| < draft-ietf-cat-kerberos-pk-init-25.txt | draft-ietf-cat-kerberos-pk-init-26.txt > | |||
|---|---|---|---|---|
| NETWORK WORKING GROUP B. Tung | NETWORK WORKING GROUP B. Tung | |||
| Internet-Draft USC Information Sciences Institute | Internet-Draft USC Information Sciences Institute | |||
| Expires: August 22, 2005 L. Zhu | Expires: November 24, 2005 L. Zhu | |||
| Microsoft Corporation | Microsoft Corporation | |||
| February 18, 2005 | May 23, 2005 | |||
| Public Key Cryptography for Initial Authentication in Kerberos | Public Key Cryptography for Initial Authentication in Kerberos | |||
| draft-ietf-cat-kerberos-pk-init-25 | draft-ietf-cat-kerberos-pk-init-26 | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | This document is an Internet-Draft and is subject to all provisions | |||
| of Section 3 of RFC 3667. By submitting this Internet-Draft, each | of Section 3 of RFC 3667. | |||
| author represents that any applicable patent or other IPR claims of | ||||
| which he or she is aware have been or will be disclosed, and any of | By submitting this Internet-Draft, each author represents that any | |||
| which he or she become aware will be disclosed, in accordance with | applicable patent or other IPR claims of which he or she is aware | |||
| RFC 3668. | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as | other groups may also distribute working documents as Internet- | |||
| Internet-Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 22, 2005. | This Internet-Draft will expire on November 24, 2005. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| This document describes protocol extensions (hereafter called PKINIT) | This document describes protocol extensions (hereafter called PKINIT) | |||
| to the Kerberos protocol specification. These extensions provide a | to the Kerberos protocol specification. These extensions provide a | |||
| method for integrating public key cryptography into the initial | method for integrating public key cryptography into the initial | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | |||
| 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1 Definitions, Requirements, and Constants . . . . . . . . . 4 | 3.1 Definitions, Requirements, and Constants . . . . . . . . . 4 | |||
| 3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 4 | 3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 4 | |||
| 3.1.2 Defined Message and Encryption Types . . . . . . . . . 5 | 3.1.2 Defined Message and Encryption Types . . . . . . . . . 5 | |||
| 3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 6 | 3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 6 | |||
| 3.2 PKINIT Pre-authentication Syntax and Use . . . . . . . . . 6 | 3.2 PKINIT Pre-authentication Syntax and Use . . . . . . . . . 7 | |||
| 3.2.1 Generation of Client Request . . . . . . . . . . . . . 6 | 3.2.1 Generation of Client Request . . . . . . . . . . . . . 7 | |||
| 3.2.2 Receipt of Client Request . . . . . . . . . . . . . . 10 | 3.2.2 Receipt of Client Request . . . . . . . . . . . . . . 10 | |||
| 3.2.3 Generation of KDC Reply . . . . . . . . . . . . . . . 13 | 3.2.3 Generation of KDC Reply . . . . . . . . . . . . . . . 13 | |||
| 3.2.4 Receipt of KDC Reply . . . . . . . . . . . . . . . . . 19 | 3.2.4 Receipt of KDC Reply . . . . . . . . . . . . . . . . . 19 | |||
| 3.3 Interoperability Requirements . . . . . . . . . . . . . . 20 | 3.3 Interoperability Requirements . . . . . . . . . . . . . . 20 | |||
| 3.4 KDC Indication of PKINIT Support . . . . . . . . . . . . . 20 | 3.4 KDC Indication of PKINIT Support . . . . . . . . . . . . . 20 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 7.1 Normative References . . . . . . . . . . . . . . . . . . . 23 | 7.1 Normative References . . . . . . . . . . . . . . . . . . . 22 | |||
| 7.2 Informative References . . . . . . . . . . . . . . . . . . 24 | 7.2 Informative References . . . . . . . . . . . . . . . . . . 24 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 25 | A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 25 | |||
| Intellectual Property and Copyright Statements . . . . . . . . 30 | Intellectual Property and Copyright Statements . . . . . . . . 30 | |||
| 1. Introduction | 1. Introduction | |||
| A client typically authenticates itself to a service in Kerberos | A client typically authenticates itself to a service in Kerberos | |||
| using three distinct though related exchanges. First, the client | using three distinct though related exchanges. First, the client | |||
| requests a ticket-granting ticket (TGT) from the Kerberos | requests a ticket-granting ticket (TGT) from the Kerberos | |||
| authentication server (AS). Then, it uses the TGT to request a | authentication server (AS). Then, it uses the TGT to request a | |||
| service ticket from the Kerberos ticket-granting server (TGS). | service ticket from the Kerberos ticket-granting server (TGS). | |||
| Usually, the AS and TGS are integrated in a single device known as a | Usually, the AS and TGS are integrated in a single device known as a | |||
| Kerberos Key Distribution Center, or KDC. (In this document, both | Kerberos Key Distribution Center, or KDC. Finally, the client uses | |||
| the AS and the TGS are referred to as the KDC.) Finally, the client | the service ticket to authenticate itself to the service. | |||
| uses the service ticket to authenticate itself to the service. | ||||
| The advantage afforded by the TGT is that the client exposes his | The advantage afforded by the TGT is that the client exposes his | |||
| long-term secrets only once. The TGT and its associated session key | long-term secrets only once. The TGT and its associated session key | |||
| can then be used for any subsequent service ticket requests. One | can then be used for any subsequent service ticket requests. One | |||
| result of this is that all further authentication is independent of | result of this is that all further authentication is independent of | |||
| the method by which the initial authentication was performed. | the method by which the initial authentication was performed. | |||
| Consequently, initial authentication provides a convenient place to | Consequently, initial authentication provides a convenient place to | |||
| integrate public-key cryptography into Kerberos authentication. | integrate public-key cryptography into Kerberos authentication. | |||
| As defined in [CLAR], Kerberos authentication exchanges use | As defined in [CLAR], Kerberos authentication exchanges use | |||
| skipping to change at page 3, line 38 ¶ | skipping to change at page 3, line 37 ¶ | |||
| must be shared, so that before a client can authenticate itself, he | must be shared, so that before a client can authenticate itself, he | |||
| must already be registered with the KDC. | must already be registered with the KDC. | |||
| Conversely, public-key cryptography (in conjunction with an | Conversely, public-key cryptography (in conjunction with an | |||
| established Public Key Infrastructure) permits authentication without | established Public Key Infrastructure) permits authentication without | |||
| prior registration with a KDC. Adding it to Kerberos allows the | prior registration with a KDC. Adding it to Kerberos allows the | |||
| widespread use of Kerberized applications by clients without | widespread use of Kerberized applications by clients without | |||
| requiring them to register first with a KDC--a requirement that has | requiring them to register first with a KDC--a requirement that has | |||
| no inherent security benefit. | no inherent security benefit. | |||
| As noted above, a convenient and efficient place to introduce | As noted above, a convenient and efficient place to introduce public- | |||
| public-key cryptography into Kerberos is in the initial | key cryptography into Kerberos is in the initial authentication | |||
| authentication exchange. This document describes the methods and | exchange. This document describes the methods and data formats for | |||
| data formats for integrating public-key cryptography into Kerberos | integrating public-key cryptography into Kerberos initial | |||
| initial authentication. | authentication. | |||
| 2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| Both the AS and the TGS are referred to as the KDC. | ||||
| In this document, the encryption key used to encrypt the enc-part | In this document, the encryption key used to encrypt the enc-part | |||
| field of the KDC-REP in the AS-REP [CLAR] is referred to as the KDC | field of the KDC-REP in the AS-REP [CLAR] is referred to as the AS | |||
| AS reply key. | reply key. | |||
| 3. Extensions | 3. Extensions | |||
| This section describes extensions to [CLAR] for supporting the use of | This section describes extensions to [CLAR] for supporting the use of | |||
| public-key cryptography in the initial request for a ticket. | public-key cryptography in the initial request for a ticket. | |||
| Briefly, this document defines the following extensions to [CLAR]: | Briefly, this document defines the following extensions to [CLAR]: | |||
| 1. The client indicates the use of public-key authentication by | 1. The client indicates the use of public-key authentication by | |||
| including a special preauthenticator in the initial request. This | including a special preauthenticator in the initial request. This | |||
| preauthenticator contains the client's public-key data and a | preauthenticator contains the client's public-key data and a | |||
| signature. | signature. | |||
| 2. The KDC tests the client's request against its authentication | 2. The KDC tests the client's request against its authentication | |||
| policy and trusted Certification Authorities (CAs). | policy and trusted Certification Authorities (CAs). | |||
| 3. If the request passes the verification tests, the KDC replies as | 3. If the request passes the verification tests, the KDC replies as | |||
| usual, but the reply is encrypted using either: | usual, but the reply is encrypted using either: | |||
| a. a key generated through a Diffie-Hellman (DH) key exchange | a. a key generated through a Diffie-Hellman (DH) key exchange | |||
| [RFC2631][IEEE1363] with the client, signed using the KDC's | [RFC2631] [IEEE1363] with the client, signed using the KDC's | |||
| signature key; or | signature key; or | |||
| b. a symmetric encryption key, signed using the KDC's signature | b. a symmetric encryption key, signed using the KDC's signature | |||
| key and encrypted using the client's public key. | key and encrypted using the client's public key. | |||
| Any keying material required by the client to obtain the | Any keying material required by the client to obtain the | |||
| encryption key for decrypting the KDC reply is returned in a | encryption key for decrypting the KDC reply is returned in a pre- | |||
| pre-authentication field accompanying the usual reply. | authentication field accompanying the usual reply. | |||
| 4. The client validates the KDC's signature, obtains the encryption | 4. The client validates the KDC's signature, obtains the encryption | |||
| key, decrypts the reply, and then proceeds as usual. | key, decrypts the reply, and then proceeds as usual. | |||
| Section 3.1 of this document enumerates the required algorithms and | Section 3.1 of this document enumerates the required algorithms and | |||
| necessary extension message types. Section 3.2 describes the | necessary extension message types. Section 3.2 describes the | |||
| extension messages in greater detail. | extension messages in greater detail. | |||
| 3.1 Definitions, Requirements, and Constants | 3.1 Definitions, Requirements, and Constants | |||
| 3.1.1 Required Algorithms | 3.1.1 Required Algorithms | |||
| All PKINIT implementations MUST support the following algorithms: | All PKINIT implementations MUST support the following algorithms: | |||
| o KDC AS reply key enctype: AES256-CTS-HMAC-SHA1-96 etype [RFC3961]. | o AS reply key enctype: AES256-CTS-HMAC-SHA1-96 etype [RFC3962]. | |||
| o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. | o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. | |||
| o KDC AS reply key delivery method: Diffie-Hellman key exchange | o AS reply key delivery method: Diffie-Hellman key exchange | |||
| [RFC2631]. | [RFC2631]. | |||
| 3.1.2 Defined Message and Encryption Types | 3.1.2 Defined Message and Encryption Types | |||
| PKINIT makes use of the following new pre-authentication types: | PKINIT makes use of the following new pre-authentication types: | |||
| PA_PK_AS_REQ 16 | PA_PK_AS_REQ 16 | |||
| PA_PK_AS_REP 17 | PA_PK_AS_REP 17 | |||
| PKINIT also makes use of the following new authorization data type: | PKINIT also makes use of the following new authorization data type: | |||
| skipping to change at page 5, line 31 ¶ | skipping to change at page 5, line 36 ¶ | |||
| KDC_ERR_CANT_VERIFY_CERTIFICATE 70 | KDC_ERR_CANT_VERIFY_CERTIFICATE 70 | |||
| KDC_ERR_INVALID_CERTIFICATE 71 | KDC_ERR_INVALID_CERTIFICATE 71 | |||
| KDC_ERR_REVOKED_CERTIFICATE 72 | KDC_ERR_REVOKED_CERTIFICATE 72 | |||
| KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 | KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 | |||
| KDC_ERR_CLIENT_NAME_MISMATCH 75 | KDC_ERR_CLIENT_NAME_MISMATCH 75 | |||
| KDC_ERR_INCONSISTENT_KEY_PURPOSE 76 | KDC_ERR_INCONSISTENT_KEY_PURPOSE 76 | |||
| PKINIT uses the following typed data types for errors: | PKINIT uses the following typed data types for errors: | |||
| TD_TRUSTED_CERTIFIERS 104 | TD_TRUSTED_CERTIFIERS 104 | |||
| TD_INVLID_CERTIFICATES 105 | TD_INVALID_CERTIFICATES 105 | |||
| TD_DH_PARAMETERS 109 | TD_DH_PARAMETERS 109 | |||
| PKINIT defines the following encryption types, for use in the AS-REQ | PKINIT defines the following encryption types, for use in the AS-REQ | |||
| message to indicate acceptance of the corresponding algorithms that | message to indicate acceptance of the corresponding algorithms that | |||
| can used by Cryptographic Message Syntax (CMS) [RFC3852] messages in | can used by Cryptographic Message Syntax (CMS) [RFC3852] messages in | |||
| the reply: | the reply: | |||
| dsaWithSHA1-CmsOID 9 | dsaWithSHA1-CmsOID 9 | |||
| md5WithRSAEncryption-CmsOID 10 | md5WithRSAEncryption-CmsOID 10 | |||
| sha1WithRSAEncryption-CmsOID 11 | sha1WithRSAEncryption-CmsOID 11 | |||
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 29 ¶ | |||
| PKINIT with DER. | PKINIT with DER. | |||
| 3.1.3 Algorithm Identifiers | 3.1.3 Algorithm Identifiers | |||
| PKINIT does not define, but does make use of, the following algorithm | PKINIT does not define, but does make use of, the following algorithm | |||
| identifiers. | identifiers. | |||
| PKINIT uses the following algorithm identifiers for Diffie-Hellman | PKINIT uses the following algorithm identifiers for Diffie-Hellman | |||
| key agreement [RFC3279]: | key agreement [RFC3279]: | |||
| dhpublicnumber (Diffie-Hellman modulo a prime p [RFC2631]) | dhpublicnumber (Modular Exponential Diffie-Hellman [RFC2631]) | |||
| id-ecPublicKey (Elliptic Curve Diffie-Hellman [IEEE1363]) | id-ecPublicKey (Elliptic Curve Diffie-Hellman [IEEE1363]) | |||
| PKINIT uses the following signature algorithm identifiers [RFC3279]: | PKINIT uses the following signature algorithm identifiers [RFC3279]: | |||
| sha-1WithRSAEncryption (RSA with SHA1) | sha-1WithRSAEncryption (RSA with SHA1) | |||
| md5WithRSAEncryption (RSA with MD5) | md5WithRSAEncryption (RSA with MD5) | |||
| id-dsa-with-sha1 (DSA with SHA1) | id-dsa-with-sha1 (DSA with SHA1) | |||
| PKINIT uses the following encryption algorithm identifiers [RFC3447] | PKINIT uses the following encryption algorithm identifiers [RFC3447] | |||
| for encrypting the temporary key with a public key: | for encrypting the temporary key with a public key: | |||
| rsaEncryption (PKCS1 v1.5) | rsaEncryption (PKCS1 v1.5) | |||
| id-RSAES-OAEP (PKCS1 v2.0) | id-RSAES-OAEP (PKCS1 v2.0) | |||
| PKINIT uses the following algorithm identifiers [RFC3370][RFC3565] | PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565] | |||
| for encrypting the KDC AS reply key with the temporary key: | for encrypting the AS reply key with the temporary key: | |||
| des-ede3-cbc (three-key 3DES, CBC mode) | des-ede3-cbc (three-key 3DES, CBC mode) | |||
| rc2-cbc (RC2, CBC mode) | rc2-cbc (RC2, CBC mode) | |||
| id-aes256-CBC (AES-256, CBC mode) | id-aes256-CBC (AES-256, CBC mode) | |||
| 3.2 PKINIT Pre-authentication Syntax and Use | 3.2 PKINIT Pre-authentication Syntax and Use | |||
| This section defines the syntax and use of the various | This section defines the syntax and use of the various pre- | |||
| pre-authentication fields employed by PKINIT. | authentication fields employed by PKINIT. | |||
| 3.2.1 Generation of Client Request | 3.2.1 Generation of Client Request | |||
| The initial authentication request (AS-REQ) is sent as per [CLAR]; in | The initial authentication request (AS-REQ) is sent as per [CLAR]; in | |||
| addition, a pre-authentication data element, whose padata-type is | addition, a pre-authentication data element, whose padata-type is | |||
| PA_PK_AS_REQ and whose padata-value contains the DER encoding of the | PA_PK_AS_REQ and whose padata-value contains the DER encoding of the | |||
| type PA-PK-AS-REQ, is included. | type PA-PK-AS-REQ, is included. | |||
| PA-PK-AS-REQ ::= SEQUENCE { | PA-PK-AS-REQ ::= SEQUENCE { | |||
| signedAuthPack [0] IMPLICIT OCTET STRING, | signedAuthPack [0] IMPLICIT OCTET STRING, | |||
| skipping to change at page 7, line 22 ¶ | skipping to change at page 7, line 31 ¶ | |||
| -- The contentType field of the type ContentInfo | -- The contentType field of the type ContentInfo | |||
| -- is id-signedData (1.2.840.113549.1.7.2), | -- is id-signedData (1.2.840.113549.1.7.2), | |||
| -- and the content field is a SignedData. | -- and the content field is a SignedData. | |||
| -- The eContentType field for the type SignedData is | -- The eContentType field for the type SignedData is | |||
| -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | |||
| -- eContent field contains the DER encoding of the | -- eContent field contains the DER encoding of the | |||
| -- type AuthPack. | -- type AuthPack. | |||
| -- AuthPack is defined below. | -- AuthPack is defined below. | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | |||
| -- A list of CAs, trusted by the client, that can | -- A list of CAs, trusted by the client, that can | |||
| -- be used as the trust anchor to validate the KDC's | -- be used to certify the KDC. | |||
| -- signature. | ||||
| -- Each TrustedCA identifies a CA or a CA | -- Each TrustedCA identifies a CA or a CA | |||
| -- certificate (thereby its public key). | -- certificate (thereby its public key). | |||
| -- The information contained in the | ||||
| -- trustedCertifiers SHOULD be used by the KDC as | ||||
| -- hints to guide its selection of an appropriate | ||||
| -- certificate chain to return to the client. | ||||
| kdcPkId [2] IMPLICIT OCTET STRING | kdcPkId [2] IMPLICIT OCTET STRING | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Contains a CMS type SignerIdentifier encoded | -- Contains a CMS type SignerIdentifier encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- Identifies, if present, a particular KDC | -- Identifies, if present, a particular KDC | |||
| -- public key that the client already has. | -- public key that the client already has. | |||
| ... | ... | |||
| } | } | |||
| DHNonce ::= OCTET STRING | DHNonce ::= OCTET STRING | |||
| skipping to change at page 8, line 19 ¶ | skipping to change at page 8, line 31 ¶ | |||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| -- Type SubjectPublicKeyInfo is defined in | -- Type SubjectPublicKeyInfo is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Specifies Diffie-Hellman domain parameters | -- Specifies Diffie-Hellman domain parameters | |||
| -- and the client's public key value [IEEE1363]. | -- and the client's public key value [IEEE1363]. | |||
| -- The public key value (the subjectPublicKey field | -- The DH public key value is encoded as a BIT | |||
| -- of the type SubjectPublicKeyInfo) MUST be encoded | -- STRING, as specified in Section 2.3.3 of | |||
| -- according to [RFC3279]. | -- [RFC3279]. | |||
| -- Present only if the client wishes to use the | -- This field is present only if the client wishes | |||
| -- Diffie-Hellman key agreement method. | -- to use the Diffie-Hellman key agreement method. | |||
| supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Type AlgorithmIdentifier is defined in | -- Type AlgorithmIdentifier is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- List of CMS encryption types supported by the | -- List of CMS encryption types supported by the | |||
| -- client in order of (decreasing) preference. | -- client in order of (decreasing) preference. | |||
| clientDHNonce [3] DHNonce OPTIONAL, | clientDHNonce [3] DHNonce OPTIONAL, | |||
| -- Present only if the client indicates that it | -- Present only if the client indicates that it | |||
| -- wishes to reuse DH keys or to allow the KDC to | -- wishes to reuse DH keys or to allow the KDC to | |||
| -- do so (see Section 3.2.3.1). | -- do so (see Section 3.2.3.1). | |||
| skipping to change at page 9, line 26 ¶ | skipping to change at page 9, line 37 ¶ | |||
| 4. The signerInfos field of the type SignedData contains a single | 4. The signerInfos field of the type SignedData contains a single | |||
| signerInfo, which contains the signature over the type AuthPack. | signerInfo, which contains the signature over the type AuthPack. | |||
| 5. The certificates field of the type SignedData contains | 5. The certificates field of the type SignedData contains | |||
| certificates intended to facilitate certification path | certificates intended to facilitate certification path | |||
| construction, so that the KDC can verify the signature over the | construction, so that the KDC can verify the signature over the | |||
| type AuthPack. For path validation, these certificates SHOULD be | type AuthPack. For path validation, these certificates SHOULD be | |||
| sufficient to construct at least one certification path from the | sufficient to construct at least one certification path from the | |||
| client certificate to one trust anchor acceptable by the KDC | client certificate to one trust anchor acceptable by the KDC | |||
| [CAPATH]. The certificates field MUST NOT contain "root" CA | [CAPATH]. The client MUST be capable of including such a set of | |||
| certificates. | certificates if configured to do so. The certificates field MUST | |||
| NOT contain "root" CA certificates. | ||||
| 6. The client's Diffie-Hellman public value (clientPublicValue) is | 6. The client's Diffie-Hellman public value (clientPublicValue) is | |||
| included if and only if the client wishes to use the | included if and only if the client wishes to use the Diffie- | |||
| Diffie-Hellman key agreement method. The Diffie-Hellman domain | Hellman key agreement method. The Diffie-Hellman domain | |||
| parameters for the client's public key are specified in the | parameters [IEEE1363] for the client's public key are specified | |||
| algorithm field of the type SubjectPublicKeyInfo | in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] | |||
| [IEEE1363][RFC3279] and the client's Diffie-Hellman public key | and the client's Diffie-Hellman public key value is mapped to a | |||
| value is mapped to a subjectPublicKey (a BIT STRING) according to | subjectPublicKey (a BIT STRING) according to [RFC3279]. When | |||
| [RFC3279]. When using the Diffie-Hellman key agreement method, | using the Diffie-Hellman key agreement method, implementations | |||
| implementations MUST support Oakley 1024-bit MODP well-known | MUST support Oakley 1024-bit Modular Exponential (MODP) well- | |||
| group 2 [RFC2412] and SHOULD support Oakley 2048-bit MODP | known group 2 [RFC2412] and SHOULD support Oakley 2048-bit MODP | |||
| well-known group 14 and Oakley 4096-bit MODP well-known group 16 | well-known group 14 and Oakley 4096-bit MODP well-known group 16 | |||
| [RFC3526]. | [RFC3526]. | |||
| The Diffie-Hellman field size should be chosen so as to provide | The Diffie-Hellman field size should be chosen so as to provide | |||
| sufficient cryptographic security. The following table, based on | sufficient cryptographic security [RFC3766]. | |||
| [LENSTRA], gives approximate comparable key sizes for symmetric- | ||||
| and asymmetric-key cryptosystems based on the best-known | ||||
| algorithms for attacking them. | ||||
| Symmetric | ECC | DH/DSA/RSA | ||||
| -------------+---------+------------ | ||||
| 80 | 163 | 1024 | ||||
| 112 | 233 | 2048 | ||||
| 128 | 283 | 3072 | ||||
| 192 | 409 | 7680 | ||||
| 256 | 571 | 15360 | ||||
| Table 1: Comparable key sizes (in bits) | ||||
| When Diffie-Hellma modulo a prime p is used, the exponents should | When MODP Diffie-Hellman is used, the exponents should have at | |||
| have at least twice as many bits as the symmetric keys that will | least twice as many bits as the symmetric keys that will be | |||
| be derived from them [ODL99]. | derived from them [ODL99]. | |||
| 7. The client may wish to reuse DH keys or to allow the KDC to do so | 7. The client may wish to reuse DH keys or to allow the KDC to do so | |||
| (see Section 3.2.3.1). If so, then the client includes the | (see Section 3.2.3.1). If so, then the client includes the | |||
| clientDHNonce field. This nonce string needs to be as long as | clientDHNonce field. This nonce string needs to be as long as | |||
| the longest key length of the symmetric key types that the client | the longest key length of the symmetric key types that the client | |||
| supports. This nonce MUST be chosen randomly. | supports. This nonce MUST be chosen randomly. | |||
| 3.2.2 Receipt of Client Request | 3.2.2 Receipt of Client Request | |||
| Upon receiving the client's request, the KDC validates it. This | Upon receiving the client's request, the KDC validates it. This | |||
| skipping to change at page 10, line 39 ¶ | skipping to change at page 10, line 34 ¶ | |||
| noted) take in validating the request. | noted) take in validating the request. | |||
| The KDC verifies the client's signature in the signedAuthPack field | The KDC verifies the client's signature in the signedAuthPack field | |||
| according to [RFC3852]. | according to [RFC3852]. | |||
| If, while validating the client's X.509 certificate [RFC3280], the | If, while validating the client's X.509 certificate [RFC3280], the | |||
| KDC cannot build a certification path to validate the client's | KDC cannot build a certification path to validate the client's | |||
| certificate, it sends back a KRB-ERROR [CLAR] message with the code | certificate, it sends back a KRB-ERROR [CLAR] message with the code | |||
| KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for this | KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for this | |||
| error message is a TYPED-DATA (as defined in [CLAR]) that contains an | error message is a TYPED-DATA (as defined in [CLAR]) that contains an | |||
| element whose data-type is TD_TRUSTED_CERTIFIERS, and whose | element whose data-type is TD_TRUSTED_CERTIFIERS, and whose data- | |||
| data-value contains the DER encoding of the type | value contains the DER encoding of the type TD-TRUSTED-CERTIFIERS: | |||
| TD-TRUSTED-CERTIFIERS: | ||||
| TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | |||
| -- Identifies a list of CAs trusted by the KDC. | -- Identifies a list of CAs trusted by the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each TrustedCA identifies a CA or a CA | |||
| -- certificate (thereby its public key). | -- certificate (thereby its public key). | |||
| Upon receiving this error message, the client SHOULD retry only if it | Upon receiving this error message, the client SHOULD retry only if it | |||
| has a different set of certificates (from those of the previous | has a different set of certificates (from those of the previous | |||
| requests) that form a certification path (or a partial path) from one | requests) that form a certification path (or a partial path) from one | |||
| of the trust anchors selected by the KDC to its own certificate. | of the trust anchors acceptable by the KDC to its own certificate. | |||
| If, while processing the certification path, the KDC determines that | If, while processing the certification path, the KDC determines that | |||
| the signature on one of the certificates in the signedAuthPack field | the signature on one of the certificates in the signedAuthPack field | |||
| is invalid, it returns a KRB-ERROR [CLAR] message with the code | is invalid, it returns a KRB-ERROR [CLAR] message with the code | |||
| KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error | KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error | |||
| message is a TYPED-DATA that contains an element whose data-type is | message is a TYPED-DATA that contains an element whose data-type is | |||
| TD_INVALID_CERTIFICATES, and whose data-value contains the DER | TD_INVALID_CERTIFICATES, and whose data-value contains the DER | |||
| encoding of the type TD-INVALID-CERTIFICATES: | encoding of the type TD-INVALID-CERTIFICATES: | |||
| TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | |||
| -- Each OCTET STRING contains a CMS type | -- Each OCTET STRING contains a CMS type | |||
| -- IssuerAndSerialNumber encoded according to | -- IssuerAndSerialNumber encoded according to | |||
| -- [RFC3852]. | -- [RFC3852]. | |||
| -- Each IssuerAndSerialNumber indentifies a | -- Each IssuerAndSerialNumber identifies a | |||
| -- certificate (sent by the client) with an invalid | -- certificate (sent by the client) with an invalid | |||
| -- signature. | -- signature. | |||
| If more than one X.509 certificate signature is invalid, the KDC MAY | If more than one X.509 certificate signature is invalid, the KDC MAY | |||
| send one TYPED-DATA element per invalid signature. | include one IssuerAndSerialNumber per invalid signature within the | |||
| TD-INVALID-CERTIFICATES. | ||||
| The client's X.509 certificate is validated according to [RFC3280]. | ||||
| Based on local policy, the KDC may also check whether any X.509 | Based on local policy, the KDC may also check whether any X.509 | |||
| certificates in the certification path validating the client's | certificates in the certification path validating the client's | |||
| certificate have been revoked. If any of them have been revoked, the | certificate have been revoked. If any of them have been revoked, the | |||
| KDC MUST return an error message with the code | KDC MUST return an error message with the code | |||
| KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the | KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the | |||
| revocation status but is unable to do so, it SHOULD return an error | revocation status but is unable to do so, it SHOULD return an error | |||
| message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The | message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The | |||
| certificate or certificates affected are identified exactly as for | certificate or certificates affected are identified exactly as for | |||
| the error code KDC_ERR_INVALID_CERTIFICATE (see above). | the error code KDC_ERR_INVALID_CERTIFICATE (see above). | |||
| Note that the TD_INVALID_CERTIFICATES error data is only used to | ||||
| identify invalid certificates sent by the client in the request. | ||||
| The client's public key is then used to verify the signature. If the | The client's public key is then used to verify the signature. If the | |||
| signature fails to verify, the KDC MUST return an error message with | signature fails to verify, the KDC MUST return an error message with | |||
| the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for | the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for | |||
| this error message. | this error message. | |||
| In addition to validating the client's signature, the KDC MUST also | In addition to validating the client's signature, the KDC MUST also | |||
| check that the client's public key used to verify the client's | check that the client's public key used to verify the client's | |||
| signature is bound to the client's principal name as specified in the | signature is bound to the client's principal name as specified in the | |||
| AS-REQ as follows: | AS-REQ as follows: | |||
| 1. If the KDC has its own binding between either the client's | 1. If the KDC has its own binding between either the client's | |||
| signature-verification public key or the client's certificate and | signature-verification public key or the client's certificate and | |||
| the client's Kerberos principal name, it uses that binding. | the client's Kerberos principal name, it uses that binding. | |||
| 2. Otherwise, if the client's X.509 certificate contains a Subject | 2. Otherwise, if the client's X.509 certificate contains a Subject | |||
| Alternative Name (SAN) extension [RFC3280] with a | Alternative Name (SAN) extension carrying a KRB5PrincipalName | |||
| KRB5PrincipalName (defined below) in the otherName field, it binds | (defined below) in the otherName field of the type GeneralName | |||
| the client's X.509 certificate to that name. | [RFC3280], it binds the client's X.509 certificate to that name. | |||
| The otherName field (of type AnotherName) in the SAN extension | ||||
| MUST contain KRB5PrincipalName as defined below. | ||||
| The type-id field of the type AnotherName is id-pksan: | The type of the otherName field is AnotherName. The type-id field | |||
| of the type AnotherName is id-pksan: | ||||
| id-pksan OBJECT IDENTIFIER ::= | id-pksan OBJECT IDENTIFIER ::= | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| x509-sanan (2) } | x509-sanan (2) } | |||
| The value field of the type AnotherName is the DER encoding of the | And the value field of the type AnotherName is a | |||
| following ASN.1 type: | KRB5PrincipalName. | |||
| KRB5PrincipalName ::= SEQUENCE { | KRB5PrincipalName ::= SEQUENCE { | |||
| realm [0] Realm, | realm [0] Realm, | |||
| principalName [1] PrincipalName | principalName [1] PrincipalName | |||
| } | } | |||
| If the KDC does not have its own binding and there is no | If the KDC does not have its own binding and there is no | |||
| KRB5PrincipalName name present in the client's X.509 certificate, and | KRB5PrincipalName name present in the client's X.509 certificate, or | |||
| if the Kerberos name in the request does not match the | if the Kerberos name in the request does not match the | |||
| KRB5PrincipalName in the client's X.509 certificate (including the | KRB5PrincipalName in the client's X.509 certificate (including the | |||
| realm name), the KDC MUST return an error message with the code | realm name), the KDC MUST return an error message with the code | |||
| KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for | KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for | |||
| this error message. | this error message. | |||
| The KDC MAY require the presence of an Extended Key Usage (EKU) | The KDC MAY require the presence of an Extended Key Usage (EKU) | |||
| KeyPurposeId [RFC3280] id-pkekuoid in the extensions field of the | KeyPurposeId [RFC3280] id-pkekuoid in the extensions field of the | |||
| client's X.509 certificate: | client's X.509 certificate: | |||
| id-pkekuoid OBJECT IDENTIFIER ::= | id-pkekuoid OBJECT IDENTIFIER ::= | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkekuoid(4) } | pkinit(3) pkekuoid(4) } | |||
| -- PKINIT client authentication. | -- PKINIT client authentication. | |||
| -- Key usage bits that MUST be consistent: | -- Key usage bits that MUST be consistent: | |||
| -- digitalSignature; | -- digitalSignature. | |||
| -- Key usage bits that MAY be consistent: | ||||
| -- nonRepudiation, and (keyEncipherment or keyAgreement). | ||||
| If this EKU is required but is missing, the KDC MUST return an error | If this EKU KeyPurposeId is required but it is not present or if the | |||
| message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There is no | client certificate is restricted not to be used for PKINIT client | |||
| accompanying e-data for this error message. KDCs implementing this | authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return | |||
| requirement SHOULD also accept the EKU KeyPurposeId id-ms-sc-logon | an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There | |||
| (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there are a | is no accompanying e-data for this error message. KDCs implementing | |||
| large number of X.509 client certificates deployed for use with | this requirement SHOULD also accept the EKU KeyPurposeId id-ms-sc- | |||
| logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there | ||||
| are a large number of X.509 client certificates deployed for use with | ||||
| PKINIT which have this EKU. | PKINIT which have this EKU. | |||
| If for any other reasons, the client's public key is not accepted, | If for any other reasons, the client's public key is not accepted, | |||
| the KDC MUST return an error message with the code | the KDC MUST return an error message with the code | |||
| KDC_ERR_CLIENT_NOT_TRUSTED. | KDC_ERR_CLIENT_NOT_TRUSTED. | |||
| The KDC MUST check the timestamp to ensure that the request is not a | The KDC MUST check the timestamp to ensure that the request is not a | |||
| replay, and that the time skew falls within acceptable limits. The | replay, and that the time skew falls within acceptable limits. The | |||
| recommendations for clock skew times in [CLAR] apply here. If the | recommendations for clock skew times in [CLAR] apply here. If the | |||
| check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or | check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or | |||
| skipping to change at page 13, line 34 ¶ | skipping to change at page 13, line 37 ¶ | |||
| -- This list is in decreasing preference order. | -- This list is in decreasing preference order. | |||
| TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters | TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters | |||
| that the KDC supports in decreasing preference order, from which the | that the KDC supports in decreasing preference order, from which the | |||
| client SHOULD pick one to retry the request. | client SHOULD pick one to retry the request. | |||
| If the client included a kdcPkId field in the PA-PK-AS-REQ and the | If the client included a kdcPkId field in the PA-PK-AS-REQ and the | |||
| KDC does not possess the corresponding key, the KDC MUST ignore the | KDC does not possess the corresponding key, the KDC MUST ignore the | |||
| kdcPkId field as if the client did not include one. | kdcPkId field as if the client did not include one. | |||
| If the client included a trustedCertifiers field, and the KDC does | ||||
| not possesses the private key for any one of the listed certifiers, | ||||
| the KDC MUST ignore the trustedCertifiers field as if the client did | ||||
| not include any. | ||||
| If there is a supportedCMSTypes field in the AuthPack, the KDC must | If there is a supportedCMSTypes field in the AuthPack, the KDC must | |||
| check to see if it supports any of the listed types. If it supports | check to see if it supports any of the listed types. If it supports | |||
| more than one of the types, the KDC SHOULD use the one listed first. | more than one of the types, the KDC SHOULD use the one listed first. | |||
| If it does not support any of them, it MUST return an error message | If it does not support any of them, it MUST return an error message | |||
| with the code KDC_ERR_ETYPE_NOSUPP [CLAR]. | with the code KDC_ERR_ETYPE_NOSUPP [CLAR]. | |||
| 3.2.3 Generation of KDC Reply | 3.2.3 Generation of KDC Reply | |||
| Assuming that the client's request has been properly validated, the | Assuming that the client's request has been properly validated, the | |||
| KDC proceeds as per [CLAR], except as follows. | KDC proceeds as per [CLAR], except as follows. | |||
| skipping to change at page 14, line 17 ¶ | skipping to change at page 14, line 15 ¶ | |||
| AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | |||
| -- Identifies the certification path based on which | -- Identifies the certification path based on which | |||
| -- the client certificate was validated. | -- the client certificate was validated. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each TrustedCA identifies a CA or a CA | |||
| -- certificate (thereby its public key). | -- certificate (thereby its public key). | |||
| The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT | The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT | |||
| containers if the list of CAs satisfies the AS' realm's local policy | containers if the list of CAs satisfies the AS' realm's local policy | |||
| (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag | (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag | |||
| [CLAR]). Furthermore, any TGS MUST copy such authorization data from | [CLAR]). Furthermore, any TGS MUST copy such authorization data from | |||
| tickets used in a PA-TGS-REQ [CLAR] of the TGS-REQ to the resulting | tickets used within a PA-TGS-REQ of the TGS-REQ into the resulting | |||
| ticket, and it can wrap or unwrap the data into or out-of the | ticket. If the list of CAs satisfies the local KDC's realm's policy, | |||
| AD-IF-RELEVANT container, depends on if the list of CAs satisfies the | the TGS MAY wrap the data into the AD-IF-RELEVANT container, | |||
| TGS' realm's local policy. | otherwise it MAY unwrap the authorization data out of the AD-IF- | |||
| RELEVANT container. | ||||
| Application servers that understand this authorization data type | Application servers that understand this authorization data type | |||
| SHOULD apply local policy to determine whether a given ticket bearing | SHOULD apply local policy to determine whether a given ticket bearing | |||
| such a type *not* contained within an AD-IF-RELEVANT container is | such a type *not* contained within an AD-IF-RELEVANT container is | |||
| acceptable. (This corresponds to the AP server checking the | acceptable. (This corresponds to the AP server checking the | |||
| transited field when the TRANSITED-POLICY-CHECKED flag has not been | transited field when the TRANSITED-POLICY-CHECKED flag has not been | |||
| set [CLAR].) If such a data type is contained within an | set [CLAR].) If such a data type is contained within an AD-IF- | |||
| AD-IF-RELEVANT container, AP servers MAY apply local policy to | RELEVANT container, AP servers MAY apply local policy to determine | |||
| determine whether the authorization data is acceptable. | whether the authorization data is acceptable. | |||
| The content of the AS-REP is otherwise unchanged from [CLAR]. The | The content of the AS-REP is otherwise unchanged from [CLAR]. The | |||
| KDC encrypts the reply as usual, but not with the client's long-term | KDC encrypts the reply as usual, but not with the client's long-term | |||
| key. Instead, it encrypts it with either a shared key derived from a | key. Instead, it encrypts it with either a shared key derived from a | |||
| Diffie-Hellman exchange, or a generated encryption key. The contents | Diffie-Hellman exchange, or a generated encryption key. The contents | |||
| of the PA-PK-AS-REP indicate which key delivery method is used: | of the PA-PK-AS-REP indicate which key delivery method is used: | |||
| PA-PK-AS-REP ::= CHOICE { | PA-PK-AS-REP ::= CHOICE { | |||
| dhInfo [0] DHRepInfo, | dhInfo [0] DHRepInfo, | |||
| -- Selected when Diffie-Hellman key exchange is | -- Selected when Diffie-Hellman key exchange is | |||
| skipping to change at page 15, line 31 ¶ | skipping to change at page 15, line 29 ¶ | |||
| -- type KDCDHKeyInfo. | -- type KDCDHKeyInfo. | |||
| -- KDCDHKeyInfo is defined below. | -- KDCDHKeyInfo is defined below. | |||
| serverDHNonce [1] DHNonce OPTIONAL | serverDHNonce [1] DHNonce OPTIONAL | |||
| -- Present if and only if dhKeyExpiration is | -- Present if and only if dhKeyExpiration is | |||
| -- present in the KDCDHKeyInfo. | -- present in the KDCDHKeyInfo. | |||
| } | } | |||
| KDCDHKeyInfo ::= SEQUENCE { | KDCDHKeyInfo ::= SEQUENCE { | |||
| subjectPublicKey [0] BIT STRING, | subjectPublicKey [0] BIT STRING, | |||
| -- KDC's DH public key. | -- KDC's DH public key. | |||
| -- The DH pubic key value is mapped to a BIT STRING | -- The DH public key value is encoded as a BIT | |||
| -- according to [RFC3279]. | -- STRING, as specified in Section 2.3.3 of | |||
| -- [RFC3279]. | ||||
| nonce [1] INTEGER (0..4294967295), | nonce [1] INTEGER (0..4294967295), | |||
| -- Contains the nonce in the PKAuthenticator of the | -- Contains the nonce in the PKAuthenticator of the | |||
| -- request if DH keys are NOT reused, | -- request if DH keys are NOT reused, | |||
| -- 0 otherwise. | -- 0 otherwise. | |||
| dhKeyExpiration [2] KerberosTime OPTIONAL, | dhKeyExpiration [2] KerberosTime OPTIONAL, | |||
| -- Expiration time for KDC's key pair, | -- Expiration time for KDC's key pair, | |||
| -- present if and only if DH keys are reused. If | -- present if and only if DH keys are reused. If | |||
| -- this field is omitted then the serverDHNonce | -- this field is omitted then the serverDHNonce | |||
| -- field MUST also be omitted. See Section 3.2.3.1. | -- field MUST also be omitted. See Section 3.2.3.1. | |||
| ... | ... | |||
| skipping to change at page 16, line 23 ¶ | skipping to change at page 16, line 23 ¶ | |||
| 3. The eContent field for the type SignedData contains the DER | 3. The eContent field for the type SignedData contains the DER | |||
| encoding of the type KDCDHKeyInfo. | encoding of the type KDCDHKeyInfo. | |||
| 4. The signerInfos field of the type SignedData contains a single | 4. The signerInfos field of the type SignedData contains a single | |||
| signerInfo, which contains the signature over the type | signerInfo, which contains the signature over the type | |||
| KDCDHKeyInfo. | KDCDHKeyInfo. | |||
| 5. The certificates field of the type SignedData contains | 5. The certificates field of the type SignedData contains | |||
| certificates intended to facilitate certification path | certificates intended to facilitate certification path | |||
| construction, so that the client can verify the KDC's signature | construction, so that the client can verify the KDC's signature | |||
| over the type KDCDHKeyInfo. This field may only be left empty if | over the type KDCDHKeyInfo. The information contained in the | |||
| the KDC public key specified by the kdcPkId field in the | trustedCertifiers in the request SHOULD be used by the KDC as | |||
| PA-PK-AS-REQ was used for signing. Otherwise, for path | hints to guide its selection of an appropriate certificate chain | |||
| validation, these certificates SHOULD be sufficient to construct | to return to the client. This field may only. be left empty if | |||
| at least one certification path from the KDC certificate to one | the KDC public key specified by the kdcPkId field in the PA-PK- | |||
| trust anchor acceptable by the client [CAPATH]. The certificates | AS-REQ was used for signing. Otherwise, for path validation, | |||
| field MUST NOT contain "root" CA certificates. | these certificates SHOULD be sufficient to construct at least one | |||
| certification path from the KDC certificate to one trust anchor | ||||
| acceptable by the client [CAPATH]. The KDC MUST be capable of | ||||
| including such a set of certificates if configured to do so. The | ||||
| certificates field MUST NOT contain "root" CA certificates. | ||||
| 6. If the client included the clientDHNonce field, then the KDC may | 6. If the client included the clientDHNonce field, then the KDC may | |||
| choose to reuse its DH keys (see Section 3.2.3.1). If the server | choose to reuse its DH keys (see Section 3.2.3.1). If the server | |||
| reuses DH keys then it MUST include an expiration time in the | reuses DH keys then it MUST include an expiration time in the | |||
| dhKeyExperiation field. Past the point of the expiration time, | dhKeyExpiration field. Past the point of the expiration time, | |||
| the signature over the type DHRepInfo is considered | the signature over the type DHRepInfo is considered expired/ | |||
| expired/invalid. When the server reuses DH keys then it MUST | invalid. When the server reuses DH keys then it MUST include a | |||
| include a serverDHNonce at least as long as the length of keys | serverDHNonce at least as long as the length of keys for the | |||
| for the symmetric encryption system used to encrypt the AS reply. | symmetric encryption system used to encrypt the AS reply. Note | |||
| Note that including the serverDHNonce changes how the client and | that including the serverDHNonce changes how the client and | |||
| server calculate the key to use to encrypt the reply; see below | server calculate the key to use to encrypt the reply; see below | |||
| for details. The KDC SHOULD NOT reuse DH keys unless the | for details. The KDC SHOULD NOT reuse DH keys unless the | |||
| clientDHNonce field is present in the request. | clientDHNonce field is present in the request. | |||
| The KDC AS reply key is derived as follows: | The AS reply key is derived as follows: | |||
| 1. Both the KDC and the client calculate the shared secret value as | 1. Both the KDC and the client calculate the shared secret value as | |||
| follows: | follows: | |||
| a) When Diffie-Hellman modulo a prime p ([RFC2631]) is used, let | a) When MODP Diffie-Hellman is used, let DHSharedSecret be the | |||
| DHSharedSecret be the shared secret value. | shared secret value. DHSharedSecret is the value ZZ as | |||
| described in Section 2.1.1 of [RFC2631]. | ||||
| b) When Elliptic Curve Diffie-Hellman (ECDH) (with each party | b) When Elliptic Curve Diffie-Hellman (ECDH) (with each party | |||
| contributing one key pair) [IEEE1363] is used, let | contributing one key pair) is used, let DHSharedSecret be the | |||
| DHSharedSecret be the x-coordinate of the shared secret value | x-coordinate of the shared secret value (an elliptic curve | |||
| (an elliptic curve point). | point). DHSharedSecret is the output of operation ECSVDP-DH as | |||
| described in Section 7.2.1 of [IEEE1363]. | ||||
| DHSharedSecret is first padded with leading zeros such that the | DHSharedSecret is first padded with leading zeros such that the | |||
| size of DHSharedSecret in octets is the same as that of the | size of DHSharedSecret in octets is the same as that of the | |||
| modulus, then represented as a string of octets in big-endian | modulus, then represented as a string of octets in big-endian | |||
| order. | order. | |||
| Implementation note: Both the client and the KDC can cache the | Implementation note: Both the client and the KDC can cache the | |||
| triple (ya, yb, DHSharedSecret), where ya is the client's public | triple (ya, yb, DHSharedSecret), where ya is the client's public | |||
| key and yb is the KDC's public key. If both ya and yb are the | key and yb is the KDC's public key. If both ya and yb are the | |||
| same in a later exchange, the cached DHSharedSecret can be used. | same in a later exchange, the cached DHSharedSecret can be used. | |||
| 2. Let K be the key-generation seed length [RFC3961] of the KDC AS | 2. Let K be the key-generation seed length [RFC3961] of the AS reply | |||
| reply key whose enctype is selected according to [CLAR]. | key whose enctype is selected according to [CLAR]. | |||
| 3. Define the function octetstring2key() as follows: | 3. Define the function octetstring2key() as follows: | |||
| octetstring2key(x) == random-to-key(K-truncate( | octetstring2key(x) == random-to-key(K-truncate( | |||
| SHA1(0x00 | x) | | SHA1(0x00 | x) | | |||
| SHA1(0x01 | x) | | SHA1(0x01 | x) | | |||
| SHA1(0x02 | x) | | SHA1(0x02 | x) | | |||
| ... | ... | |||
| )) | )) | |||
| where x is an octet string; | is the concatenation operator; 0x00, | where x is an octet string; | is the concatenation operator; 0x00, | |||
| 0x01, 0x02, etc., are each represented as a single octet; | 0x01, 0x02, etc., are each represented as a single octet; random- | |||
| random-to-key() is an operation that generates a protocol key from | to-key() is an operation that generates a protocol key from a | |||
| a bitstring of length K; and K-truncate truncates its input to the | bitstring of length K; and K-truncate truncates its input to the | |||
| first K bits. Both K and random-to-key() are as defined in the | first K bits. Both K and random-to-key() are as defined in the | |||
| kcrypto profile [RFC3961] for the enctype of the KDC AS reply key. | kcrypto profile [RFC3961] for the enctype of the AS reply key. | |||
| 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be | 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be | |||
| the serverDHNonce; otherwise, let both n_c and n_k be empty octet | the serverDHNonce; otherwise, let both n_c and n_k be empty octet | |||
| strings. | strings. | |||
| 5. The KDC AS reply key k is: | 5. The AS reply key k is: | |||
| k = octetstring2key(DHSharedSecret | n_c | n_k) | k = octetstring2key(DHSharedSecret | n_c | n_k) | |||
| 3.2.3.2 Using Public Key Encryption | 3.2.3.2 Using Public Key Encryption | |||
| In this case, the PA-PK-AS-REP contains a ContentInfo structure | In this case, the PA-PK-AS-REP contains a ContentInfo structure | |||
| wrapped in an OCTET STRING. The KDC AS reply key is encrypted in the | wrapped in an OCTET STRING. The AS reply key is encrypted in the | |||
| encKeyPack field, which contains data of type ReplyKeyPack: | encKeyPack field, which contains data of type ReplyKeyPack: | |||
| ReplyKeyPack ::= SEQUENCE { | ReplyKeyPack ::= SEQUENCE { | |||
| replyKey [0] EncryptionKey, | replyKey [0] EncryptionKey, | |||
| -- Contains the session key used to encrypt the | -- Contains the session key used to encrypt the | |||
| -- enc-part field in the AS-REP. | -- enc-part field in the AS-REP. | |||
| nonce [1] INTEGER (0..4294967295), | nonce [1] INTEGER (0..4294967295), | |||
| -- Contains the nonce in the PKAuthenticator of the | -- Contains the nonce in the PKAuthenticator of the | |||
| -- request. | -- request. | |||
| ... | ... | |||
| } | } | |||
| The ContentInfo [RFC3852] structure for the encKeyPack field is | The ContentInfo [RFC3852] structure for the encKeyPack field is | |||
| filled in as follows: | filled in as follows: | |||
| 1. The contentType field of the type ContentInfo is id-envelopedData | 1. The contentType field of the type ContentInfo is id-envelopedData | |||
| (as defined in [RFC3852]), and the content field is an | (as defined in [RFC3852]), and the content field is an | |||
| EnvelopedData (as defined in [RFC3852]). | EnvelopedData (as defined in [RFC3852]). | |||
| 2. The contentType field for the type EnvelopedData is | 2. The contentType field for the type EnvelopedData is id- | |||
| id-signedData: { iso (1) member-body (2) us (840) rsadsi (113549) | signedData: { iso (1) member-body (2) us (840) rsadsi (113549) | |||
| pkcs (1) pkcs7 (7) signedData (2) }. | pkcs (1) pkcs7 (7) signedData (2) }. | |||
| 3. The eContentType field for the inner type SignedData (when | 3. The eContentType field for the inner type SignedData (when | |||
| decrypted from the encryptedContent field for the type | decrypted from the encryptedContent field for the type | |||
| EnvelopedData) is id-pkrkeydata: { iso(1) org(3) dod(6) | EnvelopedData) is id-pkrkeydata: { iso(1) org(3) dod(6) | |||
| internet(1) security(5) kerberosv5(2) pkinit(3) pkrkeydata(3) }. | internet(1) security(5) kerberosv5(2) pkinit(3) pkrkeydata(3) }. | |||
| 4. The eContent field for the inner type SignedData contains the DER | 4. The eContent field for the inner type SignedData contains the DER | |||
| encoding of the type ReplyKeyPack. | encoding of the type ReplyKeyPack. | |||
| 5. The signerInfos field of the inner type SignedData contains a | 5. The signerInfos field of the inner type SignedData contains a | |||
| single signerInfo, which contains the signature over the type | single signerInfo, which contains the signature over the type | |||
| ReplyKeyPack. | ReplyKeyPack. | |||
| 6. The certificates field of the inner type SignedData contains | 6. The certificates field of the inner type SignedData contains | |||
| certificates intended to facilitate certification path | certificates intended to facilitate certification path | |||
| construction, so that the client can verify the KDC's signature | construction, so that the client can verify the KDC's signature | |||
| over the type ReplyKeyPack. This field may only be left empty if | over the type ReplyKeyPack. The information contained in the | |||
| the KDC public key specified by the kdcPkId field in the | trustedCertifiers in the request SHOULD be used by the KDC as | |||
| PA-PK-AS-REQ was used for signing. Otherwise, for path | hints to guide its selection of an appropriate certificate chain | |||
| validation, these certificates SHOULD be sufficient to construct | to return to the client. This field may only be left empty if | |||
| at least one certification path from the KDC certificate to one | the KDC public key specified by the kdcPkId field in the PA-PK- | |||
| trust anchor acceptable by the client [CAPATH]. The certificates | AS-REQ was used for signing. Otherwise, for path validation, | |||
| field MUST NOT contain "root" CA certificates. | these certificates SHOULD be sufficient to construct at least one | |||
| certification path from the KDC certificate to one trust anchor | ||||
| acceptable by the client [CAPATH]. The KDC MUST be capable of | ||||
| including such a set of certificates if configured to do so. The | ||||
| certificates field MUST NOT contain "root" CA certificates. | ||||
| 7. The recipientInfos field of the type EnvelopedData is a SET which | 7. The recipientInfos field of the type EnvelopedData is a SET which | |||
| MUST contain exactly one member of type KeyTransRecipientInfo. | MUST contain exactly one member of type KeyTransRecipientInfo. | |||
| The encryptedKey of this member contains the temporary key which | The encryptedKey of this member contains the temporary key which | |||
| is encrypted using the client's public key. | is encrypted using the client's public key. | |||
| 8. The unprotectedAttrs or originatorInfo fields of the type | 8. The unprotectedAttrs or originatorInfo fields of the type | |||
| EnvelopedData MAY be present. | EnvelopedData MAY be present. | |||
| 3.2.4 Receipt of KDC Reply | 3.2.4 Receipt of KDC Reply | |||
| Upon receipt of the KDC's reply, the client proceeds as follows. If | Upon receipt of the KDC's reply, the client proceeds as follows. If | |||
| the PA-PK-AS-REP contains the dhSignedData field, the client derives | the PA-PK-AS-REP contains the dhSignedData field, the client derives | |||
| the KDC AS reply key using the same procedure used by the KDC as | the AS reply key using the same procedure used by the KDC as defined | |||
| defined in Section 3.2.3.1. Otherwise, the message contains the | in Section 3.2.3.1. Otherwise, the message contains the encKeyPack | |||
| encKeyPack field, and the client decrypts and extracts the temporary | field, and the client decrypts and extracts the temporary key in the | |||
| key in the encryptedKey field of the member KeyTransRecipientInfo, | encryptedKey field of the member KeyTransRecipientInfo, and then uses | |||
| and then uses that as the KDC AS reply key. | that as the AS reply key. | |||
| In either case, the client MUST verify the signature in the | In either case, the client MUST verify the signature in the | |||
| SignedData according to [RFC3852]. Unless the client can otherwise | SignedData according to [RFC3852]. The KDC's X.509 certificate MUST | |||
| prove that the public key used to verify the KDC's signature is bound | be validated according to [RFC3280]. In addition, unless the client | |||
| to the target KDC, the KDC's X.509 certificate MUST satisfy at least | can otherwise verify that the public key used to verify the KDC's | |||
| one of the following two requirements: | signature is bound to the KDC of the target realm, the KDC's X.509 | |||
| certificate MUST contain a Subject Alternative Name extension | ||||
| 1. The certificate contains a Subject Alternative Name (SAN) | [RFC3280] carrying an AnotherName whose type-id is id-pksan (as | |||
| extension [RFC3280] carrying a dNSName and that name value | defined in Section 3.2.2) and whose value is a KRB5PrincipalName that | |||
| matches the following name format: | matches the name of the TGS of the target realm (as defined in | |||
| Section 7.3 of [CLAR]). | ||||
| _Service._Proto.Realm | ||||
| Where the Service name is the string literal "kerberos", the | ||||
| Proto can be "udp" or "tcp", and the Realm is the domain style | ||||
| Kerberos realm name [CLAR] of the target KDC. This name format | ||||
| is identical to the owner label format used in the DNS SRV | ||||
| records for specifying the KDC location as described in [CLAR]. | ||||
| For example, the X.509 certificate for the KDC of the Kerberos | ||||
| realm "EXAMPLE.COM" would contain a dNSName value of | ||||
| "_kerberos._tcp.EXAMPLE.COM" or "_kerberos._udp.EXAMPLE.COM". | ||||
| 2. The certificate contains the EKU KeyPurposeId [RFC3280] | Based on local policy, the client MAY require that the KDC | |||
| id-pkkdcekuoid (defined below) and an SAN extension [RFC3280] | certificate contains the EKU KeyPurposeId [RFC3280] id-pkkdcekuoid: | |||
| carrying an AnotherName whose type-id is id-pksan (as defined in | ||||
| Section 3.2.2) and whose value contains a KRB5PrincipalName name, | ||||
| and the realm name of that KRB5PrincipalName matches the realm | ||||
| name of the target KDC. | ||||
| id-pkkdcekuoid OBJECT IDENTIFIER ::= | id-pkkdcekuoid OBJECT IDENTIFIER ::= | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkkdcekuoid(5) } | pkinit(3) pkkdcekuoid(5) } | |||
| -- Signing KDC responses. | -- Signing KDC responses. | |||
| -- Key usage bits that MUST be consistent: | -- Key usage bits that MUST be consistent: | |||
| -- digitalSignature. | ||||
| If no SAN id-pksan extension is present (but the id-pkkdcekuoid | -- digitalSignature. | |||
| EKU is) in the KDC's X.509 certificate, and the client has a | ||||
| priori knowledge of the KDC's hostname (or IP address), the | ||||
| client SHOULD accept the KDC's X.509 certificate if that | ||||
| certificate contains an SAN extension carrying a dNSName and the | ||||
| dNSName value matches the hostname (or the IP address) of the KDC | ||||
| with which the client believes it is communicating. | ||||
| Matching rules used for the dNSName value are specified in [RFC3280]. | ||||
| If all applicable checks are satisfied, the client then decrypts the | If all applicable checks are satisfied, the client then decrypts the | |||
| enc-part field of the KDC-REP in the AS-REP using the KDC AS reply | enc-part field of the KDC-REP in the AS-REP using the AS reply key, | |||
| key, and then proceeds as described in [CLAR]. | and then proceeds as described in [CLAR]. | |||
| Implementation note: CAs issuing KDC certificates SHOULD place all | Implementation note: CAs issuing KDC certificates SHOULD place all | |||
| "short" and "fully-qualified" Kerberos realm names of the KDC (one | "short" and "fully-qualified" Kerberos realm names of the KDC (one | |||
| per SAN extension) into the KDC certificate to allow maximum | per GeneralName [RFC3280]) into the KDC certificate to allow maximum | |||
| flexibility. | flexibility. | |||
| 3.3 Interoperability Requirements | 3.3 Interoperability Requirements | |||
| The client MUST be capable of sending a set of certificates | The client MUST be capable of sending a set of certificates | |||
| sufficient to allow the KDC to construct a certification path for the | sufficient to allow the KDC to construct a certification path for the | |||
| client's certificate, if the correct set of certificates is provided | client's certificate, if the correct set of certificates is provided | |||
| through configuration or policy. | through configuration or policy. | |||
| If the client sends all the X.509 certificates on a certification | If the client sends all the X.509 certificates on a certification | |||
| skipping to change at page 22, line 24 ¶ | skipping to change at page 22, line 18 ¶ | |||
| The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does | The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does | |||
| permit empty SEQUENCEs to be encoded. Such empty sequences may only | permit empty SEQUENCEs to be encoded. Such empty sequences may only | |||
| be used if the KDC itself vouches for the user's certificate. | be used if the KDC itself vouches for the user's certificate. | |||
| 5. Acknowledgements | 5. Acknowledgements | |||
| The following people have made significant contributions to this | The following people have made significant contributions to this | |||
| draft: Paul Leach, Kristin Lauter, Sam Hartman, Love Hornquist | draft: Paul Leach, Kristin Lauter, Sam Hartman, Love Hornquist | |||
| Astrand, Ken Raeburn, Nicolas Williams, John Wray, Jonathan Trostle, | Astrand, Ken Raeburn, Nicolas Williams, John Wray, Jonathan Trostle, | |||
| Tom Yu, Jeffrey Hutzelman, David Cross, Dan Simon, Karthik Jaganathan | Tom Yu, Jeffrey Hutzelman, David Cross, Dan Simon, Karthik | |||
| and Chaskiel M Grundman. | Jaganathan, Chaskiel M Grundman and Stefan Santesson. | |||
| Special thanks to Clifford Neuman, Matthew Hur and Sasha Medvinsky | Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and | |||
| who wrote earlier versions of this document. | Jonathan Trostle who wrote earlier versions of this document. | |||
| The authors are indebt to the Kerberos working group chair Jeffrey | The authors are indebted to the Kerberos working group chair Jeffrey | |||
| Hutzelman who kept track of various issues and was enormously helpful | Hutzelman who kept track of various issues and was enormously helpful | |||
| during the creation of this document. | during the creation of this document. | |||
| Some of the ideas on which this document is based arose during | Some of the ideas on which this document is based arose during | |||
| discussions over several years between members of the SAAG, the IETF | discussions over several years between members of the SAAG, the IETF | |||
| CAT working group, and the PSRG, regarding integration of Kerberos | CAT working group, and the PSRG, regarding integration of Kerberos | |||
| and SPX. Some ideas have also been drawn from the DASS system. | and SPX. Some ideas have also been drawn from the DASS system. | |||
| These changes are by no means endorsed by these groups. This is an | These changes are by no means endorsed by these groups. This is an | |||
| attempt to revive some of the goals of those groups, and this | attempt to revive some of the goals of those groups, and this | |||
| document approaches those goals primarily from the Kerberos | document approaches those goals primarily from the Kerberos | |||
| skipping to change at page 23, line 25 ¶ | skipping to change at page 23, line 18 ¶ | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", | [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", | |||
| RFC 2412, November 1998. | RFC 2412, November 1998. | |||
| [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", | [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", | |||
| RFC 2631, June 1999. | RFC 2631, June 1999. | |||
| [RFC3279] Bassham, L., Polk, W. and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, April 2002. | (CRL) Profile", RFC 3279, April 2002. | |||
| [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet | [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet | |||
| X.509 Public Key Infrastructure Certificate and | X.509 Public Key Infrastructure Certificate and | |||
| Certificate Revocation List (CRL) Profile", RFC 3280, | Certificate Revocation List (CRL) Profile", RFC 3280, | |||
| April 2002. | April 2002. | |||
| [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) | [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) | |||
| Algorithms", RFC 3370, August 2002. | Algorithms", RFC 3370, August 2002. | |||
| [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography | |||
| Standards (PKCS) #1: RSA Cryptography Specifications | Standards (PKCS) #1: RSA Cryptography Specifications | |||
| Version 2.1", RFC 3447, February 2003. | Version 2.1", RFC 3447, February 2003. | |||
| [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) | |||
| Diffie-Hellman groups for Internet Key Exchange (IKE)", | Diffie-Hellman groups for Internet Key Exchange (IKE)", | |||
| RFC 3526, May 2003. | RFC 3526, May 2003. | |||
| [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) | [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) | |||
| Encryption Algorithm in Cryptographic Message Syntax | Encryption Algorithm in Cryptographic Message Syntax | |||
| (CMS)", RFC 3565, July 2003. | (CMS)", RFC 3565, July 2003. | |||
| [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For | ||||
| Public Keys Used For Exchanging Symmetric Keys", BCP 86, | ||||
| RFC 3766, April 2004. | ||||
| [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | |||
| RFC 3852, July 2004. | RFC 3852, July 2004. | |||
| [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | |||
| Kerberos 5", RFC 3961, February 2005. | Kerberos 5", RFC 3961, February 2005. | |||
| [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | ||||
| Encryption for Kerberos 5", RFC 3962, February 2005. | ||||
| [X.509-97] ITU-T. Recommendation X.509: The Directory - Authentication | [X.509-97] ITU-T. Recommendation X.509: The Directory - Authentication | |||
| Framework. 1997. | Framework. 1997. | |||
| [X690] ASN.1 encoding rules: Specification of Basic Encoding | [X690] ASN.1 encoding rules: Specification of Basic Encoding | |||
| Rules (BER), Canonical Encoding Rules (CER) and | Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER), ITU-T Recommendation | Distinguished Encoding Rules (DER), ITU-T Recommendation | |||
| X.690 (1997) | ISO/IEC International Standard | X.690 (1997) | ISO/IEC International Standard | |||
| 8825-1:1998. | 8825-1:1998. | |||
| 7.2 Informative References | 7.2 Informative References | |||
| skipping to change at page 26, line 15 ¶ | skipping to change at page 26, line 15 ¶ | |||
| -- The contentType field of the type ContentInfo | -- The contentType field of the type ContentInfo | |||
| -- is id-signedData (1.2.840.113549.1.7.2), | -- is id-signedData (1.2.840.113549.1.7.2), | |||
| -- and the content field is a SignedData. | -- and the content field is a SignedData. | |||
| -- The eContentType field for the type SignedData is | -- The eContentType field for the type SignedData is | |||
| -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | |||
| -- eContent field contains the DER encoding of the | -- eContent field contains the DER encoding of the | |||
| -- type AuthPack. | -- type AuthPack. | |||
| -- AuthPack is defined below. | -- AuthPack is defined below. | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | |||
| -- A list of CAs, trusted by the client, that can | -- A list of CAs, trusted by the client, that can | |||
| -- be used as the trust anchor to validate the KDC's | -- be used to certify the KDC. | |||
| -- signature. | ||||
| -- Each TrustedCA identifies a CA or a CA | -- Each TrustedCA identifies a CA or a CA | |||
| -- certificate (thereby its public key). | -- certificate (thereby its public key). | |||
| -- The information contained in the | ||||
| -- trustedCertifiers SHOULD be used by the KDC as | ||||
| -- hints to guide its selection of an appropriate | ||||
| -- certificate chain to return to the client. | ||||
| kdcPkId [2] IMPLICIT OCTET STRING | kdcPkId [2] IMPLICIT OCTET STRING | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Contains a CMS type SignerIdentifier encoded | -- Contains a CMS type SignerIdentifier encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- Identifies, if present, a particular KDC | -- Identifies, if present, a particular KDC | |||
| -- public key that the client already has. | -- public key that the client already has. | |||
| ... | ... | |||
| } | } | |||
| DHNonce ::= OCTET STRING | DHNonce ::= OCTET STRING | |||
| skipping to change at page 26, line 50 ¶ | skipping to change at page 27, line 4 ¶ | |||
| subjectKeyIdentifier [2] OCTET STRING OPTIONAL, | subjectKeyIdentifier [2] OCTET STRING OPTIONAL, | |||
| -- Identifies the CA's public key by a key | -- Identifies the CA's public key by a key | |||
| -- identifier. When an X.509 certificate is | -- identifier. When an X.509 certificate is | |||
| -- referenced, this key identifier matches the X.509 | -- referenced, this key identifier matches the X.509 | |||
| -- subjectKeyIdentifier extension value. When other | -- subjectKeyIdentifier extension value. When other | |||
| -- certificate formats are referenced, the documents | -- certificate formats are referenced, the documents | |||
| -- that specify the certificate format and their use | -- that specify the certificate format and their use | |||
| -- with the CMS must include details on matching the | -- with the CMS must include details on matching the | |||
| -- key identifier to the appropriate certificate | -- key identifier to the appropriate certificate | |||
| -- field. | -- field. | |||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| -- Type SubjectPublicKeyInfo is defined in | -- Type SubjectPublicKeyInfo is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Specifies Diffie-Hellman domain parameters | -- Specifies Diffie-Hellman domain parameters | |||
| -- and the client's public key value [IEEE1363]. | -- and the client's public key value [IEEE1363]. | |||
| -- The public key value (the subjectPublicKey field | -- The DH public key value is encoded as a BIT | |||
| -- of the type SubjectPublicKeyInfo) MUST be encoded | -- STRING, as specified in Section 2.3.3 of | |||
| -- according to [RFC3279]. | -- [RFC3279]. | |||
| -- Present only if the client wishes to use the | -- This field is present only if the client wishes | |||
| -- Diffie-Hellman key agreement method. | -- to use the Diffie-Hellman key agreement method. | |||
| supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Type AlgorithmIdentifier is defined in | -- Type AlgorithmIdentifier is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- List of CMS encryption types supported by the | -- List of CMS encryption types supported by the | |||
| -- client in order of (decreasing) preference. | -- client in order of (decreasing) preference. | |||
| clientDHNonce [3] DHNonce OPTIONAL, | clientDHNonce [3] DHNonce OPTIONAL, | |||
| -- Present only if the client indicates that it | -- Present only if the client indicates that it | |||
| -- wishes to reuse DH keys or to allow the KDC to | -- wishes to reuse DH keys or to allow the KDC to | |||
| -- do so. | -- do so. | |||
| skipping to change at page 28, line 4 ¶ | skipping to change at page 28, line 9 ¶ | |||
| TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | |||
| -- Identifies a list of CAs trusted by the KDC. | -- Identifies a list of CAs trusted by the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each TrustedCA identifies a CA or a CA | |||
| -- certificate (thereby its public key). | -- certificate (thereby its public key). | |||
| TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | |||
| -- Each OCTET STRING contains a CMS type | -- Each OCTET STRING contains a CMS type | |||
| -- IssuerAndSerialNumber encoded according to | -- IssuerAndSerialNumber encoded according to | |||
| -- [RFC3852]. | -- [RFC3852]. | |||
| -- Each IssuerAndSerialNumber identifies a | ||||
| -- Each IssuerAndSerialNumber indentifies a | ||||
| -- certificate (sent by the client) with an invalid | -- certificate (sent by the client) with an invalid | |||
| -- signature. | -- signature. | |||
| KRB5PrincipalName ::= SEQUENCE { | KRB5PrincipalName ::= SEQUENCE { | |||
| realm [0] Realm, | realm [0] Realm, | |||
| principalName [1] PrincipalName | principalName [1] PrincipalName | |||
| } | } | |||
| AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | |||
| -- Identifies the certification path based on which | -- Identifies the certification path based on which | |||
| skipping to change at page 28, line 49 ¶ | skipping to change at page 29, line 4 ¶ | |||
| ... | ... | |||
| } | } | |||
| DHRepInfo ::= SEQUENCE { | DHRepInfo ::= SEQUENCE { | |||
| dhSignedData [0] IMPLICIT OCTET STRING, | dhSignedData [0] IMPLICIT OCTET STRING, | |||
| -- Contains a CMS type ContentInfo encoded according | -- Contains a CMS type ContentInfo encoded according | |||
| -- to [RFC3852]. | -- to [RFC3852]. | |||
| -- The contentType field of the type ContentInfo is | -- The contentType field of the type ContentInfo is | |||
| -- id-signedData (1.2.840.113549.1.7.2), and the | -- id-signedData (1.2.840.113549.1.7.2), and the | |||
| -- content field is a SignedData. | -- content field is a SignedData. | |||
| -- The eContentType field for the type SignedData is | -- The eContentType field for the type SignedData is | |||
| -- id-pkdhkeydata (1.3.6.1.5.2.3.2), and the | -- id-pkdhkeydata (1.3.6.1.5.2.3.2), and the | |||
| -- eContent field contains the DER encoding of the | -- eContent field contains the DER encoding of the | |||
| -- type KDCDHKeyInfo. | -- type KDCDHKeyInfo. | |||
| -- KDCDHKeyInfo is defined below. | -- KDCDHKeyInfo is defined below. | |||
| serverDHNonce [1] DHNonce OPTIONAL | serverDHNonce [1] DHNonce OPTIONAL | |||
| -- Present if and only if dhKeyExpiration is | -- Present if and only if dhKeyExpiration is | |||
| -- present. | -- present. | |||
| } | } | |||
| KDCDHKeyInfo ::= SEQUENCE { | KDCDHKeyInfo ::= SEQUENCE { | |||
| subjectPublicKey [0] BIT STRING, | subjectPublicKey [0] BIT STRING, | |||
| -- KDC's DH public key. | -- KDC's DH public key. | |||
| -- The DH pubic key value is mapped to a BIT STRING | -- The DH public key value is encoded as a BIT | |||
| -- according to [RFC3279]. | -- STRING, as specified in Section 2.3.3 of | |||
| -- [RFC3279]. | ||||
| nonce [1] INTEGER (0..4294967295), | nonce [1] INTEGER (0..4294967295), | |||
| -- Contains the nonce in the PKAuthenticator of the | -- Contains the nonce in the PKAuthenticator of the | |||
| -- request if DH keys are NOT reused, | -- request if DH keys are NOT reused, | |||
| -- 0 otherwise. | -- 0 otherwise. | |||
| dhKeyExpiration [2] KerberosTime OPTIONAL, | dhKeyExpiration [2] KerberosTime OPTIONAL, | |||
| -- Expiration time for KDC's key pair, | -- Expiration time for KDC's key pair, | |||
| -- present if and only if DH keys are reused. If | -- present if and only if DH keys are reused. If | |||
| -- this field is omitted then the serverDHNonce | -- this field is omitted then the serverDHNonce | |||
| -- field MUST also be omitted. | -- field MUST also be omitted. | |||
| ... | ... | |||
| End of changes. 87 change blocks. | ||||
| 219 lines changed or deleted | 212 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||