idnits 2.17.1 draft-ietf-krb-wg-preauth-framework-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 1757. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1768. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1775. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1781. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document updates RFC4120, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year (Using the creation date from RFC4120, updated by this document, for RFC5378 checks: 2002-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 8, 2007) is 6136 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'EKE' is mentioned on line 140, but not defined == Missing Reference: 'IEEE1363.2' is mentioned on line 140, but not defined == Missing Reference: 'X60' is mentioned on line 778, but not defined == Missing Reference: 'X690' is mentioned on line 778, but not defined -- Looks like a reference, but probably isn't: '0' on line 1715 -- Looks like a reference, but probably isn't: '1' on line 1719 -- Looks like a reference, but probably isn't: '2' on line 1690 -- Looks like a reference, but probably isn't: '3' on line 1691 -- Looks like a reference, but probably isn't: '4' on line 1693 == Outdated reference: A later version (-12) exists of draft-ietf-krb-wg-anon-04 ** Downref: Normative reference to an Historic draft: draft-ietf-krb-wg-anon (ref. 'KRB-ANON') == Outdated reference: A later version (-15) exists of draft-ietf-krb-wg-kerberos-referrals-10 == Outdated reference: A later version (-03) exists of draft-sakane-krb-cross-problem-statement-02 Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 13 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group L. Zhu 3 Internet-Draft Microsoft Corporation 4 Updates: 4120 (if approved) S. Hartman 5 Intended status: Standards Track MIT 6 Expires: January 9, 2008 July 8, 2007 8 A Generalized Framework for Kerberos Pre-Authentication 9 draft-ietf-krb-wg-preauth-framework-06 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on January 9, 2008. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2007). 40 Abstract 42 Kerberos is a protocol for verifying the identity of principals 43 (e.g., a workstation user or a network server) on an open network. 44 The Kerberos protocol provides a mechanism called pre-authentication 45 for proving the identity of a principal and for better protecting the 46 long-term secret of the principal. 48 This document describes a model for Kerberos pre-authentication 49 mechanisms. The model describes what state in the Kerberos request a 50 pre-authentication mechanism is likely to change. It also describes 51 how multiple pre-authentication mechanisms used in the same request 52 will interact. 54 This document also provides common tools needed by multiple pre- 55 authentication mechanisms. One of these tools is a secure channel 56 between the client and the KDC with a reply key delivery mechanism; 57 this secure channel can be used to protect the authentication 58 exchange thus eliminate offline dictionary attacks. With these 59 tools, it is relatively straightforward to chain multiple 60 authentication mechanisms, utilize a different key management system, 61 or support a new key agreement algorithm. 63 Table of Contents 65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 66 2. Conventions and Terminology Used in This Document . . . . . . 5 67 3. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 5 68 3.1. Information Managed by the Pre-authentication Model . . . 6 69 3.2. Initial Pre-authentication Required Error . . . . . . . . 8 70 3.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 9 71 3.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 10 72 4. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 10 73 4.1. Client-authentication Facility . . . . . . . . . . . . . . 12 74 4.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 12 75 4.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 13 76 4.4. KDC-authentication Facility . . . . . . . . . . . . . . . 14 77 5. Requirements for Pre-Authentication Mechanisms . . . . . . . . 14 78 6. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 15 79 6.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 15 80 6.2. Protecting Requests/Responses . . . . . . . . . . . . . . 16 81 6.3. Managing States for the KDC . . . . . . . . . . . . . . . 17 82 6.4. Pre-authentication Set . . . . . . . . . . . . . . . . . . 19 83 6.5. Definition of Kerberos FAST Padata . . . . . . . . . . . . 21 84 6.5.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 22 85 6.5.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 23 86 6.5.3. FAST Response . . . . . . . . . . . . . . . . . . . . 27 87 6.5.4. Authenticated Kerberos Error Messages using 88 Kerberos FAST . . . . . . . . . . . . . . . . . . . . 29 89 6.5.5. The Authenticated Timestamp FAST Factor . . . . . . . 30 90 6.6. Authentication Strength Indication . . . . . . . . . . . . 32 91 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 92 8. Security Considerations . . . . . . . . . . . . . . . . . . . 33 93 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34 94 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34 95 10.1. Normative References . . . . . . . . . . . . . . . . . . . 34 96 10.2. Informative References . . . . . . . . . . . . . . . . . . 34 97 Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 35 98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38 99 Intellectual Property and Copyright Statements . . . . . . . . . . 39 101 1. Introduction 103 The core Kerberos specification [RFC4120] treats pre-authentication 104 data as an opaque typed hole in the messages to the KDC that may 105 influence the reply key used to encrypt the KDC reply. This 106 generality has been useful: pre-authentication data is used for a 107 variety of extensions to the protocol, many outside the expectations 108 of the initial designers. However, this generality makes designing 109 more common types of pre-authentication mechanisms difficult. Each 110 mechanism needs to specify how it interacts with other mechanisms. 111 Also, problems like combining a key with the long-term secret or 112 proving the identity of the user are common to multiple mechanisms. 113 Where there are generally well-accepted solutions to these problems, 114 it is desirable to standardize one of these solutions so mechanisms 115 can avoid duplication of work. In other cases, a modular approach to 116 these problems is appropriate. The modular approach will allow new 117 and better solutions to common pre-authentication problems to be used 118 by existing mechanisms as they are developed. 120 This document specifies a framework for Kerberos pre-authentication 121 mechanisms. It defines the common set of functions that pre- 122 authentication mechanisms perform as well as how these functions 123 affect the state of the request and reply. In addition several 124 common tools needed by pre-authentication mechanisms are provided. 125 Unlike [RFC3961], this framework is not complete--it does not 126 describe all the inputs and outputs for the pre-authentication 127 mechanisms. Pre-Authentication mechanism designers should try to be 128 consistent with this framework because doing so will make their 129 mechanisms easier to implement. Kerberos implementations are likely 130 to have plugin architectures for pre-authentication; such 131 architectures are likely to support mechanisms that follow this 132 framework plus commonly used extensions. 134 One of these common tools is the flexible authentication secure 135 tunneling (FAST) padata type. FAST provides a protected channel 136 between the client and the KDC, and it can optionally deliver a reply 137 key within the protected channel. Based on FAST, pre-authentication 138 mechanisms can extend Kerberos with ease, to support, for example, 139 password authenticated key exchange (PAKE) protocols with zero 140 knowledge password proof (ZKPP) [EKE] [IEEE1363.2]. Any pre- 141 authentication mechanism can be encapsulated in the FAST messages as 142 defined in Section 6.5. A pre-authentication type carried within 143 FAST is called a FAST factor. Creating a FAST factor is the easiest 144 path to create a new pre-authentication mechanism. FAST factors are 145 significantly easier to analyze from a security standpoint than other 146 pre-authentication mechanisms. 148 Mechanism designers should design FAST factors, instead of new pre- 149 authentication mechanisms outside of FAST. 151 2. Conventions and Terminology Used in This Document 153 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 154 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 155 document are to be interpreted as described in [RFC2119]. 157 The word padata is used as a shorthand for pre-authentication data. 159 A conversation is the set of all authentication messages exchanged 160 between the client and the KDCs in order to authenticate the client 161 principal. A conversation as defined here consists of all messages 162 that are necessary to complete the authentication between the client 163 and the KDC. 165 Lastly, this document should be read only after reading the documents 166 describing the Kerberos cryptography framework [RFC3961] and the core 167 Kerberos protocol [RFC4120]. This document may freely use 168 terminology and notation from these documents without reference or 169 further explanation. 171 3. Model for Pre-Authentication 173 When a Kerberos client wishes to obtain a ticket using the 174 authentication server, it sends an initial Authentication Service 175 (AS) request. If pre-authentication is required but not being used, 176 then the KDC will respond with a KDC_ERR_PREAUTH_REQUIRED error. 177 Alternatively, if the client knows what pre-authentication to use, it 178 MAY optimize away a round-trip and send an initial request with 179 padata included in the initial request. If the client includes the 180 padata computed using the wrong pre-authentication mechanism or 181 incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no 182 indication of what padata should have been included. In that case, 183 the client MUST retry with no padata and examine the error data of 184 the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre- 185 authentication information in the accompanying error data of 186 KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and 187 then retry. 189 The conventional KDC maintains no state between two requests; 190 subsequent requests may even be processed by a different KDC. On the 191 other hand, the client treats a series of exchanges with KDCs as a 192 single conversation. Each exchange accumulates state and hopefully 193 brings the client closer to a successful authentication. 195 These models for state management are in apparent conflict. For many 196 of the simpler pre-authentication scenarios, the client uses one 197 round trip to find out what mechanisms the KDC supports. Then the 198 next request contains sufficient pre-authentication for the KDC to be 199 able to return a successful reply. For these simple scenarios, the 200 client only sends one request with pre-authentication data and so the 201 conversation is trivial. For more complex conversations, the KDC 202 needs to provide the client with a cookie to include in future 203 requests to capture the current state of the authentication session. 204 Handling of multiple round-trip mechanisms is discussed in 205 Section 6.3. 207 This framework specifies the behavior of Kerberos pre-authentication 208 mechanisms used to identify users or to modify the reply key used to 209 encrypt the KDC reply. The PA-DATA typed hole may be used to carry 210 extensions to Kerberos that have nothing to do with proving the 211 identity of the user or establishing a reply key. Such extensions 212 are outside the scope of this framework. However mechanisms that do 213 accomplish these goals should follow this framework. 215 This framework specifies the minimum state that a Kerberos 216 implementation needs to maintain while handling a request in order to 217 process pre-authentication. It also specifies how Kerberos 218 implementations process the padata at each step of the AS request 219 process. 221 3.1. Information Managed by the Pre-authentication Model 223 The following information is maintained by the client and KDC as each 224 request is being processed: 226 o The reply key used to encrypt the KDC reply 228 o How strongly the identity of the client has been authenticated 230 o Whether the reply key has been used in this conversation 232 o Whether the reply key has been replaced in this conversation 234 o Whether the contents of the KDC reply can be verified by the 235 client principal 237 Conceptually, the reply key is initially the long-term key of the 238 principal. However, principals can have multiple long-term keys 239 because of support for multiple encryption types, salts and 240 string2key parameters. As described in Section 5.2.7.5 of the 241 Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify 242 the client what types of keys are available. Thus in full 243 generality, the reply key in the pre-authentication model is actually 244 a set of keys. At the beginning of a request, it is initialized to 245 the set of long-term keys advertised in the PA-ETYPE-INFO2 element on 246 the KDC. If multiple reply keys are available, the client chooses 247 which one to use. Thus the client does not need to treat the reply 248 key as a set. At the beginning of a request, the client picks a 249 reply key to use. 251 KDC implementations MAY choose to offer only one key in the PA-ETYPE- 252 INFO2 element. Since the KDC already knows the client's list of 253 supported enctypes from the request, no interoperability problems are 254 created by choosing a single possible reply key. This way, the KDC 255 implementation avoids the complexity of treating the reply key as a 256 set. 258 When the padata in the request is verified by the KDC, then the 259 client is known to have that key, therefore the KDC SHOULD pick the 260 same key as the reply key. 262 At the beginning of handling a message on both the client and the 263 KDC, the client's identity is not authenticated. A mechanism may 264 indicate that it has successfully authenticated the client's 265 identity. This information is useful to keep track of on the client 266 in order to know what pre-authentication mechanisms should be used. 267 The KDC needs to keep track of whether the client is authenticated 268 because the primary purpose of pre-authentication is to authenticate 269 the client identity before issuing a ticket. The handling of 270 authentication strength using various authentication mechanisms is 271 discussed in Section 6.6. 273 Initially the reply key has not been used. A pre-authentication 274 mechanism that uses the reply key to encrypt or checksum some data in 275 the generation of new keys MUST indicate that the reply key is used. 276 This state is maintained by the client and the KDC to enforce the 277 security requirement stated in Section 4.3 that the reply key cannot 278 be replaced after it is used. 280 Initially the reply key has not been replaced. If a mechanism 281 implements the Replace Reply Key facility discussed in Section 4.3, 282 then the state MUST be updated to indicate that the reply key has 283 been replaced. Once the reply key has been replaced, knowledge of 284 the reply key is insufficient to authenticate the client. The reply 285 key is marked replaced in exactly the same situations as the KDC 286 reply is marked as not being verified to the client principal. 287 However, while mechanisms can verify the KDC reply to the client, 288 once the reply key is replaced, then the reply key remains replaced 289 for the remainder of the conversation. 291 Without pre-authentication, the client knows that the KDC reply is 292 authentic and has not been modified because it is encrypted in a 293 long-term key of the client. Only the KDC and the client know that 294 key. So at the start of handling any message the KDC reply is 295 presumed to be verified using the client principal's long-term key. 296 Any pre-authentication mechanism that sets a new reply key not based 297 on the principal's long-term secret MUST either verify the KDC reply 298 some other way or indicate that the reply is not verified. If a 299 mechanism indicates that the reply is not verified then the client 300 implementation MUST return an error unless a subsequent mechanism 301 verifies the reply. The KDC needs to track this state so it can 302 avoid generating a reply that is not verified. 304 The typical Kerberos request does not provide a way for the client 305 machine to know that it is talking to the correct KDC. Someone who 306 can inject packets into the network between the client machine and 307 the KDC and who knows the password that the user will give to the 308 client machine can generate a KDC reply that will decrypt properly. 309 So, if the client machine needs to authenticate that the user is in 310 fact the named principal, then the client machine needs to do a TGS 311 request for itself as a service. Some pre-authentication mechanisms 312 may provide a way for the client to authenticate the KDC. Examples 313 of this include signing the reply that can be verified using a well- 314 known public key or providing a ticket for the client machine as a 315 service. 317 3.2. Initial Pre-authentication Required Error 319 Typically a client starts a conversation by sending an initial 320 request with no pre-authentication. If the KDC requires pre- 321 authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message. 322 After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code, 323 the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_NEEDED 324 (defined in Section 6.3) for pre-authentication configurations that 325 use multi-round-trip mechanisms; see Section 3.4 for details of that 326 case. 328 The KDC needs to choose which mechanisms to offer the client. The 329 client needs to be able to choose what mechanisms to use from the 330 first message. For example consider the KDC that will accept 331 mechanism A followed by mechanism B or alternatively the single 332 mechanism C. A client that supports A and C needs to know that it 333 should not bother trying A. 335 Mechanisms can either be sufficient on their own or can be part of an 336 authentication set--a group of mechanisms that all need to 337 successfully complete in order to authenticate a client. Some 338 mechanisms may only be useful in authentication sets; others may be 339 useful alone or in authentication sets. For the second group of 340 mechanisms, KDC policy dictates whether the mechanism will be part of 341 an authentication set or offered alone. For each mechanism that is 342 offered alone, the KDC includes the pre-authentication type ID of the 343 mechanism in the padata sequence returned in the 344 KDC_ERR_PREAUTH_REQUIRED error. 346 The KDC SHOULD NOT send data that is encrypted in the long-term 347 password-based key of the principal. Doing so has the same security 348 exposures as the Kerberos protocol without pre-authentication. There 349 are few situations where pre-authentication is desirable and where 350 the KDC needs to expose cipher text encrypted in a weak key before 351 the client has proven knowledge of that key. 353 3.3. Client to KDC 355 This description assumes that a client has already received a 356 KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs 357 optimistic pre-authentication then the client needs to optimistically 358 guess values for the information it would normally receive from that 359 error response. 361 The client starts by initializing the pre-authentication state as 362 specified. It then processes the padata in the 363 KDC_ERR_PREAUTH_REQUIRED. 365 When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the 366 client MAY ignore any padata it chooses unless doing so violates a 367 specification to which the client conforms. Clients conforming to 368 this specification MUST NOT ignore the padata defined in Section 6.3. 369 Clients SHOULD process padata unrelated to this framework or other 370 means of authenticating the user. Clients SHOULD choose one 371 authentication set or mechanism that could lead to authenticating the 372 user and ignore the rest. Since the list of mechanisms offered by 373 the KDC is in the decreasing preference order, clients typically 374 choose the first mechanism or authentication set that the client can 375 usefully perform. If a client chooses to ignore a padata it MUST NOT 376 process the padata, allow the padata to affect the pre-authentication 377 state, nor respond to the padata. 379 For each padata the client chooses to process, the client processes 380 the padata and modifies the pre-authentication state as required by 381 that mechanism. Padata are processed in the order received from the 382 KDC. 384 After processing the padata in the KDC error, the client generates a 385 new request. It processes the pre-authentication mechanisms in the 386 order in which they will appear in the next request, updating the 387 state as appropriate. The request is sent when it is complete. 389 3.4. KDC to Client 391 When a KDC receives an AS request from a client, it needs to 392 determine whether it will respond with an error or an AS reply. 393 There are many causes for an error to be generated that have nothing 394 to do with pre-authentication; they are discussed in the core 395 Kerberos specification. 397 From the standpoint of evaluating the pre-authentication, the KDC 398 first starts by initializing the pre-authentication state. It then 399 processes the padata in the request. As mentioned in Section 3.3, 400 the KDC MAY ignore padata that is inappropriate for the configuration 401 and MUST ignore padata of an unknown type. 403 At this point the KDC decides whether it will issue a pre- 404 authentication required error or a reply. Typically a KDC will issue 405 a reply if the client's identity has been authenticated to a 406 sufficient degree. 408 In the case of a KDC_ERR_MORE_PREAUTH_DATA_NEEDED error, the KDC 409 first starts by initializing the pre-authentication state. Then it 410 processes any padata in the client's request in the order provided by 411 the client. Mechanisms that are not understood by the KDC are 412 ignored. Mechanisms that are inappropriate for the client principal 413 or the request SHOULD also be ignored. Next, it generates padata for 414 the error response, modifying the pre-authentication state 415 appropriately as each mechanism is processed. The KDC chooses the 416 order in which it will generate padata (and thus the order of padata 417 in the response), but it needs to modify the pre-authentication state 418 consistently with the choice of order. For example, if some 419 mechanism establishes an authenticated client identity, then the 420 subsequent mechanisms in the generated response receive this state as 421 input. After the padata is generated, the error response is sent. 422 Typically the errors with the code KDC_ERR_MORE_PREAUTH_DATA_NEEDED 423 in a converstation will include KDC state as discussed in 424 Section 6.3. 426 To generate a final reply, the KDC generates the padata modifying the 427 pre-authentication state as necessary. Then it generates the final 428 response, encrypting it in the current pre-authentication reply key. 430 4. Pre-Authentication Facilities 432 Pre-Authentication mechanisms can be thought of as providing various 433 conceptual facilities. This serves two useful purposes. First, 434 mechanism authors can choose only to solve one specific small 435 problem. It is often useful for a mechanism designed to offer key 436 management not to directly provide client authentication but instead 437 to allow one or more other mechanisms to handle this need. Secondly, 438 thinking about the abstract services that a mechanism provides yields 439 a minimum set of security requirements that all mechanisms providing 440 that facility must meet. These security requirements are not 441 complete; mechanisms will have additional security requirements based 442 on the specific protocol they employ. 444 A mechanism is not constrained to only offering one of these 445 facilities. While such mechanisms can be designed and are sometimes 446 useful, many pre-authentication mechanisms implement several 447 facilities. By combining multiple facilities in a single mechanism, 448 it is often easier to construct a secure, simple solution than by 449 solving the problem in full generality. Even when mechanisms provide 450 multiple facilities, they need to meet the security requirements for 451 all the facilities they provide. If the FAST factor approach is 452 used, it is likely that one or a small number of facilities can be 453 provided by a single mechanism without complicating the security 454 analysis. 456 According to Kerberos extensibility rules (Section 1.5 of the 457 Kerberos specification [RFC4120]), an extension MUST NOT change the 458 semantics of a message unless a recipient is known to understand that 459 extension. Because a client does not know that the KDC supports a 460 particular pre-authentication mechanism when it sends an initial 461 request, a pre-authentication mechanism MUST NOT change the semantics 462 of the request in a way that will break a KDC that does not 463 understand that mechanism. Similarly, KDCs MUST NOT send messages to 464 clients that affect the core semantics unless the client has 465 indicated support for the message. 467 The only state in this model that would break the interpretation of a 468 message is changing the expected reply key. If one mechanism changed 469 the reply key and a later mechanism used that reply key, then a KDC 470 that interpreted the second mechanism but not the first would fail to 471 interpret the request correctly. In order to avoid this problem, 472 extensions that change core semantics are typically divided into two 473 parts. The first part proposes a change to the core semantic--for 474 example proposes a new reply key. The second part acknowledges that 475 the extension is understood and that the change takes effect. 476 Section 4.2 discusses how to design mechanisms that modify the reply 477 key to be split into a proposal and acceptance without requiring 478 additional round trips to use the new reply key in subsequent pre- 479 authentication. Other changes in the state described in Section 3.1 480 can safely be ignored by a KDC that does not understand a mechanism. 481 Mechanisms that modify the behavior of the request outside the scope 482 of this framework need to carefully consider the Kerberos 483 extensibility rules to avoid similar problems. 485 4.1. Client-authentication Facility 487 The client authentication facility proves the identity of a user to 488 the KDC before a ticket is issued. Examples of mechanisms 489 implementing this facility include the encrypted timestamp facility 490 defined in Section 5.2.7.2 of the Kerberos specification [RFC4120]. 491 Mechanisms that provide this facility are expected to mark the client 492 as authenticated. 494 Mechanisms implementing this facility SHOULD require the client to 495 prove knowledge of the reply key before transmitting a successful KDC 496 reply. Otherwise, an attacker can intercept the pre-authentication 497 exchange and get a reply to attack. One way of proving the client 498 knows the reply key is to implement the Replace Reply Key facility 499 along with this facility. The PKINIT mechanism [RFC4556] implements 500 Client Authentication alongside Replace Reply Key. 502 If the reply key has been replaced, then mechanisms such as 503 encrypted-timestamp that rely on knowledge of the reply key to 504 authenticate the client MUST NOT be used. 506 4.2. Strengthening-reply-key Facility 508 Particularly, when dealing with keys based on passwords, it is 509 desirable to increase the strength of the key by adding additional 510 secrets to it. Examples of sources of additional secrets include the 511 results of a Diffie-Hellman key exchange or key bits from the output 512 of a smart card [KRB-WG.SAM]. Typically these additional secrets can 513 be first combined with the existing reply key and then converted to a 514 protocol key using tools defined in Section 6.1. 516 If a mechanism implementing this facility wishes to modify the reply 517 key before knowing that the other party in the exchange supports the 518 mechanism, it proposes modifying the reply key. The other party then 519 includes a message indicating that the proposal is accepted if it is 520 understood and meets policy. In many cases it is desirable to use 521 the new reply key for client authentication and for other facilities. 522 Waiting for the other party to accept the proposal and actually 523 modify the reply key state would add an additional round trip to the 524 exchange. Instead, mechanism designers are encouraged to include a 525 typed hole for additional padata in the message that proposes the 526 reply key change. The padata included in the typed hole are 527 generated assuming the new reply key. If the other party accepts the 528 proposal, then these padata are considered as an inner level. As 529 with the outer level, one authentication set or mechanism is 530 typically chosen for client authentication, along with auxiliary 531 mechanisms such as KDC cookies, and other mechanisms are ignored. 532 [[anchor5: Containers like this need more thought. For example if 533 you are constructing an authentication set do you expect to use a 534 strengthen reply key mechanism in conjunction with something else, do 535 you include the something else in the hint of the strengthen 536 mechanism or as its own entry. It's easier to configure and express 537 the authentication set as its own entry. However if you do that' the 538 composition of the mechanisms looks in practice than it appears in 539 the authentication set.]] The party generating the proposal can 540 determine whether the padata were processed based on whether the 541 proposal for the reply key is accepted. 543 The specific formats of the proposal message, including where padata 544 are included is a matter for the mechanism specification. Similarly, 545 the format of the message accepting the proposal is mechanism- 546 specific. 548 Mechanisms implementing this facility and including a typed hole for 549 additional padata MUST checksum that padata using a keyed checksum or 550 encrypt the padata. This requirement protects against modification 551 of the contents of the typed hole. By modifying these contents an 552 attacker might be able to choose which mechanism is used to 553 authenticate the client, or to convince a party to provide text 554 encrypted in a key that the attacker had manipulated. It is 555 important that mechanisms strengthen the reply key enough that using 556 it to checksum padata is appropriate. 558 4.3. Replacing-reply-key Facility 560 The Replace Reply Key facility replaces the key in which a successful 561 AS reply will be encrypted. This facility can only be used in cases 562 where knowledge of the reply key is not used to authenticate the 563 client. The new reply key MUST be communicated to the client and the 564 KDC in a secure manner. Mechanisms implementing this facility MUST 565 mark the reply key as replaced in the pre-authentication state. 566 Mechanisms implementing this facility MUST either provide a mechanism 567 to verify the KDC reply to the client or mark the reply as unverified 568 in the pre-authentication state. Mechanisms implementing this 569 facility SHOULD NOT be used if a previous mechanism has used the 570 reply key. 572 As with the strengthening-reply-key facility, Kerberos extensibility 573 rules require that the reply key not be changed unless both sides of 574 the exchange understand the extension. In the case of this facility 575 it will likely be more common for both sides to know that the 576 facility is available by the time that the new key is available to be 577 used. However, mechanism designers can use a container for padata in 578 a proposal message as discussed in Section 4.2 if appropriate. 580 4.4. KDC-authentication Facility 582 This facility verifies that the reply comes from the expected KDC. 583 In traditional Kerberos, the KDC and the client share a key, so if 584 the KDC reply can be decrypted then the client knows that a trusted 585 KDC responded. Note that the client machine cannot trust the client 586 unless the machine is presented with a service ticket for it 587 (typically the machine can retrieve this ticket by itself). However, 588 if the reply key is replaced, some mechanism is required to verify 589 the KDC. Pre-authentication mechanisms providing this facility allow 590 a client to determine that the expected KDC has responded even after 591 the reply key is replaced. They mark the pre-authentication state as 592 having been verified. 594 5. Requirements for Pre-Authentication Mechanisms 596 This section lists requirements for specifications of pre- 597 authentication mechanisms. 599 For each message in the pre-authentication mechanism, the 600 specification describes the pa-type value to be used and the contents 601 of the message. The processing of the message by the sender and 602 recipient is also specified. This specification needs to include all 603 modifications to the pre-authentication state. 605 Generally mechanisms have a message that can be sent in the error 606 data of the KDC_ERR_PREAUTH_REQUIRED error message or in an 607 authentication set. If the client needs information such as trusted 608 certificate authorities in order to determine if it can use the 609 mechanism, then this information should be in that message. In 610 addition, such mechanisms should also define a pa-hint to be included 611 in authentication sets. Often, the same information included in the 612 padata-value is appropriate to include in the pa-hint (as defined in 613 Section 6.4). 615 In order to ease security analysis the mechanism specification should 616 describe what facilities from this document are offered by the 617 mechanism. For each facility, the security consideration section of 618 the mechanism specification should show that the security 619 requirements of that facility are met. This requirement is 620 applicable to any FAST factor that provides authentication 621 information. 623 Significant problems have resulted in the specification of Kerberos 624 protocols because much of the KDC exchange is not protected against 625 authentication. The security considerations section should discuss 626 unauthenticated plaintext attacks. It should either show that 627 plaintext is protected or discuss what harm an attacker could do by 628 modifying the plaintext. It is generally acceptable for an attacker 629 to be able to cause the protocol negotiation to fail by modifying 630 plaintext. More significant attacks should be evaluated carefully. 632 As discussed in Section 6.3, there is no guarantee that a client will 633 use the same KDCs for all messages in a conversation. The mechanism 634 specification needs to show why the mechanism is secure in this 635 situation. The hardest problem to deal with, especially for 636 challenge/response mechanisms is to make sure that the same response 637 cannot be replayed against two KDCs while allowing the client to talk 638 to any KDC. 640 6. Tools for Use in Pre-Authentication Mechanisms 642 This section describes common tools needed by multiple pre- 643 authentication mechanisms. By using these tools mechanism designers 644 can use a modular approach to specify mechanism details and ease 645 security analysis. 647 6.1. Combining Keys 649 Frequently a weak key needs to be combined with a stronger key before 650 use. For example, passwords are typically limited in size and 651 insufficiently random, therefore it is desirable to increase the 652 strength of the keys based on passwords by adding additional secrets. 653 Additional source of secrecy may come from hardware tokens. 655 This section provides standard ways to combine two keys into one. 657 KRB-FX-CF1() is defined to combine two pass-phrases. 659 KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string) 660 KRB-FX-CF1(x, y) -> x || y 662 Where || denotes concatenation. The strength of the final key is 663 roughly the total strength of the individual keys being combined 664 assuming that the string_to_key() function [RFC3961] uses all its 665 input evenly. 667 An example usage of KRB-FX-CF1() is when a device provides random but 668 short passwords, the password is often combined with a personal 669 identification number (PIN). The password and the PIN can be 670 combined using KRB-FX-CF1(). 672 KRB-FX-CF2() combines two protocol keys based on the pseudo-random() 673 function defined in [RFC3961]. 675 Given two input keys, K1 and K2, where K1 and K2 can be of two 676 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as 677 follows: 679 KRB-FX-CF2(protocol key, protocol key, octet string, 680 octet string) -> (protocol key) 682 PRF+(K1, pepper1) -> octet-string-1 683 PRF+(K2, pepper2) -> octet-string-2 684 KRB-FX-CF2(K1, K2, pepper1, pepper2) -> 685 random-to-key(octet-string-1 ^ octet-string-2) 687 Where ^ denotes the exclusive-OR operation. PRF+() is defined as 688 follows: 690 PRF+(protocol key, octet string) -> (octet string) 692 PRF+(key, shared-info) -> pseudo-random( key, 1 || shared-info ) || 693 pseudo-random( key, 2 || shared-info ) || 694 pseudo-random( key, 3 || shared-info ) || ... 696 Here the counter value 1, 2, 3 and so on are encoded as a one-octet 697 integer. The pseudo-random() operation is specified by the enctype 698 of the protocol key. PRF+() uses the counter to generate enough bits 699 as needed by the random-to-key() [RFC3961] function for the 700 encryption type specified for the resulting key; unneeded bits are 701 removed from the tail. 703 Mechanism designers MUST specify the values for the input parameter 704 pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The 705 pepper1 and pepper2 MUST be distinct so that if the two keys being 706 combined are the same, the resulting key is not a trivial key. 708 6.2. Protecting Requests/Responses 710 Mechanism designers SHOULD protect clear text portions of pre- 711 authentication data. Various denial of service attacks and downgrade 712 attacks against Kerberos are possible unless plaintexts are somehow 713 protected against modification. An early design goal of Kerberos 714 Version 5 [RFC4120] was to avoid encrypting more of the 715 authentication exchange that was required. (Version 4 doubly- 716 encrypted the encrypted part of a ticket in a KDC reply, for 717 example.) This minimization of encryption reduces the load on the 718 KDC and busy servers. Also, during the initial design of Version 5, 719 the existence of legal restrictions on the export of cryptography 720 made it desirable to minimize of the number of uses of encryption in 721 the protocol. Unfortunately, performing this minimization created 722 numerous instances of unauthenticated security-relevant plaintext 723 fields. 725 If there is more than one roundtrip for an authentication exchange, 726 mechanism designers need to allow either the client or the KDC to 727 provide a checksum of all the messages exchanged on the wire in the 728 conversation, and the checksum is then verified by the receiver. 730 New mechanisms MUST NOT be hard-wired to use a specific algorithm. 732 Primitives defined in [RFC3961] are RECOMMENDED for integrity 733 protection and confidentiality. Mechanisms based on these primitives 734 are crypto-agile as the result of using [RFC3961] along with 735 [RFC4120]. The advantage afforded by crypto-agility is the ability 736 to avoid a multi-year standardization and deployment cycle to fix a 737 problem that is specific to a particular algorithm, when real attacks 738 do arise against that algorithm. 740 Note that data used by FAST factors (defined in Section 6.5) is 741 encrypted in a protected channel, thus they do not share the un- 742 authenticated-text issues with mechanisms designed as full-blown pre- 743 authentication mechanisms. 745 6.3. Managing States for the KDC 747 Kerberos KDCs are stateless. There is no requirement that clients 748 will choose the same KDC for the second request in a conversation. 749 Proxies or other intermediate nodes may also influence KDC selection. 750 So, each request from a client to a KDC must include sufficient 751 information that the KDC can regenerate any needed state. This is 752 accomplished by giving the client a potentially long opaque cookie in 753 responses to include in future requests in the same conversation. 754 The KDC MAY respond that a conversation is too old and needs to 755 restart by responding with a KDC_ERR_PREAUTH_EXPIRED error. 757 KDC_ERR_PREAUTH_EXPIRED TBA 759 When a client receives this error, the client SHOULD abort the 760 existing conversation, and restart a new one. 762 An example, where more than one message from the client is needed, is 763 when the client is authenticated based on a challenge-response 764 scheme. In that case, the KDC needs to keep track of the challenge 765 issued for a client authentication request. 767 The PA-FX-COOKIE pdata type is defined in this section to facilitate 768 state management. This padata is sent by the KDC when the KDC 769 requires state for a future transaction. The client includes this 770 opaque token in the next message in the conversation. The token may 771 be relatively large; clients MUST be prepared for tokens somewhat 772 larger than the size of all messages in a conversation. 774 PA_FX_COOKIE TBA 775 -- Stateless cookie that is not tied to a specific KDC. 777 The corresponding padata-value field [RFC4120] contains the 778 Distinguished Encoding Rules (DER) [X60] [X690] encoding of the 779 following Abstract Syntax Notation One (ASN.1) type PA-FX-COOKIE: 781 PA-FX-COOKIE ::= SEQUENCE { 782 conversationId [0] OCTET STRING, 783 -- Contains the identifier of this conversation. This field 784 -- must contain the same value for all the messages 785 -- within the same conversation. 786 enc-binding-key [1] EncryptedData OPTIONAL, 787 -- EncryptionKey -- 788 -- This field is present when and only when a FAST 789 -- padata as defined in Section 6.5 is included. 790 -- The encrypted data, when decrypted, contains an 791 -- EncryptionKey structure. 792 -- This encryption key is encrypted using the armor key 793 -- (defined in Section 6.5.1), and the key usage for the 794 -- encryption is KEY_USAGE_FAST_BINDING_KEY. 795 -- Present only once in a converstation. 796 cookie [2] OCTET STRING OPTIONAL, 797 -- Opaque data, for use to associate all the messages in 798 -- a single conversation between the client and the KDC. 799 -- This is generated by the KDC and the client MUST copy 800 -- the exact cookie encapsulated in a PA_FX_COOKIE data 801 -- element into the next message of the same conversation. 802 ... 803 } 804 KEY_USAGE_FAST_BINDING_KEY TBA 806 The conversationId field contains a sufficiently-long rand number 807 that uniquely identifies the conversation. If a PA_FX_COOKIE padata 808 is present in one message, a PA_FX_COOKIE structure MUST be present 809 in all subsequent messages of the same converstation between the 810 client and the KDC, with the same conversationId value. 812 The enc-binding-key field is present when and only when a FAST padata 813 (defined in Section 6.5) is included. The enc-binding-key field is 814 present only once in a conversation. It MUST be ignored if it is 815 present in a subsequent message of the same conversation. The 816 encrypted data, when decrypted, contains an EncryptionKey structure 817 that is called the binding key. The binding key is encrypted using 818 the armor key (defined in Section 6.5.1), and the key usage for the 819 encryption is KEY_USAGE_FAST_BINDING_KEY. 821 If a Kerberos FAST padata as defined in Section 6.5 is included in 822 one message, it MUST be included in all subsequent messages of the 823 same conversation. 825 When FAST padata as defined Section 6.5 is included, the PA-FX-COOKIE 826 padata MUST be included. 828 The cookie token is generated by the KDC and the client MUST copy the 829 exact cookie encapsulated in a PA_FX_COOKIE data element into the 830 next message of the same conversation. The content of the cookie 831 field is a local matter of the KDC. However the KDC MUST construct 832 the cookie token in such a manner that a malicious client cannot 833 subvert the authentication process by manipulating the token. The 834 KDC implementation needs to consider expiration of tokens, key 835 rollover and other security issues in token design. The content of 836 the cookie field is likely specific to the pre-authentication 837 mechanisms used to authenticate the client. If a client 838 authentication response can be replayed to multiple KDCs via the 839 PA_FX_COOKIE mechanism, an expiration in the cookie is RECOMMENDED to 840 prevent the response being presented indefinitely. 842 If at least one more message for a mechanism or a mechanism set is 843 expected by the KDC, the KDC returns a 844 KDC_ERR_MORE_PREAUTH_DATA_NEEDED error with a PA_FX_COOKIE to 845 identify the conversation with the client according to Section 6.5.4. 847 KDC_ERR_MORE_PREAUTH_DATA_NEEDED TBA 849 6.4. Pre-authentication Set 851 If all mechanisms in a group need to successfully complete in order 852 to authenticate a client, the client and the KDC SHOULD use the 853 PA_AUTHENTICATION_SET padata element. 855 A PA_AUTHENTICATION_SET padata element contains the ASN.1 DER 856 encoding of the PA-AUTHENTICATION-SET structure: 858 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 860 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 861 pa-type [0] Int32, 862 -- same as padata-type. 863 pa-hint [1] OCTET STRING, 864 -- hint data. 865 ... 866 } 868 The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure 869 contains the corresponding value of padata-type in PA-DATA [RFC4120]. 870 Associated with the pa-type is a pa-hint, which is an octet-string 871 specified by the pre-authentication mechanism. This hint may provide 872 information for the client which helps it determine whether the 873 mechanism can be used. For example a public-key mechanism might 874 include the certificate authorities it trusts in the hint info. Most 875 mechanisms today do not specify hint info; if a mechanism does not 876 specify hint info the KDC MUST NOT send a hint for that mechanism. 877 To allow future revisions of mechanism specifications to add hint 878 info, clients MUST ignore hint info received for mechanisms that the 879 client believes do not support hint info. If a member of the pre- 880 authentication mechanism set that requires a challenge, a separate 881 padata that carries the challenge SHOULD be included along with the 882 pre-authentication set padata. 884 The PA-AUTHENTICATION-SET appears only in the first message from the 885 KDC to the client. In particular, the client should not be prepared 886 for the future authentication mechanisms to change as the 887 conversation progresses. [[anchor9: I think this is correct; we 888 should discuss and if the WG agrees the text should reflect this.]] 890 When indicating which sets of pre-authentication mechanisms are 891 supported, the KDC includes a PA-AUTHENTICATION-SET padata element 892 for each pre-authentication mechanism set. 894 The client sends the padata-value for the first mechanism it picks in 895 the pre-authentication set, when the first mechanism completes, the 896 client and the KDC will proceed with the second mechanism, and so on 897 until all mechanisms complete successfully. The PA_FX_COOKIE as 898 defined in Section 6.3 MUST be sent by the KDC along with the first 899 message that contains a PA-AUTHENTICATION-SET, in order to keep track 900 of KDC states. 902 Before the authentication succeeds and a ticket is returned, the 903 message that the client sends is an AS_REQ and the message that the 904 KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR 905 message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_NEEDED as defined 906 in Section 6.3 and the accompanying e-data contains the DER encoding 907 of ASN.1 type METHOD-DATA. The KDC includes the padata elements in 908 the METHOD-DATA. If there is no padata, the e-data field is absent 909 in the KRB-ERROR message. 911 If one mechanism completes on the client side, and the client expects 912 the KDC to send the next padata for the next pre-authentication 913 mechanism before the authentication succeeds, the client sends an 914 AS_REQ with a padata of type PA_FX_HEARTBEAT. 916 PA_FX_HEARTBEAT TBA 918 The padata-value for the PA_FX_HEARTBEAT is empty. 920 If one mechanism completes on the KDC side, and the KDC expects the 921 client to send the next padata for the next pre-authentication 922 mechanism before the authentication succeeds, the KDC sends a KRB- 923 ERROR message with the code KDC_ERR_MORE_PREAUTH_DATA_NEEDED and 924 includes a padata of type PA_FX_HEARTBEAT. 926 [[anchor10: It's much easier to design UIs if you can determine ahead 927 of time what all the elements of your dialogue will need to be. If 928 we mandate that the pa-hints need to be sufficient that you can 929 determine what information you will require from a user ahead of time 930 we can simplify the UI for login. I propose that we make this 931 requirement. WG agreement required.]] 933 6.5. Definition of Kerberos FAST Padata 935 As described in [RFC4120], Kerberos is vulnerable to offline 936 dictionary attacks. An attacker can request an AS-REP and try 937 various passwords to see if they can decrypt the resulting ticket. 938 RFC 4120 provides the entrypted timestap pre-authentication method 939 that ameliorates the situation somewhat by requiring that an attacker 940 observe a successful authentication. However stronger security is 941 desired in many environments. The Kerberos FAST pre-authentication 942 padata defined in this section provides a tool to significantly 943 reduce vulnerability to offline dictionary attack. When combined 944 with encrypted timestamp, FAST requires an attacker to mount a 945 successful man-in-the-middle attack to observe ciphertext. When 946 combined with host keys, FAST can even protect against active 947 attacks. FAST also provides solutions to common problems for pre- 948 authentication mechanisms such as binding of the request and the 949 reply, freshness guarantee of the authentication. FAST itself, 950 however, does not authenticate the client or the KDC, instead, it 951 provides a typed hole to allow pre-authentication data be tunneled. 952 A pre-authentication data element used within FAST is called a FAST 953 factor. A FAST factor captures the minimal work required for 954 extending Kerberos to support a new pre-authentication scheme. 956 A FAST factor MUST NOT be used outside of FAST unless its 957 specification explicitly allows so. The typed holes in FAST messages 958 can also be used as generic holes for other padata that are not 959 intended to prove the client's identity, or establish the reply key. 961 New pre-authentication mechanisms SHOULD be designed as FAST factors, 962 instead of full-blown pre-authentication mechanisms. 964 FAST factors that are pre-authentication mechanisms MUST meet the 965 requirements in Section 5. 967 FAST employs an armoring scheme. The armor can be a Ticket Granting 968 Ticket (TGT) obtained by the client's machine using the host keys to 969 pre-authenticate with the KDC, or an anonymous TGT obtained based on 970 anonymous PKINIT [KRB-ANON] [RFC4556]. 972 The rest of this section describes the types of armors and the syntax 973 of the messages used by FAST. Conforming implementations MUST 974 support Kerberos FAST padata. 976 6.5.1. FAST Armors 978 An armor key is used to encrypt pre-authentication data in the FAST 979 request and the response. The KrbFastArmor structure is defined to 980 identify the armor key. This structure contains the following two 981 fields: the armor-type identifies the type of armors, and the armor- 982 value as an OCTET STRING contains the description of the armor scheme 983 and the armor key. 985 KrbFastArmor ::= SEQUENCE { 986 armor-type [0] Int32, 987 -- Type of the armor. 988 armor-value [1] OCTET STRING, 989 -- Value of the armor. 990 ... 991 } 993 The value of the armor key is a matter of the armor type 994 specification. Only one armor type is defined in this document. 996 FX_FAST_ARMOR_AP_REQUEST TBA 998 The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets. 1000 Conforming implementations MUST implement the 1001 FX_FAST_ARMOR_AP_REQUEST armor type. 1003 6.5.1.1. Ticket-based Armors 1005 This is a ticket-based armoring scheme. The armor-type is 1006 FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER 1007 encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket 1008 or an armor TGT. The subkey field in the AP-REQ MUST be present. 1009 The armor key is the subkey in the AP-REQ authenticator. 1011 The server name field of the armor ticket MUST identify the TGS of 1012 the target realm. Here are three ways in the decreasing preference 1013 order how an armor TGT SHOULD be obtained: 1015 1. If the client is authenticating from a host machine whose 1016 Kerberos realm has a trust path to the client's realm, the host 1017 machine obtains a TGT by pre-authenticating intitialy the realm 1018 of the host machine using the host keys. If the client's realm 1019 is different than the realm of the local host, the machine then 1020 obtains a cross-realm TGT to the client's realm as the armor 1021 ticket. Otherwise, the host's primary TGT is the armor ticket. 1023 2. If the client's host machine cannot obtain a host ticket strictly 1024 based on RFC4120, but the KDC has an asymmetric signing key that 1025 the client can verify the binding between the public key of the 1026 signing key and the expected KDC, the client can use anonymous 1027 PKINIT [KRB-ANON] [RFC4556] to authenticate the KDC and obtain an 1028 anonymous TGT as the armor ticket. The armor key can be a cross- 1029 team TGT obtained based on the initial primary TGT obtained using 1030 anonymous PKINIT with KDC authentication. 1032 3. Otherwise, the client uses anonymous PKINIT to get an anonymous 1033 TGT without KDC authentication and that TGT is the armor ticket. 1034 Note that this mode of operation is vulnerable to man-in-the- 1035 middle attacks at the time of obtaining the initial anonymous 1036 armor TGT. The armor key can be a cross-team TGT obtained based 1037 on the initial primary TGT obtained using anonymous PKINIT 1038 without KDC authentication. 1040 Because the KDC does not know if the client is able to trust the 1041 ticket it has, the KDC MUST initialize the pre-authentication state 1042 to an unverified KDC. 1044 6.5.2. FAST Request 1046 A padata type PA_FX_FAST is defined for the Kerberos FAST pre- 1047 authentication padata. The corresponding padata-value field 1048 [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST- 1049 REQUEST. 1051 PA_FX_FAST TBA 1052 -- Padata type for Kerberos FAST 1054 PA-FX-FAST-REQUEST ::= CHOICE { 1055 armored-data [0] KrbFastArmoredReq, 1056 ... 1057 } 1059 KrbFastArmoredReq ::= SEQUENCE { 1060 armor [0] KrbFastArmor OPTIONAL, 1061 -- Contains the armor that identifies the armor key. 1062 -- MUST be present in AS-REQ. 1063 -- MUST be absent in TGS-REQ. 1064 req-checksum [1] Checksum, 1065 -- Checksum performed over the type KDC-REQ-BODY for 1066 -- the req-body field of the KDC-REQ structure defined in 1067 -- [RFC4120] 1068 -- The checksum key is the armor key, the checksum 1069 -- type is the required checksum type for the enctype of 1070 -- the armor key, and the key usage number is 1071 -- KEY_USAGE_FAST_REA_CHKSUM. 1072 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1073 -- The encryption key is the armor key, and the key usage 1074 -- number is KEY_USAGE_FAST_ENC. 1075 ... 1076 } 1078 KEY_USAGE_FAST_REA_CHKSUM TBA 1079 KEY_USAGE_FAST_ENC TBA 1081 The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type. 1082 The KrbFastArmoredReq encapsulates the encrypted padata. 1084 The enc-fast-req field contains an encrypted KrbFastReq structure. 1085 The armor key is used to encrypt the KrbFastReq structure, and the 1086 key usage number for that encryption is KEY_USAGE_FAST_ARMOR. 1088 KEY_USAGE_FAST_ARMOR TBA 1090 The armor key is selected as follows: 1092 o In an AS request, the armor field in the KrbFastArmoredReq 1093 structure MUST be present and the armor key is identified 1094 according to the specification of the armor type. 1096 o In a TGS request, the armor field in the KrbFastArmoredReq 1097 structure MUST NOT be present and the subkey in the AP-REQ 1098 authenticator in the PA-TGS-REQ PA-DATA MUST be present. In this 1099 case, the armor key is that subkey in the AP-REQ authenticator. 1101 The req-checksum field contains a checksum that is performed over the 1102 type KDC-REQ-BODY for the req-body field of the KDC-REQ [RFC4120] 1103 structure of the containing message. The checksum key is the armor 1104 key, and the checksum type is the required checksum type for the 1105 enctype of the armor key per [RFC3961]. [[anchor12: Is this checksum 1106 still needed if we include a full kdc-req-body]] 1108 The KrbFastReq structure contains the following information: 1110 KrbFastReq ::= SEQUENCE { 1111 fast-options [0] FastOptions, 1112 -- Additional options. 1113 padata [1] SEQUENCE OF PA-DATA, 1114 -- padata typed holes. 1115 req-body [2] KDC-REQ-BODY, 1116 -- Contains the KDC request body as defined in Section 1117 -- 5.4.1 of [RFC4120]. The req-body field in the KDC-REQ 1118 -- structure [RFC4120] MUST be ignored. 1119 -- The client name and realm in the KDC-REQ [RFC4120] 1120 -- MUST NOT be present for AS-REQ and TGS-REQ when 1121 -- Kerberos FAST padata is included in the request. 1122 ... 1123 } 1125 [[anchor13: See mailing list discussion about whether client name 1126 absent is correct.]] 1128 The fast-options field indicates various options that are to modify 1129 the behavior of the KDC. The following options are defined: 1131 FastOptions ::= KerberosFlags 1132 -- reserved(0), 1133 -- anonymous(1), 1134 -- kdc-referrals(16) 1136 Bits Name Description 1137 ----------------------------------------------------------------- 1138 0 RESERVED Reserved for future expansion of this field. 1139 1 anonymous Requesting the KDC to hide client names in 1140 the KDC response, as described next in this 1141 section. 1142 16 kdc-referrals Requesting the KDC to follow referrals, as 1143 described next in this section. 1145 Bits 1 through 15 (with bit 2 and bit 15 included) are critical 1146 options. If the KDC does not support a critical option, it MUST fail 1147 the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS (there is no 1148 accompanying e-data defined in this document for this error code). 1149 Bit 16 and onward (with bit 16 included) are non-critical options. 1150 KDCs conforming to this specification ignores unknown non-critical 1151 options. 1153 KDC_ERR_UNKNOWN_FAST_OPTIONS TBA 1155 The anonymous Option 1157 The Kerberos response defined in [RFC4120] contains the client 1158 identity in clear text, This makes traffic analysis 1159 straightforward. The anonymous option is designed to complicate 1160 traffic analysis. If the anonymous option is set, the KDC 1161 implementing PA_FX_FAST MUST identify the client as the anonymous 1162 principal in the KDC reply and the error response. Hence this 1163 option is set by the client if it wishes to conceal the client 1164 identity in the KDC response. 1166 The kdc-referrals Option 1168 The Kerberos client described in [RFC4120] has to request referral 1169 TGTs along the authentication path in order to get a service 1170 ticket for the target service. The Kerberos client described in 1171 the [REFERRALS] need to contact the AS specified in the error 1172 response in order to complete client referrals. The kdc-referrals 1173 option is designed to minimize the number of messages that need to 1174 be processed by the client. This option is useful when, for 1175 example, the client may contact the KDC via a satellite link that 1176 has high network latency, or the client has limited computational 1177 capabilities. If the kdc-referrals option is set, the KDC that 1178 honors this option acts as the client to follow AS referrals and 1179 TGS referrals [REFERRALS], and return the service ticket to the 1180 named server principal in the client request using the reply key 1181 expected by the client. The kdc-referrals option can be 1182 implemented when the KDC knows the reply key. The KDC can ignore 1183 kdc-referrals option when it does not understand it or it does not 1184 allow this option based on local policy. The client SHOULD be 1185 able to process the KDC responses when this option is not honored 1186 by the KDC. 1188 The padata field contains a list of PA-DATA structures as described 1189 in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain 1190 FAST factors. They can also be used as generic typed-holes to 1191 contain data not intended for proving the client's identity or 1192 establishing a reply key, but for protocol extensibility. 1194 The KDC-REQ-BODY in the FAST structure is used in preference to the 1195 KDC-REQ-BODY outside of the FAST pre-authentication. This outer 1196 structure SHOULD be filled in for backwards compatibility with KDCs 1197 that do not support FAST. The client MAY fill in the cname and 1198 crealm fields in the kdc-req-body in the KrbFastReq structure and 1199 leave the cname field and the crealm field in KDC-REQ absent, in 1200 order to conceal the client's identity in the AS-REQ.[[anchor14: 1201 Absent is probably wrong. Presumably we want a name similar to the 1202 anonymous principal name.]] 1204 6.5.3. FAST Response 1206 The KDC that supports the PA_FX_FAST padata MUST include a PA_FX_FAST 1207 padata element in the KDC reply. In the case of an error, the 1208 PA_FX_FAST padata is included in the KDC responses according to 1209 Section 6.5.4. 1211 The corresponding padata-value field [RFC4120] for the PA_FX_FAST in 1212 the KDC response contains the DER encoding of the ASN.1 type PA-FX- 1213 FAST-REPLY. 1215 PA-FX-FAST-REPLY ::= CHOICE { 1216 armored-data [0] KrbFastArmoredRep, 1217 ... 1218 } 1220 KrbFastArmoredRep ::= SEQUENCE { 1221 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1222 -- The encryption key is the armor key in the request, and 1223 -- the key usage number is KEY_USAGE_FAST_REP. 1224 ... 1225 } 1226 KEY_USAGE_FAST_REP TBA 1228 The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep 1229 structure. The KrbFastArmoredRep structure encapsulates the padata 1230 in the KDC reply in the encrypted form. The KrbFastResponse is 1231 encrypted with the armor key used in the corresponding request, and 1232 the key usage number is KEY_USAGE_FAST_REP. 1234 The Kerberos client who does not receive a PA-FX-FAST-REPLY in the 1235 KDC response MUST support a local policy that rejects the response. 1236 Clients MAY also support policies that fall back to other mechanisms 1237 or that do not use pre-authentication when FAST is unavailable. It 1238 is important to consider the potential downgrade attacks when 1239 deploying such a policy. 1241 The KrbFastResponse structure contains the following information: 1243 KrbFastResponse ::= SEQUENCE { 1244 padata [0] SEQUENCE OF PA-DATA, 1245 -- padata typed holes. 1246 rep-key [1] EncryptionKey OPTIONAL, 1247 -- This, if present, replaces the reply key for AS and TGS. 1248 -- MUST be absent in KRB-ERROR. 1249 finished [2] KrbFastFinished OPTIONAL, 1250 -- MUST be present if the client is authenticated, 1251 -- absent otherwise. 1252 -- Typically this is present if and only if the containing 1253 -- message is the last one in a conversation. 1254 ... 1255 } 1257 The padata field in the KrbFastResponse structure contains a list of 1258 PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These 1259 PA-DATA structures are used to carry data advancing the exchange 1260 specific for the FAST factors. They can also be used as generic 1261 typed-holes for protocol extensibility. 1263 The rep-key field, if present, contains the reply key that is used to 1264 encrypted the KDC reply. The rep-key field MUST be absent in the 1265 case where an error occurs. The enctype of the rep-key is the 1266 strongest mutually supported by the KDC and the client. 1268 The finished field contains a KrbFastFinished structure. It is 1269 filled by the KDC in the final message in the conversation; it MUST 1270 be absent otherwise. In other words, this field can only be present 1271 in an AS-REP or a TGS-REP when a ticket is returned. 1273 The KrbFastFinished structure contains the following information: 1275 KrbFastFinished ::= SEQUENCE { 1276 timestamp [0] KerberosTime, 1277 usec [1] Microseconds, 1278 -- timestamp and usec represent the time on the KDC when 1279 -- the reply was generated. 1280 crealm [2] Realm, 1281 cname [3] PrincipalName, 1282 -- Contains the client realm and the client name. 1283 checksum [4] Checksum, 1284 -- Checksum performed over all the messages in the 1285 -- conversation, except the containing message. 1286 -- The checksum key is the binding key as defined in 1287 -- Section 6.3, and the checksum type is the required 1288 -- checksum type of the binding key. 1289 ... 1290 } 1291 KEY_USAGE_FAST_FINISHED TBA 1293 The timestamp and usec fields represent the time on the KDC when the 1294 reply ticket was generated, these fields have the same semantics as 1295 the corresponding-identically-named fields in Section 5.6.1 of 1296 [RFC4120]. The client MUST use the KDC's time in these fields 1297 thereafter when using the returned ticket. Note that the KDC's time 1298 in AS-REP may not match the authtime in the reply ticket if the kdc- 1299 referrals option is requested and honored by the KDC. 1301 The cname and crealm fields identify the authenticated client. 1303 The checksum field contains a checksum of all the messages in the 1304 conversation prior to the containing message (the containing message 1305 is excluded). The checksum key is the binding key as defined in 1306 Section 6.3, and the checksum type is the required checksum type of 1307 the enctype of that key, and the key usage number is 1308 KEY_USAGE_FAST_FINISHED. [[anchor15: Examples would be good here; 1309 what all goes into the checksum?]] 1311 When FAST padata is included, the PA-FX-COOKIE padata as defined in 1312 Section 6.3 MUST also be included if the KDC expects at least one 1313 more message from the client in order to complete the authentication. 1315 6.5.4. Authenticated Kerberos Error Messages using Kerberos FAST 1317 If the Kerberos FAST padata was included in the request, unless 1318 otherwise specified, the e-data field of the KRB-ERROR message 1319 [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA 1320 [RFC4120] and a PA_FX_FAST is included in the METHOD-DATA. The KDC 1321 MUST include all the padata elements such as PA-ETYPE-INFO2 and 1322 padata elments that indicate acceptable pre-authentication mechanisms 1323 [RFC4120] and in the KrbFastResponse structure. 1325 If the Kerberos FAST padata is included in the request but not 1326 included in the error reply, it is a matter of the local policy on 1327 the client to accept the information in the error message without 1328 integrity protection. The Kerberos client MAY process an error 1329 message without a PA-FX-FAST-REPLY, if that is only intended to 1330 return better error information to the application, typically for 1331 trouble-shooting purposes. 1333 In the cases where the e-data field of the KRB-ERROR message is 1334 expected to carry a TYPED-DATA [RFC4120] element, the 1335 PA_FX_TYPED_DATA padata is included in the KrbFastResponse structure 1336 to encapsulate the TYPED-DATA [RFC4120] elements. For example, the 1337 TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR 1338 message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE 1340 [RFC4556]. 1342 PA_FX_TYPED_DATA TBA 1343 -- This is the padata element that encapsulates a TYPED-DATA 1344 -- structure. 1346 The corresponding padata-value for the PA_FX_TYPED_DATA padata type 1347 contains the DER encoding of the ASN.1 type TYPED-DATA [RFC4120]. 1349 6.5.5. The Authenticated Timestamp FAST Factor 1351 The encrypted time stamp [RFC4120] padata can be used as a FAST 1352 factor to authenticate the client and it does not expose the cipher 1353 text derived using the client's long term keys. However this FAST 1354 factor is not risk-free from current intellectual property claims as 1355 of the time of this writing. To provide a clearn replacement FAST 1356 factor that closely matches the encrypted timestamp FAST factor, the 1357 authenticated timestamp pre-authentication is introduced in this 1358 section. 1360 The authenticated timestamp FAST factor authenticates a client by 1361 means of computing a checksum over a time-stamped structure using the 1362 client's long term keys. The padata-type is 1363 PA_AUTHENTICATED_TIMESTAMP and the corresponding padata-value 1364 contains the DER encoding of ASN.1 type AuthenticatedTimestamp. 1366 AuthenticatedTimestampToBeSigned ::= SEQUENCE { 1367 timestamp [0] PA-ENC-TS-ENC, 1368 -- Contains the timestamp field of the corresponding 1369 -- AuthenticatedTimestamp structure. 1370 req-body [1] KDC-REQ-BODY OPTIONAL, 1371 -- MUST contain the req-body field of the KDC-REQ 1372 -- structure in the containing AS-REQ for the client 1373 -- request. 1374 -- MUST be Absent for the KDC reply. 1375 ... 1376 } 1378 AuthenticatedTimestamp ::= SEQUENCE { 1379 timestamp [0] PA-ENC-TS-ENC, 1380 -- Filled out according to Section 5.2.7.2 of [RFC4120]. 1381 -- Contains the client's current time for the client, 1382 -- and the KDC's current time for the KDC. 1383 checksum [1] CheckSum, 1384 -- The checksum is performed over the type 1385 -- AuthenticatedTimestampToBeSigned and the key usage is 1386 -- KEY_USAGE_AUTHENTICATED_TS_CLIENT for the client and 1387 _ KEY_USAGE_AUTHENTICATED_TS_KDC for the KDC 1388 ... 1389 } 1391 KEY_USAGE_AUTHENTICATED_TS_CLIENT TBA 1392 KEY_USAGE_AUTHENTICATED_TS_KDC TBA 1394 The client fills out the AuthenticatedTimestamp structure as follows: 1396 o The timestamp field in the AuthenticatedTimestamp structure is 1397 filled out with the client's current time according to Section 1398 5.2.7.2 of [RFC4120]. 1400 o The checksum field in the AuthenticatedTimestamp structure is 1401 performed over the type AuthenticatedTimestampToBeSigned. The 1402 checksum key is one of the client's long term keys. The key usage 1403 for the checksum operation is KEY_USAGE_AUTHENTICATED_TS_CLIENT. 1404 The checksum type is the required checksum type for the strongest 1405 enctype mutually supported by the client and the KDC. 1407 o Within the AuthenticatedTimestampToBeSigned structure, the 1408 timestamp field contains the timestamp field of the corresponding 1409 AuthenticatedTimestamp structure, and the req-body field MUST 1410 contain the req-body field of the KDC-REQ structure in the 1411 containing AS-REQ. 1413 Upon receipt of the PA_AUTHENTICATED_TIMESTAMP FAST factor, the KDC 1414 MUST process the padata in a way similar to that of the encrypted 1415 timestamp padata. The KDC MUST verify the checksum in the 1416 AuthenticatedTimestamp structure and the timestamp is within the 1417 window of acceptable clock skew for the KDC. 1419 When the authenticated timestamp FAST factor is accepted by the KDC, 1420 the KDC MUST include a PA_AUTHENTICATED_TIMESTAMP as a FAST factor in 1421 in a successful KDC reply and it MUST include the rep-key field as 1422 defined in Section 6.5.3. 1424 The KDC fills out the AuthenticatedTimestamp structure as follows: 1426 o The timestamp field in the AuthenticatedTimestamp structure is 1427 filled out with the KDC's current time according to Section 1428 5.2.7.2 of [RFC4120]. 1430 o The checksum field in the AuthenticatedTimestamp structure is 1431 performed over the type AuthenticatedTimestampToBeSigned. The 1432 checksum key is the reply key picked from the client's long term 1433 keys according to [RFC4120]. The key usage for the checksum 1434 operation is KEY_USAGE_AUTHENTICATED_TS_KDC. The checksum type is 1435 the required checksum type for the checksum key. 1437 o Within the AuthenticatedTimestampToBeSigned structure, the 1438 timestamp field contains the timestamp field of the corresponding 1439 AuthenticatedTimestamp structure, and the req-body field MUST be 1440 absent. 1442 Upon receipt of the PA_AUTHENTICATED_TIMESTAMP FAST factor in the KDC 1443 reply, the client MUST verify the checksum in the 1444 AuthenticatedTimestamp structure and the timestamp is within the 1445 window of acceptable clock skew for the client. The successful 1446 verificaiton of the PA_AUTHENTICATED_TIMESTAMP padata authenticates 1447 the KDC. 1449 The authenticated timestamp FAST factor provides the following 1450 facilities: client-authentication, replacing-reply-key, KDC- 1451 authentication. It does not provide the strengthening-reply-key 1452 facility. The security considerations section of this document 1453 provides an explanation why the security requirements are met. 1455 Conforming implementations MUST support the authenticated timestamp 1456 FAST factor. 1458 6.6. Authentication Strength Indication 1460 Implementations that have pre-authentication mechanisms offering 1461 significantly different strengths of client authentication MAY choose 1462 to keep track of the strength of the authentication used as an input 1463 into policy decisions. For example, some principals might require 1464 strong pre-authentication, while less sensitive principals can use 1465 relatively weak forms of pre-authentication like encrypted timestamp. 1467 An AuthorizationData data type AD-Authentication-Strength is defined 1468 for this purpose. 1470 AD-authentication-strength TBA 1472 The corresponding ad-data field contains the DER encoding of the pre- 1473 authentication data set as defined in Section 6.4. This set contains 1474 all the pre-authentication mechanisms that were used to authenticate 1475 the client. If only one pre-authentication mechanism was used to 1476 authenticate the client, the pre-authentication set contains one 1477 element. 1479 The AD-authentication-strength element MUST be included in the AD-IF- 1480 RELEVANT, thus it can be ignored if it is unknown to the receiver. 1482 7. IANA Considerations 1484 This document defines several new pa-data types, key usages and error 1485 codes. In addition it would be good to track which pa-data items are 1486 only to be used as FAST factors. 1488 8. Security Considerations 1490 The kdc-referrals option in the Kerberos FAST padata requests the KDC 1491 to act as the client to follow referrals. This can overload the KDC. 1492 To limit the damages of denied of service using this option, KDCs MAY 1493 restrict the number of simultaneous active requests with this option 1494 for any given client principal. 1496 Because the client secrets are known only to the client and the KDC, 1497 the verification of the authenticated timestamp proves the client's 1498 identity, the verification of the authenticated timestamp in the KDC 1499 reply proves that the expected KDC responded. The encrypted reply 1500 key is contained in the rep-key in the PA-FX-FAST-REPLY. Therefore, 1501 the authenticated timestamp FAST factor as a pre-authentication 1502 mechanism offers the following facilities: client-authentication, 1503 replacing-reply-key, KDC-authentication. There is no un- 1504 authenticated clear text introduced by the authenticated timestamp 1505 FAST factor. 1507 9. Acknowledgements 1509 Several suggestions from Jeffery Hutzman based on early revisions of 1510 this documents led to significant improvements of this document. 1512 The proposal to ask one KDC to chase down the referrals and return 1513 the final ticket is based on requirements in [ID.CROSS]. 1515 Joel Webber had a proposal for a mechanism similar to FAST that 1516 created a protected tunnel for Kerberos pre-authentication. 1518 10. References 1520 10.1. Normative References 1522 [KRB-ANON] 1523 Zhu, L. and P. Leach, "Kerberos Anonymity Support", 1524 draft-ietf-krb-wg-anon-04.txt (work in progress), 2007. 1526 [REFERRALS] 1527 Raeburn, K. and L. Zhu, "Generating KDC Referrals to 1528 Locate Kerberos Realms", 1529 draft-ietf-krb-wg-kerberos-referrals-10.txt (work in 1530 progress), 2007. 1532 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1533 Requirement Levels", BCP 14, RFC 2119, March 1997. 1535 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1536 Kerberos 5", RFC 3961, February 2005. 1538 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1539 Kerberos Network Authentication Service (V5)", RFC 4120, 1540 July 2005. 1542 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial 1543 Authentication in Kerberos (PKINIT)", RFC 4556, June 2006. 1545 10.2. Informative References 1547 [ID.CROSS] 1548 Sakane, S., Zrelli, S., and M. Ishiyama , "Problem 1549 Statement on the Operation of Kerberos in a Specific 1550 System", draft-sakane-krb-cross-problem-statement-02.txt 1551 (work in progress), April 2007. 1553 [KRB-WG.SAM] 1554 Hornstein, K., Renard, K., Neuman, C., and G. Zorn, 1555 "Integrating Single-use Authentication Mechanisms with 1556 Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in 1557 progress), October 2003. 1559 Appendix A. ASN.1 module 1561 KerberosPreauthFramework { 1562 iso(1) identified-organization(3) dod(6) internet(1) 1563 security(5) kerberosV5(2) modules(4) preauth-framework(3) 1564 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1566 IMPORTS 1567 KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum, 1568 Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY 1569 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1570 dod(6) internet(1) security(5) kerberosV5(2) 1571 modules(4) krb5spec2(2) }; 1572 -- as defined in RFC 4120. 1574 PA-FX-COOKIE ::= SEQUENCE { 1575 conversationId [0] OCTET STRING, 1576 -- Contains the identifier of this conversation. This field 1577 -- must contain the same value for all the messages 1578 -- within the same conversation. 1579 enc-binding-key [1] EncryptedData OPTIONAL, 1580 -- EncryptionKey -- 1581 -- This field is present when and only when a FAST 1582 -- padata as defined in Section 6.5 is included. 1583 -- The encrypted data, when decrypted, contains an 1584 -- EncryptionKey structure. 1585 -- This encryption key is encrypted using the armor key 1586 -- (defined in Section 6.5.1), and the key usage for the 1587 -- encryption is KEY_USAGE_FAST_BINDING_KEY. 1588 cookie [2] OCTET STRING OPTIONAL, 1589 -- Opaque data, for use to associate all the messages in 1590 -- a single conversation between the client and the KDC. 1591 -- This is generated by the KDC and the client MUST copy 1592 -- the exact cookie encapsulated in a PA_FX_COOKIE data 1593 -- element into the next message of the same conversation. 1594 ... 1595 } 1597 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 1599 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 1600 pa-type [0] Int32, 1601 -- same as padata-type. 1602 pa-hint [1] OCTET STRING, 1603 -- hint data. 1604 ... 1605 } 1607 KrbFastArmor ::= SEQUENCE { 1608 armor-type [0] Int32, 1609 -- Type of the armor. 1610 armor-value [1] OCTET STRING, 1611 -- Value of the armor. 1612 ... 1613 } 1615 PA-FX-FAST-REQUEST ::= CHOICE { 1616 armored-data [0] KrbFastArmoredReq, 1617 ... 1618 } 1620 KrbFastArmoredReq ::= SEQUENCE { 1621 armor [0] KrbFastArmor OPTIONAL, 1622 -- Contains the armor that identifies the armor key. 1623 -- MUST be present in AS-REQ. 1624 -- MUST be absent in TGS-REQ. 1625 req-checksum [1] Checksum, 1626 -- Checksum performed over the type KDC-REQ-BODY for 1627 -- the req-body field of the KDC-REQ structure defined in 1628 -- [RFC4120] 1629 -- The checksum key is the armor key, the checksum 1630 -- type is the required checksum type for the enctype of 1631 -- the armor key, and the key usage number is 1632 -- KEY_USAGE_FAST_REA_CHKSUM. 1633 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1634 -- The encryption key is the armor key, and the key usage 1635 -- number is KEY_USAGE_FAST_ENC. 1636 ... 1637 } 1639 KrbFastReq ::= SEQUENCE { 1640 fast-options [0] FastOptions, 1641 -- Additional options. 1642 padata [1] SEQUENCE OF PA-DATA, 1643 -- padata typed holes. 1644 req-body [2] KDC-REQ-BODY, 1645 -- Contains the KDC request body as defined in Section 1646 -- 5.4.1 of [RFC4120]. The req-body field in the KDC-REQ 1647 -- structure [RFC4120] MUST be ignored. 1648 -- The client name and realm in the KDC-REQ [RFC4120] 1649 -- MUST NOT be present for AS-REQ and TGS-REQ when 1650 -- Kerberos FAST padata is included in the request. 1651 ... 1652 } 1654 FastOptions ::= KerberosFlags 1655 -- reserved(0), 1656 -- anonymous(1), 1657 -- kdc-referrals(16) 1659 PA-FX-FAST-REPLY ::= CHOICE { 1660 armored-data [0] KrbFastArmoredRep, 1661 ... 1662 } 1664 KrbFastArmoredRep ::= SEQUENCE { 1665 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1666 -- The encryption key is the armor key in the request, and 1667 -- the key usage number is KEY_USAGE_FAST_REP. 1668 ... 1669 } 1671 KrbFastResponse ::= SEQUENCE { 1672 padata [0] SEQUENCE OF PA-DATA, 1673 -- padata typed holes. 1674 rep-key [1] EncryptionKey OPTIONAL, 1675 -- This, if present, replaces the reply key for AS and TGS. 1676 -- MUST be absent in KRB-ERROR. 1677 finished [2] KrbFastFinished OPTIONAL, 1678 -- MUST be present if the client is authenticated, 1679 -- absent otherwise. 1680 -- Typically this is present if and only if the containing 1681 -- message is the last one in a conversation. 1682 ... 1683 } 1685 KrbFastFinished ::= SEQUENCE { 1686 timestamp [0] KerberosTime, 1687 usec [1] Microseconds, 1688 -- timestamp and usec represent the time on the KDC when 1689 -- the reply was generated. 1690 crealm [2] Realm, 1691 cname [3] PrincipalName, 1692 -- Contains the client realm and the client name. 1693 checksum [4] Checksum, 1694 -- Checksum performed over all the messages in the 1695 -- conversation, except the containing message. 1696 -- The checksum key is the binding key as defined in 1697 -- Section 6.3, and the checksum type is the required 1698 -- checksum type of the binding key. 1699 ... 1700 } 1702 AuthenticatedTimestampToBeSigned ::= SEQUENCE { 1703 timestamp [0] PA-ENC-TS-ENC, 1704 -- Contains the timestamp field of the corresponding 1705 -- AuthenticatedTimestamp structure. 1706 req-body [1] KDC-REQ-BODY OPTIONAL, 1707 -- MUST contain the req-body field of the KDC-REQ 1708 -- structure in the containing AS-REQ for the client 1709 -- request. 1710 -- MUST be Absent for the KDC reply. 1711 ... 1712 } 1714 AuthenticatedTimestamp ::= SEQUENCE { 1715 timestamp [0] PA-ENC-TS-ENC, 1716 -- Filled out according to Section 5.2.7.2 of [RFC4120]. 1717 -- Contains the client's current time for the client, 1718 -- and the KDC's current time for the KDC. 1719 checksum [1] CheckSum, 1720 -- The checksum is performed over the type 1721 -- AuthenticatedTimestampToBeSigned and the key usage is 1722 -- KEY_USAGE_AUTHENTICATED_TS_CLIENT for the client and 1723 _ KEY_USAGE_AUTHENTICATED_TS_KDC for the KDC 1724 ... 1725 } 1726 END 1728 Authors' Addresses 1730 Larry Zhu 1731 Microsoft Corporation 1732 One Microsoft Way 1733 Redmond, WA 98052 1734 US 1736 Email: lzhu@microsoft.com 1738 Sam hartman 1739 MIT 1741 Email: hartmans@mit.edu 1743 Full Copyright Statement 1745 Copyright (C) The IETF Trust (2007). 1747 This document is subject to the rights, licenses and restrictions 1748 contained in BCP 78, and except as set forth therein, the authors 1749 retain all their rights. 1751 This document and the information contained herein are provided on an 1752 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1753 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 1754 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 1755 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 1756 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1757 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1759 Intellectual Property 1761 The IETF takes no position regarding the validity or scope of any 1762 Intellectual Property Rights or other rights that might be claimed to 1763 pertain to the implementation or use of the technology described in 1764 this document or the extent to which any license under such rights 1765 might or might not be available; nor does it represent that it has 1766 made any independent effort to identify any such rights. Information 1767 on the procedures with respect to rights in RFC documents can be 1768 found in BCP 78 and BCP 79. 1770 Copies of IPR disclosures made to the IETF Secretariat and any 1771 assurances of licenses to be made available, or the result of an 1772 attempt made to obtain a general license or permission for the use of 1773 such proprietary rights by implementers or users of this 1774 specification can be obtained from the IETF on-line IPR repository at 1775 http://www.ietf.org/ipr. 1777 The IETF invites any interested party to bring to its attention any 1778 copyrights, patents or patent applications, or other proprietary 1779 rights that may cover technology that may be required to implement 1780 this standard. Please address the information to the IETF at 1781 ietf-ipr@ietf.org. 1783 Acknowledgment 1785 Funding for the RFC Editor function is provided by the IETF 1786 Administrative Support Activity (IASA).