| draft-ietf-tls-kerb-cipher-suites-03.txt | draft-ietf-tls-kerb-cipher-suites-04.txt |
|---|---|
| INTERNET-DRAFT Ari Medvinsky | INTERNET-DRAFT Ari Medvinsky |
| Transport Layer Security Working Group Matthew Hur | Transport Layer Security Working Group Excite |
| draft-ietf-tls-kerb-cipher-suites-03.txt CyberSafe Corporation | draft-ietf-tls-kerb-cipher-suites-04.txt Matthew Hur |
| September 18, 1998 (Expires March 18, 1999) | August 21, 1999 (Expires January 22, 2000) CyberSafe Corporation |
| Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) | Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) |
| 0. Status Of this Memo | 0. Status Of this Memo |
| This document is an Internet-Draft. Internet-Drafts are working | This document is an Internet-Draft and is in full conformance with |
| documents of the Internet Engineering Task Force (IETF), its | all provisions of section 10 of RFC 2026. Internet-Drafts are |
| areas, and its working groups. Note that other groups may also | working documents of the Internet Engineering Task Force (IETF), |
| distribute working documents as Internet-Drafts. | its areas, and its working groups. Note that other groups may |
| | also distribute working documents as Internet-Drafts. |
| Internet-Drafts are draft documents valid for a maximum of six | Internet-Drafts are draft documents valid for a maximum of six |
| months and may be updated, replaced, or obsoleted by other | months and may be updated, replaced, or obsoleted by other |
| documents at any time. It is inappropriate to use Internet- | documents at any time. It is inappropriate to use Internet- |
| Drafts as reference material or to cite them other than as | Drafts as reference material or to cite them other than as |
| ``work in progress.'' | ``work in progress.'' |
| | The list of current Internet-Drafts can be accessed at |
| | http://www.ietf.org/ietf/1id-abstracts.txt |
| | The list of Internet-Draft Shadow Directories can be accessed at |
| | http://www.ietf.org/shadow.html. |
| To learn the current status of any Internet-Draft, please check | To learn the current status of any Internet-Draft, please check |
| the ``1id-abstracts.txt'' listing contained in the Internet- | the ``1id-abstracts.txt'' listing contained in the Internet- |
| Drafts Shadow Directories on ftp.is.co.za (Africa), | Drafts Shadow Directories on ftp.is.co.za (Africa), |
| nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), | nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), |
| ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). | ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). |
| 1. Abstract | 1. Abstract |
| This document proposes the addition of new cipher suites to the TLS | This document proposes the addition of new cipher suites to the TLS |
| protocol [1] to support Kerberos-based authentication. Kerberos | protocol [1] to support Kerberos-based authentication. Kerberos |
| credentials are used to achieve mutual authentication and to establish | credentials are used to achieve mutual authentication and to establish |
| a master secret which is subsequently used to secure client-server | a master secret which is subsequently used to secure client-server |
| communication. | communication. |
| 2. Introduction | 2. Introduction |
| skipping to change at line 191 | skipping to change at line 200 |
| concerned about the protection domain on a particular machine. | concerned about the protection domain on a particular machine. |
| - "MachineName" is the particular instance of the service. | - "MachineName" is the particular instance of the service. |
| - The Kerberos "Realm" is the domain name of the machine. | - The Kerberos "Realm" is the domain name of the machine. |
| 5. Summary | 5. Summary |
| The proposed Kerberos authentication option is added in exactly the | The proposed Kerberos authentication option is added in exactly the |
| same manner as a new public key algorithm would be added to TLS. | same manner as a new public key algorithm would be added to TLS. |
| Furthermore, it establishes the master secret in exactly the same manner. | Furthermore, it establishes the master secret in exactly the same manner. |
| 6. Acknowledgements | 6. Security Considerations |
| | Kerberos ciphersuites are subject to the same security considerations as |
| | the TLS protocol. In addition, just as a public key implementation must |
| | take care to protect the private key (for example the PIN for a |
| | smartcard), a Kerberos implementation must take care to protect the long |
| | lived secret that is shared between the principal and the KDC. In |
| | particular, a weak password may be subject to a dictionary attack. In |
| | order to strengthen the initial authentication to a KDC, an implementor |
| | may choose to utilize secondary authentication via a token card, or one |
| | may utilize initial authentication to the KDC based on public key |
| | cryptography (commonly known as PKINIT - a product of the Common |
| | Authentication Technology working group of the IETF). |
| | 7. Acknowledgements |
| We would like to thank Clifford Neuman for his invaluable comments on | We would like to thank Clifford Neuman for his invaluable comments on |
| earlier versions of this document. | earlier versions of this document. |
| 7. References | 8. References |
| [1] T. Dierks, C. Allen. | [1] T. Dierks, C. Allen. |
| The TLS Protocol, Version 1.0 - IETF Draft. | The TLS Protocol, Version 1.0 - RFC 2246. |
| [2] J. Kohl and C. Neuman | [2] J. Kohl and C. Neuman |
| The Kerberos Network Authentication Service (V5) RFC 1510. | The Kerberos Network Authentication Service (V5) RFC 1510. |
| Authors' Addresses | Authors' Addresses |
| Ari Medvinsky <arim@cybersafe.com> | Ari Medvinsky |
| Matthew Hur <matth@cybersafe.com> | Excite |
| | 555 Broadway |
| | Redwood City, CA 94063 |
| | Phone +1 650 569 2119 |
| | E-mail: amedvins@excitecorp.com |
| | http://www.excite.com |
| CyberSafe Corporation | Matthew Hur |
| 1605 NW Sammamish Raod | CyberSafe Corporation |
| Suite 310 | 1605 NW Sammamish Road |
| Issaquah, WA 98027-5378 | Issaquah WA 98027-5378 |
| Phone: (206) 391-6000 | Phone: +1 425 391 6000 |
| Fax: (206) 391-0508 | E-mail: matt.hur@cybersafe.com |
| http://www.cybersafe.com | http://www.cybersafe.com |

End of changes. 9 change blocks. 13 lines changed or deleted in -03; 39 lines changed or added in -04.
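Review bot: the new Security Considerations section in -04 points implementors to PKINIT ("a product of the Common Authentication Technology working group of the IETF") and to token-card secondary authentication as mitigations for the dictionary-attack risk it names, but the References section, renumbered to 8 in the same revision, still lists only [1] RFC 2246 and [2] RFC 1510, so neither mitigation is citable from the draft. Add a reference entry for the PKINIT Internet-Draft and cite it as [3] where PKINIT is named; consider also stating the mitigations with RFC 2119 keywords rather than "an implementor may choose to utilize", since as written the section identifies the weak-password risk without attaching any requirement to it.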
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/