idnits 2.17.1 draft-ietf-krb-wg-gss-cb-hash-agility-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC4121]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4121, updated by this document, for RFC5378 checks: 2003-08-29) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 6, 2012) is 4494 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP S. Emery 3 Internet-Draft Oracle 4 Updates: 4121 (if approved) January 6, 2012 5 Intended status: Standards Track 6 Expires: July 9, 2012 8 Kerberos Version 5 GSS-API Channel Binding Hash Agility 9 draft-ietf-krb-wg-gss-cb-hash-agility-10.txt 11 Abstract 13 Currently, channel bindings are implemented using a MD5 hash in the 14 Kerberos Version 5 Generic Security Services Application Programming 15 Interface (GSS-API) mechanism [RFC4121]. This document updates 16 RFC4121 to allow channel bindings using algorithms negotiated based 17 on Kerberos crypto framework as defined in RFC3961. In addition, 18 because this update makes use of the last extensible field in the 19 Kerberos client-server exchange message, extensions are defined to 20 allow future protocol extensions. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on July 9, 2012. 39 Copyright Notice 41 Copyright (c) 2012 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Conventions Used in This Document . . . . . . . . . . . . . . 4 58 3. Channel Binding Hash Agility . . . . . . . . . . . . . . . . . 5 59 3.1. Structure of the Exts Field . . . . . . . . . . . . . . . 5 60 3.2. The Channel Binding Extension . . . . . . . . . . . . . . 6 61 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 62 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 63 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 64 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 66 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 67 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 69 1. Introduction 71 With the recently discovered weaknesses in the MD5 hash algorithm, 72 see [RFC6151], there is a need to use stronger hash algorithms. 73 Kerberos Version 5 Generic Security Services Application Programming 74 Interface (GSS-API) mechanism [RFC4121] uses MD5 to calculate channel 75 binding verifiers. This document specifies an update to the 76 mechanism that allows it to create channel binding information based 77 on negotiated algorithms. This will allow deploying new algorithms 78 incrementally without breaking interoperability with older 79 implementations, when new attacks arise in the future. 81 2. Conventions Used in This Document 83 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 85 document are to be interpreted as described in [RFC2119]. 87 The term "little endian order" is used for brevity to refer to the 88 least-significant-octet-first encoding, while the term "big endian 89 order" is for the most-significant-octet-first encoding. 91 3. Channel Binding Hash Agility 93 When generating a channel binding verifier, Bnd, a hash is computed 94 from the channel binding fields. Initiators MUST populate the Bnd 95 field in order to maintain interoperability with existing acceptors. 96 In addition, initiators MUST populate the extension field, Exts, 97 defined below. 99 3.1. Structure of the Exts Field 101 The 0x8003 GSS checksum has the same structure described in [RFC4121] 102 except that the "Exts" field is now defined; the entire structure of 103 the 0x8003 checksum including the now defined "Exts" field follows: 105 Octet Name Description 106 ----------------------------------------------------------------- 107 0..3 Lgth Number of octets in Bnd field; Represented 108 in little-endian order; Currently contains 109 hex value 10 00 00 00 (16). 110 4..19 Bnd Channel binding information, as described in 111 section 4.1.1.2 [RFC4121]. 112 20..23 Flags Four-octet context-establishment flags in 113 little-endian order as described in section 114 4.1.1.1 [RFC4121]. 115 24..25 DlgOpt The delegation option identifier (=1) in 116 little-endian order [optional]. This field 117 and the next two fields are present if and 118 only if GSS_C_DELEG_FLAG is set as described 119 in section 4.1.1.1 [RFC4121]. 120 26..27 Dlgth The length of the Deleg field in 121 little-endian order [optional]. 122 28..(n-1) Deleg KRB_CRED message (n = Dlgth + 28) [optional]. 123 n..last Exts Extensions 125 where Exts is the concatenation of zero, one or more individual 126 extensions, each of which consists of, in order: 128 type -- big endian order unsigned integer, 32-bits, which 129 contains the type of extension 130 length -- big endian order unsigned integer, 32-bits, which 131 contains the length, in octets, of the extension data 132 encoded as an array of octets immediately following this 133 field 134 data -- octet string of extension information 136 If multiple extensions are present then there MUST be at most one 137 instance of a given extension type. 139 3.2. The Channel Binding Extension 141 When channel binding is used the Exts MUST include the following 142 extension: 144 data-type 0x00000000 146 data-value 148 The output obtained by applying the Kerberos V get_mic 149 operation [RFC3961] with key usage number 43, to the channel 150 binding data as described in [RFC4121], section 4.1.1.2 (using 151 get_mic instead of MD5). The key used is the sub-session key 152 from the authenticator, if it is present, otherwise the key 153 used is the session key from the ticket. The get_mic algorithm 154 is chosen as the "required checksum mechanism" for the 155 encryption type of the key used. 157 Initiators that are unwilling to use a MD5 hash of the channel 158 bindings MUST set the Bnd field to sixteen octets of hex value FF. 160 4. Security Considerations 162 With this mechanism initiators get no indication as to whether the 163 acceptors check or ignore channel bindings. 165 It is up to the application whether to enforce the use of channel 166 bindings or not. [RFC5056] and [RFC5554] give guidance for 167 application developers on channel bindings usage. 169 5. IANA Considerations 171 The IANA is hereby requested to create a new top-level registry 172 titled "Kerberos V GSS-API Mechanism Parameters," separate from the 173 existing Kerberos parameters registry. Within this registry, IANA is 174 requested to create a sub-registry of "Kerberos V GSS-API mechanism 175 extension types" with four-field entries (type number, type name, 176 description, and normative reference) and, initially, a single 177 registration: 0x00000000, "Channel Binding MIC," "Extension for the 178 verifier of the channel bindings," . 180 Using the guidelines for allocation as described in [RFC5226], type 181 number assignments are as follows: 183 0x00000000 - 0x000003FF IETF Review 185 0x00000400 - 0xFFFFF3FF Specification Required 187 0xFFFFF400 - 0xFFFFFFFF Private Use 189 6. Acknowledgments 191 The author would like to thank Larry Zhu, Nicolas Williams, Sam 192 Hartman, Jeffrey Hutzelman, and Simon Josefsson for their help in 193 reviewing and providing valuable feed-back of the draft. 195 7. References 197 7.1. Normative References 199 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 200 Requirement Levels", BCP 14, RFC 2119, March 1997. 202 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 203 Kerberos 5", RFC 3961, February 2005. 205 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 206 Version 5 Generic Security Service Application Program 207 Interface (GSS-API) Mechanism: Version 2", RFC 4121, 208 July 2005. 210 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 211 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 212 May 2008. 214 7.2. Informative References 216 [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure 217 Channels", RFC 5056, November 2007. 219 [RFC5554] Williams, N., "Clarifications and Extensions to the 220 Generic Security Service Application Program Interface 221 (GSS-API) for the Use of Channel Bindings", RFC 5554, 222 May 2009. 224 [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations 225 for the MD5 Message-Digest and the HMAC-MD5 Algorithms", 226 RFC 6151, March 2011. 228 Author's Address 230 Shawn Emery 231 Oracle 232 500 Eldorado Blvd 233 Building 1 234 Broomfield, CO 80021 235 USA 237 Email: shawn.emery@oracle.com