idnits 2.17.1 draft-ietf-cat-kerberos-pk-init-33.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5 on line 1904. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1881. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1888. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1894. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 32) being 98 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: KDCDHKeyInfo ::= SEQUENCE { subjectPublicKey [0] BIT STRING, -- The KDC's DH public key. -- The DH public key value is encoded as a BIT -- STRING according to [RFC3279]. nonce [1] INTEGER (0..4294967295), -- Contains the nonce in the pkAuthenticator field -- in the request if the DH keys are NOT reused, -- 0 otherwise. dhKeyExpiration [2] KerberosTime OPTIONAL, -- Expiration time for KDC's key pair, -- present if and only if the DH keys are reused. -- If present, the KDC's DH public key MUST not be -- used past the point of this expiration time. -- If this field is omitted then the serverDHNonce -- field MUST also be omitted. ... } -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 24, 2006) is 6667 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 1703 -- Looks like a reference, but probably isn't: '1' on line 1707 -- Looks like a reference, but probably isn't: '2' on line 1692 -- Looks like a reference, but probably isn't: '3' on line 1612 == Unused Reference: 'RFC3565' is defined on line 1422, but no explicit reference was found in the text == Unused Reference: 'LENSTRA' is defined on line 1457, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE1363' ** Downref: Normative reference to an Informational RFC: RFC 2412 ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280) ** Obsolete normative reference: RFC 3447 (Obsoleted by RFC 8017) ** Obsolete normative reference: RFC 3852 (Obsoleted by RFC 5652) -- Possible downref: Non-RFC (?) normative reference: ref. 'X680' -- Possible downref: Non-RFC (?) normative reference: ref. 'X690' Summary: 8 errors (**), 0 flaws (~~), 7 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP L. Zhu 3 Internet-Draft Microsoft Corporation 4 Expires: July 28, 2006 B. Tung 5 USC Information Sciences Institute 6 January 24, 2006 8 Public Key Cryptography for Initial Authentication in Kerberos 9 draft-ietf-cat-kerberos-pk-init-33 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on July 28, 2006. 36 Copyright Notice 38 Copyright (C) The Internet Society (2006). 40 Abstract 42 This document describes protocol extensions (hereafter called PKINIT) 43 to the Kerberos protocol specification. These extensions provide a 44 method for integrating public key cryptography into the initial 45 authentication exchange, by using asymmetric-key signature and/or 46 encryption algorithms in pre-authentication data fields. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 51 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 52 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5 53 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6 54 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6 55 3.1.2. Defined Message and Encryption Types . . . . . . . . . 7 56 3.1.3. Kerberos Encryption Types Defined for CMS 57 Algorithm Identifiers . . . . . . . . . . . . . . . . 8 58 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9 59 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9 60 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 14 61 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 18 62 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 25 63 3.3. Interoperability Requirements . . . . . . . . . . . . . . 26 64 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 26 65 4. Security Considerations . . . . . . . . . . . . . . . . . . . 27 66 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29 67 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 69 7.1. Normative References . . . . . . . . . . . . . . . . . . . 30 70 7.2. Informative References . . . . . . . . . . . . . . . . . . 32 71 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 32 72 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 37 73 Appendix C. Miscellaneous Information about Microsoft Windows 74 PKINIT Implementations . . . . . . . . . . . . . . . 39 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 76 Intellectual Property and Copyright Statements . . . . . . . . . . 42 78 1. Introduction 80 The Kerberos V5 protocol [RFC4120] involves use of a trusted third 81 party known as the Key Distribution Center (KDC) to negotiate shared 82 session keys between clients and services and provide mutual 83 authentication between them. 85 The corner-stone of Kerberos V5 is the Ticket and the Authenticator. 86 A Ticket encapsulates a symmetric key (the ticket session key) in an 87 envelope (a public message) intended for a specific service. The 88 contents of the Ticket are encrypted with a symmetric key shared 89 between the service principal and the issuing KDC. The encrypted 90 part of the Ticket contains the client principal name, amongst other 91 items. An Authenticator is a record that can be shown to have been 92 recently generated using the ticket session key in the associated 93 Ticket. The ticket session key is known by the client who requested 94 the ticket. The contents of the Authenticator are encrypted with the 95 associated ticket session key. The encrypted part of an 96 Authenticator contains a timestamp and the client principal name, 97 amongst other items. 99 As shown in Figure 1 below, the Kerberos V5 protocol consists of the 100 following message exchanges between the client and the KDC, and the 101 client and the application service: 103 - The Authentication Service (AS) Exchange 105 The client obtains an "initial" ticket from the Kerberos 106 authentication server (AS), typically a Ticket Granting Ticket 107 (TGT). The AS-REQ message and the AS-REP message are the request 108 and the reply message respectively between the client and the AS. 110 - The Ticket Granting Service (TGS) Exchange 112 The client subsequently uses the TGT to authenticate and request a 113 service ticket for a particular service, from the Kerberos ticket- 114 granting server (TGS). The TGS-REQ message and the TGS-REP 115 message are the request and the reply message respectively between 116 the client and the TGS. 118 - The Client/Server Authentication Protocol (AP) Exchange 120 The client then makes a request with an AP-REQ message, consisting 121 of a service ticket and an authenticator that certifies the 122 client's possession of the ticket session key. The server may 123 optionally reply with an AP-REP message. AP exchanges typically 124 negotiate session specific symmetric keys. 126 Usually, the AS and TGS are integrated in a single device also known 127 as the KDC. 129 Figure 1: The Message Exchanges in the Kerberos V5 Protocol 131 +--------------+ 132 +--------->| KDC | 133 AS-REQ / +-------| | 134 / / +--------------+ 135 / / ^ | 136 / |AS-REP / | 137 | | / TGS-REQ + TGS-REP 138 | | / / 139 | | / / 140 | | / +---------+ 141 | | / / 142 | | / / 143 | | / / 144 | v / v 145 ++-------+------+ +-----------------+ 146 | Client +------------>| Application | 147 | | AP-REQ | Server | 148 | |<------------| | 149 +---------------+ AP-REP +-----------------+ 151 In the AS exchange, the KDC reply contains the ticket session key, 152 amongst other items, that is encrypted using a key (the AS reply key) 153 shared between the client and the KDC. The AS reply key is typically 154 derived from the client's password for human users. Therefore for 155 human users the attack resistance strength of the Kerberos protocol 156 is no stronger than the strength of their passwords. 158 The use of asymmetric cryptography in the form of X.509 certificates 159 [RFC3280] is popular for facilitating data origin authentication and 160 perfect secrecy. An established Public Key Infrastructure (PKI) 161 provides key management and key distribution mechanisms that can be 162 used to establish authentication and secure communication. Adding 163 public-key cryptography to Kerberos provides a nice congruence to 164 public-key protocols, obviates the human users' burden to manage 165 strong passwords, and allows Kerberized applications to take 166 advantage of existing key services and identity management. 168 The advantage afforded by the Kerberos TGT is that the client exposes 169 his long-term secrets only once. The TGT and its associated session 170 key can then be used for any subsequent service ticket requests. One 171 result of this is that all further authentication is independent of 172 the method by which the initial authentication was performed. 173 Consequently, initial authentication provides a convenient place to 174 integrate public-key cryptography into Kerberos authentication. In 175 addition, the use of symmetric cryptography after the initial 176 exchange is preferred for performance. 178 This document describes the methods and data formats using which the 179 client and the KDC can use public and private key pairs to mutually 180 authenticate in the AS exchange and negotiate the AS reply key, known 181 only by the client and the KDC, to encrypt the AS-REP sent by the 182 KDC. 184 2. Conventions Used in This Document 186 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 187 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 188 document are to be interpreted as described in [RFC2119]. 190 In this protocol, both the client and the KDC have a public-private 191 key pair in order to prove their identities to each other over the 192 open network. The term "signature key" is used to refer to the 193 private key of the key pair being used. 195 The encryption key used to encrypt the enc-part field of the KDC-REP 196 in the AS-REP [RFC4120] is referred to as the AS reply key. 198 An empty sequence in an optional field can be either included or 199 omitted: both encodings are permitted and considered equivalent. 201 The term "Modular Exponential Diffie-Hellman" is used to refer to the 202 Diffie-Hellman key exchange as described in [RFC2631], in order to 203 differentiate it from other equivalent representations of the same 204 key agreement algorithm. 206 3. Extensions 208 This section describes extensions to [RFC4120] for supporting the use 209 of public-key cryptography in the initial request for a ticket. 211 Briefly, this document defines the following extensions to [RFC4120]: 213 1. The client indicates the use of public-key authentication by 214 including a special preauthenticator in the initial request. This 215 preauthenticator contains the client's public-key data and a 216 signature. 218 2. The KDC tests the client's request against its authentication 219 policy and trusted Certification Authorities (CAs). 221 3. If the request passes the verification tests, the KDC replies as 222 usual, but the reply is encrypted using either: 224 a. a key generated through a Diffie-Hellman (DH) key exchange 225 [RFC2631] [IEEE1363] with the client, signed using the KDC's 226 signature key; or 228 b. a symmetric encryption key, signed using the KDC's signature 229 key and encrypted using the client's public key. 231 Any keying material required by the client to obtain the 232 encryption key for decrypting the KDC reply is returned in a pre- 233 authentication field accompanying the usual reply. 235 4. The client validates the KDC's signature, obtains the encryption 236 key, decrypts the reply, and then proceeds as usual. 238 Section 3.1 of this document enumerates the required algorithms and 239 necessary extension message types. Section 3.2 describes the 240 extension messages in greater detail. 242 3.1. Definitions, Requirements, and Constants 244 3.1.1. Required Algorithms 246 All PKINIT implementations MUST support the following algorithms: 248 o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac- 249 sha1-96 [RFC3962]. 251 o Signature algorithm: sha-1WithRSAEncryption [RFC3279]. 253 o AS reply key delivery method: Diffie-Hellman key exchange 254 [RFC2631]. 256 o Algorithms identified in the contentEncryptionAlgorithm field of 257 the type EncryptedContentInfo [RFC3852] for encrypting the 258 temporary key in the encryptedKey field of the type 259 KeyTransRecipientInfo [RFC3852] with a public key, as described in 260 Section 3.2.3.2: rsaEncryption [RFC3447] [RFC3279]. 262 o Algorithms identified in the contentEncryptionAlgorithm field of 263 the type EncryptedContentInfo [RFC3852] for encrypting the AS 264 reply key with the temporary key contained in the encryptedKey 265 field of the type KeyTransRecipientInfo [RFC3852], as described in 266 Section 3.2.3.2: des-ede3-cbc (three-key 3DES, CBC mode) 267 [RFC3370]. 269 In addition, implementations of this specification MUST be capable of 270 processing the Extended Key Usage (EKU) extension and the id-pkinit- 271 san (as defined in Section 3.2.2) otherName of the Subject 272 Alternative Name (SAN) extension in X.509 certificates [RFC3280]. 274 3.1.2. Defined Message and Encryption Types 276 PKINIT makes use of the following new pre-authentication types: 278 PA_PK_AS_REQ 16 279 PA_PK_AS_REP 17 281 PKINIT also makes use of the following new authorization data type: 283 AD_INITIAL_VERIFIED_CAS 9 285 PKINIT introduces the following new error codes: 287 KDC_ERR_CLIENT_NOT_TRUSTED 62 288 KDC_ERR_INVALID_SIG 64 289 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 290 KDC_ERR_CANT_VERIFY_CERTIFICATE 70 291 KDC_ERR_INVALID_CERTIFICATE 71 292 KDC_ERR_REVOKED_CERTIFICATE 72 293 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 294 KDC_ERR_CLIENT_NAME_MISMATCH 75 295 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 296 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 297 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 298 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 300 PKINIT uses the following typed data types for errors: 302 TD_TRUSTED_CERTIFIERS 104 303 TD_INVALID_CERTIFICATES 105 304 TD_DH_PARAMETERS 109 306 The ASN.1 module for all structures defined in this document (plus 307 IMPORT statements for all imported structures) is given in 308 Appendix A. 310 All structures defined in or imported into this document MUST be 311 encoded using Distinguished Encoding Rules (DER) [X680] [X690] 312 (unless otherwise noted). All data structures carried in OCTET 313 STRINGs must be encoded according to the rules specified in 314 corresponding specifications. 316 Interoperability note: Some implementations may not be able to decode 317 wrapped Cryptographic Message Syntax (CMS) [RFC3852] objects encoded 318 with BER; specifically, they may not be able to decode indefinite 319 length encodings. To maximize interoperability, implementers SHOULD 320 encode CMS objects used in PKINIT with DER. 322 3.1.3. Kerberos Encryption Types Defined for CMS Algorithm Identifiers 324 PKINIT defines the following Kerberos encryption type numbers 325 [RFC3961], which can be used in the etype field of the AS-REQ 326 [RFC4120] message to indicate to the KDC the client's acceptance of 327 the corresponding algorithms (including public encryption algorithms, 328 bulk encryption algorithms, and signature algorithms) for use with 329 Cryptographic Message Syntax (CMS) [RFC3852]. 331 Per [RFC4120], the encryption types in the etype field are in the 332 decreasing preference order of the client. Note that there is no 333 significance in the relative order between any two of different types 334 of algorithms: public key encryption algorithms, bulk encryption 335 algorithms and signature algorithms. 337 The presence of each of these encryption types in the etype field is 338 equivalent to the presence of the corresponding algorithm Object 339 Identifier (OID) in the supportedCMSTypes field as described in 340 Section 3.2.1. And the preference order expressed in the 341 supportedCMSTypes field would override the preference order listed in 342 the etype field. 344 Kerberos Encryption Type Name Num Corresponding Algorithm OID 345 ============================== === =============================== 346 id-dsa-with-sha1-CmsOID 9 id-dsa-with-sha1 [RFC3279] 347 md5WithRSAEncryption-CmsOID 10 md5WithRSAEncryption [RFC3279] 348 sha-1WithRSAEncryption-CmsOID 11 sha-1WithRSAEncryption [RFC3279] 349 rc2-cbc-EnvOID 12 rc2-cbc [RFC3370] 350 rsaEncryption-EnvOID 13 rsaEncryption [RFC3447][RFC3279] 351 id-RSAES-OAEP-EnvOID 14 id-RSAES-OAEP [RFC3447][RFC3279] 352 des-ede3-cbc-EnvOID 15 des-ede3-cbc [RFC3370] 354 The above encryption type numbers are used only to indicate support 355 for the use of the corresponding algorithms in PKINIT; they do not 356 correspond to actual Kerberos encryption types [RFC3961] and MUST NOT 357 be used in the etype field of the Kerberos EncryptedData type 358 [RFC4120]. The practice of assigning Kerberos encryption type 359 numbers to indicate support for CMS algorithms is considered 360 deprecated, and new numbers should not be assigned for this purpose. 362 Instead, the supportedCMSTypes field should be used to identify the 363 algorithms supported by the client and the preference order of the 364 client. 366 For maximum interoperability, however, PKINIT clients wishing to 367 indicate to the KDC the support for one or more of the algorithms 368 listed above SHOULD include the corresponding encryption type 369 number(s) in the etype field of the AS-REQ. 371 3.2. PKINIT Pre-authentication Syntax and Use 373 This section defines the syntax and use of the various pre- 374 authentication fields employed by PKINIT. 376 3.2.1. Generation of Client Request 378 The initial authentication request (AS-REQ) is sent as per [RFC4120]; 379 in addition, a pre-authentication data element, whose padata-type is 380 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the 381 type PA-PK-AS-REQ, is included. 383 PA-PK-AS-REQ ::= SEQUENCE { 384 signedAuthPack [0] IMPLICIT OCTET STRING, 385 -- Contains a CMS type ContentInfo encoded 386 -- according to [RFC3852]. 387 -- The contentType field of the type ContentInfo 388 -- is id-signedData (1.2.840.113549.1.7.2), 389 -- and the content field is a SignedData. 390 -- The eContentType field for the type SignedData is 391 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 392 -- eContent field contains the DER encoding of the 393 -- type AuthPack. 394 -- AuthPack is defined below. 395 trustedCertifiers [1] SEQUENCE OF 396 ExternalPrincipalIdentifier OPTIONAL, 397 -- Contains a list of CAs, trusted by the client, 398 -- that can be used to certify the KDC. 399 -- Each ExternalPrincipalIdentifier identifies a CA 400 -- or a CA certificate (thereby its public key). 401 -- The information contained in the 402 -- trustedCertifiers SHOULD be used by the KDC as 403 -- hints to guide its selection of an appropriate 404 -- certificate chain to return to the client. 405 kdcPkId [2] IMPLICIT OCTET STRING 406 OPTIONAL, 407 -- Contains a CMS type SignerIdentifier encoded 408 -- according to [RFC3852]. 409 -- Identifies, if present, a particular KDC 410 -- public key that the client already has. 411 ... 412 } 414 DHNonce ::= OCTET STRING 416 ExternalPrincipalIdentifier ::= SEQUENCE { 417 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 418 -- Contains a PKIX type Name encoded according to 419 -- [RFC3280]. 420 -- Identifies the certificate subject by the 421 -- distinguished subject name. 422 -- REQUIRED when there is a distinguished subject 423 -- name present in the certificate. 424 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 425 -- Contains a CMS type IssuerAndSerialNumber encoded 426 -- according to [RFC3852]. 427 -- Identifies a certificate of the subject. 428 -- REQUIRED for TD-INVALID-CERTIFICATES and 429 -- TD-TRUSTED-CERTIFIERS. 430 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 431 -- Identifies the subject's public key by a key 432 -- identifier. When an X.509 certificate is 433 -- referenced, this key identifier matches the X.509 434 -- subjectKeyIdentifier extension value. When other 435 -- certificate formats are referenced, the documents 436 -- that specify the certificate format and their use 437 -- with the CMS must include details on matching the 438 -- key identifier to the appropriate certificate 439 -- field. 440 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 441 ... 442 } 444 AuthPack ::= SEQUENCE { 445 pkAuthenticator [0] PKAuthenticator, 446 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 447 -- Type SubjectPublicKeyInfo is defined in 448 -- [RFC3280]. 449 -- Specifies Diffie-Hellman domain parameters 450 -- and the client's public key value [IEEE1363]. 451 -- The DH public key value is encoded as a BIT 452 -- STRING according to [RFC3279]. 453 -- This field is present only if the client wishes 454 -- to use the Diffie-Hellman key agreement method. 455 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 456 OPTIONAL, 457 -- Type AlgorithmIdentifier is defined in 458 -- [RFC3280]. 459 -- List of CMS public key encryption algorithm 460 -- identifiers, bulk encryption algorithm 461 -- identifiers, or signature algorithm identifiers 462 -- supported by the client in order of (decreasing) 463 -- preference. 464 clientDHNonce [3] DHNonce OPTIONAL, 465 -- Present only if the client indicates that it 466 -- wishes to reuse DH keys or to allow the KDC to 467 -- do so (see Section 3.2.3.1). 468 ... 469 } 471 PKAuthenticator ::= SEQUENCE { 472 cusec [0] INTEGER (0..999999), 473 ctime [1] KerberosTime, 474 -- cusec and ctime are used as in [RFC4120], for 475 -- replay prevention. 476 nonce [2] INTEGER (0..4294967295), 477 -- Chosen randomly; This nonce does not need to 478 -- match with the nonce in the KDC-REQ-BODY. 479 paChecksum [3] OCTET STRING OPTIONAL, 480 -- MUST be present. 481 -- Contains the SHA1 checksum, performed over 482 -- KDC-REQ-BODY. 483 ... 484 } 486 The ContentInfo [RFC3852] structure contained in the signedAuthPack 487 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and 488 is filled out as follows: 490 1. The contentType field of the type ContentInfo is id-signedData 491 (as defined in [RFC3852]), and the content field is a SignedData 492 (as defined in [RFC3852]). 494 2. The eContentType field for the type SignedData is id-pkinit- 495 authData: { iso(1) org(3) dod(6) internet(1) security(5) 496 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS 497 implementers: the signed attribute content-type MUST be present 498 in this SignedData instance and its value is id-pkinit-authData 499 according to [RFC3852]. 501 3. The eContent field for the type SignedData contains the DER 502 encoding of the type AuthPack. 504 4. The signerInfos field of the type SignedData contains a single 505 signerInfo, which contains the signature over the type AuthPack. 507 5. The AuthPack structure contains a PKAuthenticator, the client 508 public key information, the CMS encryption types supported by the 509 client and a DHNonce. The pkAuthenticator field certifies to the 510 KDC that the client has recent knowledge of the signing key that 511 authenticates the client. The clientPublicValue field specifies 512 Diffie-Hellman domain parameters and the client's public key 513 value. The DH public key value is encoded as a BIT STRING 514 according to [RFC3279]. The clientPublicValue field is present 515 only if the client wishes to use the Diffie-Hellman key agreement 516 method. The supportedCMSTypes field specifies the list of CMS 517 algorithm identifiers that are supported by the client in order 518 of (decreasing) preference, and can be used to identify a 519 signature algorithm or a public key encryption algorithm in the 520 keyEncryptionAlgorithm field of the type KeyTransRecipientInfo or 521 a bulk encryption algorithm in the contentEncryptionAlgorithm 522 field of the type EncryptedContentInfo [RFC3852] when encrypting 523 the AS reply key as described in Section 3.2.3.2. However, there 524 is no significance in the relative order between any two of 525 different types of algorithms: public key encryption algorithms, 526 bulk encryption algorithms and signature algorithms. The 527 clientDHNonce field is described later in this section. 529 6. The ctime field in the PKAuthenticator structure contains the 530 current time on the client's host, and the cusec field contains 531 the microsecond part of the client's timestamp. The ctime and 532 cusec fields are used together to specify a reasonably accurate 533 timestamp [RFC4120]. The nonce field is chosen randomly. The 534 paChecksum field MUST be present and it contains a SHA1 checksum 535 that is performed over the KDC-REQ-BODY [RFC4120]. In order to 536 ease future migration from the use of SHA1, the paChecksum field 537 is made optional syntactically: when the request is extended to 538 negotiate hash algorithms, the new client wishing not to use SHA1 539 will send the request in the extended message syntax without the 540 paChecksum field. The KDC conforming to this specification MUST 541 return a KRB-ERROR [RFC4120] message with the code 542 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (see Section 3.2.3). That 543 will allow a new client to retry with SHA1 if allowed by the 544 local policy. 546 7. The certificates field of the type SignedData contains 547 certificates intended to facilitate certification path 548 construction, so that the KDC can verify the signature over the 549 type AuthPack. For path validation, these certificates SHOULD be 550 sufficient to construct at least one certification path from the 551 client certificate to one trust anchor acceptable by the KDC 553 [RFC4158]. The client MUST be capable of including such a set of 554 certificates if configured to do so. The certificates field MUST 555 NOT contain "root" CA certificates. 557 8. The client's Diffie-Hellman public value (clientPublicValue) is 558 included if and only if the client wishes to use the Diffie- 559 Hellman key agreement method. The Diffie-Hellman domain 560 parameters [IEEE1363] for the client's public key are specified 561 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279] 562 and the client's Diffie-Hellman public key value is mapped to a 563 subjectPublicKey (a BIT STRING) according to [RFC3279]. When 564 using the Diffie-Hellman key agreement method, implementations 565 MUST support Oakley 1024-bit Modular Exponential (MODP) well- 566 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group 567 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known 568 group 16 [RFC3526]. 570 The Diffie-Hellman field size should be chosen so as to provide 571 sufficient cryptographic security [RFC3766]. 573 When MODP Diffie-Hellman is used, the exponents should have at 574 least twice as many bits as the symmetric keys that will be 575 derived from them [ODL99]. 577 9. The client may wish to reuse DH keys or to allow the KDC to do so 578 (see Section 3.2.3.1). If so, then the client includes the 579 clientDHNonce field. This nonce string MUST be as long as the 580 longest key length of the symmetric key types that the client 581 supports. This nonce MUST be chosen randomly. 583 The ExternalPrincipalIdentifier structure is used in this document to 584 identify the subject's public key thereby the subject principal. 585 This structure is filled out as follows: 587 1. The subjectName field contains a PKIX type Name encoded according 588 to [RFC3280]. This field identifies the certificate subject by 589 the distinguished subject name. This field is REQUIRED when 590 there is a distinguished subject name present in the certificate 591 being used. 593 2. The issuerAndSerialNumber field contains a CMS type 594 IssuerAndSerialNumber encoded according to [RFC3852]. This field 595 identifies a certificate of the subject. This field is REQUIRED 596 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both 597 structures are defined in Section 3.2.2). 599 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's 600 public key by a key identifier. When an X.509 certificate is 601 referenced, this key identifier matches the X.509 602 subjectKeyIdentifier extension value. When other certificate 603 formats are referenced, the documents that specify the 604 certificate format and their use with the CMS must include 605 details on matching the key identifier to the appropriate 606 certificate field. This field is RECOMMENDED for TD-TRUSTED- 607 CERTIFIERS (as defined in Section 3.2.2). 609 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list 610 of CAs, trusted by the client, that can be used to certify the KDC. 611 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate 612 (thereby its public key). 614 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type 615 SignerIdentifier encoded according to [RFC3852]. This field 616 identifies, if present, a particular KDC public key that the client 617 already has. 619 3.2.2. Receipt of Client Request 621 Upon receiving the client's request, the KDC validates it. This 622 section describes the steps that the KDC MUST (unless otherwise 623 noted) take in validating the request. 625 The KDC verifies the client's signature in the signedAuthPack field 626 according to [RFC3852]. 628 If, while validating the client's X.509 certificate [RFC3280], the 629 KDC cannot build a certification path to validate the client's 630 certificate, it sends back a KRB-ERROR [RFC4120] message with the 631 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for 632 this error message is a TYPED-DATA (as defined in [RFC4120]) that 633 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and 634 whose data-value contains the DER encoding of the type TD-TRUSTED- 635 CERTIFIERS: 637 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 638 ExternalPrincipalIdentifier 639 -- Identifies a list of CAs trusted by the KDC. 640 -- Each ExternalPrincipalIdentifier identifies a CA 641 -- or a CA certificate (thereby its public key). 643 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 644 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate 645 (thereby its public key) trusted by the KDC. 647 Upon receiving this error message, the client SHOULD retry only if it 648 has a different set of certificates (from those of the previous 649 requests) that form a certification path (or a partial path) from one 650 of the trust anchors acceptable by the KDC to its own certificate. 652 If, while processing the certification path, the KDC determines that 653 the signature on one of the certificates in the signedAuthPack field 654 is invalid, it returns a KRB-ERROR [RFC4120] message with the code 655 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error 656 message is a TYPED-DATA that contains an element whose data-type is 657 TD_INVALID_CERTIFICATES, and whose data-value contains the DER 658 encoding of the type TD-INVALID-CERTIFICATES: 660 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 661 ExternalPrincipalIdentifier 662 -- Each ExternalPrincipalIdentifier identifies a 663 -- certificate (sent by the client) with an invalid 664 -- signature. 666 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the 667 TD-INVALID-CERTIFICATES structure identifies a certificate (that was 668 sent by the client) with an invalid signature. 670 If more than one X.509 certificate signature is invalid, the KDC MAY 671 include one IssuerAndSerialNumber per invalid signature within the 672 TD-INVALID-CERTIFICATES. 674 The client's X.509 certificate is validated according to [RFC3280]. 676 Based on local policy, the KDC may also check whether any X.509 677 certificates in the certification path validating the client's 678 certificate have been revoked. If any of them have been revoked, the 679 KDC MUST return an error message with the code 680 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the 681 revocation status but is unable to do so, it SHOULD return an error 682 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The 683 certificate or certificates affected are identified exactly as for 684 the error code KDC_ERR_INVALID_CERTIFICATE (see above). 686 Note that the TD_INVALID_CERTIFICATES error data is only used to 687 identify invalid certificates sent by the client in the request. 689 The client's public key is then used to verify the signature. If the 690 signature fails to verify, the KDC MUST return an error message with 691 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for 692 this error message. 694 In addition to validating the client's signature, the KDC MUST also 695 check that the client's public key used to verify the client's 696 signature is bound to the client's principal name as specified in the 697 AS-REQ as follows: 699 1. If the KDC has its own binding between either the client's 700 signature-verification public key or the client's certificate and 701 the client's Kerberos principal name, it uses that binding. 703 2. Otherwise, if the client's X.509 certificate contains a Subject 704 Alternative Name (SAN) extension carrying a KRB5PrincipalName 705 (defined below) in the otherName field of the type GeneralName 706 [RFC3280], it binds the client's X.509 certificate to that name. 708 The type of the otherName field is AnotherName. The type-id field 709 of the type AnotherName is id-pkinit-san: 711 id-pkinit-san OBJECT IDENTIFIER ::= 712 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 713 x509SanAN (2) } 715 And the value field of the type AnotherName is a 716 KRB5PrincipalName. 718 KRB5PrincipalName ::= SEQUENCE { 719 realm [0] Realm, 720 principalName [1] PrincipalName 721 } 723 If the Kerberos client name in the AS-REQ does not match a name bound 724 by the KDC (the binding can be in the certificate, for example as 725 described above), or if there is no binding found by the KDC, the KDC 726 MUST return an error message with the code 727 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for 728 this error message. 730 Even if the certification path is validated and the certificate is 731 mapped to the client's principal name, the KDC may decide not to 732 accept the client's certificate, depending on local policy. 734 The KDC MAY require the presence of an Extended Key Usage (EKU) 735 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field 736 of the client's X.509 certificate: 738 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= 739 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 740 pkinit(3) keyPurposeClientAuth(4) } 741 -- PKINIT client authentication. 742 -- Key usage bits that MUST be consistent: 744 -- digitalSignature. 746 The digitalSignature key usage bit [RFC3280] MUST be asserted when 747 the intended purpose of the client's X.509 certificate is restricted 748 with the id-pkinit-KPClientAuth EKU. 750 If this EKU KeyPurposeId is required but it is not present or if the 751 client certificate is restricted not to be used for PKINIT client 752 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return 753 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There 754 is no accompanying e-data for this error message. KDCs implementing 755 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc- 756 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there 757 are a large number of X.509 client certificates deployed for use with 758 PKINIT which have this EKU. 760 As a matter of local policy, the KDC MAY decide to reject requests on 761 the basis of the absence or presence of other specific EKU OID's. 763 If the digest algorithm used in generating the CA signature for the 764 public key in any certificate of the request is not acceptable by the 765 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code 766 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be 767 encoded in TYPED-DATA although none is defined at this point. 769 If the client's public key is not accepted with reasons other than 770 what were specified above, the KDC returns a KRB-ERROR [RFC4120] 771 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no 772 accompanying e-data currently defined for this error message. 774 The KDC MUST check the timestamp to ensure that the request is not a 775 replay, and that the time skew falls within acceptable limits. The 776 recommendations for clock skew times in [RFC4120] apply here. If the 777 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or 778 KRB_AP_ERR_SKEW, respectively. 780 If the clientPublicValue is filled in, indicating that the client 781 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD 782 check to see if the key parameters satisfy its policy. If they do 783 not, it MUST return an error message with the code 784 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a 785 TYPED-DATA that contains an element whose data-type is 786 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of 787 the type TD-DH-PARAMETERS: 789 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 790 -- Each AlgorithmIdentifier specifies a set of 791 -- Diffie-Hellman domain parameters [IEEE1363]. 793 -- This list is in decreasing preference order. 795 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters 796 that the KDC supports in decreasing preference order, from which the 797 client SHOULD pick one to retry the request. 799 The AlgorithmIdentifier structure is defined in [RFC3280] and is 800 filled in according to [RFC3279]. More specifically Section 2.3.3 of 801 [RFC3279] describes how to fill in the AlgorithmIdentifier structure 802 in the case where MODP Diffie-Hellman key exchange is used. 804 If the client included a kdcPkId field in the PA-PK-AS-REQ and the 805 KDC does not possess the corresponding key, the KDC MUST ignore the 806 kdcPkId field as if the client did not include one. 808 If the digest algorithm used by the id-pkinit-authData is not 809 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120] 810 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED. 811 The accompanying e-data MUST be encoded in TYPED-DATA although none 812 is defined at this point. 814 3.2.3. Generation of KDC Reply 816 If the paChecksum filed in the request is not present, the KDC 817 conforming to this specification MUST return a KRB-ERROR [RFC4120] 818 message with the code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. The 819 accompanying e-data MUST be encoded in TYPED-DATA (no error data is 820 defined by this specification). 822 Assuming that the client's request has been properly validated, the 823 KDC proceeds as per [RFC4120], except as follows. 825 The KDC MUST set the initial flag and include an authorization data 826 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued 827 ticket. The ad-data [RFC4120] field contains the DER encoding of the 828 type AD-INITIAL-VERIFIED-CAS: 830 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 831 ExternalPrincipalIdentifier 832 -- Identifies the certification path based on which 833 -- the client certificate was validated. 834 -- Each ExternalPrincipalIdentifier identifies a CA 835 -- or a CA certificate (thereby its public key). 837 The AD-INITIAL-VERIFIED-CAS structure identifies the certification 838 path based on which the client certificate was validated. Each 839 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD- 840 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate 841 (thereby its public key). 843 Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization 844 data does permit empty SEQUENCEs to be encoded. Such empty sequences 845 may only be used if the KDC itself vouches for the user's 846 certificate. 848 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT 849 containers if the list of CAs satisfies the AS' realm's local policy 850 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag 851 [RFC4120]). Furthermore, any TGS MUST copy such authorization data 852 from tickets used within a PA-TGS-REQ of the TGS-REQ into the 853 resulting ticket. If the list of CAs satisfies the local KDC's 854 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT 855 container, otherwise it MAY unwrap the authorization data out of the 856 AD-IF-RELEVANT container. 858 Application servers that understand this authorization data type 859 SHOULD apply local policy to determine whether a given ticket bearing 860 such a type *not* contained within an AD-IF-RELEVANT container is 861 acceptable. (This corresponds to the AP server checking the 862 transited field when the TRANSITED-POLICY-CHECKED flag has not been 863 set [RFC4120].) If such a data type is contained within an AD-IF- 864 RELEVANT container, AP servers MAY apply local policy to determine 865 whether the authorization data is acceptable. 867 A pre-authentication data element, whose padata-type is PA_PK_AS_REP 868 and whose padata-value contains the DER encoding of the type PA-PK- 869 AS-REP (defined below), is included in the AS-REP [RFC4120]. 871 PA-PK-AS-REP ::= CHOICE { 872 dhInfo [0] DHRepInfo, 873 -- Selected when Diffie-Hellman key exchange is 874 -- used. 875 encKeyPack [1] IMPLICIT OCTET STRING, 876 -- Selected when public key encryption is used. 877 -- Contains a CMS type ContentInfo encoded 878 -- according to [RFC3852]. 879 -- The contentType field of the type ContentInfo is 880 -- id-envelopedData (1.2.840.113549.1.7.3). 881 -- The content field is an EnvelopedData. 882 -- The contentType field for the type EnvelopedData 883 -- is id-signedData (1.2.840.113549.1.7.2). 884 -- The eContentType field for the inner type 885 -- SignedData (when unencrypted) is 886 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 887 -- eContent field contains the DER encoding of the 888 -- type ReplyKeyPack. 890 -- ReplyKeyPack is defined in Section 3.2.3.2. 891 ... 892 } 894 DHRepInfo ::= SEQUENCE { 895 dhSignedData [0] IMPLICIT OCTET STRING, 896 -- Contains a CMS type ContentInfo encoded according 897 -- to [RFC3852]. 898 -- The contentType field of the type ContentInfo is 899 -- id-signedData (1.2.840.113549.1.7.2), and the 900 -- content field is a SignedData. 901 -- The eContentType field for the type SignedData is 902 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 903 -- eContent field contains the DER encoding of the 904 -- type KDCDHKeyInfo. 905 -- KDCDHKeyInfo is defined below. 906 serverDHNonce [1] DHNonce OPTIONAL, 907 -- Present if and only if dhKeyExpiration is 908 -- present in the KDCDHKeyInfo. 909 ... 910 } 912 KDCDHKeyInfo ::= SEQUENCE { 913 subjectPublicKey [0] BIT STRING, 914 -- The KDC's DH public key. 915 -- The DH public key value is encoded as a BIT 916 -- STRING according to [RFC3279]. 917 nonce [1] INTEGER (0..4294967295), 918 -- Contains the nonce in the pkAuthenticator field 919 -- in the request if the DH keys are NOT reused, 920 -- 0 otherwise. 921 dhKeyExpiration [2] KerberosTime OPTIONAL, 922 -- Expiration time for KDC's key pair, 923 -- present if and only if the DH keys are reused. 924 -- If present, the KDC's DH public key MUST not be 925 -- used past the point of this expiration time. 926 -- If this field is omitted then the serverDHNonce 927 -- field MUST also be omitted. 928 ... 929 } 931 The content of the AS-REP is otherwise unchanged from [RFC4120]. The 932 KDC encrypts the reply as usual, but not with the client's long-term 933 key. Instead, it encrypts it with either a shared key derived from a 934 Diffie-Hellman exchange, or a generated encryption key. The contents 935 of the PA-PK-AS-REP indicate which key delivery method is used. 937 In addition, the lifetime of the ticket returned by the KDC MUST NOT 938 exceed that of the client's public-private key pair. The ticket 939 lifetime, however, can be shorter than that of the client's public- 940 private key pair. For the implementations of this specification, the 941 lifetime of the client's public-private key pair is the validity 942 period in X.509 certificates [RFC3280], unless configured otherwise. 944 3.2.3.1. Using Diffie-Hellman Key Exchange 946 In this case, the PA-PK-AS-REP contains a DHRepInfo structure. 948 The ContentInfo [RFC3852] structure for the dhSignedData field is 949 filled in as follows: 951 1. The contentType field of the type ContentInfo is id-signedData 952 (as defined in [RFC3852]), and the content field is a SignedData 953 (as defined in [RFC3852]). 955 2. The eContentType field for the type SignedData is the OID value 956 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1) 957 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS 958 implementers: the signed attribute content-type MUST be present 959 in this SignedData instance and its value is id-pkinit-DHKeyData 960 according to [RFC3852]. 962 3. The eContent field for the type SignedData contains the DER 963 encoding of the type KDCDHKeyInfo. 965 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce 966 and optionally the expiration time of the KDC's DH key being 967 reused. The subjectPublicKey field of the type KDCDHKeyInfo 968 field identifies KDC's DH public key. This DH public key value 969 is encoded as a BIT STRING according to [RFC3279]. The nonce 970 field contains the nonce in the pkAuthenticator field in the 971 request if the DH keys are NOT reused. The value of this nonce 972 field is 0 if the DH keys are reused. The dhKeyExpiration field 973 is present if and only if the DH keys are reused. If the 974 dhKeyExpiration field is present, the KDC's public key in this 975 KDCDHKeyInfo structure MUST NOT be used past the point of this 976 expiration time. If this field is omitted then the serverDHNonce 977 field MUST also be omitted. 979 5. The signerInfos field of the type SignedData contains a single 980 signerInfo, which contains the signature over the type 981 KDCDHKeyInfo. 983 6. The certificates field of the type SignedData contains 984 certificates intended to facilitate certification path 985 construction, so that the client can verify the KDC's signature 986 over the type KDCDHKeyInfo. The information contained in the 987 trustedCertifiers in the request SHOULD be used by the KDC as 988 hints to guide its selection of an appropriate certificate chain 989 to return to the client. This field may be left empty if the KDC 990 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 991 used for signing. Otherwise, for path validation, these 992 certificates SHOULD be sufficient to construct at least one 993 certification path from the KDC certificate to one trust anchor 994 acceptable by the client [RFC4158]. The KDC MUST be capable of 995 including such a set of certificates if configured to do so. The 996 certificates field MUST NOT contain "root" CA certificates. 998 7. If the client included the clientDHNonce field, then the KDC may 999 choose to reuse its DH keys. If the server reuses DH keys then 1000 it MUST include an expiration time in the dhKeyExpiration field. 1001 Past the point of the expiration time, the signature over the 1002 type DHRepInfo is considered expired/invalid. When the server 1003 reuses DH keys then it MUST include a serverDHNonce at least as 1004 long as the length of keys for the symmetric encryption system 1005 used to encrypt the AS reply. Note that including the 1006 serverDHNonce changes how the client and server calculate the key 1007 to use to encrypt the reply; see below for details. The KDC 1008 SHOULD NOT reuse DH keys unless the clientDHNonce field is 1009 present in the request. 1011 The AS reply key is derived as follows: 1013 1. Both the KDC and the client calculate the shared secret value as 1014 follows: 1016 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the 1017 shared secret value. DHSharedSecret is the value ZZ as 1018 described in Section 2.1.1 of [RFC2631]. 1020 DHSharedSecret is first padded with leading zeros such that the 1021 size of DHSharedSecret in octets is the same as that of the 1022 modulus, then represented as a string of octets in big-endian 1023 order. 1025 Implementation note: Both the client and the KDC can cache the 1026 triple (ya, yb, DHSharedSecret), where ya is the client's public 1027 key and yb is the KDC's public key. If both ya and yb are the 1028 same in a later exchange, the cached DHSharedSecret can be used. 1030 2. Let K be the key-generation seed length [RFC3961] of the AS reply 1031 key whose enctype is selected according to [RFC4120]. 1033 3. Define the function octetstring2key() as follows: 1035 octetstring2key(x) == random-to-key(K-truncate( 1036 SHA1(0x00 | x) | 1037 SHA1(0x01 | x) | 1038 SHA1(0x02 | x) | 1039 ... 1040 )) 1042 where x is an octet string; | is the concatenation operator; 0x00, 1043 0x01, 0x02, etc., are each represented as a single octet; random- 1044 to-key() is an operation that generates a protocol key from a 1045 bitstring of length K; and K-truncate truncates its input to the 1046 first K bits. Both K and random-to-key() are as defined in the 1047 kcrypto profile [RFC3961] for the enctype of the AS reply key. 1049 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be 1050 the serverDHNonce; otherwise, let both n_c and n_k be empty octet 1051 strings. 1053 5. The AS reply key k is: 1055 k = octetstring2key(DHSharedSecret | n_c | n_k) 1057 3.2.3.2. Using Public Key Encryption 1059 In this case, the PA-PK-AS-REP contains the encKeyPack field where 1060 the AS reply key is encrypted. 1062 The ContentInfo [RFC3852] structure for the encKeyPack field is 1063 filled in as follows: 1065 1. The contentType field of the type ContentInfo is id-envelopedData 1066 (as defined in [RFC3852]), and the content field is an 1067 EnvelopedData (as defined in [RFC3852]). 1069 2. The contentType field for the type EnvelopedData is id- 1070 signedData: { iso (1) member-body (2) us (840) rsadsi (113549) 1071 pkcs (1) pkcs7 (7) signedData (2) }. 1073 3. The eContentType field for the inner type SignedData (when 1074 decrypted from the encryptedContent field for the type 1075 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6) 1076 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }. 1077 Notes to CMS implementers: the signed attribute content-type MUST 1078 be present in this SignedData instance and its value is id- 1079 pkinit-rkeyData according to [RFC3852]. 1081 4. The eContent field for the inner type SignedData contains the DER 1082 encoding of the type ReplyKeyPack (as described below). 1084 5. The signerInfos field of the inner type SignedData contains a 1085 single signerInfo, which contains the signature for the type 1086 ReplyKeyPack. 1088 6. The certificates field of the inner type SignedData contains 1089 certificates intended to facilitate certification path 1090 construction, so that the client can verify the KDC's signature 1091 for the type ReplyKeyPack. The information contained in the 1092 trustedCertifiers in the request SHOULD be used by the KDC as 1093 hints to guide its selection of an appropriate certificate chain 1094 to return to the client. This field may be left empty if the KDC 1095 public key specified by the kdcPkId field in the PA-PK-AS-REQ was 1096 used for signing. Otherwise, for path validation, these 1097 certificates SHOULD be sufficient to construct at least one 1098 certification path from the KDC certificate to one trust anchor 1099 acceptable by the client [RFC4158]. The KDC MUST be capable of 1100 including such a set of certificates if configured to do so. The 1101 certificates field MUST NOT contain "root" CA certificates. 1103 7. The recipientInfos field of the type EnvelopedData is a SET which 1104 MUST contain exactly one member of type KeyTransRecipientInfo. 1105 The encryptedKey of this member contains the temporary key which 1106 is encrypted using the client's public key. 1108 8. The unprotectedAttrs or originatorInfo fields of the type 1109 EnvelopedData MAY be present. 1111 If there is a supportedCMSTypes field in the AuthPack, the KDC must 1112 check to see if it supports any of the listed types. If it supports 1113 more than one of the types, the KDC SHOULD use the one listed first. 1114 If it does not support any of them, it MUST return an error message 1115 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120]. 1117 Furthermore the KDC computes the checksum of the AS-REQ in the client 1118 request. This checksum is performed over the type AS-REQ and the 1119 protocol key [RFC3961] of the checksum operation is the replyKey and 1120 the key usage number is 6. If the replyKey's enctype is "newer" 1121 [RFC4120] [RFC4121], the checksum operation is the required checksum 1122 operation [RFC3961] of that enctype. 1124 ReplyKeyPack ::= SEQUENCE { 1125 replyKey [0] EncryptionKey, 1126 -- Contains the session key used to encrypt the 1127 -- enc-part field in the AS-REP, i.e. the 1128 -- AS reply key. 1129 asChecksum [1] Checksum, 1130 -- Contains the checksum of the AS-REQ 1131 -- corresponding to the containing AS-REP. 1132 -- The checksum is performed over the type AS-REQ. 1133 -- The protocol key [RFC3961] of the checksum is the 1134 -- replyKey and the key usage number is 6. 1135 -- If the replyKey's enctype is "newer" [RFC4120] 1136 -- [RFC4121], the checksum is the required 1137 -- checksum operation [RFC3961] for that enctype. 1138 -- The client MUST verify this checksum upon receipt 1139 -- of the AS-REP. 1140 ... 1141 } 1143 Implementations of this RSA encryption key delivery method are 1144 RECOMMENDED to support RSA keys at least 2048 bits in size. 1146 3.2.4. Receipt of KDC Reply 1148 Upon receipt of the KDC's reply, the client proceeds as follows. If 1149 the PA-PK-AS-REP contains the dhSignedData field, the client derives 1150 the AS reply key using the same procedure used by the KDC as defined 1151 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack 1152 field, and the client decrypts and extracts the temporary key in the 1153 encryptedKey field of the member KeyTransRecipientInfo, and then uses 1154 that as the AS reply key. 1156 If the public key encryption method is used, the client MUST verify 1157 the asChecksum contained in the ReplyKeyPack. 1159 In either case, the client MUST verify the signature in the 1160 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST 1161 be validated according to [RFC3280]. In addition, unless the client 1162 can otherwise verify that the public key used to verify the KDC's 1163 signature is bound to the KDC of the target realm, the KDC's X.509 1164 certificate MUST contain a Subject Alternative Name extension 1165 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as 1166 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that 1167 matches the name of the TGS of the target realm (as defined in 1168 Section 7.3 of [RFC4120]). 1170 Unless the client knows by some other means that the KDC certificate 1171 is intended for a Kerberos KDC, the client MUST require that the KDC 1172 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc: 1174 id-pkinit-KPKdc OBJECT IDENTIFIER ::= 1175 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1176 pkinit(3) keyPurposeKdc(5) } 1177 -- Signing KDC responses. 1178 -- Key usage bits that MUST be consistent: 1179 -- digitalSignature. 1181 The digitalSignature key usage bit [RFC3280] MUST be asserted when 1182 the intended purpose of the KDC's X.509 certificate is restricted 1183 with the id-pkinit-KPKdc EKU. 1185 If the KDC certificate contains the Kerberos TGS name encoded as an 1186 id-pkinit-san SAN, this certificate is certified by the issuing CA as 1187 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required. 1189 If all applicable checks are satisfied, the client then decrypts the 1190 enc-part field of the KDC-REP in the AS-REP using the AS reply key, 1191 and then proceeds as described in [RFC4120]. 1193 3.3. Interoperability Requirements 1195 The client MUST be capable of sending a set of certificates 1196 sufficient to allow the KDC to construct a certification path for the 1197 client's certificate, if the correct set of certificates is provided 1198 through configuration or policy. 1200 If the client sends all the X.509 certificates on a certification 1201 path to a trust anchor acceptable by the KDC, and the KDC can not 1202 verify the client's public key otherwise, the KDC MUST be able to 1203 process path validation for the client's certificate based on the 1204 certificates in the request. 1206 The KDC MUST be capable of sending a set of certificates sufficient 1207 to allow the client to construct a certification path for the KDC's 1208 certificate, if the correct set of certificates is provided through 1209 configuration or policy. 1211 If the KDC sends all the X.509 certificates on a certification path 1212 to a trust anchor acceptable by the client, and the client can not 1213 verify the KDC's public key otherwise, the client MUST be able to 1214 process path validation for the KDC's certificate based on the 1215 certificates in the reply. 1217 3.4. KDC Indication of PKINIT Support 1219 If pre-authentication is required, but was not present in the 1220 request, per [RFC4120] an error message with the code 1221 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be 1222 stored in the e-data field of the KRB-ERROR message to specify which 1223 pre-authentication mechanisms are acceptable. The KDC can then 1224 indicate the support of PKINIT by including an empty element whose 1225 padata-type is PA_PK_AS_REQ in that METHOD-DATA object. 1227 Otherwise if it is required by the KDC's local policy that the client 1228 must be pre-authenticated using the pre-authentication mechanism 1229 specified in this document, but no PKINIT pre-authentication was 1230 present in the request, an error message with the code 1231 KDC_ERR_PREAUTH_FAILED SHOULD be returned. 1233 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in 1234 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET 1235 STRING), and clients MUST ignore this and any other value. Future 1236 extensions to this protocol may specify other data to send instead of 1237 an empty OCTET STRING. 1239 4. Security Considerations 1241 The security of cryptographic algorithms is dependent on generating 1242 secret quantities [RFC4086]. The number of truly random bits is 1243 extremely important to determining the attack resistance strength of 1244 the cryptosystem, for example, the secret Diffie-Hellman exponents 1245 must be chosen based on n truly random bits (where n is the system 1246 security requirement). The security of the overall system is 1247 significantly weakened by using insufficient random inputs: a 1248 sophisticated attacker may find it easier to reproduce the 1249 environment that produced the secret quantities and to search the 1250 resulting small set of possibilities than to locate the quantities in 1251 the whole of the potential number space. 1253 Kerberos error messages are not integrity protected, as a result, the 1254 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered 1255 with by an attacker so that the set of domain parameters selected 1256 could be either weaker or not mutually preferred. Local policy can 1257 configure sets of domain parameters acceptable locally, or disallow 1258 the negotiation of DH domain parameters. 1260 The symmetric reply key size and Diffie-Hellman field size or RSA 1261 modulus size should be chosen so as to provide sufficient 1262 cryptographic security [RFC3766]. 1264 When MODP Diffie-Hellman is used, the exponents should have at least 1265 twice as many bits as the symmetric keys that will be derived from 1266 them [ODL99]. 1268 PKINIT raises certain security considerations beyond those that can 1269 be regulated strictly in protocol definitions. We will address them 1270 in this section. 1272 PKINIT extends the cross-realm model to the public-key 1273 infrastructure. Users of PKINIT must understand security policies 1274 and procedures appropriate to the use of Public Key Infrastructures 1275 [RFC3280]. 1277 In order to trust a KDC certificate that is certified by a CA as a 1278 KDC certificate for a target realm (for example, by asserting the TGS 1279 name of that Kerberos realm as an id-pkinit-san SAN and/or 1280 restricting the certificate usage by using the id-pkinit-KPKdc EKU, 1281 as described in Section 3.2.4), the client MUST verify that the KDC 1282 certificate's issuing CA is authorized to issue KDC certificates for 1283 that target realm. Otherwise, the binding between the KDC 1284 certificate and the KDC of the target realm is not established. 1286 How to validate this authorization is a matter of local policy. A 1287 way to achieve this is the configuration of specific sets of 1288 intermediary CAs and trust anchors, one of which must be on the KDC 1289 certificate's certification path [RFC3280]; and for each CA or trust 1290 anchor the realms for which it is allowed to issue certificates. 1292 In addition, if any CA is trusted to issue KDC certificates can also 1293 issue other kinds of certificates, then local policy must be able to 1294 distinguish between them: for example, it could require that KDC 1295 certificates contain the id-pkinit-KPKdc EKU or that the realm be 1296 specified with the id-pkinit-san SAN. 1298 It is the responsibility of the PKI administrators for an 1299 organization to ensure that KDC certificates are only issued to KDCs, 1300 and that clients can ascertain this using their local policy. 1302 Standard Kerberos allows the possibility of interactions between 1303 cryptosystems of varying strengths; this document adds interactions 1304 with public-key cryptosystems to Kerberos. Some administrative 1305 policies may allow the use of relatively weak public keys. When 1306 using such weak asymmetric keys to protect/exchange stronger 1307 symmetric Keys, the attack resistant strength of the overall system 1308 is no better than that of these weak keys [RFC3766]. 1310 PKINIT requires keys for symmetric cryptosystems to be generated. 1311 Some such systems contain "weak" keys. For recommendations regarding 1312 these weak keys, see [RFC4120]. 1314 PKINIT allows the use of the same RSA key pair for encryption and 1315 signing when doing RSA encryption based key delivery. This is not 1316 recommended usage of RSA keys [RFC3447], by using DH based key 1317 delivery this is avoided. 1319 Care should be taken in how certificates are chosen for the purposes 1320 of authentication using PKINIT. Some local policies may require that 1321 key escrow be used for certain certificate types. Deployers of 1322 PKINIT should be aware of the implications of using certificates that 1323 have escrowed keys for the purposes of authentication. Because 1324 signing only certificates are normally not escrowed, by using DH 1325 based key delivery this is avoided. 1327 PKINIT does not provide for a "return routability" test to prevent 1328 attackers from mounting a denial-of-service attack on the KDC by 1329 causing it to perform unnecessary and expensive public-key 1330 operations. Strictly speaking, this is also true of standard 1331 Kerberos, although the potential cost is not as great, because 1332 standard Kerberos does not make use of public-key cryptography. By 1333 using DH based key delivery and reusing DH keys, the necessary crypto 1334 processing cost per request can be minimized. 1336 When the Diffie-Hellman key exchange method is used, additional pre- 1337 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as 1338 defined in this specification) is not bound to the AS_REQ by the 1339 mechanisms discussed in this specification (meaning it may be dropped 1340 or added by attackers without being detected by either the client or 1341 the KDC). Designers of additional pre-authentication data should 1342 take that into consideration if such additional pre-authentication 1343 data can be used in conjunction with the PA_PK_AS_REQ. The future 1344 work of the Kerberos working group is expected to update the hash 1345 algorithms specified in this document and provide a generic mechanism 1346 to bind additional pre-authentication data with the accompanying 1347 AS_REQ. 1349 5. Acknowledgements 1351 The following people have made significant contributions to this 1352 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist 1353 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey 1354 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M 1355 Grundman and Jeffrey Altman. 1357 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and 1358 Chris Walstad discovered a binding issue between the AS-REQ and AS- 1359 REP in draft -26, the asChecksum field was added as the result. 1361 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and 1362 Jonathan Trostle who wrote earlier versions of this document. 1364 The authors are indebted to the Kerberos working group chair Jeffrey 1365 Hutzelman who kept track of various issues and was enormously helpful 1366 during the creation of this document. 1368 Some of the ideas on which this document is based arose during 1369 discussions over several years between members of the SAAG, the IETF 1370 CAT working group, and the PSRG, regarding integration of Kerberos 1371 and SPX. Some ideas have also been drawn from the DASS system. 1372 These changes are by no means endorsed by these groups. This is an 1373 attempt to revive some of the goals of those groups, and this 1374 document approaches those goals primarily from the Kerberos 1375 perspective. 1377 Lastly, comments from groups working on similar ideas in DCE have 1378 been invaluable. 1380 6. IANA Considerations 1382 This document has no actions for IANA. 1384 7. References 1386 7.1. Normative References 1388 [IEEE1363] 1389 IEEE, "Standard Specifications for Public Key 1390 Cryptography", IEEE 1363, 2000. 1392 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1393 Requirement Levels", BCP 14, RFC 2119, March 1997. 1395 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", 1396 RFC 2412, November 1998. 1398 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 1399 RFC 2631, June 1999. 1401 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and 1402 Identifiers for the Internet X.509 Public Key 1403 Infrastructure Certificate and Certificate Revocation List 1404 (CRL) Profile", RFC 3279, April 2002. 1406 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet 1407 X.509 Public Key Infrastructure Certificate and 1408 Certificate Revocation List (CRL) Profile", RFC 3280, 1409 April 2002. 1411 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) 1412 Algorithms", RFC 3370, August 2002. 1414 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography 1415 Standards (PKCS) #1: RSA Cryptography Specifications 1416 Version 2.1", RFC 3447, February 2003. 1418 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) 1419 Diffie-Hellman groups for Internet Key Exchange (IKE)", 1420 RFC 3526, May 2003. 1422 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) 1423 Encryption Algorithm in Cryptographic Message Syntax 1424 (CMS)", RFC 3565, July 2003. 1426 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For 1427 Public Keys Used For Exchanging Symmetric Keys", BCP 86, 1428 RFC 3766, April 2004. 1430 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)", 1431 RFC 3852, July 2004. 1433 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1434 Kerberos 5", RFC 3961, February 2005. 1436 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) 1437 Encryption for Kerberos 5", RFC 3962, February 2005. 1439 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 1440 Requirements for Security", BCP 106, RFC 4086, June 2005. 1442 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1443 Kerberos Network Authentication Service (V5)", RFC 4120, 1444 July 2005. 1446 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, 1447 Information technology - Abstract Syntax Notation One 1448 (ASN.1): Specification of basic notation. 1450 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002, 1451 Information technology - ASN.1 encoding Rules: Specification 1452 of Basic Encoding Rules (BER), Canonical Encoding Rules 1453 (CER) and Distinguished Encoding Rules (DER). 1455 7.2. Informative References 1457 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key 1458 Sizes", Journal of Cryptology 14 (2001) 255-293. 1460 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the 1461 future, Designs, Codes, and Cryptography (1999)". 1462 April 1999. 1464 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 1465 Version 5 Generic Security Service Application Program 1466 Interface (GSS-API) Mechanism: Version 2", RFC 4121, 1467 July 2005. 1469 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R. 1470 Nicholas, "Internet X.509 Public Key Infrastructure: 1471 Certification Path Building", RFC 4158, September 2005. 1473 Appendix A. PKINIT ASN.1 Module 1475 KerberosV5-PK-INIT-SPEC { 1476 iso(1) identified-organization(3) dod(6) internet(1) 1477 security(5) kerberosV5(2) modules(4) pkinit(5) 1478 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1480 IMPORTS 1481 SubjectPublicKeyInfo, AlgorithmIdentifier 1482 FROM PKIX1Explicit88 { iso (1) 1483 identified-organization (3) dod (6) internet (1) 1484 security (5) mechanisms (5) pkix (7) id-mod (0) 1485 id-pkix1-explicit (18) } 1486 -- As defined in RFC 3280. 1488 KerberosTime, PrincipalName, Realm, EncryptionKey 1489 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1490 dod(6) internet(1) security(5) kerberosV5(2) 1491 modules(4) krb5spec2(2) } ; 1493 id-pkinit OBJECT IDENTIFIER ::= 1494 { iso (1) org (3) dod (6) internet (1) security (5) 1495 kerberosv5 (2) pkinit (3) } 1497 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 } 1498 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 } 1499 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 } 1500 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 } 1501 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 } 1503 id-pkinit-san OBJECT IDENTIFIER ::= 1504 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2) 1505 x509SanAN (2) } 1507 pa-pk-as-req INTEGER ::= 16 1508 pa-pk-as-rep INTEGER ::= 17 1510 ad-initial-verified-cas INTEGER ::= 9 1512 td-trusted-certifiers INTEGER ::= 104 1513 td-invalid-certificates INTEGER ::= 105 1514 td-dh-parameters INTEGER ::= 109 1516 PA-PK-AS-REQ ::= SEQUENCE { 1517 signedAuthPack [0] IMPLICIT OCTET STRING, 1518 -- Contains a CMS type ContentInfo encoded 1519 -- according to [RFC3852]. 1520 -- The contentType field of the type ContentInfo 1521 -- is id-signedData (1.2.840.113549.1.7.2), 1522 -- and the content field is a SignedData. 1523 -- The eContentType field for the type SignedData is 1524 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the 1525 -- eContent field contains the DER encoding of the 1526 -- type AuthPack. 1527 -- AuthPack is defined below. 1528 trustedCertifiers [1] SEQUENCE OF 1529 ExternalPrincipalIdentifier OPTIONAL, 1530 -- Contains a list of CAs, trusted by the client, 1531 -- that can be used to certify the KDC. 1532 -- Each ExternalPrincipalIdentifier identifies a CA 1533 -- or a CA certificate (thereby its public key). 1534 -- The information contained in the 1535 -- trustedCertifiers SHOULD be used by the KDC as 1536 -- hints to guide its selection of an appropriate 1537 -- certificate chain to return to the client. 1538 kdcPkId [2] IMPLICIT OCTET STRING 1539 OPTIONAL, 1540 -- Contains a CMS type SignerIdentifier encoded 1541 -- according to [RFC3852]. 1542 -- Identifies, if present, a particular KDC 1543 -- public key that the client already has. 1544 ... 1545 } 1547 DHNonce ::= OCTET STRING 1548 ExternalPrincipalIdentifier ::= SEQUENCE { 1549 subjectName [0] IMPLICIT OCTET STRING OPTIONAL, 1550 -- Contains a PKIX type Name encoded according to 1551 -- [RFC3280]. 1552 -- Identifies the certificate subject by the 1553 -- distinguished subject name. 1554 -- REQUIRED when there is a distinguished subject 1555 -- name present in the certificate. 1556 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL, 1557 -- Contains a CMS type IssuerAndSerialNumber encoded 1558 -- according to [RFC3852]. 1559 -- Identifies a certificate of the subject. 1560 -- REQUIRED for TD-INVALID-CERTIFICATES and 1561 -- TD-TRUSTED-CERTIFIERS. 1562 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL, 1563 -- Identifies the subject's public key by a key 1564 -- identifier. When an X.509 certificate is 1565 -- referenced, this key identifier matches the X.509 1566 -- subjectKeyIdentifier extension value. When other 1567 -- certificate formats are referenced, the documents 1568 -- that specify the certificate format and their use 1569 -- with the CMS must include details on matching the 1570 -- key identifier to the appropriate certificate 1571 -- field. 1572 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS. 1573 ... 1574 } 1576 AuthPack ::= SEQUENCE { 1577 pkAuthenticator [0] PKAuthenticator, 1578 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL, 1579 -- Type SubjectPublicKeyInfo is defined in 1580 -- [RFC3280]. 1581 -- Specifies Diffie-Hellman domain parameters 1582 -- and the client's public key value [IEEE1363]. 1583 -- The DH public key value is encoded as a BIT 1584 -- STRING according to [RFC3279]. 1585 -- This field is present only if the client wishes 1586 -- to use the Diffie-Hellman key agreement method. 1587 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier 1588 OPTIONAL, 1589 -- Type AlgorithmIdentifier is defined in 1590 -- [RFC3280]. 1591 -- List of CMS public key encryption algorithm 1592 -- identifiers, bulk encryption algorithm 1593 -- identifiers, or signature algorithm identifiers 1594 -- supported by the client in order of (decreasing) 1595 -- preference. 1597 clientDHNonce [3] DHNonce OPTIONAL, 1598 -- Present only if the client indicates that it 1599 -- wishes to reuse DH keys or to allow the KDC to 1600 -- do so. 1601 ... 1602 } 1604 PKAuthenticator ::= SEQUENCE { 1605 cusec [0] INTEGER (0..999999), 1606 ctime [1] KerberosTime, 1607 -- cusec and ctime are used as in [RFC4120], for 1608 -- replay prevention. 1609 nonce [2] INTEGER (0..4294967295), 1610 -- Chosen randomly; This nonce does not need to 1611 -- match with the nonce in the KDC-REQ-BODY. 1612 paChecksum [3] OCTET STRING OPTIONAL, 1613 -- MUST be present. 1614 -- Contains the SHA1 checksum, performed over 1615 -- KDC-REQ-BODY. 1616 ... 1617 } 1619 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF 1620 ExternalPrincipalIdentifier 1621 -- Identifies a list of CAs trusted by the KDC. 1622 -- Each ExternalPrincipalIdentifier identifies a CA 1623 -- or a CA certificate (thereby its public key). 1625 TD-INVALID-CERTIFICATES ::= SEQUENCE OF 1626 ExternalPrincipalIdentifier 1627 -- Each ExternalPrincipalIdentifier identifies a 1628 -- certificate (sent by the client) with an invalid 1629 -- signature. 1631 KRB5PrincipalName ::= SEQUENCE { 1632 realm [0] Realm, 1633 principalName [1] PrincipalName 1634 } 1636 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF 1637 ExternalPrincipalIdentifier 1638 -- Identifies the certification path based on which 1639 -- the client certificate was validated. 1640 -- Each ExternalPrincipalIdentifier identifies a CA 1641 -- or a CA certificate (thereby its public key). 1643 PA-PK-AS-REP ::= CHOICE { 1644 dhInfo [0] DHRepInfo, 1645 -- Selected when Diffie-Hellman key exchange is 1646 -- used. 1647 encKeyPack [1] IMPLICIT OCTET STRING, 1648 -- Selected when public key encryption is used. 1649 -- Contains a CMS type ContentInfo encoded 1650 -- according to [RFC3852]. 1651 -- The contentType field of the type ContentInfo is 1652 -- id-envelopedData (1.2.840.113549.1.7.3). 1653 -- The content field is an EnvelopedData. 1654 -- The contentType field for the type EnvelopedData 1655 -- is id-signedData (1.2.840.113549.1.7.2). 1656 -- The eContentType field for the inner type 1657 -- SignedData (when unencrypted) is 1658 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the 1659 -- eContent field contains the DER encoding of the 1660 -- type ReplyKeyPack. 1661 -- ReplyKeyPack is defined below. 1662 ... 1663 } 1665 DHRepInfo ::= SEQUENCE { 1666 dhSignedData [0] IMPLICIT OCTET STRING, 1667 -- Contains a CMS type ContentInfo encoded according 1668 -- to [RFC3852]. 1669 -- The contentType field of the type ContentInfo is 1670 -- id-signedData (1.2.840.113549.1.7.2), and the 1671 -- content field is a SignedData. 1672 -- The eContentType field for the type SignedData is 1673 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the 1674 -- eContent field contains the DER encoding of the 1675 -- type KDCDHKeyInfo. 1676 -- KDCDHKeyInfo is defined below. 1677 serverDHNonce [1] DHNonce OPTIONAL, 1678 -- Present if and only if dhKeyExpiration is 1679 -- present. 1680 ... 1681 } 1683 KDCDHKeyInfo ::= SEQUENCE { 1684 subjectPublicKey [0] BIT STRING, 1685 -- The KDC's DH public key. 1686 -- The DH public key value is encoded as a BIT 1687 -- STRING according to [RFC3279]. 1688 nonce [1] INTEGER (0..4294967295), 1689 -- Contains the nonce in the pkAuthenticator field 1690 -- in the request if the DH keys are NOT reused, 1691 -- 0 otherwise. 1692 dhKeyExpiration [2] KerberosTime OPTIONAL, 1693 -- Expiration time for KDC's key pair, 1694 -- present if and only if the DH keys are reused. 1695 -- If present, the KDC's DH public key MUST not be 1696 -- used past the point of this expiration time. 1697 -- If this field is omitted then the serverDHNonce 1698 -- field MUST also be omitted. 1699 ... 1700 } 1702 ReplyKeyPack ::= SEQUENCE { 1703 replyKey [0] EncryptionKey, 1704 -- Contains the session key used to encrypt the 1705 -- enc-part field in the AS-REP, i.e. the 1706 -- AS reply key. 1707 asChecksum [1] Checksum, 1708 -- Contains the checksum of the AS-REQ 1709 -- corresponding to the containing AS-REP. 1710 -- The checksum is performed over the type AS-REQ. 1711 -- The protocol key [RFC3961] of the checksum is the 1712 -- replyKey and the key usage number is 6. 1713 -- If the replyKey's enctype is "newer" [RFC4120] 1714 -- [RFC4121], the checksum is the required 1715 -- checksum operation [RFC3961] for that enctype. 1716 -- The client MUST verify this checksum upon receipt 1717 -- of the AS-REP. 1718 ... 1719 } 1721 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier 1722 -- Each AlgorithmIdentifier specifies a set of 1723 -- Diffie-Hellman domain parameters [IEEE1363]. 1724 -- This list is in decreasing preference order. 1725 END 1727 Appendix B. Test Vectors 1729 Function octetstring2key() is defined in Section 3.2.3.1. This 1730 section describes a few sets of test vectors that would be useful for 1731 implementers of octetstring2key(). 1733 Set 1 1734 ===== 1735 Input octet string x is: 1737 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1738 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1739 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1741 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1742 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1743 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1744 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1745 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1746 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1747 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1748 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1749 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1751 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1752 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1754 Output of K-truncate() when the key size is 32 octets: 1756 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83 1757 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41 1759 Set 2: 1760 ===== 1761 Input octet string x is: 1763 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1764 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1765 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1766 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1767 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1768 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1769 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1772 Output of K-truncate() when the key size is 32 octets: 1774 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb 1775 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e 1777 Set 3: 1778 ====== 1779 Input octet string x is: 1781 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1782 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1783 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1784 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1785 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 1786 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 1787 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 1788 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1790 Output of K-truncate() when the key size is 32 octets: 1792 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3 1793 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e 1795 Set 4: 1796 ===== 1797 Input octet string x is: 1799 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 1800 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1801 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 1802 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 1803 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 1805 Output of K-truncate() when the key size is 32 octets: 1807 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a 1808 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc 1810 Appendix C. Miscellaneous Information about Microsoft Windows PKINIT 1811 Implementations 1813 Earlier revisions of the PKINIT I-D were implemented in various 1814 releases of Microsoft Windows and deployed in fairly large numbers. 1815 To enable the community to better interoperate with systems running 1816 those releases, the following information may be useful. 1818 KDC certificates issued by Windows 2000 Enterprise CAs contain a 1819 dNSName SAN with the DNS name of the host running the KDC, and the 1820 id-kp-serverAuth EKU [RFC3280]. 1822 KDC certificates issued by Windows 2003 Enterprise CAs contain a 1823 dNSName SAN with the DNS name of the host running the KDC, the id-kp- 1824 serverAuth EKU and the id-ms-kp-sc-logon EKU. 1826 It is anticipated that the next release of Windows is already too far 1827 along to allow it to support the issuing KDC certificates with id- 1828 pkinit-san SAN as specified in this RFC. Instead, they will have a 1829 dNSName SAN containing the domain name of the KDC and the intended 1830 purpose of these KDC certificates be restricted by the presence of 1831 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU. 1833 In addition to checking that the above are present in a KDC 1834 certificate, Windows clients verify that the issuer of the KDC 1835 certificate is one of a set of allowed issuers of such certificates, 1836 so those wishing to issue KDC certificates need to configure their 1837 Windows clients appropriately. 1839 Client certificates accepted by Windows 2000 and Windows 2003 Server 1840 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) 1841 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN 1842 contains a UTF8 encoded string whose value is that of the Directory 1843 Service attribute UserPrincipalName of the client account object, and 1844 the purpose of including the id-ms-san-sc-logon-upn SAN in the client 1845 certificate is to validate the client mapping (in other words, the 1846 client's public key is bound to the account that has this 1847 UserPrincipalName value). 1849 It should be noted that all Microsoft Kerberos realm names are domain 1850 style realm names and strictly in upper case. In addition, the 1851 UserPrincipalName attribute is globally unique in Windows 2000 and 1852 Windows 2003. 1854 Authors' Addresses 1856 Larry Zhu 1857 Microsoft Corporation 1858 One Microsoft Way 1859 Redmond, WA 98052 1860 US 1862 Email: lzhu@microsoft.com 1864 Brian Tung 1865 USC Information Sciences Institute 1866 4676 Admiralty Way Suite 1001 1867 Marina del Rey, CA 90292 1868 US 1870 Email: brian@isi.edu 1872 Intellectual Property Statement 1874 The IETF takes no position regarding the validity or scope of any 1875 Intellectual Property Rights or other rights that might be claimed to 1876 pertain to the implementation or use of the technology described in 1877 this document or the extent to which any license under such rights 1878 might or might not be available; nor does it represent that it has 1879 made any independent effort to identify any such rights. Information 1880 on the procedures with respect to rights in RFC documents can be 1881 found in BCP 78 and BCP 79. 1883 Copies of IPR disclosures made to the IETF Secretariat and any 1884 assurances of licenses to be made available, or the result of an 1885 attempt made to obtain a general license or permission for the use of 1886 such proprietary rights by implementers or users of this 1887 specification can be obtained from the IETF on-line IPR repository at 1888 http://www.ietf.org/ipr. 1890 The IETF invites any interested party to bring to its attention any 1891 copyrights, patents or patent applications, or other proprietary 1892 rights that may cover technology that may be required to implement 1893 this standard. Please address the information to the IETF at 1894 ietf-ipr@ietf.org. 1896 Disclaimer of Validity 1898 This document and the information contained herein are provided on an 1899 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1900 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 1901 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 1902 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 1903 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1904 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1906 Copyright Statement 1908 Copyright (C) The Internet Society (2006). This document is subject 1909 to the rights, licenses and restrictions contained in BCP 78, and 1910 except as set forth therein, the authors retain all their rights. 1912 Acknowledgment 1914 Funding for the RFC Editor function is currently provided by the 1915 Internet Society.