncryptionKey, 1725 -- Contains the session key used to encrypt the 1726 -- enc-part field in the AS-REP, i.e. the 1727 -- AS reply key. 1728 asChecksum [1] Checksum, 1729 -- Contains the checksum of the AS-REQ 1730 -- corresponding to the containing AS-REP. 1731 -- The checksum is performed over the type AS-REQ. 1732 -- The protocol key [RFC3961] of the checksum is the 1733 -- replyKey and the key usage number is 6. 1734 -- If the replyKey's enctype is "newer" [RFC4120] 1735 -- [RFC4121], the checksum is the required 1736 -- checksum operation [RFC3961] for that enctype. 1737 -- The client MUST verify this checksum upon receipt 1738 -- of the AS-REP. 1739 ... 1740 } 1741 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 1742 -- Each AlgorithmIdentifier specifies a set of 1743 -- Diffie-Hellman domain parameters [IEEE1363]. 1744 -- This list is in decreasing preference order. 1745 END 1747 Appendix B. Test Vectors 1749 Function octetstring2key() is defined in Section 3.2.3.1. This 1750 section describes a few sets of test vectors that would be useful for 1751 implementers of octetstring2key(). 1753 Set 1 1754 ===== 1755 Input octet string x is: 1757 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1758 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1759 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1761 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1762 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1763 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1764 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1765 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1766 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1767 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1768 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1769 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1771 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1772 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1774 Output of K-truncate() when the key size is 32 octets: 1776 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83 1777 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41 1779 Set 2: 1780 ===== 1781 Input octet string x is: 1783 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1784 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1785 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1786 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1787 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1788 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1789 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1792 Output of K-truncate() when the key size is 32 octets: 1794 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb 1795 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e 1797 Set 3: 1798 ====== 1799 Input octet string x is: 1801 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1802 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1803 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1804 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1805 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 1806 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 1807 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 1808 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1810 Output of K-truncate() when the key size is 32 octets: 1812 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3 1813 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e 1815 Set 4: 1816 ===== 1817 Input octet string x is: 1819 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1820 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1821 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1822 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1823 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1825 Output of K-truncate() when the key size is 32 octets: 1827 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a 1828 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc 1830 Appendix C. Miscellaneous Information about Microsoft Windows PKINIT 1831 Implementations 1833 Earlier revisions of the PKINIT I-D were implemented in various 1834 releases of Microsoft Windows and deployed in fairly large numbers. 1835 To enable the community to better interoperate with systems running 1836 those releases, the following information may be useful. 1838 KDC certificates issued by Windows 2000 Enterprise CAs contain a 1839 dNSName SAN with the DNS name of the host running the KDC, and the 1840 id-kp-serverAuth EKU [RFC3280]. 1842 KDC certificates issued by Windows 2003 Enterprise CAs contain a 1843 dNSName SAN with the DNS name of the host running the KDC, the id-kp- 1844 serverAuth EKU and the id-ms-kp-sc-logon EKU. 1846 It is anticipated that the next release of Windows is already too far 1847 along to allow it to support the issuing KDC certificates with id- 1848 pkinit-san SAN as specified in this RFC. Instead, they will have a 1849 dNSName SAN containing the domain name of the KDC and the intended 1850 purpose of these KDC certificates be restricted by the presence of 1851 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU. 1853 In addition to checking that the above are present in a KDC 1854 certificate, Windows clients verify that the issuer of the KDC 1855 certificate is one of a set of allowed issuers of such certificates, 1856 so those wishing to issue KDC certificates need to configure their 1857 Windows clients appropriately. 1859 Client certificates accepted by Windows 2000 and Windows 2003 Server 1860 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) 1861 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN 1862 contains a UTF8 encoded string whose value is that of the Directory 1863 Service attribute UserPrincipalName of the client account object, and 1864 the purpose of including the id-ms-san-sc-logon-upn SAN in the client 1865 certificate is to validate the client mapping (in other words, the 1866 client's public key is bound to the account that has this 1867 UserPrincipalName value). 1869 It should be noted that all Microsoft Kerberos realm names are domain 1870 style realm names and strictly in upper case. In addition, the 1871 UserPrincipalName attribute is globally unique in Windows 2000 and 1872 Windows 2003. 1874 Authors' Addresses 1876 Larry Zhu 1877 Microsoft Corporation 1878 One Microsoft Way 1879 Redmond, WA 98052 1880 US 1882 Email: lzhu@microsoft.com 1884 Brian Tung 1885 USC Information Sciences Institute 1886 4676 Admiralty Way Suite 1001 1887 Marina del Rey, CA 90292 1888 US 1890 Email: brian@isi.edu 1892 Intellectual Property Statement 1894 The IETF takes no position regarding the validity or scope of any 1895 Intellectual Property Rights or other rights that might be claimed to 1896 pertain to the implementation or use of the technology described in 1897 this document or the extent to which any license under such rights 1898 might or might not be available; nor does it represent that it has 1899 made any independent effort to identify any such rights. Information 1900 on the procedures with respect to rights in RFC documents can be 1901 found in BCP 78 and BCP 79. 1903 Copies of IPR disclosures made to the IETF Secretariat and any 1904 assurances of licenses to be made available, or the result of an 1905 attempt made to obtain a general license or permission for the use of 1906 such proprietary rights by implementers or users of this 1907 specification can be obtained from the IETF on-line IPR repository at 1908 http://www.ietf.org/ipr. 1910 The IETF invites any interested party to bring to its attention any 1911 copyrights, patents or patent applications, or other proprietary 1912 rights that may cover technology that may be required to implement 1913 this standard. Please address the information to the IETF at 1914 ietf-ipr@ietf.org. 1916 Disclaimer of Validity 1918 This document and the information contained herein are provided on an 1919 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1920 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1921 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1922 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1923 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1924 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1926 Copyright Statement 1928 Copyright (C) The Internet Society (2006). This document is subject 1929 to the rights, licenses and restrictions contained in BCP 78, and 1930 except as set forth therein, the authors retain all their rights. 1932 Acknowledgment 1934 Funding for the RFC Editor function is currently provided by the 1935 Internet Society.