| < draft-ietf-cat-kerberos-pk-init-20.txt | draft-ietf-cat-kerberos-pk-init-21.txt > | |||
|---|---|---|---|---|
| INTERNET-DRAFT Brian Tung | INTERNET-DRAFT Brian Tung | |||
| draft-ietf-cat-kerberos-pk-init-20.txt Clifford Neuman | draft-ietf-cat-kerberos-pk-init-21.txt Clifford Neuman | |||
| Updates: CLARIFICATIONS USC/ISI | expires April 25, 2005 USC/ISI | |||
| expires January 25, 2005 Matthew Hur | ||||
| Ari Medvinsky | ||||
| Microsoft Corporation | ||||
| Sasha Medvinsky | Sasha Medvinsky | |||
| Motorola, Inc. | Motorola, Inc. | |||
| John Wray | ||||
| Iris Associates, Inc. | ||||
| Jonathan Trostle | ||||
| Public Key Cryptography for Initial Authentication in Kerberos | Public Key Cryptography for Initial Authentication in Kerberos | |||
| 0. Status Of This Memo | 0. Status Of This Memo | |||
| By submitting this Internet-Draft, I certify that any applicable | By submitting this Internet-Draft, I certify that any applicable | |||
| patent or other IPR claims of which I am aware have been disclosed, | patent or other IPR claims of which I am aware have been disclosed, | |||
| or will be disclosed, and any of which I become aware will be | or will be disclosed, and any of which I become aware will be | |||
| disclosed, in accordance with RFC 3668. | disclosed, in accordance with RFC 3668. | |||
| This document is an Internet-Draft and is in full conformance with | Internet-Drafts are working documents of the Internet Engineering | |||
| all provision of Section 10 of RFC 2026. Internet-Drafts are | Task Force (IETF), its areas, and its working groups. Note that | |||
| working documents of the Internet Engineering Task Force (IETF), its | other groups may also distribute working documents as | |||
| areas, and its working groups. Note that other groups may also | Internet-Drafts. | |||
| distribute working documents as Internet-Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six | Internet-Drafts are draft documents valid for a maximum of six | |||
| months and may be updated, replaced, or obsoleted by other documents | months and may be updated, replaced, or obsoleted by other documents | |||
| at any time. It is inappropriate to use Internet-Drafts as | at any time. It is inappropriate to use Internet-Drafts as | |||
| reference material or to cite them other than as "work in progress." | reference material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||
| The distribution of this memo is unlimited. It is filed as | The distribution of this memo is unlimited. It is filed as | |||
| draft-ietf-cat-kerberos-pk-init-20.txt and expires January 25, 2005. | draft-ietf-cat-kerberos-pk-init-21.txt and expires April 25, 2005. | |||
| Please send comments to the authors. | Please send comments to the authors. | |||
| 1. Abstract | 1. Abstract | |||
| This document describes protocol extensions (hereafter called | This document describes protocol extensions (hereafter called | |||
| PKINIT) to the Kerberos protocol specification ([1], hereafter | PKINIT) to the Kerberos protocol specification [1]. These | |||
| called CLARIFICATIONS). These extensions provide a method for | extensions provide a method for integrating public key cryptography | |||
| integrating public key cryptography into the initial authentication | into the initial authentication exchange, by passing digital | |||
| exchange, by passing digital certificates and associated | certificates and associated authenticators in preauthentication data | |||
| authenticators in preauthentication data fields. | fields. | |||
| 2. Introduction | 2. Introduction | |||
| A client typically authenticates itself to a service in Kerberos | A client typically authenticates itself to a service in Kerberos | |||
| using three distinct though related exchanges. First, the client | using three distinct though related exchanges. First, the client | |||
| requests a ticket-granting ticket (TGT) from the Kerberos | requests a ticket-granting ticket (TGT) from the Kerberos | |||
| authentication server (AS). Then, it uses the TGT to request a | authentication server (AS). Then, it uses the TGT to request a | |||
| service ticket from the Kerberos ticket-granting server (TGS). | service ticket from the Kerberos ticket-granting server (TGS). | |||
| Usually, the AS and TGS are integrated in a single device known as | Usually, the AS and TGS are integrated in a single device known as | |||
| a Kerberos Key Distribution Center, or KDC. (In this document, we | a Kerberos Key Distribution Center, or KDC. (In this document, we | |||
| skipping to change at line 95 ¶ | skipping to change at line 88 ¶ | |||
| no inherent security benefit. | no inherent security benefit. | |||
| As noted above, a convenient and efficient place to introduce | As noted above, a convenient and efficient place to introduce | |||
| public-key cryptography into Kerberos is in the initial | public-key cryptography into Kerberos is in the initial | |||
| authentication exchange. This document describes the methods and | authentication exchange. This document describes the methods and | |||
| data formats for integrating public-key cryptography into Kerberos | data formats for integrating public-key cryptography into Kerberos | |||
| initial authentication. | initial authentication. | |||
| 3. Extensions | 3. Extensions | |||
| This section describes extensions to CLARIFICATIONS for supporting | This section describes extensions to [1] for supporting the use of | |||
| the use of public-key cryptography in the initial request for a | public-key cryptography in the initial request for a ticket. | |||
| ticket. | ||||
| Briefly, this document defines the following extensions to | Briefly, this document defines the following extensions to [1]: | |||
| CLARIFICATIONS: | ||||
| 1. The client indicates the use of public-key authentication by | 1. The client indicates the use of public-key authentication by | |||
| including a special preauthenticator in the initial request. | including a special preauthenticator in the initial request. | |||
| This preauthenticator contains the client's public-key data | This preauthenticator contains the client's public-key data | |||
| and a signature. | and a signature. | |||
| 2. The KDC tests the client's request against its policy and | 2. The KDC tests the client's request against its policy and | |||
| trusted Certification Authorities (CAs). | trusted Certification Authorities (CAs). | |||
| 3. If the request passes the verification tests, the KDC | 3. If the request passes the verification tests, the KDC | |||
| skipping to change at line 130 ¶ | skipping to change at line 121 ¶ | |||
| Any keying material required by the client to obtain the | Any keying material required by the client to obtain the | |||
| Encryption key is returned in a preauthentication field | Encryption key is returned in a preauthentication field | |||
| accompanying the usual reply. | accompanying the usual reply. | |||
| 4. The client obtains the encryption key, decrypts the reply, | 4. The client obtains the encryption key, decrypts the reply, | |||
| and then proceeds as usual. | and then proceeds as usual. | |||
| Section 3.1 of this document defines the necessary message formats. | Section 3.1 of this document defines the necessary message formats. | |||
| Section 3.2 describes their syntax and use in greater detail. | Section 3.2 describes their syntax and use in greater detail. | |||
| 3.1. Definitions | 3.1. Definitions, Requirements, and Constants | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | ||||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | ||||
| document are to be interpreted as described in RFC 2119 [12]. | ||||
| 3.1.1. Required Algorithms | 3.1.1. Required Algorithms | |||
| All PKINIT implementations MUST support the following algorithms: | All PKINIT implementations MUST support the following algorithms: | |||
| - Reply key (or DH-derived key): AES256-CTS-HMAC-SHA1-96 etype. | - Reply key (or DH-derived key): AES256-CTS-HMAC-SHA1-96 etype. | |||
| - Signature algorithm: SHA-1 digest and RSA. | - Signature algorithm: SHA-1 digest and RSA. | |||
| - Reply key delivery method: ephemeral-ephemeral Diffie-Hellman | - Reply key delivery method: ephemeral-ephemeral Diffie-Hellman | |||
| with a non-zero nonce. | with a non-zero nonce. | |||
| - Unkeyed checksum type for the paChecksum member of | - Unkeyed checksum type for the paChecksum member of | |||
| PKAuthenticator: SHA1 (unkeyed). | PKAuthenticator: SHA1 (unkeyed), Kerberos checksum type 14 | |||
| [11]. | ||||
| 3.1.2. Defined Message and Encryption Types | 3.1.2. Defined Message and Encryption Types | |||
| PKINIT makes use of the following new preauthentication types: | PKINIT makes use of the following new preauthentication types: | |||
| PA-PK-AS-REQ TBD | PA-PK-AS-REQ TBD | |||
| PA-PK-AS-REP TBD | PA-PK-AS-REP TBD | |||
| PKINIT also makes use of the following new authorization data type: | PKINIT also makes use of the following new authorization data type: | |||
| skipping to change at line 175 ¶ | skipping to change at line 171 ¶ | |||
| KDC_ERR_INVALID_CERTIFICATE 71 | KDC_ERR_INVALID_CERTIFICATE 71 | |||
| KDC_ERR_REVOKED_CERTIFICATE 72 | KDC_ERR_REVOKED_CERTIFICATE 72 | |||
| KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 | KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 | |||
| KDC_ERR_CLIENT_NAME_MISMATCH 75 | KDC_ERR_CLIENT_NAME_MISMATCH 75 | |||
| PKINIT uses the following typed data types for errors: | PKINIT uses the following typed data types for errors: | |||
| TD-DH-PARAMETERS TBD | TD-DH-PARAMETERS TBD | |||
| TD-TRUSTED-CERTIFIERS 104 | TD-TRUSTED-CERTIFIERS 104 | |||
| TD-CERTIFICATE-INDEX 105 | TD-CERTIFICATE-INDEX 105 | |||
| TD-UNKEYED-CHECKSUM-INFO 109 | ||||
| PKINIT defines the following encryption types, for use in the AS-REQ | PKINIT defines the following encryption types, for use in the AS-REQ | |||
| message (to indicate acceptance of the corresponding encryption OIDs | message (to indicate acceptance of the corresponding encryption OIDs | |||
| in PKINIT): | in PKINIT): | |||
| dsaWithSHA1-CmsOID 9 | dsaWithSHA1-CmsOID 9 | |||
| md5WithRSAEncryption-CmsOID 10 | md5WithRSAEncryption-CmsOID 10 | |||
| sha1WithRSAEncryption-CmsOID 11 | sha1WithRSAEncryption-CmsOID 11 | |||
| rc2CBC-EnvOID 12 | rc2CBC-EnvOID 12 | |||
| rsaEncryption-EnvOID (PKCS1 v1.5) 13 | rsaEncryption-EnvOID (PKCS1 v1.5) 13 | |||
| rsaES-OAEP-EnvOID (PKCS1 v2.0) 14 | rsaES-OAEP-EnvOID (PKCS1 v2.0) 14 | |||
| des-ede3-cbc-EnvOID 15 | des-ede3-cbc-EnvOID 15 | |||
| The above encryption types are used by the client only within the | The above encryption types are used by the client only within the | |||
| KDC-REQ-BODY to indicate which CMS [2] algorithms it supports. Their | KDC-REQ-BODY to indicate which CMS [2] algorithms it supports. Their | |||
| use within Kerberos EncryptedData structures is not specified by this | use within Kerberos EncryptedData structures is not specified by this | |||
| document. | document. | |||
| The ASN.1 module for all structures defined in this document (plus | The ASN.1 module for all structures defined in this document (plus | |||
| IMPORT statements for all imported structures) are given in Appendix | IMPORT statements for all imported structures) are given in Appendix | |||
| A. All structures MUST be encoded using Distinguished Encoding | A. In the event of a discrepancy between Appendix A and the portions | |||
| Rules (DER). | of ASN.1 in the main text, the appendix is normative. | |||
| All structures defined in this document MUST be encoded using | ||||
| Distinguished Encoding Rules (DER). All imported data structures | ||||
| must be encoded according to the rules specified in Kerberos [1] or | ||||
| CMS [2] as appropriate. | ||||
| Interoperability note: Some implementations may not be able to | ||||
| decode CMS objects encoded with BER but not DER; specifically, they | ||||
| may not be able to decode infinite length encodings. To maximize | ||||
| interoperability, implementers SHOULD encode CMS objects used in | ||||
| PKINIT with DER. | ||||
| 3.1.3. Algorithm Identifiers | 3.1.3. Algorithm Identifiers | |||
| PKINIT does not define, but does make use of, the following | PKINIT does not define, but does make use of, the following | |||
| algorithm identifiers. | algorithm identifiers. | |||
| PKINIT uses the following algorithm identifier for Diffie-Hellman | PKINIT uses the following algorithm identifier for Diffie-Hellman | |||
| key agreement [9]: | key agreement [9]: | |||
| dhpublicnumber | dhpublicnumber | |||
| skipping to change at line 225 ¶ | skipping to change at line 233 ¶ | |||
| encrypting the temporary key with a public key: | encrypting the temporary key with a public key: | |||
| rsaEncryption (PKCS1 v1.5) | rsaEncryption (PKCS1 v1.5) | |||
| id-RSAES-OAEP (PKCS1 v2.0) | id-RSAES-OAEP (PKCS1 v2.0) | |||
| PKINIT uses the following algorithm identifiers [2] for encrypting | PKINIT uses the following algorithm identifiers [2] for encrypting | |||
| the reply key with the temporary key: | the reply key with the temporary key: | |||
| des-ede3-cbc (three-key 3DES, CBC mode) | des-ede3-cbc (three-key 3DES, CBC mode) | |||
| rc2-cbc (RC2, CBC mode) | rc2-cbc (RC2, CBC mode) | |||
| aes256_CBC (AES-256, CBC mode) | ||||
| Kerberos data structures require the use of integer etypes, while CMS | ||||
| objects use OIDs. Therefore, each cryptographic algorithm supported | ||||
| by PKINIT is identified both by a CMS OID and by an equivalent | ||||
| Kerberos etype (defined in section 3.1.2). | ||||
| 3.2. PKINIT Preauthentication Syntax and Use | 3.2. PKINIT Preauthentication Syntax and Use | |||
| This section defines the syntax and use of the various | This section defines the syntax and use of the various | |||
| preauthentication fields employed by PKINIT. | preauthentication fields employed by PKINIT. | |||
| 3.2.1. Client Request | 3.2.1. Client Request | |||
| The initial authentication request (AS-REQ) is sent as per RFC | The initial authentication request (AS-REQ) is sent as per [1]; in | |||
| 1510bis; in addition, a preauthentication field contains data signed | addition, a preauthentication field contains data signed by the | |||
| by the client's private signature key, as follows: | client's private signature key, as follows: | |||
| WrapContentInfo ::= OCTET STRING (CONSTRAINED BY { | ||||
| -- Contains a BER encoding of | ||||
| -- ContentInfo | ||||
| }) | ||||
| WrapIssuerAndSerial ::= OCTET STRING (CONSTRAINED BY { | ||||
| -- Contains a BER encoding of | ||||
| -- IssuerAndSerialNumber | ||||
| }) | ||||
| PA-PK-AS-REQ ::= SEQUENCE { | PA-PK-AS-REQ ::= SEQUENCE { | |||
| signedAuthPack [0] ContentInfo, | signedAuthPack [0] IMPLICIT WrapContentInfo, | |||
| -- Defined in CMS [2]. | ||||
| -- Type is SignedData. | -- Type is SignedData. | |||
| -- Content is AuthPack | -- Content is AuthPack | |||
| -- (defined below). | -- (defined below). | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | |||
| -- A list of CAs, trusted by | -- A list of CAs, trusted by | |||
| -- the client, used to certify | -- the client, used to certify | |||
| -- KDCs. | -- KDCs. | |||
| kdcCert [2] IssuerAndSerialNumber OPTIONAL, | kdcCert [2] IMPLICIT WrapIssuerAndSerial | |||
| -- Defined in CMS [2]. | OPTIONAL, | |||
| -- Identifies a particular KDC | -- Identifies a particular KDC | |||
| -- certificate, if the client | -- certificate, if the client | |||
| -- already has it. | -- already has it. | |||
| ... | ... | |||
| } | } | |||
| TrustedCA ::= CHOICE { | TrustedCA ::= CHOICE { | |||
| caName [0] Name, | caName [1] Name, | |||
| -- Fully qualified X.500 name | -- Fully qualified X.500 name | |||
| -- as defined in RFC 3280 [4]. | -- as defined in RFC 3280 [4]. | |||
| issuerAndSerial [2] IssuerAndSerialNumber, | issuerAndSerial [2] IMPLICIT WrapIssuerAndSerial, | |||
| -- Identifies a specific CA | -- Identifies a specific CA | |||
| -- certificate. | -- certificate. | |||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| -- Defined in RFC 3280 [4]. | -- Defined in RFC 3280 [4]. | |||
| -- Present only if the client | -- Present only if the client | |||
| skipping to change at line 286 ¶ | skipping to change at line 299 ¶ | |||
| -- Diffie-Hellman. | -- Diffie-Hellman. | |||
| supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | |||
| OPTIONAL, | OPTIONAL, | |||
| -- List of CMS encryption types | -- List of CMS encryption types | |||
| -- supported by client in order | -- supported by client in order | |||
| -- of (decreasing) preference. | -- of (decreasing) preference. | |||
| ... | ... | |||
| } | } | |||
| PKAuthenticator ::= SEQUENCE { | PKAuthenticator ::= SEQUENCE { | |||
| cusec [0] INTEGER, | cusec [0] INTEGER (0..999999), | |||
| ctime [1] KerberosTime, | ctime [1] KerberosTime, | |||
| -- cusec and ctime are used as | -- cusec and ctime are used as | |||
| -- in CLARIFICATIONS, for replay | -- in [1], for replay | |||
| -- prevention. | -- prevention. | |||
| nonce [2] INTEGER (0..4294967295), | nonce [2] INTEGER (0..4294967295), | |||
| -- Binds reply to request, | -- Binds reply to request, | |||
| -- MUST be zero when client | -- MUST be zero when client | |||
| -- will accept cached | -- will accept cached | |||
| -- Diffie-Hellman parameters | -- Diffie-Hellman parameters | |||
| -- from KDC. MUST NOT be | -- from KDC. MUST NOT be | |||
| -- zero otherwise. | -- zero otherwise. | |||
| paChecksum [3] Checksum, | paChecksum [3] Checksum, | |||
| -- Defined in CLARIFICATIONS. | -- Defined in [1]. | |||
| -- Performed over KDC-REQ-BODY, | -- Performed over KDC-REQ-BODY, | |||
| -- MUST be unkeyed. | -- MUST be unkeyed. | |||
| ... | ... | |||
| } | } | |||
| The ContentInfo in the signedAuthPack is filled out as follows: | The ContentInfo in the signedAuthPack is filled out as follows: | |||
| 1. The eContent field contains data of type AuthPack. It MUST | 1. The eContent field contains data of type AuthPack. It MUST | |||
| contain the pkAuthenticator, and MAY also contain the | contain the pkAuthenticator, and MAY also contain the | |||
| client's Diffie-Hellman public value (clientPublicValue). | client's Diffie-Hellman public value (clientPublicValue). | |||
| 2. The eContentType field MUST contain the OID value for | 2. The eContentType field MUST contain the OID value for | |||
| id-pkauthdata: { iso(1) org(3) dod(6) internet(1) | id-pkauthdata: { iso(1) org(3) dod(6) internet(1) | |||
| security(5) kerberosv5(2) pkinit(3) pkauthdata(1)} | security(5) kerberosv5(2) pkinit(3) pkauthdata(1)} | |||
| 3. The signerInfos field MUST contain the signature over the | 3. The signerInfos field MUST contain the signature over the | |||
| AuthPack. | AuthPack. | |||
| 4. The certificates field MUST contain at least a signature | 4. The certificates field MUST contain at least a signature | |||
| verification certificate chain that the KDC can use to | verification certificate chain that the KDC can use to | |||
| verify the signature over the AuthPack. Additionally, the | verify the signature over the AuthPack. The certificate | |||
| client MAY insert an encryption certificate chain, if | chain(s) MUST NOT contain the root CA certificate. | |||
| (for example) the client is not using ephemeral-ephemeral | ||||
| Diffie-Hellman. | ||||
| 5. If a Diffie-Hellman key is being used, the parameters SHOULD | 5. If a Diffie-Hellman key is being used, the parameters MUST | |||
| be chosen from the First or Second defined Oakley Groups. | be chosen from Oakley Group 2 or 14. Implementations MUST | |||
| support Group 2; they are RECOMMENDED to support Group 14. | ||||
| (See RFC 2409 [10].) | (See RFC 2409 [10].) | |||
| 6. The KDC may wish to use cached Diffie-Hellman parameters. | 6. The KDC may wish to use cached Diffie-Hellman parameters. | |||
| To indicate acceptance of caching, the client sends zero in | To indicate acceptance of caching, the client sends zero in | |||
| the nonce field of the pkAuthenticator. Zero is not a valid | the nonce field of the pkAuthenticator. Zero is not a valid | |||
| value for this field under any other circumstances. Since | value for this field under any other circumstances. Since | |||
| zero is used to indicate acceptance of cached parameters, | zero is used to indicate acceptance of cached parameters, | |||
| message binding in this case is performed using only the | message binding in this case is performed using only the | |||
| nonce in the main request. | nonce in the main request. | |||
| 3.2.2. Validation of Client Request | 3.2.2. Validation of Client Request | |||
| Upon receiving the client's request, the KDC validates it. This | Upon receiving the client's request, the KDC validates it. This | |||
| section describes the steps that the KDC MUST (unless otherwise | section describes the steps that the KDC MUST (unless otherwise | |||
| noted) take in validating the request. | noted) take in validating the request. | |||
| The KDC must look for a client certificate in the signedAuthPack. | The KDC must look for a client certificate in the signedAuthPack. | |||
| If it cannot find one signed by a CA it trusts, it sends back an | If it cannot find one signed by a CA it trusts, it sends back an | |||
| error of type KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying | error of type KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying | |||
| e-data for this error is a SEQUENCE OF TYPED-DATA (as defined in RFC | e-data for this error is a TYPED-DATA (as defined in [1]). For this | |||
| 1510bis). For this error, the data-type is TD-TRUSTED-CERTIFIERS, | error, the data-type is TD-TRUSTED-CERTIFIERS, and the data-value is | |||
| and the data-value is an OCTET STRING containing the DER encoding of | the DER encoding of | |||
| TrustedCertifiers ::= SEQUENCE OF Name | TrustedCertifiers ::= SEQUENCE OF Name | |||
| If, while verifying the certificate chain, the KDC determines that | If, while verifying the certificate chain, the KDC determines that | |||
| the signature on one of the certificates in the signedAuthPack is | the signature on one of the certificates in the signedAuthPack is | |||
| invalid, it returns an error of type KDC_ERR_INVALID_CERTIFICATE. | invalid, it returns an error of type KDC_ERR_INVALID_CERTIFICATE. | |||
| The accompanying e-data for this error is a SEQUENCE OF TYPED-DATA, | The accompanying e-data for this error is a TYPED-DATA, whose | |||
| whose data-type is TD-CERTIFICATE-INDEX, and whose data-value is an | data-type is TD-CERTIFICATE-INDEX, and whose data-value is the DER | |||
| OCTET STRING containing the DER encoding of the index into the | encoding of the index into the CertificateSet field, ordered as sent | |||
| CertificateSet field, ordered as sent by the client: | by the client: | |||
| CertificateIndex ::= IssuerAndSerialNumber | CertificateIndex ::= IssuerAndSerialNumber | |||
| -- IssuerAndSerialNumber of | -- IssuerAndSerialNumber of | |||
| -- certificate with invalid signature | -- certificate with invalid signature | |||
| If more than one certificate signature is invalid, the KDC MAY send | If more than one certificate signature is invalid, the KDC MAY send | |||
| one TYPED-DATA per invalid signature. | one TYPED-DATA per invalid signature. | |||
| The KDC MAY also check whether any certificates in the client's | The KDC MAY also check whether any certificates in the client's | |||
| chain have been revoked. If any of them have been revoked, the KDC | chain have been revoked. If any of them have been revoked, the KDC | |||
| skipping to change at line 409 ¶ | skipping to change at line 421 ¶ | |||
| If the KDC does not have its own mapping and there is no Kerberos | If the KDC does not have its own mapping and there is no Kerberos | |||
| name present in the certificate, or if the name in the request does | name present in the certificate, or if the name in the request does | |||
| not match the name in the certificate (including the realm name), or | not match the name in the certificate (including the realm name), or | |||
| if there is no name in the request, the KDC MUST return error code | if there is no name in the request, the KDC MUST return error code | |||
| KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data | KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data | |||
| for this error. | for this error. | |||
| Even if the chain is validated, and the names in the certificate and | Even if the chain is validated, and the names in the certificate and | |||
| the request match, the KDC may decide not to trust the client. For | the request match, the KDC may decide not to trust the client. For | |||
| example, the certificate may include an Enxtended Key Usage (EKU) OID | example, the certificate may include an Extended Key Usage (EKU) OID | |||
| in the extensions field. As a matter of local policy, the KDC may | in the extensions field. As a matter of local policy, the KDC may | |||
| decide to reject requests on the basis of the absence or presence of | decide to reject requests on the basis of the absence or presence of | |||
| specific EKU OIDs. In this case, the KDC MUST return error code | specific EKU OIDs. In this case, the KDC MUST return error code | |||
| KDC_ERR_CLIENT_NOT_TRUSTED. The PKINIT EKU OID is defined as: | KDC_ERR_CLIENT_NOT_TRUSTED. The PKINIT EKU OID is defined as: | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkekuoid(4) } | pkinit(3) pkekuoid(4) } | |||
| If the client's signature on the signedAuthPack fails to verify, the KDC | If the client's signature on the signedAuthPack fails to verify, the KDC | |||
| MUST return error KDC_ERR_INVALID_SIG. There is no accompanying | MUST return error KDC_ERR_INVALID_SIG. There is no accompanying | |||
| e-data for this error. | e-data for this error. | |||
| The KDC MUST check the timestamp to ensure that the request is not | The KDC MUST check the timestamp to ensure that the request is not | |||
| a replay, and that the time skew falls within acceptable limits. | a replay, and that the time skew falls within acceptable limits. | |||
| The recommendations clock skew times in CLARIFICATIONS apply here. | The recommendations clock skew times in [1] apply here. If the | |||
| If the check fails, the KDC MUSTreturn error code KRB_AP_ERR_REPEAT | check fails, the KDC MUSTreturn error code KRB_AP_ERR_REPEAT or | |||
| or KRB_AP_ERR_SKEW, respectively. | KRB_AP_ERR_SKEW, respectively. | |||
| If the clientPublicValue is filled in, indicating that the client | If the clientPublicValue is filled in, indicating that the client | |||
| wishes to use ephemeral-ephemeral Diffie-Hellman, the KDC checks to | wishes to use ephemeral-ephemeral Diffie-Hellman, the KDC checks to | |||
| see if the parameters satisfy its policy. If they do not, it MUST | see if the parameters satisfy its policy. If they do not, it MUST | |||
| return error code KDC_ERR_KEY_SIZE. The accompanying e-data is a | return error code KDC_ERR_KEY_SIZE. The accompanying e-data is a | |||
| SEQUENCE OF TYPED-DATA, whose data-type is TD-DH-PARAMETERS, and | TYPED-DATA, whose data-type is TD-DH-PARAMETERS, and whose | |||
| whose data-value is an OCTET STRING containing the DER encoding of a | data-value is the DER encoding of a DomainParameters (see [3]), | |||
| DomainParameters (see [3]), including appropriate Diffie-Hellman | including appropriate Diffie-Hellman parameters with which to retry | |||
| parameters with which to retry the request. | the request. | |||
| The KDC MUST return error code KDC_ERR_CERTIFICATE_MISMATCH if the | The KDC MUST return error code KDC_ERR_CERTIFICATE_MISMATCH if the | |||
| client included a kdcCert field in the PA-PK-AS-REQ and the KDC does | client included a kdcCert field in the PA-PK-AS-REQ and the KDC does | |||
| not have the corresponding certificate. | not have the corresponding certificate. | |||
| The KDC MUST return error code KDC_ERR_KDC_NOT_TRUSTED if the client | The KDC MUST return error code KDC_ERR_KDC_NOT_TRUSTED if the client | |||
| did not include a kdcCert field, but did include a trustedCertifiers | did not include a kdcCert field, but did include a trustedCertifiers | |||
| field, and the KDC does not possesses a certificate issued by one of | field, and the KDC does not possesses a certificate issued by one of | |||
| the listed certifiers. | the listed certifiers. | |||
| If there is a supportedCMSTypes field in the AuthPack, the KDC must | If there is a supportedCMSTypes field in the AuthPack, the KDC must | |||
| check to see if it supports any of the listed types. If it supports | check to see if it supports any of the listed types. If it supports | |||
| more than one of the types, the KDC SHOULD use the one listed first. | more than one of the types, the KDC SHOULD use the one listed first. | |||
| If it does not support any of them, it MUST return an error of type | If it does not support any of them, it MUST return an error of type | |||
| KRB5KDC_ERR_ETYPE_NOSUPP. | KRB5KDC_ERR_ETYPE_NOSUPP. | |||
| 3.2.3. KDC Reply | 3.2.3. KDC Reply | |||
| Assuming that the client's request has been properly validated, the | Assuming that the client's request has been properly validated, the | |||
| KDC proceeds as per CLARIFICATIONS, except as follows. | KDC proceeds as per [1], except as follows. | |||
| The KDC MUST set the initial flag and include an authorization data | The KDC MUST set the initial flag and include an authorization data | |||
| of type AD-INITIAL-VERIFIED-CAS in the issued ticket. The value is | of type AD-INITIAL-VERIFIED-CAS in the issued ticket. The value is | |||
| an OCTET STRING containing the DER encoding of InitialVerifiedCAs: | an OCTET STRING containing the DER encoding of InitialVerifiedCAs: | |||
| InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE { | InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE { | |||
| ca [0] Name, | ca [0] Name, | |||
| Validated [1] BOOLEAN, | Validated [1] BOOLEAN, | |||
| ... | ... | |||
| } | } | |||
| skipping to change at line 483 ¶ | skipping to change at line 495 ¶ | |||
| Application servers that understand this authorization data type | Application servers that understand this authorization data type | |||
| SHOULD apply local policy to determine whether a given ticket | SHOULD apply local policy to determine whether a given ticket | |||
| bearing such a type *not* contained within an AD-IF-RELEVANT | bearing such a type *not* contained within an AD-IF-RELEVANT | |||
| container is acceptable. (This corresponds to the AP server | container is acceptable. (This corresponds to the AP server | |||
| checking the transited field when the TRANSITED-POLICY-CHECKED flag | checking the transited field when the TRANSITED-POLICY-CHECKED flag | |||
| has not been set.) If such a data type is contained within an | has not been set.) If such a data type is contained within an | |||
| AD-IF-RELEVANT container, AP servers MAY apply local policy to | AD-IF-RELEVANT container, AP servers MAY apply local policy to | |||
| determine whether the authorization data is acceptable. | determine whether the authorization data is acceptable. | |||
| The AS-REP is otherwise unchanged from CLARIFICATIONS. The KDC | The AS-REP is otherwise unchanged from [1]. The KDC encrypts the | |||
| encrypts the reply as usual, but not with the client's long-term | reply as usual, but not with the client's long-term key. Instead, | |||
| key. Instead, it encrypts it with either a generated encryption | it encrypts it with either a generated encryption key, or a key | |||
| key, or a key derived from a Diffie-Hellman exchange. The contents | derived from a Diffie-Hellman exchange. The contents of the | |||
| of the PA-PK-AS-REP indicate the type of encryption key that was | PA-PK-AS-REP indicate the type of encryption key that was used: | |||
| used: | ||||
| PA-PK-AS-REP ::= CHOICE { | PA-PK-AS-REP ::= CHOICE { | |||
| dhSignedData [0] ContentInfo, | dhSignedData [0] IMPLICIT WrapContentInfo, | |||
| -- Type is SignedData. | -- Type is SignedData. | |||
| -- Content is KDCDHKeyInfo | -- Content is KDCDHKeyInfo | |||
| -- (defined below). | -- (defined below). | |||
| encKeyPack [1] ContentInfo, | encKeyPack [1] IMPLICIT WrapContentInfo, | |||
| -- Type is EnvelopedData. | -- Type is EnvelopedData. | |||
| -- Content is SignedData over | -- Content is SignedData over | |||
| -- ReplyKeyPack (defined below). | -- ReplyKeyPack (defined below). | |||
| ... | ... | |||
| } | } | |||
| KDCDHKeyInfo ::= SEQUENCE { | KDCDHKeyInfo ::= SEQUENCE { | |||
| subjectPublicKey [0] BIT STRING, | subjectPublicKey [0] BIT STRING, | |||
| -- Equals public exponent | -- Equals public exponent | |||
| -- (g^a mod p). | -- (g^a mod p). | |||
| -- INTEGER encoded as payload | -- INTEGER encoded as payload | |||
| -- of BIT STRING. | -- of BIT STRING. | |||
| nonce [1] INTEGER, | nonce [1] INTEGER (0..4294967295), | |||
| -- Binds reply to request. | -- Binds reply to request. | |||
| -- Exception: A value of zero | -- Exception: A value of zero | |||
| -- indicates that the KDC is | -- indicates that the KDC is | |||
| -- using cached values. | -- using cached values. | |||
| dhKeyExpiration [2] KerberosTime OPTIONAL, | dhKeyExpiration [2] KerberosTime OPTIONAL, | |||
| -- Expiration time for KDC's | -- Expiration time for KDC's | |||
| -- cached values. | -- cached values. | |||
| ... | ... | |||
| } | } | |||
| skipping to change at line 536 ¶ | skipping to change at line 547 ¶ | |||
| security(5) kerberosv5(2) pkinit(3) pkdhkeydata(2) } | security(5) kerberosv5(2) pkinit(3) pkdhkeydata(2) } | |||
| 3. The signerInfos field contains a single signerInfo, which is | 3. The signerInfos field contains a single signerInfo, which is | |||
| the signature of the KDCDHKeyInfo. | the signature of the KDCDHKeyInfo. | |||
| 4. The certificates field contains a signature verification | 4. The certificates field contains a signature verification | |||
| certificate chain that the client will use to verify the | certificate chain that the client will use to verify the | |||
| KDC's signature over the KDCDHKeyInfo. This field may only | KDC's signature over the KDCDHKeyInfo. This field may only | |||
| be left empty if the client did include a kdcCert field in | be left empty if the client did include a kdcCert field in | |||
| the PA-PK-AS-REQ, indicating that it has the KDC's | the PA-PK-AS-REQ, indicating that it has the KDC's | |||
| certificate. | certificate. The certificate chain MUST NOT contain the | |||
| root CA certificate. | ||||
| 5. If the client and KDC agree to use cached parameters, the | 5. If the client and KDC agree to use cached parameters, the | |||
| KDC MUST return a zero in the nonce field and include the | KDC MUST return a zero in the nonce field and include the | |||
| expiration time of the cached values in the dhKeyExpiration | expiration time of the cached values in the dhKeyExpiration | |||
| field. If this time is exceeded, the client MUST NOT use | field. If this time is exceeded, the client MUST NOT use | |||
| the reply. If the time is absent, the client MUST NOT use | the reply. If the time is absent, the client MUST NOT use | |||
| the reply and MAY resubmit a request with a non-zero nonce, | the reply and MAY resubmit a request with a non-zero nonce, | |||
| thus indicating non-acceptance of the cached parameters. | thus indicating non-acceptance of the cached parameters. | |||
| The key is derived as follows: Both the KDC and the client calculate | The KDC reply key is derived as follows: | |||
| 1. Both the KDC and the client calculate the shared secret | ||||
| value | ||||
| DHKey = g^(ab) mod p | ||||
| where a and b are the client's and KDC's private exponents, | ||||
| respectively. DHKey, padded first with leading zeros as | ||||
| needed to make it as long as the modulus p, is represented | ||||
| as a string of octets in big-endian order (such that the | ||||
| size of DHKey in octets is the size of the modulus p). | ||||
| 2. Let K be the key-generation seed length [6] of the reply key | ||||
| whose enctype is selected according to [1]. | ||||
| 3. Define the function octetstring2key() as follows: | ||||
| octetstring2key(h, x) == random-to-key(K-truncate( | ||||
| h(0x00 | x) | | ||||
| h(0x01 | x) | | ||||
| h(0x02 | x) | | ||||
| ... | ||||
| )) | ||||
| where x is an octet string; h:octet string -> octet string | ||||
| is a cryptographically strong hash function; | is the | ||||
| concatenation operator; 0x00, 0x01, 0x02, etc. are each | ||||
| represented as a single octet; random-to-key() is an | ||||
| operation that generates a protocolkey from a bitstring of | ||||
| length K; and K-truncate truncates its input to K bits. | ||||
| Both K and random-to-key() are defined in the kcrypto | ||||
| profile [6] for the enctype of the reply key. | ||||
| A good example of h() is SHA1. | ||||
| 4. Define H to be a hash function based on operations of a | ||||
| given checksum type [6], as follows: | ||||
| H(x) = get_mic(dummy-key, x) | ||||
| where x is an octet string. | ||||
| H() MUST be a cryptographically strong hash, in order to be | ||||
| suitable for use in the octetstring2key() operation above. | ||||
| 5. The client specifies a checksum type to use in the | ||||
| paChecksum of the PKAuthenticator. If the H() operation | ||||
| based on this checksum is not suitable for use in | ||||
| octetstring2key(), or this checksum type is too weak or not | ||||
| supported by the KDC, the KDC MUST return an error of type | ||||
| KDC_ERR_PA_CKSUMTYPE_NOT_SUPPORTED. The accompanying e-data | ||||
| for this error is a TYPED-DATA: the data-type is | ||||
| TD-UNKEYED-CHECKSUM-INFO, and the data-value is the DER | ||||
| encoding of | ||||
| UNKEYED-CHECKSUM-INFO ::= SEQUENCE OF SEQUENCE { | ||||
| cksumtype [0] Int32, | ||||
| ... | ||||
| } | ||||
| This list is in the preference order (best choice first) of | ||||
| the KDC, and the client SHOULD retry with the first | ||||
| available checksum type. | ||||
| 6. When cached DH parameters are used, let n_c be the | ||||
| clientDHNonce, and n_k be the serverDHNonce; otherwise, let | ||||
| both n_c and n_k be empty octet strings. The reply key k is | ||||
| k = octetstring2key(H, DHKey | n_c | n_k) | ||||
| where H() is the hash function based on the checksum type | ||||
| used in the paChecksum of the PKAuthenticator (as defined in | ||||
| step 4). | ||||
| Both the KDC and the client calculate | ||||
| the value g^(ab) mod p, where a and b are the client's and KDC's | the value g^(ab) mod p, where a and b are the client's and KDC's | |||
| private exponents, respectively. They both take the first k bits of | private exponents, respectively. They both take the first k bits of | |||
| this secret value as a key generation seed, where the parameter k | this secret value as a key generation seed, where the parameter k | |||
| (the size of the seed) is dependent on the selected key type, as | (the size of the seed) is dependent on the selected key type, as | |||
| specified in [6]. The seed is then converted into a protocol key by | specified in [6]. The seed is then converted into a protocol key by | |||
| applying to it a random-to-key function, which is also dependent on | applying to it a random-to-key function, which is also dependent on | |||
| key type. | key type. | |||
| If the KDC and client are not using Diffie-Hellman, the KDC encrypts | If the KDC and client are not using Diffie-Hellman, the KDC encrypts | |||
| the reply with an encryption key, packed in the encKeyPack, which | the reply with an encryption key, packed in the encKeyPack, which | |||
| contains data of type ReplyKeyPack: | contains data of type ReplyKeyPack: | |||
| ReplyKeyPack ::= SEQUENCE { | ReplyKeyPack ::= SEQUENCE { | |||
| replyKey [0] EncryptionKey, | replyKey [0] EncryptionKey, | |||
| -- Defined in CLARIFICATIONS. | -- Defined in [1]. | |||
| -- Used to encrypt main reply. | -- Used to encrypt main reply. | |||
| -- MUST be at least as strong | -- MUST be at least as strong | |||
| -- as session key. (Using the | -- as session key. (Using the | |||
| -- same enctype and a strong | -- same enctype and a strong | |||
| -- prng should suffice, if no | -- prng should suffice, if no | |||
| -- stronger encryption system | -- stronger encryption system | |||
| -- is available.) | -- is available.) | |||
| nonce [1] INTEGER (0..4294967295), | nonce [1] INTEGER (0..4294967295), | |||
| -- Binds reply to request. | -- Binds reply to request. | |||
| ... | ... | |||
| skipping to change at line 592 ¶ | skipping to change at line 679 ¶ | |||
| security(5) kerberosv5(2) pkinit(3) pkrkeydata(3) } | security(5) kerberosv5(2) pkinit(3) pkrkeydata(3) } | |||
| 3. The signerInfos field contains a single signerInfo, which is | 3. The signerInfos field contains a single signerInfo, which is | |||
| the signature of the ReplyKeyPack. | the signature of the ReplyKeyPack. | |||
| 4. The certificates field contains a signature verification | 4. The certificates field contains a signature verification | |||
| certificate chain that the client will use to verify the | certificate chain that the client will use to verify the | |||
| KDC's signature over the ReplyKeyPack. This field may only | KDC's signature over the ReplyKeyPack. This field may only | |||
| be left empty if the client included a kdcCert field in the | be left empty if the client included a kdcCert field in the | |||
| PA-PK-AS-REQ, indicating that it has the KDC's certificate. | PA-PK-AS-REQ, indicating that it has the KDC's certificate. | |||
| The certificate chain MUST NOT contain the root CA | ||||
| certificate. | ||||
| 5. The contentType for the EnvelopedData contains the OID value | 5. The contentType for the EnvelopedData contains the OID value | |||
| for id-signedData: { iso (1) member-body (2) us (840) rsadsi | for id-signedData: { iso (1) member-body (2) us (840) rsadsi | |||
| (113549) pkcs (1) pkcs7 (7) signedData (2) } | (113549) pkcs (1) pkcs7 (7) signedData (2) } | |||
| 6. The recipientInfos field is a SET which MUST contain exactly | 6. The recipientInfos field is a SET which MUST contain exactly | |||
| one member of type KeyTransRecipientInfo. The encryptedKey | one member of type KeyTransRecipientInfo. The encryptedKey | |||
| for this member contains the temporary key which is | for this member contains the temporary key which is | |||
| encrypted using the client's public key. | encrypted using the client's public key. | |||
| skipping to change at line 629 ¶ | skipping to change at line 718 ¶ | |||
| as to the identity of the KDC, this check MAY be omitted. | as to the identity of the KDC, this check MAY be omitted. | |||
| The client also MUST check that the KDC's certificate contains an | The client also MUST check that the KDC's certificate contains an | |||
| extendedKeyUsage OID of id-pkkdcekuoid: | extendedKeyUsage OID of id-pkkdcekuoid: | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkkdcekuoid(5) } | pkinit(3) pkkdcekuoid(5) } | |||
| If all applicable checks are satisfied, the client then decrypts the | If all applicable checks are satisfied, the client then decrypts the | |||
| main reply with the resulting key, and then proceeds as described in | main reply with the resulting key, and then proceeds as described in | |||
| CLARIFICATIONS. | [1]. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| PKINIT raises certain security considerations beyond those that can | PKINIT raises certain security considerations beyond those that can | |||
| be regulated strictly in protocol definitions. We will address them | be regulated strictly in protocol definitions. We will address them | |||
| in this section. | in this section. | |||
| PKINIT extends the cross-realm model to the public-key | PKINIT extends the cross-realm model to the public-key | |||
| infrastructure. Users of PKINIT must understand security policies | infrastructure. Users of PKINIT must understand security policies | |||
| and procedures appropriate to the use of Public Key Infrastructures. | and procedures appropriate to the use of Public Key Infrastructures. | |||
| Standard Kerberos allows the possibility of interactions between | Standard Kerberos allows the possibility of interactions between | |||
| cryptosystems of varying strengths; this document adds interactions | cryptosystems of varying strengths; this document adds interactions | |||
| with public-key cryptosystems to Kerberos. Some administrative | with public-key cryptosystems to Kerberos. Some administrative | |||
| policies may allow the use of relatively weak public keys. Using | policies may allow the use of relatively weak public keys. Using | |||
| such keys to wrap data encrypted under stronger conventional | such keys to wrap data encrypted under stronger conventional | |||
| cryptosystems may be inappropriate. | cryptosystems may be inappropriate. | |||
| PKINIT requires keys for symmetric cryptosystems to be generated. | PKINIT requires keys for symmetric cryptosystems to be generated. | |||
| Some such systems contain "weak" keys. For recommendations regarding | Some such systems contain "weak" keys. For recommendations regarding | |||
| these weak keys, see CLARIFICATIONS. | these weak keys, see [1]. | |||
| PKINIT allows the use of a zero nonce in the PKAuthenticator when | PKINIT allows the use of a zero nonce in the PKAuthenticator when | |||
| cached Diffie-Hellman keys are used. In this case, message binding | cached Diffie-Hellman keys are used. In this case, message binding | |||
| is performed using the nonce in the main request in the same way as | is performed using the nonce in the main request in the same way as | |||
| it is done for ordinary AS-REQs (without the PKINIT | it is done for ordinary AS-REQs (without the PKINIT | |||
| pre-authenticator). The nonce field in the KDC request body is | pre-authenticator). The nonce field in the KDC request body is | |||
| signed through the checksum in the PKAuthenticator, which | signed through the checksum in the PKAuthenticator, which | |||
| cryptographically binds the PKINIT pre-authenticator to the main | cryptographically binds the PKINIT pre-authenticator to the main | |||
| body of the AS Request and also provides message integrity for the | body of the AS Request and also provides message integrity for the | |||
| full AS Request. | full AS Request. | |||
| skipping to change at line 701 ¶ | skipping to change at line 790 ¶ | |||
| Kerberos, although the potential cost is not as great, because | Kerberos, although the potential cost is not as great, because | |||
| standard Kerberos does not make use of public-key cryptography. | standard Kerberos does not make use of public-key cryptography. | |||
| The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does | The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does | |||
| permit empty SEQUENCEs to be encoded. Such empty sequences may only | permit empty SEQUENCEs to be encoded. Such empty sequences may only | |||
| be used if the KDC itself vouches for the user's certificate. [This | be used if the KDC itself vouches for the user's certificate. [This | |||
| seems to reflect the consensus of the Kerberos working group.] | seems to reflect the consensus of the Kerberos working group.] | |||
| 5. Acknowledgements | 5. Acknowledgements | |||
| The following people have made significant contributions to this | ||||
| draft: Ari Medvinsky, Matt Hur, John Wray, Jonathan Trostle, Nicolas | ||||
| Williams, Tom Yu, Sam Hartman, and Jeff Hutzelman. | ||||
| Some of the ideas on which this document is based arose during | Some of the ideas on which this document is based arose during | |||
| discussions over several years between members of the SAAG, the IETF | discussions over several years between members of the SAAG, the IETF | |||
| CAT working group, and the PSRG, regarding integration of Kerberos | CAT working group, and the PSRG, regarding integration of Kerberos | |||
| and SPX. Some ideas have also been drawn from the DASS system. | and SPX. Some ideas have also been drawn from the DASS system. | |||
| These changes are by no means endorsed by these groups. This is an | These changes are by no means endorsed by these groups. This is an | |||
| attempt to revive some of the goals of those groups, and this | attempt to revive some of the goals of those groups, and this | |||
| document approaches those goals primarily from the Kerberos | document approaches those goals primarily from the Kerberos | |||
| perspective. Lastly, comments from groups working on similar ideas | perspective. Lastly, comments from groups working on similar ideas | |||
| in DCE have been invaluable. | in DCE have been invaluable. | |||
| 6. Expiration Date | 6. Expiration Date | |||
| This draft expires January 25, 2004. | This draft expires January 25, 2004. | |||
| 7. Bibliography | 7. Bibliography | |||
| [1] RFC-Editor: To be replaced by RFC number for | [1] RFC-Editor: To be replaced by RFC number for | |||
| draft-ietf-krb-wg-kerberos-clarifications. | draft-ietf-krb-wg-kerberos-clarifications. | |||
| [2] R. Housley. Cryptographic Message Syntax., April 1999. | [2] R. Housley. Cryptographic Message Syntax. April 1999. Request | |||
| Request For Comments 2630. | For Comments 2630. | |||
| [3] W. Polk, R. Housley, and L. Bassham. Algorithms and Identifiers | [3] W. Polk, R. Housley, and L. Bassham. Algorithms and Identifiers | |||
| for the Internet X.509 Public Key Infrastructure Certificate and | for the Internet X.509 Public Key Infrastructure Certificate and | |||
| Certificate Revocation List (CRL) Profile, April 2002. Request For | Certificate Revocation List (CRL) Profile, April 2002. Request For | |||
| Comments 3279. | Comments 3279. | |||
| [4] R. Housley, W. Polk, W. Ford, D. Solo. Internet X.509 Public | [4] R. Housley, W. Polk, W. Ford, D. Solo. Internet X.509 Public | |||
| Key Infrastructure Certificate and Certificate Revocation List | Key Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile, April 2002. Request for Comments 3280. | (CRL) Profile, April 2002. Request for Comments 3280. | |||
| skipping to change at line 752 ¶ | skipping to change at line 845 ¶ | |||
| [8] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. | [8] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams. | |||
| Internet X.509 Public Key Infrastructure: Online Certificate Status | Internet X.509 Public Key Infrastructure: Online Certificate Status | |||
| Protocol - OCSP, June 1999. Request for Comments 2560. | Protocol - OCSP, June 1999. Request for Comments 2560. | |||
| [9] NIST, Guidelines for Implementing and Using the NBS Encryption | [9] NIST, Guidelines for Implementing and Using the NBS Encryption | |||
| Standard, April 1981. FIPS PUB 74. | Standard, April 1981. FIPS PUB 74. | |||
| [10] D. Harkins and D. Carrel. The Internet Key Exchange (IKE), | [10] D. Harkins and D. Carrel. The Internet Key Exchange (IKE), | |||
| November 1998. Request for Comments 2409. | November 1998. Request for Comments 2409. | |||
| [11] K. Raeburn. Unkeyed SHA-1 Checksum Specification for Kerberos | ||||
| 5. Internet-Draft, draft-ietf-krb-wg-sha1-00.txt. | ||||
| [12] S. Bradner. Key Words for Use in RFCs to Indicate Requirement | ||||
| Levels. March 1997. Request for Comments 2119 (BCP 14). | ||||
| 8. Authors | 8. Authors | |||
| Brian Tung | Brian Tung | |||
| Clifford Neuman | Clifford Neuman | |||
| USC Information Sciences Institute | USC Information Sciences Institute | |||
| 4676 Admiralty Way Suite 1001 | 4676 Admiralty Way Suite 1001 | |||
| Marina del Rey CA 90292-6695 | Marina del Rey CA 90292-6695 | |||
| Phone: +1 310 822 1511 | Phone: +1 310 822 1511 | |||
| E-mail: {brian,bcn}@isi.edu | E-mail: {brian,bcn}@isi.edu | |||
| skipping to change at line 830 ¶ | skipping to change at line 929 ¶ | |||
| pa-pk-as-rep INTEGER ::= TBD | pa-pk-as-rep INTEGER ::= TBD | |||
| pa-pk-ocsp-req INTEGER ::= TBD | pa-pk-ocsp-req INTEGER ::= TBD | |||
| pa-pk-ocsp-rep INTEGER ::= TBD | pa-pk-ocsp-rep INTEGER ::= TBD | |||
| ad-initial-verified-cas INTEGER ::= TBD | ad-initial-verified-cas INTEGER ::= TBD | |||
| td-dh-parameters INTEGER ::= TBD | td-dh-parameters INTEGER ::= TBD | |||
| td-trusted-certifiers INTEGER ::= 104 | td-trusted-certifiers INTEGER ::= 104 | |||
| td-certificate-index INTEGER ::= 105 | td-certificate-index INTEGER ::= 105 | |||
| WrapContentInfo ::= OCTET STRING (CONSTRAINED BY { | ||||
| -- Contains a BER encoding of | ||||
| -- ContentInfo | ||||
| }) | ||||
| WrapIssuerAndSerial ::= OCTET STRING (CONSTRAINED BY { | ||||
| -- Contains a BER encoding of | ||||
| -- IssuerAndSerialNumber | ||||
| }) | ||||
| PA-PK-AS-REQ ::= SEQUENCE { | PA-PK-AS-REQ ::= SEQUENCE { | |||
| signedAuthPack [0] ContentInfo, | signedAuthPack [0] IMPLICIT WrapContentInfo, | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | |||
| kdcCert [2] IssuerAndSerialNumber OPTIONAL, | kdcCert [2] IMPLICIT WrapIssuerAndSerial | |||
| OPTIONAL, | ||||
| ... | ... | |||
| } | } | |||
| TrustedCA ::= CHOICE { | TrustedCA ::= CHOICE { | |||
| caName [0] Name, | caName [1] Name, | |||
| issuerAndSerial [2] IssuerAndSerialNumber, | issuerAndSerial [2] IMPLICIT WrapIssuerAndSerial, | |||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | |||
| OPTIONAL, | OPTIONAL, | |||
| ... | ... | |||
| } | } | |||
| PKAuthenticator ::= SEQUENCE { | PKAuthenticator ::= SEQUENCE { | |||
| cusec [0] INTEGER, | cusec [0] INTEGER (0..999999), | |||
| ctime [1] KerberosTime, | ctime [1] KerberosTime, | |||
| nonce [2] INTEGER (0..4294967295), | nonce [2] INTEGER (0..4294967295), | |||
| paChecksum [3] Checksum, | paChecksum [3] Checksum, | |||
| ... | ... | |||
| } | } | |||
| TrustedCertifiers ::= SEQUENCE OF Name | TrustedCertifiers ::= SEQUENCE OF Name | |||
| CertificateIndex ::= IssuerAndSerialNumber | CertificateIndex ::= IssuerAndSerialNumber | |||
| skipping to change at line 875 ¶ | skipping to change at line 985 ¶ | |||
| principalName [1] PrincipalName | principalName [1] PrincipalName | |||
| } | } | |||
| InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE { | InitialVerifiedCAs ::= SEQUENCE OF SEQUENCE { | |||
| ca [0] Name, | ca [0] Name, | |||
| validated [1] BOOLEAN, | validated [1] BOOLEAN, | |||
| ... | ... | |||
| } | } | |||
| PA-PK-AS-REP ::= CHOICE { | PA-PK-AS-REP ::= CHOICE { | |||
| dhSignedData [0] ContentInfo, | dhSignedData [0] IMPLICIT WrapContentInfo, | |||
| encKeyPack [1] ContentInfo, | encKeyPack [1] IMPLICIT WrapContentInfo, | |||
| ... | ... | |||
| } | } | |||
| KDCDHKeyInfo ::= SEQUENCE { | KDCDHKeyInfo ::= SEQUENCE { | |||
| subjectPublicKey [0] BIT STRING, | subjectPublicKey [0] BIT STRING, | |||
| nonce [1] INTEGER, | nonce [1] INTEGER (0..4294967295), | |||
| dhKeyExpiration [2] KerberosTime OPTIONAL, | dhKeyExpiration [2] KerberosTime OPTIONAL, | |||
| ... | ... | |||
| } | } | |||
| ReplyKeyPack ::= SEQUENCE { | ReplyKeyPack ::= SEQUENCE { | |||
| replyKey [0] EncryptionKey, | replyKey [0] EncryptionKey, | |||
| nonce [1] INTEGER (0..4294967295), | nonce [1] INTEGER (0..4294967295), | |||
| ... | ... | |||
| } | } | |||
| END | END | |||
| Copyright (C) The Internet Society (2004). This document is subject | Copyright (C) The Internet Society 2004. This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| End of changes. 51 change blocks. | ||||
| 99 lines changed or deleted | 209 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||