| < draft-ietf-cat-kerberos-pk-init-26.txt | draft-ietf-cat-kerberos-pk-init-27.txt > | |||
|---|---|---|---|---|
| NETWORK WORKING GROUP B. Tung | NETWORK WORKING GROUP B. Tung | |||
| Internet-Draft USC Information Sciences Institute | Internet-Draft USC Information Sciences Institute | |||
| Expires: November 24, 2005 L. Zhu | Expires: January 20, 2006 L. Zhu | |||
| Microsoft Corporation | Microsoft Corporation | |||
| May 23, 2005 | July 19, 2005 | |||
| Public Key Cryptography for Initial Authentication in Kerberos | Public Key Cryptography for Initial Authentication in Kerberos | |||
| draft-ietf-cat-kerberos-pk-init-26 | draft-ietf-cat-kerberos-pk-init-27 | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | ||||
| of Section 3 of RFC 3667. | ||||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 35 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on November 24, 2005. | This Internet-Draft will expire on January 20, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| This document describes protocol extensions (hereafter called PKINIT) | This document describes protocol extensions (hereafter called PKINIT) | |||
| to the Kerberos protocol specification. These extensions provide a | to the Kerberos protocol specification. These extensions provide a | |||
| method for integrating public key cryptography into the initial | method for integrating public key cryptography into the initial | |||
| skipping to change at page 2, line 17 ¶ | skipping to change at page 2, line 17 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 | |||
| 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1 Definitions, Requirements, and Constants . . . . . . . . . 4 | 3.1 Definitions, Requirements, and Constants . . . . . . . . . 4 | |||
| 3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 4 | 3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 4 | |||
| 3.1.2 Defined Message and Encryption Types . . . . . . . . . 5 | 3.1.2 Defined Message and Encryption Types . . . . . . . . . 5 | |||
| 3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 6 | 3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 6 | |||
| 3.2 PKINIT Pre-authentication Syntax and Use . . . . . . . . . 7 | 3.2 PKINIT Pre-authentication Syntax and Use . . . . . . . . . 7 | |||
| 3.2.1 Generation of Client Request . . . . . . . . . . . . . 7 | 3.2.1 Generation of Client Request . . . . . . . . . . . . . 7 | |||
| 3.2.2 Receipt of Client Request . . . . . . . . . . . . . . 10 | 3.2.2 Receipt of Client Request . . . . . . . . . . . . . . 10 | |||
| 3.2.3 Generation of KDC Reply . . . . . . . . . . . . . . . 13 | 3.2.3 Generation of KDC Reply . . . . . . . . . . . . . . . 14 | |||
| 3.2.4 Receipt of KDC Reply . . . . . . . . . . . . . . . . . 19 | 3.2.4 Receipt of KDC Reply . . . . . . . . . . . . . . . . . 19 | |||
| 3.3 Interoperability Requirements . . . . . . . . . . . . . . 20 | 3.3 Interoperability Requirements . . . . . . . . . . . . . . 20 | |||
| 3.4 KDC Indication of PKINIT Support . . . . . . . . . . . . . 20 | 3.4 KDC Indication of PKINIT Support . . . . . . . . . . . . . 21 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 21 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 7.1 Normative References . . . . . . . . . . . . . . . . . . . 22 | 7.1 Normative References . . . . . . . . . . . . . . . . . . . 23 | |||
| 7.2 Informative References . . . . . . . . . . . . . . . . . . 24 | 7.2 Informative References . . . . . . . . . . . . . . . . . . 24 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 25 | A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 25 | |||
| Intellectual Property and Copyright Statements . . . . . . . . 30 | Intellectual Property and Copyright Statements . . . . . . . . 31 | |||
| 1. Introduction | 1. Introduction | |||
| A client typically authenticates itself to a service in Kerberos | A client typically authenticates itself to a service in Kerberos | |||
| using three distinct though related exchanges. First, the client | using three distinct though related exchanges. First, the client | |||
| requests a ticket-granting ticket (TGT) from the Kerberos | requests a ticket-granting ticket (TGT) from the Kerberos | |||
| authentication server (AS). Then, it uses the TGT to request a | authentication server (AS). Then, it uses the TGT to request a | |||
| service ticket from the Kerberos ticket-granting server (TGS). | service ticket from the Kerberos ticket-granting server (TGS). | |||
| Usually, the AS and TGS are integrated in a single device known as a | Usually, the AS and TGS are integrated in a single device known as a | |||
| Kerberos Key Distribution Center, or KDC. Finally, the client uses | Kerberos Key Distribution Center, or KDC. Finally, the client uses | |||
| the service ticket to authenticate itself to the service. | the service ticket to authenticate itself to the service. | |||
| The advantage afforded by the TGT is that the client exposes his | The advantage afforded by the TGT is that the client exposes his | |||
| long-term secrets only once. The TGT and its associated session key | long-term secrets only once. The TGT and its associated session key | |||
| can then be used for any subsequent service ticket requests. One | can then be used for any subsequent service ticket requests. One | |||
| result of this is that all further authentication is independent of | result of this is that all further authentication is independent of | |||
| the method by which the initial authentication was performed. | the method by which the initial authentication was performed. | |||
| Consequently, initial authentication provides a convenient place to | Consequently, initial authentication provides a convenient place to | |||
| integrate public-key cryptography into Kerberos authentication. | integrate public-key cryptography into Kerberos authentication. | |||
| As defined in [CLAR], Kerberos authentication exchanges use | As defined in [RFC4120], Kerberos authentication exchanges use | |||
| symmetric-key cryptography, in part for performance. One | symmetric-key cryptography, in part for performance. One | |||
| disadvantage of using symmetric-key cryptography is that the keys | disadvantage of using symmetric-key cryptography is that the keys | |||
| must be shared, so that before a client can authenticate itself, he | must be shared, so that before a client can authenticate itself, he | |||
| must already be registered with the KDC. | must already be registered with the KDC. | |||
| Conversely, public-key cryptography (in conjunction with an | Conversely, public-key cryptography (in conjunction with an | |||
| established Public Key Infrastructure) permits authentication without | established Public Key Infrastructure) permits authentication without | |||
| prior registration with a KDC. Adding it to Kerberos allows the | prior registration with a KDC. Adding it to Kerberos allows the | |||
| widespread use of Kerberized applications by clients without | widespread use of Kerberized applications by clients without | |||
| requiring them to register first with a KDC--a requirement that has | requiring them to register first with a KDC--a requirement that has | |||
| skipping to change at page 3, line 52 ¶ | skipping to change at page 3, line 52 ¶ | |||
| 2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| Both the AS and the TGS are referred to as the KDC. | Both the AS and the TGS are referred to as the KDC. | |||
| In this document, the encryption key used to encrypt the enc-part | In this document, the encryption key used to encrypt the enc-part | |||
| field of the KDC-REP in the AS-REP [CLAR] is referred to as the AS | field of the KDC-REP in the AS-REP [RFC4120] is referred to as the AS | |||
| reply key. | reply key. | |||
| 3. Extensions | 3. Extensions | |||
| This section describes extensions to [CLAR] for supporting the use of | This section describes extensions to [RFC4120] for supporting the use | |||
| public-key cryptography in the initial request for a ticket. | of public-key cryptography in the initial request for a ticket. | |||
| Briefly, this document defines the following extensions to [CLAR]: | Briefly, this document defines the following extensions to [RFC4120]: | |||
| 1. The client indicates the use of public-key authentication by | 1. The client indicates the use of public-key authentication by | |||
| including a special preauthenticator in the initial request. This | including a special preauthenticator in the initial request. This | |||
| preauthenticator contains the client's public-key data and a | preauthenticator contains the client's public-key data and a | |||
| signature. | signature. | |||
| 2. The KDC tests the client's request against its authentication | 2. The KDC tests the client's request against its authentication | |||
| policy and trusted Certification Authorities (CAs). | policy and trusted Certification Authorities (CAs). | |||
| 3. If the request passes the verification tests, the KDC replies as | 3. If the request passes the verification tests, the KDC replies as | |||
| skipping to change at page 4, line 48 ¶ | skipping to change at page 4, line 48 ¶ | |||
| Section 3.1 of this document enumerates the required algorithms and | Section 3.1 of this document enumerates the required algorithms and | |||
| necessary extension message types. Section 3.2 describes the | necessary extension message types. Section 3.2 describes the | |||
| extension messages in greater detail. | extension messages in greater detail. | |||
| 3.1 Definitions, Requirements, and Constants | 3.1 Definitions, Requirements, and Constants | |||
| 3.1.1 Required Algorithms | 3.1.1 Required Algorithms | |||
| All PKINIT implementations MUST support the following algorithms: | All PKINIT implementations MUST support the following algorithms: | |||
| o AS reply key enctype: AES256-CTS-HMAC-SHA1-96 etype [RFC3962]. | o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac- | |||
| sha1-96 [RFC3962]. | ||||
| o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. | o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. | |||
| o AS reply key delivery method: Diffie-Hellman key exchange | o AS reply key delivery method: Diffie-Hellman key exchange | |||
| [RFC2631]. | [RFC2631]. | |||
| 3.1.2 Defined Message and Encryption Types | 3.1.2 Defined Message and Encryption Types | |||
| PKINIT makes use of the following new pre-authentication types: | PKINIT makes use of the following new pre-authentication types: | |||
| skipping to change at page 6, line 26 ¶ | skipping to change at page 6, line 26 ¶ | |||
| wrapped CMS objects encoded with BER but not DER; specifically, they | wrapped CMS objects encoded with BER but not DER; specifically, they | |||
| may not be able to decode infinite length encodings. To maximize | may not be able to decode infinite length encodings. To maximize | |||
| interoperability, implementers SHOULD encode CMS objects used in | interoperability, implementers SHOULD encode CMS objects used in | |||
| PKINIT with DER. | PKINIT with DER. | |||
| 3.1.3 Algorithm Identifiers | 3.1.3 Algorithm Identifiers | |||
| PKINIT does not define, but does make use of, the following algorithm | PKINIT does not define, but does make use of, the following algorithm | |||
| identifiers. | identifiers. | |||
| PKINIT uses the following algorithm identifiers for Diffie-Hellman | PKINIT uses the following algorithm identifier(s) for Diffie-Hellman | |||
| key agreement [RFC3279]: | key agreement [RFC3279]: | |||
| dhpublicnumber (Modular Exponential Diffie-Hellman [RFC2631]) | dhpublicnumber (Modular Exponential Diffie-Hellman [RFC2631]) | |||
| id-ecPublicKey (Elliptic Curve Diffie-Hellman [IEEE1363]) | ||||
| PKINIT uses the following signature algorithm identifiers [RFC3279]: | PKINIT uses the following signature algorithm identifiers [RFC3279]: | |||
| sha-1WithRSAEncryption (RSA with SHA1) | sha-1WithRSAEncryption (RSA with SHA1) | |||
| md5WithRSAEncryption (RSA with MD5) | md5WithRSAEncryption (RSA with MD5) | |||
| id-dsa-with-sha1 (DSA with SHA1) | id-dsa-with-sha1 (DSA with SHA1) | |||
| PKINIT uses the following encryption algorithm identifiers [RFC3447] | PKINIT uses the following encryption algorithm identifiers [RFC3447] | |||
| for encrypting the temporary key with a public key: | for encrypting the temporary key with a public key: | |||
| skipping to change at page 7, line 12 ¶ | skipping to change at page 7, line 12 ¶ | |||
| rc2-cbc (RC2, CBC mode) | rc2-cbc (RC2, CBC mode) | |||
| id-aes256-CBC (AES-256, CBC mode) | id-aes256-CBC (AES-256, CBC mode) | |||
| 3.2 PKINIT Pre-authentication Syntax and Use | 3.2 PKINIT Pre-authentication Syntax and Use | |||
| This section defines the syntax and use of the various pre- | This section defines the syntax and use of the various pre- | |||
| authentication fields employed by PKINIT. | authentication fields employed by PKINIT. | |||
| 3.2.1 Generation of Client Request | 3.2.1 Generation of Client Request | |||
| The initial authentication request (AS-REQ) is sent as per [CLAR]; in | The initial authentication request (AS-REQ) is sent as per [RFC4120]; | |||
| addition, a pre-authentication data element, whose padata-type is | in addition, a pre-authentication data element, whose padata-type is | |||
| PA_PK_AS_REQ and whose padata-value contains the DER encoding of the | PA_PK_AS_REQ and whose padata-value contains the DER encoding of the | |||
| type PA-PK-AS-REQ, is included. | type PA-PK-AS-REQ, is included. | |||
| PA-PK-AS-REQ ::= SEQUENCE { | PA-PK-AS-REQ ::= SEQUENCE { | |||
| signedAuthPack [0] IMPLICIT OCTET STRING, | signedAuthPack [0] IMPLICIT OCTET STRING, | |||
| -- Contains a CMS type ContentInfo encoded | -- Contains a CMS type ContentInfo encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- The contentType field of the type ContentInfo | -- The contentType field of the type ContentInfo | |||
| -- is id-signedData (1.2.840.113549.1.7.2), | -- is id-signedData (1.2.840.113549.1.7.2), | |||
| -- and the content field is a SignedData. | -- and the content field is a SignedData. | |||
| -- The eContentType field for the type SignedData is | -- The eContentType field for the type SignedData is | |||
| -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | |||
| -- eContent field contains the DER encoding of the | -- eContent field contains the DER encoding of the | |||
| -- type AuthPack. | -- type AuthPack. | |||
| -- AuthPack is defined below. | -- AuthPack is defined below. | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF | |||
| ExternalPrincipalIdentifier OPTIONAL, | ||||
| -- A list of CAs, trusted by the client, that can | -- A list of CAs, trusted by the client, that can | |||
| -- be used to certify the KDC. | -- be used to certify the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| -- The information contained in the | -- The information contained in the | |||
| -- trustedCertifiers SHOULD be used by the KDC as | -- trustedCertifiers SHOULD be used by the KDC as | |||
| -- hints to guide its selection of an appropriate | -- hints to guide its selection of an appropriate | |||
| -- certificate chain to return to the client. | -- certificate chain to return to the client. | |||
| kdcPkId [2] IMPLICIT OCTET STRING | kdcPkId [2] IMPLICIT OCTET STRING | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Contains a CMS type SignerIdentifier encoded | -- Contains a CMS type SignerIdentifier encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- Identifies, if present, a particular KDC | -- Identifies, if present, a particular KDC | |||
| -- public key that the client already has. | -- public key that the client already has. | |||
| ... | ... | |||
| } | } | |||
| DHNonce ::= OCTET STRING | DHNonce ::= OCTET STRING | |||
| TrustedCA ::= SEQUENCE { | ExternalPrincipalIdentifier ::= SEQUENCE { | |||
| caName [0] IMPLICIT OCTET STRING, | subjectName [0] IMPLICIT OCTET STRING OPTIONAL, | |||
| -- Contains a PKIX type Name encoded according to | -- Contains a PKIX type Name encoded according to | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Identifies the certificate subject by the | ||||
| -- Identifies a CA by the CA's distinguished subject | -- distinguished subject name. | |||
| -- name. | -- REQUIRED when there is a distinguished subject | |||
| certificateSerialNumber [1] INTEGER OPTIONAL, | -- name present in the certificate. | |||
| -- Specifies the CA certificate's serial number. | issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, | |||
| -- The defintion of the certificate serial number | -- Contains a CMS type IssuerAndSerialNumber encoded | |||
| -- is taken from X.509 [X.509-97]. | -- according to [RFC3852]. | |||
| subjectKeyIdentifier [2] OCTET STRING OPTIONAL, | -- Identifies a certificate of the subject. | |||
| -- Identifies the CA's public key by a key | -- REQUIRED for TD-INVALID-CERTIFICATES and | |||
| -- TD-TRUSTED-CERTIFIERS. | ||||
| subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, | ||||
| -- Identifies the subject's public key by a key | ||||
| -- identifier. When an X.509 certificate is | -- identifier. When an X.509 certificate is | |||
| -- referenced, this key identifier matches the X.509 | -- referenced, this key identifier matches the X.509 | |||
| -- subjectKeyIdentifier extension value. When other | -- subjectKeyIdentifier extension value. When other | |||
| -- certificate formats are referenced, the documents | -- certificate formats are referenced, the documents | |||
| -- that specify the certificate format and their use | -- that specify the certificate format and their use | |||
| -- with the CMS must include details on matching the | -- with the CMS must include details on matching the | |||
| -- key identifier to the appropriate certificate | -- key identifier to the appropriate certificate | |||
| -- field. | -- field. | |||
| -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. | ||||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| -- Type SubjectPublicKeyInfo is defined in | -- Type SubjectPublicKeyInfo is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Specifies Diffie-Hellman domain parameters | -- Specifies Diffie-Hellman domain parameters | |||
| -- and the client's public key value [IEEE1363]. | -- and the client's public key value [IEEE1363]. | |||
| skipping to change at page 8, line 47 ¶ | skipping to change at page 9, line 4 ¶ | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Type AlgorithmIdentifier is defined in | -- Type AlgorithmIdentifier is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- List of CMS encryption types supported by the | -- List of CMS encryption types supported by the | |||
| -- client in order of (decreasing) preference. | -- client in order of (decreasing) preference. | |||
| clientDHNonce [3] DHNonce OPTIONAL, | clientDHNonce [3] DHNonce OPTIONAL, | |||
| -- Present only if the client indicates that it | -- Present only if the client indicates that it | |||
| -- wishes to reuse DH keys or to allow the KDC to | -- wishes to reuse DH keys or to allow the KDC to | |||
| -- do so (see Section 3.2.3.1). | -- do so (see Section 3.2.3.1). | |||
| ... | ... | |||
| } | } | |||
| PKAuthenticator ::= SEQUENCE { | PKAuthenticator ::= SEQUENCE { | |||
| cusec [0] INTEGER (0..999999), | cusec [0] INTEGER (0..999999), | |||
| ctime [1] KerberosTime, | ctime [1] KerberosTime, | |||
| -- cusec and ctime are used as in [CLAR], for replay | -- cusec and ctime are used as in [RFC4120], for | |||
| -- prevention. | -- replay prevention. | |||
| nonce [2] INTEGER (0..4294967295), | nonce [2] INTEGER (0..4294967295), | |||
| -- Chosen randomly; This nonce does not need to | -- Chosen randomly; This nonce does not need to | |||
| -- match with the nonce in the KDC-REQ-BODY. | -- match with the nonce in the KDC-REQ-BODY. | |||
| paChecksum [3] OCTET STRING, | paChecksum [3] OCTET STRING, | |||
| -- Contains the SHA1 checksum, performed over | -- Contains the SHA1 checksum, performed over | |||
| -- KDC-REQ-BODY. | -- KDC-REQ-BODY. | |||
| ... | ... | |||
| } | } | |||
| The ContentInfo [RFC3852] structure for the signedAuthPack field is | The ContentInfo [RFC3852] structure for the signedAuthPack field is | |||
| skipping to change at page 9, line 50 ¶ | skipping to change at page 10, line 8 ¶ | |||
| 6. The client's Diffie-Hellman public value (clientPublicValue) is | 6. The client's Diffie-Hellman public value (clientPublicValue) is | |||
| included if and only if the client wishes to use the Diffie- | included if and only if the client wishes to use the Diffie- | |||
| Hellman key agreement method. The Diffie-Hellman domain | Hellman key agreement method. The Diffie-Hellman domain | |||
| parameters [IEEE1363] for the client's public key are specified | parameters [IEEE1363] for the client's public key are specified | |||
| in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] | in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] | |||
| and the client's Diffie-Hellman public key value is mapped to a | and the client's Diffie-Hellman public key value is mapped to a | |||
| subjectPublicKey (a BIT STRING) according to [RFC3279]. When | subjectPublicKey (a BIT STRING) according to [RFC3279]. When | |||
| using the Diffie-Hellman key agreement method, implementations | using the Diffie-Hellman key agreement method, implementations | |||
| MUST support Oakley 1024-bit Modular Exponential (MODP) well- | MUST support Oakley 1024-bit Modular Exponential (MODP) well- | |||
| known group 2 [RFC2412] and SHOULD support Oakley 2048-bit MODP | known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group | |||
| well-known group 14 and Oakley 4096-bit MODP well-known group 16 | 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known | |||
| group 16 [RFC3526]. | ||||
| [RFC3526]. | ||||
| The Diffie-Hellman field size should be chosen so as to provide | The Diffie-Hellman field size should be chosen so as to provide | |||
| sufficient cryptographic security [RFC3766]. | sufficient cryptographic security [RFC3766]. | |||
| When MODP Diffie-Hellman is used, the exponents should have at | When MODP Diffie-Hellman is used, the exponents should have at | |||
| least twice as many bits as the symmetric keys that will be | least twice as many bits as the symmetric keys that will be | |||
| derived from them [ODL99]. | derived from them [ODL99]. | |||
| 7. The client may wish to reuse DH keys or to allow the KDC to do so | 7. The client may wish to reuse DH keys or to allow the KDC to do so | |||
| (see Section 3.2.3.1). If so, then the client includes the | (see Section 3.2.3.1). If so, then the client includes the | |||
| skipping to change at page 10, line 31 ¶ | skipping to change at page 10, line 36 ¶ | |||
| Upon receiving the client's request, the KDC validates it. This | Upon receiving the client's request, the KDC validates it. This | |||
| section describes the steps that the KDC MUST (unless otherwise | section describes the steps that the KDC MUST (unless otherwise | |||
| noted) take in validating the request. | noted) take in validating the request. | |||
| The KDC verifies the client's signature in the signedAuthPack field | The KDC verifies the client's signature in the signedAuthPack field | |||
| according to [RFC3852]. | according to [RFC3852]. | |||
| If, while validating the client's X.509 certificate [RFC3280], the | If, while validating the client's X.509 certificate [RFC3280], the | |||
| KDC cannot build a certification path to validate the client's | KDC cannot build a certification path to validate the client's | |||
| certificate, it sends back a KRB-ERROR [CLAR] message with the code | certificate, it sends back a KRB-ERROR [RFC4120] message with the | |||
| KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for this | code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for | |||
| error message is a TYPED-DATA (as defined in [CLAR]) that contains an | this error message is a TYPED-DATA (as defined in [RFC4120]) that | |||
| element whose data-type is TD_TRUSTED_CERTIFIERS, and whose data- | contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and | |||
| value contains the DER encoding of the type TD-TRUSTED-CERTIFIERS: | whose data-value contains the DER encoding of the type TD-TRUSTED- | |||
| CERTIFIERS: | ||||
| TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF | |||
| ExternalPrincipalIdentifier | ||||
| -- Identifies a list of CAs trusted by the KDC. | -- Identifies a list of CAs trusted by the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| Upon receiving this error message, the client SHOULD retry only if it | Upon receiving this error message, the client SHOULD retry only if it | |||
| has a different set of certificates (from those of the previous | has a different set of certificates (from those of the previous | |||
| requests) that form a certification path (or a partial path) from one | requests) that form a certification path (or a partial path) from one | |||
| of the trust anchors acceptable by the KDC to its own certificate. | of the trust anchors acceptable by the KDC to its own certificate. | |||
| If, while processing the certification path, the KDC determines that | If, while processing the certification path, the KDC determines that | |||
| the signature on one of the certificates in the signedAuthPack field | the signature on one of the certificates in the signedAuthPack field | |||
| is invalid, it returns a KRB-ERROR [CLAR] message with the code | is invalid, it returns a KRB-ERROR [RFC4120] message with the code | |||
| KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error | KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error | |||
| message is a TYPED-DATA that contains an element whose data-type is | message is a TYPED-DATA that contains an element whose data-type is | |||
| TD_INVALID_CERTIFICATES, and whose data-value contains the DER | TD_INVALID_CERTIFICATES, and whose data-value contains the DER | |||
| encoding of the type TD-INVALID-CERTIFICATES: | encoding of the type TD-INVALID-CERTIFICATES: | |||
| TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | TD-INVALID-CERTIFICATES ::= SEQUENCE OF | |||
| -- Each OCTET STRING contains a CMS type | ExternalPrincipalIdentifier | |||
| -- IssuerAndSerialNumber encoded according to | -- Each ExternalPrincipalIdentifier identifies a | |||
| -- [RFC3852]. | ||||
| -- Each IssuerAndSerialNumber identifies a | ||||
| -- certificate (sent by the client) with an invalid | -- certificate (sent by the client) with an invalid | |||
| -- signature. | -- signature. | |||
| If more than one X.509 certificate signature is invalid, the KDC MAY | If more than one X.509 certificate signature is invalid, the KDC MAY | |||
| include one IssuerAndSerialNumber per invalid signature within the | include one IssuerAndSerialNumber per invalid signature within the | |||
| TD-INVALID-CERTIFICATES. | TD-INVALID-CERTIFICATES. | |||
| The client's X.509 certificate is validated according to [RFC3280]. | The client's X.509 certificate is validated according to [RFC3280]. | |||
| Based on local policy, the KDC may also check whether any X.509 | Based on local policy, the KDC may also check whether any X.509 | |||
| skipping to change at page 12, line 33 ¶ | skipping to change at page 12, line 37 ¶ | |||
| } | } | |||
| If the KDC does not have its own binding and there is no | If the KDC does not have its own binding and there is no | |||
| KRB5PrincipalName name present in the client's X.509 certificate, or | KRB5PrincipalName name present in the client's X.509 certificate, or | |||
| if the Kerberos name in the request does not match the | if the Kerberos name in the request does not match the | |||
| KRB5PrincipalName in the client's X.509 certificate (including the | KRB5PrincipalName in the client's X.509 certificate (including the | |||
| realm name), the KDC MUST return an error message with the code | realm name), the KDC MUST return an error message with the code | |||
| KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for | KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for | |||
| this error message. | this error message. | |||
| Even if the certification path is validated and the certificate is | ||||
| mapped to the client's principal name, the KDC may decide not to | ||||
| accept the client's certificate, depending on local policy. | ||||
| The KDC MAY require the presence of an Extended Key Usage (EKU) | The KDC MAY require the presence of an Extended Key Usage (EKU) | |||
| KeyPurposeId [RFC3280] id-pkekuoid in the extensions field of the | KeyPurposeId [RFC3280] id-pkekuoid in the extensions field of the | |||
| client's X.509 certificate: | client's X.509 certificate: | |||
| id-pkekuoid OBJECT IDENTIFIER ::= | id-pkekuoid OBJECT IDENTIFIER ::= | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkekuoid(4) } | pkinit(3) pkekuoid(4) } | |||
| -- PKINIT client authentication. | -- PKINIT client authentication. | |||
| -- Key usage bits that MUST be consistent: | -- Key usage bits that MUST be consistent: | |||
| -- digitalSignature. | -- digitalSignature. | |||
| skipping to change at page 13, line 5 ¶ | skipping to change at page 13, line 13 ¶ | |||
| If this EKU KeyPurposeId is required but it is not present or if the | If this EKU KeyPurposeId is required but it is not present or if the | |||
| client certificate is restricted not to be used for PKINIT client | client certificate is restricted not to be used for PKINIT client | |||
| authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return | authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return | |||
| an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There | an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There | |||
| is no accompanying e-data for this error message. KDCs implementing | is no accompanying e-data for this error message. KDCs implementing | |||
| this requirement SHOULD also accept the EKU KeyPurposeId id-ms-sc- | this requirement SHOULD also accept the EKU KeyPurposeId id-ms-sc- | |||
| logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there | logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there | |||
| are a large number of X.509 client certificates deployed for use with | are a large number of X.509 client certificates deployed for use with | |||
| PKINIT which have this EKU. | PKINIT which have this EKU. | |||
| If for any other reasons, the client's public key is not accepted, | As a matter of local policy, the KDC MAY decide to reject requests on | |||
| the KDC MUST return an error message with the code | the basis of the absence or presence of other specific EKU OID's. | |||
| KDC_ERR_CLIENT_NOT_TRUSTED. | ||||
| If the client's public key is not accepted, the KDC returns an error | ||||
| message with the code KDC_ERR_CLIENT_NOT_TRUSTED. | ||||
| The KDC MUST check the timestamp to ensure that the request is not a | The KDC MUST check the timestamp to ensure that the request is not a | |||
| replay, and that the time skew falls within acceptable limits. The | replay, and that the time skew falls within acceptable limits. The | |||
| recommendations for clock skew times in [CLAR] apply here. If the | recommendations for clock skew times in [RFC4120] apply here. If the | |||
| check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or | check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or | |||
| KRB_AP_ERR_SKEW, respectively. | KRB_AP_ERR_SKEW, respectively. | |||
| If the clientPublicValue is filled in, indicating that the client | If the clientPublicValue is filled in, indicating that the client | |||
| wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD | wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD | |||
| check to see if the key parameters satisfy its policy. If they do | check to see if the key parameters satisfy its policy. If they do | |||
| not, it MUST return an error message with the code | not, it MUST return an error message with the code | |||
| KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a | KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a | |||
| TYPED-DATA that contains an element whose data-type is | TYPED-DATA that contains an element whose data-type is | |||
| TD_DH_PARAMETERS, and whose data-value contains the DER encoding of | TD_DH_PARAMETERS, and whose data-value contains the DER encoding of | |||
| skipping to change at page 13, line 41 ¶ | skipping to change at page 13, line 51 ¶ | |||
| client SHOULD pick one to retry the request. | client SHOULD pick one to retry the request. | |||
| If the client included a kdcPkId field in the PA-PK-AS-REQ and the | If the client included a kdcPkId field in the PA-PK-AS-REQ and the | |||
| KDC does not possess the corresponding key, the KDC MUST ignore the | KDC does not possess the corresponding key, the KDC MUST ignore the | |||
| kdcPkId field as if the client did not include one. | kdcPkId field as if the client did not include one. | |||
| If there is a supportedCMSTypes field in the AuthPack, the KDC must | If there is a supportedCMSTypes field in the AuthPack, the KDC must | |||
| check to see if it supports any of the listed types. If it supports | check to see if it supports any of the listed types. If it supports | |||
| more than one of the types, the KDC SHOULD use the one listed first. | more than one of the types, the KDC SHOULD use the one listed first. | |||
| If it does not support any of them, it MUST return an error message | If it does not support any of them, it MUST return an error message | |||
| with the code KDC_ERR_ETYPE_NOSUPP [CLAR]. | with the code KDC_ERR_ETYPE_NOSUPP [RFC4120]. | |||
| 3.2.3 Generation of KDC Reply | 3.2.3 Generation of KDC Reply | |||
| Assuming that the client's request has been properly validated, the | Assuming that the client's request has been properly validated, the | |||
| KDC proceeds as per [CLAR], except as follows. | KDC proceeds as per [RFC4120], except as follows. | |||
| The KDC MUST set the initial flag and include an authorization data | The KDC MUST set the initial flag and include an authorization data | |||
| element of ad-type [CLAR] AD_INITIAL_VERIFIED_CAS in the issued | element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued | |||
| ticket. The ad-data [CLAR] field contains the DER encoding of the | ticket. The ad-data [RFC4120] field contains the DER encoding of the | |||
| type AD-INITIAL-VERIFIED-CAS: | type AD-INITIAL-VERIFIED-CAS: | |||
| AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF | |||
| ExternalPrincipalIdentifier | ||||
| -- Identifies the certification path based on which | -- Identifies the certification path based on which | |||
| -- the client certificate was validated. | -- the client certificate was validated. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT | The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT | |||
| containers if the list of CAs satisfies the AS' realm's local policy | containers if the list of CAs satisfies the AS' realm's local policy | |||
| (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag | (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag | |||
| [CLAR]). Furthermore, any TGS MUST copy such authorization data from | [RFC4120]). Furthermore, any TGS MUST copy such authorization data | |||
| tickets used within a PA-TGS-REQ of the TGS-REQ into the resulting | from tickets used within a PA-TGS-REQ of the TGS-REQ into the | |||
| ticket. If the list of CAs satisfies the local KDC's realm's policy, | resulting ticket. If the list of CAs satisfies the local KDC's | |||
| the TGS MAY wrap the data into the AD-IF-RELEVANT container, | realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT | |||
| otherwise it MAY unwrap the authorization data out of the AD-IF- | container, otherwise it MAY unwrap the authorization data out of the | |||
| RELEVANT container. | AD-IF-RELEVANT container. | |||
| Application servers that understand this authorization data type | Application servers that understand this authorization data type | |||
| SHOULD apply local policy to determine whether a given ticket bearing | SHOULD apply local policy to determine whether a given ticket bearing | |||
| such a type *not* contained within an AD-IF-RELEVANT container is | such a type *not* contained within an AD-IF-RELEVANT container is | |||
| acceptable. (This corresponds to the AP server checking the | acceptable. (This corresponds to the AP server checking the | |||
| transited field when the TRANSITED-POLICY-CHECKED flag has not been | transited field when the TRANSITED-POLICY-CHECKED flag has not been | |||
| set [CLAR].) If such a data type is contained within an AD-IF- | set [RFC4120].) If such a data type is contained within an AD-IF- | |||
| RELEVANT container, AP servers MAY apply local policy to determine | RELEVANT container, AP servers MAY apply local policy to determine | |||
| whether the authorization data is acceptable. | whether the authorization data is acceptable. | |||
| The content of the AS-REP is otherwise unchanged from [CLAR]. The | The content of the AS-REP is otherwise unchanged from [RFC4120]. The | |||
| KDC encrypts the reply as usual, but not with the client's long-term | KDC encrypts the reply as usual, but not with the client's long-term | |||
| key. Instead, it encrypts it with either a shared key derived from a | key. Instead, it encrypts it with either a shared key derived from a | |||
| Diffie-Hellman exchange, or a generated encryption key. The contents | Diffie-Hellman exchange, or a generated encryption key. The contents | |||
| of the PA-PK-AS-REP indicate which key delivery method is used: | of the PA-PK-AS-REP indicate which key delivery method is used: | |||
| PA-PK-AS-REP ::= CHOICE { | PA-PK-AS-REP ::= CHOICE { | |||
| dhInfo [0] DHRepInfo, | dhInfo [0] DHRepInfo, | |||
| -- Selected when Diffie-Hellman key exchange is | -- Selected when Diffie-Hellman key exchange is | |||
| -- used. | -- used. | |||
| encKeyPack [1] IMPLICIT OCTET STRING, | encKeyPack [1] IMPLICIT OCTET STRING, | |||
| skipping to change at page 17, line 12 ¶ | skipping to change at page 17, line 19 ¶ | |||
| The AS reply key is derived as follows: | The AS reply key is derived as follows: | |||
| 1. Both the KDC and the client calculate the shared secret value as | 1. Both the KDC and the client calculate the shared secret value as | |||
| follows: | follows: | |||
| a) When MODP Diffie-Hellman is used, let DHSharedSecret be the | a) When MODP Diffie-Hellman is used, let DHSharedSecret be the | |||
| shared secret value. DHSharedSecret is the value ZZ as | shared secret value. DHSharedSecret is the value ZZ as | |||
| described in Section 2.1.1 of [RFC2631]. | described in Section 2.1.1 of [RFC2631]. | |||
| b) When Elliptic Curve Diffie-Hellman (ECDH) (with each party | ||||
| contributing one key pair) is used, let DHSharedSecret be the | ||||
| x-coordinate of the shared secret value (an elliptic curve | ||||
| point). DHSharedSecret is the output of operation ECSVDP-DH as | ||||
| described in Section 7.2.1 of [IEEE1363]. | ||||
| DHSharedSecret is first padded with leading zeros such that the | DHSharedSecret is first padded with leading zeros such that the | |||
| size of DHSharedSecret in octets is the same as that of the | size of DHSharedSecret in octets is the same as that of the | |||
| modulus, then represented as a string of octets in big-endian | modulus, then represented as a string of octets in big-endian | |||
| order. | order. | |||
| Implementation note: Both the client and the KDC can cache the | Implementation note: Both the client and the KDC can cache the | |||
| triple (ya, yb, DHSharedSecret), where ya is the client's public | triple (ya, yb, DHSharedSecret), where ya is the client's public | |||
| key and yb is the KDC's public key. If both ya and yb are the | key and yb is the KDC's public key. If both ya and yb are the | |||
| same in a later exchange, the cached DHSharedSecret can be used. | same in a later exchange, the cached DHSharedSecret can be used. | |||
| 2. Let K be the key-generation seed length [RFC3961] of the AS reply | 2. Let K be the key-generation seed length [RFC3961] of the AS reply | |||
| key whose enctype is selected according to [CLAR]. | key whose enctype is selected according to [RFC4120]. | |||
| 3. Define the function octetstring2key() as follows: | 3. Define the function octetstring2key() as follows: | |||
| octetstring2key(x) == random-to-key(K-truncate( | octetstring2key(x) == random-to-key(K-truncate( | |||
| SHA1(0x00 | x) | | SHA1(0x00 | x) | | |||
| SHA1(0x01 | x) | | SHA1(0x01 | x) | | |||
| SHA1(0x02 | x) | | SHA1(0x02 | x) | | |||
| ... | ... | |||
| )) | )) | |||
| skipping to change at page 18, line 19 ¶ | skipping to change at page 18, line 23 ¶ | |||
| 3.2.3.2 Using Public Key Encryption | 3.2.3.2 Using Public Key Encryption | |||
| In this case, the PA-PK-AS-REP contains a ContentInfo structure | In this case, the PA-PK-AS-REP contains a ContentInfo structure | |||
| wrapped in an OCTET STRING. The AS reply key is encrypted in the | wrapped in an OCTET STRING. The AS reply key is encrypted in the | |||
| encKeyPack field, which contains data of type ReplyKeyPack: | encKeyPack field, which contains data of type ReplyKeyPack: | |||
| ReplyKeyPack ::= SEQUENCE { | ReplyKeyPack ::= SEQUENCE { | |||
| replyKey [0] EncryptionKey, | replyKey [0] EncryptionKey, | |||
| -- Contains the session key used to encrypt the | -- Contains the session key used to encrypt the | |||
| -- enc-part field in the AS-REP. | -- enc-part field in the AS-REP. | |||
| nonce [1] INTEGER (0..4294967295), | asChecksum [1] Checksum, | |||
| -- Contains the nonce in the PKAuthenticator of the | -- Contains the checksum of the AS-REQ | |||
| -- request. | -- corresponding to the containing AS-REP. | |||
| -- The checksum is performed over the type AS-REQ. | ||||
| -- The protocol key [RFC3961] of the checksum is the | ||||
| -- replyKey and the key usage number is 6. | ||||
| -- If the replyKey's enctype is "newer" [RFC4120] | ||||
| -- [RFC4121], the checksum is the required | ||||
| -- checksum operation [RFC3961] for that enctype. | ||||
| -- The client MUST verify this checksum upon receipt | ||||
| -- of the AS-REP. | ||||
| ... | ... | |||
| } | } | |||
| The ContentInfo [RFC3852] structure for the encKeyPack field is | The ContentInfo [RFC3852] structure for the encKeyPack field is | |||
| filled in as follows: | filled in as follows: | |||
| 1. The contentType field of the type ContentInfo is id-envelopedData | 1. The contentType field of the type ContentInfo is id-envelopedData | |||
| (as defined in [RFC3852]), and the content field is an | (as defined in [RFC3852]), and the content field is an | |||
| EnvelopedData (as defined in [RFC3852]). | EnvelopedData (as defined in [RFC3852]). | |||
| skipping to change at page 19, line 23 ¶ | skipping to change at page 19, line 35 ¶ | |||
| certificates field MUST NOT contain "root" CA certificates. | certificates field MUST NOT contain "root" CA certificates. | |||
| 7. The recipientInfos field of the type EnvelopedData is a SET which | 7. The recipientInfos field of the type EnvelopedData is a SET which | |||
| MUST contain exactly one member of type KeyTransRecipientInfo. | MUST contain exactly one member of type KeyTransRecipientInfo. | |||
| The encryptedKey of this member contains the temporary key which | The encryptedKey of this member contains the temporary key which | |||
| is encrypted using the client's public key. | is encrypted using the client's public key. | |||
| 8. The unprotectedAttrs or originatorInfo fields of the type | 8. The unprotectedAttrs or originatorInfo fields of the type | |||
| EnvelopedData MAY be present. | EnvelopedData MAY be present. | |||
| Implementations of this RSA encryption key delivery method are | ||||
| RECOMMENDED to support for RSA keys at least 2048 bits in size. | ||||
| 3.2.4 Receipt of KDC Reply | 3.2.4 Receipt of KDC Reply | |||
| Upon receipt of the KDC's reply, the client proceeds as follows. If | Upon receipt of the KDC's reply, the client proceeds as follows. If | |||
| the PA-PK-AS-REP contains the dhSignedData field, the client derives | the PA-PK-AS-REP contains the dhSignedData field, the client derives | |||
| the AS reply key using the same procedure used by the KDC as defined | the AS reply key using the same procedure used by the KDC as defined | |||
| in Section 3.2.3.1. Otherwise, the message contains the encKeyPack | in Section 3.2.3.1. Otherwise, the message contains the encKeyPack | |||
| field, and the client decrypts and extracts the temporary key in the | field, and the client decrypts and extracts the temporary key in the | |||
| encryptedKey field of the member KeyTransRecipientInfo, and then uses | encryptedKey field of the member KeyTransRecipientInfo, and then uses | |||
| that as the AS reply key. | that as the AS reply key. | |||
| In either case, the client MUST verify the signature in the | In either case, the client MUST verify the signature in the | |||
| SignedData according to [RFC3852]. The KDC's X.509 certificate MUST | SignedData according to [RFC3852]. The KDC's X.509 certificate MUST | |||
| be validated according to [RFC3280]. In addition, unless the client | be validated according to [RFC3280]. In addition, unless the client | |||
| can otherwise verify that the public key used to verify the KDC's | can otherwise verify that the public key used to verify the KDC's | |||
| signature is bound to the KDC of the target realm, the KDC's X.509 | signature is bound to the KDC of the target realm, the KDC's X.509 | |||
| certificate MUST contain a Subject Alternative Name extension | certificate MUST contain a Subject Alternative Name extension | |||
| [RFC3280] carrying an AnotherName whose type-id is id-pksan (as | [RFC3280] carrying an AnotherName whose type-id is id-pksan (as | |||
| defined in Section 3.2.2) and whose value is a KRB5PrincipalName that | defined in Section 3.2.2) and whose value is a KRB5PrincipalName that | |||
| matches the name of the TGS of the target realm (as defined in | matches the name of the TGS of the target realm (as defined in | |||
| Section 7.3 of [CLAR]). | Section 7.3 of [RFC4120]). | |||
| Based on local policy, the client MAY require that the KDC | Based on local policy, the client MAY require that the KDC | |||
| certificate contains the EKU KeyPurposeId [RFC3280] id-pkkdcekuoid: | certificate contains the EKU KeyPurposeId [RFC3280] id-pkkdcekuoid: | |||
| id-pkkdcekuoid OBJECT IDENTIFIER ::= | id-pkkdcekuoid OBJECT IDENTIFIER ::= | |||
| { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) | |||
| pkinit(3) pkkdcekuoid(5) } | pkinit(3) pkkdcekuoid(5) } | |||
| -- Signing KDC responses. | -- Signing KDC responses. | |||
| -- Key usage bits that MUST be consistent: | -- Key usage bits that MUST be consistent: | |||
| -- digitalSignature. | -- digitalSignature. | |||
| If all applicable checks are satisfied, the client then decrypts the | If all applicable checks are satisfied, the client then decrypts the | |||
| enc-part field of the KDC-REP in the AS-REP using the AS reply key, | enc-part field of the KDC-REP in the AS-REP using the AS reply key, | |||
| and then proceeds as described in [CLAR]. | and then proceeds as described in [RFC4120]. | |||
| Implementation note: CAs issuing KDC certificates SHOULD place all | Implementation note: CAs issuing KDC certificates SHOULD place all | |||
| "short" and "fully-qualified" Kerberos realm names of the KDC (one | "short" and "fully-qualified" Kerberos realm names of the KDC (one | |||
| per GeneralName [RFC3280]) into the KDC certificate to allow maximum | per GeneralName [RFC3280]) into the KDC certificate to allow maximum | |||
| flexibility. | flexibility. | |||
| 3.3 Interoperability Requirements | 3.3 Interoperability Requirements | |||
| The client MUST be capable of sending a set of certificates | The client MUST be capable of sending a set of certificates | |||
| sufficient to allow the KDC to construct a certification path for the | sufficient to allow the KDC to construct a certification path for the | |||
| skipping to change at page 20, line 43 ¶ | skipping to change at page 21, line 8 ¶ | |||
| If the KDC sends all the X.509 certificates on a certification path | If the KDC sends all the X.509 certificates on a certification path | |||
| to a trust anchor acceptable by the client, and the client can not | to a trust anchor acceptable by the client, and the client can not | |||
| verify the KDC's public key otherwise, the client MUST be able to | verify the KDC's public key otherwise, the client MUST be able to | |||
| process path validation for the KDC's certificate based on the | process path validation for the KDC's certificate based on the | |||
| certificates in the reply. | certificates in the reply. | |||
| 3.4 KDC Indication of PKINIT Support | 3.4 KDC Indication of PKINIT Support | |||
| If pre-authentication is required, but was not present in the | If pre-authentication is required, but was not present in the | |||
| request, per [CLAR] an error message with the code | request, per [RFC4120] an error message with the code | |||
| KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be | KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be | |||
| stored in the e-data field of the KRB-ERROR message to specify which | stored in the e-data field of the KRB-ERROR message to specify which | |||
| pre-authentication mechanisms are acceptable. The KDC can then | pre-authentication mechanisms are acceptable. The KDC can then | |||
| indicate the support of PKINIT by including an empty element whose | indicate the support of PKINIT by including an empty element whose | |||
| padata-type is PA_PK_AS_REQ in that METHOD-DATA object. | padata-type is PA_PK_AS_REQ in that METHOD-DATA object. | |||
| Otherwise if it is required by the KDC's local policy that the client | Otherwise if it is required by the KDC's local policy that the client | |||
| must be pre-authenticated using the pre-authentication mechanism | must be pre-authenticated using the pre-authentication mechanism | |||
| specified in this document, but no PKINIT pre-authentication was | specified in this document, but no PKINIT pre-authentication was | |||
| present in the request, an error message with the code | present in the request, an error message with the code | |||
| KDC_ERR_PREAUTH_FAILED SHOULD be returned. | KDC_ERR_PREAUTH_FAILED SHOULD be returned. | |||
| KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in | KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in | |||
| the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET | the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET | |||
| STRING), and clients MUST ignore this and any other value. Future | STRING), and clients MUST ignore this and any other value. Future | |||
| extensions to this protocol may specify other data to send instead of | extensions to this protocol may specify other data to send instead of | |||
| an empty OCTET STRING. | an empty OCTET STRING. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| The symmetric reply key size and Diffie-Hellman field size or RSA | ||||
| modulus size should be chosen so as to provide sufficient | ||||
| cryptographic security [RFC3766]. | ||||
| When MODP Diffie-Hellman is used, the exponents should have at least | ||||
| twice as many bits as the symmetric keys that will be derived from | ||||
| them [ODL99]. | ||||
| PKINIT raises certain security considerations beyond those that can | PKINIT raises certain security considerations beyond those that can | |||
| be regulated strictly in protocol definitions. We will address them | be regulated strictly in protocol definitions. We will address them | |||
| in this section. | in this section. | |||
| PKINIT extends the cross-realm model to the public-key | PKINIT extends the cross-realm model to the public-key | |||
| infrastructure. Users of PKINIT must understand security policies | infrastructure. Users of PKINIT must understand security policies | |||
| and procedures appropriate to the use of Public Key Infrastructures | and procedures appropriate to the use of Public Key Infrastructures | |||
| [RFC3280]. | [RFC3280]. | |||
| Standard Kerberos allows the possibility of interactions between | Standard Kerberos allows the possibility of interactions between | |||
| cryptosystems of varying strengths; this document adds interactions | cryptosystems of varying strengths; this document adds interactions | |||
| with public-key cryptosystems to Kerberos. Some administrative | with public-key cryptosystems to Kerberos. Some administrative | |||
| policies may allow the use of relatively weak public keys. Using | policies may allow the use of relatively weak public keys. Using | |||
| such keys to wrap data encrypted under stronger conventional | such keys to wrap data encrypted under stronger conventional | |||
| cryptosystems may be inappropriate. | cryptosystems may be inappropriate. | |||
| PKINIT requires keys for symmetric cryptosystems to be generated. | PKINIT requires keys for symmetric cryptosystems to be generated. | |||
| Some such systems contain "weak" keys. For recommendations regarding | Some such systems contain "weak" keys. For recommendations regarding | |||
| these weak keys, see [CLAR]. | these weak keys, see [RFC4120]. | |||
| PKINIT allows the use of the same RSA key pair for encryption and | PKINIT allows the use of the same RSA key pair for encryption and | |||
| signing when doing RSA encryption based key delivery. This is not | signing when doing RSA encryption based key delivery. This is not | |||
| recommended usage of RSA keys [RFC3447], by using DH based key | recommended usage of RSA keys [RFC3447], by using DH based key | |||
| delivery this is avoided. | delivery this is avoided. | |||
| Care should be taken in how certificates are chosen for the purposes | Care should be taken in how certificates are chosen for the purposes | |||
| of authentication using PKINIT. Some local policies may require that | of authentication using PKINIT. Some local policies may require that | |||
| key escrow be used for certain certificate types. Deployers of | key escrow be used for certain certificate types. Deployers of | |||
| PKINIT should be aware of the implications of using certificates that | PKINIT should be aware of the implications of using certificates that | |||
| skipping to change at page 22, line 48 ¶ | skipping to change at page 23, line 21 ¶ | |||
| been invaluable. | been invaluable. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| 7. References | 7. References | |||
| 7.1 Normative References | 7.1 Normative References | |||
| [CLAR] RFC-Editor: To be replaced by RFC number for draft-ietf- | ||||
| krb-wg-kerberos-clarifications. Work in Progress. | ||||
| [IEEE1363] | [IEEE1363] | |||
| IEEE, "Standard Specifications for Public Key | IEEE, "Standard Specifications for Public Key | |||
| Cryptography", IEEE 1363, 2000. | Cryptography", IEEE 1363, 2000. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", | [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", | |||
| RFC 2412, November 1998. | RFC 2412, November 1998. | |||
| skipping to change at page 24, line 8 ¶ | skipping to change at page 24, line 24 ¶ | |||
| [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", | |||
| RFC 3852, July 2004. | RFC 3852, July 2004. | |||
| [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for | |||
| Kerberos 5", RFC 3961, February 2005. | Kerberos 5", RFC 3961, February 2005. | |||
| [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) | |||
| Encryption for Kerberos 5", RFC 3962, February 2005. | Encryption for Kerberos 5", RFC 3962, February 2005. | |||
| [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | ||||
| Kerberos Network Authentication Service (V5)", RFC 4120, | ||||
| July 2005. | ||||
| [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos | ||||
| Version 5 Generic Security Service Application Program | ||||
| Interface (GSS-API) Mechanism: Version 2", RFC 4121, | ||||
| July 2005. | ||||
| [X.509-97] ITU-T. Recommendation X.509: The Directory - Authentication | [X.509-97] ITU-T. Recommendation X.509: The Directory - Authentication | |||
| Framework. 1997. | Framework. 1997. | |||
| [X690] ASN.1 encoding rules: Specification of Basic Encoding | [X690] ASN.1 encoding rules: Specification of Basic Encoding | |||
| Rules (BER), Canonical Encoding Rules (CER) and | Rules (BER), Canonical Encoding Rules (CER) and | |||
| Distinguished Encoding Rules (DER), ITU-T Recommendation | Distinguished Encoding Rules (DER), ITU-T Recommendation | |||
| X.690 (1997) | ISO/IEC International Standard | X.690 (1997) | ISO/IEC International Standard | |||
| 8825-1:1998. | 8825-1:1998. | |||
| 7.2 Informative References | 7.2 Informative References | |||
| skipping to change at page 25, line 4 ¶ | skipping to change at page 25, line 27 ¶ | |||
| Larry Zhu | Larry Zhu | |||
| Microsoft Corporation | Microsoft Corporation | |||
| One Microsoft Way | One Microsoft Way | |||
| Redmond, WA 98052 | Redmond, WA 98052 | |||
| US | US | |||
| Email: lzhu@microsoft.com | Email: lzhu@microsoft.com | |||
| Appendix A. PKINIT ASN.1 Module | Appendix A. PKINIT ASN.1 Module | |||
| KerberosV5-PK-INIT-SPEC { | KerberosV5-PK-INIT-SPEC { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) kerberosV5(2) modules(4) pkinit(5) | security(5) kerberosV5(2) modules(4) pkinit(5) | |||
| } DEFINITIONS EXPLICIT TAGS ::= BEGIN | } DEFINITIONS EXPLICIT TAGS ::= BEGIN | |||
| IMPORTS | IMPORTS | |||
| SubjectPublicKeyInfo, AlgorithmIdentifier | SubjectPublicKeyInfo, AlgorithmIdentifier | |||
| FROM PKIX1Explicit88 { iso (1) | FROM PKIX1Explicit88 { iso (1) | |||
| identified-organization (3) dod (6) internet (1) | identified-organization (3) dod (6) internet (1) | |||
| security (5) mechanisms (5) pkix (7) id-mod (0) | security (5) mechanisms (5) pkix (7) id-mod (0) | |||
| id-pkix1-explicit (18) } | id-pkix1-explicit (18) } | |||
| -- As defined in RFC 3280. | -- As defined in RFC 3280. | |||
| DomainParameters, EcpkParameters | DomainParameters | |||
| FROM PKIX1Algorithms88 { iso(1) | FROM PKIX1Algorithms88 { iso(1) | |||
| identified-organization(3) dod(6) | identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-algorithms(17) } | id-mod-pkix1-algorithms(17) } | |||
| -- As defined in RFC 3279. | -- As defined in RFC 3279. | |||
| KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey | KerberosTime, TYPED-DATA, PrincipalName, Realm, EncryptionKey | |||
| FROM KerberosV5Spec2 { iso(1) identified-organization(3) | FROM KerberosV5Spec2 { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) kerberosV5(2) | dod(6) internet(1) security(5) kerberosV5(2) | |||
| modules(4) krb5spec2(2) } ; | modules(4) krb5spec2(2) } ; | |||
| skipping to change at page 26, line 4 ¶ | skipping to change at page 26, line 30 ¶ | |||
| ad-initial-verified-cas INTEGER ::= 9 | ad-initial-verified-cas INTEGER ::= 9 | |||
| td-trusted-certifiers INTEGER ::= 104 | td-trusted-certifiers INTEGER ::= 104 | |||
| td-invalid-certificates INTEGER ::= 105 | td-invalid-certificates INTEGER ::= 105 | |||
| td-dh-parameters INTEGER ::= 109 | td-dh-parameters INTEGER ::= 109 | |||
| PA-PK-AS-REQ ::= SEQUENCE { | PA-PK-AS-REQ ::= SEQUENCE { | |||
| signedAuthPack [0] IMPLICIT OCTET STRING, | signedAuthPack [0] IMPLICIT OCTET STRING, | |||
| -- Contains a CMS type ContentInfo encoded | -- Contains a CMS type ContentInfo encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- The contentType field of the type ContentInfo | -- The contentType field of the type ContentInfo | |||
| -- is id-signedData (1.2.840.113549.1.7.2), | -- is id-signedData (1.2.840.113549.1.7.2), | |||
| -- and the content field is a SignedData. | -- and the content field is a SignedData. | |||
| -- The eContentType field for the type SignedData is | -- The eContentType field for the type SignedData is | |||
| -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | -- id-pkauthdata (1.3.6.1.5.2.3.1), and the | |||
| -- eContent field contains the DER encoding of the | -- eContent field contains the DER encoding of the | |||
| -- type AuthPack. | -- type AuthPack. | |||
| -- AuthPack is defined below. | -- AuthPack is defined below. | |||
| trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL, | trustedCertifiers [1] SEQUENCE OF | |||
| ExternalPrincipalIdentifier OPTIONAL, | ||||
| -- A list of CAs, trusted by the client, that can | -- A list of CAs, trusted by the client, that can | |||
| -- be used to certify the KDC. | -- be used to certify the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| -- The information contained in the | -- The information contained in the | |||
| -- trustedCertifiers SHOULD be used by the KDC as | -- trustedCertifiers SHOULD be used by the KDC as | |||
| -- hints to guide its selection of an appropriate | -- hints to guide its selection of an appropriate | |||
| -- certificate chain to return to the client. | -- certificate chain to return to the client. | |||
| kdcPkId [2] IMPLICIT OCTET STRING | kdcPkId [2] IMPLICIT OCTET STRING | |||
| OPTIONAL, | OPTIONAL, | |||
| -- Contains a CMS type SignerIdentifier encoded | -- Contains a CMS type SignerIdentifier encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- Identifies, if present, a particular KDC | -- Identifies, if present, a particular KDC | |||
| -- public key that the client already has. | -- public key that the client already has. | |||
| ... | ... | |||
| } | } | |||
| DHNonce ::= OCTET STRING | DHNonce ::= OCTET STRING | |||
| TrustedCA ::= SEQUENCE { | ExternalPrincipalIdentifier ::= SEQUENCE { | |||
| caName [0] IMPLICIT OCTET STRING, | subjectName [0] IMPLICIT OCTET STRING OPTIONAL, | |||
| -- Contains a PKIX type Name encoded according to | -- Contains a PKIX type Name encoded according to | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Identifies a CA by the CA's distinguished subject | -- Identifies the certificate subject by the | |||
| -- name. | -- distinguished subject name. | |||
| certificateSerialNumber [1] INTEGER OPTIONAL, | -- REQUIRED when there is a distinguished subject | |||
| -- Specifies the CA certificate's serial number. | -- name present in the certificate. | |||
| -- The defintion of the certificate serial number | issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, | |||
| -- is taken from X.509 [X.509-97]. | -- Contains a CMS type IssuerAndSerialNumber encoded | |||
| subjectKeyIdentifier [2] OCTET STRING OPTIONAL, | -- according to [RFC3852]. | |||
| -- Identifies the CA's public key by a key | -- Identifies a certificate of the subject. | |||
| -- REQUIRED for TD-INVALID-CERTIFICATES and | ||||
| -- TD-TRUSTED-CERTIFIERS. | ||||
| subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, | ||||
| -- Identifies the subject's public key by a key | ||||
| -- identifier. When an X.509 certificate is | -- identifier. When an X.509 certificate is | |||
| -- referenced, this key identifier matches the X.509 | -- referenced, this key identifier matches the X.509 | |||
| -- subjectKeyIdentifier extension value. When other | -- subjectKeyIdentifier extension value. When other | |||
| -- certificate formats are referenced, the documents | -- certificate formats are referenced, the documents | |||
| -- that specify the certificate format and their use | -- that specify the certificate format and their use | |||
| -- with the CMS must include details on matching the | -- with the CMS must include details on matching the | |||
| -- key identifier to the appropriate certificate | -- key identifier to the appropriate certificate | |||
| -- field. | -- field. | |||
| -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. | ||||
| ... | ... | |||
| } | } | |||
| AuthPack ::= SEQUENCE { | AuthPack ::= SEQUENCE { | |||
| pkAuthenticator [0] PKAuthenticator, | pkAuthenticator [0] PKAuthenticator, | |||
| clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, | |||
| -- Type SubjectPublicKeyInfo is defined in | -- Type SubjectPublicKeyInfo is defined in | |||
| -- [RFC3280]. | -- [RFC3280]. | |||
| -- Specifies Diffie-Hellman domain parameters | -- Specifies Diffie-Hellman domain parameters | |||
| -- and the client's public key value [IEEE1363]. | -- and the client's public key value [IEEE1363]. | |||
| skipping to change at page 27, line 36 ¶ | skipping to change at page 28, line 19 ¶ | |||
| clientDHNonce [3] DHNonce OPTIONAL, | clientDHNonce [3] DHNonce OPTIONAL, | |||
| -- Present only if the client indicates that it | -- Present only if the client indicates that it | |||
| -- wishes to reuse DH keys or to allow the KDC to | -- wishes to reuse DH keys or to allow the KDC to | |||
| -- do so. | -- do so. | |||
| ... | ... | |||
| } | } | |||
| PKAuthenticator ::= SEQUENCE { | PKAuthenticator ::= SEQUENCE { | |||
| cusec [0] INTEGER (0..999999), | cusec [0] INTEGER (0..999999), | |||
| ctime [1] KerberosTime, | ctime [1] KerberosTime, | |||
| -- cusec and ctime are used as in [CLAR], for replay | -- cusec and ctime are used as in [RFC4120], for | |||
| -- prevention. | -- replay prevention. | |||
| nonce [2] INTEGER (0..4294967295), | nonce [2] INTEGER (0..4294967295), | |||
| -- Chosen randomly; This nonce does not need to | -- Chosen randomly; This nonce does not need to | |||
| -- match with the nonce in the KDC-REQ-BODY. | -- match with the nonce in the KDC-REQ-BODY. | |||
| paChecksum [3] OCTET STRING, | paChecksum [3] OCTET STRING, | |||
| -- Contains the SHA1 checksum, performed over | -- Contains the SHA1 checksum, performed over | |||
| -- KDC-REQ-BODY. | -- KDC-REQ-BODY. | |||
| ... | ... | |||
| } | } | |||
| TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF TrustedCA | TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF | |||
| ExternalPrincipalIdentifier | ||||
| -- Identifies a list of CAs trusted by the KDC. | -- Identifies a list of CAs trusted by the KDC. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| TD-INVALID-CERTIFICATES ::= SEQUENCE OF OCTET STRING | TD-INVALID-CERTIFICATES ::= SEQUENCE OF | |||
| -- Each OCTET STRING contains a CMS type | ExternalPrincipalIdentifier | |||
| -- IssuerAndSerialNumber encoded according to | -- Each ExternalPrincipalIdentifier identifies a | |||
| -- [RFC3852]. | ||||
| -- Each IssuerAndSerialNumber identifies a | ||||
| -- certificate (sent by the client) with an invalid | -- certificate (sent by the client) with an invalid | |||
| -- signature. | -- signature. | |||
| KRB5PrincipalName ::= SEQUENCE { | KRB5PrincipalName ::= SEQUENCE { | |||
| realm [0] Realm, | realm [0] Realm, | |||
| principalName [1] PrincipalName | principalName [1] PrincipalName | |||
| } | } | |||
| AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF TrustedCA | AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF | |||
| ExternalPrincipalIdentifier | ||||
| -- Identifies the certification path based on which | -- Identifies the certification path based on which | |||
| -- the client certificate was validated. | -- the client certificate was validated. | |||
| -- Each TrustedCA identifies a CA or a CA | -- Each ExternalPrincipalIdentifier identifies a CA | |||
| -- certificate (thereby its public key). | -- or a CA certificate (thereby its public key). | |||
| PA-PK-AS-REP ::= CHOICE { | PA-PK-AS-REP ::= CHOICE { | |||
| dhInfo [0] DHRepInfo, | dhInfo [0] DHRepInfo, | |||
| -- Selected when Diffie-Hellman key exchange is | -- Selected when Diffie-Hellman key exchange is | |||
| -- used. | -- used. | |||
| encKeyPack [1] IMPLICIT OCTET STRING, | encKeyPack [1] IMPLICIT OCTET STRING, | |||
| -- Selected when public key encryption is used. | -- Selected when public key encryption is used. | |||
| -- Contains a CMS type ContentInfo encoded | -- Contains a CMS type ContentInfo encoded | |||
| -- according to [RFC3852]. | -- according to [RFC3852]. | |||
| -- The contentType field of the type ContentInfo is | -- The contentType field of the type ContentInfo is | |||
| skipping to change at page 29, line 37 ¶ | skipping to change at page 30, line 19 ¶ | |||
| -- present if and only if DH keys are reused. If | -- present if and only if DH keys are reused. If | |||
| -- this field is omitted then the serverDHNonce | -- this field is omitted then the serverDHNonce | |||
| -- field MUST also be omitted. | -- field MUST also be omitted. | |||
| ... | ... | |||
| } | } | |||
| ReplyKeyPack ::= SEQUENCE { | ReplyKeyPack ::= SEQUENCE { | |||
| replyKey [0] EncryptionKey, | replyKey [0] EncryptionKey, | |||
| -- Contains the session key used to encrypt the | -- Contains the session key used to encrypt the | |||
| -- enc-part field in the AS-REP. | -- enc-part field in the AS-REP. | |||
| nonce [1] INTEGER (0..4294967295), | asChecksum [1] Checksum, | |||
| -- Contains the nonce in the PKAuthenticator of the | -- Contains the checksum of the AS-REQ | |||
| -- request. | -- corresponding to the containing AS-REP. | |||
| -- The checksum is performed over the type AS-REQ. | ||||
| -- The protocol key [RFC3961] of the checksum is the | ||||
| -- replyKey and the key usage number is 6. | ||||
| -- If the replyKey's enctype is "newer" [RFC4120] | ||||
| -- [RFC4121], the checksum is the required | ||||
| -- checksum operation [RFC3961] for that enctype. | ||||
| -- The client MUST verify this checksum upon receipt | ||||
| -- of the AS-REP. | ||||
| ... | ... | |||
| } | } | |||
| TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier | TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier | |||
| -- Each AlgorithmIdentifier specifies a set of | -- Each AlgorithmIdentifier specifies a set of | |||
| -- Diffie-Hellman domain parameters [IEEE1363]. | -- Diffie-Hellman domain parameters [IEEE1363]. | |||
| -- This list is in decreasing preference order. | -- This list is in decreasing preference order. | |||
| END | END | |||
| Intellectual Property Statement | Intellectual Property Statement | |||
| End of changes. 70 change blocks. | ||||
| 127 lines changed or deleted | 168 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||