idnits 2.17.1 draft-ietf-krb-wg-preauth-framework-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? -- It seems you're using the 'non-IETF stream' Licence Notice instead Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4120, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1385 has weird spacing: '...hecksum of th...' == Line 1386 has weird spacing: '... -- and the k...' == Line 1736 has weird spacing: '...ames in the K...' == Line 2021 has weird spacing: '...hecksum of th...' == Line 2022 has weird spacing: '... -- and the k...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: o There are two possibilities for armor for a TGS request. If the ticket presented in the PA-TGS-REQ authenticator is a TGT, then the client SHOULD not include the armor field in the Krbfastreq and a subkey MUST be included in the PA-TGS-REQ authenticator. In this case, the armor key is the same armor key that would be computed if the TGS-REQ authenticator was used in a FX_FAST_ARMOR_AP_REQUEST armor. If a ticket other than a TGT is being presented to the TGS, a client SHOULD use some form of FAST armor such as a ticket-based armor with a TGT as an armor ticket. Clients MAY present a non-TGT in the PA-TGS-REQ authenticator and omit the armor field, in which case the armor key is the same that would be computed if the authenticator were used in a FX_FAST_ARMOR_AP_REQUEST armor. This is the only case where a ticket other than a TGT can be used to establish an armor key; even though the armor key is computed the same as a FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an armor ticket in FX_FAST_ARMOR_AP_REQUEST. (Using the creation date from RFC4120, updated by this document, for RFC5378 checks: 2002-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 11, 2009) is 5551 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'EKE' is mentioned on line 161, but not defined == Missing Reference: 'IEEE1363.2' is mentioned on line 161, but not defined -- Looks like a reference, but probably isn't: '0' on line 2007 -- Looks like a reference, but probably isn't: '1' on line 2008 -- Looks like a reference, but probably isn't: '2' on line 2011 -- Looks like a reference, but probably isn't: '3' on line 2012 -- Looks like a reference, but probably isn't: '4' on line 2014 -- Looks like a reference, but probably isn't: '5' on line 2020 == Outdated reference: A later version (-12) exists of draft-ietf-krb-wg-anon-04 ** Downref: Normative reference to an Historic draft: draft-ietf-krb-wg-anon (ref. 'KRB-ANON') == Outdated reference: A later version (-03) exists of draft-sakane-krb-cross-problem-statement-02 == Outdated reference: A later version (-15) exists of draft-ietf-krb-wg-kerberos-referrals-10 Summary: 2 errors (**), 0 flaws (~~), 12 warnings (==), 10 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group S. Hartman 3 Internet-Draft Painless Security 4 Updates: 4120 (if approved) L. Zhu 5 Intended status: Standards Track Microsoft Corporation 6 Expires: August 15, 2009 February 11, 2009 8 A Generalized Framework for Kerberos Pre-Authentication 9 draft-ietf-krb-wg-preauth-framework-09 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on August 15, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. 46 Abstract 48 Kerberos is a protocol for verifying the identity of principals 49 (e.g., a workstation user or a network server) on an open network. 50 The Kerberos protocol provides a mechanism called pre-authentication 51 for proving the identity of a principal and for better protecting the 52 long-term secrets of the principal. 54 This document describes a model for Kerberos pre-authentication 55 mechanisms. The model describes what state in the Kerberos request a 56 pre-authentication mechanism is likely to change. It also describes 57 how multiple pre-authentication mechanisms used in the same request 58 will interact. 60 This document also provides common tools needed by multiple pre- 61 authentication mechanisms. One of these tools is a secure channel 62 between the client and the KDC with a reply key delivery mechanism; 63 this secure channel can be used to protect the authentication 64 exchange thus eliminate offline dictionary attacks. With these 65 tools, it is relatively straightforward to chain multiple 66 authentication mechanisms, utilize a different key management system, 67 or support a new key agreement algorithm. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 72 2. Conventions and Terminology Used in This Document . . . . . . 6 73 3. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 6 74 3.1. Information Managed by the Pre-authentication Model . . . 7 75 3.2. Initial Pre-authentication Required Error . . . . . . . . 9 76 3.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 10 77 3.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 11 78 4. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 12 79 4.1. Client-authentication Facility . . . . . . . . . . . . . . 13 80 4.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 13 81 4.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 14 82 4.4. KDC-authentication Facility . . . . . . . . . . . . . . . 15 83 5. Requirements for Pre-Authentication Mechanisms . . . . . . . . 15 84 6. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 16 85 6.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 16 86 6.2. Protecting Requests/Responses . . . . . . . . . . . . . . 18 87 6.3. Managing States for the KDC . . . . . . . . . . . . . . . 18 88 6.4. Pre-authentication Set . . . . . . . . . . . . . . . . . . 20 89 6.5. Definition of Kerberos FAST Padata . . . . . . . . . . . . 22 90 6.5.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 23 91 6.5.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 25 92 6.5.3. FAST Response . . . . . . . . . . . . . . . . . . . . 29 93 6.5.4. Authenticated Kerberos Error Messages using 94 Kerberos FAST . . . . . . . . . . . . . . . . . . . . 32 95 6.5.5. Outer and Inner Requests . . . . . . . . . . . . . . . 33 96 6.5.6. The Encrypted Challenge FAST Factor . . . . . . . . . 33 97 6.6. Authentication Strength Indication . . . . . . . . . . . . 35 98 7. Assigned Constants . . . . . . . . . . . . . . . . . . . . . . 35 99 7.1. New Errors . . . . . . . . . . . . . . . . . . . . . . . . 36 100 7.2. Key Usage Numbers . . . . . . . . . . . . . . . . . . . . 36 101 7.3. Authorization Data Elements . . . . . . . . . . . . . . . 36 102 7.4. New PA-DATA Types . . . . . . . . . . . . . . . . . . . . 36 103 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 104 8.1. Pre-authentication and Typed Data . . . . . . . . . . . . 36 105 8.2. Fast Armor Types . . . . . . . . . . . . . . . . . . . . . 38 106 8.3. FAST Options . . . . . . . . . . . . . . . . . . . . . . . 39 107 9. Security Considerations . . . . . . . . . . . . . . . . . . . 39 108 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 39 109 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40 110 11.1. Normative References . . . . . . . . . . . . . . . . . . . 40 111 11.2. Informative References . . . . . . . . . . . . . . . . . . 40 112 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 41 113 A.1. Changes since 08 . . . . . . . . . . . . . . . . . . . . . 41 114 A.2. Changes since 07 . . . . . . . . . . . . . . . . . . . . . 42 115 A.3. Changes since 06 . . . . . . . . . . . . . . . . . . . . . 42 116 Appendix B. ASN.1 module . . . . . . . . . . . . . . . . . . . . 42 117 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 119 1. Introduction 121 The core Kerberos specification [RFC4120] treats pre-authentication 122 data as an opaque typed hole in the messages to the KDC that may 123 influence the reply key used to encrypt the KDC reply. This 124 generality has been useful: pre-authentication data is used for a 125 variety of extensions to the protocol, many outside the expectations 126 of the initial designers. However, this generality makes designing 127 more common types of pre-authentication mechanisms difficult. Each 128 mechanism needs to specify how it interacts with other mechanisms. 129 Also, problems like combining a key with the long-term secrets or 130 proving the identity of the user are common to multiple mechanisms. 131 Where there are generally well-accepted solutions to these problems, 132 it is desirable to standardize one of these solutions so mechanisms 133 can avoid duplication of work. In other cases, a modular approach to 134 these problems is appropriate. The modular approach will allow new 135 and better solutions to common pre-authentication problems to be used 136 by existing mechanisms as they are developed. 138 This document specifies a framework for Kerberos pre-authentication 139 mechanisms. It defines the common set of functions that pre- 140 authentication mechanisms perform as well as how these functions 141 affect the state of the request and reply. In addition several 142 common tools needed by pre-authentication mechanisms are provided. 143 Unlike [RFC3961], this framework is not complete--it does not 144 describe all the inputs and outputs for the pre-authentication 145 mechanisms. Pre-Authentication mechanism designers should try to be 146 consistent with this framework because doing so will make their 147 mechanisms easier to implement. Kerberos implementations are likely 148 to have plugin architectures for pre-authentication; such 149 architectures are likely to support mechanisms that follow this 150 framework plus commonly used extensions. This framework also 151 facilitates combining multiple pre-authentication mechanisms, each of 152 which may represent an authentication factor, into a single multi- 153 factor pre-authentication mechanism. 155 One of these common tools is the flexible authentication secure 156 tunneling (FAST) padata type. FAST provides a protected channel 157 between the client and the KDC, and it can optionally deliver a reply 158 key within the protected channel. Based on FAST, pre-authentication 159 mechanisms can extend Kerberos with ease, to support, for example, 160 password authenticated key exchange (PAKE) protocols with zero 161 knowledge password proof (ZKPP) [EKE] [IEEE1363.2]. Any pre- 162 authentication mechanism can be encapsulated in the FAST messages as 163 defined in Section 6.5. A pre-authentication type carried within 164 FAST is called a FAST factor. Creating a FAST factor is the easiest 165 path to create a new pre-authentication mechanism. FAST factors are 166 significantly easier to analyze from a security standpoint than other 167 pre-authentication mechanisms. 169 Mechanism designers should design FAST factors, instead of new pre- 170 authentication mechanisms outside of FAST. 172 2. Conventions and Terminology Used in This Document 174 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 175 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 176 document are to be interpreted as described in [RFC2119]. 178 The word padata is used as a shorthand for pre-authentication data. 180 A conversation is the set of all authentication messages exchanged 181 between the client and the client's KDCs in order to authenticate the 182 client principal. A conversation as defined here consists of all 183 messages that are necessary to complete the authentication between 184 the client and the client's KDCs. 186 If the KDC reply in an Authentication Service (AS) exchange is 187 verified, the KDC is authenticated by the client. In this document, 188 verification of the KDC reply is used as a synonym of authentication 189 of the KDC. 191 Lastly, this document should be read only after reading the documents 192 describing the Kerberos cryptography framework [RFC3961] and the core 193 Kerberos protocol [RFC4120]. This document may freely use 194 terminology and notation from these documents without reference or 195 further explanation. 197 3. Model for Pre-Authentication 199 When a Kerberos client wishes to obtain a ticket using the 200 authentication server, it sends an initial Authentication Service 201 (AS) request. If pre-authentication is required but not being used, 202 then the KDC will respond with a KDC_ERR_PREAUTH_REQUIRED error. 203 Alternatively, if the client knows what pre-authentication to use, it 204 MAY optimize away a round-trip and send an initial request with 205 padata included in the initial request. If the client includes the 206 padata computed using the wrong pre-authentication mechanism or 207 incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no 208 indication of what padata should have been included. In that case, 209 the client MUST retry with no padata and examine the error data of 210 the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre- 211 authentication information in the accompanying error data of 212 KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and 213 then retry. 215 The conventional KDC maintains no state between two requests; 216 subsequent requests may even be processed by a different KDC. On the 217 other hand, the client treats a series of exchanges with KDCs as a 218 single conversation. Each exchange accumulates state and hopefully 219 brings the client closer to a successful authentication. 221 These models for state management are in apparent conflict. For many 222 of the simpler pre-authentication scenarios, the client uses one 223 round trip to find out what mechanisms the KDC supports. Then the 224 next request contains sufficient pre-authentication for the KDC to be 225 able to return a successful reply. For these simple scenarios, the 226 client only sends one request with pre-authentication data and so the 227 conversation is trivial. For more complex conversations, the KDC 228 needs to provide the client with a cookie to include in future 229 requests to capture the current state of the authentication session. 230 Handling of multiple round-trip mechanisms is discussed in 231 Section 6.3. 233 This framework specifies the behavior of Kerberos pre-authentication 234 mechanisms used to identify users or to modify the reply key used to 235 encrypt the KDC reply. The PA-DATA typed hole may be used to carry 236 extensions to Kerberos that have nothing to do with proving the 237 identity of the user or establishing a reply key. Such extensions 238 are outside the scope of this framework. However mechanisms that do 239 accomplish these goals should follow this framework. 241 This framework specifies the minimum state that a Kerberos 242 implementation needs to maintain while handling a request in order to 243 process pre-authentication. It also specifies how Kerberos 244 implementations process the padata at each step of the AS request 245 process. 247 3.1. Information Managed by the Pre-authentication Model 249 The following information is maintained by the client and KDC as each 250 request is being processed: 252 o The reply key used to encrypt the KDC reply 254 o How strongly the identity of the client has been authenticated 256 o Whether the reply key has been used in this conversation 258 o Whether the reply key has been replaced in this conversation 259 o Whether the contents of the KDC reply can be verified by the 260 client principal 262 Conceptually, the reply key is initially the long-term key of the 263 principal. However, principals can have multiple long-term keys 264 because of support for multiple encryption types, salts and 265 string2key parameters. As described in Section 5.2.7.5 of the 266 Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify 267 the client what types of keys are available. Thus in full 268 generality, the reply key in the pre-authentication model is actually 269 a set of keys. At the beginning of a request, it is initialized to 270 the set of long-term keys advertised in the PA-ETYPE-INFO2 element on 271 the KDC. If multiple reply keys are available, the client chooses 272 which one to use. Thus the client does not need to treat the reply 273 key as a set. At the beginning of a request, the client picks a key 274 to use. 276 KDC implementations MAY choose to offer only one key in the PA-ETYPE- 277 INFO2 element. Since the KDC already knows the client's list of 278 supported enctypes from the request, no interoperability problems are 279 created by choosing a single possible reply key. This way, the KDC 280 implementation avoids the complexity of treating the reply key as a 281 set. 283 When the padata in the request is verified by the KDC, then the 284 client is known to have that key, therefore the KDC SHOULD pick the 285 same key as the reply key. 287 At the beginning of handling a message on both the client and the 288 KDC, the client's identity is not authenticated. A mechanism may 289 indicate that it has successfully authenticated the client's 290 identity. This information is useful to keep track of on the client 291 in order to know what pre-authentication mechanisms should be used. 292 The KDC needs to keep track of whether the client is authenticated 293 because the primary purpose of pre-authentication is to authenticate 294 the client identity before issuing a ticket. The handling of 295 authentication strength using various authentication mechanisms is 296 discussed in Section 6.6. 298 Initially the reply key has not been used. A pre-authentication 299 mechanism that uses the reply key to encrypt or checksum some data in 300 the generation of new keys MUST indicate that the reply key is used. 301 This state is maintained by the client and the KDC to enforce the 302 security requirement stated in Section 4.3 that the reply key SHOULD 303 NOT be replaced after it is used. 305 Initially the reply key has not been replaced. If a mechanism 306 implements the Replace Reply Key facility discussed in Section 4.3, 307 then the state MUST be updated to indicate that the reply key has 308 been replaced. Once the reply key has been replaced, knowledge of 309 the reply key is insufficient to authenticate the client. The reply 310 key is marked replaced in exactly the same situations as the KDC 311 reply is marked as not being verified to the client principal. 312 However, while mechanisms can verify the KDC reply to the client, 313 once the reply key is replaced, then the reply key remains replaced 314 for the remainder of the conversation. 316 Without pre-authentication, the client knows that the KDC reply is 317 authentic and has not been modified because it is encrypted in a 318 long-term key of the client. Only the KDC and the client know that 319 key. So at the start of a conversation, the KDC reply is presumed to 320 be verified using the client principal's long-term key. It should be 321 noted that in this document, verifying the KDC reply means 322 authenticating the KDC, and these phrases are used interchangeably. 323 Any pre-authentication mechanism that sets a new reply key not based 324 on the principal's long-term secret MUST either verify the KDC reply 325 some other way or indicate that the reply is not verified. If a 326 mechanism indicates that the reply is not verified then the client 327 implementation MUST return an error unless a subsequent mechanism 328 verifies the reply. The KDC needs to track this state so it can 329 avoid generating a reply that is not verified. 331 The typical Kerberos request does not provide a way for the client 332 machine to know that it is talking to the correct KDC. Someone who 333 can inject packets into the network between the client machine and 334 the KDC and who knows the password that the user will give to the 335 client machine can generate a KDC reply that will decrypt properly. 336 So, if the client machine needs to authenticate that the user is in 337 fact the named principal, then the client machine needs to do a TGS 338 request for itself as a service. Some pre-authentication mechanisms 339 may provide a way for the client machine to authenticate the KDC. 340 Examples of this include signing the reply that can be verified using 341 a well-known public key or providing a ticket for the client machine 342 as a service. 344 3.2. Initial Pre-authentication Required Error 346 Typically a client starts a conversation by sending an initial 347 request with no pre-authentication. If the KDC requires pre- 348 authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message. 349 After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code, 350 the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_NEEDED 351 (defined in Section 6.3) for pre-authentication configurations that 352 use multi-round-trip mechanisms; see Section 3.4 for details of that 353 case. 355 The KDC needs to choose which mechanisms to offer the client. The 356 client needs to be able to choose what mechanisms to use from the 357 first message. For example consider the KDC that will accept 358 mechanism A followed by mechanism B or alternatively the single 359 mechanism C. A client that supports A and C needs to know that it 360 should not bother trying A. 362 Mechanisms can either be sufficient on their own or can be part of an 363 authentication set--a group of mechanisms that all need to 364 successfully complete in order to authenticate a client. Some 365 mechanisms may only be useful in authentication sets; others may be 366 useful alone or in authentication sets. For the second group of 367 mechanisms, KDC policy dictates whether the mechanism will be part of 368 an authentication set or offered alone. For each mechanism that is 369 offered alone, the KDC includes the pre-authentication type ID of the 370 mechanism in the padata sequence returned in the 371 KDC_ERR_PREAUTH_REQUIRED error. 373 The KDC SHOULD NOT send data that is encrypted in the long-term 374 password-based key of the principal. Doing so has the same security 375 exposures as the Kerberos protocol without pre-authentication. There 376 are few situations where the KDC needs to expose cipher text 377 encrypted in a weak key before the client has proven knowledge of 378 that key, and pre-authentication is desirable. 380 3.3. Client to KDC 382 This description assumes that a client has already received a 383 KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs 384 optimistic pre-authentication then the client needs to guess values 385 for the information it would normally receive from that error 386 response or use cached information obtained in prior interactions 387 with the KDC. 389 The client starts by initializing the pre-authentication state as 390 specified. It then processes the padata in the 391 KDC_ERR_PREAUTH_REQUIRED. 393 When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the 394 client MAY ignore any padata it chooses unless doing so violates a 395 specification to which the client conforms. Clients conforming to 396 this specification MUST NOT ignore the padata defined in Section 6.3. 397 Clients SHOULD process padata unrelated to this framework or other 398 means of authenticating the user. Clients SHOULD choose one 399 authentication set or mechanism that could lead to authenticating the 400 user and ignore the rest. Since the list of mechanisms offered by 401 the KDC is in the decreasing preference order, clients typically 402 choose the first mechanism or authentication set that the client can 403 usefully perform. If a client chooses to ignore a padata it MUST NOT 404 process the padata, allow the padata to affect the pre-authentication 405 state, nor respond to the padata. 407 For each padata the client chooses to process, the client processes 408 the padata and modifies the pre-authentication state as required by 409 that mechanism. Padata are processed in the order received from the 410 KDC. 412 After processing the padata in the KDC error, the client generates a 413 new request. It processes the pre-authentication mechanisms in the 414 order in which they will appear in the next request, updating the 415 state as appropriate. The request is sent when it is complete. 417 3.4. KDC to Client 419 When a KDC receives an AS request from a client, it needs to 420 determine whether it will respond with an error or an AS reply. 421 There are many causes for an error to be generated that have nothing 422 to do with pre-authentication; they are discussed in the core 423 Kerberos specification. 425 From the standpoint of evaluating the pre-authentication, the KDC 426 first starts by initializing the pre-authentication state. If a PA- 427 FX-COOKIE pre-authentication data item is present, it is processed 428 first; see Section 6.3 for a definition. It then processes the 429 padata in the request. As mentioned in Section 3.3, the KDC MAY 430 ignore padata that is inappropriate for the configuration and MUST 431 ignore padata of an unknown type. The KDC MUST NOT ignore padata of 432 types used in previous messages. For example, if a KDC issues a 433 KDC_ERR_PREAUTH_REQUIRED error including padata of type x, then the 434 KDC cannot ignore padata of type x received in an AS-REQ message from 435 the client. 437 At this point the KDC decides whether it will issue an error or a 438 reply. Typically a KDC will issue a reply if the client's identity 439 has been authenticated to a sufficient degree. 441 In the case of a KDC_ERR_MORE_PREAUTH_DATA_NEEDED error, the KDC 442 first starts by initializing the pre-authentication state. Then it 443 processes any padata in the client's request in the order provided by 444 the client. Mechanisms that are not understood by the KDC are 445 ignored. Next, it generates padata for the error response, modifying 446 the pre-authentication state appropriately as each mechanism is 447 processed. The KDC chooses the order in which it will generate 448 padata (and thus the order of padata in the response), but it needs 449 to modify the pre-authentication state consistently with the choice 450 of order. For example, if some mechanism establishes an 451 authenticated client identity, then the subsequent mechanisms in the 452 generated response receive this state as input. After the padata is 453 generated, the error response is sent. Typically the errors with the 454 code KDC_ERR_MORE_PREAUTH_DATA_NEEDED in a conversation will include 455 KDC state as discussed in Section 6.3. 457 To generate a final reply, the KDC generates the padata modifying the 458 pre-authentication state as necessary. Then it generates the final 459 response, encrypting it in the current pre-authentication reply key. 461 4. Pre-Authentication Facilities 463 Pre-Authentication mechanisms can be thought of as providing various 464 conceptual facilities. This serves two useful purposes. First, 465 mechanism authors can choose only to solve one specific small 466 problem. It is often useful for a mechanism designed to offer key 467 management not to directly provide client authentication but instead 468 to allow one or more other mechanisms to handle this need. Secondly, 469 thinking about the abstract services that a mechanism provides yields 470 a minimum set of security requirements that all mechanisms providing 471 that facility must meet. These security requirements are not 472 complete; mechanisms will have additional security requirements based 473 on the specific protocol they employ. 475 A mechanism is not constrained to only offering one of these 476 facilities. While such mechanisms can be designed and are sometimes 477 useful, many pre-authentication mechanisms implement several 478 facilities. By combining multiple facilities in a single mechanism, 479 it is often easier to construct a secure, simple solution than by 480 solving the problem in full generality. Even when mechanisms provide 481 multiple facilities, they need to meet the security requirements for 482 all the facilities they provide. If the FAST factor approach is 483 used, it is likely that one or a small number of facilities can be 484 provided by a single mechanism without complicating the security 485 analysis. 487 According to Kerberos extensibility rules (Section 1.5 of the 488 Kerberos specification [RFC4120]), an extension MUST NOT change the 489 semantics of a message unless a recipient is known to understand that 490 extension. Because a client does not know that the KDC supports a 491 particular pre-authentication mechanism when it sends an initial 492 request, a pre-authentication mechanism MUST NOT change the semantics 493 of the request in a way that will break a KDC that does not 494 understand that mechanism. Similarly, KDCs MUST NOT send messages to 495 clients that affect the core semantics unless the client has 496 indicated support for the message. 498 The only state in this model that would break the interpretation of a 499 message is changing the expected reply key. If one mechanism changed 500 the reply key and a later mechanism used that reply key, then a KDC 501 that interpreted the second mechanism but not the first would fail to 502 interpret the request correctly. In order to avoid this problem, 503 extensions that change core semantics are typically divided into two 504 parts. The first part proposes a change to the core semantic--for 505 example proposes a new reply key. The second part acknowledges that 506 the extension is understood and that the change takes effect. 507 Section 4.2 discusses how to design mechanisms that modify the reply 508 key to be split into a proposal and acceptance without requiring 509 additional round trips to use the new reply key in subsequent pre- 510 authentication. Other changes in the state described in Section 3.1 511 can safely be ignored by a KDC that does not understand a mechanism. 512 Mechanisms that modify the behavior of the request outside the scope 513 of this framework need to carefully consider the Kerberos 514 extensibility rules to avoid similar problems. 516 4.1. Client-authentication Facility 518 The client authentication facility proves the identity of a user to 519 the KDC before a ticket is issued. Examples of mechanisms 520 implementing this facility include the encrypted timestamp facility 521 defined in Section 5.2.7.2 of the Kerberos specification [RFC4120]. 522 Mechanisms that provide this facility are expected to mark the client 523 as authenticated. 525 Mechanisms implementing this facility SHOULD require the client to 526 prove knowledge of the reply key before transmitting a successful KDC 527 reply. Otherwise, an attacker can intercept the pre-authentication 528 exchange and get a reply to attack. One way of proving the client 529 knows the reply key is to implement the Replace Reply Key facility 530 along with this facility. The PKINIT mechanism [RFC4556] implements 531 Client Authentication alongside Replace Reply Key. 533 If the reply key has been replaced, then mechanisms such as 534 encrypted-timestamp that rely on knowledge of the reply key to 535 authenticate the client MUST NOT be used. 537 4.2. Strengthening-reply-key Facility 539 Particularly when dealing with keys based on passwords, it is 540 desirable to increase the strength of the key by adding additional 541 secrets to it. Examples of sources of additional secrets include the 542 results of a Diffie-Hellman key exchange or key bits from the output 543 of a smart card [KRB-WG.SAM]. Typically these additional secrets can 544 be first combined with the existing reply key and then converted to a 545 protocol key using tools defined in Section 6.1. 547 Typically a mechanism implementing this facility will know that the 548 other side of the exchange supports the facility before the reply key 549 is changed. For example, a mechanism might need to learn the 550 certificate for a KDC before encrypting a new key in the public key 551 belonging to that certificate. However, if a mechanism implementing 552 this facility wishes to modify the reply key before knowing that the 553 other party in the exchange supports the mechanism, it proposes 554 modifying the reply key. The other party then includes a message 555 indicating that the proposal is accepted if it is understood and 556 meets policy. In many cases it is desirable to use the new reply key 557 for client authentication and for other facilities. Waiting for the 558 other party to accept the proposal and actually modify the reply key 559 state would add an additional round trip to the exchange. Instead, 560 mechanism designers are encouraged to include a typed hole for 561 additional padata in the message that proposes the reply key change. 562 The padata included in the typed hole are generated assuming the new 563 reply key. If the other party accepts the proposal, then these 564 padata are considered as an inner level. As with the outer level, 565 one authentication set or mechanism is typically chosen for client 566 authentication, along with auxiliary mechanisms such as KDC cookies, 567 and other mechanisms are ignored. When mechanisms include such a 568 container, the hint provided for use in authentication sets (as 569 defined in Section 6.4) MUST contain a sequence of inner mechanisms 570 along with hints for those mechanisms. The party generating the 571 proposal can determine whether the padata were processed based on 572 whether the proposal for the reply key is accepted. 574 The specific formats of the proposal message, including where padata 575 are included is a matter for the mechanism specification. Similarly, 576 the format of the message accepting the proposal is mechanism- 577 specific. 579 Mechanisms implementing this facility and including a typed hole for 580 additional padata MUST checksum that padata using a keyed checksum or 581 encrypt the padata. This requirement protects against modification 582 of the contents of the typed hole. By modifying these contents an 583 attacker might be able to choose which mechanism is used to 584 authenticate the client, or to convince a party to provide text 585 encrypted in a key that the attacker had manipulated. It is 586 important that mechanisms strengthen the reply key enough that using 587 it to checksum padata is appropriate. 589 4.3. Replacing-reply-key Facility 591 The Replace Reply Key facility replaces the key in which a successful 592 AS reply will be encrypted. This facility can only be used in cases 593 where knowledge of the reply key is not used to authenticate the 594 client. The new reply key MUST be communicated to the client and the 595 KDC in a secure manner. This facility MUST NOT be used if there can 596 be a man-in-the-middle between the client and the KDC. Mechanisms 597 implementing this facility MUST mark the reply key as replaced in the 598 pre-authentication state. Mechanisms implementing this facility MUST 599 either provide a mechanism to verify the KDC reply to the client or 600 mark the reply as unverified in the pre-authentication state. 601 Mechanisms implementing this facility SHOULD NOT be used if a 602 previous mechanism has used the reply key. 604 As with the strengthening-reply-key facility, Kerberos extensibility 605 rules require that the reply key not be changed unless both sides of 606 the exchange understand the extension. In the case of this facility 607 it will likely be the case for both sides to know that the facility 608 is available by the time that the new key is available to be used. 609 However, mechanism designers can use a container for padata in a 610 proposal message as discussed in Section 4.2 if appropriate. 612 4.4. KDC-authentication Facility 614 This facility verifies that the reply comes from the expected KDC. 615 In traditional Kerberos, the KDC and the client share a key, so if 616 the KDC reply can be decrypted then the client knows that a trusted 617 KDC responded. Note that the client machine cannot trust the client 618 unless the machine is presented with a service ticket for it 619 (typically the machine can retrieve this ticket by itself). However, 620 if the reply key is replaced, some mechanism is required to verify 621 the KDC. Pre-authentication mechanisms providing this facility allow 622 a client to determine that the expected KDC has responded even after 623 the reply key is replaced. They mark the pre-authentication state as 624 having been verified. 626 5. Requirements for Pre-Authentication Mechanisms 628 This section lists requirements for specifications of pre- 629 authentication mechanisms. 631 For each message in the pre-authentication mechanism, the 632 specification describes the pa-type value to be used and the contents 633 of the message. The processing of the message by the sender and 634 recipient is also specified. This specification needs to include all 635 modifications to the pre-authentication state. 637 Generally mechanisms have a message that can be sent in the error 638 data of the KDC_ERR_PREAUTH_REQUIRED error message or in an 639 authentication set. If the client needs information such as trusted 640 certificate authorities in order to determine if it can use the 641 mechanism, then this information should be in that message. In 642 addition, such mechanisms should also define a pa-hint to be included 643 in authentication sets. Often, the same information included in the 644 padata-value is appropriate to include in the pa-hint (as defined in 645 Section 6.4). 647 In order to ease security analysis the mechanism specification should 648 describe what facilities from this document are offered by the 649 mechanism. For each facility, the security consideration section of 650 the mechanism specification should show that the security 651 requirements of that facility are met. This requirement is 652 applicable to any FAST factor that provides authentication 653 information. 655 Significant problems have resulted in the specification of Kerberos 656 protocols because much of the KDC exchange is not protected against 657 authentication. The security considerations section should discuss 658 unauthenticated plaintext attacks. It should either show that 659 plaintext is protected or discuss what harm an attacker could do by 660 modifying the plaintext. It is generally acceptable for an attacker 661 to be able to cause the protocol negotiation to fail by modifying 662 plaintext. More significant attacks should be evaluated carefully. 664 As discussed in Section 6.3, there is no guarantee that a client will 665 use the same KDCs for all messages in a conversation. The mechanism 666 specification needs to show why the mechanism is secure in this 667 situation. The hardest problem to deal with, especially for 668 challenge/response mechanisms is to make sure that the same response 669 cannot be replayed against two KDCs while allowing the client to talk 670 to any KDC. 672 6. Tools for Use in Pre-Authentication Mechanisms 674 This section describes common tools needed by multiple pre- 675 authentication mechanisms. By using these tools mechanism designers 676 can use a modular approach to specify mechanism details and ease 677 security analysis. 679 6.1. Combining Keys 681 Frequently a weak key needs to be combined with a stronger key before 682 use. For example, passwords are typically limited in size and 683 insufficiently random, therefore it is desirable to increase the 684 strength of the keys based on passwords by adding additional secrets. 685 Additional source of secrecy may come from hardware tokens. 687 This section provides standard ways to combine two keys into one. 689 KRB-FX-CF1() is defined to combine two pass-phrases. 691 KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string) 692 KRB-FX-CF1(x, y) -> x || y 694 Where || denotes concatenation. The strength of the final key is 695 roughly the total strength of the individual keys being combined 696 assuming that the string_to_key() function [RFC3961] uses all its 697 input evenly. 699 An example usage of KRB-FX-CF1() is when a device provides random but 700 short passwords, the password is often combined with a personal 701 identification number (PIN). The password and the PIN can be 702 combined using KRB-FX-CF1(). 704 KRB-FX-CF2() combines two protocol keys based on the pseudo-random() 705 function defined in [RFC3961]. 707 Given two input keys, K1 and K2, where K1 and K2 can be of two 708 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as 709 follows: 711 KRB-FX-CF2(protocol key, protocol key, octet string, 712 octet string) -> (protocol key) 714 PRF+(K1, pepper1) -> octet-string-1 715 PRF+(K2, pepper2) -> octet-string-2 716 KRB-FX-CF2(K1, K2, pepper1, pepper2) -> 717 random-to-key(octet-string-1 ^ octet-string-2) 719 Where ^ denotes the exclusive-OR operation. PRF+() is defined as 720 follows: 722 PRF+(protocol key, octet string) -> (octet string) 724 PRF+(key, shared-info) -> pseudo-random( key, 1 || shared-info ) || 725 pseudo-random( key, 2 || shared-info ) || 726 pseudo-random( key, 3 || shared-info ) || ... 728 Here the counter value 1, 2, 3 and so on are encoded as a one-octet 729 integer. The pseudo-random() operation is specified by the enctype 730 of the protocol key. PRF+() uses the counter to generate enough bits 731 as needed by the random-to-key() [RFC3961] function for the 732 encryption type specified for the resulting key; unneeded bits are 733 removed from the tail. Unless otherwise specified, the resulting 734 enctype of KRB-FX-CF2 is the enctype of k1. 736 Mechanism designers MUST specify the values for the input parameter 737 pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The 738 pepper1 and pepper2 MUST be distinct so that if the two keys being 739 combined are the same, the resulting key is not a trivial key. 741 6.2. Protecting Requests/Responses 743 Mechanism designers SHOULD protect clear text portions of pre- 744 authentication data. Various denial of service attacks and downgrade 745 attacks against Kerberos are possible unless plaintexts are somehow 746 protected against modification. An early design goal of Kerberos 747 Version 5 [RFC4120] was to avoid encrypting more of the 748 authentication exchange that was required. (Version 4 doubly- 749 encrypted the encrypted part of a ticket in a KDC reply, for 750 example.) This minimization of encryption reduces the load on the 751 KDC and busy servers. Also, during the initial design of Version 5, 752 the existence of legal restrictions on the export of cryptography 753 made it desirable to minimize of the number of uses of encryption in 754 the protocol. Unfortunately, performing this minimization created 755 numerous instances of unauthenticated security-relevant plaintext 756 fields. 758 If there is more than one round trip for an authentication exchange, 759 mechanism designers need to allow either the client or the KDC to 760 provide a checksum of all the messages exchanged on the wire in the 761 conversation, and the checksum is then verified by the receiver. 763 New mechanisms MUST NOT be hard-wired to use a specific algorithm. 765 Primitives defined in [RFC3961] are RECOMMENDED for integrity 766 protection and confidentiality. Mechanisms based on these primitives 767 are crypto-agile as the result of using [RFC3961] along with 768 [RFC4120]. The advantage afforded by crypto-agility is the ability 769 to incrementally deploy a fix specific to a particular algorithm thus 770 avoid a multi-year standardization and deployment cycle, when real 771 attacks do arise against that algorithm. 773 Note that data used by FAST factors (defined in Section 6.5) is 774 encrypted in a protected channel, thus they do not share the un- 775 authenticated-text issues with mechanisms designed as full-blown pre- 776 authentication mechanisms. 778 6.3. Managing States for the KDC 780 Kerberos KDCs are stateless. There is no requirement that clients 781 will choose the same KDC for the second request in a conversation. 782 Proxies or other intermediate nodes may also influence KDC selection. 783 So, each request from a client to a KDC must include sufficient 784 information that the KDC can regenerate any needed state. This is 785 accomplished by giving the client a potentially long opaque cookie in 786 responses to include in future requests in the same conversation. 787 The KDC MAY respond that a conversation is too old and needs to 788 restart by responding with a KDC_ERR_PREAUTH_EXPIRED error. 790 KDC_ERR_PREAUTH_EXPIRED TBA 792 When a client receives this error, the client SHOULD abort the 793 existing conversation, and restart a new one. 795 An example, where more than one message from the client is needed, is 796 when the client is authenticated based on a challenge-response 797 scheme. In that case, the KDC needs to keep track of the challenge 798 issued for a client authentication request. 800 The PA-FX-COOKIE padata type is defined in this section to facilitate 801 state management. This padata is sent by the KDC when the KDC 802 requires state for a future transaction. The client includes this 803 opaque token in the next message in the conversation. The token may 804 be relatively large; clients MUST be prepared for tokens somewhat 805 larger than the size of all messages in a conversation. 807 PA-FX-COOKIE TBA 808 -- Stateless cookie that is not tied to a specific KDC. 810 The corresponding padata-value field [RFC4120] contains an opaque 811 token that will be echoed by the client in its response to an error 812 from the KDC. 814 The cookie token is generated by the KDC and transmitted in a PA-FX- 815 COOKIE pre-authentication data item of a KRB-ERROR message. The 816 client MUST copy the exact cookie encapsulated in a PA-FX-COOKIE data 817 element into the next message of the same conversation. The content 818 of the cookie field is a local matter of the KDC. As a result, it is 819 not generally possible to mix KDC implementations from different 820 vendors in the same realm. However the KDC MUST construct the cookie 821 token in such a manner that a malicious client cannot subvert the 822 authentication process by manipulating the token. The KDC 823 implementation needs to consider expiration of tokens, key rollover 824 and other security issues in token design. The content of the cookie 825 field is likely specific to the pre-authentication mechanisms used to 826 authenticate the client. If a client authentication response can be 827 replayed to multiple KDCs via the PA-FX-COOKIE mechanism, an 828 expiration in the cookie is RECOMMENDED to prevent the response being 829 presented indefinitely. 831 If at least one more message for a mechanism or a mechanism set is 832 expected by the KDC, the KDC returns a 833 KDC_ERR_MORE_PREAUTH_DATA_NEEDED error with a PA-FX-COOKIE to 834 identify the conversation with the client according to Section 3.2. 835 The cookie is not expected to stay constant for a conversation: the 836 KDC is expected to generate a new cookie for each message. 838 KDC_ERR_MORE_PREAUTH_DATA_NEEDED TBA 840 6.4. Pre-authentication Set 842 If all mechanisms in a group need to successfully complete in order 843 to authenticate a client, the client and the KDC SHOULD use the PA- 844 AUTHENTICATION-SET padata element. 846 PA-AUTHENTICATION-SET TBA 848 A PA-AUTHENTICATION-SET padata element contains the ASN.1 DER 849 encoding of the PA-AUTHENTICATION-SET structure: 851 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 853 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 854 pa-type [0] Int32, 855 -- same as padata-type. 856 pa-hint [1] OCTET STRING OPTIONAL, 857 pa-value [2] OCTET STRING OPTIONAL, 858 ... 859 } 861 The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure 862 contains the corresponding value of padata-type in PA-DATA [RFC4120]. 863 Associated with the pa-type is a pa-hint, which is an octet-string 864 specified by the pre-authentication mechanism. This hint may provide 865 information for the client which helps it determine whether the 866 mechanism can be used. For example a public-key mechanism might 867 include the certificate authorities it trusts in the hint info. Most 868 mechanisms today do not specify hint info; if a mechanism does not 869 specify hint info the KDC MUST NOT send a hint for that mechanism. 870 To allow future revisions of mechanism specifications to add hint 871 info, clients MUST ignore hint info received for mechanisms that the 872 client believes do not support hint info. The pa-value element of 873 the PA-AUTHENTICATION-SET-ELEM sequence is included to carry the 874 first padata-value from the KDC to the client. If the client chooses 875 this authentication set then the client MUST process this pa-value. 876 The pa-value element MUST be absent for all but the first entry in 877 the authentication set. Clients MUST ignore pa-value for the second 878 and following entries in the authentication set. 880 If the client chooses an authentication set, then its first AS-REQ 881 message MUST contain a PA-AUTHENTICATION-SET-SELECTED padata element. 882 This element contains the encoding of the PA-AUTHENTICATION-SET 883 sequence received from the KDC corresponding to the authentication 884 set that is chosen. The client MUST use the same octet values 885 received from the KDC; it cannot re-encode the sequence. This allows 886 KDCs to use bit-wise comparison to identify the selected 887 authentication set. The PA-AUTHENTICATION-SET-SELECTED padata 888 element MUST come before any padata elements from the authentication 889 set in the padata sequence in the AS-REQ message. The client MAY 890 cache authentication sets from prior messages and use them to 891 construct an optimistic initial AS-REQ. If the KDC receives a PA- 892 AUTHENTICATION-SET-SELECTED padata element that does not correspond 893 to an authentication set that it would offer, then the KDC returns 894 the KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET error. The e-data in this 895 error contains a sequence of padata just as for the 896 KDC_ERR_PREAUTH_REQUIRED error. 898 PA-AUTHENTICATION-SET-SELECTED TBA 899 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET TBA 901 The PA-AUTHENTICATION-SET appears only in the first message from the 902 KDC to the client. In particular, the client MAY fail if the 903 authentication mechanism sets change as the conversation progresses. 904 Clients MAY assume that the hints provided in the authentication set 905 contain enough information that the client knows what user interface 906 elements need to be displayed during the entire authentication 907 conversation. Exceptional circumstances such as expired passwords or 908 expired accounts may require that additional user interface be 909 displayed. Mechanism designers need to carefully consider the design 910 of their hints so that the client has this information. This way, 911 clients can construct necessary dialogue boxes or wizards based on 912 the authentication set and can present a coherent user interface. 913 Current standards for user interface do not provide an acceptable 914 experience when the client has to ask additional questions later in 915 the conversation. 917 When indicating which sets of pre-authentication mechanisms are 918 supported, the KDC includes a PA-AUTHENTICATION-SET padata element 919 for each pre-authentication mechanism set. 921 The client sends the padata-value for the first mechanism it picks in 922 the pre-authentication set, when the first mechanism completes, the 923 client and the KDC will proceed with the second mechanism, and so on 924 until all mechanisms complete successfully. The PA-FX-COOKIE as 925 defined in Section 6.3 MUST be sent by the KDC so that the 926 conversation can continue if the conversation involves multiple KDCs. 927 The cookie may not be needed in the first message containing the PA- 928 AUTHENTICATION-SET sequence as the KDC may be able to reconstruct the 929 state from the PA-AUTHENTICATION-SET-SELECTED padata. KDCs MUST 930 support clients that do not include a cookie because they 931 optimistically choose an authentication set, although they MAY always 932 return KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET and include a cookie in 933 that message. Clients that support PA-AUTHENTICATION-SET MUST 934 support PA-FX-COOKIE. 936 Before the authentication succeeds and a ticket is returned, the 937 message that the client sends is an AS_REQ and the message that the 938 KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR 939 message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_NEEDED as defined 940 in Section 6.3 and the accompanying e-data contains the DER encoding 941 of ASN.1 type METHOD-DATA. The KDC includes the padata elements in 942 the METHOD-DATA. If there is no padata, the e-data field is absent 943 in the KRB-ERROR message. 945 If the client sends the last message for a given mechanism, then the 946 KDC sends the first message for the next mechanism. If the next 947 mechanism does not start with a KDC-side challenge, then the KDC 948 includes a padata item with the appropriate pa-type and an empty pa- 949 data. 951 If the KDC sends the last message for a particular mechanism, the KDC 952 also includes the first padata for the next mechanism. 954 6.5. Definition of Kerberos FAST Padata 956 As described in [RFC4120], Kerberos is vulnerable to offline 957 dictionary attacks. An attacker can request an AS-REP and try 958 various passwords to see if they can decrypt the resulting ticket. 959 RFC 4120 provides the encrypted timestamp pre-authentication method 960 that ameliorates the situation somewhat by requiring that an attacker 961 observe a successful authentication. However stronger security is 962 desired in many environments. The Kerberos FAST pre-authentication 963 padata defined in this section provides a tool to significantly 964 reduce vulnerability to offline dictionary attack. When combined 965 with encrypted challenge, FAST requires an attacker to mount a 966 successful man-in-the-middle attack to observe ciphertext. When 967 combined with host keys, FAST can even protect against active 968 attacks. FAST also provides solutions to common problems for pre- 969 authentication mechanisms such as binding of the request and the 970 reply, freshness guarantee of the authentication. FAST itself, 971 however, does not authenticate the client or the KDC, instead, it 972 provides a typed hole to allow pre-authentication data be tunneled. 973 A pre-authentication data element used within FAST is called a FAST 974 factor. A FAST factor captures the minimal work required for 975 extending Kerberos to support a new pre-authentication scheme. 977 A FAST factor MUST NOT be used outside of FAST unless its 978 specification explicitly allows so. The typed holes in FAST messages 979 can also be used as generic holes for other padata that are not 980 intended to prove the client's identity, or establish the reply key. 982 New pre-authentication mechanisms SHOULD be designed as FAST factors, 983 instead of full-blown pre-authentication mechanisms. 985 FAST factors that are pre-authentication mechanisms MUST meet the 986 requirements in Section 5. 988 FAST employs an armoring scheme. The armor can be a Ticket Granting 989 Ticket (TGT) obtained by the client's machine using the host keys to 990 pre-authenticate with the KDC, or an anonymous TGT obtained based on 991 anonymous PKINIT [KRB-ANON] [RFC4556]. 993 The rest of this section describes the types of armors and the syntax 994 of the messages used by FAST. Conforming implementations MUST 995 support Kerberos FAST padata. 997 Any FAST armor scheme MUST provide a fresh armor key for each 998 conversation. Clients and KDCs can assume that if a message is 999 encrypted and integrity protected with a given armor key then it is 1000 part of the conversation using that armor key. 1002 All KDCs in a realm MUST support FAST if FAST is offered by any KDC 1003 as a pre-authentication mechanism. 1005 6.5.1. FAST Armors 1007 An armor key is used to encrypt pre-authentication data in the FAST 1008 request and the response. The KrbFastArmor structure is defined to 1009 identify the armor key. This structure contains the following two 1010 fields: the armor-type identifies the type of armors, and the armor- 1011 value is an OCTET STRING that contains the description of the armor 1012 scheme and the armor key. 1014 KrbFastArmor ::= SEQUENCE { 1015 armor-type [0] Int32, 1016 -- Type of the armor. 1017 armor-value [1] OCTET STRING, 1018 -- Value of the armor. 1019 ... 1020 } 1022 The value of the armor key is a matter of the armor type 1023 specification. Only one armor type is defined in this document. 1025 FX_FAST_ARMOR_AP_REQUEST 1 1027 The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets. 1029 Conforming implementations MUST implement the 1030 FX_FAST_ARMOR_AP_REQUEST armor type. 1032 FAST implementations MUST maintain state about whether the armor 1033 mechanism authenticates the KDC. If it does not, then a fast factor 1034 that authenticates the KDC MUST be used if the reply key is replaced. 1036 6.5.1.1. Ticket-based Armors 1038 This is a ticket-based armoring scheme. The armor-type is 1039 FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER 1040 encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket 1041 or an armor TGT. The subkey field in the AP-REQ MUST be present. 1042 The armor key is defined by the following function: 1044 armor_key = KRB-FX-CF2( subkey, ticket_session_key, 1045 "subkeyarmor", "ticketarmor" ) 1047 The `ticket_key' is the session key from the ticket in the ap-req. 1048 The `subkey' is the ap-req subkey. This construction guarantees that 1049 both the KDC (through the session key) and the client (through the 1050 subkey) contribute to the armor key. 1052 The server name field of the armor ticket MUST identify the TGS of 1053 the target realm. Here are three common ways in the decreasing 1054 preference order how an armor TGT SHOULD be obtained: 1056 1. If the client is authenticating from a host machine whose 1057 Kerberos realm has an authentication path to the client's realm, 1058 the host machine obtains a TGT by using the host keys. If the 1059 client's realm is different than the realm of the local host, the 1060 machine then obtains a cross-realm TGT to the client's realm as 1061 the armor ticket. Otherwise, the host's primary TGT is the armor 1062 ticket. 1064 2. If the client's host machine cannot obtain a host ticket strictly 1065 based on RFC4120, but the KDC has an asymmetric signing key whose 1066 binding with the expected KDC can be verified by the client, the 1067 client can use anonymous PKINIT [KRB-ANON] [RFC4556] to 1068 authenticate the KDC and obtain an anonymous TGT as the armor 1069 ticket. The armor ticket can also be a cross-realm TGT obtained 1070 based on the initial primary TGT obtained using anonymous PKINIT 1071 with KDC authentication. 1073 3. Otherwise, the client uses anonymous PKINIT to get an anonymous 1074 TGT without KDC authentication and that TGT is the armor ticket. 1075 Note that this mode of operation is vulnerable to man-in-the- 1076 middle attacks at the time of obtaining the initial anonymous 1077 armor TGT. 1079 If anonymous PKINIT is used, The KDC cannot know whether its signing 1080 key can be verified by the client, hence the KDC MUST be marked as 1081 unverified from the KDC's point of view while the client could be 1082 able to authenticate the KDC by verifying the KDC's signing key is 1083 bound with the expected KDC. The client needs to carefully consider 1084 the risk and benefit tradeoffs associated with active attacks before 1085 exposing cipher text encrypted using the user's long-term secrets 1086 when the armor does not authenticate the KDC. 1088 The TGS MUST reject a request if there is an AD-fx-fast-armor (TBD) 1089 element in the authenticator of the pa-tgs-req padata or if the 1090 ticket in the authenticator of a pa-tgs-req contains the AD-fx-fast- 1091 armor authorization data element. These tickets and authenticators 1092 MAY be used as FAST armor tickets but not to obtain a ticket via the 1093 TGS. This authorization data is used in a system where the 1094 encryption of the user's pre-authentication data is performed in an 1095 unprivileged user process. A privileged process can provide to the 1096 user process a host ticket, an authenticator for use with that 1097 ticket, and the sub session key contained in the authenticator. In 1098 order for the host process to ensure that the host ticket is not 1099 accidentally or intentionally misused, (i.e. the user process might 1100 use the host ticket to authenticate as the host), it MUST include a 1101 critical authorization data element of the type AD-fx-fast-armor when 1102 providing the authenticator or in the enc-authorization-data field of 1103 the TGS request used to obtain the TGT. The corresponding ad-data 1104 field of the AD-fx-fast-armor element is empty. 1106 As discussed previously, the server of an armor ticket MUST be the 1107 TGS of the realm from whom service is requested. As a result, if 1108 this armor type is used when a ticket is being validated, proxied, or 1109 in other cases where a ticket other than a TGT is presented to the 1110 TGS, a TGT will be used as an armor ticket, while another ticket will 1111 be used in the pa-tgs-req authenticator. 1113 6.5.2. FAST Request 1115 A padata type PA-FX-FAST is defined for the Kerberos FAST pre- 1116 authentication padata. The corresponding padata-value field 1117 [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST- 1118 REQUEST. As with all pre-authentication types, the KDC SHOULD 1119 advertise PA-FX-FAST with an empty pa-value in a PREAUTH_REQUIRED 1120 error. Clients MUST ignore the pa-value of PA-FX-FAST in an initial 1121 PREAUTH_REQUIRED error. FAST is not expected to be used in an 1122 authentication set: clients will typically use FAST padata if 1123 available and this decision should not depend on what other pre- 1124 authentication methods are available. As such, no pa-hint is defined 1125 for FAST at this time. 1127 PA-FX-FAST TBA 1128 -- Padata type for Kerberos FAST 1130 PA-FX-FAST-REQUEST ::= CHOICE { 1131 armored-data [0] KrbFastArmoredReq, 1132 ... 1133 } 1135 KrbFastArmoredReq ::= SEQUENCE { 1136 armor [0] KrbFastArmor OPTIONAL, 1137 -- Contains the armor that identifies the armor key. 1138 -- MUST be present in AS-REQ. 1139 req-checksum [1] Checksum, 1140 -- Checksum performed over the type KDC-REQ-BODY for 1141 -- the req-body field of the KDC-REQ structure defined in 1142 -- [RFC4120] 1143 -- The checksum key is the armor key, the checksum 1144 -- type is the required checksum type for the enctype of 1145 -- the armor key, and the key usage number is 1146 -- KEY_USAGE_FAST_REQ_CHKSUM. 1147 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1148 -- The encryption key is the armor key, and the key usage 1149 -- number is KEY_USAGE_FAST_ENC. 1150 ... 1151 } 1153 KEY_USAGE_FAST_REQ_CHKSUM TBA 1154 KEY_USAGE_FAST_ENC TBA 1156 The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type. 1157 The KrbFastArmoredReq encapsulates the encrypted padata. 1159 The enc-fast-req field contains an encrypted KrbFastReq structure. 1160 The armor key is used to encrypt the KrbFastReq structure, and the 1161 key usage number for that encryption is KEY_USAGE_FAST_ENC. 1163 The armor key is selected as follows: 1165 o In an AS request, the armor field in the KrbFastArmoredReq 1166 structure MUST be present and the armor key is identified 1167 according to the specification of the armor type. 1169 o There are two possibilities for armor for a TGS request. If the 1170 ticket presented in the PA-TGS-REQ authenticator is a TGT, then 1171 the client SHOULD not include the armor field in the Krbfastreq 1172 and a subkey MUST be included in the PA-TGS-REQ authenticator. In 1173 this case, the armor key is the same armor key that would be 1174 computed if the TGS-REQ authenticator was used in a 1175 FX_FAST_ARMOR_AP_REQUEST armor. If a ticket other than a TGT is 1176 being presented to the TGS, a client SHOULD use some form of FAST 1177 armor such as a ticket-based armor with a TGT as an armor ticket. 1178 Clients MAY present a non-TGT in the PA-TGS-REQ authenticator and 1179 omit the armor field, in which case the armor key is the same that 1180 would be computed if the authenticator were used in a 1181 FX_FAST_ARMOR_AP_REQUEST armor. This is the only case where a 1182 ticket other than a TGT can be used to establish an armor key; 1183 even though the armor key is computed the same as a 1184 FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an armor 1185 ticket in FX_FAST_ARMOR_AP_REQUEST. 1187 The req-checksum field contains a checksum that is performed over the 1188 type KDC-REQ-BODY for the req-body field of the KDC-REQ [RFC4120] 1189 structure of the containing message. The checksum key is the armor 1190 key, and the checksum type is the required checksum type for the 1191 enctype of the armor key per [RFC3961]. This checksum is included in 1192 order to bind the FAST padata to the outer request. A KDC that 1193 implements FAST will ignore the outer request, but including a 1194 checksum is relatively cheap and may prevent confusing behavior. 1196 The KrbFastReq structure contains the following information: 1198 KrbFastReq ::= SEQUENCE { 1199 fast-options [0] FastOptions, 1200 -- Additional options. 1201 padata [1] SEQUENCE OF PA-DATA, 1202 -- padata typed holes. 1203 req-body [2] KDC-REQ-BODY, 1204 -- Contains the KDC request body as defined in Section 1205 -- 5.4.1 of [RFC4120]. 1206 -- This req-body field is preferred over the outer field 1207 -- in the KDC request. 1208 ... 1209 } 1211 The fast-options field indicates various options that are to modify 1212 the behavior of the KDC. The following options are defined: 1214 FastOptions ::= KerberosFlags 1215 -- reserved(0), 1216 -- hide-client-names(1), 1217 -- kdcfollow--referrals(16) 1219 Bits Name Description 1220 ----------------------------------------------------------------- 1221 0 RESERVED Reserved for future expansion of this 1222 field. 1223 1 hide-client-names Requesting the KDC to hide client 1224 names in the KDC response, as 1225 described next in this section. 1226 16 kdc-follow-referrals Requesting the KDC to follow referrals. 1228 Bits 1 through 15 inclusive (with bit 1 and bit 15 included) are 1229 critical options. If the KDC does not support a critical option, it 1230 MUST fail the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, and 1231 there is no accompanying e-data defined in this document for this 1232 error code. Bit 16 and onward (with bit 16 included) are non- 1233 critical options. KDCs conforming to this specification ignore 1234 unknown non-critical options. 1236 KDC_ERR_UNKNOWN_FAST_OPTIONS TBA 1238 The hide-client-names Option 1240 The Kerberos response defined in [RFC4120] contains the client 1241 identity in clear text, This makes traffic analysis 1242 straightforward. The hide-client-names option is designed to 1243 complicate traffic analysis. If the hide-client-names option is 1244 set, the KDC implementing PA-FX-FAST MUST identify the client as 1245 the anonymous principal [KRB-ANON] in the KDC reply and the error 1246 response. Hence this option is set by the client if it wishes to 1247 conceal the client identity in the KDC response. A conforming KDC 1248 ignores the client principal name in the outer KDC-REQ-BODY field, 1249 and identifies the client using the cname and crealm fields in the 1250 req-body field of the KrbFastReq structure. 1252 The kdc-follow-referrals Option 1254 The Kerberos client described in [RFC4120] has to request referral 1255 TGTs along the authentication path in order to get a service 1256 ticket for the target service. The Kerberos client described in 1257 the [REFERRALS] needs to contact the AS specified in the error 1258 response in order to complete client referrals. The kdc-follow- 1259 referrals option is designed to minimize the number of messages 1260 that need to be processed by the client. This option is useful 1261 when, for example, the client may contact the KDC via a satellite 1262 link that has high network latency, or the client has limited 1263 computational capabilities. If the kdc-follow-referrals option is 1264 set, the KDC MAY act as the client to follow TGS referrals 1265 [REFERRALS], and return the service ticket to the named server 1266 principal in the client request using the reply key expected by 1267 the client. That is, rather than returning a referral, the KDC 1268 follows that referral by contacting a remote KDC and processing 1269 the referral. The kdc-referrals option can be implemented when 1270 the KDC knows the reply key. The KDC can ignore kdc-referrals 1271 option when it does not understand it or it does not allow this 1272 option based on local policy. The client SHOULD be capable of 1273 processing the KDC responses when this option is not honored by 1274 the KDC. Clients SHOULD use TCP to contact a KDC if this option 1275 is going to be used to avoid problems when the client's UDP 1276 retransmit algorithm has timeouts insufficient to allow the KDC to 1277 interact with remote KDCs. 1279 The padata field contains a list of PA-DATA structures as described 1280 in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain 1281 FAST factors. They can also be used as generic typed-holes to 1282 contain data not intended for proving the client's identity or 1283 establishing a reply key, but for protocol extensibility. 1285 The KDC-REQ-BODY in the FAST structure is used in preference to the 1286 KDC-REQ-BODY outside of the FAST pre-authentication. The outer KDC- 1287 REQ-BODY structure SHOULD be filled in for backwards compatibility 1288 with KDCs that do not support FAST. A conforming KDC ignores the 1289 outer KDC-REQ-BODY field in the KDC request. However pre- 1290 authentication data methods such as [RFC4556] that include a checksum 1291 of the KDC-REQ-BODY should checksum the outer KDC-REQ-BODY. These 1292 methods will already be bound to the inner body through the integrity 1293 protection in the FAST request. 1295 6.5.3. FAST Response 1297 The KDC that supports the PA-FX-FAST padata MUST include a PA-FX-FAST 1298 padata element in the KDC reply. In the case of an error, the PA-FX- 1299 FAST padata is included in the KDC responses according to 1300 Section 6.5.4. 1302 The corresponding padata-value field [RFC4120] for the PA-FX-FAST in 1303 the KDC response contains the DER encoding of the ASN.1 type PA-FX- 1304 FAST-REPLY. 1306 PA-FX-FAST-REPLY ::= CHOICE { 1307 armored-data [0] KrbFastArmoredRep, 1308 ... 1309 } 1311 KrbFastArmoredRep ::= SEQUENCE { 1312 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1313 -- The encryption key is the armor key in the request, and 1314 -- the key usage number is KEY_USAGE_FAST_REP. 1315 ... 1316 } 1317 KEY_USAGE_FAST_REP TBA 1319 The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep 1320 structure. The KrbFastArmoredRep structure encapsulates the padata 1321 in the KDC reply in the encrypted form. The KrbFastResponse is 1322 encrypted with the armor key used in the corresponding request, and 1323 the key usage number is KEY_USAGE_FAST_REP. 1325 The Kerberos client who does not receive a PA-FX-FAST-REPLY in the 1326 KDC response MUST support a local policy that rejects the response. 1327 Clients MAY also support policies that fall back to other mechanisms 1328 or that do not use pre-authentication when FAST is unavailable. It 1329 is important to consider the potential downgrade attacks when 1330 deploying such a policy. 1332 The KrbFastResponse structure contains the following information: 1334 KrbFastResponse ::= SEQUENCE { 1335 padata [0] SEQUENCE OF PA-DATA, 1336 -- padata typed holes. 1337 rep-key [1] EncryptionKey OPTIONAL, 1338 -- This, if present, replaces the reply key for AS and TGS. 1339 -- MUST be absent in KRB-ERROR. 1340 finished [2] KrbFastFinished OPTIONAL, 1341 -- MUST be present if the client is authenticated, 1342 -- absent otherwise. 1343 -- Typically this is present if and only if the containing 1344 -- message is the last one in a conversation. 1345 ... 1346 } 1348 The padata field in the KrbFastResponse structure contains a list of 1349 PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These 1350 PA-DATA structures are used to carry data advancing the exchange 1351 specific for the FAST factors. They can also be used as generic 1352 typed-holes for protocol extensibility. Unless otherwise specified, 1353 the KDC MUST include any padata otherwise in the outer KDC reply into 1354 this field. The padata field in the KDC reply structure outside of 1355 the PA-FX-FAST-REPLY structure typically includes only the PA-FX- 1356 FAST-REPLY padata and optionally the PA-FX-COOKIE padata. 1358 The rep-key field, if present, contains the reply key that is used to 1359 encrypted the KDC reply. The rep-key field MUST be absent in the 1360 case where an error occurs. The enctype of the rep-key is the 1361 strongest mutually supported by the KDC and the client. 1363 The finished field contains a KrbFastFinished structure. It is 1364 filled by the KDC in the final message in the conversation; it MUST 1365 be absent otherwise. In other words, this field can only be present 1366 in an AS-REP or a TGS-REP when a ticket is returned. 1368 The KrbFastFinished structure contains the following information: 1370 KrbFastFinished ::= SEQUENCE { 1371 timestamp [0] KerberosTime, 1372 usec [1] Microseconds, 1373 -- timestamp and usec represent the time on the KDC when 1374 -- the reply was generated. 1375 crealm [2] Realm, 1376 cname [3] PrincipalName, 1377 -- Contains the client realm and the client name. 1378 checksum [4] Checksum, 1379 -- Checksum performed over all the messages in the 1380 -- conversation, except the containing message. 1381 -- The checksum key is the armor key as defined in 1382 -- Section 6.5.1, and the checksum type is the required 1383 -- checksum type of the armor key. 1384 ticket-checksum [5] Checksum, 1385 -- checksum of the ticket in the KDC-REP using the armor 1386 -- and the key usage is KEY_USAGE_FAST_FINISH. 1387 -- The checksum type is the required checksum type 1388 -- of the armor key. 1389 ... 1390 } 1391 KEY_USAGE_FAST_FINISHED TBA 1393 The timestamp and usec fields represent the time on the KDC when the 1394 reply ticket was generated, these fields have the same semantics as 1395 the corresponding-identically-named fields in Section 5.6.1 of 1396 [RFC4120]. The client MUST use the KDC's time in these fields 1397 thereafter when using the returned ticket. Note that the KDC's time 1398 in AS-REP may not match the authtime in the reply ticket if the kdc- 1399 follow-referrals option is requested and honored by the KDC. The 1400 client need not confirm that the timestamp returned is within 1401 allowable clock skew: the armor key guarantees that the reply is 1402 fresh. The client MAY trust the time stamp returned. 1404 The cname and crealm fields identify the authenticated client. If 1405 facilities described in [REFERRALS] are used, the authenticated 1406 client may differ from the client in the FAST request. 1408 The checksum field contains a checksum of all the messages in the 1409 conversation prior to the containing message (the containing message 1410 is excluded). The checksum key is the armor key, and the checksum 1411 type is the required checksum type of the enctype of that key, and 1412 the key usage number is KEY_USAGE_FAST_FINISHED. The ticket-checksum 1413 is a checksum of the issued ticket using the same key and key usage. 1415 When FAST padata is included, the PA-FX-COOKIE padata as defined in 1416 Section 6.3 MUST also be included if the KDC expects at least one 1417 more message from the client in order to complete the authentication. 1419 6.5.4. Authenticated Kerberos Error Messages using Kerberos FAST 1421 If the Kerberos FAST padata was included in the request, unless 1422 otherwise specified, the e-data field of the KRB-ERROR message 1423 [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA 1424 [RFC4120] and a PA-FX-FAST is included in the METHOD-DATA. The KDC 1425 MUST include all the padata elements such as PA-ETYPE-INFO2 and 1426 padata elements that indicate acceptable pre-authentication 1427 mechanisms [RFC4120] in the KrbFastResponse structure. 1429 The KDC MUST also include a PA-FX-ERROR padata item in the 1430 KRBFastResponse structure. The padata-value element of this sequence 1431 is the ASN.1 DER encoding of the type KRB-ERROR. The e-data field 1432 MUST be absent in the PA-FX-ERROR padata. All other fields should be 1433 the same as the outer KRB-ERROR. The client ignores the outer error 1434 and uses the combination of the padata in the KRBFastResponse and the 1435 error information in the PA-FX-ERROR. 1437 PA-FX-ERROR TBA 1439 If the Kerberos FAST padata is included in the request but not 1440 included in the error reply, it is a matter of the local policy on 1441 the client to accept the information in the error message without 1442 integrity protection. The Kerberos client MAY process an error 1443 message without a PA-FX-FAST-REPLY, if that is only intended to 1444 return better error information to the application, typically for 1445 trouble-shooting purposes. 1447 In the cases where the e-data field of the KRB-ERROR message is 1448 expected to carry a TYPED-DATA [RFC4120] element, then that 1449 information should be transmitted in a pa-data element within the 1450 KRBFastResponse structure. The padata-type is the same as the data- 1451 type would be in the typed data element and the padata-value is the 1452 same as the data-value. As discussed in Section 8, data-types and 1453 padata-types are drawn from the same namespace. For example, the 1454 TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR 1455 message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE 1456 [RFC4556]. 1458 6.5.5. Outer and Inner Requests 1460 Typically, a client will know that FAST is being used before a 1461 request containing PA-FX-FAST is sent. So, the outer AS request 1462 typically only includes two pa-data items: PA-FX-FAST and PA-FX- 1463 COOKIE. The client MAY include additional pa-data, but the KDC MUST 1464 ignore the outer request body and any padata besides PA-FX-FAST and 1465 PA-FX-COOKIE if PA-FX-FAST is processed. In the case of the TGS 1466 request, the outer request should include PA-FX-FAST and PA-TGS-REQ. 1468 When an AS generates a response, all padata besides PA-FX-FAST and 1469 PA-FX-COOKIE should be included in PA-FX-FAST. The client MUST 1470 ignore other padata outside of PA-FX-FAST. 1472 6.5.6. The Encrypted Challenge FAST Factor 1474 The encrypted challenge FAST factor authenticates a client using the 1475 client's long-term key. This factor works similarly to the encrypted 1476 time stamp pre-authentication option described in [RFC4120]. The 1477 client encrypts a structure containing a timestamp in the challenge 1478 key. The challenge key used by the client to send a message to the 1479 KDC is KRB-FX-CF2(armor_key,long_term_key, "clientchallengearmor", 1480 "challengelongterm"). The challenge key used by the KDC encrypting 1481 to the client is KRB-FX-CF2(armor_key, long_term_key, 1482 "kdcchallengearmor", "challengelongterm"). Because the armor key is 1483 fresh and random, the challenge key is fresh and random. The only 1484 purpose of the timestamp is to limit the validity of the 1485 authentication so that a request cannot be replayed. A client MAY 1486 base the timestamp on the KDC time in a KDC error and need not 1487 maintain accurate time synchronization itself. If a client bases its 1488 time on an untrusted source, an attacker may trick the client into 1489 producing an authentication request that is valid at some future 1490 time. The attacker may be able to use this authentication request to 1491 make it appear that a client has authenticated at that future time. 1492 If ticket-based armor is used, then the lifetime of the ticket will 1493 limit the window in which an attacker can make the client appear to 1494 have authenticated. For many situations, the ability of an attacker 1495 to cause a client to appear to have authenticated is not a 1496 significant concern; the ability to avoid requiring time 1497 synchronization on clients is more valuable. 1499 The client sends a padata of type PA-ENCRYPTED-CHALLENGE the 1500 corresponding padata-value contains the DER encoding of ASN.1 type 1501 EncryptedChallenge. 1503 EncryptedChallenge ::= EncryptedData 1504 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 1505 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 1506 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 1508 PA-ENCRYPTED-CHALLENGE TBA 1509 KEY_USAGE_ENC_CHALLENGE_CLIENT TBA 1510 KEY_USAGE_ENC_CHALLENGE_KDC TBA 1512 The client includes some time stamp reasonably close to the KDC's 1513 current time and encrypts it in the challenge key. Clients MAY use 1514 the current time; doing so prevents the exposure where an attacker 1515 can cause a client to appear to authenticate in the future. The 1516 client sends the request including this factor. 1518 On receiving an AS-REQ containing the PA-ENCRYPTED-CHALLENGE fast 1519 factor, the KDC decrypts the timestamp. If the decryption fails the 1520 KDC SHOULD return KDC_ERR_PREAUTH_FAILED, including PA-ETYPE-INFO2 in 1521 the KRBFastResponse in the error. The KDC confirms that the 1522 timestamp falls within its current clock skew returning 1523 KRB_APP_ERR_SKEW if not. The KDC then SHOULD check to see if the 1524 encrypted challenge is a replay. The KDC MUST NOT consider two 1525 encrypted challenges replays simply because the time stamps are the 1526 same; to be a replay, the ciphertext MUST be identical. Allowing 1527 clients to re-use time stamps avoids requiring that clients maintain 1528 state about which time stamps have been used. 1530 If the KDC accepts the encrypted challenge, it MUST include a padata 1531 element of type PA-ENCRYPTED-CHALLENGE. The KDC encrypts its current 1532 time in the challenge key. The KDC MUST replace the reply key before 1533 issuing a ticket. The client MUST check that the timestamp decrypts 1534 properly. The client MAY check that the timestamp is winthin the 1535 window of acceptable clock skew for the client. The client MUST NOT 1536 require that the timestamp be identical to the timestamp in the 1537 issued credentials or the returned message. 1539 The encrypted challenge FAST factor provides the following 1540 facilities: client-authentication and KDC authentication. This FAST 1541 factor also takes advantage of the FAST facility to replace the reply 1542 key. It does not provide the strengthening-reply-key facility. The 1543 security considerations section of this document provides an 1544 explanation why the security requirements are met. 1546 The encrypted challenge FAST factor can be useful in an 1547 authentication set. No pa-hint is defined because the only 1548 information needed by this mechanism is information contained in the 1549 PA-ETYPE-INFO2 pre-authentication data. KDCs are already required to 1550 send PA-ETYPE-INFO2. If KDCs were not required to send PA-ETYPE- 1551 INFO2 then that information would need to be part of a hint for 1552 encrypted challenge. 1554 Conforming implementations MUST support the encrypted challenge FAST 1555 factor. 1557 6.6. Authentication Strength Indication 1559 Implementations that have pre-authentication mechanisms offering 1560 significantly different strengths of client authentication MAY choose 1561 to keep track of the strength of the authentication used as an input 1562 into policy decisions. For example, some principals might require 1563 strong pre-authentication, while less sensitive principals can use 1564 relatively weak forms of pre-authentication like encrypted timestamp. 1566 An AuthorizationData data type AD-Authentication-Strength is defined 1567 for this purpose. 1569 AD-authentication-strength TBA 1571 The corresponding ad-data field contains the DER encoding of the pre- 1572 authentication data set as defined in Section 6.4. This set contains 1573 all the pre-authentication mechanisms that were used to authenticate 1574 the client. If only one pre-authentication mechanism was used to 1575 authenticate the client, the pre-authentication set contains one 1576 element. 1578 The AD-authentication-strength element MUST be included in the AD-IF- 1579 RELEVANT, thus it can be ignored if it is unknown to the receiver. 1581 7. Assigned Constants 1583 The pre-authentication framework and FAST involve using a number of 1584 Kerberos protocol constants. This section lists protocol constants 1585 first introduced in this specification drawn from registries not 1586 managed by IANA. Many of these registries would best be managed by 1587 IANA; that is a known issue that is out of scope for this document. 1588 The constants described in this section have been accounted for and 1589 will appear in the next revision of the Kerberos core specification 1590 or in a document creating IANA registries. 1592 Section 8 creates IANA registries for a different set of constants 1593 used by the extensions described in this document. 1595 7.1. New Errors 1597 KDC_ERR_PREAUTH_EXPIRED TBA 1598 KDC_ERR_MORE_PREAUTH_DATA_NEEDED TBA 1599 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET TBA 1600 KDC_ERR_UNKNOWN_FAST_OPTIONS TBA 1602 7.2. Key Usage Numbers 1604 KEY_USAGE_FAST_REQ_CHKSUM TBA 1605 KEY_USAGE_FAST_ENC TBA 1606 KEY_USAGE_FAST_REP TBA 1607 KEY_USAGE_FAST_FINISHED TBA 1608 KEY_USAGE_ENC_CHALLENGE_CLIENT TBA 1609 KEY_USAGE_ENC_CHALLENGE_KDC TBA 1611 7.3. Authorization Data Elements 1613 AD-authentication-strength TBA 1614 AD-fx-fast-armor TBA 1616 7.4. New PA-DATA Types 1618 PA-FX-COOKIE TBA 1619 PA-AUTHENTICATION-SET TBA 1620 PA-AUTHENTICATION-SET-SELECTED TBA 1621 PA-FX-FAST TBA 1622 PA-FX-ERROR TBA 1623 PA-ENCRYPTED-CHALLENGE TBA 1625 8. IANA Considerations 1627 This document creates a number of IANA registries. These registries 1628 should all be located under 1629 http://www.iana.org/assignments/kerberos-parameters. 1631 8.1. Pre-authentication and Typed Data 1633 RFC 4120 defines pre-authentication data, which can be included in a 1634 KDC request or response in order to authenticate the client or extend 1635 the protocol. In addition, it defines Typed-Data which is an 1636 extension mechanism for errors. Both pre-authentication data and 1637 typed data are carried as a 32-bit signed integer along with an octet 1638 string. The encoding of typed data and pre-authentication data is 1639 slightly different. However the types for pre-authentication data 1640 and typed-data are drawn from the same namespace. By convention, 1641 registrations starting with TD- are typed data and registration 1642 starting with PA- are pre-authentication data. It is important that 1643 these data types be drawn from the same namespace, because some 1644 errors where it would be desirable to include typed data require the 1645 e-data field to be formatted as pre-authentication data. 1647 When Kerberos FAST is used, pre-authentication data encoding is 1648 always used. 1650 There is one apparently conflicting registration between typed data 1651 and pre-authentication data. PA-GET-FROM-TYPED-DATA and TD-PADATA 1652 are both assigned the value 22. However this registration is simply 1653 a mechanism to include an element of the other encoding. The use of 1654 both should be deprecated. 1656 This document creates a registry for pre-authentication and typed 1657 data. The registration procedures are as follows. Expert review for 1658 pre-authentication mechanisms designed to authenticate users, KDCs, 1659 or establish the reply key. The expert first determines that the 1660 purpose of the method is to authenticate clients, KDCs, or to 1661 establish the reply key. If so, expert review is appropriate. The 1662 expert evaluates the security and interoperability of the 1663 specification. 1665 IETF review is required if the expert believes that the pre- 1666 authentication method is broader than these three areas. Pre- 1667 authentication methods that change the Kerberos state machine or 1668 otherwise make significant changes to the Kerberos protocol should be 1669 standards track RFCs. A concern that a particular method needs to be 1670 a standards track RFC may be raised as an objection during IETF 1671 review. 1673 Type Value Reference 1674 PA-TGS-REQ 1 RFC 4120 1675 PA-ENC-TIMESTAMP 2 RFC 4120 1676 PA-PW-SALT 3 RFC 4120 1677 [reserved] 4 1678 PA-ENC-UNIX-TIME 5 (deprecated) 1679 PA-SANDIA-SECUREID 6 1680 PA-SESAME 7 1681 PA-OSF-DCE 8 1682 PA-CYBERSAFE-SECUREID 9 1683 PA-AFS3-SALT 10 1684 PA-ETYPE-INFO 11 RFC 4120 1685 PA-SAM-CHALLENGE 12 (sam/otp) 1686 PA-SAM-RESPONSE 13 (sam/otp) 1687 PA-PK-AS-REQ_OLD 14 draft-ietf-cat-kerberos-pk-init-09 1688 PA-PK-AS-REP_OLD 15 draft-ietf-cat-kerberos-pk-init-09 1689 PA-PK-AS-REQ 16 RFC 4556 1690 PA-PK-AS-REP 17 RFC 4556 1691 PA-ETYPE-INFO2 19 RFC 4120 1692 PA-USE-SPECIFIED-KVNO 20 1693 PA-SAM-REDIRECT 21 (sam/otp) 1694 PA-GET-FROM-TYPED-DATA 22 (embedded in typed data) 1695 TD-PADATA 22 (embeds padata) 1696 PA-SAM-ETYPE-INFO 23 (sam/otp) 1697 PA-ALT-PRINC 24 (crawdad@fnal.gov) 1698 PA-SAM-CHALLENGE2 30 (kenh@pobox.com) 1699 PA-SAM-RESPONSE2 31 (kenh@pobox.com) 1700 PA-EXTRA-TGT 41 Reserved extra TGT 1701 TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS 1702 TD-KRB-PRINCIPAL 102 PrincipalName 1703 TD-KRB-REALM 103 Realm 1704 TD-TRUSTED-CERTIFIERS 104 from PKINIT 1705 TD-CERTIFICATE-INDEX 105 from PKINIT 1706 TD-APP-DEFINED-ERROR 106 application specific 1707 TD-REQ-NONCE 107 INTEGER 1708 TD-REQ-SEQ 108 INTEGER 1709 PA-PAC-REQUEST 128 MS-KILE 1711 8.2. Fast Armor Types 1713 FAST armor types are defined in Section 6.5.1. A FAST armor type is 1714 a signed 32-bit integer. FAST armor types are assigned by standards 1715 action. 1717 Type Name Description 1718 ------------------------------------------------------------ 1719 0 Reserved. 1721 1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req. 1723 8.3. FAST Options 1725 A FAST request includes a set of bit flags to indicate additional 1726 options. Bits 0-15 are critical; other bits are non-critical. 1727 Assigning bits greater than 31 may require special support in 1728 implementations. Assignment of FAST options requires standards 1729 action. 1731 Type Name Description 1732 ------------------------------------------------------------------- 1733 0 RESERVED Reserved for future expansion of this 1734 field. 1735 1 hide-client-names Requesting the KDC to hide client 1736 names in the KDC response 1737 16 kdc-follow-referrals Requesting the KDC to follow 1738 referrals 1740 9. Security Considerations 1742 The kdc-referrals option in the Kerberos FAST padata requests the KDC 1743 to act as the client to follow referrals. This can overload the KDC. 1744 To limit the damages of denied of service using this option, KDCs MAY 1745 restrict the number of simultaneous active requests with this option 1746 for any given client principal. 1748 With regarding to the facilities provided by the Encrypted Challenge 1749 FAST factor, the challenge key is derived from the client secrets and 1750 because the client secrets are known only to the client and the KDC, 1751 the verification of the EncryptedChallenge structure proves the 1752 client's identity, the verification of the EncryptedChallenge 1753 structure in the KDC reply proves that the expected KDC responded. 1754 Therefore, the Encrypted Challenge FAST factor as a pre- 1755 authentication mechanism offers the following facilities: client- 1756 authentication and KDC-authentication. There is no un-authenticated 1757 clear text introduced by the Encrypted Challenge FAST factor. 1759 10. Acknowledgements 1761 Sam Hartman would like to thank the MIT Kerberos Consortium for its 1762 funding of his time on this project. 1764 Several suggestions from Jeffrey Hutzelman based on early revisions 1765 of this documents led to significant improvements of this document. 1767 The proposal to ask one KDC to chase down the referrals and return 1768 the final ticket is based on requirements in [ID.CROSS]. 1770 Joel Webber had a proposal for a mechanism similar to FAST that 1771 created a protected tunnel for Kerberos pre-authentication. 1773 11. References 1775 11.1. Normative References 1777 [KRB-ANON] 1778 Zhu, L. and P. Leach, "Kerberos Anonymity Support", 1779 draft-ietf-krb-wg-anon-04.txt (work in progress), 2007. 1781 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1782 Requirement Levels", BCP 14, RFC 2119, March 1997. 1784 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1785 Kerberos 5", RFC 3961, February 2005. 1787 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1788 Kerberos Network Authentication Service (V5)", RFC 4120, 1789 July 2005. 1791 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial 1792 Authentication in Kerberos (PKINIT)", RFC 4556, June 2006. 1794 11.2. Informative References 1796 [ID.CROSS] 1797 Sakane, S., Zrelli, S., and M. Ishiyama , "Problem 1798 Statement on the Operation of Kerberos in a Specific 1799 System", draft-sakane-krb-cross-problem-statement-02.txt 1800 (work in progress), April 2007. 1802 [KRB-WG.SAM] 1803 Hornstein, K., Renard, K., Neuman, C., and G. Zorn, 1804 "Integrating Single-use Authentication Mechanisms with 1805 Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in 1806 progress), October 2003. 1808 [REFERRALS] 1809 Raeburn, K. and L. Zhu, "Generating KDC Referrals to 1810 Locate Kerberos Realms", 1811 draft-ietf-krb-wg-kerberos-referrals-10.txt (work in 1812 progress), 2007. 1814 Appendix A. Change History 1816 RFC editor, please remove this section before publication. 1818 A.1. Changes since 08 1820 Fix a number of typos 1821 Rename anonymous flag to hide-client-name; rename kdc-referals to 1822 kdc-follow-referrals 1823 Clarify how anonymous pkinit interacts with KDC verified. 1824 Introduce AD-fx-fast-armor authorization data to deal with 1825 unprivileged processes constructing KDC requests. Note that a TGT 1826 is always used for armor tickets if the armor field is present; if 1827 you proxy or validate you'll end up with a TGT armor ticket and 1828 another ticket in the pa-tgs-req. Alternatively you can simply 1829 use the other ticket in the PA-TGS-REQ; weak consensus within WG. 1830 All KDCs in a realm MUST support FAST if it is to be offered. 1831 The cookie message is always generated by the KDC. 1832 Note that the client can trust and need not verify the time stamp 1833 in the finish message. This can seed the client's idea of KDC 1834 time. 1835 Note that the client name in the finish message may differ from 1836 the name in the request if referrals are used. 1837 Note that KDCs should advertize fast in preauth_required errors. 1838 Armor key is constructed using KRB-FX-CF2. This is true even in 1839 the TGS case; there is no security reason to do this. Using the 1840 subkey as done in draft 08 would be fine, but the current text 1841 uses the same procedure both in the TGS and AS case. 1842 Use a different challenge key in each direction in the encrypted 1843 challenge option. 1844 Note that the KDC should process PA-FX-COOKIE before other padata. 1845 KRB-FX-CF2 uses k1's enctype for the result; change around calling 1846 order so we pass in subkeys and armor keys as k1 in preference to 1847 long-term keys or ticket session keys. 1848 Clarify the relationship between authentication sets and cookies. 1849 A cookie may not be needed in the first message. Clarify how this 1850 interacts with optimistic clients. 1851 Remove text raising a concern that RFC 3961 may permit ciphertext 1852 transformations that do not change plaintext: discussion on the 1853 list came to the conclusion that RFC 3961 does not permit this. 1854 Remove binding key concept; use the armor key instead. The cookie 1855 becomes just an octet string. 1856 Include PA-FX-ERROR to protect the error information per Dublin. 1857 Returning preauth_failed in the failed to decrypt encrypted 1858 challenge seems fine; remove the issue marker 1859 Add a section describing what goes in the inner and outer request. 1860 I believe it is redundant but found it useful while putting 1861 together an implementation proposal. 1863 Use hyphen rather than underscore in the constants for pre- 1864 authentication data to be consistent with RFC 4120. 1865 Add a ticket-checksum to the finished message 1866 Remove redundant KEY_USAGE_FAST_ARMOR. 1867 Add protocol constants section for non-IANA registrations and 1868 flesh out IANA section. 1869 Clarify that kdc-req-body checksums should always use the outer 1870 body even for mechanisms like PKINIT that include their own (now 1871 redundant) checksum. 1872 Remove mechanism for encapsulating typed data in padata; just 1873 reflect the value. 1875 A.2. Changes since 07 1877 Propose replacement of authenticated timestamp with encrypted 1878 challenge. The desire to avoid clients needing time 1879 synchronization and to simply the factor. 1880 Add a requirement that any FAST armor scheme must provide a fresh 1881 key for each conversation. This allows us to assume that anything 1882 encrypted/integrity protected in the right key is fresh and not 1883 subject to cross-conversation cut and paste. 1884 Removed heartbeat padata. The KDC will double up messages if it 1885 needs to; the client simply sends its message and waits for the 1886 next response. 1887 Define PA-AUTHENTICATION-SET-SELECTED 1888 Clarify a KDC cannot ignore padata is has claimed to support 1890 A.3. Changes since 06 1892 Note that even for replace reply key it is likely that the side 1893 using the mechanism will know that the other side supports it. 1894 Since it is reasonably unlikely we'll need a container mechanism 1895 other than FAST itself, we don't need to optimize for that case. 1896 So, we want to optimize for implementation simplicity. Thus if 1897 you do have such a container mechanism interacting with 1898 authentication sets we'll assume that the hint need to describe 1899 hints for all contained mechanisms. This closes out a long- 1900 standing issue. 1901 Write up what Sam believes is the consensus on UI and prompts in 1902 the authentication set: clients MAY assume that they have all the 1903 UI information they need. 1905 Appendix B. ASN.1 module 1907 KerberosPreauthFramework { 1908 iso(1) identified-organization(3) dod(6) internet(1) 1909 security(5) kerberosV5(2) modules(4) preauth-framework(3) 1911 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1913 IMPORTS 1914 KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum, 1915 Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY, 1916 Microseconds, KerberosFlags 1917 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1918 dod(6) internet(1) security(5) kerberosV5(2) 1919 modules(4) krb5spec2(2) }; 1920 -- as defined in RFC 4120. 1922 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 1924 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 1925 pa-type [0] Int32, 1926 -- same as padata-type. 1927 pa-hint [1] OCTET STRING OPTIONAL, 1928 pa-value [2] OCTET STRING OPTIONAL, 1929 ... 1930 } 1932 KrbFastArmor ::= SEQUENCE { 1933 armor-type [0] Int32, 1934 -- Type of the armor. 1935 armor-value [1] OCTET STRING, 1936 -- Value of the armor. 1937 ... 1938 } 1940 PA-FX-FAST-REQUEST ::= CHOICE { 1941 armored-data [0] KrbFastArmoredReq, 1942 ... 1943 } 1945 KrbFastArmoredReq ::= SEQUENCE { 1946 armor [0] KrbFastArmor OPTIONAL, 1947 -- Contains the armor that identifies the armor key. 1948 -- MUST be present in AS-REQ. 1949 req-checksum [1] Checksum, 1950 -- Checksum performed over the type KDC-REQ-BODY for 1951 -- the req-body field of the KDC-REQ structure defined in 1952 -- [RFC4120] 1953 -- The checksum key is the armor key, the checksum 1954 -- type is the required checksum type for the enctype of 1955 -- the armor key, and the key usage number is 1956 -- KEY_USAGE_FAST_REQ_CHKSUM. 1957 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1958 -- The encryption key is the armor key, and the key usage 1959 -- number is KEY_USAGE_FAST_ENC. 1960 ... 1961 } 1963 KrbFastReq ::= SEQUENCE { 1964 fast-options [0] FastOptions, 1965 -- Additional options. 1966 padata [1] SEQUENCE OF PA-DATA, 1967 -- padata typed holes. 1968 req-body [2] KDC-REQ-BODY, 1969 -- Contains the KDC request body as defined in Section 1970 -- 5.4.1 of [RFC4120]. 1971 -- This req-body field is preferred over the outer field 1972 -- in the KDC request. 1973 ... 1974 } 1976 FastOptions ::= KerberosFlags 1977 -- reserved(0), 1978 -- anonymous(1), 1979 -- kdc-referrals(16) 1981 PA-FX-FAST-REPLY ::= CHOICE { 1982 armored-data [0] KrbFastArmoredRep, 1983 ... 1984 } 1986 KrbFastArmoredRep ::= SEQUENCE { 1987 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1988 -- The encryption key is the armor key in the request, and 1989 -- the key usage number is KEY_USAGE_FAST_REP. 1990 ... 1991 } 1993 KrbFastResponse ::= SEQUENCE { 1994 padata [0] SEQUENCE OF PA-DATA, 1995 -- padata typed holes. 1996 rep-key [1] EncryptionKey OPTIONAL, 1997 -- This, if present, replaces the reply key for AS and TGS. 1998 -- MUST be absent in KRB-ERROR. 1999 finished [2] KrbFastFinished OPTIONAL, 2000 -- MUST be present if the client is authenticated, 2001 -- absent otherwise. 2002 -- Typically this is present if and only if the containing 2003 -- message is the last one in a conversation. 2004 ... 2005 } 2006 KrbFastFinished ::= SEQUENCE { 2007 timestamp [0] KerberosTime, 2008 usec [1] Microseconds, 2009 -- timestamp and usec represent the time on the KDC when 2010 -- the reply was generated. 2011 crealm [2] Realm, 2012 cname [3] PrincipalName, 2013 -- Contains the client realm and the client name. 2014 checksum [4] Checksum, 2015 -- Checksum performed over all the messages in the 2016 -- conversation, except the containing message. 2017 -- The checksum key is the armor key as defined in 2018 -- Section 6.5.1, and the checksum type is the required 2019 -- checksum type of the armor key. 2020 ticket-checksum [5] Checksum, 2021 -- checksum of the ticket in the KDC-REP using the armor 2022 -- and the key usage is KEY_USAGE_FAST_FINISH. 2023 -- The checksum type is the required checksum type 2024 -- of the armor key. 2025 ... 2026 } 2028 EncryptedChallenge ::= EncryptedData 2029 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 2030 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 2031 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 2032 END 2034 Authors' Addresses 2036 Sam hartman 2037 Painless Security 2039 Email: hartmans-ietf@mit.edu 2041 Larry Zhu 2042 Microsoft Corporation 2043 One Microsoft Way 2044 Redmond, WA 98052 2045 US 2047 Email: lzhu@microsoft.com