idnits 2.17.1 draft-ietf-cat-kerberos-pk-init-31.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1852. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1829. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1836. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1842. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 21, 2005) is 6693 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 1651 -- Looks like a reference, but probably isn't: '1' on line 1655 -- Looks like a reference, but probably isn't: '2' on line 1640 -- Looks like a reference, but probably isn't: '3' on line 1561 == Unused Reference: 'LENSTRA' is defined on line 1414, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE1363' ** Downref: Normative reference to an Informational RFC: RFC 2412 ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280) ** Obsolete normative reference: RFC 3447 (Obsoleted by RFC 8017) ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652) -- Possible downref: Non-RFC (?) normative reference: ref. 'X680' -- Possible downref: Non-RFC (?) normative reference: ref. 'X690' Summary: 8 errors (**), 0 flaws (~~), 5 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP L. Zhu 3 Internet-Draft Microsoft Corporation 4 Expires: June 24, 2006 B. Tung 5 USC Information Sciences Institute 6 December 21, 2005 8 Public Key Cryptography for Initial Authentication in Kerberos 9 draft-ietf-cat-kerberos-pk-init-31 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on June 24, 2006. 36 Copyright Notice 38 Copyright (C) The Internet Society (2005). 40 Abstract 42 This document describes protocol extensions (hereafter called PKINIT) 43 to the Kerberos protocol specification. These extensions provide a 44 method for integrating public key cryptography into the initial 45 authentication exchange, by using asymmetric-key signature and/or 46 encryption algorithms in pre-authentication data fields. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 52 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 53 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6 54 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6 55 3.1.2. Defined Message and Encryption Types . . . . . . . . . 6 56 3.1.3. Algorithm Identifiers . . . . . . . . . . . . . . . . 7 57 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9 58 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9 59 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 13 60 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 17 61 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 24 62 3.3. Interoperability Requirements . . . . . . . . . . . . . . 25 63 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 26 64 4. Security Considerations . . . . . . . . . . . . . . . . . . . 26 65 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28 66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 67 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 68 7.1. Normative References . . . . . . . . . . . . . . . . . . . 29 69 7.2. Informative References . . . . . . . . . . . . . . . . . . 31 70 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 31 71 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 36 72 Appendix C. Miscellaneous Information about Microsoft Windows 73 PKINIT Implementations . . . . . . . . . . . . . . . 38 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 75 Intellectual Property and Copyright Statements . . . . . . . . . . 41 77 1. Introduction 79 The Kerberos V5 protocol [RFC4120] involves use of a trusted third 80 party known as the Key Distribution Center (KDC) to negotiate shared 81 session keys between clients and services and provide mutual 82 authentication between them. 84 The corner-stone of Kerberos V5 is the Ticket and the Authenticator. 85 A Ticket encapsulates a symmetric key (the ticket session key) in an 86 envelope (a public message) intended for a specific service. The 87 contents of the Ticket are encrypted with a symmetric key shared 88 between the service principal and the issuing KDC. The encrypted 89 part of the Ticket contains the client principal name, amongst other 90 items. An Authenticator is a record that can be shown to have been 91 recently generated using the ticket session key in the associated 92 Ticket. The ticket session key is known by the client who requested 93 the ticket. The contents of the Authenticator are encrypted with the 94 associated ticket session key. The encrypted part of an 95 Authenticator contains a timestamp and the client principal name, 96 amongst other items. 98 As shown in Figure 1 below, the Kerberos V5 protocol consists of the 99 following message exchanges between the client and the KDC, and the 100 client and the application service: 102 - The Authentication Service (AS) Exchange 104 The client obtains an "initial" ticket from the Kerberos 105 authentication server (AS), typically a Ticket Granting Ticket 106 (TGT). The AS-REQ message and the AS-REP message are the request 107 and the reply message respectively between the client and the AS. 109 - The Ticket Granting Service (TGS) Exchange 111 The client subsequently uses the TGT to authenticate and request a 112 service ticket for a particular service, from the Kerberos ticket- 113 granting server (TGS). The TGS-REQ message and the TGS-REP 114 message are the request and the reply message respectively between 115 the client and the TGS. 117 - The Client/Server Authentication Protocol (AP) Exchange 119 The client then makes a request with an AP-REQ message, consisting 120 of a service ticket and an authenticator that certifies the 121 client's possession of the ticket session key. The server may 122 optionally reply with an AP-REP message. AP exchanges typically 123 negotiate session specific symmetric keys. 125 Usually, the AS and TGS are integrated in a single device also known 126 as the KDC. 128 Figure 1: The Message Exchanges in the Kerberos V5 Protocol 130 +--------------+ 131 +--------->| KDC | 132 AS-REQ / +-------| | 133 / / +--------------+ 134 / / ^ | 135 / |AS-REP / | 136 | | / TGS-REQ + TGS-REP 137 | | / / 138 | | / / 139 | | / +---------+ 140 | | / / 141 | | / / 142 | | / / 143 | v / v 144 ++-------+------+ +-----------------+ 145 | Client +------------>| Application | 146 | | AP-REQ | Server | 147 | |<------------| | 148 +---------------+ AP-REP +-----------------+ 150 In the AS exchange, the KDC reply contains the ticket session key, 151 amongst other items, that is encrypted using a key (the AS reply key) 152 shared between the client and the KDC. The AS reply key is typically 153 derived from the client's password for human users. Therefore for 154 human users the attack resistance strength of the Kerberos protocol 155 is no stronger than the strength of their passwords. 157 The use of asymmetric cryptography in the form of X.509 certificates 158 [RFC3280] is popular for facilitating non-repudiation and perfect 159 secrecy. An established Public Key Infrastructure (PKI) provides key 160 management and key distribution mechanisms that can be used to 161 establish authentication and secure communication. Adding public-key 162 cryptography to Kerberos provides a nice congruence to public-key 163 protocols, obviates the human users' burden to manage strong 164 passwords, and allows Kerberized applications to take advantage of 165 existing key services and identity management. 167 The advantage afforded by the Kerberos TGT is that the client exposes 168 his long-term secrets only once. The TGT and its associated session 169 key can then be used for any subsequent service ticket requests. One 170 result of this is that all further authentication is independent of 171 the method by which the initial authentication was performed. 172 Consequently, initial authentication provides a convenient place to 173 integrate public-key cryptography into Kerberos authentication. In 174 addition, the use of symmetric cryptography after the initial 175 exchange is preferred for performance. 177 This document describes the methods and data formats using which the 178 client and the KDC can use public and private key pairs to mutually 179 authenticate in the AS exchange and negotiate the AS reply key, known 180 only by the client and the KDC, to encrypt the AS-REP sent by the 181 KDC. 183 2. Conventions Used in This Document 185 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 186 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 187 document are to be interpreted as described in [RFC2119]. 189 In this protocol, both the client and the KDC have a public-private 190 key pair in order to prove their identities to each other over the 191 open network. The term "signature key" is used to refer to the 192 private key of the key pair being used. 194 The encryption key used to encrypt the enc-part field of the KDC-REP 195 in the AS-REP [RFC4120] is referred to as the AS reply key. 197 An empty sequence in an optional field can be either included or 198 omitted: both encodings are permitted and considered equivalent. 200 The term "Modular Exponential Diffie-Hellman" is used to refer to the 201 Diffie-Hellman key exchange as described in [RFC2631], in order to 202 differentiate it from other equivalent representations of the same 203 key agreement algorithm. 205 3. Extensions 207 This section describes extensions to [RFC4120] for supporting the use 208 of public-key cryptography in the initial request for a ticket. 210 Briefly, this document defines the following extensions to [RFC4120]: 212 1. The client indicates the use of public-key authentication by 213 including a special preauthenticator in the initial request. This 214 preauthenticator contains the client's public-key data and a 215 signature. 217 2. The KDC tests the client's request against its authentication 218 policy and trusted Certification Authorities (CAs). 220 3. If the request passes the verification tests, the KDC replies as 221 usual, but the reply is encrypted using either: 223 a. a key generated through a Diffie-Hellman (DH) key exchange 224 [RFC2631] [IEEE1363] with the client, signed using the KDC's 225 signature key; or 227 b. a symmetric encryption key, signed using the KDC's signature 228 key and encrypted using the client's public key. 230 Any keying material required by the client to obtain the 231 encryption key for decrypting the KDC reply is returned in a pre- 232 authentication field accompanying the usual reply. 234 4. The client validates the KDC's signature, obtains the encryption 235 key, decrypts the reply, and then proceeds as usual. 237 Section 3.1 of this document enumerates the required algorithms and 238 necessary extension message types. Section 3.2 describes the 239 extension messages in greater detail. 241 3.1. Definitions, Requirements, and Constants 243 3.1.1. Required Algorithms 245 All PKINIT implementations MUST support the following algorithms: 247 o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac- 248 sha1-96 [RFC3962]. 250 o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. 252 o AS reply key delivery method: Diffie-Hellman key exchange 253 [RFC2631]. 255 In addition, implementations of this specification MUST be capable of 256 processing the Extended Key Usage (EKU) extension and the id-pkinit- 257 san (as defined in Section 3.2.2) otherName of the Subject 258 Alternative Name (SAN) extension in X.509 certificates [RFC3280], if 259 present. 261 3.1.2. Defined Message and Encryption Types 263 PKINIT makes use of the following new pre-authentication types: 265 PA_PK_AS_REQ 16 266 PA_PK_AS_REP 17 268 PKINIT also makes use of the following new authorization data type: 270 AD_INITIAL_VERIFIED_CAS 9 272 PKINIT introduces the following new error codes: 274 KDC_ERR_CLIENT_NOT_TRUSTED 62 275 KDC_ERR_INVALID_SIG 64 276 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 277 KDC_ERR_CANT_VERIFY_CERTIFICATE 70 278 KDC_ERR_INVALID_CERTIFICATE 71 279 KDC_ERR_REVOKED_CERTIFICATE 72 280 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 281 KDC_ERR_CLIENT_NAME_MISMATCH 75 282 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 283 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 284 KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED 79 285 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 287 PKINIT uses the following typed data types for errors: 289 TD_TRUSTED_CERTIFIERS 104 290 TD_INVALID_CERTIFICATES 105 291 TD_DH_PARAMETERS 109 293 The ASN.1 module for all structures defined in this document (plus 294 IMPORT statements for all imported structures) is given in 295 Appendix A. 297 All structures defined in or imported into this document MUST be 298 encoded using Distinguished Encoding Rules (DER) [X680] [X690] 299 (unless otherwise noted). All data structures carried in OCTET 300 STRINGs must be encoded according to the rules specified in 301 corresponding specifications. 303 Interoperability note: Some implementations may not be able to decode 304 wrapped CMS objects encoded with BER; specifically, they may not be 305 able to decode indefinite length encodings. To maximize 306 interoperability, implementers SHOULD encode CMS objects used in 307 PKINIT with DER. 309 3.1.3. Algorithm Identifiers 311 PKINIT does not define, but does make use of, the following algorithm 312 identifiers. 314 PKINIT uses the following algorithm identifier(s) for Modular 315 Exponential Diffie-Hellman key agreement [RFC2631] [RFC3279]: 317 dhpublicnumber (as described in [RFC3279]) 319 PKINIT uses the following signature algorithm identifiers as defined 320 in [RFC3279]: 322 sha-1WithRSAEncryption (RSA with SHA1) 323 md5WithRSAEncryption (RSA with MD5) 324 id-dsa-with-sha1 (DSA with SHA1) 326 PKINIT uses the following encryption algorithm identifiers as defined 327 in [RFC3447] for encrypting the temporary key with a public key: 329 rsaEncryption 330 id-RSAES-OAEP 332 PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565] 333 for encrypting the AS reply key with the temporary key: 335 des-ede3-cbc (three-key 3DES, CBC mode, as defined in [RFC3370]) 336 rc2-cbc (RC2, CBC mode, as defined in [RFC3370]) 337 id-aes256-CBC (AES-256, CBC mode, as defined in [RFC3565]) 339 PKINIT defines the following encryption types, for use in the etype 340 field of the AS-REQ [RFC4120] message to indicate acceptance of the 341 corresponding algorithms that can used by Cryptographic Message 342 Syntax (CMS) [RFC3852] messages in the reply: 344 id-dsa-with-sha1-CmsOID 9 345 -- Indicates that the client supports id-dsa-with-sha1. 346 md5WithRSAEncryption-CmsOID 10 347 -- Indicates that the client supports md5WithRSAEncryption. 348 sha-1WithRSAEncryption-CmsOID 11 349 -- Indicates that the client supports sha-1WithRSAEncryption. 350 rc2-cbc-EnvOID 12 351 -- Indicates that the client supports rc2-cbc. 352 rsaEncryption-EnvOID 13 353 -- Indicates that the client supports rsaEncryption. 354 id-RSAES-OAEP-EnvOID 14 355 -- Indicates that the client supports id-RSAES-OAEP. 356 des-ede3-cbc-EnvOID 15 357 -- Indicates that the client supports des-ede3-cbc. 359 3.2. PKINIT Pre-authentication Syntax and Use 361 This section defines the syntax and use of the various pre- 362 authentication fields employed by PKINIT. 364 3.2.1. Generation of Client Request 366 The initial authentication request (AS-REQ) is sent as per [RFC4120]; 367 in addition, a pre-authentication data element, whose padata-type is 368 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the 369 type PA-PK-AS-REQ, is included. 371 PA-PK-AS-REQ ::= SEQUENCE { 372 signedAuthPack [0] IMPLICIT OCTET STRING, 373 -- Contains a CMS type ContentInfo encoded 374 -- according to [RFC3852]. 375 -- The contentType field of the type ContentInfo 376 -- is id-signedData (1.2.840.113549.1.7.2), 377 -- and the content field is a SignedData. 378 -- The eContentType field for the type SignedData is 379 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 380 -- eContent field contains the DER encoding of the 381 -- type AuthPack. 382 -- AuthPack is defined below. 383 trustedCertifiers [1] SEQUENCE OF 384 ExternalPrincipalIdentifier OPTIONAL, 385 -- Contains a list of CAs, trusted by the client, 386 -- that can be used to certify the KDC. 387 -- Each ExternalPrincipalIdentifier identifies a CA 388 -- or a CA certificate (thereby its public key). 389 -- The information contained in the 390 -- trustedCertifiers SHOULD be used by the KDC as 391 -- hints to guide its selection of an appropriate 392 -- certificate chain to return to the client. 393 kdcPkId [2] IMPLICIT OCTET STRING 394 OPTIONAL, 395 -- Contains a CMS type SignerIdentifier encoded 396 -- according to [RFC3852]. 397 -- Identifies, if present, a particular KDC 398 -- public key that the client already has. 399 ... 400 } 402 DHNonce ::= OCTET STRING 404 ExternalPrincipalIdentifier ::= SEQUENCE { 405 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 406 -- Contains a PKIX type Name encoded according to 407 -- [RFC3280]. 408 -- Identifies the certificate subject by the 409 -- distinguished subject name. 410 -- REQUIRED when there is a distinguished subject 411 -- name present in the certificate. 412 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 413 -- Contains a CMS type IssuerAndSerialNumber encoded 414 -- according to [RFC3852]. 415 -- Identifies a certificate of the subject. 416 -- REQUIRED for TD-INVALID-CERTIFICATES and 417 -- TD-TRUSTED-CERTIFIERS. 418 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 419 -- Identifies the subject's public key by a key 420 -- identifier. When an X.509 certificate is 421 -- referenced, this key identifier matches the X.509 422 -- subjectKeyIdentifier extension value. When other 423 -- certificate formats are referenced, the documents 424 -- that specify the certificate format and their use 425 -- with the CMS must include details on matching the 426 -- key identifier to the appropriate certificate 427 -- field. 428 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 429 ... 430 } 432 AuthPack ::= SEQUENCE { 433 pkAuthenticator [0] PKAuthenticator, 434 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 435 -- Type SubjectPublicKeyInfo is defined in 436 -- [RFC3280]. 437 -- Specifies Diffie-Hellman domain parameters 438 -- and the client's public key value [IEEE1363]. 439 -- The DH public key value is encoded as a BIT 440 -- STRING according to [RFC3279]. 441 -- This field is present only if the client wishes 442 -- to use the Diffie-Hellman key agreement method. 443 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 444 OPTIONAL, 445 -- Type AlgorithmIdentifier is defined in 446 -- [RFC3280]. 447 -- List of CMS encryption types supported by the 448 -- client in order of (decreasing) preference. 449 clientDHNonce [3] DHNonce OPTIONAL, 450 -- Present only if the client indicates that it 451 -- wishes to reuse DH keys or to allow the KDC to 452 -- do so (see Section 3.2.3.1). 453 ... 454 } 455 PKAuthenticator ::= SEQUENCE { 456 cusec [0] INTEGER (0..999999), 457 ctime [1] KerberosTime, 458 -- cusec and ctime are used as in [RFC4120], for 459 -- replay prevention. 460 nonce [2] INTEGER (0..4294967295), 461 -- Chosen randomly; This nonce does not need to 462 -- match with the nonce in the KDC-REQ-BODY. 463 paChecksum [3] OCTET STRING, 464 -- Contains the SHA1 checksum, performed over 465 -- KDC-REQ-BODY. 466 ... 467 } 469 The ContentInfo [RFC3852] structure contained in the signedAuthPack 470 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and 471 is filled out as follows: 473 1. The contentType field of the type ContentInfo is id-signedData 474 (as defined in [RFC3852]), and the content field is a SignedData 475 (as defined in [RFC3852]). 477 2. The eContentType field for the type SignedData is id-pkinit- 478 authData: { iso(1) org(3) dod(6) internet(1) security(5) 479 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS 480 implementers: the signed attribute content-type MUST be present 481 in this SignedData instance and its value is id-pkinit-authData 482 according to [RFC3852]. 484 3. The eContent field for the type SignedData contains the DER 485 encoding of the type AuthPack. 487 4. The signerInfos field of the type SignedData contains a single 488 signerInfo, which contains the signature over the type AuthPack. 490 5. The AuthPack structure contains a PKAuthenticator, the client 491 public key information, the CMS encryption types supported by the 492 client and a DHNonce. The pkAuthenticator field certifies to the 493 KDC that the client has recent knowledge of the signing key that 494 authenticates the client. The clientPublicValue field specifies 495 Diffie-Hellman domain parameters and the client's public key 496 value. The DH public key value is encoded as a BIT STRING 497 according to [RFC3279]. The clientPublicValue field is present 498 only if the client wishes to use the Diffie-Hellman key agreement 499 method. The supportedCMSTypes field specifies the list of CMS 500 encryption types supported by the client in order of (decreasing) 501 preference. The clientDHNonce field is described later in this 502 section. 504 6. The ctime field in the PKAuthenticator structure contains the 505 current time on the client's host, and the cusec field contains 506 the microsecond part of the client's timestamp. The ctime and 507 cusec fields are used together to specify a reasonably accurate 508 timestamp [RFC4120]. The nonce field is chosen randomly. The 509 paChecksum field contains a SHA1 checksum that is performed over 510 the KDC-REQ-BODY [RFC4120]. 512 7. The certificates field of the type SignedData contains 513 certificates intended to facilitate certification path 514 construction, so that the KDC can verify the signature over the 515 type AuthPack. For path validation, these certificates SHOULD be 516 sufficient to construct at least one certification path from the 517 client certificate to one trust anchor acceptable by the KDC 518 [RFC4158]. The client MUST be capable of including such a set of 519 certificates if configured to do so. The certificates field MUST 520 NOT contain "root" CA certificates. 522 8. The client's Diffie-Hellman public value (clientPublicValue) is 523 included if and only if the client wishes to use the Diffie- 524 Hellman key agreement method. The Diffie-Hellman domain 525 parameters [IEEE1363] for the client's public key are specified 526 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] 527 and the client's Diffie-Hellman public key value is mapped to a 528 subjectPublicKey (a BIT STRING) according to [RFC3279]. When 529 using the Diffie-Hellman key agreement method, implementations 530 MUST support Oakley 1024-bit Modular Exponential (MODP) well- 531 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group 532 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known 533 group 16 [RFC3526]. 535 The Diffie-Hellman field size should be chosen so as to provide 536 sufficient cryptographic security [RFC3766]. 538 When MODP Diffie-Hellman is used, the exponents should have at 539 least twice as many bits as the symmetric keys that will be 540 derived from them [ODL99]. 542 9. The client may wish to reuse DH keys or to allow the KDC to do so 543 (see Section 3.2.3.1). If so, then the client includes the 544 clientDHNonce field. This nonce string MUST be as long as the 545 longest key length of the symmetric key types that the client 546 supports. This nonce MUST be chosen randomly. 548 The ExternalPrincipalIdentifier structure is used in this document to 549 identify the subject's public key thereby the subject principal. 550 This structure is filled out as follows: 552 1. The subjectName field contains a PKIX type Name encoded according 553 to [RFC3280]. This field identifies the certificate subject by 554 the distinguished subject name. This field is REQUIRED when 555 there is a distinguished subject name present in the certificate 556 being used. 558 2. The issuerAndSerialNumber field contains a CMS type 559 IssuerAndSerialNumber encoded according to [RFC3852]. This field 560 identifies a certificate of the subject. This field is REQUIRED 561 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both 562 structures are defined in Section 3.2.2). 564 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's 565 public key by a key identifier. When an X.509 certificate is 566 referenced, this key identifier matches the X.509 567 subjectKeyIdentifier extension value. When other certificate 568 formats are referenced, the documents that specify the 569 certificate format and their use with the CMS must include 570 details on matching the key identifier to the appropriate 571 certificate field. This field is RECOMMENDED for TD-TRUSTED- 572 CERTIFIERS (as defined in Section 3.2.2). 574 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list 575 of CAs, trusted by the client, that can be used to certify the KDC. 576 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate 577 (thereby its public key). 579 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type 580 SignerIdentifier encoded according to [RFC3852]. This field 581 identifies, if present, a particular KDC public key that the client 582 already has. 584 3.2.2. Receipt of Client Request 586 Upon receiving the client's request, the KDC validates it. This 587 section describes the steps that the KDC MUST (unless otherwise 588 noted) take in validating the request. 590 The KDC verifies the client's signature in the signedAuthPack field 591 according to [RFC3852]. 593 If, while validating the client's X.509 certificate [RFC3280], the 594 KDC cannot build a certification path to validate the client's 595 certificate, it sends back a KRB-ERROR [RFC4120] message with the 596 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for 597 this error message is a TYPED-DATA (as defined in [RFC4120]) that 598 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and 599 whose data-value contains the DER encoding of the type TD-TRUSTED- 600 CERTIFIERS: 602 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 603 ExternalPrincipalIdentifier 604 -- Identifies a list of CAs trusted by the KDC. 605 -- Each ExternalPrincipalIdentifier identifies a CA 606 -- or a CA certificate (thereby its public key). 608 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 609 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate 610 (thereby its public key) trusted by the KDC. 612 Upon receiving this error message, the client SHOULD retry only if it 613 has a different set of certificates (from those of the previous 614 requests) that form a certification path (or a partial path) from one 615 of the trust anchors acceptable by the KDC to its own certificate. 617 If, while processing the certification path, the KDC determines that 618 the signature on one of the certificates in the signedAuthPack field 619 is invalid, it returns a KRB-ERROR [RFC4120] message with the code 620 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error 621 message is a TYPED-DATA that contains an element whose data-type is 622 TD_INVALID_CERTIFICATES, and whose data-value contains the DER 623 encoding of the type TD-INVALID-CERTIFICATES: 625 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 626 ExternalPrincipalIdentifier 627 -- Each ExternalPrincipalIdentifier identifies a 628 -- certificate (sent by the client) with an invalid 629 -- signature. 631 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 632 TD-INVALID-CERTIFICATES structure identifies a certificate (that was 633 sent by the client) with an invalid signature. 635 If more than one X.509 certificate signature is invalid, the KDC MAY 636 include one IssuerAndSerialNumber per invalid signature within the 637 TD-INVALID-CERTIFICATES. 639 The client's X.509 certificate is validated according to [RFC3280]. 641 Based on local policy, the KDC may also check whether any X.509 642 certificates in the certification path validating the client's 643 certificate have been revoked. If any of them have been revoked, the 644 KDC MUST return an error message with the code 645 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the 646 revocation status but is unable to do so, it SHOULD return an error 647 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The 648 certificate or certificates affected are identified exactly as for 649 the error code KDC_ERR_INVALID_CERTIFICATE (see above). 651 Note that the TD_INVALID_CERTIFICATES error data is only used to 652 identify invalid certificates sent by the client in the request. 654 The client's public key is then used to verify the signature. If the 655 signature fails to verify, the KDC MUST return an error message with 656 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for 657 this error message. 659 In addition to validating the client's signature, the KDC MUST also 660 check that the client's public key used to verify the client's 661 signature is bound to the client's principal name as specified in the 662 AS-REQ as follows: 664 1. If the KDC has its own binding between either the client's 665 signature-verification public key or the client's certificate and 666 the client's Kerberos principal name, it uses that binding. 668 2. Otherwise, if the client's X.509 certificate contains a Subject 669 Alternative Name (SAN) extension carrying a KRB5PrincipalName 670 (defined below) in the otherName field of the type GeneralName 671 [RFC3280], it binds the client's X.509 certificate to that name. 673 The type of the otherName field is AnotherName. The type-id field 674 of the type AnotherName is id-pkinit-san: 676 id-pkinit-san OBJECT IDENTIFIER ::= 677 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 678 x509SanAN (2) } 680 And the value field of the type AnotherName is a 681 KRB5PrincipalName. 683 KRB5PrincipalName ::= SEQUENCE { 684 realm [0] Realm, 685 principalName [1] PrincipalName 686 } 688 If the KDC does not have its own binding and there is no 689 KRB5PrincipalName name present in the client's X.509 certificate, or 690 if the Kerberos name in the request does not match the 691 KRB5PrincipalName in the client's X.509 certificate (including the 692 realm name), the KDC MUST return an error message with the code 693 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for 694 this error message. 696 Even if the certification path is validated and the certificate is 697 mapped to the client's principal name, the KDC may decide not to 698 accept the client's certificate, depending on local policy. 700 The KDC MAY require the presence of an Extended Key Usage (EKU) 701 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field 702 of the client's X.509 certificate: 704 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= 705 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 706 pkinit(3) keyPurposeClientAuth(4) } 707 -- PKINIT client authentication. 708 -- Key usage bits that MUST be consistent: 709 -- digitalSignature. 711 The digitalSignature key usage bit [RFC3280] MUST be asserted when 712 the intended purpose of the client's X.509 certificate is restricted 713 with the id-pkinit-KPClientAuth EKU. 715 If this EKU KeyPurposeId is required but it is not present or if the 716 client certificate is restricted not to be used for PKINIT client 717 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return 718 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There 719 is no accompanying e-data for this error message. KDCs implementing 720 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc- 721 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there 722 are a large number of X.509 client certificates deployed for use with 723 PKINIT which have this EKU. 725 As a matter of local policy, the KDC MAY decide to reject requests on 726 the basis of the absence or presence of other specific EKU OID's. 728 If the digest algorithm used in generating the CA signature for the 729 public key in any certificate of the request is not acceptable by the 730 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code 731 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be 732 encoded in TYPED-DATA although none is defined at this point. 734 If the client's public key is not accepted with reasons other than 735 what were specified above, the KDC returns a KRB-ERROR [RFC4120] 736 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no 737 accompanying e-data currently defined for this error message. 739 The KDC MUST check the timestamp to ensure that the request is not a 740 replay, and that the time skew falls within acceptable limits. The 741 recommendations for clock skew times in [RFC4120] apply here. If the 742 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or 743 KRB_AP_ERR_SKEW, respectively. 745 If the clientPublicValue is filled in, indicating that the client 746 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD 747 check to see if the key parameters satisfy its policy. If they do 748 not, it MUST return an error message with the code 749 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a 750 TYPED-DATA that contains an element whose data-type is 751 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of 752 the type TD-DH-PARAMETERS: 754 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 755 -- Each AlgorithmIdentifier specifies a set of 756 -- Diffie-Hellman domain parameters [IEEE1363]. 757 -- This list is in decreasing preference order. 759 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters 760 that the KDC supports in decreasing preference order, from which the 761 client SHOULD pick one to retry the request. 763 The AlgorithmIdentifier structure is defined in [RFC3280] and is 764 filled in according to [RFC3279]. More specifically Section 2.3.3 of 765 [RFC3279] describes how to fill in the AlgorithmIdentifier structure 766 in the case where MODP Diffie-Hellman key exchange is used. 768 If the client included a kdcPkId field in the PA-PK-AS-REQ and the 769 KDC does not possess the corresponding key, the KDC MUST ignore the 770 kdcPkId field as if the client did not include one. 772 If the digest algorithm used by the id-pkinit-authData is not 773 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120] 774 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. 775 The accompanying e-data MUST be encoded in TYPED-DATA although none 776 is defined at this point. 778 3.2.3. Generation of KDC Reply 780 Assuming that the client's request has been properly validated, the 781 KDC proceeds as per [RFC4120], except as follows. 783 The KDC MUST set the initial flag and include an authorization data 784 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued 785 ticket. The ad-data [RFC4120] field contains the DER encoding of the 786 type AD-INITIAL-VERIFIED-CAS: 788 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 789 ExternalPrincipalIdentifier 790 -- Identifies the certification path based on which 791 -- the client certificate was validated. 792 -- Each ExternalPrincipalIdentifier identifies a CA 793 -- or a CA certificate (thereby its public key). 795 The AD-INITIAL-VERIFIED-CAS structure identifies the certification 796 path based on which the client certificate was validated. Each 797 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD- 798 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate 799 (thereby its public key). 801 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT 802 containers if the list of CAs satisfies the AS' realm's local policy 803 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag 804 [RFC4120]). Furthermore, any TGS MUST copy such authorization data 805 from tickets used within a PA-TGS-REQ of the TGS-REQ into the 806 resulting ticket. If the list of CAs satisfies the local KDC's 807 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT 808 container, otherwise it MAY unwrap the authorization data out of the 809 AD-IF-RELEVANT container. 811 Application servers that understand this authorization data type 812 SHOULD apply local policy to determine whether a given ticket bearing 813 such a type *not* contained within an AD-IF-RELEVANT container is 814 acceptable. (This corresponds to the AP server checking the 815 transited field when the TRANSITED-POLICY-CHECKED flag has not been 816 set [RFC4120].) If such a data type is contained within an AD-IF- 817 RELEVANT container, AP servers MAY apply local policy to determine 818 whether the authorization data is acceptable. 820 A pre-authentication data element, whose padata-type is PA_PK_AS_REP 821 and whose padata-value contains the DER encoding of the type PA-PK- 822 AS-REP (defined below), is included in the AS-REP [RFC4120]. 824 PA-PK-AS-REP ::= CHOICE { 825 dhInfo [0] DHRepInfo, 826 -- Selected when Diffie-Hellman key exchange is 827 -- used. 828 encKeyPack [1] IMPLICIT OCTET STRING, 829 -- Selected when public key encryption is used. 830 -- Contains a CMS type ContentInfo encoded 831 -- according to [RFC3852]. 832 -- The contentType field of the type ContentInfo is 833 -- id-envelopedData (1.2.840.113549.1.7.3). 834 -- The content field is an EnvelopedData. 835 -- The contentType field for the type EnvelopedData 836 -- is id-signedData (1.2.840.113549.1.7.2). 837 -- The eContentType field for the inner type 838 -- SignedData (when unencrypted) is 839 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 840 -- eContent field contains the DER encoding of the 841 -- type ReplyKeyPack. 842 -- ReplyKeyPack is defined in Section 3.2.3.2. 843 ... 844 } 846 DHRepInfo ::= SEQUENCE { 847 dhSignedData [0] IMPLICIT OCTET STRING, 848 -- Contains a CMS type ContentInfo encoded according 849 -- to [RFC3852]. 850 -- The contentType field of the type ContentInfo is 851 -- id-signedData (1.2.840.113549.1.7.2), and the 852 -- content field is a SignedData. 853 -- The eContentType field for the type SignedData is 854 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 855 -- eContent field contains the DER encoding of the 856 -- type KDCDHKeyInfo. 857 -- KDCDHKeyInfo is defined below. 858 serverDHNonce [1] DHNonce OPTIONAL, 859 -- Present if and only if dhKeyExpiration is 860 -- present in the KDCDHKeyInfo. 861 ... 862 } 864 KDCDHKeyInfo ::= SEQUENCE { 865 subjectPublicKey [0] BIT STRING, 866 -- The KDC's DH public key. 867 -- The DH public key value is encoded as a BIT 868 -- STRING according to [RFC3279]. 869 nonce [1] INTEGER (0..4294967295), 870 -- Contains the nonce in the pkAuthenticator field 871 -- in the request if the DH keys are NOT reused, 872 -- 0 otherwise. 873 dhKeyExpiration [2] KerberosTime OPTIONAL, 874 -- Expiration time for KDC's key pair, 875 -- present if and only if the DH keys are reused. 876 -- If present, the KDC's DH public key MUST not be 877 -- used past the point of this expiration time. 878 -- If this field is omitted then the serverDHNonce 879 -- field MUST also be omitted. 880 ... 881 } 883 The content of the AS-REP is otherwise unchanged from [RFC4120]. The 884 KDC encrypts the reply as usual, but not with the client's long-term 885 key. Instead, it encrypts it with either a shared key derived from a 886 Diffie-Hellman exchange, or a generated encryption key. The contents 887 of the PA-PK-AS-REP indicate which key delivery method is used. 889 In addition, the lifetime of the ticket returned by the KDC MUST NOT 890 exceed that of the client's public-private key pair. The ticket 891 lifetime, however, can be shorter than that of the client's public- 892 private key pair. For the implementations of this specification, the 893 lifetime of the client's public-private key pair is the validity 894 period in X.509 certificates [RFC3280], unless configured otherwise. 896 3.2.3.1. Using Diffie-Hellman Key Exchange 898 In this case, the PA-PK-AS-REP contains a DHRepInfo structure. 900 The ContentInfo [RFC3852] structure for the dhSignedData field is 901 filled in as follows: 903 1. The contentType field of the type ContentInfo is id-signedData 904 (as defined in [RFC3852]), and the content field is a SignedData 905 (as defined in [RFC3852]). 907 2. The eContentType field for the type SignedData is the OID value 908 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1) 909 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS 910 implementers: the signed attribute content-type MUST be present 911 in this SignedData instance and its value is id-pkinit-DHKeyData 912 according to [RFC3852]. 914 3. The eContent field for the type SignedData contains the DER 915 encoding of the type KDCDHKeyInfo. 917 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce 918 and optionally the expiration time of the KDC's DH key being 919 reused. The subjectPublicKey field of the type KDCDHKeyInfo 920 field identifies KDC's DH public key. This DH public key value 921 is encoded as a BIT STRING according to [RFC3279]. The nonce 922 field contains the nonce in the pkAuthenticator field in the 923 request if the DH keys are NOT reused. The value of this nonce 924 field is 0 if the DH keys are reused. The dhKeyExpiration field 925 is present if and only if the DH keys are reused. If the 926 dhKeyExpiration field is present, the KDC's public key in this 927 KDCDHKeyInfo structure MUST NOT be used past the point of this 928 expiration time. If this field is omitted then the serverDHNonce 929 field MUST also be omitted. 931 5. The signerInfos field of the type SignedData contains a single 932 signerInfo, which contains the signature over the type 933 KDCDHKeyInfo. 935 6. The certificates field of the type SignedData contains 936 certificates intended to facilitate certification path 937 construction, so that the client can verify the KDC's signature 938 over the type KDCDHKeyInfo. The information contained in the 939 trustedCertifiers in the request SHOULD be used by the KDC as 940 hints to guide its selection of an appropriate certificate chain 941 to return to the client. This field may be left empty if the KDC 942 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 943 used for signing. Otherwise, for path validation, these 944 certificates SHOULD be sufficient to construct at least one 945 certification path from the KDC certificate to one trust anchor 946 acceptable by the client [RFC4158]. The KDC MUST be capable of 947 including such a set of certificates if configured to do so. The 948 certificates field MUST NOT contain "root" CA certificates. 950 7. If the client included the clientDHNonce field, then the KDC may 951 choose to reuse its DH keys. If the server reuses DH keys then 952 it MUST include an expiration time in the dhKeyExpiration field. 953 Past the point of the expiration time, the signature over the 954 type DHRepInfo is considered expired/invalid. When the server 955 reuses DH keys then it MUST include a serverDHNonce at least as 956 long as the length of keys for the symmetric encryption system 957 used to encrypt the AS reply. Note that including the 958 serverDHNonce changes how the client and server calculate the key 959 to use to encrypt the reply; see below for details. The KDC 960 SHOULD NOT reuse DH keys unless the clientDHNonce field is 961 present in the request. 963 The AS reply key is derived as follows: 965 1. Both the KDC and the client calculate the shared secret value as 966 follows: 968 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the 969 shared secret value. DHSharedSecret is the value ZZ as 970 described in Section 2.1.1 of [RFC2631]. 972 DHSharedSecret is first padded with leading zeros such that the 973 size of DHSharedSecret in octets is the same as that of the 974 modulus, then represented as a string of octets in big-endian 975 order. 977 Implementation note: Both the client and the KDC can cache the 978 triple (ya, yb, DHSharedSecret), where ya is the client's public 979 key and yb is the KDC's public key. If both ya and yb are the 980 same in a later exchange, the cached DHSharedSecret can be used. 982 2. Let K be the key-generation seed length [RFC3961] of the AS reply 983 key whose enctype is selected according to [RFC4120]. 985 3. Define the function octetstring2key() as follows: 987 octetstring2key(x) == random-to-key(K-truncate( 988 SHA1(0x00 | x) | 989 SHA1(0x01 | x) | 990 SHA1(0x02 | x) | 991 ... 992 )) 994 where x is an octet string; | is the concatenation operator; 0x00, 995 0x01, 0x02, etc., are each represented as a single octet; random- 996 to-key() is an operation that generates a protocol key from a 997 bitstring of length K; and K-truncate truncates its input to the 998 first K bits. Both K and random-to-key() are as defined in the 999 kcrypto profile [RFC3961] for the enctype of the AS reply key. 1001 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be 1002 the serverDHNonce; otherwise, let both n_c and n_k be empty octet 1003 strings. 1005 5. The AS reply key k is: 1007 k = octetstring2key(DHSharedSecret | n_c | n_k) 1009 If the hash algorithm used in the key derivation function (currently 1010 only octetstring2key() is defined) is not acceptable by the KDC, the 1011 KDC MUST return a KRB-ERROR [RFC4120] message with the code 1012 KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED. The accompanying e-data MUST be 1013 encoded in TYPED-DATA although none is defined at this point. 1015 3.2.3.2. Using Public Key Encryption 1017 In this case, the PA-PK-AS-REP contains the encKeyPack field where 1018 the AS reply key is encrypted. 1020 The ContentInfo [RFC3852] structure for the encKeyPack field is 1021 filled in as follows: 1023 1. The contentType field of the type ContentInfo is id-envelopedData 1024 (as defined in [RFC3852]), and the content field is an 1025 EnvelopedData (as defined in [RFC3852]). 1027 2. The contentType field for the type EnvelopedData is id- 1028 signedData: { iso (1) member-body (2) us (840) rsadsi (113549) 1029 pkcs (1) pkcs7 (7) signedData (2) }. 1031 3. The eContentType field for the inner type SignedData (when 1032 decrypted from the encryptedContent field for the type 1033 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6) 1034 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }. 1035 Notes to CMS implementers: the signed attribute content-type MUST 1036 be present in this SignedData instance and its value is id- 1037 pkinit-rkeyData according to [RFC3852]. 1039 4. The eContent field for the inner type SignedData contains the DER 1040 encoding of the type ReplyKeyPack (as described below). 1042 5. The signerInfos field of the inner type SignedData contains a 1043 single signerInfo, which contains the signature for the type 1044 ReplyKeyPack. 1046 6. The certificates field of the inner type SignedData contains 1047 certificates intended to facilitate certification path 1048 construction, so that the client can verify the KDC's signature 1049 for the type ReplyKeyPack. The information contained in the 1050 trustedCertifiers in the request SHOULD be used by the KDC as 1051 hints to guide its selection of an appropriate certificate chain 1052 to return to the client. This field may be left empty if the KDC 1053 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 1054 used for signing. Otherwise, for path validation, these 1055 certificates SHOULD be sufficient to construct at least one 1056 certification path from the KDC certificate to one trust anchor 1057 acceptable by the client [RFC4158]. The KDC MUST be capable of 1058 including such a set of certificates if configured to do so. The 1059 certificates field MUST NOT contain "root" CA certificates. 1061 7. The recipientInfos field of the type EnvelopedData is a SET which 1062 MUST contain exactly one member of type KeyTransRecipientInfo. 1063 The encryptedKey of this member contains the temporary key which 1064 is encrypted using the client's public key. 1066 8. The unprotectedAttrs or originatorInfo fields of the type 1067 EnvelopedData MAY be present. 1069 If there is a supportedCMSTypes field in the AuthPack, the KDC must 1070 check to see if it supports any of the listed types. If it supports 1071 more than one of the types, the KDC SHOULD use the one listed first. 1072 If it does not support any of them, it MUST return an error message 1073 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120]. 1075 Furthermore the KDC computes the checksum of the AS-REQ in the client 1076 request. This checksum is performed over the type AS-REQ and the 1077 protocol key [RFC3961] of the checksum operation is the replyKey and 1078 the key usage number is 6. If the replyKey's enctype is "newer" 1080 [RFC4120] [RFC4121], the checksum operation is the required checksum 1081 operation [RFC3961] of that enctype. 1083 ReplyKeyPack ::= SEQUENCE { 1084 replyKey [0] EncryptionKey, 1085 -- Contains the session key used to encrypt the 1086 -- enc-part field in the AS-REP, i.e. the 1087 -- AS reply key. 1088 asChecksum [1] Checksum, 1089 -- Contains the checksum of the AS-REQ 1090 -- corresponding to the containing AS-REP. 1091 -- The checksum is performed over the type AS-REQ. 1092 -- The protocol key [RFC3961] of the checksum is the 1093 -- replyKey and the key usage number is 6. 1094 -- If the replyKey's enctype is "newer" [RFC4120] 1095 -- [RFC4121], the checksum is the required 1096 -- checksum operation [RFC3961] for that enctype. 1097 -- The client MUST verify this checksum upon receipt 1098 -- of the AS-REP. 1099 ... 1100 } 1102 Implementations of this RSA encryption key delivery method are 1103 RECOMMENDED to support RSA keys at least 2048 bits in size. 1105 3.2.4. Receipt of KDC Reply 1107 Upon receipt of the KDC's reply, the client proceeds as follows. If 1108 the PA-PK-AS-REP contains the dhSignedData field, the client derives 1109 the AS reply key using the same procedure used by the KDC as defined 1110 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack 1111 field, and the client decrypts and extracts the temporary key in the 1112 encryptedKey field of the member KeyTransRecipientInfo, and then uses 1113 that as the AS reply key. 1115 If the public key encryption method is used, the client MUST verify 1116 the asChecksum contained in the ReplyKeyPack. 1118 In either case, the client MUST verify the signature in the 1119 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST 1120 be validated according to [RFC3280]. In addition, unless the client 1121 can otherwise verify that the public key used to verify the KDC's 1122 signature is bound to the KDC of the target realm, the KDC's X.509 1123 certificate MUST contain a Subject Alternative Name extension 1124 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as 1125 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that 1126 matches the name of the TGS of the target realm (as defined in 1127 Section 7.3 of [RFC4120]). 1129 Unless the client knows by some other means that the KDC certificate 1130 is intended for a Kerberos KDC, the client MUST require that the KDC 1131 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc: 1133 id-pkinit-KPKdc OBJECT IDENTIFIER ::= 1134 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1135 pkinit(3) keyPurposeKdc(5) } 1136 -- Signing KDC responses. 1137 -- Key usage bits that MUST be consistent: 1138 -- digitalSignature. 1140 The digitalSignature key usage bit [RFC3280] MUST be asserted when 1141 the intended purpose of the KDC's X.509 certificate is restricted 1142 with the id-pkinit-KPKdc EKU. 1144 If the KDC certificate contains the Kerberos TGS name encoded as an 1145 id-pkinit-san SAN, this certificate is certified by the issuing CA as 1146 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required. 1148 If all applicable checks are satisfied, the client then decrypts the 1149 enc-part field of the KDC-REP in the AS-REP using the AS reply key, 1150 and then proceeds as described in [RFC4120]. 1152 Implementation note: CAs issuing KDC certificates SHOULD place all 1153 "short" and "fully-qualified" Kerberos realm names of the KDC (one 1154 per GeneralName [RFC3280]) into the KDC certificate to allow maximum 1155 flexibility. 1157 3.3. Interoperability Requirements 1159 The client MUST be capable of sending a set of certificates 1160 sufficient to allow the KDC to construct a certification path for the 1161 client's certificate, if the correct set of certificates is provided 1162 through configuration or policy. 1164 If the client sends all the X.509 certificates on a certification 1165 path to a trust anchor acceptable by the KDC, and the KDC can not 1166 verify the client's public key otherwise, the KDC MUST be able to 1167 process path validation for the client's certificate based on the 1168 certificates in the request. 1170 The KDC MUST be capable of sending a set of certificates sufficient 1171 to allow the client to construct a certification path for the KDC's 1172 certificate, if the correct set of certificates is provided through 1173 configuration or policy. 1175 If the KDC sends all the X.509 certificates on a certification path 1176 to a trust anchor acceptable by the client, and the client can not 1177 verify the KDC's public key otherwise, the client MUST be able to 1178 process path validation for the KDC's certificate based on the 1179 certificates in the reply. 1181 3.4. KDC Indication of PKINIT Support 1183 If pre-authentication is required, but was not present in the 1184 request, per [RFC4120] an error message with the code 1185 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be 1186 stored in the e-data field of the KRB-ERROR message to specify which 1187 pre-authentication mechanisms are acceptable. The KDC can then 1188 indicate the support of PKINIT by including an empty element whose 1189 padata-type is PA_PK_AS_REQ in that METHOD-DATA object. 1191 Otherwise if it is required by the KDC's local policy that the client 1192 must be pre-authenticated using the pre-authentication mechanism 1193 specified in this document, but no PKINIT pre-authentication was 1194 present in the request, an error message with the code 1195 KDC_ERR_PREAUTH_FAILED SHOULD be returned. 1197 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in 1198 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET 1199 STRING), and clients MUST ignore this and any other value. Future 1200 extensions to this protocol may specify other data to send instead of 1201 an empty OCTET STRING. 1203 4. Security Considerations 1205 Kerberos error messages are not integrity protected, as a result, the 1206 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered 1207 with by an attacker so that the set of domain parameters selected 1208 could be either weaker or not mutually preferred. Local policy can 1209 configure sets of domain parameters acceptable locally, or disallow 1210 the negotiation of DH domain parameters. 1212 The symmetric reply key size and Diffie-Hellman field size or RSA 1213 modulus size should be chosen so as to provide sufficient 1214 cryptographic security [RFC3766]. 1216 When MODP Diffie-Hellman is used, the exponents should have at least 1217 twice as many bits as the symmetric keys that will be derived from 1218 them [ODL99]. 1220 PKINIT raises certain security considerations beyond those that can 1221 be regulated strictly in protocol definitions. We will address them 1222 in this section. 1224 PKINIT extends the cross-realm model to the public-key 1225 infrastructure. Users of PKINIT must understand security policies 1226 and procedures appropriate to the use of Public Key Infrastructures 1227 [RFC3280]. 1229 In order to trust a KDC certificate that is certified by a CA as a 1230 KDC certificate for a target realm (for example, by asserting the TGS 1231 name of that Kerberos realm as an id-pkinit-san SAN and/or 1232 restricting the certificate usage by using the id-pkinit-KPKdc EKU, 1233 as described in Section 3.2.4), the client MUST verify that the KDC 1234 certificate's issuing CA is authorized to issue KDC certificates for 1235 that target realm. Otherwise, the binding between the KDC 1236 certificate and the KDC of the target realm is not established. 1238 How to validate this authorization is a matter of local policy. A 1239 way to achieve this is the configuration of specific sets of 1240 intermediary CAs and trust anchors, one of which must be on the KDC 1241 certificate's certification path [RFC3280]; and for each CA or trust 1242 anchor the realms for which it is allowed to issue certificates. 1244 In addition, if any CA is trusted to issue KDC certificates can also 1245 issue other kinds of certificates, then local policy must be able to 1246 distinguish between them: for example, it could require that KDC 1247 certificates contain the id-pkinit-KPKdc EKU or that the realm be 1248 specified with the id-pkinit-san SAN. 1250 It is the responsibility of the PKI administrators for an 1251 organization to ensure that KDC certificates are only issued to KDCs, 1252 and that clients can ascertain this using their local policy. 1254 Standard Kerberos allows the possibility of interactions between 1255 cryptosystems of varying strengths; this document adds interactions 1256 with public-key cryptosystems to Kerberos. Some administrative 1257 policies may allow the use of relatively weak public keys. Using 1258 such keys to wrap data encrypted under stronger conventional 1259 cryptosystems may be inappropriate. 1261 PKINIT requires keys for symmetric cryptosystems to be generated. 1262 Some such systems contain "weak" keys. For recommendations regarding 1263 these weak keys, see [RFC4120]. 1265 PKINIT allows the use of the same RSA key pair for encryption and 1266 signing when doing RSA encryption based key delivery. This is not 1267 recommended usage of RSA keys [RFC3447], by using DH based key 1268 delivery this is avoided. 1270 Care should be taken in how certificates are chosen for the purposes 1271 of authentication using PKINIT. Some local policies may require that 1272 key escrow be used for certain certificate types. Deployers of 1273 PKINIT should be aware of the implications of using certificates that 1274 have escrowed keys for the purposes of authentication. Because 1275 signing only certificates are normally not escrowed, by using DH 1276 based key delivery this is avoided. 1278 PKINIT does not provide for a "return routability" test to prevent 1279 attackers from mounting a denial-of-service attack on the KDC by 1280 causing it to perform unnecessary and expensive public-key 1281 operations. Strictly speaking, this is also true of standard 1282 Kerberos, although the potential cost is not as great, because 1283 standard Kerberos does not make use of public-key cryptography. By 1284 using DH based key delivery and reusing DH keys, the necessary crypto 1285 processing cost per request can be minimized. 1287 The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does 1288 permit empty SEQUENCEs to be encoded. Such empty sequences may only 1289 be used if the KDC itself vouches for the user's certificate. 1291 When the Diffie-Hellman key exchange method is used, additional pre- 1292 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as 1293 defined in this specification) is not bound to the AS_REQ by the 1294 mechanisms discussed in this specification (meaning it may be dropped 1295 or added by attackers without being detected by either the client or 1296 the KDC). Designers of additional pre-authentication data should 1297 take that into consideration if such additional pre-authentication 1298 data can be used in conjunction with the PA_PK_AS_REQ. The future 1299 work of the Kerberos working group is expected to update the hash 1300 algorithms specified in this document and provide a generic mechanism 1301 to bind additional pre-authentication data with the accompanying 1302 AS_REQ. 1304 5. Acknowledgements 1306 The following people have made significant contributions to this 1307 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist 1308 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey 1309 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M 1310 Grundman and Jeffrey Altman. 1312 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and 1313 Chris Walstad discovered a binding issue between the AS-REQ and AS- 1314 REP in draft -26, the asChecksum field was added as the result. 1316 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and 1317 Jonathan Trostle who wrote earlier versions of this document. 1319 The authors are indebted to the Kerberos working group chair Jeffrey 1320 Hutzelman who kept track of various issues and was enormously helpful 1321 during the creation of this document. 1323 Some of the ideas on which this document is based arose during 1324 discussions over several years between members of the SAAG, the IETF 1325 CAT working group, and the PSRG, regarding integration of Kerberos 1326 and SPX. Some ideas have also been drawn from the DASS system. 1327 These changes are by no means endorsed by these groups. This is an 1328 attempt to revive some of the goals of those groups, and this 1329 document approaches those goals primarily from the Kerberos 1330 perspective. 1332 Lastly, comments from groups working on similar ideas in DCE have 1333 been invaluable. 1335 6. IANA Considerations 1337 This document has no actions for IANA. 1339 7. References 1341 7.1. Normative References 1343 [IEEE1363] 1344 IEEE, "Standard Specifications for Public Key 1345 Cryptography", IEEE 1363, 2000. 1347 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1348 Requirement Levels", BCP 14, RFC 2119, March 1997. 1350 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", 1351 RFC 2412, November 1998. 1353 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 1354 RFC 2631, June 1999. 1356 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 1357 Identifiers for the Internet X.509 Public Key 1358 Infrastructure Certificate and Certificate Revocation List 1359 (CRL) Profile", RFC 3279, April 2002. 1361 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet 1362 X.509 Public Key Infrastructure Certificate and 1363 Certificate Revocation List (CRL) Profile", RFC 3280, 1364 April 2002. 1366 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) 1367 Algorithms", RFC 3370, August 2002. 1369 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 1370 Standards (PKCS) #1: RSA Cryptography Specifications 1371 Version 2.1", RFC 3447, February 2003. 1373 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 1374 Diffie-Hellman groups for Internet Key Exchange (IKE)", 1375 RFC 3526, May 2003. 1377 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) 1378 Encryption Algorithm in Cryptographic Message Syntax 1379 (CMS)", RFC 3565, July 2003. 1381 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For 1382 Public Keys Used For Exchanging Symmetric Keys", BCP 86, 1383 RFC 3766, April 2004. 1385 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 1386 RFC 3852, July 2004. 1388 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1389 Kerberos 5", RFC 3961, February 2005. 1391 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) 1392 Encryption for Kerberos 5", RFC 3962, February 2005. 1394 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1395 Kerberos Network Authentication Service (V5)", RFC 4120, 1396 July 2005. 1398 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 1399 Version 5 Generic Security Service Application Program 1400 Interface (GSS-API) Mechanism: Version 2", RFC 4121, 1401 July 2005. 1403 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, 1404 Information technology - Abstract Syntax Notation One 1405 (ASN.1): Specification of basic notation. 1407 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002, 1408 Information technology - ASN.1 encoding Rules: Specification 1409 of Basic Encoding Rules (BER), Canonical Encoding Rules 1410 (CER) and Distinguished Encoding Rules (DER). 1412 7.2. Informative References 1414 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key 1415 Sizes", Journal of Cryptology 14 (2001) 255-293. 1417 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the 1418 future, Designs, Codes, and Cryptography (1999)". 1420 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. 1421 Nicholas, "Internet X.509 Public Key Infrastructure: 1422 Certification Path Building", RFC 4158, September 2005. 1424 Appendix A. PKINIT ASN.1 Module 1426 KerberosV5-PK-INIT-SPEC { 1427 iso(1) identified-organization(3) dod(6) internet(1) 1428 security(5) kerberosV5(2) modules(4) pkinit(5) 1429 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1431 IMPORTS 1432 SubjectPublicKeyInfo, AlgorithmIdentifier 1433 FROM PKIX1Explicit88 { iso (1) 1434 identified-organization (3) dod (6) internet (1) 1435 security (5) mechanisms (5) pkix (7) id-mod (0) 1436 id-pkix1-explicit (18) } 1437 -- As defined in RFC 3280. 1439 KerberosTime, PrincipalName, Realm, EncryptionKey 1440 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1441 dod(6) internet(1) security(5) kerberosV5(2) 1442 modules(4) krb5spec2(2) } ; 1444 id-pkinit OBJECT IDENTIFIER ::= 1445 { iso (1) org (3) dod (6) internet (1) security (5) 1446 kerberosv5 (2) pkinit (3) } 1448 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 } 1449 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 } 1450 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 } 1451 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 } 1452 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 } 1454 id-pkinit-san OBJECT IDENTIFIER ::= 1455 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1456 x509SanAN (2) } 1458 pa-pk-as-req INTEGER ::= 16 1459 pa-pk-as-rep INTEGER ::= 17 1461 ad-initial-verified-cas INTEGER ::= 9 1463 td-trusted-certifiers INTEGER ::= 104 1464 td-invalid-certificates INTEGER ::= 105 1465 td-dh-parameters INTEGER ::= 109 1467 PA-PK-AS-REQ ::= SEQUENCE { 1468 signedAuthPack [0] IMPLICIT OCTET STRING, 1469 -- Contains a CMS type ContentInfo encoded 1470 -- according to [RFC3852]. 1471 -- The contentType field of the type ContentInfo 1472 -- is id-signedData (1.2.840.113549.1.7.2), 1473 -- and the content field is a SignedData. 1474 -- The eContentType field for the type SignedData is 1475 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 1476 -- eContent field contains the DER encoding of the 1477 -- type AuthPack. 1478 -- AuthPack is defined below. 1479 trustedCertifiers [1] SEQUENCE OF 1480 ExternalPrincipalIdentifier OPTIONAL, 1481 -- Contains a list of CAs, trusted by the client, 1482 -- that can be used to certify the KDC. 1483 -- Each ExternalPrincipalIdentifier identifies a CA 1484 -- or a CA certificate (thereby its public key). 1485 -- The information contained in the 1486 -- trustedCertifiers SHOULD be used by the KDC as 1487 -- hints to guide its selection of an appropriate 1488 -- certificate chain to return to the client. 1489 kdcPkId [2] IMPLICIT OCTET STRING 1490 OPTIONAL, 1491 -- Contains a CMS type SignerIdentifier encoded 1492 -- according to [RFC3852]. 1493 -- Identifies, if present, a particular KDC 1494 -- public key that the client already has. 1495 ... 1496 } 1498 DHNonce ::= OCTET STRING 1500 ExternalPrincipalIdentifier ::= SEQUENCE { 1501 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 1502 -- Contains a PKIX type Name encoded according to 1503 -- [RFC3280]. 1504 -- Identifies the certificate subject by the 1505 -- distinguished subject name. 1507 -- REQUIRED when there is a distinguished subject 1508 -- name present in the certificate. 1509 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 1510 -- Contains a CMS type IssuerAndSerialNumber encoded 1511 -- according to [RFC3852]. 1512 -- Identifies a certificate of the subject. 1513 -- REQUIRED for TD-INVALID-CERTIFICATES and 1514 -- TD-TRUSTED-CERTIFIERS. 1515 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 1516 -- Identifies the subject's public key by a key 1517 -- identifier. When an X.509 certificate is 1518 -- referenced, this key identifier matches the X.509 1519 -- subjectKeyIdentifier extension value. When other 1520 -- certificate formats are referenced, the documents 1521 -- that specify the certificate format and their use 1522 -- with the CMS must include details on matching the 1523 -- key identifier to the appropriate certificate 1524 -- field. 1525 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 1526 ... 1527 } 1529 AuthPack ::= SEQUENCE { 1530 pkAuthenticator [0] PKAuthenticator, 1531 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 1532 -- Type SubjectPublicKeyInfo is defined in 1533 -- [RFC3280]. 1534 -- Specifies Diffie-Hellman domain parameters 1535 -- and the client's public key value [IEEE1363]. 1536 -- The DH public key value is encoded as a BIT 1537 -- STRING according to [RFC3279]. 1538 -- This field is present only if the client wishes 1539 -- to use the Diffie-Hellman key agreement method. 1540 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 1541 OPTIONAL, 1542 -- Type AlgorithmIdentifier is defined in 1543 -- [RFC3280]. 1544 -- List of CMS encryption types supported by the 1545 -- client in order of (decreasing) preference. 1546 clientDHNonce [3] DHNonce OPTIONAL, 1547 -- Present only if the client indicates that it 1548 -- wishes to reuse DH keys or to allow the KDC to 1549 -- do so. 1550 ... 1551 } 1553 PKAuthenticator ::= SEQUENCE { 1554 cusec [0] INTEGER (0..999999), 1555 ctime [1] KerberosTime, 1556 -- cusec and ctime are used as in [RFC4120], for 1557 -- replay prevention. 1558 nonce [2] INTEGER (0..4294967295), 1559 -- Chosen randomly; This nonce does not need to 1560 -- match with the nonce in the KDC-REQ-BODY. 1561 paChecksum [3] OCTET STRING, 1562 -- Contains the SHA1 checksum, performed over 1563 -- KDC-REQ-BODY. 1564 ... 1565 } 1567 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 1568 ExternalPrincipalIdentifier 1569 -- Identifies a list of CAs trusted by the KDC. 1570 -- Each ExternalPrincipalIdentifier identifies a CA 1571 -- or a CA certificate (thereby its public key). 1573 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 1574 ExternalPrincipalIdentifier 1575 -- Each ExternalPrincipalIdentifier identifies a 1576 -- certificate (sent by the client) with an invalid 1577 -- signature. 1579 KRB5PrincipalName ::= SEQUENCE { 1580 realm [0] Realm, 1581 principalName [1] PrincipalName 1582 } 1584 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 1585 ExternalPrincipalIdentifier 1586 -- Identifies the certification path based on which 1587 -- the client certificate was validated. 1588 -- Each ExternalPrincipalIdentifier identifies a CA 1589 -- or a CA certificate (thereby its public key). 1591 PA-PK-AS-REP ::= CHOICE { 1592 dhInfo [0] DHRepInfo, 1593 -- Selected when Diffie-Hellman key exchange is 1594 -- used. 1595 encKeyPack [1] IMPLICIT OCTET STRING, 1596 -- Selected when public key encryption is used. 1597 -- Contains a CMS type ContentInfo encoded 1598 -- according to [RFC3852]. 1599 -- The contentType field of the type ContentInfo is 1600 -- id-envelopedData (1.2.840.113549.1.7.3). 1601 -- The content field is an EnvelopedData. 1602 -- The contentType field for the type EnvelopedData 1603 -- is id-signedData (1.2.840.113549.1.7.2). 1604 -- The eContentType field for the inner type 1605 -- SignedData (when unencrypted) is 1606 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 1607 -- eContent field contains the DER encoding of the 1608 -- type ReplyKeyPack. 1609 -- ReplyKeyPack is defined below. 1610 ... 1611 } 1613 DHRepInfo ::= SEQUENCE { 1614 dhSignedData [0] IMPLICIT OCTET STRING, 1615 -- Contains a CMS type ContentInfo encoded according 1616 -- to [RFC3852]. 1617 -- The contentType field of the type ContentInfo is 1618 -- id-signedData (1.2.840.113549.1.7.2), and the 1619 -- content field is a SignedData. 1620 -- The eContentType field for the type SignedData is 1621 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 1622 -- eContent field contains the DER encoding of the 1623 -- type KDCDHKeyInfo. 1624 -- KDCDHKeyInfo is defined below. 1625 serverDHNonce [1] DHNonce OPTIONAL, 1626 -- Present if and only if dhKeyExpiration is 1627 -- present. 1628 ... 1629 } 1631 KDCDHKeyInfo ::= SEQUENCE { 1632 subjectPublicKey [0] BIT STRING, 1633 -- The KDC's DH public key. 1634 -- The DH public key value is encoded as a BIT 1635 -- STRING according to [RFC3279]. 1636 nonce [1] INTEGER (0..4294967295), 1637 -- Contains the nonce in the pkAuthenticator field 1638 -- in the request if the DH keys are NOT reused, 1639 -- 0 otherwise. 1640 dhKeyExpiration [2] KerberosTime OPTIONAL, 1641 -- Expiration time for KDC's key pair, 1642 -- present if and only if the DH keys are reused. 1643 -- If present, the KDC's DH public key MUST not be 1644 -- used past the point of this expiration time. 1645 -- If this field is omitted then the serverDHNonce 1646 -- field MUST also be omitted. 1647 ... 1648 } 1650 ReplyKeyPack ::= SEQUENCE { 1651 replyKey [0] EncryptionKey, 1652 -- Contains the session key used to encrypt the 1653 -- enc-part field in the AS-REP, i.e. the 1654 -- AS reply key. 1655 asChecksum [1] Checksum, 1656 -- Contains the checksum of the AS-REQ 1657 -- corresponding to the containing AS-REP. 1658 -- The checksum is performed over the type AS-REQ. 1659 -- The protocol key [RFC3961] of the checksum is the 1660 -- replyKey and the key usage number is 6. 1661 -- If the replyKey's enctype is "newer" [RFC4120] 1662 -- [RFC4121], the checksum is the required 1663 -- checksum operation [RFC3961] for that enctype. 1664 -- The client MUST verify this checksum upon receipt 1665 -- of the AS-REP. 1666 ... 1667 } 1669 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 1670 -- Each AlgorithmIdentifier specifies a set of 1671 -- Diffie-Hellman domain parameters [IEEE1363]. 1672 -- This list is in decreasing preference order. 1673 END 1675 Appendix B. Test Vectors 1677 Function octetstring2key() is defined in Section 3.2.3.1. This 1678 section describes a few sets of test vectors that would be useful for 1679 implementers of octetstring2key(). 1681 Set 1 1682 ===== 1683 Input octet string x is: 1685 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1686 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1687 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1688 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1689 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1691 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1692 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1693 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1694 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1695 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1696 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1697 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1698 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1699 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1702 Output of K-truncate() when the key size is 32 octets: 1704 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83 1705 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41 1707 Set 2: 1708 ===== 1709 Input octet string x is: 1711 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1712 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1713 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1714 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1715 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1716 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1717 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1718 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1720 Output of K-truncate() when the key size is 32 octets: 1722 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb 1723 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e 1725 Set 3: 1726 ====== 1727 Input octet string x is: 1729 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1730 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1731 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1732 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1733 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 1734 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 1735 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 1736 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1738 Output of K-truncate() when the key size is 32 octets: 1740 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3 1741 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e 1743 Set 4: 1744 ===== 1745 Input octet string x is: 1747 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1748 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1749 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1750 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1751 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1753 Output of K-truncate() when the key size is 32 octets: 1755 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a 1756 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc 1758 Appendix C. Miscellaneous Information about Microsoft Windows PKINIT 1759 Implementations 1761 Earlier revisions of the PKINIT I-D were implemented in various 1762 releases of Microsoft Windows and deployed in fairly large numbers. 1763 To enable the community to better interoperate with systems running 1764 those releases, the following information may be useful. 1766 KDC certificates issued by Windows 2000 Enterprise CAs contain a 1767 dNSName SAN with the DNS name of the host running the KDC, and the 1768 id-kp-serverAuth EKU [RFC3280]. 1770 KDC certificates issued by Windows 2003 Enterprise CAs contain a 1771 dNSName SAN with the DNS name of the host running the KDC, the id-kp- 1772 serverAuth EKU and the id-ms-kp-sc-logon EKU. 1774 It is anticipated that the next release of Windows is already too far 1775 along to allow it to support the issuing KDC certificates with id- 1776 pkinit-san SAN as specified in this RFC. Instead, they will have a 1777 dNSName SAN containing the domain name of the KDC and the intended 1778 purpose of these KDC certificates be restricted by the presence of 1779 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU. 1781 In addition to checking that the above are present in a KDC 1782 certificate, Windows clients verify that the issuer of the KDC 1783 certificate is one of a set of allowed issuers of such certificates, 1784 so those wishing to issue KDC certificates need to configure their 1785 Windows clients appropriately. 1787 Client certificates accepted by Windows 2000 and Windows 2003 Server 1788 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) 1789 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN 1790 contains a UTF8 encoded string whose value is that of the Directory 1791 Service attribute UserPrincipalName of the client account object, and 1792 the purpose of including the id-ms-san-sc-logon-upn SAN in the client 1793 certificate is to validate the client mapping (in other words, the 1794 client's public key is bound to the account that has this 1795 UserPrincipalName value). 1797 It should be noted that all Microsoft Kerberos realm names are domain 1798 style realm names and strictly in upper case. In addition, the 1799 UserPrincipalName attribute is globally unique in Windows 2000 and 1800 Windows 2003. 1802 Authors' Addresses 1804 Larry Zhu 1805 Microsoft Corporation 1806 One Microsoft Way 1807 Redmond, WA 98052 1808 US 1810 Email: lzhu@microsoft.com 1812 Brian Tung 1813 USC Information Sciences Institute 1814 4676 Admiralty Way Suite 1001 1815 Marina del Rey, CA 90292 1816 US 1818 Email: brian@isi.edu 1820 Intellectual Property Statement 1822 The IETF takes no position regarding the validity or scope of any 1823 Intellectual Property Rights or other rights that might be claimed to 1824 pertain to the implementation or use of the technology described in 1825 this document or the extent to which any license under such rights 1826 might or might not be available; nor does it represent that it has 1827 made any independent effort to identify any such rights. Information 1828 on the procedures with respect to rights in RFC documents can be 1829 found in BCP 78 and BCP 79. 1831 Copies of IPR disclosures made to the IETF Secretariat and any 1832 assurances of licenses to be made available, or the result of an 1833 attempt made to obtain a general license or permission for the use of 1834 such proprietary rights by implementers or users of this 1835 specification can be obtained from the IETF on-line IPR repository at 1836 http://www.ietf.org/ipr. 1838 The IETF invites any interested party to bring to its attention any 1839 copyrights, patents or patent applications, or other proprietary 1840 rights that may cover technology that may be required to implement 1841 this standard. Please address the information to the IETF at 1842 ietf-ipr@ietf.org. 1844 Disclaimer of Validity 1846 This document and the information contained herein are provided on an 1847 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1848 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1849 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1850 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1851 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1852 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1854 Copyright Statement 1856 Copyright (C) The Internet Society (2005). This document is subject 1857 to the rights, licenses and restrictions contained in BCP 78, and 1858 except as set forth therein, the authors retain all their rights. 1860 Acknowledgment 1862 Funding for the RFC Editor function is currently provided by the 1863 Internet Society.