idnits 2.17.1 draft-ietf-krb-wg-preauth-framework-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4120, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1421 has weird spacing: '...hecksum of th...' == Line 1786 has weird spacing: '...ames in the K...' == Line 2081 has weird spacing: '...hecksum of th...' == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: o There are two possibilities for armor for a TGS request. If the ticket presented in the PA-TGS-REQ authenticator is a TGT, then the client SHOULD not include the armor field in the Krbfastreq and a subkey MUST be included in the PA-TGS-REQ authenticator. In this case, the armor key is the same armor key that would be computed if the TGS-REQ authenticator was used in a FX_FAST_ARMOR_AP_REQUEST armor. If a ticket other than a TGT is being presented to the TGS, a client SHOULD use some form of FAST armor such as a ticket-based armor with a TGT as an armor ticket. Clients MAY present a non-TGT in the PA-TGS-REQ authenticator and omit the armor field, in which case the armor key is the same that would be computed if the authenticator were used in a FX_FAST_ARMOR_AP_REQUEST armor. This is the only case where a ticket other than a TGT can be used to establish an armor key; even though the armor key is computed the same as a FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an armor ticket in FX_FAST_ARMOR_AP_REQUEST. (Using the creation date from RFC4120, updated by this document, for RFC5378 checks: 2002-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 9, 2009) is 5526 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'EKE' is mentioned on line 163, but not defined == Missing Reference: 'IEEE1363.2' is mentioned on line 163, but not defined -- Looks like a reference, but probably isn't: '0' on line 2067 -- Looks like a reference, but probably isn't: '1' on line 2068 -- Looks like a reference, but probably isn't: '2' on line 2071 -- Looks like a reference, but probably isn't: '3' on line 2072 -- Looks like a reference, but probably isn't: '4' on line 2074 -- Looks like a reference, but probably isn't: '5' on line 2080 == Outdated reference: A later version (-12) exists of draft-ietf-krb-wg-anon-04 ** Downref: Normative reference to an Historic draft: draft-ietf-krb-wg-anon (ref. 'KRB-ANON') == Outdated reference: A later version (-03) exists of draft-sakane-krb-cross-problem-statement-02 == Outdated reference: A later version (-15) exists of draft-ietf-krb-wg-kerberos-referrals-10 Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group S. Hartman 3 Internet-Draft Painless Security 4 Updates: 4120 (if approved) L. Zhu 5 Intended status: Standards Track Microsoft Corporation 6 Expires: September 10, 2009 March 9, 2009 8 A Generalized Framework for Kerberos Pre-Authentication 9 draft-ietf-krb-wg-preauth-framework-10 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on September 10, 2009. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 Kerberos is a protocol for verifying the identity of principals 48 (e.g., a workstation user or a network server) on an open network. 50 The Kerberos protocol provides a mechanism called pre-authentication 51 for proving the identity of a principal and for better protecting the 52 long-term secrets of the principal. 54 This document describes a model for Kerberos pre-authentication 55 mechanisms. The model describes what state in the Kerberos request a 56 pre-authentication mechanism is likely to change. It also describes 57 how multiple pre-authentication mechanisms used in the same request 58 will interact. 60 This document also provides common tools needed by multiple pre- 61 authentication mechanisms. One of these tools is a secure channel 62 between the client and the KDC with a reply key delivery mechanism; 63 this secure channel can be used to protect the authentication 64 exchange thus eliminate offline dictionary attacks. With these 65 tools, it is relatively straightforward to chain multiple 66 authentication mechanisms, utilize a different key management system, 67 or support a new key agreement algorithm. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 72 2. Conventions and Terminology Used in This Document . . . . . . 6 73 3. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 6 74 3.1. Information Managed by the Pre-authentication Model . . . 7 75 3.2. Initial Pre-authentication Required Error . . . . . . . . 9 76 3.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 10 77 3.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 11 78 4. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 12 79 4.1. Client-authentication Facility . . . . . . . . . . . . . . 13 80 4.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 14 81 4.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 15 82 4.4. KDC-authentication Facility . . . . . . . . . . . . . . . 15 83 5. Requirements for Pre-Authentication Mechanisms . . . . . . . . 15 84 6. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 16 85 6.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 17 86 6.2. Protecting Requests/Responses . . . . . . . . . . . . . . 18 87 6.3. Managing States for the KDC . . . . . . . . . . . . . . . 19 88 6.4. Pre-authentication Set . . . . . . . . . . . . . . . . . . 20 89 6.5. Definition of Kerberos FAST Padata . . . . . . . . . . . . 23 90 6.5.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 24 91 6.5.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 26 92 6.5.3. FAST Response . . . . . . . . . . . . . . . . . . . . 30 93 6.5.4. Authenticated Kerberos Error Messages using 94 Kerberos FAST . . . . . . . . . . . . . . . . . . . . 33 95 6.5.5. Outer and Inner Requests . . . . . . . . . . . . . . . 34 96 6.5.6. The Encrypted Challenge FAST Factor . . . . . . . . . 34 97 6.6. Authentication Strength Indication . . . . . . . . . . . . 36 98 7. Assigned Constants . . . . . . . . . . . . . . . . . . . . . . 36 99 7.1. New Errors . . . . . . . . . . . . . . . . . . . . . . . . 37 100 7.2. Key Usage Numbers . . . . . . . . . . . . . . . . . . . . 37 101 7.3. Authorization Data Elements . . . . . . . . . . . . . . . 37 102 7.4. New PA-DATA Types . . . . . . . . . . . . . . . . . . . . 37 103 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 104 8.1. Pre-authentication and Typed Data . . . . . . . . . . . . 37 105 8.2. Fast Armor Types . . . . . . . . . . . . . . . . . . . . . 39 106 8.3. FAST Options . . . . . . . . . . . . . . . . . . . . . . . 40 107 9. Security Considerations . . . . . . . . . . . . . . . . . . . 40 108 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 40 109 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 110 11.1. Normative References . . . . . . . . . . . . . . . . . . . 41 111 11.2. Informative References . . . . . . . . . . . . . . . . . . 41 112 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 42 113 A.1. Changes since 09 . . . . . . . . . . . . . . . . . . . . . 42 114 A.2. Changes since 08 . . . . . . . . . . . . . . . . . . . . . 42 115 A.3. Changes since 07 . . . . . . . . . . . . . . . . . . . . . 43 116 A.4. Changes since 06 . . . . . . . . . . . . . . . . . . . . . 43 118 Appendix B. ASN.1 module . . . . . . . . . . . . . . . . . . . . 44 119 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 46 121 1. Introduction 123 The core Kerberos specification [RFC4120] treats pre-authentication 124 data as an opaque typed hole in the messages to the KDC that may 125 influence the reply key used to encrypt the KDC reply. This 126 generality has been useful: pre-authentication data is used for a 127 variety of extensions to the protocol, many outside the expectations 128 of the initial designers. However, this generality makes designing 129 more common types of pre-authentication mechanisms difficult. Each 130 mechanism needs to specify how it interacts with other mechanisms. 131 Also, problems like combining a key with the long-term secrets or 132 proving the identity of the user are common to multiple mechanisms. 133 Where there are generally well-accepted solutions to these problems, 134 it is desirable to standardize one of these solutions so mechanisms 135 can avoid duplication of work. In other cases, a modular approach to 136 these problems is appropriate. The modular approach will allow new 137 and better solutions to common pre-authentication problems to be used 138 by existing mechanisms as they are developed. 140 This document specifies a framework for Kerberos pre-authentication 141 mechanisms. It defines the common set of functions that pre- 142 authentication mechanisms perform as well as how these functions 143 affect the state of the request and reply. In addition several 144 common tools needed by pre-authentication mechanisms are provided. 145 Unlike [RFC3961], this framework is not complete--it does not 146 describe all the inputs and outputs for the pre-authentication 147 mechanisms. Pre-Authentication mechanism designers should try to be 148 consistent with this framework because doing so will make their 149 mechanisms easier to implement. Kerberos implementations are likely 150 to have plugin architectures for pre-authentication; such 151 architectures are likely to support mechanisms that follow this 152 framework plus commonly used extensions. This framework also 153 facilitates combining multiple pre-authentication mechanisms, each of 154 which may represent an authentication factor, into a single multi- 155 factor pre-authentication mechanism. 157 One of these common tools is the flexible authentication secure 158 tunneling (FAST) padata type. FAST provides a protected channel 159 between the client and the KDC, and it can optionally deliver a reply 160 key within the protected channel. Based on FAST, pre-authentication 161 mechanisms can extend Kerberos with ease, to support, for example, 162 password authenticated key exchange (PAKE) protocols with zero 163 knowledge password proof (ZKPP) [EKE] [IEEE1363.2]. Any pre- 164 authentication mechanism can be encapsulated in the FAST messages as 165 defined in Section 6.5. A pre-authentication type carried within 166 FAST is called a FAST factor. Creating a FAST factor is the easiest 167 path to create a new pre-authentication mechanism. FAST factors are 168 significantly easier to analyze from a security standpoint than other 169 pre-authentication mechanisms. 171 Mechanism designers should design FAST factors, instead of new pre- 172 authentication mechanisms outside of FAST. 174 2. Conventions and Terminology Used in This Document 176 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 177 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 178 document are to be interpreted as described in [RFC2119]. 180 This document should be read only after reading the documents 181 describing the Kerberos cryptography framework [RFC3961] and the core 182 Kerberos protocol [RFC4120]. This document may freely use 183 terminology and notation from these documents without reference or 184 further explanation. 186 The word padata is used as a shorthand for pre-authentication data. 188 A conversation is the set of all authentication messages exchanged 189 between the client and the client's Authentication Service (AS) in 190 order to authenticate the client principal. A conversation as 191 defined here consists of all messages that are necessary to complete 192 the authentication between the client and the client's AS. In the 193 Ticket Exchange Service (TGS) exchange, a conversation consists of 194 the request message and the reply message. The term conversation is 195 defined here for both AS and TGS for convenience of discussion. See 196 Section 6.3 for specific rules on the extent of a conversation in the 197 AS-REQ case. Prior to this framework, implementations needed to use 198 implementation-specific heuristics to determine the extent of a 199 conversation. 201 If the KDC reply in an AS exchange is verified, the KDC is 202 authenticated by the client. In this document, verification of the 203 KDC reply is used as a synonym of authentication of the KDC. 205 3. Model for Pre-Authentication 207 When a Kerberos client wishes to obtain a ticket using the 208 authentication server, it sends an initial Authentication Service 209 (AS) request. If pre-authentication is required but not being used, 210 then the KDC will respond with a KDC_ERR_PREAUTH_REQUIRED error. 211 Alternatively, if the client knows what pre-authentication to use, it 212 MAY optimize away a round-trip and send an initial request with 213 padata included in the initial request. If the client includes the 214 padata computed using the wrong pre-authentication mechanism or 215 incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no 216 indication of what padata should have been included. In that case, 217 the client MUST retry with no padata and examine the error data of 218 the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre- 219 authentication information in the accompanying error data of 220 KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and 221 then retry. 223 The conventional KDC maintains no state between two requests; 224 subsequent requests may even be processed by a different KDC. On the 225 other hand, the client treats a series of exchanges with KDCs as a 226 single conversation. Each exchange accumulates state and hopefully 227 brings the client closer to a successful authentication. 229 These models for state management are in apparent conflict. For many 230 of the simpler pre-authentication scenarios, the client uses one 231 round trip to find out what mechanisms the KDC supports. Then the 232 next request contains sufficient pre-authentication for the KDC to be 233 able to return a successful reply. For these simple scenarios, the 234 client only sends one request with pre-authentication data and so the 235 conversation is trivial. For more complex conversations, the KDC 236 needs to provide the client with a cookie to include in future 237 requests to capture the current state of the authentication session. 238 Handling of multiple round-trip mechanisms is discussed in 239 Section 6.3. 241 This framework specifies the behavior of Kerberos pre-authentication 242 mechanisms used to identify users or to modify the reply key used to 243 encrypt the KDC reply. The PA-DATA typed hole may be used to carry 244 extensions to Kerberos that have nothing to do with proving the 245 identity of the user or establishing a reply key. Such extensions 246 are outside the scope of this framework. However mechanisms that do 247 accomplish these goals should follow this framework. 249 This framework specifies the minimum state that a Kerberos 250 implementation needs to maintain while handling a request in order to 251 process pre-authentication. It also specifies how Kerberos 252 implementations process the padata at each step of the AS request 253 process. 255 3.1. Information Managed by the Pre-authentication Model 257 The following information is maintained by the client and KDC as each 258 request is being processed: 260 o The reply key used to encrypt the KDC reply 261 o How strongly the identity of the client has been authenticated 263 o Whether the reply key has been used in this conversation 265 o Whether the reply key has been replaced in this conversation 267 o Whether the contents of the KDC reply can be verified by the 268 client principal 270 Conceptually, the reply key is initially the long-term key of the 271 principal. However, principals can have multiple long-term keys 272 because of support for multiple encryption types, salts and 273 string2key parameters. As described in Section 5.2.7.5 of the 274 Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify 275 the client what types of keys are available. Thus in full 276 generality, the reply key in the pre-authentication model is actually 277 a set of keys. At the beginning of a request, it is initialized to 278 the set of long-term keys advertised in the PA-ETYPE-INFO2 element on 279 the KDC. If multiple reply keys are available, the client chooses 280 which one to use. Thus the client does not need to treat the reply 281 key as a set. At the beginning of a request, the client picks a key 282 to use. 284 KDC implementations MAY choose to offer only one key in the PA-ETYPE- 285 INFO2 element. Since the KDC already knows the client's list of 286 supported enctypes from the request, no interoperability problems are 287 created by choosing a single possible reply key. This way, the KDC 288 implementation avoids the complexity of treating the reply key as a 289 set. 291 When the padata in the request is verified by the KDC, then the 292 client is known to have that key, therefore the KDC SHOULD pick the 293 same key as the reply key. 295 At the beginning of handling a message on both the client and the 296 KDC, the client's identity is not authenticated. A mechanism may 297 indicate that it has successfully authenticated the client's 298 identity. This information is useful to keep track of on the client 299 in order to know what pre-authentication mechanisms should be used. 300 The KDC needs to keep track of whether the client is authenticated 301 because the primary purpose of pre-authentication is to authenticate 302 the client identity before issuing a ticket. The handling of 303 authentication strength using various authentication mechanisms is 304 discussed in Section 6.6. 306 Initially the reply key has not been used. A pre-authentication 307 mechanism that uses the reply key to encrypt or checksum some data in 308 the generation of new keys MUST indicate that the reply key is used. 309 This state is maintained by the client and the KDC to enforce the 310 security requirement stated in Section 4.3 that the reply key SHOULD 311 NOT be replaced after it is used. 313 Initially the reply key has not been replaced. If a mechanism 314 implements the Replace Reply Key facility discussed in Section 4.3, 315 then the state MUST be updated to indicate that the reply key has 316 been replaced. Once the reply key has been replaced, knowledge of 317 the reply key is insufficient to authenticate the client. The reply 318 key is marked replaced in exactly the same situations as the KDC 319 reply is marked as not being verified to the client principal. 320 However, while mechanisms can verify the KDC reply to the client, 321 once the reply key is replaced, then the reply key remains replaced 322 for the remainder of the conversation. 324 Without pre-authentication, the client knows that the KDC reply is 325 authentic and has not been modified because it is encrypted in a 326 long-term key of the client. Only the KDC and the client know that 327 key. So at the start of a conversation, the KDC reply is presumed to 328 be verified using the client principal's long-term key. It should be 329 noted that in this document, verifying the KDC reply means 330 authenticating the KDC, and these phrases are used interchangeably. 331 Any pre-authentication mechanism that sets a new reply key not based 332 on the principal's long-term secret MUST either verify the KDC reply 333 some other way or indicate that the reply is not verified. If a 334 mechanism indicates that the reply is not verified then the client 335 implementation MUST return an error unless a subsequent mechanism 336 verifies the reply. The KDC needs to track this state so it can 337 avoid generating a reply that is not verified. 339 The typical Kerberos request does not provide a way for the client 340 machine to know that it is talking to the correct KDC. Someone who 341 can inject packets into the network between the client machine and 342 the KDC and who knows the password that the user will give to the 343 client machine can generate a KDC reply that will decrypt properly. 344 So, if the client machine needs to authenticate that the user is in 345 fact the named principal, then the client machine needs to do a TGS 346 request for itself as a service. Some pre-authentication mechanisms 347 may provide a way for the client machine to authenticate the KDC. 348 Examples of this include signing the reply that can be verified using 349 a well-known public key or providing a ticket for the client machine 350 as a service. 352 3.2. Initial Pre-authentication Required Error 354 Typically a client starts a conversation by sending an initial 355 request with no pre-authentication. If the KDC requires pre- 356 authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message. 357 After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code, 358 the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_NEEDED 359 (defined in Section 6.3) for pre-authentication configurations that 360 use multi-round-trip mechanisms; see Section 3.4 for details of that 361 case. 363 The KDC needs to choose which mechanisms to offer the client. The 364 client needs to be able to choose what mechanisms to use from the 365 first message. For example consider the KDC that will accept 366 mechanism A followed by mechanism B or alternatively the single 367 mechanism C. A client that supports A and C needs to know that it 368 should not bother trying A. 370 Mechanisms can either be sufficient on their own or can be part of an 371 authentication set--a group of mechanisms that all need to 372 successfully complete in order to authenticate a client. Some 373 mechanisms may only be useful in authentication sets; others may be 374 useful alone or in authentication sets. For the second group of 375 mechanisms, KDC policy dictates whether the mechanism will be part of 376 an authentication set or offered alone. For each mechanism that is 377 offered alone, the KDC includes the pre-authentication type ID of the 378 mechanism in the padata sequence returned in the 379 KDC_ERR_PREAUTH_REQUIRED error. 381 The KDC SHOULD NOT send data that is encrypted in the long-term 382 password-based key of the principal. Doing so has the same security 383 exposures as the Kerberos protocol without pre-authentication. There 384 are few situations where the KDC needs to expose cipher text 385 encrypted in a weak key before the client has proven knowledge of 386 that key, and pre-authentication is desirable. 388 3.3. Client to KDC 390 This description assumes that a client has already received a 391 KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs 392 optimistic pre-authentication then the client needs to guess values 393 for the information it would normally receive from that error 394 response or use cached information obtained in prior interactions 395 with the KDC. 397 The client starts by initializing the pre-authentication state as 398 specified. It then processes the padata in the 399 KDC_ERR_PREAUTH_REQUIRED. 401 When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the 402 client MAY ignore any padata it chooses unless doing so violates a 403 specification to which the client conforms. Clients conforming to 404 this specification MUST NOT ignore the padata defined in Section 6.3. 405 Clients SHOULD process padata unrelated to this framework or other 406 means of authenticating the user. Clients SHOULD choose one 407 authentication set or mechanism that could lead to authenticating the 408 user and ignore the rest. Since the list of mechanisms offered by 409 the KDC is in the decreasing preference order, clients typically 410 choose the first mechanism or authentication set that the client can 411 usefully perform. If a client chooses to ignore a padata it MUST NOT 412 process the padata, allow the padata to affect the pre-authentication 413 state, nor respond to the padata. 415 For each padata the client chooses to process, the client processes 416 the padata and modifies the pre-authentication state as required by 417 that mechanism. Padata are processed in the order received from the 418 KDC. 420 After processing the padata in the KDC error, the client generates a 421 new request. It processes the pre-authentication mechanisms in the 422 order in which they will appear in the next request, updating the 423 state as appropriate. The request is sent when it is complete. 425 3.4. KDC to Client 427 When a KDC receives an AS request from a client, it needs to 428 determine whether it will respond with an error or an AS reply. 429 There are many causes for an error to be generated that have nothing 430 to do with pre-authentication; they are discussed in the core 431 Kerberos specification. 433 From the standpoint of evaluating the pre-authentication, the KDC 434 first starts by initializing the pre-authentication state. If a PA- 435 FX-COOKIE pre-authentication data item is present, it is processed 436 first; see Section 6.3 for a definition. It then processes the 437 padata in the request. As mentioned in Section 3.3, the KDC MAY 438 ignore padata that is inappropriate for the configuration and MUST 439 ignore padata of an unknown type. The KDC MUST NOT ignore padata of 440 types used in previous messages. For example, if a KDC issues a 441 KDC_ERR_PREAUTH_REQUIRED error including padata of type x, then the 442 KDC cannot ignore padata of type x received in an AS-REQ message from 443 the client. 445 At this point the KDC decides whether it will issue an error or a 446 reply. Typically a KDC will issue a reply if the client's identity 447 has been authenticated to a sufficient degree. 449 In the case of a KDC_ERR_MORE_PREAUTH_DATA_NEEDED error, the KDC 450 first starts by initializing the pre-authentication state. Then it 451 processes any padata in the client's request in the order provided by 452 the client. Mechanisms that are not understood by the KDC are 453 ignored. Next, it generates padata for the error response, modifying 454 the pre-authentication state appropriately as each mechanism is 455 processed. The KDC chooses the order in which it will generate 456 padata (and thus the order of padata in the response), but it needs 457 to modify the pre-authentication state consistently with the choice 458 of order. For example, if some mechanism establishes an 459 authenticated client identity, then the subsequent mechanisms in the 460 generated response receive this state as input. After the padata is 461 generated, the error response is sent. Typically the errors with the 462 code KDC_ERR_MORE_PREAUTH_DATA_NEEDED in a conversation will include 463 KDC state as discussed in Section 6.3. 465 To generate a final reply, the KDC generates the padata modifying the 466 pre-authentication state as necessary. Then it generates the final 467 response, encrypting it in the current pre-authentication reply key. 469 4. Pre-Authentication Facilities 471 Pre-Authentication mechanisms can be thought of as providing various 472 conceptual facilities. This serves two useful purposes. First, 473 mechanism authors can choose only to solve one specific small 474 problem. It is often useful for a mechanism designed to offer key 475 management not to directly provide client authentication but instead 476 to allow one or more other mechanisms to handle this need. Secondly, 477 thinking about the abstract services that a mechanism provides yields 478 a minimum set of security requirements that all mechanisms providing 479 that facility must meet. These security requirements are not 480 complete; mechanisms will have additional security requirements based 481 on the specific protocol they employ. 483 A mechanism is not constrained to only offering one of these 484 facilities. While such mechanisms can be designed and are sometimes 485 useful, many pre-authentication mechanisms implement several 486 facilities. By combining multiple facilities in a single mechanism, 487 it is often easier to construct a secure, simple solution than by 488 solving the problem in full generality. Even when mechanisms provide 489 multiple facilities, they need to meet the security requirements for 490 all the facilities they provide. If the FAST factor approach is 491 used, it is likely that one or a small number of facilities can be 492 provided by a single mechanism without complicating the security 493 analysis. 495 According to Kerberos extensibility rules (Section 1.5 of the 496 Kerberos specification [RFC4120]), an extension MUST NOT change the 497 semantics of a message unless a recipient is known to understand that 498 extension. Because a client does not know that the KDC supports a 499 particular pre-authentication mechanism when it sends an initial 500 request, a pre-authentication mechanism MUST NOT change the semantics 501 of the request in a way that will break a KDC that does not 502 understand that mechanism. Similarly, KDCs MUST NOT send messages to 503 clients that affect the core semantics unless the client has 504 indicated support for the message. 506 The only state in this model that would break the interpretation of a 507 message is changing the expected reply key. If one mechanism changed 508 the reply key and a later mechanism used that reply key, then a KDC 509 that interpreted the second mechanism but not the first would fail to 510 interpret the request correctly. In order to avoid this problem, 511 extensions that change core semantics are typically divided into two 512 parts. The first part proposes a change to the core semantic--for 513 example proposes a new reply key. The second part acknowledges that 514 the extension is understood and that the change takes effect. 515 Section 4.2 discusses how to design mechanisms that modify the reply 516 key to be split into a proposal and acceptance without requiring 517 additional round trips to use the new reply key in subsequent pre- 518 authentication. Other changes in the state described in Section 3.1 519 can safely be ignored by a KDC that does not understand a mechanism. 520 Mechanisms that modify the behavior of the request outside the scope 521 of this framework need to carefully consider the Kerberos 522 extensibility rules to avoid similar problems. 524 4.1. Client-authentication Facility 526 The client authentication facility proves the identity of a user to 527 the KDC before a ticket is issued. Examples of mechanisms 528 implementing this facility include the encrypted timestamp facility 529 defined in Section 5.2.7.2 of the Kerberos specification [RFC4120]. 530 Mechanisms that provide this facility are expected to mark the client 531 as authenticated. 533 Mechanisms implementing this facility SHOULD require the client to 534 prove knowledge of the reply key before transmitting a successful KDC 535 reply. Otherwise, an attacker can intercept the pre-authentication 536 exchange and get a reply to attack. One way of proving the client 537 knows the reply key is to implement the Replace Reply Key facility 538 along with this facility. The PKINIT mechanism [RFC4556] implements 539 Client Authentication alongside Replace Reply Key. 541 If the reply key has been replaced, then mechanisms such as 542 encrypted-timestamp that rely on knowledge of the reply key to 543 authenticate the client MUST NOT be used. 545 4.2. Strengthening-reply-key Facility 547 Particularly when dealing with keys based on passwords, it is 548 desirable to increase the strength of the key by adding additional 549 secrets to it. Examples of sources of additional secrets include the 550 results of a Diffie-Hellman key exchange or key bits from the output 551 of a smart card [KRB-WG.SAM]. Typically these additional secrets can 552 be first combined with the existing reply key and then converted to a 553 protocol key using tools defined in Section 6.1. 555 Typically a mechanism implementing this facility will know that the 556 other side of the exchange supports the facility before the reply key 557 is changed. For example, a mechanism might need to learn the 558 certificate for a KDC before encrypting a new key in the public key 559 belonging to that certificate. However, if a mechanism implementing 560 this facility wishes to modify the reply key before knowing that the 561 other party in the exchange supports the mechanism, it proposes 562 modifying the reply key. The other party then includes a message 563 indicating that the proposal is accepted if it is understood and 564 meets policy. In many cases it is desirable to use the new reply key 565 for client authentication and for other facilities. Waiting for the 566 other party to accept the proposal and actually modify the reply key 567 state would add an additional round trip to the exchange. Instead, 568 mechanism designers are encouraged to include a typed hole for 569 additional padata in the message that proposes the reply key change. 570 The padata included in the typed hole are generated assuming the new 571 reply key. If the other party accepts the proposal, then these 572 padata are considered as an inner level. As with the outer level, 573 one authentication set or mechanism is typically chosen for client 574 authentication, along with auxiliary mechanisms such as KDC cookies, 575 and other mechanisms are ignored. When mechanisms include such a 576 container, the hint provided for use in authentication sets (as 577 defined in Section 6.4) MUST contain a sequence of inner mechanisms 578 along with hints for those mechanisms. The party generating the 579 proposal can determine whether the padata were processed based on 580 whether the proposal for the reply key is accepted. 582 The specific formats of the proposal message, including where padata 583 are included is a matter for the mechanism specification. Similarly, 584 the format of the message accepting the proposal is mechanism- 585 specific. 587 Mechanisms implementing this facility and including a typed hole for 588 additional padata MUST checksum that padata using a keyed checksum or 589 encrypt the padata. This requirement protects against modification 590 of the contents of the typed hole. By modifying these contents an 591 attacker might be able to choose which mechanism is used to 592 authenticate the client, or to convince a party to provide text 593 encrypted in a key that the attacker had manipulated. It is 594 important that mechanisms strengthen the reply key enough that using 595 it to checksum padata is appropriate. 597 4.3. Replacing-reply-key Facility 599 The Replace Reply Key facility replaces the key in which a successful 600 AS reply will be encrypted. This facility can only be used in cases 601 where knowledge of the reply key is not used to authenticate the 602 client. The new reply key MUST be communicated to the client and the 603 KDC in a secure manner. This facility MUST NOT be used if there can 604 be a man-in-the-middle between the client and the KDC. Mechanisms 605 implementing this facility MUST mark the reply key as replaced in the 606 pre-authentication state. Mechanisms implementing this facility MUST 607 either provide a mechanism to verify the KDC reply to the client or 608 mark the reply as unverified in the pre-authentication state. 609 Mechanisms implementing this facility SHOULD NOT be used if a 610 previous mechanism has used the reply key. 612 As with the strengthening-reply-key facility, Kerberos extensibility 613 rules require that the reply key not be changed unless both sides of 614 the exchange understand the extension. In the case of this facility 615 it will likely be the case for both sides to know that the facility 616 is available by the time that the new key is available to be used. 617 However, mechanism designers can use a container for padata in a 618 proposal message as discussed in Section 4.2 if appropriate. 620 4.4. KDC-authentication Facility 622 This facility verifies that the reply comes from the expected KDC. 623 In traditional Kerberos, the KDC and the client share a key, so if 624 the KDC reply can be decrypted then the client knows that a trusted 625 KDC responded. Note that the client machine cannot trust the client 626 unless the machine is presented with a service ticket for it 627 (typically the machine can retrieve this ticket by itself). However, 628 if the reply key is replaced, some mechanism is required to verify 629 the KDC. Pre-authentication mechanisms providing this facility allow 630 a client to determine that the expected KDC has responded even after 631 the reply key is replaced. They mark the pre-authentication state as 632 having been verified. 634 5. Requirements for Pre-Authentication Mechanisms 636 This section lists requirements for specifications of pre- 637 authentication mechanisms. 639 For each message in the pre-authentication mechanism, the 640 specification describes the pa-type value to be used and the contents 641 of the message. The processing of the message by the sender and 642 recipient is also specified. This specification needs to include all 643 modifications to the pre-authentication state. 645 Generally mechanisms have a message that can be sent in the error 646 data of the KDC_ERR_PREAUTH_REQUIRED error message or in an 647 authentication set. If the client needs information such as trusted 648 certificate authorities in order to determine if it can use the 649 mechanism, then this information should be in that message. In 650 addition, such mechanisms should also define a pa-hint to be included 651 in authentication sets. Often, the same information included in the 652 padata-value is appropriate to include in the pa-hint (as defined in 653 Section 6.4). 655 In order to ease security analysis the mechanism specification should 656 describe what facilities from this document are offered by the 657 mechanism. For each facility, the security consideration section of 658 the mechanism specification should show that the security 659 requirements of that facility are met. This requirement is 660 applicable to any FAST factor that provides authentication 661 information. 663 Significant problems have resulted in the specification of Kerberos 664 protocols because much of the KDC exchange is not protected against 665 authentication. The security considerations section should discuss 666 unauthenticated plaintext attacks. It should either show that 667 plaintext is protected or discuss what harm an attacker could do by 668 modifying the plaintext. It is generally acceptable for an attacker 669 to be able to cause the protocol negotiation to fail by modifying 670 plaintext. More significant attacks should be evaluated carefully. 672 As discussed in Section 6.3, there is no guarantee that a client will 673 use the same KDCs for all messages in a conversation. The mechanism 674 specification needs to show why the mechanism is secure in this 675 situation. The hardest problem to deal with, especially for 676 challenge/response mechanisms is to make sure that the same response 677 cannot be replayed against two KDCs while allowing the client to talk 678 to any KDC. 680 6. Tools for Use in Pre-Authentication Mechanisms 682 This section describes common tools needed by multiple pre- 683 authentication mechanisms. By using these tools mechanism designers 684 can use a modular approach to specify mechanism details and ease 685 security analysis. 687 6.1. Combining Keys 689 Frequently a weak key needs to be combined with a stronger key before 690 use. For example, passwords are typically limited in size and 691 insufficiently random, therefore it is desirable to increase the 692 strength of the keys based on passwords by adding additional secrets. 693 Additional source of secrecy may come from hardware tokens. 695 This section provides standard ways to combine two keys into one. 697 KRB-FX-CF1() is defined to combine two pass-phrases. 699 KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string) 700 KRB-FX-CF1(x, y) -> x || y 702 Where || denotes concatenation. The strength of the final key is 703 roughly the total strength of the individual keys being combined 704 assuming that the string_to_key() function [RFC3961] uses all its 705 input evenly. 707 An example usage of KRB-FX-CF1() is when a device provides random but 708 short passwords, the password is often combined with a personal 709 identification number (PIN). The password and the PIN can be 710 combined using KRB-FX-CF1(). 712 KRB-FX-CF2() combines two protocol keys based on the pseudo-random() 713 function defined in [RFC3961]. 715 Given two input keys, K1 and K2, where K1 and K2 can be of two 716 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as 717 follows: 719 KRB-FX-CF2(protocol key, protocol key, octet string, 720 octet string) -> (protocol key) 722 PRF+(K1, pepper1) -> octet-string-1 723 PRF+(K2, pepper2) -> octet-string-2 724 KRB-FX-CF2(K1, K2, pepper1, pepper2) -> 725 random-to-key(octet-string-1 ^ octet-string-2) 727 Where ^ denotes the exclusive-OR operation. PRF+() is defined as 728 follows: 730 PRF+(protocol key, octet string) -> (octet string) 732 PRF+(key, shared-info) -> pseudo-random( key, 1 || shared-info ) || 733 pseudo-random( key, 2 || shared-info ) || 734 pseudo-random( key, 3 || shared-info ) || ... 736 Here the counter value 1, 2, 3 and so on are encoded as a one-octet 737 integer. The pseudo-random() operation is specified by the enctype 738 of the protocol key. PRF+() uses the counter to generate enough bits 739 as needed by the random-to-key() [RFC3961] function for the 740 encryption type specified for the resulting key; unneeded bits are 741 removed from the tail. Unless otherwise specified, the resulting 742 enctype of KRB-FX-CF2 is the enctype of k1. 744 Mechanism designers MUST specify the values for the input parameter 745 pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The 746 pepper1 and pepper2 MUST be distinct so that if the two keys being 747 combined are the same, the resulting key is not a trivial key. 749 6.2. Protecting Requests/Responses 751 Mechanism designers SHOULD protect clear text portions of pre- 752 authentication data. Various denial of service attacks and downgrade 753 attacks against Kerberos are possible unless plaintexts are somehow 754 protected against modification. An early design goal of Kerberos 755 Version 5 [RFC4120] was to avoid encrypting more of the 756 authentication exchange that was required. (Version 4 doubly- 757 encrypted the encrypted part of a ticket in a KDC reply, for 758 example.) This minimization of encryption reduces the load on the 759 KDC and busy servers. Also, during the initial design of Version 5, 760 the existence of legal restrictions on the export of cryptography 761 made it desirable to minimize of the number of uses of encryption in 762 the protocol. Unfortunately, performing this minimization created 763 numerous instances of unauthenticated security-relevant plaintext 764 fields. 766 If there is more than one round trip for an authentication exchange, 767 mechanism designers need to allow either the client or the KDC to 768 provide a checksum of all the messages exchanged on the wire in the 769 conversation, and the checksum is then verified by the receiver. 771 New mechanisms MUST NOT be hard-wired to use a specific algorithm. 773 Primitives defined in [RFC3961] are RECOMMENDED for integrity 774 protection and confidentiality. Mechanisms based on these primitives 775 are crypto-agile as the result of using [RFC3961] along with 776 [RFC4120]. The advantage afforded by crypto-agility is the ability 777 to incrementally deploy a fix specific to a particular algorithm thus 778 avoid a multi-year standardization and deployment cycle, when real 779 attacks do arise against that algorithm. 781 Note that data used by FAST factors (defined in Section 6.5) is 782 encrypted in a protected channel, thus they do not share the un- 783 authenticated-text issues with mechanisms designed as full-blown pre- 784 authentication mechanisms. 786 6.3. Managing States for the KDC 788 Kerberos KDCs are stateless. There is no requirement that clients 789 will choose the same KDC for the second request in a conversation. 790 Proxies or other intermediate nodes may also influence KDC selection. 791 So, each request from a client to a KDC must include sufficient 792 information that the KDC can regenerate any needed state. This is 793 accomplished by giving the client a potentially long opaque cookie in 794 responses to include in future requests in the same conversation. 795 The KDC MAY respond that a conversation is too old and needs to 796 restart by responding with a KDC_ERR_PREAUTH_EXPIRED error. 798 KDC_ERR_PREAUTH_EXPIRED 90 800 When a client receives this error, the client SHOULD abort the 801 existing conversation, and restart a new one. 803 An example, where more than one message from the client is needed, is 804 when the client is authenticated based on a challenge-response 805 scheme. In that case, the KDC needs to keep track of the challenge 806 issued for a client authentication request. 808 The PA-FX-COOKIE padata type is defined in this section to facilitate 809 state management in the AS exchange. This padata is sent by the KDC 810 when the KDC requires state for a future transaction. The client 811 includes this opaque token in the next message in the conversation. 812 The token may be relatively large; clients MUST be prepared for 813 tokens somewhat larger than the size of all messages in a 814 conversation. 816 PA-FX-COOKIE 133 817 -- Stateless cookie that is not tied to a specific KDC. 819 The corresponding padata-value field [RFC4120] contains an opaque 820 token that will be echoed by the client in its response to an error 821 from the KDC. 823 The cookie token is generated by the KDC and transmitted in a PA-FX- 824 COOKIE pre-authentication data item of a KRB-ERROR message. The 825 client MUST copy the exact cookie encapsulated in a PA-FX-COOKIE data 826 element into the next message of the same conversation. The content 827 of the cookie field is a local matter of the KDC. As a result, it is 828 not generally possible to mix KDC implementations from different 829 vendors in the same realm. However the KDC MUST construct the cookie 830 token in such a manner that a malicious client cannot subvert the 831 authentication process by manipulating the token. The KDC 832 implementation needs to consider expiration of tokens, key rollover 833 and other security issues in token design. The content of the cookie 834 field is likely specific to the pre-authentication mechanisms used to 835 authenticate the client. If a client authentication response can be 836 replayed to multiple KDCs via the PA-FX-COOKIE mechanism, an 837 expiration in the cookie is RECOMMENDED to prevent the response being 838 presented indefinitely. 840 If at least one more message for a mechanism or a mechanism set is 841 expected by the KDC, the KDC returns a 842 KDC_ERR_MORE_PREAUTH_DATA_NEEDED error with a PA-FX-COOKIE to 843 identify the conversation with the client according to Section 3.2. 844 The cookie is not expected to stay constant for a conversation: the 845 KDC is expected to generate a new cookie for each message. 847 KDC_ERR_MORE_PREAUTH_DATA_NEEDED 91 849 A client MAY throw away the state associated with a conversation and 850 begin a new conversation by discarding its state and not including a 851 cooking in the first message of a conversation. KDCs that comply 852 with this specification MUST include a cookie in a response when the 853 client can continue the conversation. In particular, a KDC MUST 854 include a cookie in a KDC_ERR_PREAUTH_REQUIRED or 855 KDC_ERR_MORE_PREAUTH_DATA_NEEDED. KDCs SHOULD include a cookie in 856 errors containing additional information allowing a client to retry. 857 One reasonable strategy for meeting these requirements is to always 858 include a cookie in KDC errors. 860 A KDC MAY indicate that it is terminating a conversation by not 861 including a cookie in a response. When FAST is used, clients can 862 assume that the absence of a cookie means that the KDC is ending the 863 conversation. Clients also need to deal with KDCs prior to this 864 specification that do not include cookies; if cookies nor FAST are 865 used in a conversation, the absence of a cookie is not a strong 866 indication that the KDC is terminating the conversation. 868 6.4. Pre-authentication Set 870 If all mechanisms in a group need to successfully complete in order 871 to authenticate a client, the client and the KDC SHOULD use the PA- 872 AUTHENTICATION-SET padata element. 874 PA-AUTHENTICATION-SET 134 876 A PA-AUTHENTICATION-SET padata element contains the ASN.1 DER 877 encoding of the PA-AUTHENTICATION-SET structure: 879 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 881 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 882 pa-type [0] Int32, 883 -- same as padata-type. 884 pa-hint [1] OCTET STRING OPTIONAL, 885 pa-value [2] OCTET STRING OPTIONAL, 886 ... 887 } 889 The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure 890 contains the corresponding value of padata-type in PA-DATA [RFC4120]. 891 Associated with the pa-type is a pa-hint, which is an octet-string 892 specified by the pre-authentication mechanism. This hint may provide 893 information for the client which helps it determine whether the 894 mechanism can be used. For example a public-key mechanism might 895 include the certificate authorities it trusts in the hint info. Most 896 mechanisms today do not specify hint info; if a mechanism does not 897 specify hint info the KDC MUST NOT send a hint for that mechanism. 898 To allow future revisions of mechanism specifications to add hint 899 info, clients MUST ignore hint info received for mechanisms that the 900 client believes do not support hint info. The pa-value element of 901 the PA-AUTHENTICATION-SET-ELEM sequence is included to carry the 902 first padata-value from the KDC to the client. If the client chooses 903 this authentication set then the client MUST process this pa-value. 904 The pa-value element MUST be absent for all but the first entry in 905 the authentication set. Clients MUST ignore pa-value for the second 906 and following entries in the authentication set. 908 If the client chooses an authentication set, then its first AS-REQ 909 message MUST contain a PA-AUTH-SET-SELECTED padata element. This 910 element contains the encoding of the PA-AUTHENTICATION-SET sequence 911 received from the KDC corresponding to the authentication set that is 912 chosen. The client MUST use the same octet values received from the 913 KDC; it cannot re-encode the sequence. This allows KDCs to use bit- 914 wise comparison to identify the selected authentication set. The PA- 915 AUTH-SET-SELECTED padata element MUST come before any padata elements 916 from the authentication set in the padata sequence in the AS-REQ 917 message. The client MAY cache authentication sets from prior 918 messages and use them to construct an optimistic initial AS-REQ. If 919 the KDC receives a PA-AUTH-SET-SELECTED padata element that does not 920 correspond to an authentication set that it would offer, then the KDC 921 returns the KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET error. The e-data 922 in this error contains a sequence of padata just as for the 923 KDC_ERR_PREAUTH_REQUIRED error. 925 PA-AUTH-SET-SELECTED 135 926 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92 928 The PA-AUTHENTICATION-SET appears only in the first message from the 929 KDC to the client. In particular, the client MAY fail if the 930 authentication mechanism sets change as the conversation progresses. 931 Clients MAY assume that the hints provided in the authentication set 932 contain enough information that the client knows what user interface 933 elements need to be displayed during the entire authentication 934 conversation. Exceptional circumstances such as expired passwords or 935 expired accounts may require that additional user interface be 936 displayed. Mechanism designers needs to carefully consider the 937 design of their hints so that the client has this information. This 938 way, clients can construct necessary dialogue boxes or wizards based 939 on the authentication set and can present a coherent user interface. 940 Current standards for user interface do not provide an acceptable 941 experience when the client has to ask additional questions later in 942 the conversation. 944 When indicating which sets of pre-authentication mechanisms are 945 supported, the KDC includes a PA-AUTHENTICATION-SET padata element 946 for each pre-authentication mechanism set. 948 The client sends the padata-value for the first mechanism it picks in 949 the pre-authentication set, when the first mechanism completes, the 950 client and the KDC will proceed with the second mechanism, and so on 951 until all mechanisms complete successfully. The PA-FX-COOKIE as 952 defined in Section 6.3 MUST be sent by the KDC so that the 953 conversation can continue if the conversation involves multiple KDCs. 954 The cookie may not be needed in the first message containing the PA- 955 AUTHENTICATION-SET sequence as the KDC may be able to reconstruct the 956 state from the PA-AUTHENTICATION-SET-SELECTED padata. KDCs MUST 957 support clients that do not include a cookie because they 958 optimistically choose an authentication set, although they MAY always 959 return KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET and include a cookie in 960 that message. Clients that support PA-AUTHENTICATION-SET MUST 961 support PA-FX-COOKIE. 963 Before the authentication succeeds and a ticket is returned, the 964 message that the client sends is an AS_REQ and the message that the 965 KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR 966 message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_NEEDED as defined 967 in Section 6.3 and the accompanying e-data contains the DER encoding 968 of ASN.1 type METHOD-DATA. The KDC includes the padata elements in 969 the METHOD-DATA. If there is no padata, the e-data field is absent 970 in the KRB-ERROR message. 972 If the client sends the last message for a given mechanism, then the 973 KDC sends the first message for the next mechanism. If the next 974 mechanism does not start with a KDC-side challenge, then the KDC 975 includes a padata item with the appropriate pa-type and an empty pa- 976 data. 978 If the KDC sends the last message for a particular mechanism, the KDC 979 also includes the first padata for the next mechanism. 981 6.5. Definition of Kerberos FAST Padata 983 As described in [RFC4120], Kerberos is vulnerable to offline 984 dictionary attacks. An attacker can request an AS-REP and try 985 various passwords to see if they can decrypt the resulting ticket. 986 RFC 4120 provides the encrypted timestamp pre-authentication method 987 that ameliorates the situation somewhat by requiring that an attacker 988 observe a successful authentication. However stronger security is 989 desired in many environments. The Kerberos FAST pre-authentication 990 padata defined in this section provides a tool to significantly 991 reduce vulnerability to offline dictionary attack. When combined 992 with encrypted challenge, FAST requires an attacker to mount a 993 successful man-in-the-middle attack to observe ciphertext. When 994 combined with host keys, FAST can even protect against active 995 attacks. FAST also provides solutions to common problems for pre- 996 authentication mechanisms such as binding of the request and the 997 reply, freshness guarantee of the authentication. FAST itself, 998 however, does not authenticate the client or the KDC, instead, it 999 provides a typed hole to allow pre-authentication data be tunneled. 1000 A pre-authentication data element used within FAST is called a FAST 1001 factor. A FAST factor captures the minimal work required for 1002 extending Kerberos to support a new pre-authentication scheme. 1004 A FAST factor MUST NOT be used outside of FAST unless its 1005 specification explicitly allows so. The typed holes in FAST messages 1006 can also be used as generic holes for other padata that are not 1007 intended to prove the client's identity, or establish the reply key. 1009 New pre-authentication mechanisms SHOULD be designed as FAST factors, 1010 instead of full-blown pre-authentication mechanisms. 1012 FAST factors that are pre-authentication mechanisms MUST meet the 1013 requirements in Section 5. 1015 FAST employs an armoring scheme. The armor can be a Ticket Granting 1016 Ticket (TGT) obtained by the client's machine using the host keys to 1017 pre-authenticate with the KDC, or an anonymous TGT obtained based on 1018 anonymous PKINIT [KRB-ANON] [RFC4556]. 1020 The rest of this section describes the types of armors and the syntax 1021 of the messages used by FAST. Conforming implementations MUST 1022 support Kerberos FAST padata. 1024 Any FAST armor scheme MUST provide a fresh armor key for each 1025 conversation. Clients and KDCs can assume that if a message is 1026 encrypted and integrity protected with a given armor key then it is 1027 part of the conversation using that armor key. 1029 All KDCs in a realm MUST support FAST if FAST is offered by any KDC 1030 as a pre-authentication mechanism. 1032 6.5.1. FAST Armors 1034 An armor key is used to encrypt pre-authentication data in the FAST 1035 request and the response. The KrbFastArmor structure is defined to 1036 identify the armor key. This structure contains the following two 1037 fields: the armor-type identifies the type of armors, and the armor- 1038 value is an OCTET STRING that contains the description of the armor 1039 scheme and the armor key. 1041 KrbFastArmor ::= SEQUENCE { 1042 armor-type [0] Int32, 1043 -- Type of the armor. 1044 armor-value [1] OCTET STRING, 1045 -- Value of the armor. 1046 ... 1047 } 1049 The value of the armor key is a matter of the armor type 1050 specification. Only one armor type is defined in this document. 1052 FX_FAST_ARMOR_AP_REQUEST 1 1054 The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets. 1056 Conforming implementations MUST implement the 1057 FX_FAST_ARMOR_AP_REQUEST armor type. 1059 FAST implementations MUST maintain state about whether the armor 1060 mechanism authenticates the KDC. If it does not, then a fast factor 1061 that authenticates the KDC MUST be used if the reply key is replaced. 1063 6.5.1.1. Ticket-based Armors 1065 This is a ticket-based armoring scheme. The armor-type is 1066 FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER 1067 encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket 1068 or an armor TGT. The subkey field in the AP-REQ MUST be present. 1069 The armor key is defined by the following function: 1071 armor_key = KRB-FX-CF2( subkey, ticket_session_key, 1072 "subkeyarmor", "ticketarmor" ) 1074 The `ticket_key' is the session key from the ticket in the ap-req. 1075 The `subkey' is the ap-req subkey. This construction guarantees that 1076 both the KDC (through the session key) and the client (through the 1077 subkey) contribute to the armor key. 1079 The server name field of the armor ticket MUST identify the TGS of 1080 the target realm. Here are three common ways in the decreasing 1081 preference order how an armor TGT SHOULD be obtained: 1083 1. If the client is authenticating from a host machine whose 1084 Kerberos realm has an authentication path to the client's realm, 1085 the host machine obtains a TGT by using the host keys. If the 1086 client's realm is different than the realm of the local host, the 1087 machine then obtains a cross-realm TGT to the client's realm as 1088 the armor ticket. Otherwise, the host's primary TGT is the armor 1089 ticket. 1091 2. If the client's host machine cannot obtain a host ticket strictly 1092 based on RFC4120, but the KDC has an asymmetric signing key whose 1093 binding with the expected KDC can be verified by the client, the 1094 client can use anonymous PKINIT [KRB-ANON] [RFC4556] to 1095 authenticate the KDC and obtain an anonymous TGT as the armor 1096 ticket. The armor ticket can also be a cross-realm TGT obtained 1097 based on the initial primary TGT obtained using anonymous PKINIT 1098 with KDC authentication. 1100 3. Otherwise, the client uses anonymous PKINIT to get an anonymous 1101 TGT without KDC authentication and that TGT is the armor ticket. 1102 Note that this mode of operation is vulnerable to man-in-the- 1103 middle attacks at the time of obtaining the initial anonymous 1104 armor TGT. 1106 If anonymous PKINIT is used to obtain the armor ticket, the KDC 1107 cannot know whether its signing key can be verified by the client, 1108 hence the KDC MUST be marked as unverified from the KDC's point of 1109 view while the client could be able to authenticate the KDC by 1110 verifying the KDC's signing key is bound with the expected KDC. The 1111 client needs to carefully consider the risk and benefit tradeoffs 1112 associated with active attacks before exposing cipher text encrypted 1113 using the user's long-term secrets when the armor does not 1114 authenticate the KDC. 1116 The TGS MUST reject a request if there is an AD-fx-fast-armor (TBD) 1117 element in the authenticator of the pa-tgs-req padata or if the 1118 ticket in the authenticator of a pa-tgs-req contains the AD-fx-fast- 1119 armor authorization data element. These tickets and authenticators 1120 MAY be used as FAST armor tickets but not to obtain a ticket via the 1121 TGS. This authorization data is used in a system where the 1122 encryption of the user's pre-authentication data is performed in an 1123 unprivileged user process. A privileged process can provide to the 1124 user process a host ticket, an authenticator for use with that 1125 ticket, and the sub session key contained in the authenticator. In 1126 order for the host process to ensure that the host ticket is not 1127 accidentally or intentionally misused, (i.e. the user process might 1128 use the host ticket to authenticate as the host), it MUST include a 1129 critical authorization data element of the type AD-fx-fast-armor when 1130 providing the authenticator or in the enc-authorization-data field of 1131 the TGS request used to obtain the TGT. The corresponding ad-data 1132 field of the AD-fx-fast-armor element is empty. 1134 As discussed previously, the server of an armor ticket MUST be the 1135 TGS of the realm from whom service is requested. As a result, if 1136 this armor type is used when a ticket is being validated, proxied, or 1137 in other cases where a ticket other than a TGT is presented to the 1138 TGS, a TGT will be used as an armor ticket, while another ticket will 1139 be used in the pa-tgs-req authenticator. 1141 6.5.2. FAST Request 1143 A padata type PA-FX-FAST is defined for the Kerberos FAST pre- 1144 authentication padata. The corresponding padata-value field 1145 [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST- 1146 REQUEST. As with all pre-authentication types, the KDC SHOULD 1147 advertise PA-FX-FAST with an empty pa-value in a PREAUTH_REQUIRED 1148 error. Clients MUST ignore the pa-value of PA-FX-FAST in an initial 1149 PREAUTH_REQUIRED error. FAST is not expected to be used in an 1150 authentication set: clients will typically use FAST padata if 1151 available and this decision should not depend on what other pre- 1152 authentication methods are available. As such, no pa-hint is defined 1153 for FAST at this time. 1155 PA-FX-FAST 136 1156 -- Padata type for Kerberos FAST 1158 PA-FX-FAST-REQUEST ::= CHOICE { 1159 armored-data [0] KrbFastArmoredReq, 1160 ... 1161 } 1163 KrbFastArmoredReq ::= SEQUENCE { 1164 armor [0] KrbFastArmor OPTIONAL, 1165 -- Contains the armor that identifies the armor key. 1166 -- MUST be present in AS-REQ. 1167 req-checksum [1] Checksum, 1168 -- For AS, contains the checksum performed over the type 1169 -- KDC-REQ-BODY for the req-body field of the KDC-REQ 1170 -- structure; 1171 -- For TGS, contains the checksum performed over the type 1172 -- AP-REQ in the PA-TGS-REQ padata. 1173 -- The checksum key is the armor key, the checksum 1174 -- type is the required checksum type for the enctype of 1175 -- the armor key, and the key usage number is 1176 -- KEY_USAGE_FAST_REQ_CHKSUM. 1177 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1178 -- The encryption key is the armor key, and the key usage 1179 -- number is KEY_USAGE_FAST_ENC. 1180 ... 1181 } 1183 KEY_USAGE_FAST_REQ_CHKSUM 50 1184 KEY_USAGE_FAST_ENC 51 1186 The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type. 1187 The KrbFastArmoredReq encapsulates the encrypted padata. 1189 The enc-fast-req field contains an encrypted KrbFastReq structure. 1190 The armor key is used to encrypt the KrbFastReq structure, and the 1191 key usage number for that encryption is KEY_USAGE_FAST_ENC. 1193 The armor key is selected as follows: 1195 o In an AS request, the armor field in the KrbFastArmoredReq 1196 structure MUST be present and the armor key is identified 1197 according to the specification of the armor type. 1199 o There are two possibilities for armor for a TGS request. If the 1200 ticket presented in the PA-TGS-REQ authenticator is a TGT, then 1201 the client SHOULD not include the armor field in the Krbfastreq 1202 and a subkey MUST be included in the PA-TGS-REQ authenticator. In 1203 this case, the armor key is the same armor key that would be 1204 computed if the TGS-REQ authenticator was used in a 1205 FX_FAST_ARMOR_AP_REQUEST armor. If a ticket other than a TGT is 1206 being presented to the TGS, a client SHOULD use some form of FAST 1207 armor such as a ticket-based armor with a TGT as an armor ticket. 1208 Clients MAY present a non-TGT in the PA-TGS-REQ authenticator and 1209 omit the armor field, in which case the armor key is the same that 1210 would be computed if the authenticator were used in a 1211 FX_FAST_ARMOR_AP_REQUEST armor. This is the only case where a 1212 ticket other than a TGT can be used to establish an armor key; 1213 even though the armor key is computed the same as a 1214 FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an armor 1215 ticket in FX_FAST_ARMOR_AP_REQUEST. 1217 The req-checksum field contains a checksum computed differently for 1218 AS and TGS. For an AS-REQ, it is performed over the type KDC-REQ- 1219 BODY for the req-body field of the KDC-REQ structure of the 1220 containing message; for an TGS-REQ, it is performed over the type AP- 1221 REQ in the PA-TGS-REQ padata of the TGS request. The checksum key is 1222 the armor key, and the checksum type is the required checksum type 1223 for the enctype of the armor key per [RFC3961]. This checksum is 1224 included in order to bind the FAST padata to the outer request. A 1225 KDC that implements FAST will ignore the outer request, but including 1226 a checksum is relatively cheap and may prevent confusing behavior. 1228 The KrbFastReq structure contains the following information: 1230 KrbFastReq ::= SEQUENCE { 1231 fast-options [0] FastOptions, 1232 -- Additional options. 1233 padata [1] SEQUENCE OF PA-DATA, 1234 -- padata typed holes. 1235 req-body [2] KDC-REQ-BODY, 1236 -- Contains the KDC request body as defined in Section 1237 -- 5.4.1 of [RFC4120]. 1238 -- This req-body field is preferred over the outer field 1239 -- in the KDC request. 1240 ... 1241 } 1243 The fast-options field indicates various options that are to modify 1244 the behavior of the KDC. The following options are defined: 1246 FastOptions ::= KerberosFlags 1247 -- reserved(0), 1248 -- hide-client-names(1), 1249 -- kdcfollow--referrals(16) 1251 Bits Name Description 1252 ----------------------------------------------------------------- 1253 0 RESERVED Reserved for future expansion of this 1254 field. 1255 1 hide-client-names Requesting the KDC to hide client 1256 names in the KDC response, as 1257 described next in this section. 1258 16 kdc-follow-referrals Requesting the KDC to follow referrals. 1260 Bits 1 through 15 inclusive (with bit 1 and bit 15 included) are 1261 critical options. If the KDC does not support a critical option, it 1262 MUST fail the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, and 1263 there is no accompanying e-data defined in this document for this 1264 error code. Bit 16 and onward (with bit 16 included) are non- 1265 critical options. KDCs conforming to this specification ignore 1266 unknown non-critical options. 1268 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93 1270 The hide-client-names Option 1272 The Kerberos response defined in [RFC4120] contains the client 1273 identity in clear text, This makes traffic analysis 1274 straightforward. The hide-client-names option is designed to 1275 complicate traffic analysis. If the hide-client-names option is 1276 set, the KDC implementing PA-FX-FAST MUST identify the client as 1277 the anonymous principal [KRB-ANON] in the KDC reply and the error 1278 response. Hence this option is set by the client if it wishes to 1279 conceal the client identity in the KDC response. A conforming KDC 1280 ignores the client principal name in the outer KDC-REQ-BODY field, 1281 and identifies the client using the cname and crealm fields in the 1282 req-body field of the KrbFastReq structure. 1284 The kdc-follow-referrals Option 1286 The Kerberos client described in [RFC4120] has to request referral 1287 TGTs along the authentication path in order to get a service 1288 ticket for the target service. The Kerberos client described in 1289 the [REFERRALS] needs to contact the AS specified in the error 1290 response in order to complete client referrals. The kdc-follow- 1291 referrals option is designed to minimize the number of messages 1292 that need to be processed by the client. This option is useful 1293 when, for example, the client may contact the KDC via a satellite 1294 link that has high network latency, or the client has limited 1295 computational capabilities. If the kdc-follow-referrals option is 1296 set, the KDC MAY act as the client to follow TGS referrals 1297 [REFERRALS], and return the service ticket to the named server 1298 principal in the client request using the reply key expected by 1299 the client. That is, rather than returning a referral, the KDC 1300 follows that referral by contacting a remote KDC and processing 1301 the referral. The kdc-referrals option can be implemented when 1302 the KDC knows the reply key. The KDC can ignore kdc-referrals 1303 option when it does not understand it or it does not allow this 1304 option based on local policy. The client SHOULD be capable of 1305 processing the KDC responses when this option is not honored by 1306 the KDC. Clients SHOULD use TCP to contact a KDC if this option 1307 is going to be used to avoid problems when the client's UDP 1308 retransmit algorithm has timeouts insufficient to allow the KDC to 1309 interact with remote KDCs. 1311 The padata field contains a list of PA-DATA structures as described 1312 in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain 1313 FAST factors. They can also be used as generic typed-holes to 1314 contain data not intended for proving the client's identity or 1315 establishing a reply key, but for protocol extensibility. If the KDC 1316 supports the PA-FX-FAST-REQUEST padata, unless otherwise specified, 1317 the client MUST place any padata that is otherwise in the outer KDC 1318 request body into this field. In a TGS request, PA-TGS-REQ padata is 1319 not included in this field and it is present in the outer KDC request 1320 body. 1322 The KDC-REQ-BODY in the FAST structure is used in preference to the 1323 KDC-REQ-BODY outside of the FAST pre-authentication. The outer KDC- 1324 REQ-BODY structure SHOULD be filled in for backwards compatibility 1325 with KDCs that do not support FAST. A conforming KDC ignores the 1326 outer KDC-REQ-BODY field in the KDC request. However pre- 1327 authentication data methods such as [RFC4556] that include a checksum 1328 of the KDC-REQ-BODY should checksum the outer KDC-REQ-BODY. These 1329 methods will already be bound to the inner body through the integrity 1330 protection in the FAST request. 1332 6.5.3. FAST Response 1334 The KDC that supports the PA-FX-FAST padata MUST include a PA-FX-FAST 1335 padata element in the KDC reply. In the case of an error, the PA-FX- 1336 FAST padata is included in the KDC responses according to 1337 Section 6.5.4. 1339 The corresponding padata-value field [RFC4120] for the PA-FX-FAST in 1340 the KDC response contains the DER encoding of the ASN.1 type PA-FX- 1341 FAST-REPLY. 1343 PA-FX-FAST-REPLY ::= CHOICE { 1344 armored-data [0] KrbFastArmoredRep, 1345 ... 1346 } 1348 KrbFastArmoredRep ::= SEQUENCE { 1349 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1350 -- The encryption key is the armor key in the request, and 1351 -- the key usage number is KEY_USAGE_FAST_REP. 1352 ... 1353 } 1354 KEY_USAGE_FAST_REP 52 1356 The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep 1357 structure. The KrbFastArmoredRep structure encapsulates the padata 1358 in the KDC reply in the encrypted form. The KrbFastResponse is 1359 encrypted with the armor key used in the corresponding request, and 1360 the key usage number is KEY_USAGE_FAST_REP. 1362 The Kerberos client who does not receive a PA-FX-FAST-REPLY in the 1363 KDC response MUST support a local policy that rejects the response. 1364 Clients MAY also support policies that fall back to other mechanisms 1365 or that do not use pre-authentication when FAST is unavailable. It 1366 is important to consider the potential downgrade attacks when 1367 deploying such a policy. 1369 The KrbFastResponse structure contains the following information: 1371 KrbFastResponse ::= SEQUENCE { 1372 padata [0] SEQUENCE OF PA-DATA, 1373 -- padata typed holes. 1374 rep-key [1] EncryptionKey OPTIONAL, 1375 -- This, if present, replaces the reply key for AS and 1376 -- TGS. 1377 -- MUST be absent in KRB-ERROR. 1378 finished [2] KrbFastFinished OPTIONAL, 1379 -- Present in AS or TGS reply; absent otherwise. 1380 ... 1381 } 1383 The padata field in the KrbFastResponse structure contains a list of 1384 PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These 1385 PA-DATA structures are used to carry data advancing the exchange 1386 specific for the FAST factors. They can also be used as generic 1387 typed-holes for protocol extensibility. Unless otherwise specified, 1388 the KDC MUST include any padata that is otherwise in the outer KDC- 1389 REP structure into this field. The padata field in the KDC reply 1390 structure outside of the PA-FX-FAST-REPLY structure typically 1391 includes only the PA-FX- FAST-REPLY padata and optionally the PA-FX- 1392 COOKIE padata. 1394 The rep-key field, if present, contains the reply key that is used to 1395 encrypted the KDC reply. The rep-key field MUST be absent in the 1396 case where an error occurs. The enctype of the rep-key is the 1397 strongest mutually supported by the KDC and the client. 1399 The finished field contains a KrbFastFinished structure. It is 1400 filled by the KDC in the final message in the conversation. This 1401 field is present in an AS-REP or a TGS-REP when a ticket is returned, 1402 and it is not present in an error reply. 1404 The KrbFastFinished structure contains the following information: 1406 KrbFastFinished ::= SEQUENCE { 1407 timestamp [0] KerberosTime, 1408 usec [1] Microseconds, 1409 -- timestamp and usec represent the time on the KDC when 1410 -- the reply was generated. 1411 crealm [2] Realm, 1412 cname [3] PrincipalName, 1413 -- Contains the client realm and the client name. 1414 checksum [4] Checksum, 1415 -- Checksum performed over all the messages in the 1416 -- conversation, except the containing message. 1417 -- The checksum key is the armor key as defined in 1418 -- Section 6.5.1, and the checksum type is the required 1419 -- checksum type of the armor key. 1420 ticket-checksum [5] Checksum, 1421 -- checksum of the ticket in the KDC-REP using the armor 1422 -- and the key usage is KEY_USAGE_FAST_FINISH. 1423 -- The checksum type is the required checksum type 1424 -- of the armor key. 1425 ... 1426 } 1427 KEY_USAGE_FAST_FINISHED 53 1429 The timestamp and usec fields represent the time on the KDC when the 1430 reply ticket was generated, these fields have the same semantics as 1431 the corresponding-identically-named fields in Section 5.6.1 of 1432 [RFC4120]. The client MUST use the KDC's time in these fields 1433 thereafter when using the returned ticket. Note that the KDC's time 1434 in AS-REP may not match the authtime in the reply ticket if the kdc- 1435 follow-referrals option is requested and honored by the KDC. The 1436 client need not confirm that the timestamp returned is within 1437 allowable clock skew: the armor key guarantees that the reply is 1438 fresh. The client MAY trust the time stamp returned. 1440 The cname and crealm fields identify the authenticated client. If 1441 facilities described in [REFERRALS] are used, the authenticated 1442 client may differ from the client in the FAST request. 1444 The checksum field contains a checksum of all the messages in the 1445 conversation prior to the containing message (the containing message 1446 is excluded). The checksum key is the armor key, and the checksum 1447 type is the required checksum type of the enctype of that key, and 1448 the key usage number is KEY_USAGE_FAST_FINISHED. The ticket-checksum 1449 is a checksum of the issued ticket using the same key and key usage. 1451 When FAST padata is included, the PA-FX-COOKIE padata as defined in 1452 Section 6.3 MUST also be included if the KDC expects at least one 1453 more message from the client in order to complete the authentication. 1455 6.5.4. Authenticated Kerberos Error Messages using Kerberos FAST 1457 If the Kerberos FAST padata was included in the request, unless 1458 otherwise specified, the e-data field of the KRB-ERROR message 1459 [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA 1460 [RFC4120] and a PA-FX-FAST is included in the METHOD-DATA. The KDC 1461 MUST include all the padata elements such as PA-ETYPE-INFO2 and 1462 padata elements that indicate acceptable pre-authentication 1463 mechanisms [RFC4120] in the KrbFastResponse structure. 1465 The KDC MUST also include a PA-FX-ERROR padata item in the 1466 KRBFastResponse structure. The padata-value element of this sequence 1467 is the ASN.1 DER encoding of the type KRB-ERROR. The e-data field 1468 MUST be absent in the PA-FX-ERROR padata. All other fields should be 1469 the same as the outer KRB-ERROR. The client ignores the outer error 1470 and uses the combination of the padata in the KRBFastResponse and the 1471 error information in the PA-FX-ERROR. 1473 PA-FX-ERROR 137 1475 If the Kerberos FAST padata is included in the request but not 1476 included in the error reply, it is a matter of the local policy on 1477 the client to accept the information in the error message without 1478 integrity protection. The Kerberos client MAY process an error 1479 message without a PA-FX-FAST-REPLY, if that is only intended to 1480 return better error information to the application, typically for 1481 trouble-shooting purposes. 1483 In the cases where the e-data field of the KRB-ERROR message is 1484 expected to carry a TYPED-DATA [RFC4120] element, then that 1485 information should be transmitted in a pa-data element within the 1486 KRBFastResponse structure. The padata-type is the same as the data- 1487 type would be in the typed data element and the padata-value is the 1488 same as the data-value. As discussed in Section 8, data-types and 1489 padata-types are drawn from the same namespace. For example, the 1490 TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR 1491 message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE 1492 [RFC4556]. 1494 6.5.5. Outer and Inner Requests 1496 Typically, a client will know that FAST is being used before a 1497 request containing PA-FX-FAST is sent. So, the outer AS request 1498 typically only includes two pa-data items: PA-FX-FAST and PA-FX- 1499 COOKIE. The client MAY include additional pa-data, but the KDC MUST 1500 ignore the outer request body and any padata besides PA-FX-FAST and 1501 PA-FX-COOKIE if PA-FX-FAST is processed. In the case of the TGS 1502 request, the outer request should include PA-FX-FAST and PA-TGS-REQ. 1504 When an AS generates a response, all padata besides PA-FX-FAST and 1505 PA-FX-COOKIE should be included in PA-FX-FAST. The client MUST 1506 ignore other padata outside of PA-FX-FAST. 1508 6.5.6. The Encrypted Challenge FAST Factor 1510 The encrypted challenge FAST factor authenticates a client using the 1511 client's long-term key. This factor works similarly to the encrypted 1512 time stamp pre-authentication option described in [RFC4120]. The 1513 client encrypts a structure containing a timestamp in the challenge 1514 key. The challenge key used by the client to send a message to the 1515 KDC is KRB-FX-CF2(armor_key,long_term_key, "clientchallengearmor", 1516 "challengelongterm"). The challenge key used by the KDC encrypting 1517 to the client is KRB-FX-CF2(armor_key, long_term_key, 1518 "kdcchallengearmor", "challengelongterm"). Because the armor key is 1519 fresh and random, the challenge key is fresh and random. The only 1520 purpose of the timestamp is to limit the validity of the 1521 authentication so that a request cannot be replayed. A client MAY 1522 base the timestamp on the KDC time in a KDC error and need not 1523 maintain accurate time synchronization itself. If a client bases its 1524 time on an untrusted source, an attacker may trick the client into 1525 producing an authentication request that is valid at some future 1526 time. The attacker may be able to use this authentication request to 1527 make it appear that a client has authenticated at that future time. 1528 If ticket-based armor is used, then the lifetime of the ticket will 1529 limit the window in which an attacker can make the client appear to 1530 have authenticated. For many situations, the ability of an attacker 1531 to cause a client to appear to have authenticated is not a 1532 significant concern; the ability to avoid requiring time 1533 synchronization on clients is more valuable. 1535 The client sends a padata of type PA-ENCRYPTED-CHALLENGE the 1536 corresponding padata-value contains the DER encoding of ASN.1 type 1537 EncryptedChallenge. 1539 EncryptedChallenge ::= EncryptedData 1540 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 1541 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 1542 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 1544 PA-ENCRYPTED-CHALLENGE 138 1545 KEY_USAGE_ENC_CHALLENGE_CLIENT 54 1546 KEY_USAGE_ENC_CHALLENGE_KDC 55 1548 The client includes some time stamp reasonably close to the KDC's 1549 current time and encrypts it in the challenge key. Clients MAY use 1550 the current time; doing so prevents the exposure where an attacker 1551 can cause a client to appear to authenticate in the future. The 1552 client sends the request including this factor. 1554 On receiving an AS-REQ containing the PA-ENCRYPTED-CHALLENGE fast 1555 factor, the KDC decrypts the timestamp. If the decryption fails the 1556 KDC SHOULD return KDC_ERR_PREAUTH_FAILED, including PA-ETYPE-INFO2 in 1557 the KRBFastResponse in the error. The KDC confirms that the 1558 timestamp falls within its current clock skew returning 1559 KRB_APP_ERR_SKEW if not. The KDC then SHOULD check to see if the 1560 encrypted challenge is a replay. The KDC MUST NOT consider two 1561 encrypted challenges replays simply because the time stamps are the 1562 same; to be a replay, the ciphertext MUST be identical. Allowing 1563 clients to re-use time stamps avoids requiring that clients maintain 1564 state about which time stamps have been used. 1566 If the KDC accepts the encrypted challenge, it MUST include a padata 1567 element of type PA-ENCRYPTED-CHALLENGE. The KDC encrypts its current 1568 time in the challenge key. The KDC MUST replace the reply key before 1569 issuing a ticket. The client MUST check that the timestamp decrypts 1570 properly. The client MAY check that the timestamp is winthin the 1571 window of acceptable clock skew for the client. The client MUST NOT 1572 require that the timestamp be identical to the timestamp in the 1573 issued credentials or the returned message. 1575 The encrypted challenge FAST factor provides the following 1576 facilities: client-authentication and KDC authentication. This FAST 1577 factor also takes advantage of the FAST facility to replace the reply 1578 key. It does not provide the strengthening-reply-key facility. The 1579 security considerations section of this document provides an 1580 explanation why the security requirements are met. 1582 The encrypted challenge FAST factor can be useful in an 1583 authentication set. No pa-hint is defined because the only 1584 information needed by this mechanism is information contained in the 1585 PA-ETYPE-INFO2 pre-authentication data. KDCs are already required to 1586 send PA-ETYPE-INFO2. If KDCs were not required to send PA-ETYPE- 1587 INFO2 then that information would need to be part of a hint for 1588 encrypted challenge. 1590 Conforming implementations MUST support the encrypted challenge FAST 1591 factor. 1593 6.6. Authentication Strength Indication 1595 Implementations that have pre-authentication mechanisms offering 1596 significantly different strengths of client authentication MAY choose 1597 to keep track of the strength of the authentication used as an input 1598 into policy decisions. For example, some principals might require 1599 strong pre-authentication, while less sensitive principals can use 1600 relatively weak forms of pre-authentication like encrypted timestamp. 1602 An AuthorizationData data type AD-Authentication-Strength is defined 1603 for this purpose. 1605 AD-authentication-strength 70 1607 The corresponding ad-data field contains the DER encoding of the pre- 1608 authentication data set as defined in Section 6.4. This set contains 1609 all the pre-authentication mechanisms that were used to authenticate 1610 the client. If only one pre-authentication mechanism was used to 1611 authenticate the client, the pre-authentication set contains one 1612 element. 1614 The AD-authentication-strength element MUST be included in the AD-IF- 1615 RELEVANT, thus it can be ignored if it is unknown to the receiver. 1617 7. Assigned Constants 1619 The pre-authentication framework and FAST involve using a number of 1620 Kerberos protocol constants. This section lists protocol constants 1621 first introduced in this specification drawn from registries not 1622 managed by IANA. Many of these registries would best be managed by 1623 IANA; that is a known issue that is out of scope for this document. 1624 The constants described in this section have been accounted for and 1625 will appear in the next revision of the Kerberos core specification 1626 or in a document creating IANA registries. 1628 Section 8 creates IANA registries for a different set of constants 1629 used by the extensions described in this document. 1631 7.1. New Errors 1633 KDC_ERR_PREAUTH_EXPIRED 90 1634 KDC_ERR_MORE_PREAUTH_DATA_NEEDED 91 1635 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92 1636 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93 1638 7.2. Key Usage Numbers 1640 KEY_USAGE_FAST_REQ_CHKSUM 50 1641 KEY_USAGE_FAST_ENC 51 1642 KEY_USAGE_FAST_REP 52 1643 KEY_USAGE_FAST_FINISHED 53 1644 KEY_USAGE_ENC_CHALLENGE_CLIENT 54 1645 KEY_USAGE_ENC_CHALLENGE_KDC 55 1647 7.3. Authorization Data Elements 1649 AD-authentication-strength 70 1650 AD-fx-fast-armor 71 1652 7.4. New PA-DATA Types 1654 PA-FX-COOKIE 133 1655 PA-AUTHENTICATION-SET 134 1656 PA-AUTH-SET-SELECTED 135 1657 PA-FX-FAST 136 1658 PA-FX-ERROR 137 1659 PA-ENCRYPTED-CHALLENGE 138 1661 8. IANA Considerations 1663 This document creates a number of IANA registries. These registries 1664 should all be located under 1665 http://www.iana.org/assignments/kerberos-parameters. 1667 8.1. Pre-authentication and Typed Data 1669 RFC 4120 defines pre-authentication data, which can be included in a 1670 KDC request or response in order to authenticate the client or extend 1671 the protocol. In addition, it defines Typed-Data which is an 1672 extension mechanism for errors. Both pre-authentication data and 1673 typed data are carried as a 32-bit signed integer along with an octet 1674 string. The encoding of typed data and pre-authentication data is 1675 slightly different. However the types for pre-authentication data 1676 and typed-data are drawn from the same namespace. By convention, 1677 registrations starting with TD- are typed data and registration 1678 starting with PA- are pre-authentication data. It is important that 1679 these data types be drawn from the same namespace, because some 1680 errors where it would be desirable to include typed data require the 1681 e-data field to be formatted as pre-authentication data. 1683 When Kerberos FAST is used, pre-authentication data encoding is 1684 always used. 1686 There is one apparently conflicting registration between typed data 1687 and pre-authentication data. PA-GET-FROM-TYPED-DATA and TD-PADATA 1688 are both assigned the value 22. However this registration is simply 1689 a mechanism to include an element of the other encoding. The use of 1690 both should be deprecated. 1692 This document creates a registry for pre-authentication and typed 1693 data. The registration procedures are as follows. Expert review for 1694 pre-authentication mechanisms designed to authenticate users, KDCs, 1695 or establish the reply key. The expert first determines that the 1696 purpose of the method is to authenticate clients, KDCs, or to 1697 establish the reply key. If so, expert review is appropriate. The 1698 expert evaluates the security and interoperability of the 1699 specification. 1701 IETF review is required if the expert believes that the pre- 1702 authentication method is broader than these three areas. Pre- 1703 authentication methods that change the Kerberos state machine or 1704 otherwise make significant changes to the Kerberos protocol should be 1705 standards track RFCs. A concern that a particular method needs to be 1706 a standards track RFC may be raised as an objection during IETF 1707 review. 1709 Type Value Reference 1710 ---------------------------------------------------------------------- 1711 PA-TGS-REQ 1 RFC 4120 1712 PA-ENC-TIMESTAMP 2 RFC 4120 1713 PA-PW-SALT 3 RFC 4120 1714 [reserved] 4 1715 PA-ENC-UNIX-TIME 5 (deprecated) 1716 PA-SANDIA-SECUREID 6 1717 PA-SESAME 7 1718 PA-OSF-DCE 8 1719 PA-CYBERSAFE-SECUREID 9 1720 PA-AFS3-SALT 10 1721 PA-ETYPE-INFO 11 RFC 4120 1722 PA-SAM-CHALLENGE 12 (sam/otp) 1723 PA-SAM-RESPONSE 13 (sam/otp) 1724 PA-PK-AS-REQ_OLD 14 draft-ietf-cat-kerberos-pk-init-09 1725 PA-PK-AS-REP_OLD 15 draft-ietf-cat-kerberos-pk-init-09 1726 PA-PK-AS-REQ 16 RFC 4556 1727 PA-PK-AS-REP 17 RFC 4556 1728 PA-ETYPE-INFO2 19 RFC 4120 1729 PA-USE-SPECIFIED-KVNO 20 1730 PA-SAM-REDIRECT 21 (sam/otp) 1731 PA-GET-FROM-TYPED-DATA 22 (embedded in typed data) 1732 TD-PADATA 22 (embeds padata) 1733 PA-SAM-ETYPE-INFO 23 (sam/otp) 1734 PA-ALT-PRINC 24 (crawdad@fnal.gov) 1735 PA-SAM-CHALLENGE2 30 (kenh@pobox.com) 1736 PA-SAM-RESPONSE2 31 (kenh@pobox.com) 1737 PA-EXTRA-TGT 41 Reserved extra TGT 1738 TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS 1739 TD-KRB-PRINCIPAL 102 PrincipalName 1740 TD-KRB-REALM 103 Realm 1741 TD-TRUSTED-CERTIFIERS 104 PKINIT 1742 TD-CERTIFICATE-INDEX 105 PKINIT 1743 TD-APP-DEFINED-ERROR 106 Application specific 1744 TD-REQ-NONCE 107 INTEGER 1745 TD-REQ-SEQ 108 INTEGER 1746 PA-PAC-REQUEST 128 MS-KILE 1747 PA-FOR_USER 129 MS-KILE 1748 PA-FOR-X509-USER 130 MS-KILE 1749 PA-FOR-CHECK_DUPS 131 MS-KILE 1750 PA-AS-CHECKSUM 132 MS-KILE 1751 PA-FX-COOKIE 133 draft-ietf-krb-wg-preauth-framework 1752 PA-AUTHENTICATION-SET 134 draft-ietf-krb-wg-preauth-framework 1753 PA-AUTH-SET-SELECTED 135 draft-ietf-krb-wg-preauth-framework 1754 PA-FX-FAST 136 draft-ietf-krb-wg-preauth-framework 1755 PA-FX-ERROR 137 draft-ietf-krb-wg-preauth-framework 1756 PA-ENCRYPTED-CHALLENGE 138 draft-ietf-krb-wg-preauth-framework 1757 PA-OTP-CHALLENGE 141 (gareth.richards@rsa.com) 1758 PA-OTP-REQUEST 142 (gareth.richards@rsa.com) 1759 PA-OTP-CONFIRM 143 (gareth.richards@rsa.com) 1760 PA-SUPPORTED-ETYPES 165 MS-KILE 1762 8.2. Fast Armor Types 1764 FAST armor types are defined in Section 6.5.1. A FAST armor type is 1765 a signed 32-bit integer. FAST armor types are assigned by standards 1766 action. 1768 Type Name Description 1769 ------------------------------------------------------------ 1770 0 Reserved. 1771 1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req. 1773 8.3. FAST Options 1775 A FAST request includes a set of bit flags to indicate additional 1776 options. Bits 0-15 are critical; other bits are non-critical. 1777 Assigning bits greater than 31 may require special support in 1778 implementations. Assignment of FAST options requires standards 1779 action. 1781 Type Name Description 1782 ------------------------------------------------------------------- 1783 0 RESERVED Reserved for future expansion of this 1784 field. 1785 1 hide-client-names Requesting the KDC to hide client 1786 names in the KDC response 1787 16 kdc-follow-referrals Requesting the KDC to follow 1788 referrals 1790 9. Security Considerations 1792 The kdc-referrals option in the Kerberos FAST padata requests the KDC 1793 to act as the client to follow referrals. This can overload the KDC. 1794 To limit the damages of denied of service using this option, KDCs MAY 1795 restrict the number of simultaneous active requests with this option 1796 for any given client principal. 1798 With regarding to the facilities provided by the Encrypted Challenge 1799 FAST factor, the challenge key is derived from the client secrets and 1800 because the client secrets are known only to the client and the KDC, 1801 the verification of the EncryptedChallenge structure proves the 1802 client's identity, the verification of the EncryptedChallenge 1803 structure in the KDC reply proves that the expected KDC responded. 1804 Therefore, the Encrypted Challenge FAST factor as a pre- 1805 authentication mechanism offers the following facilities: client- 1806 authentication and KDC-authentication. There is no un-authenticated 1807 clear text introduced by the Encrypted Challenge FAST factor. 1809 10. Acknowledgements 1811 Sam Hartman would like to thank the MIT Kerberos Consortium for its 1812 funding of his time on this project. 1814 Several suggestions from Jeffrey Hutzelman based on early revisions 1815 of this documents led to significant improvements of this document. 1817 The proposal to ask one KDC to chase down the referrals and return 1818 the final ticket is based on requirements in [ID.CROSS]. 1820 Joel Webber had a proposal for a mechanism similar to FAST that 1821 created a protected tunnel for Kerberos pre-authentication. 1823 11. References 1825 11.1. Normative References 1827 [KRB-ANON] 1828 Zhu, L. and P. Leach, "Kerberos Anonymity Support", 1829 draft-ietf-krb-wg-anon-04.txt (work in progress), 2007. 1831 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1832 Requirement Levels", BCP 14, RFC 2119, March 1997. 1834 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1835 Kerberos 5", RFC 3961, February 2005. 1837 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1838 Kerberos Network Authentication Service (V5)", RFC 4120, 1839 July 2005. 1841 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial 1842 Authentication in Kerberos (PKINIT)", RFC 4556, June 2006. 1844 11.2. Informative References 1846 [ID.CROSS] 1847 Sakane, S., Zrelli, S., and M. Ishiyama , "Problem 1848 Statement on the Operation of Kerberos in a Specific 1849 System", draft-sakane-krb-cross-problem-statement-02.txt 1850 (work in progress), April 2007. 1852 [KRB-WG.SAM] 1853 Hornstein, K., Renard, K., Neuman, C., and G. Zorn, 1854 "Integrating Single-use Authentication Mechanisms with 1855 Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in 1856 progress), October 2003. 1858 [REFERRALS] 1859 Raeburn, K. and L. Zhu, "Generating KDC Referrals to 1860 Locate Kerberos Realms", 1861 draft-ietf-krb-wg-kerberos-referrals-10.txt (work in 1862 progress), 2007. 1864 Appendix A. Change History 1866 RFC editor, please remove this section before publication. 1868 A.1. Changes since 09 1870 Clarify conversations by defining for TGS and by describing how 1871 cookies form conversation boundaries. 1872 Simplify text surrounding when finish is included: always for AS 1873 and TGS reply, never for error. 1874 Fill in IANA and constants 1876 A.2. Changes since 08 1878 Fix a number of typos 1879 Rename anonymous flag to hide-client-name; rename kdc-referals to 1880 kdc-follow-referrals 1881 Clarify how anonymous pkinit interacts with KDC verified. 1882 Introduce AD-fx-fast-armor authorization data to deal with 1883 unprivileged processes constructing KDC requests. Note that a TGT 1884 is always used for armor tickets if the armor field is present; if 1885 you proxy or validate you'll end up with a TGT armor ticket and 1886 another ticket in the pa-tgs-req. Alternatively you can simply 1887 use the other ticket in the PA-TGS-REQ; weak consensus within WG. 1888 All KDCs in a realm MUST support FAST if it is to be offered. 1889 The cookie message is always generated by the KDC. 1890 Note that the client can trust and need not verify the time stamp 1891 in the finish message. This can seed the client's idea of KDC 1892 time. 1893 Note that the client name in the finish message may differ from 1894 the name in the request if referrals are used. 1895 Note that KDCs should advertize fast in preauth_required errors. 1896 Armor key is constructed using KRB-FX-CF2. This is true even in 1897 the TGS case; there is no security reason to do this. Using the 1898 subkey as done in draft 08 would be fine, but the current text 1899 uses the same procedure both in the TGS and AS case. 1900 Use a different challenge key in each direction in the encrypted 1901 challenge option. 1902 Note that the KDC should process PA-FX-COOKIE before other padata. 1903 KRB-FX-CF2 uses k1's enctype for the result; change around calling 1904 order so we pass in subkeys and armor keys as k1 in preference to 1905 long-term keys or ticket session keys. 1906 Clarify the relationship between authentication sets and cookies. 1907 A cookie may not be needed in the first message. Clarify how this 1908 interacts with optimistic clients. 1909 Remove text raising a concern that RFC 3961 may permit ciphertext 1910 transformations that do not change plaintext: discussion on the 1911 list came to the conclusion that RFC 3961 does not permit this. 1913 Remove binding key concept; use the armor key instead. The cookie 1914 becomes just an octet string. 1915 Include PA-FX-ERROR to protect the error information per Dublin. 1916 Returning preauth_failed in the failed to decrypt encrypted 1917 challenge seems fine; remove the issue marker 1918 Add a section describing what goes in the inner and outer request. 1919 I believe it is redundant but found it useful while putting 1920 together an implementation proposal. 1921 Use hyphen rather than underscore in the constants for pre- 1922 authentication data to be consistent with RFC 4120. 1923 Add a ticket-checksum to the finished message 1924 Remove redundant KEY_USAGE_FAST_ARMOR. 1925 Add protocol constants section for non-IANA registrations and 1926 flesh out IANA section. 1927 Clarify that kdc-req-body checksums should always use the outer 1928 body even for mechanisms like PKINIT that include their own (now 1929 redundant) checksum. 1930 Remove mechanism for encapsulating typed data in padata; just 1931 reflect the value. 1933 A.3. Changes since 07 1935 Propose replacement of authenticated timestamp with encrypted 1936 challenge. The desire to avoid clients needing time 1937 synchronization and to simply the factor. 1938 Add a requirement that any FAST armor scheme must provide a fresh 1939 key for each conversation. This allows us to assume that anything 1940 encrypted/integrity protected in the right key is fresh and not 1941 subject to cross-conversation cut and paste. 1942 Removed heartbeat padata. The KDC will double up messages if it 1943 needs to; the client simply sends its message and waits for the 1944 next response. 1945 Define PA-AUTH-SET-SELECTED 1946 Clarify a KDC cannot ignore padata is has claimed to support 1948 A.4. Changes since 06 1950 Note that even for replace reply key it is likely that the side 1951 using the mechanism will know that the other side supports it. 1952 Since it is reasonably unlikely we'll need a container mechanism 1953 other than FAST itself, we don't need to optimize for that case. 1954 So, we want to optimize for implementation simplicity. Thus if 1955 you do have such a container mechanism interacting with 1956 authentication sets we'll assume that the hint need to describe 1957 hints for all contained mechanisms. This closes out a long- 1958 standing issue. 1960 Write up what Sam believes is the consensus on UI and prompts in 1961 the authentication set: clients MAY assume that they have all the 1962 UI information they need. 1964 Appendix B. ASN.1 module 1966 KerberosPreauthFramework { 1967 iso(1) identified-organization(3) dod(6) internet(1) 1968 security(5) kerberosV5(2) modules(4) preauth-framework(3) 1969 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 1971 IMPORTS 1972 KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum, 1973 Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY, 1974 Microseconds, KerberosFlags 1975 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 1976 dod(6) internet(1) security(5) kerberosV5(2) 1977 modules(4) krb5spec2(2) }; 1978 -- as defined in RFC 4120. 1980 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 1982 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 1983 pa-type [0] Int32, 1984 -- same as padata-type. 1985 pa-hint [1] OCTET STRING OPTIONAL, 1986 pa-value [2] OCTET STRING OPTIONAL, 1987 ... 1988 } 1990 KrbFastArmor ::= SEQUENCE { 1991 armor-type [0] Int32, 1992 -- Type of the armor. 1993 armor-value [1] OCTET STRING, 1994 -- Value of the armor. 1995 ... 1996 } 1998 PA-FX-FAST-REQUEST ::= CHOICE { 1999 armored-data [0] KrbFastArmoredReq, 2000 ... 2001 } 2003 KrbFastArmoredReq ::= SEQUENCE { 2004 armor [0] KrbFastArmor OPTIONAL, 2005 -- Contains the armor that identifies the armor key. 2007 -- MUST be present in AS-REQ. 2008 req-checksum [1] Checksum, 2009 -- For AS, contains the checksum performed over the type 2010 -- KDC-REQ-BODY for the req-body field of the KDC-REQ 2011 -- structure; 2012 -- For TGS, contains the checksum performed over the type 2013 -- AP-REQ in the PA-TGS-REQ padata. 2014 -- The checksum key is the armor key, the checksum 2015 -- type is the required checksum type for the enctype of 2016 -- the armor key, and the key usage number is 2017 -- KEY_USAGE_FAST_REQ_CHKSUM. 2018 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 2019 -- The encryption key is the armor key, and the key usage 2020 -- number is KEY_USAGE_FAST_ENC. 2021 ... 2022 } 2024 KrbFastReq ::= SEQUENCE { 2025 fast-options [0] FastOptions, 2026 -- Additional options. 2027 padata [1] SEQUENCE OF PA-DATA, 2028 -- padata typed holes. 2029 req-body [2] KDC-REQ-BODY, 2030 -- Contains the KDC request body as defined in Section 2031 -- 5.4.1 of [RFC4120]. 2032 -- This req-body field is preferred over the outer field 2033 -- in the KDC request. 2034 ... 2035 } 2037 FastOptions ::= KerberosFlags 2038 -- reserved(0), 2039 -- anonymous(1), 2040 -- kdc-referrals(16) 2042 PA-FX-FAST-REPLY ::= CHOICE { 2043 armored-data [0] KrbFastArmoredRep, 2044 ... 2045 } 2047 KrbFastArmoredRep ::= SEQUENCE { 2048 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 2049 -- The encryption key is the armor key in the request, and 2050 -- the key usage number is KEY_USAGE_FAST_REP. 2051 ... 2052 } 2054 KrbFastResponse ::= SEQUENCE { 2055 padata [0] SEQUENCE OF PA-DATA, 2056 -- padata typed holes. 2057 rep-key [1] EncryptionKey OPTIONAL, 2058 -- This, if present, replaces the reply key for AS and 2059 -- TGS. 2060 -- MUST be absent in KRB-ERROR. 2061 finished [2] KrbFastFinished OPTIONAL, 2062 -- Present in AS or TGS reply; absent otherwise. 2063 ... 2064 } 2066 KrbFastFinished ::= SEQUENCE { 2067 timestamp [0] KerberosTime, 2068 usec [1] Microseconds, 2069 -- timestamp and usec represent the time on the KDC when 2070 -- the reply was generated. 2071 crealm [2] Realm, 2072 cname [3] PrincipalName, 2073 -- Contains the client realm and the client name. 2074 checksum [4] Checksum, 2075 -- Checksum performed over all the messages in the 2076 -- conversation, except the containing message. 2077 -- The checksum key is the armor key as defined in 2078 -- Section 6.5.1, and the checksum type is the required 2079 -- checksum type of the armor key. 2080 ticket-checksum [5] Checksum, 2081 -- checksum of the ticket in the KDC-REP using the armor 2082 -- and the key usage is KEY_USAGE_FAST_FINISH. 2083 -- The checksum type is the required checksum type 2084 -- of the armor key. 2085 ... 2086 } 2088 EncryptedChallenge ::= EncryptedData 2089 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 2090 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 2091 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 2092 END 2094 Authors' Addresses 2096 Sam hartman 2097 Painless Security 2099 Email: hartmans-ietf@mit.edu 2100 Larry Zhu 2101 Microsoft Corporation 2102 One Microsoft Way 2103 Redmond, WA 98052 2104 US 2106 Email: lzhu@microsoft.com