idnits 2.17.1 draft-ietf-krb-wg-preauth-framework-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Sep 2009 rather than the newer Notice from 28 Dec 2009. (See https://trustee.ietf.org/license-info/) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4120, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1325 has weird spacing: '...ferrals reser...' == Line 1882 has weird spacing: '...ferrals rese...' (Using the creation date from RFC4120, updated by this document, for RFC5378 checks: 2002-02-27) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 22, 2010) is 5047 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '0' on line 2337 -- Looks like a reference, but probably isn't: '1' on line 2338 -- Looks like a reference, but probably isn't: '2' on line 2341 -- Looks like a reference, but probably isn't: '3' on line 2342 -- Looks like a reference, but probably isn't: '4' on line 2344 == Outdated reference: A later version (-12) exists of draft-ietf-krb-wg-anon-10 ** Downref: Normative reference to an Historic draft: draft-ietf-krb-wg-anon (ref. 'KRB-ANON') ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126) == Outdated reference: A later version (-03) exists of draft-sakane-krb-cross-problem-statement-02 == Outdated reference: A later version (-15) exists of draft-ietf-krb-wg-kerberos-referrals-11 Summary: 3 errors (**), 0 flaws (~~), 6 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Kerberos Working Group S. Hartman 3 Internet-Draft Painless Security 4 Updates: 4120 (if approved) L. Zhu 5 Intended status: Standards Track Microsoft Corporation 6 Expires: December 24, 2010 June 22, 2010 8 A Generalized Framework for Kerberos Pre-Authentication 9 draft-ietf-krb-wg-preauth-framework-17 11 Abstract 13 Kerberos is a protocol for verifying the identity of principals 14 (e.g., a workstation user or a network server) on an open network. 15 The Kerberos protocol provides a facility called pre-authentication. 16 Pre-authentication mechanisms can use this facility to extend the 17 Kerberos protocol and prove the identity of a principal. 19 This document describes a more formal model for this facility. The 20 model describes what state in the Kerberos request a pre- 21 authentication mechanism is likely to change. It also describes how 22 multiple pre-authentication mechanisms used in the same request will 23 interact. 25 This document also provides common tools needed by multiple pre- 26 authentication mechanisms. One of these tools is a secure channel 27 between the client and the key distribution center with a reply key 28 strengthening mechanism; this secure channel can be used to protect 29 the authentication exchange thus eliminate offline dictionary 30 attacks. With these tools, it is relatively straightforward to chain 31 multiple authentication mechanisms, utilize a different key 32 management system, or support a new key agreement algorithm. 34 Status of this Memo 36 This Internet-Draft is submitted to IETF in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF), its areas, and its working groups. Note that 41 other groups may also distribute working documents as Internet- 42 Drafts. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 The list of current Internet-Drafts can be accessed at 49 http://www.ietf.org/ietf/1id-abstracts.txt. 51 The list of Internet-Draft Shadow Directories can be accessed at 52 http://www.ietf.org/shadow.html. 54 This Internet-Draft will expire on December 24, 2010. 56 Copyright Notice 58 Copyright (c) 2010 IETF Trust and the persons identified as the 59 document authors. All rights reserved. 61 This document is subject to BCP 78 and the IETF Trust's Legal 62 Provisions Relating to IETF Documents 63 (http://trustee.ietf.org/license-info) in effect on the date of 64 publication of this document. Please review these documents 65 carefully, as they describe your rights and restrictions with respect 66 to this document. Code Components extracted from this document must 67 include Simplified BSD License text as described in Section 4.e of 68 the Trust Legal Provisions and are provided without warranty as 69 described in the BSD License. 71 Table of Contents 73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 74 1.1. Conventions and Terminology Used in This Document . . . . 6 75 1.2. Conformance Requirements . . . . . . . . . . . . . . . . . 6 76 2. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 7 77 2.1. Information Managed by the Pre-authentication Model . . . 8 78 2.2. Initial Pre-authentication Required Error . . . . . . . . 10 79 2.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 11 80 2.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 12 81 3. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 12 82 3.1. Client-authentication Facility . . . . . . . . . . . . . . 14 83 3.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 14 84 3.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 15 85 3.4. KDC-authentication Facility . . . . . . . . . . . . . . . 16 86 4. Requirements for Pre-Authentication Mechanisms . . . . . . . . 16 87 4.1. Protecting Requests/Responses . . . . . . . . . . . . . . 17 88 5. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 18 89 5.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 18 90 5.2. Managing States for the KDC . . . . . . . . . . . . . . . 19 91 5.3. Pre-authentication Set . . . . . . . . . . . . . . . . . . 21 92 5.4. Definition of Kerberos FAST Padata . . . . . . . . . . . . 24 93 5.4.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 25 94 5.4.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 27 95 5.4.3. FAST Response . . . . . . . . . . . . . . . . . . . . 31 96 5.4.4. Authenticated Kerberos Error Messages using 97 Kerberos FAST . . . . . . . . . . . . . . . . . . . . 34 98 5.4.5. Outer and Inner Requests . . . . . . . . . . . . . . . 35 99 5.4.6. The Encrypted Challenge FAST Factor . . . . . . . . . 35 100 5.5. Authentication Strength Indication . . . . . . . . . . . . 37 101 6. Assigned Constants . . . . . . . . . . . . . . . . . . . . . . 37 102 6.1. New Errors . . . . . . . . . . . . . . . . . . . . . . . . 38 103 6.2. Key Usage Numbers . . . . . . . . . . . . . . . . . . . . 38 104 6.3. Authorization Data Elements . . . . . . . . . . . . . . . 38 105 6.4. New PA-DATA Types . . . . . . . . . . . . . . . . . . . . 38 106 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 107 7.1. Pre-authentication and Typed Data . . . . . . . . . . . . 38 108 7.2. Fast Armor Types . . . . . . . . . . . . . . . . . . . . . 41 109 7.3. FAST Options . . . . . . . . . . . . . . . . . . . . . . . 41 110 8. Security Considerations . . . . . . . . . . . . . . . . . . . 41 111 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43 112 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43 113 10.1. Normative References . . . . . . . . . . . . . . . . . . . 43 114 10.2. Informative References . . . . . . . . . . . . . . . . . . 44 115 Appendix A. Test Vectors for KRB-FX-CF2 . . . . . . . . . . . . . 44 116 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 45 117 B.1. Changes since 16 . . . . . . . . . . . . . . . . . . . . . 45 118 B.2. Changes since 15 . . . . . . . . . . . . . . . . . . . . . 46 119 B.3. Changes Since 14 . . . . . . . . . . . . . . . . . . . . . 46 120 B.4. Changes since 13 . . . . . . . . . . . . . . . . . . . . . 46 121 B.5. Changes since 12 . . . . . . . . . . . . . . . . . . . . . 46 122 B.6. Changes since 11 . . . . . . . . . . . . . . . . . . . . . 46 123 B.7. Changes since 10 . . . . . . . . . . . . . . . . . . . . . 46 124 B.8. Changes since 09 . . . . . . . . . . . . . . . . . . . . . 47 125 B.9. Changes since 08 . . . . . . . . . . . . . . . . . . . . . 47 126 B.10. Changes since 07 . . . . . . . . . . . . . . . . . . . . . 48 127 B.11. Changes since 06 . . . . . . . . . . . . . . . . . . . . . 48 128 Appendix C. ASN.1 module . . . . . . . . . . . . . . . . . . . . 49 129 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51 131 1. Introduction 133 The core Kerberos specification [RFC4120] treats pre-authentication 134 data (padata) as an opaque typed hole in the messages to the KDC that 135 may influence the reply key used to encrypt the KDC reply. This 136 generality has been useful: pre-authentication data is used for a 137 variety of extensions to the protocol, many outside the expectations 138 of the initial designers. However, this generality makes designing 139 more common types of pre-authentication mechanisms difficult. Each 140 mechanism needs to specify how it interacts with other mechanisms. 141 Also, tasks such as combining a key with the long-term secrets or 142 proving the identity of the user are common to multiple mechanisms. 143 Where there are generally well-accepted solutions to these problems, 144 it is desirable to standardize one of these solutions so mechanisms 145 can avoid duplication of work. In other cases, a modular approach to 146 these problems is appropriate. The modular approach will allow new 147 and better solutions to common pre-authentication problems to be used 148 by existing mechanisms as they are developed. 150 This document specifies a framework for Kerberos pre-authentication 151 mechanisms. It defines the common set of functions that pre- 152 authentication mechanisms perform as well as how these functions 153 affect the state of the request and reply. In addition several 154 common tools needed by pre-authentication mechanisms are provided. 155 Unlike [RFC3961], this framework is not complete--it does not 156 describe all the inputs and outputs for the pre-authentication 157 mechanisms. Pre-Authentication mechanism designers should try to be 158 consistent with this framework because doing so will make their 159 mechanisms easier to implement. Kerberos implementations are likely 160 to have plugin architectures for pre-authentication; such 161 architectures are likely to support mechanisms that follow this 162 framework plus commonly used extensions. This framework also 163 facilitates combining multiple pre-authentication mechanisms, each of 164 which may represent an authentication factor, into a single multi- 165 factor pre-authentication mechanism. 167 One of these common tools is the flexible authentication secure 168 tunneling (FAST) padata type. FAST provides a protected channel 169 between the client and the key distribution center (KDC), and it can 170 optionally deliver key material used to strengthen the reply key 171 within the protected channel. Based on FAST, pre-authentication 172 mechanisms can extend Kerberos with ease, to support, for example, 173 password authenticated key exchange (PAKE) protocols with zero 174 knowledge password proof (ZKPP) [EKE] [IEEE1363.2]. Any pre- 175 authentication mechanism can be encapsulated in the FAST messages as 176 defined in Section 5.4. A pre-authentication type carried within 177 FAST is called a FAST factor. Creating a FAST factor is the easiest 178 path to create a new pre-authentication mechanism. FAST factors are 179 significantly easier to analyze from a security standpoint than other 180 pre-authentication mechanisms. 182 Mechanism designers should design FAST factors, instead of new pre- 183 authentication mechanisms outside of FAST. 185 1.1. Conventions and Terminology Used in This Document 187 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 188 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 189 document are to be interpreted as described in [RFC2119]. 191 This document should be read only after reading the documents 192 describing the Kerberos cryptography framework [RFC3961] and the core 193 Kerberos protocol [RFC4120]. This document may freely use 194 terminology and notation from these documents without reference or 195 further explanation. 197 The word padata is used as a shorthand for pre-authentication data. 199 A conversation is the set of all authentication messages exchanged 200 between the client and the client's Authentication Service (AS) in 201 order to authenticate the client principal. A conversation as 202 defined here consists of all messages that are necessary to complete 203 the authentication between the client and the client's AS. In the 204 Ticket Exchange Service (TGS) exchange, a conversation consists of 205 the request message and the reply message. The term conversation is 206 defined here for both AS and TGS for convenience of discussion. See 207 Section 5.2 for specific rules on the extent of a conversation in the 208 AS-REQ case. Prior to this framework, implementations needed to use 209 implementation-specific heuristics to determine the extent of a 210 conversation. 212 If the KDC reply in an AS exchange is verified, the KDC is 213 authenticated by the client. In this document, verification of the 214 KDC reply is used as a synonym of authentication of the KDC. 216 1.2. Conformance Requirements 218 This section summarizes the mandatory-to-implement subset of this 219 specification as a convenience to implementors. The actual 220 requirements and their context are stated in the body of the 221 document. 223 Clients conforming to this specification MUST support the padata 224 defined in Section 5.2. 226 Conforming implementations MUST support Kerberos FAST padata 227 (Section 5.4). Conforming implementations MUST implement the 228 FX_FAST_ARMOR_AP_REQUEST armor type. 230 Conforming implementations MUST support the encrypted challenge FAST 231 factor (Section 5.4.6)>. 233 2. Model for Pre-Authentication 235 When a Kerberos client wishes to obtain a ticket , it sends an 236 initial Authentication Service (AS) request to the KDC. If pre- 237 authentication is required but not being used, then the KDC will 238 respond with a KDC_ERR_PREAUTH_REQUIRED error [RFC4120]. 239 Alternatively, if the client knows what pre-authentication to use, it 240 MAY optimize away a round-trip and send an initial request with 241 padata included in the initial request. If the client includes the 242 padata computed using the wrong pre-authentication mechanism or 243 incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no 244 indication of what padata should have been included. In that case, 245 the client MUST retry with no padata and examine the error data of 246 the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre- 247 authentication information in the accompanying error data of 248 KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and 249 then retry. 251 The conventional KDC maintains no state between two requests; 252 subsequent requests may even be processed by a different KDC. On the 253 other hand, the client treats a series of exchanges with KDCs as a 254 single conversation. Each exchange accumulates state and hopefully 255 brings the client closer to a successful authentication. 257 These models for state management are in apparent conflict. For many 258 of the simpler pre-authentication scenarios, the client uses one 259 round trip to find out what mechanisms the KDC supports. Then the 260 next request contains sufficient pre-authentication for the KDC to be 261 able to return a successful reply. For these simple scenarios, the 262 client only sends one request with pre-authentication data and so the 263 conversation is trivial. For more complex conversations, the KDC 264 needs to provide the client with a cookie to include in future 265 requests to capture the current state of the authentication session. 266 Handling of multiple round-trip mechanisms is discussed in 267 Section 5.2. 269 This framework specifies the behavior of Kerberos pre-authentication 270 mechanisms used to identify users or to modify the reply key used to 271 encrypt the KDC reply. The PA-DATA typed hole may be used to carry 272 extensions to Kerberos that have nothing to do with proving the 273 identity of the user or establishing a reply key. Such extensions 274 are outside the scope of this framework. However mechanisms that do 275 accomplish these goals should follow this framework. 277 This framework specifies the minimum state that a Kerberos 278 implementation needs to maintain while handling a request in order to 279 process pre-authentication. It also specifies how Kerberos 280 implementations process the padata at each step of the AS request 281 process. 283 2.1. Information Managed by the Pre-authentication Model 285 The following information is maintained by the client and KDC as each 286 request is being processed: 288 o The reply key used to encrypt the KDC reply 290 o How strongly the identity of the client has been authenticated 292 o Whether the reply key has been used in this conversation 294 o Whether the reply key has been replaced in this conversation 296 o Whether the origin of the KDC reply can be verified by the client 297 (i.e. whether the KDC is authenticated to the client) 299 Conceptually, the reply key is initially the long-term key of the 300 principal. However, principals can have multiple long-term keys 301 because of support for multiple encryption types, salts and 302 string2key parameters. As described in Section 5.2.7.5 of the 303 Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify 304 the client what types of keys are available. Thus in full 305 generality, the reply key in the pre-authentication model is actually 306 a set of keys. At the beginning of a request, it is initialized to 307 the set of long-term keys advertised in the PA-ETYPE-INFO2 element on 308 the KDC. If multiple reply keys are available, the client chooses 309 which one to use. Thus the client does not need to treat the reply 310 key as a set. At the beginning of a request, the client picks a key 311 to use. 313 KDC implementations MAY choose to offer only one key in the PA-ETYPE- 314 INFO2 element. Since the KDC already knows the client's list of 315 supported enctypes from the request, no interoperability problems are 316 created by choosing a single possible reply key. This way, the KDC 317 implementation avoids the complexity of treating the reply key as a 318 set. 320 When the padata in the request is verified by the KDC, then the 321 client is known to have that key, therefore the KDC SHOULD pick the 322 same key as the reply key. 324 At the beginning of handling a message on both the client and the 325 KDC, the client's identity is not authenticated. A mechanism may 326 indicate that it has successfully authenticated the client's 327 identity. This information is useful to keep track of on the client 328 in order to know what pre-authentication mechanisms should be used. 329 The KDC needs to keep track of whether the client is authenticated 330 because the primary purpose of pre-authentication is to authenticate 331 the client identity before issuing a ticket. The handling of 332 authentication strength using various authentication mechanisms is 333 discussed in Section 5.5. 335 Initially the reply key has not been used. A pre-authentication 336 mechanism that uses the reply key to encrypt or checksum some data in 337 the generation of new keys MUST indicate that the reply key is used. 338 This state is maintained by the client and the KDC to enforce the 339 security requirement stated in Section 3.3 that the reply key SHOULD 340 NOT be replaced after it is used. 342 Initially the reply key has not been replaced. If a mechanism 343 implements the Replace Reply Key facility discussed in Section 3.3, 344 then the state MUST be updated to indicate that the reply key has 345 been replaced. Once the reply key has been replaced, knowledge of 346 the reply key is insufficient to authenticate the client. The reply 347 key is marked replaced in exactly the same situations as the KDC 348 reply is marked as not being verified to the client principal. 349 However, while mechanisms can verify the KDC reply to the client, 350 once the reply key is replaced, then the reply key remains replaced 351 for the remainder of the conversation. 353 Without pre-authentication, the client knows that the KDC reply is 354 authentic and has not been modified because it is encrypted in a 355 long-term key of the client. Only the KDC and the client know that 356 key. So at the start of a conversation, the KDC reply is presumed to 357 be verified using the client's long-term key. It should be noted 358 that in this document, verifying the KDC reply means authenticating 359 the KDC, and these phrases are used interchangeably. Any pre- 360 authentication mechanism that sets a new reply key not based on the 361 principal's long-term secret MUST either verify the KDC reply some 362 other way or indicate that the reply is not verified. If a mechanism 363 indicates that the reply is not verified then the client 364 implementation MUST return an error unless a subsequent mechanism 365 verifies the reply. The KDC needs to track this state so it can 366 avoid generating a reply that is not verified. 368 In this specification, KDC verification/authentication refers to the 369 level of authentication of the KDC to the client provided by RFC 370 4120. There is a stronger form of KDC verification that, while 371 sometimes important in Kerberos deployments is not addressed in this 372 specification: the typical Kerberos request does not provide a way 373 for the client machine to know that it is talking to the correct KDC. 374 Someone who can inject packets into the network between the client 375 machine and the KDC and who knows the password that the user will 376 give to the client machine can generate a KDC reply that will decrypt 377 properly. So, if the client machine needs to authenticate that the 378 user is in fact the named principal, then the client machine needs to 379 do a TGS request for itself as a service. Some pre-authentication 380 mechanisms may provide a way for the client machine to authenticate 381 the KDC. Examples of this include signing the reply that can be 382 verified using a well-known public key or providing a ticket for the 383 client machine as a service. 385 2.2. Initial Pre-authentication Required Error 387 Typically a client starts a conversation by sending an initial 388 request with no pre-authentication. If the KDC requires pre- 389 authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message. 390 After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code, 391 the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 392 (defined in Section 5.2) for pre-authentication configurations that 393 use multi-round-trip mechanisms; see Section 2.4 for details of that 394 case. 396 The KDC needs to choose which mechanisms to offer the client. The 397 client needs to be able to choose what mechanisms to use from the 398 first message. For example consider the KDC that will accept 399 mechanism A followed by mechanism B or alternatively the single 400 mechanism C. A client that supports A and C needs to know that it 401 should not bother trying A. 403 Mechanisms can either be sufficient on their own or can be part of an 404 authentication set--a group of mechanisms that all need to 405 successfully complete in order to authenticate a client. Some 406 mechanisms may only be useful in authentication sets; others may be 407 useful alone or in authentication sets. For the second group of 408 mechanisms, KDC policy dictates whether the mechanism will be part of 409 an authentication set, offered alone, or both. For each mechanism 410 that is offered alone (even if it is also offered in an 411 authentication set), the KDC includes the pre-authentication type ID 412 of the mechanism in the padata sequence returned in the 413 KDC_ERR_PREAUTH_REQUIRED error. Mechanisms that are only offered as 414 part of an authentication set are not directly represented in the 415 padata sequence returned in the KDC_ERR_PREAUTH_REQUIRED error, 416 although they are represented in the PA-AUTHENTICATION-SET sequence. 418 The KDC SHOULD NOT send data that is encrypted in the long-term 419 password-based key of the principal. Doing so has the same security 420 exposures as the Kerberos protocol without pre-authentication. There 421 are few situations where the KDC needs to expose cipher text 422 encrypted in a weak key before the client has proven knowledge of 423 that key, and where pre-authentication is desirable. 425 2.3. Client to KDC 427 This description assumes that a client has already received a 428 KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs 429 optimistic pre-authentication then the client needs to guess values 430 for the information it would normally receive from that error 431 response or use cached information obtained in prior interactions 432 with the KDC. 434 The client starts by initializing the pre-authentication state as 435 specified. It then processes the padata in the 436 KDC_ERR_PREAUTH_REQUIRED. 438 When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the 439 client MAY ignore any padata it chooses unless doing so violates a 440 specification to which the client conforms. Clients conforming to 441 this specification MUST NOT ignore the padata defined in Section 5.2. 442 Clients SHOULD choose one authentication set or mechanism that could 443 lead to authenticating the user and ignore other such mechanisms. 444 However, this rule does not affect processing of padata unrelated to 445 this framework; clients SHOULD process such padata normally. Since 446 the list of mechanisms offered by the KDC is in the decreasing 447 preference order, clients typically choose the first mechanism or 448 authentication set that the client can usefully perform. If a client 449 chooses to ignore a padata it MUST NOT process the padata, allow the 450 padata to affect the pre-authentication state, nor respond to the 451 padata. 453 For each padata the client chooses to process, the client processes 454 the padata and modifies the pre-authentication state as required by 455 that mechanism. Padata are processed in the order received from the 456 KDC. 458 After processing the padata in the KDC error, the client generates a 459 new request. It processes the pre-authentication mechanisms in the 460 order in which they will appear in the next request, updating the 461 state as appropriate. The request is sent when it is complete. 463 2.4. KDC to Client 465 When a KDC receives an AS request from a client, it needs to 466 determine whether it will respond with an error or an AS reply. 467 There are many causes for an error to be generated that have nothing 468 to do with pre-authentication; they are discussed in the core 469 Kerberos specification. 471 From the standpoint of evaluating the pre-authentication, the KDC 472 first starts by initializing the pre-authentication state. If a PA- 473 FX-COOKIE pre-authentication data item is present, it is processed 474 first; see Section 5.2 for a definition. It then processes the 475 padata in the request. As mentioned in Section 2.3, the KDC MAY 476 ignore padata that is inappropriate for the configuration and MUST 477 ignore padata of an unknown type. The KDC MUST NOT ignore padata of 478 types used in previous messages. For example, if a KDC issues a 479 KDC_ERR_PREAUTH_REQUIRED error including padata of type x, then the 480 KDC cannot ignore padata of type x received in an AS-REQ message from 481 the client. 483 At this point the KDC decides whether it will issue an error or a 484 reply. Typically a KDC will issue a reply if the client's identity 485 has been authenticated to a sufficient degree. 487 In the case of a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, the KDC 488 first starts by initializing the pre-authentication state. Then it 489 processes any padata in the client's request in the order provided by 490 the client. Mechanisms that are not understood by the KDC are 491 ignored. Next, it generates padata for the error response, modifying 492 the pre-authentication state appropriately as each mechanism is 493 processed. The KDC chooses the order in which it will generate 494 padata (and thus the order of padata in the response), but it needs 495 to modify the pre-authentication state consistently with the choice 496 of order. For example, if some mechanism establishes an 497 authenticated client identity, then the subsequent mechanisms in the 498 generated response receive this state as input. After the padata is 499 generated, the error response is sent. Typically the errors with the 500 code KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in a conversation will 501 include KDC state as discussed in Section 5.2. 503 To generate a final reply, the KDC generates the padata modifying the 504 pre-authentication state as necessary. Then it generates the final 505 response, encrypting it in the current pre-authentication reply key. 507 3. Pre-Authentication Facilities 509 Pre-Authentication mechanisms can be thought of as providing various 510 conceptual facilities. This serves two useful purposes. First, 511 mechanism authors can choose only to solve one specific small 512 problem. It is often useful for a mechanism designed to offer key 513 management not to directly provide client authentication but instead 514 to allow one or more other mechanisms to handle this need. Secondly, 515 thinking about the abstract services that a mechanism provides yields 516 a minimum set of security requirements that all mechanisms providing 517 that facility must meet. These security requirements are not 518 complete; mechanisms will have additional security requirements based 519 on the specific protocol they employ. 521 A mechanism is not constrained to only offering one of these 522 facilities. While such mechanisms can be designed and are sometimes 523 useful, many pre-authentication mechanisms implement several 524 facilities. By combining multiple facilities in a single mechanism, 525 it is often easier to construct a secure, simple solution than by 526 solving the problem in full generality. Even when mechanisms provide 527 multiple facilities, they need to meet the security requirements for 528 all the facilities they provide. If the FAST factor approach is 529 used, it is likely that one or a small number of facilities can be 530 provided by a single mechanism without complicating the security 531 analysis. 533 According to Kerberos extensibility rules (Section 1.5 of the 534 Kerberos specification [RFC4120]), an extension MUST NOT change the 535 semantics of a message unless a recipient is known to understand that 536 extension. Because a client does not know that the KDC supports a 537 particular pre-authentication mechanism when it sends an initial 538 request, a pre-authentication mechanism MUST NOT change the semantics 539 of the request in a way that will break a KDC that does not 540 understand that mechanism. Similarly, KDCs MUST NOT send messages to 541 clients that affect the core semantics unless the client has 542 indicated support for the message. 544 The only state in this model that would break the interpretation of a 545 message is changing the expected reply key. If one mechanism changed 546 the reply key and a later mechanism used that reply key, then a KDC 547 that interpreted the second mechanism but not the first would fail to 548 interpret the request correctly. In order to avoid this problem, 549 extensions that change core semantics are typically divided into two 550 parts. The first part proposes a change to the core semantic--for 551 example proposes a new reply key. The second part acknowledges that 552 the extension is understood and that the change takes effect. 553 Section 3.2 discusses how to design mechanisms that modify the reply 554 key to be split into a proposal and acceptance without requiring 555 additional round trips to use the new reply key in subsequent pre- 556 authentication. Other changes in the state described in Section 2.1 557 can safely be ignored by a KDC that does not understand a mechanism. 559 Mechanisms that modify the behavior of the request outside the scope 560 of this framework need to carefully consider the Kerberos 561 extensibility rules to avoid similar problems. 563 3.1. Client-authentication Facility 565 The client authentication facility proves the identity of a user to 566 the KDC before a ticket is issued. Examples of mechanisms 567 implementing this facility include the encrypted timestamp facility 568 defined in Section 5.2.7.2 of the Kerberos specification [RFC4120]. 569 Mechanisms that provide this facility are expected to mark the client 570 as authenticated. 572 Mechanisms implementing this facility SHOULD require the client to 573 prove knowledge of the reply key before transmitting a successful KDC 574 reply. Otherwise, an attacker can intercept the pre-authentication 575 exchange and get a reply to attack. One way of proving the client 576 knows the reply key is to implement the Replace Reply Key facility 577 along with this facility. The PKINIT mechanism [RFC4556] implements 578 Client Authentication alongside Replace Reply Key. 580 If the reply key has been replaced, then mechanisms such as 581 encrypted-timestamp that rely on knowledge of the reply key to 582 authenticate the client MUST NOT be used. 584 3.2. Strengthening-reply-key Facility 586 Particularly when dealing with keys based on passwords, it is 587 desirable to increase the strength of the key by adding additional 588 secrets to it. Examples of sources of additional secrets include the 589 results of a Diffie-Hellman key exchange or key bits from the output 590 of a smart card [KRB-WG.SAM]. Typically these additional secrets can 591 be first combined with the existing reply key and then converted to a 592 protocol key using tools defined in Section 5.1. 594 Typically a mechanism implementing this facility will know that the 595 other side of the exchange supports the facility before the reply key 596 is changed. For example, a mechanism might need to learn the 597 certificate for a KDC before encrypting a new key in the public key 598 belonging to that certificate. However, if a mechanism implementing 599 this facility wishes to modify the reply key before knowing that the 600 other party in the exchange supports the mechanism, it proposes 601 modifying the reply key. The other party then includes a message 602 indicating that the proposal is accepted if it is understood and 603 meets policy. In many cases it is desirable to use the new reply key 604 for client authentication and for other facilities. Waiting for the 605 other party to accept the proposal and actually modify the reply key 606 state would add an additional round trip to the exchange. Instead, 607 mechanism designers are encouraged to include a typed hole for 608 additional padata in the message that proposes the reply key change. 609 The padata included in the typed hole are generated assuming the new 610 reply key. If the other party accepts the proposal, then these 611 padata are considered as an inner level. As with the outer level, 612 one authentication set or mechanism is typically chosen for client 613 authentication, along with auxiliary mechanisms such as KDC cookies, 614 and other mechanisms are ignored. When mechanisms include such a 615 container, the hint provided for use in authentication sets (as 616 defined in Section 5.3) MUST contain a sequence of inner mechanisms 617 along with hints for those mechanisms. The party generating the 618 proposal can determine whether the padata were processed based on 619 whether the proposal for the reply key is accepted. 621 The specific formats of the proposal message, including where padata 622 are included is a matter for the mechanism specification. Similarly, 623 the format of the message accepting the proposal is mechanism- 624 specific. 626 Mechanisms implementing this facility and including a typed hole for 627 additional padata MUST checksum that padata using a keyed checksum or 628 encrypt the padata. This requirement protects against modification 629 of the contents of the typed hole. By modifying these contents an 630 attacker might be able to choose which mechanism is used to 631 authenticate the client, or to convince a party to provide text 632 encrypted in a key that the attacker had manipulated. It is 633 important that mechanisms strengthen the reply key enough that using 634 it to checksum padata is appropriate. 636 3.3. Replacing-reply-key Facility 638 The Replace Reply Key facility replaces the key in which a successful 639 AS reply will be encrypted. This facility can only be used in cases 640 where knowledge of the reply key is not used to authenticate the 641 client. The new reply key MUST be communicated to the client and the 642 KDC in a secure manner. This facility MUST NOT be used if there can 643 be a man-in-the-middle between the client and the KDC. Mechanisms 644 implementing this facility MUST mark the reply key as replaced in the 645 pre-authentication state. Mechanisms implementing this facility MUST 646 either provide a mechanism to verify the KDC reply to the client or 647 mark the reply as unverified in the pre-authentication state. 648 Mechanisms implementing this facility SHOULD NOT be used if a 649 previous mechanism has used the reply key. 651 As with the strengthening-reply-key facility, Kerberos extensibility 652 rules require that the reply key not be changed unless both sides of 653 the exchange understand the extension. In the case of this facility 654 it will likely be the case for both sides to know that the facility 655 is available by the time that the new key is available to be used. 656 However, mechanism designers can use a container for padata in a 657 proposal message as discussed in Section 3.2 if appropriate. 659 3.4. KDC-authentication Facility 661 This facility verifies that the reply comes from the expected KDC. 662 In traditional Kerberos, the KDC and the client share a key, so if 663 the KDC reply can be decrypted then the client knows that a trusted 664 KDC responded. Note that the client machine cannot trust the client 665 unless the machine is presented with a service ticket for it 666 (typically the machine can retrieve this ticket by itself). However, 667 if the reply key is replaced, some mechanism is required to verify 668 the KDC. Pre-authentication mechanisms providing this facility allow 669 a client to determine that the expected KDC has responded even after 670 the reply key is replaced. They mark the pre-authentication state as 671 having been verified. 673 4. Requirements for Pre-Authentication Mechanisms 675 This section lists requirements for specifications of pre- 676 authentication mechanisms. 678 For each message in the pre-authentication mechanism, the 679 specification describes the pa-type value to be used and the contents 680 of the message. The processing of the message by the sender and 681 recipient is also specified. This specification needs to include all 682 modifications to the pre-authentication state. 684 Generally mechanisms have a message that can be sent in the error 685 data of the KDC_ERR_PREAUTH_REQUIRED error message or in an 686 authentication set. If the client needs information such as trusted 687 certificate authorities in order to determine if it can use the 688 mechanism, then this information should be in that message. In 689 addition, such mechanisms should also define a pa-hint to be included 690 in authentication sets. Often, the same information included in the 691 padata-value is appropriate to include in the pa-hint (as defined in 692 Section 5.3). 694 In order to ease security analysis the mechanism specification should 695 describe what facilities from this document are offered by the 696 mechanism. For each facility, the security consideration section of 697 the mechanism specification should show that the security 698 requirements of that facility are met. This requirement is 699 applicable to any FAST factor that provides authentication 700 information. 702 Significant problems have resulted in the specification of Kerberos 703 protocols because much of the KDC exchange is not protected against 704 alteration. The security considerations section should discuss 705 unauthenticated plaintext attacks. It should either show that 706 plaintext is protected or discuss what harm an attacker could do by 707 modifying the plaintext. It is generally acceptable for an attacker 708 to be able to cause the protocol negotiation to fail by modifying 709 plaintext. More significant attacks should be evaluated carefully. 711 As discussed in Section 5.2, there is no guarantee that a client will 712 use the same KDCs for all messages in a conversation. The mechanism 713 specification needs to show why the mechanism is secure in this 714 situation. The hardest problem to deal with, especially for 715 challenge/response mechanisms is to make sure that the same response 716 cannot be replayed against two KDCs while allowing the client to talk 717 to any KDC. 719 4.1. Protecting Requests/Responses 721 Mechanism designers SHOULD protect clear text portions of pre- 722 authentication data. Various denial of service attacks and downgrade 723 attacks against Kerberos are possible unless plaintexts are somehow 724 protected against modification. An early design goal of Kerberos 725 Version 5 [RFC4120] was to avoid encrypting more of the 726 authentication exchange than was required. (Version 4 doubly- 727 encrypted the encrypted part of a ticket in a KDC reply, for 728 example.) This minimization of encryption reduces the load on the 729 KDC and busy servers. Also, during the initial design of Version 5, 730 the existence of legal restrictions on the export of cryptography 731 made it desirable to minimize of the number of uses of encryption in 732 the protocol. Unfortunately, performing this minimization created 733 numerous instances of unauthenticated security-relevant plaintext 734 fields. 736 Mechanisms MUST guarantee that by the end of a successful 737 authentication exchange, both the client and the KDC have verified 738 all the plaintext sent by the other party. If there is more than one 739 round trip in the exchange, mechanisms MUST additionally guarantee 740 that no individual messages were reordered or replayed from a 741 previous exchange. Strategies for accomplishing this include using 742 message authentication codes (MACs) to protect the plaintext as it is 743 sent including some form of nonce or cookie to allow for the chaining 744 of state from one message to the next or exchanging a MAC of the 745 entire conversation after a key is established. 747 Mechanism designers need to provide a strategy for updating 748 cryptographic algorithms, such as defining a new pre-authentication 749 type for each algorithm or taking advantage of the client's list of 750 supported RFC 3961 encryption types to indicate the client's support 751 for cryptographic algorithms. 753 Primitives defined in [RFC3961] are RECOMMENDED for integrity 754 protection and confidentiality. Mechanisms based on these primitives 755 are crypto-agile as the result of using [RFC3961] along with 756 [RFC4120]. The advantage afforded by crypto-agility is the ability 757 to incrementally deploy a fix specific to a particular algorithm thus 758 avoid a multi-year standardization and deployment cycle, when real 759 attacks do arise against that algorithm. 761 Note that data used by FAST factors (defined in Section 5.4) is 762 encrypted in a protected channel, thus they do not share the un- 763 authenticated-text issues with mechanisms designed as full-blown pre- 764 authentication mechanisms. 766 5. Tools for Use in Pre-Authentication Mechanisms 768 This section describes common tools needed by multiple pre- 769 authentication mechanisms. By using these tools mechanism designers 770 can use a modular approach to specify mechanism details and ease 771 security analysis. 773 5.1. Combining Keys 775 Frequently a weak key needs to be combined with a stronger key before 776 use. For example, passwords are typically limited in size and 777 insufficiently random, therefore it is desirable to increase the 778 strength of the keys based on passwords by adding additional secrets. 779 Additional source of secrecy may come from hardware tokens. 781 This section provides standard ways to combine two keys into one. 783 KRB-FX-CF1() is defined to combine two pass-phrases. 785 KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string) 786 KRB-FX-CF1(x, y) := x || y 788 Where || denotes concatenation. The strength of the final key is 789 roughly the total strength of the individual keys being combined 790 assuming that the string_to_key() function [RFC3961] uses all its 791 input evenly. 793 An example usage of KRB-FX-CF1() is when a device provides random but 794 short passwords, the password is often combined with a personal 795 identification number (PIN). The password and the PIN can be 796 combined using KRB-FX-CF1(). 798 KRB-FX-CF2() combines two protocol keys based on the pseudo-random() 799 function defined in [RFC3961]. 801 Given two input keys, K1 and K2, where K1 and K2 can be of two 802 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as 803 follows: 805 KRB-FX-CF2(protocol key, protocol key, octet string, 806 octet string) -> (protocol key) 808 PRF+(K1, pepper1) -> octet-string-1 809 PRF+(K2, pepper2) -> octet-string-2 810 KRB-FX-CF2(K1, K2, pepper1, pepper2) := 811 random-to-key(octet-string-1 ^ octet-string-2) 813 Where ^ denotes the exclusive-OR operation. PRF+() is defined as 814 follows: 816 PRF+(protocol key, octet string) -> (octet string) 818 PRF+(key, shared-info) := pseudo-random( key, 1 || shared-info ) || 819 pseudo-random( key, 2 || shared-info ) || 820 pseudo-random( key, 3 || shared-info ) || ... 822 Here the counter value 1, 2, 3 and so on are encoded as a one-octet 823 integer. The pseudo-random() operation is specified by the enctype 824 of the protocol key. PRF+() uses the counter to generate enough bits 825 as needed by the random-to-key() [RFC3961] function for the 826 encryption type specified for the resulting key; unneeded bits are 827 removed from the tail. Unless otherwise specified, the resulting 828 enctype of KRB-FX-CF2 is the enctype of k1. The pseudo-random() 829 operation is the RFC 3961 pseudo-random() operation for the 830 corresponding input key; the random-to-key() operation is the RFC 831 3961 random-to-key operation for the resulting key. 833 Mechanism designers MUST specify the values for the input parameter 834 pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The 835 pepper1 and pepper2 MUST be distinct so that if the two keys being 836 combined are the same, the resulting key is not a trivial key. 838 5.2. Managing States for the KDC 840 Kerberos KDCs are stateless in that there is no requirement that 841 clients will choose the same KDC for the second request in a 842 conversation. Proxies or other intermediate nodes may also influence 843 KDC selection. So, each request from a client to a KDC must include 844 sufficient information that the KDC can regenerate any needed state. 845 This is accomplished by giving the client a potentially long opaque 846 cookie in responses to include in future requests in the same 847 conversation. The KDC MAY respond that a conversation is too old and 848 needs to restart by responding with a KDC_ERR_PREAUTH_EXPIRED error. 850 KDC_ERR_PREAUTH_EXPIRED 90 852 When a client receives this error, the client SHOULD abort the 853 existing conversation, and restart a new one. 855 An example, where more than one message from the client is needed, is 856 when the client is authenticated based on a challenge-response 857 scheme. In that case, the KDC needs to keep track of the challenge 858 issued for a client authentication request. 860 The PA-FX-COOKIE padata type is defined in this section to facilitate 861 state management in the AS exchange. This padata is sent by the KDC 862 when the KDC requires state for a future transaction. The client 863 includes this opaque token in the next message in the conversation. 864 The token may be relatively large; clients MUST be prepared for 865 tokens somewhat larger than the size of all messages in a 866 conversation. 868 PA-FX-COOKIE 133 869 -- Stateless cookie that is not tied to a specific KDC. 871 The corresponding padata-value field [RFC4120] contains an opaque 872 token that will be echoed by the client in its response to an error 873 from the KDC. 875 The cookie token is generated by the KDC and transmitted in a PA-FX- 876 COOKIE pre-authentication data item of a KRB-ERROR message. The 877 client MUST copy the exact cookie encapsulated in a PA-FX-COOKIE data 878 element into the next message of the same conversation. The content 879 of the cookie field is a local matter of the KDC. As a result, it is 880 not generally possible to mix KDC implementations from different 881 vendors in the same realm. However the KDC MUST construct the cookie 882 token in such a manner that a malicious client cannot subvert the 883 authentication process by manipulating the token. The KDC 884 implementation needs to consider expiration of tokens, key rollover 885 and other security issues in token design. The content of the cookie 886 field is likely specific to the pre-authentication mechanisms used to 887 authenticate the client. If a client authentication response can be 888 replayed to multiple KDCs via the PA-FX-COOKIE mechanism, an 889 expiration in the cookie is RECOMMENDED to prevent the response being 890 presented indefinitely. Implementations need to consider replay both 891 of an entire conversation and of messages within a conversation when 892 designing what information is stored in a cookie and how pre- 893 authentication mechanisms are implemented. 895 If at least one more message for a mechanism or a mechanism set is 896 expected by the KDC, the KDC returns a 897 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with a PA-FX-COOKIE to 898 identify the conversation with the client according to Section 2.2. 899 The cookie is not expected to stay constant for a conversation: the 900 KDC is expected to generate a new cookie for each message. 902 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 904 A client MAY throw away the state associated with a conversation and 905 begin a new conversation by discarding its state and not including a 906 cookie in the first message of a conversation. KDCs that comply with 907 this specification MUST include a cookie in a response when the 908 client can continue the conversation. In particular, a KDC MUST 909 include a cookie in a KDC_ERR_PREAUTH_REQUIRED or 910 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. KDCs SHOULD include a cookie in 911 errors containing additional information allowing a client to retry. 912 One reasonable strategy for meeting these requirements is to always 913 include a cookie in KDC errors. 915 A KDC MAY indicate that it is terminating a conversation by not 916 including a cookie in a response. When FAST is used, clients can 917 assume that the absence of a cookie means that the KDC is ending the 918 conversation. Similarly, if a cookie is seen at all during a 919 conversation, clients MAY assume that the absence of a cookie in a 920 future message means that the KDC is ending the conversation. 921 Clients also need to deal with KDCs prior to this specification that 922 do not include cookies; if neither cookies nor FAST are used in a 923 conversation, the absence of a cookie is not a strong indication that 924 the KDC is terminating the conversation. 926 5.3. Pre-authentication Set 928 If all mechanisms in a group need to successfully complete in order 929 to authenticate a client, the client and the KDC SHOULD use the PA- 930 AUTHENTICATION-SET padata element. 932 PA-AUTHENTICATION-SET 134 934 A PA-AUTHENTICATION-SET padata element contains the ASN.1 DER 935 encoding of the PA-AUTHENTICATION-SET structure: 937 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 939 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 940 pa-type [0] Int32, 941 -- same as padata-type. 942 pa-hint [1] OCTET STRING OPTIONAL, 943 pa-value [2] OCTET STRING OPTIONAL, 944 ... 945 } 947 The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure 948 contains the corresponding value of padata-type in PA-DATA [RFC4120]. 949 Associated with the pa-type is a pa-hint, which is an octet-string 950 specified by the pre-authentication mechanism. This hint may provide 951 information for the client which helps it determine whether the 952 mechanism can be used. For example a public-key mechanism might 953 include the certificate authorities it trusts in the hint info. Most 954 mechanisms today do not specify hint info; if a mechanism does not 955 specify hint info the KDC MUST NOT send a hint for that mechanism. 956 To allow future revisions of mechanism specifications to add hint 957 info, clients MUST ignore hint info received for mechanisms that the 958 client believes do not support hint info. The pa-value element of 959 the PA-AUTHENTICATION-SET-ELEM sequence is included to carry the 960 first padata-value from the KDC to the client. If the client chooses 961 this authentication set then the client MUST process this pa-value. 962 The pa-value element MUST be absent for all but the first entry in 963 the authentication set. Clients MUST ignore pa-value for the second 964 and following entries in the authentication set. 966 If the client chooses an authentication set, then its first AS-REQ 967 message MUST contain a PA-AUTH-SET-SELECTED padata element. This 968 element contains the encoding of the PA-AUTHENTICATION-SET sequence 969 received from the KDC corresponding to the authentication set that is 970 chosen. The client MUST use the same octet values received from the 971 KDC; it cannot re-encode the sequence. This allows KDCs to use bit- 972 wise comparison to identify the selected authentication set. 973 Permitting bit-wise comparison may limit the ability to use certain 974 pre-authentication mechanisms that generate a dynamic challenge in an 975 authentication set with optimistic selection of an authentication 976 set. As with other optimistic pre-authentication failures, the KDC 977 MAY return KDC_ERR_PREAUTH_FAILED with a new list of pre- 978 authentication mechanisms (including authentication sets) if 979 optimistic pre-authentication fails. The PA-AUTH-SET-SELECTED padata 980 element MUST come before any padata elements from the authentication 981 set in the padata sequence in the AS-REQ message. The client MAY 982 cache authentication sets from prior messages and use them to 983 construct an optimistic initial AS-REQ. If the KDC receives a PA- 984 AUTH-SET-SELECTED padata element that does not correspond to an 985 authentication set that it would offer, then the KDC returns the 986 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET error. The e-data in this 987 error contains a sequence of padata just as for the 988 KDC_ERR_PREAUTH_REQUIRED error. 990 PA-AUTH-SET-SELECTED 135 991 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92 993 The PA-AUTHENTICATION-SET appears only in the first message from the 994 KDC to the client. In particular, the client MAY fail if the 995 authentication mechanism sets change as the conversation progresses. 996 Clients MAY assume that the hints provided in the authentication set 997 contain enough information that the client knows what user interface 998 elements need to be displayed during the entire authentication 999 conversation. Exceptional circumstances such as expired passwords or 1000 expired accounts may require that additional user interface be 1001 displayed. Mechanism designers needs to carefully consider the 1002 design of their hints so that the client has this information. This 1003 way, clients can construct necessary dialogue boxes or wizards based 1004 on the authentication set and can present a coherent user interface. 1005 Current standards for user interface do not provide an acceptable 1006 experience when the client has to ask additional questions later in 1007 the conversation. 1009 When indicating which sets of pre-authentication mechanisms are 1010 supported, the KDC includes a PA-AUTHENTICATION-SET padata element 1011 for each pre-authentication mechanism set. 1013 The client sends the padata-value for the first mechanism it picks in 1014 the pre-authentication set, when the first mechanism completes, the 1015 client and the KDC will proceed with the second mechanism, and so on 1016 until all mechanisms complete successfully. The PA-FX-COOKIE as 1017 defined in Section 5.2 MUST be sent by the KDC. One reason for this 1018 requirement is so that the conversation can continue if the 1019 conversation involves multiple KDCs. KDCs MUST support clients that 1020 do not include a cookie because they optimistically choose an 1021 authentication set, although they MAY always return 1022 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET and include a cookie in that 1023 message. Clients that support PA-AUTHENTICATION-SET MUST support PA- 1024 FX-COOKIE. 1026 Before the authentication succeeds and a ticket is returned, the 1027 message that the client sends is an AS_REQ and the message that the 1028 KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR 1029 message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined 1030 in Section 5.2 and the accompanying e-data contains the DER encoding 1031 of ASN.1 type METHOD-DATA. The KDC includes the padata elements in 1032 the METHOD-DATA. If there is no padata, the e-data field is absent 1033 in the KRB-ERROR message. 1035 If the client sends the last message for a given mechanism, then the 1036 KDC sends the first message for the next mechanism. If the next 1037 mechanism does not start with a KDC-side challenge, then the KDC 1038 includes a padata item with the appropriate pa-type and an empty pa- 1039 data. 1041 If the KDC sends the last message for a particular mechanism, the KDC 1042 also includes the first padata for the next mechanism. 1044 5.4. Definition of Kerberos FAST Padata 1046 As described in [RFC4120], Kerberos is vulnerable to offline 1047 dictionary attacks. An attacker can request an AS-REP and try 1048 various passwords to see if they can decrypt the resulting ticket. 1049 RFC 4120 provides the encrypted timestamp pre-authentication method 1050 that ameliorates the situation somewhat by requiring that an attacker 1051 observe a successful authentication. However stronger security is 1052 desired in many environments. The Kerberos FAST pre-authentication 1053 padata defined in this section provides a tool to significantly 1054 reduce vulnerability to offline dictionary attack. When combined 1055 with encrypted challenge, FAST requires an attacker to mount a 1056 successful man-in-the-middle attack to observe ciphertext. When 1057 combined with host keys, FAST can even protect against active 1058 attacks. FAST also provides solutions to common problems for pre- 1059 authentication mechanisms such as binding of the request and the 1060 reply and freshness guarantee of the authentication. FAST itself, 1061 however, does not authenticate the client or the KDC, instead, it 1062 provides a typed hole to allow pre-authentication data be tunneled. 1063 A pre-authentication data element used within FAST is called a FAST 1064 factor. A FAST factor captures the minimal work required for 1065 extending Kerberos to support a new pre-authentication scheme. 1067 A FAST factor MUST NOT be used outside of FAST unless its 1068 specification explicitly allows so. The typed holes in FAST messages 1069 can also be used as generic holes for other padata that are not 1070 intended to prove the client's identity, or establish the reply key. 1072 New pre-authentication mechanisms SHOULD be designed as FAST factors, 1073 instead of full-blown pre-authentication mechanisms. 1075 FAST factors that are pre-authentication mechanisms MUST meet the 1076 requirements in Section 4. 1078 FAST employs an armoring scheme. The armor can be a Ticket Granting 1079 Ticket (TGT) obtained by the client's machine using the host keys to 1080 pre-authenticate with the KDC, or an anonymous TGT obtained based on 1081 anonymous PKINIT [KRB-ANON] [RFC4556]. 1083 The rest of this section describes the types of armors and the syntax 1084 of the messages used by FAST. Conforming implementations MUST 1085 support Kerberos FAST padata. 1087 Any FAST armor scheme MUST provide a fresh armor key for each 1088 conversation. Clients and KDCs can assume that if a message is 1089 encrypted and integrity protected with a given armor key then it is 1090 part of the conversation using that armor key. 1092 All KDCs in a realm MUST support FAST if FAST is offered by any KDC 1093 as a pre-authentication mechanism. 1095 5.4.1. FAST Armors 1097 An armor key is used to encrypt pre-authentication data in the FAST 1098 request and the response. The KrbFastArmor structure is defined to 1099 identify the armor key. This structure contains the following two 1100 fields: the armor-type identifies the type of armors, and the armor- 1101 value is an OCTET STRING that contains the description of the armor 1102 scheme and the armor key. 1104 KrbFastArmor ::= SEQUENCE { 1105 armor-type [0] Int32, 1106 -- Type of the armor. 1107 armor-value [1] OCTET STRING, 1108 -- Value of the armor. 1109 ... 1110 } 1112 The value of the armor key is a matter of the armor type 1113 specification. Only one armor type is defined in this document. 1115 FX_FAST_ARMOR_AP_REQUEST 1 1117 The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets. 1119 Conforming implementations MUST implement the 1120 FX_FAST_ARMOR_AP_REQUEST armor type. If a FAST KDC receives an 1121 unknown armor type it MUST respond with KDC_ERR_PREAUTH_FAILED. 1123 An armor type may be appropriate for use in armoring AS requests, 1124 armoring TGS requests or both. TGS armor types MUST authenticate the 1125 client to to the KDC, typically by binding the TGT subsession key to 1126 the armor key. As discussed below, it is desirable for AS armor 1127 types to authenticate the KDC to the client, but this is not 1128 required. 1130 FAST implementations MUST maintain state about whether the armor 1131 mechanism authenticates the KDC. If it does not, then a FAST factor 1132 that authenticates the KDC MUST be used if the reply key is replaced. 1134 5.4.1.1. Ticket-based Armors 1136 This is a ticket-based armoring scheme. The armor-type is 1137 FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER 1138 encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket 1139 or an armor TGT. The subkey field in the AP-REQ MUST be present. 1140 The armor key is defined by the following function: 1142 armor_key = KRB-FX-CF2( subkey, ticket_session_key, 1143 "subkeyarmor", "ticketarmor" ) 1145 The `ticket_session_key' is the session key from the ticket in the 1146 ap-req. The `subkey' is the ap-req subkey. This construction 1147 guarantees that both the KDC (through the session key) and the client 1148 (through the subkey) contribute to the armor key. 1150 The server name field of the armor ticket MUST identify the TGS of 1151 the target realm. Here are three common ways in the decreasing 1152 preference order how an armor TGT SHOULD be obtained: 1154 1. If the client is authenticating from a host machine whose 1155 Kerberos realm has an authentication path to the client's realm, 1156 the host machine obtains a TGT by using the host keys. If the 1157 client's realm is different than the realm of the local host, the 1158 machine then obtains a cross-realm TGT to the client's realm as 1159 the armor ticket. Otherwise, the host's primary TGT is the armor 1160 ticket. 1162 2. If the client's host machine cannot obtain a host ticket strictly 1163 based on RFC4120, but the KDC has an asymmetric signing key whose 1164 binding with the expected KDC can be verified by the client, the 1165 client can use anonymous PKINIT [KRB-ANON] [RFC4556] to 1166 authenticate the KDC and obtain an anonymous TGT as the armor 1167 ticket. The armor ticket can also be a cross-realm TGT obtained 1168 based on the initial primary TGT obtained using anonymous PKINIT 1169 with KDC authentication. 1171 3. Otherwise, the client uses anonymous PKINIT to get an anonymous 1172 TGT without KDC authentication and that TGT is the armor ticket. 1173 Note that this mode of operation is vulnerable to man-in-the- 1174 middle attacks at the time of obtaining the initial anonymous 1175 armor TGT. 1177 If anonymous PKINIT is used to obtain the armor ticket, the KDC 1178 cannot know whether its signing key can be verified by the client, 1179 hence the KDC MUST be marked as unverified from the KDC's point of 1180 view while the client could be able to authenticate the KDC by 1181 verifying the KDC's signing key is bound with the expected KDC. The 1182 client needs to carefully consider the risk and benefit tradeoffs 1183 associated with active attacks before exposing cipher text encrypted 1184 using the user's long-term secrets when the armor does not 1185 authenticate the KDC. 1187 The TGS MUST reject a request if there is an AD-fx-fast-armor (71) 1188 element in the authenticator of the pa-tgs-req padata or if the 1189 ticket in the authenticator of a pa-tgs-req contains the AD-fx-fast- 1190 armor authorization data element. These tickets and authenticators 1191 MAY be used as FAST armor tickets but not to obtain a ticket via the 1192 TGS. This authorization data is used in a system where the 1193 encryption of the user's pre-authentication data is performed in an 1194 unprivileged user process. A privileged process can provide to the 1195 user process a host ticket, an authenticator for use with that 1196 ticket, and the sub session key contained in the authenticator. In 1197 order for the host process to ensure that the host ticket is not 1198 accidentally or intentionally misused, (i.e. the user process might 1199 use the host ticket to authenticate as the host), it MUST include a 1200 critical authorization data element of the type AD-fx-fast-armor when 1201 providing the authenticator or in the enc-authorization-data field of 1202 the TGS request used to obtain the TGT. The corresponding ad-data 1203 field of the AD-fx-fast-armor element is empty. 1205 This armor type is only valid for AS requests; implicit armor, 1206 described below in TGS processing, is the only supported way to 1207 establish an armor key for the TGS at this time. 1209 5.4.2. FAST Request 1211 A padata type PA-FX-FAST is defined for the Kerberos FAST pre- 1212 authentication padata. The corresponding padata-value field 1213 [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST- 1214 REQUEST. As with all pre-authentication types, the KDC SHOULD 1215 advertise PA-FX-FAST in a PREAUTH_REQUIRED error. KDCs MUST send the 1216 advertisement of PA-FX-FAST with an empty pa-value. Clients MUST 1217 ignore the pa-value of PA-FX-FAST in an initial PREAUTH_REQUIRED 1218 error. FAST is not expected to be used in an authentication set: 1219 clients will typically use FAST padata if available and this decision 1220 should not depend on what other pre-authentication methods are 1221 available. As such, no pa-hint is defined for FAST at this time. 1223 PA-FX-FAST 136 1224 -- Padata type for Kerberos FAST 1226 PA-FX-FAST-REQUEST ::= CHOICE { 1227 armored-data [0] KrbFastArmoredReq, 1228 ... 1229 } 1231 KrbFastArmoredReq ::= SEQUENCE { 1232 armor [0] KrbFastArmor OPTIONAL, 1233 -- Contains the armor that identifies the armor key. 1234 -- MUST be present in AS-REQ. 1235 req-checksum [1] Checksum, 1236 -- For AS, contains the checksum performed over the type 1237 -- KDC-REQ-BODY for the req-body field of the KDC-REQ 1238 -- structure; 1239 -- For TGS, contains the checksum performed over the type 1240 -- AP-REQ in the PA-TGS-REQ padata. 1241 -- The checksum key is the armor key, the checksum 1242 -- type is the required checksum type for the enctype of 1243 -- the armor key, and the key usage number is 1244 -- KEY_USAGE_FAST_REQ_CHKSUM. 1245 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 1246 -- The encryption key is the armor key, and the key usage 1247 -- number is KEY_USAGE_FAST_ENC. 1248 ... 1249 } 1251 KEY_USAGE_FAST_REQ_CHKSUM 50 1252 KEY_USAGE_FAST_ENC 51 1254 The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type. 1255 The KrbFastArmoredReq encapsulates the encrypted padata. 1257 The enc-fast-req field contains an encrypted KrbFastReq structure. 1258 The armor key is used to encrypt the KrbFastReq structure, and the 1259 key usage number for that encryption is KEY_USAGE_FAST_ENC. 1261 The armor key is selected as follows: 1263 o In an AS request, the armor field in the KrbFastArmoredReq 1264 structure MUST be present and the armor key is identified 1265 according to the specification of the armor type. 1267 o There are two possibilities for armor for a TGS request. If the 1268 ticket presented in the PA-TGS-REQ authenticator is a TGT, then 1269 the client SHOULD NOT include the armor field in the Krbfastreq 1270 and a subkey MUST be included in the PA-TGS-REQ authenticator. In 1271 this case, the armor key is the same armor key that would be 1272 computed if the TGS-REQ authenticator was used in a 1273 FX_FAST_ARMOR_AP_REQUEST armor. Clients MAY present a non-TGT in 1274 the PA-TGS-REQ authenticator and omit the armor field, in which 1275 case the armor key is the same that would be computed if the 1276 authenticator were used in a FX_FAST_ARMOR_AP_REQUEST armor. This 1277 is the only case where a ticket other than a TGT can be used to 1278 establish an armor key; even though the armor key is computed the 1279 same as a FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an 1280 armor ticket in FX_FAST_ARMOR_AP_REQUEST. Alternatively, a client 1281 MAY use an armor type defined in the future for use with the TGS 1282 request. 1284 The req-checksum field contains a checksum computed differently for 1285 AS and TGS. For an AS-REQ, it is performed over the type KDC-REQ- 1286 BODY for the req-body field of the KDC-REQ structure of the 1287 containing message; for an TGS-REQ, it is performed over the type AP- 1288 REQ in the PA-TGS-REQ padata of the TGS request. The checksum key is 1289 the armor key, and the checksum type is the required checksum type 1290 for the enctype of the armor key per [RFC3961]. This checksum MUST 1291 be a keyed checksum and it is included in order to bind the FAST 1292 padata to the outer request. A KDC that implements FAST will ignore 1293 the outer request, but including a checksum is relatively cheap and 1294 may prevent confusing behavior. 1296 The KrbFastReq structure contains the following information: 1298 KrbFastReq ::= SEQUENCE { 1299 fast-options [0] FastOptions, 1300 -- Additional options. 1301 padata [1] SEQUENCE OF PA-DATA, 1302 -- padata typed holes. 1303 req-body [2] KDC-REQ-BODY, 1304 -- Contains the KDC request body as defined in Section 1305 -- 5.4.1 of [RFC4120]. 1306 -- This req-body field is preferred over the outer field 1307 -- in the KDC request. 1308 ... 1309 } 1311 The fast-options field indicates various options that are to modify 1312 the behavior of the KDC. The following options are defined: 1314 FastOptions ::= KerberosFlags 1315 -- reserved(0), 1316 -- hide-client-names(1), 1318 Bits Name Description 1319 ----------------------------------------------------------------- 1320 0 RESERVED Reserved for future expansion of this 1321 field. 1322 1 hide-client-names Requesting the KDC to hide client 1323 names in the KDC response, as 1324 described next in this section. 1325 16 kdc-follow-referrals reserved draft-ietf-krb-wg-referrals 1327 Bits 1 through 15 inclusive (with bit 1 and bit 15 included) are 1328 critical options. If the KDC does not support a critical option, it 1329 MUST fail the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, and 1330 there is no accompanying e-data defined in this document for this 1331 error code. Bit 16 and onward (with bit 16 included) are non- 1332 critical options. KDCs conforming to this specification ignore 1333 unknown non-critical options. 1335 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93 1337 The hide-client-names Option 1339 The Kerberos response defined in [RFC4120] contains the client 1340 identity in clear text, This makes traffic analysis 1341 straightforward. The hide-client-names option is designed to 1342 complicate traffic analysis. If the hide-client-names option is 1343 set, the KDC implementing PA-FX-FAST MUST identify the client as 1344 the anonymous principal [KRB-ANON] in the KDC reply and the error 1345 response. Hence this option is set by the client if it wishes to 1346 conceal the client identity in the KDC response. A conforming KDC 1347 ignores the client principal name in the outer KDC-REQ-BODY field, 1348 and identifies the client using the cname and crealm fields in the 1349 req-body field of the KrbFastReq structure. 1351 The kdc-follow-referrals Option 1353 This option is reserved for [REFERRALS] 1355 The padata field contains a list of PA-DATA structures as described 1356 in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain 1357 FAST factors. They can also be used as generic typed-holes to 1358 contain data not intended for proving the client's identity or 1359 establishing a reply key, but for protocol extensibility. If the KDC 1360 supports the PA-FX-FAST-REQUEST padata, unless otherwise specified, 1361 the client MUST place any padata that is otherwise in the outer KDC 1362 request body into this field. In a TGS request, PA-TGS-REQ padata is 1363 not included in this field and it is present in the outer KDC request 1364 body. 1366 The KDC-REQ-BODY in the FAST structure is used in preference to the 1367 KDC-REQ-BODY outside of the FAST pre-authentication. The outer KDC- 1368 REQ-BODY structure SHOULD be filled in for backwards compatibility 1369 with KDCs that do not support FAST. A conforming KDC ignores the 1370 outer KDC-REQ-BODY field in the KDC request. Pre-authentication data 1371 methods such as [RFC4556] that include a checksum of the KDC-REQ-BODY 1372 should checksum the KDC-REQ-BODY in the FAST structure. 1374 In a TGS request, a client MAY include the AD-fx-fast-used authdata 1375 either in the pa-tgs-req authenticator or in the authorization data 1376 in the pa-tgs-req ticket. If the KDC receives this authorization 1377 data but does not find a FAST padata then it MUST return 1378 KRB_APP_ERR_MODIFIED. 1380 5.4.3. FAST Response 1382 The KDC that supports the PA-FX-FAST padata MUST include a PA-FX-FAST 1383 padata element in the KDC reply. In the case of an error, the PA-FX- 1384 FAST padata is included in the KDC responses according to 1385 Section 5.4.4. 1387 The corresponding padata-value field [RFC4120] for the PA-FX-FAST in 1388 the KDC response contains the DER encoding of the ASN.1 type PA-FX- 1389 FAST-REPLY. 1391 PA-FX-FAST-REPLY ::= CHOICE { 1392 armored-data [0] KrbFastArmoredRep, 1393 ... 1394 } 1396 KrbFastArmoredRep ::= SEQUENCE { 1397 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 1398 -- The encryption key is the armor key in the request, and 1399 -- the key usage number is KEY_USAGE_FAST_REP. 1400 ... 1401 } 1402 KEY_USAGE_FAST_REP 52 1404 The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep 1405 structure. The KrbFastArmoredRep structure encapsulates the padata 1406 in the KDC reply in the encrypted form. The KrbFastResponse is 1407 encrypted with the armor key used in the corresponding request, and 1408 the key usage number is KEY_USAGE_FAST_REP. 1410 The Kerberos client MUST support a local policy that rejects the 1411 response if PA-FX-FAST-REPLY is not included in the response. 1412 Clients MAY also support policies that fall back to other mechanisms 1413 or that do not use pre-authentication when FAST is unavailable. It 1414 is important to consider the potential downgrade attacks when 1415 deploying such a policy. 1417 The KrbFastResponse structure contains the following information: 1419 KrbFastResponse ::= SEQUENCE { 1420 padata [0] SEQUENCE OF PA-DATA, 1421 -- padata typed holes. 1422 strengthen-key [1] EncryptionKey OPTIONAL, 1423 -- This, if present, strengthens the reply key for AS and 1424 -- TGS. MUST be present for TGS. 1425 -- MUST be absent in KRB-ERROR. 1426 finished [2] KrbFastFinished OPTIONAL, 1427 -- Present in AS or TGS reply; absent otherwise. 1428 nonce [3] UInt32, 1429 -- Nonce from the client request. 1430 ... 1431 } 1433 The padata field in the KrbFastResponse structure contains a list of 1434 PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These 1435 PA-DATA structures are used to carry data advancing the exchange 1436 specific for the FAST factors. They can also be used as generic 1437 typed-holes for protocol extensibility. Unless otherwise specified, 1438 the KDC MUST include any padata that is otherwise in the outer KDC- 1439 REP or KDC-ERROR structure into this field. The padata field in the 1440 KDC reply structure outside of the PA-FX-FAST-REPLY structure 1441 typically includes only the PA-FX-FAST-REPLY padata. 1443 The strengthen-key field provides a mechanism for the KDC to 1444 strengthen the reply key. If set, the strengthen-key value MUST be 1445 randomly generated to have the same etype as that of the reply key 1446 before being strengthened, and then the reply key is strengthened 1447 after all padata items are processed. Let padata-reply-key be the 1448 reply key after padata processing. 1450 reply-key = KRB-FX-CF2(strengthen-key, padata-reply-key, 1451 "strengthenkey", "replykey") 1453 The strengthen-key field MAY be set in an AS reply; it MUST be set in 1454 a TGS reply; it must be absent in an error reply. The strengthen key 1455 is required in a TGS reply so that an attacker cannot remove the FAST 1456 PADATA from a TGS reply, causing the KDC to appear not to support 1457 FAST. 1459 The finished field contains a KrbFastFinished structure. It is 1460 filled by the KDC in the final message in the conversation. This 1461 field is present in an AS-REP or a TGS-REP when a ticket is returned, 1462 and it is not present in an error reply. 1464 The KrbFastFinished structure contains the following information: 1466 KrbFastFinished ::= SEQUENCE { 1467 timestamp [0] KerberosTime, 1468 usec [1] Microseconds, 1469 -- timestamp and usec represent the time on the KDC when 1470 -- the reply was generated. 1471 crealm [2] Realm, 1472 cname [3] PrincipalName, 1473 -- Contains the client realm and the client name. 1474 ticket-checksum [4] Checksum, 1475 -- checksum of the ticket in the KDC-REP using the armor 1476 -- and the key usage is KEY_USAGE_FAST_FINISH. 1477 -- The checksum type is the required checksum type 1478 -- of the armor key. 1479 ... 1480 } 1481 KEY_USAGE_FAST_FINISHED 53 1483 The timestamp and usec fields represent the time on the KDC when the 1484 reply ticket was generated, these fields have the same semantics as 1485 the corresponding-identically-named fields in Section 5.6.1 of 1486 [RFC4120]. The client MUST use the KDC's time in these fields 1487 thereafter when using the returned ticket. The client need not 1488 confirm that the timestamp returned is within allowable clock skew: 1489 the armor key guarantees that the reply is fresh. The client MAY 1490 trust the time stamp returned. 1492 The cname and crealm fields identify the authenticated client. If 1493 facilities described in [REFERRALS] are used, the authenticated 1494 client may differ from the client in the FAST request. 1496 The ticket-checksum is a checksum of the issued ticket. The checksum 1497 key is the armor key, and the checksum type is the required checksum 1498 type of the enctype of that key, and the key usage number is 1499 KEY_USAGE_FAST_FINISHED. 1501 When FAST padata is included, the PA-FX-COOKIE padata as defined in 1502 Section 5.2 MUST8 be included in the padata sequence in the 1503 KrbFastResponse sequence if the KDC expects at least one more message 1504 from the client in order to complete the authentication. 1506 The nonce field in the KrbFastResponse contains the value of the 1507 nonce field in the KDC-REQ of the corresponding client request and it 1508 binds the KDC response with the client request. The client MUST 1509 verify that this nonce value in the reply matches with that of the 1510 request and reject the KDC reply otherwise. To prevent the response 1511 from one message in a conversation from being replayed to a request 1512 in another message, clients SHOULD use a new nonce for each message 1513 in a conversation. 1515 5.4.4. Authenticated Kerberos Error Messages using Kerberos FAST 1517 If the Kerberos FAST padata was included in the request, unless 1518 otherwise specified, the e-data field of the KRB-ERROR message 1519 [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA 1520 [RFC4120] and a PA-FX-FAST is included in the METHOD-DATA. The KDC 1521 MUST include all the padata elements such as PA-ETYPE-INFO2 and 1522 padata elements that indicate acceptable pre-authentication 1523 mechanisms [RFC4120] in the KrbFastResponse structure. 1525 The KDC MUST also include a PA-FX-ERROR padata item in the 1526 KRBFastResponse structure. The padata-value element of this sequence 1527 is the ASN.1 DER encoding of the type KRB-ERROR. The e-data field 1528 MUST be absent in the PA-FX-ERROR padata. All other fields should be 1529 the same as the outer KRB-ERROR. The client ignores the outer error 1530 and uses the combination of the padata in the KRBFastResponse and the 1531 error information in the PA-FX-ERROR. 1533 PA-FX-ERROR 137 1535 If the Kerberos FAST padata is included in the request but not 1536 included in the error reply, it is a matter of the local policy on 1537 the client to accept the information in the error message without 1538 integrity protection. The client SHOULD however process the KDC 1539 errors as the result of the KDC's inability to accept the AP_REQ 1540 armor and potentially retry another request with a different armor 1541 when applicable. The Kerberos client MAY process an error message 1542 without a PA-FX-FAST-REPLY, if that is only intended to return better 1543 error information to the application, typically for trouble-shooting 1544 purposes. 1546 In the cases where the e-data field of the KRB-ERROR message is 1547 expected to carry a TYPED-DATA [RFC4120] element, then that 1548 information should be transmitted in a pa-data element within the 1549 KRBFastResponse structure. The padata-type is the same as the data- 1550 type would be in the typed data element and the padata-value is the 1551 same as the data-value. As discussed in Section 7, data-types and 1552 padata-types are drawn from the same namespace. For example, the 1553 TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR 1554 message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE 1555 [RFC4556]. 1557 5.4.5. Outer and Inner Requests 1559 Typically, a client will know that FAST is being used before a 1560 request containing PA-FX-FAST is sent. So, the outer AS request 1561 typically only includes one pa-data item: PA-FX-FAST. The client MAY 1562 include additional pa-data, but the KDC MUST ignore the outer request 1563 body and any padata besides PA-FX-FAST if and only if PA-FX-FAST is 1564 processed. In the case of the TGS request, the outer request should 1565 include PA-FX-FAST and PA-TGS-REQ. 1567 When an AS generates a response, all padata besides PA-FX-FAST should 1568 be included in PA-FX-FAST. The client MUST ignore other padata 1569 outside of PA-FX-FAST. 1571 5.4.6. The Encrypted Challenge FAST Factor 1573 The encrypted challenge FAST factor authenticates a client using the 1574 client's long-term key. This factor works similarly to the encrypted 1575 time stamp pre-authentication option described in [RFC4120]. The 1576 word challenge is used instead of timestamp because while the 1577 timestamp is used as an initial challenge, if the KDC and client do 1578 not have synchronized time, then the KDC can provide updated time to 1579 the client to use as a challenge. The client encrypts a structure 1580 containing a timestamp in the challenge key. The challenge key used 1581 by the client to send a message to the KDC is KRB-FX- 1582 CF2(armor_key,long_term_key, "clientchallengearmor", 1583 "challengelongterm"). The challenge key used by the KDC encrypting 1584 to the client is KRB-FX-CF2(armor_key, long_term_key, 1585 "kdcchallengearmor", "challengelongterm"). Because the armor key is 1586 fresh and random, the challenge key is fresh and random. The only 1587 purpose of the timestamp is to limit the validity of the 1588 authentication so that a request cannot be replayed. A client MAY 1589 base the timestamp on the KDC time in a KDC error and need not 1590 maintain accurate time synchronization itself. If a client bases its 1591 time on an untrusted source, an attacker may trick the client into 1592 producing an authentication request that is valid at some future 1593 time. The attacker may be able to use this authentication request to 1594 make it appear that a client has authenticated at that future time. 1595 If ticket-based armor is used, then the lifetime of the ticket will 1596 limit the window in which an attacker can make the client appear to 1597 have authenticated. For many situations, the ability of an attacker 1598 to cause a client to appear to have authenticated is not a 1599 significant concern; the ability to avoid requiring time 1600 synchronization on clients is more valuable. 1602 The client sends a padata of type PA-ENCRYPTED-CHALLENGE. The 1603 corresponding padata-value contains the DER encoding of ASN.1 type 1604 EncryptedChallenge. 1606 EncryptedChallenge ::= EncryptedData 1607 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 1608 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 1609 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 1611 PA-ENCRYPTED-CHALLENGE 138 1612 KEY_USAGE_ENC_CHALLENGE_CLIENT 54 1613 KEY_USAGE_ENC_CHALLENGE_KDC 55 1615 The client includes some time stamp reasonably close to the KDC's 1616 current time and encrypts it in the challenge key in a PA-ENC-TS-ENC 1617 structure (Secc section 5.2.7.2 in RFC 4120). Clients MAY use the 1618 current time; doing so prevents the exposure where an attacker can 1619 cause a client to appear to authenticate in the future. The client 1620 sends the request including this factor. 1622 On receiving an AS-REQ containing the PA-ENCRYPTED-CHALLENGE FAST 1623 factor, the KDC decrypts the timestamp. If the decryption fails the 1624 KDC SHOULD return KDC_ERR_PREAUTH_FAILED, including PA-ETYPE-INFO2 in 1625 the KRBFastResponse in the error. The KDC confirms that the 1626 timestamp falls within its current clock skew returning 1627 KRB_APP_ERR_SKEW if not. The KDC then SHOULD check to see if the 1628 encrypted challenge is a replay. The KDC MUST NOT consider two 1629 encrypted challenges replays simply because the time stamps are the 1630 same; to be a replay, the ciphertext MUST be identical. Allowing 1631 clients to re-use time stamps avoids requiring that clients maintain 1632 state about which time stamps have been used. 1634 If the KDC accepts the encrypted challenge, it MUST include a padata 1635 element of type PA-ENCRYPTED-CHALLENGE. The KDC encrypts its current 1636 time in the challenge key. The KDC MUST strengthen the reply key 1637 before issuing a ticket. The client MUST check that the timestamp 1638 decrypts properly. The client MAY check that the timestamp is within 1639 the window of acceptable clock skew for the client. The client MUST 1640 NOT require that the timestamp be identical to the timestamp in the 1641 issued credentials or the returned message. 1643 The encrypted challenge FAST factor provides the following 1644 facilities: client-authentication and KDC authentication. This FAST 1645 factor also takes advantage of the FAST facility to strengthen the 1646 reply key. It does not provide the replacing-reply-key facility. 1647 The security considerations section of this document provides an 1648 explanation why the security requirements are met. 1650 The encrypted challenge FAST factor can be useful in an 1651 authentication set. No pa-hint is defined because the only 1652 information needed by this mechanism is information contained in the 1653 PA-ETYPE-INFO2 pre-authentication data. KDCs are already required to 1654 send PA-ETYPE-INFO2. If KDCs were not required to send PA-ETYPE- 1655 INFO2 then that information would need to be part of a hint for 1656 encrypted challenge. 1658 Conforming implementations MUST support the encrypted challenge FAST 1659 factor. 1661 5.5. Authentication Strength Indication 1663 Implementations that have pre-authentication mechanisms offering 1664 significantly different strengths of client authentication MAY choose 1665 to keep track of the strength of the authentication used as an input 1666 into policy decisions. For example, some principals might require 1667 strong pre-authentication, while less sensitive principals can use 1668 relatively weak forms of pre-authentication like encrypted timestamp. 1670 An AuthorizationData data type AD-Authentication-Strength is defined 1671 for this purpose. 1673 AD-authentication-strength 70 1675 The corresponding ad-data field contains the DER encoding of the pre- 1676 authentication data set as defined in Section 5.3. This set contains 1677 all the pre-authentication mechanisms that were used to authenticate 1678 the client. If only one pre-authentication mechanism was used to 1679 authenticate the client, the pre-authentication set contains one 1680 element. Unless otherwise specified, the hint and value fields of 1681 the members of this sequence MUST be empty. In order to permit 1682 mechanisms to carry additional information about strength in these 1683 fields in the future, clients and application servers MUST ignore 1684 non-empty hint and value fields for mechanisms unless the 1685 implementation is updated with the interpretation of these fields for 1686 a given pre-authentication mechanism in this authorization element. 1688 The AD-authentication-strength element MUST be included in the AD- 1689 KDC-ISSUED container so that the KDC integrity protects its contents. 1690 This element can be ignored if it is unknown to the receiver. 1692 6. Assigned Constants 1694 The pre-authentication framework and FAST involve using a number of 1695 Kerberos protocol constants. This section lists protocol constants 1696 first introduced in this specification drawn from registries not 1697 managed by IANA. Many of these registries would best be managed by 1698 IANA; that is a known issue that is out of scope for this document. 1699 The constants described in this section have been accounted for and 1700 will appear in the next revision of the Kerberos core specification 1701 or in a document creating IANA registries. 1703 Section 7 creates IANA registries for a different set of constants 1704 used by the extensions described in this document. 1706 6.1. New Errors 1708 KDC_ERR_PREAUTH_EXPIRED 90 1709 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 1710 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92 1711 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93 1713 6.2. Key Usage Numbers 1715 KEY_USAGE_FAST_REQ_CHKSUM 50 1716 KEY_USAGE_FAST_ENC 51 1717 KEY_USAGE_FAST_REP 52 1718 KEY_USAGE_FAST_FINISHED 53 1719 KEY_USAGE_ENC_CHALLENGE_CLIENT 54 1720 KEY_USAGE_ENC_CHALLENGE_KDC 55 1722 6.3. Authorization Data Elements 1724 AD-authentication-strength 70 1725 AD-fx-fast-armor 71 1726 AD-fx-fast-used 72 1728 6.4. New PA-DATA Types 1730 PA-FX-COOKIE 133 1731 PA-AUTHENTICATION-SET 134 1732 PA-AUTH-SET-SELECTED 135 1733 PA-FX-FAST 136 1734 PA-FX-ERROR 137 1735 PA-ENCRYPTED-CHALLENGE 138 1737 7. IANA Considerations 1739 This document creates a number of IANA registries. These registries 1740 should all be located under 1741 http://www.iana.org/assignments/kerberos-parameters. See [RFC5226] 1742 for descriptions of the registration policies used in this section. 1744 7.1. Pre-authentication and Typed Data 1746 RFC 4120 defines pre-authentication data, which can be included in a 1747 KDC request or response in order to authenticate the client or extend 1748 the protocol. In addition, it defines Typed-Data which is an 1749 extension mechanism for errors. Both pre-authentication data and 1750 typed data are carried as a 32-bit signed integer along with an octet 1751 string. The encoding of typed data and pre-authentication data is 1752 slightly different. However the types for pre-authentication data 1753 and typed-data are drawn from the same namespace. By convention, 1754 registrations starting with TD- are typed data and registration 1755 starting with PA- are pre-authentication data. It is important that 1756 these data types be drawn from the same namespace, because some 1757 errors where it would be desirable to include typed data require the 1758 e-data field to be formatted as pre-authentication data. 1760 When Kerberos FAST is used, pre-authentication data encoding is 1761 always used. 1763 There is one apparently conflicting registration between typed data 1764 and pre-authentication data. PA-GET-FROM-TYPED-DATA and TD-PADATA 1765 are both assigned the value 22. However this registration is simply 1766 a mechanism to include an element of the other encoding. The use of 1767 both should be deprecated. 1769 This document creates a registry for pre-authentication and typed 1770 data. The registration procedures are as follows. Expert review for 1771 pre-authentication mechanisms designed to authenticate users, KDCs, 1772 or establish the reply key. The expert first determines that the 1773 purpose of the method is to authenticate clients, KDCs, or to 1774 establish the reply key. If so, expert review is appropriate. The 1775 expert evaluates the security and interoperability of the 1776 specification. 1778 IETF review is required if the expert believes that the pre- 1779 authentication method is broader than these three areas. Pre- 1780 authentication methods that change the Kerberos state machine or 1781 otherwise make significant changes to the Kerberos protocol should be 1782 standards track RFCs. A concern that a particular method needs to be 1783 a standards track RFC may be raised as an objection during IETF 1784 review. 1786 Several of the registrations indicated belowe were made at a time 1787 when the Kerberos protocol was less mature and do not meet the 1788 current requirements for this registry. These registrations are 1789 included in order to accurately document what is known about the use 1790 of these protocol code points and to avoid conflicts. 1792 Type Value Reference 1793 ---------------------------------------------------------------------- 1794 PA-TGS-REQ 1 RFC 4120 1795 PA-ENC-TIMESTAMP 2 RFC 4120 1796 PA-PW-SALT 3 RFC 4120 1797 [reserved] 4 1798 PA-ENC-UNIX-TIME 5 (deprecated) 1799 PA-SANDIA-SECUREID 6 1800 PA-SESAME 7 1801 PA-OSF-DCE 8 1802 PA-CYBERSAFE-SECUREID 9 1803 PA-AFS3-SALT 10 1804 PA-ETYPE-INFO 11 RFC 4120 1805 PA-SAM-CHALLENGE 12 (sam/otp) 1806 PA-SAM-RESPONSE 13 (sam/otp) 1807 PA-PK-AS-REQ_OLD 14 draft-ietf-cat-kerberos-pk-init-09 1808 PA-PK-AS-REP_OLD 15 draft-ietf-cat-kerberos-pk-init-09 1809 PA-PK-AS-REQ 16 RFC 4556 1810 PA-PK-AS-REP 17 RFC 4556 1811 PA-PK-OCSP-RESPONSE 18 RFC 4557 1812 PA-ETYPE-INFO2 19 RFC 4120 1813 PA-USE-SPECIFIED-KVNO 20 1814 PA-SVR-REFERRAL-INFO 20 (referrals) 1815 PA-SAM-REDIRECT 21 (sam/otp) 1816 PA-GET-FROM-TYPED-DATA 22 (embedded in typed data) 1817 TD-PADATA 22 (embeds padata) 1818 PA-SAM-ETYPE-INFO 23 (sam/otp) 1819 PA-ALT-PRINC 24 (crawdad@fnal.gov) 1820 PA-SERVER-REFERRAL 25 (referrals) 1821 PA-SAM-CHALLENGE2 30 (kenh@pobox.com) 1822 PA-SAM-RESPONSE2 31 (kenh@pobox.com) 1823 PA-EXTRA-TGT 41 Reserved extra TGT 1824 TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS 1825 TD-KRB-PRINCIPAL 102 PrincipalName 1826 TD-KRB-REALM 103 Realm 1827 TD-TRUSTED-CERTIFIERS 104 PKINIT 1828 TD-CERTIFICATE-INDEX 105 PKINIT 1829 TD-APP-DEFINED-ERROR 106 Application specific 1830 TD-REQ-NONCE 107 INTEGER 1831 TD-REQ-SEQ 108 INTEGER 1832 TD_DH_PARAMETERS 109 PKINIT 1833 TD-CMS-DIGEST-ALGORITHMS 111 draft-ietf-krb-wg-pkinit-alg-agility 1834 TD-CERT-DIGEST-ALGORITHMS 112 draft-ietf-krb-wg-pkinit-alg-agility 1835 PA-PAC-REQUEST 128 MS-KILE 1836 PA-FOR_USER 129 MS-KILE 1837 PA-FOR-X509-USER 130 MS-KILE 1838 PA-FOR-CHECK_DUPS 131 MS-KILE 1839 PA-AS-CHECKSUM 132 MS-KILE 1840 PA-FX-COOKIE 133 draft-ietf-krb-wg-preauth-framework 1841 PA-AUTHENTICATION-SET 134 draft-ietf-krb-wg-preauth-framework 1842 PA-AUTH-SET-SELECTED 135 draft-ietf-krb-wg-preauth-framework 1843 PA-FX-FAST 136 draft-ietf-krb-wg-preauth-framework 1844 PA-FX-ERROR 137 draft-ietf-krb-wg-preauth-framework 1845 PA-ENCRYPTED-CHALLENGE 138 draft-ietf-krb-wg-preauth-framework 1846 PA-OTP-CHALLENGE 141 (gareth.richards@rsa.com) 1847 PA-OTP-REQUEST 142 (gareth.richards@rsa.com) 1848 PA-OTP-CONFIRM 143 (gareth.richards@rsa.com) 1849 PA-OTP-PIN-CHANGE 144 (gareth.richards@rsa.com) 1850 PA-EPAK-AS-REQ 145 (sshock@gmail.com) 1851 PA-EPAK-AS-REP 146 (sshock@gmail.com>) 1852 PA_PKINIT_KX 147 draft-ietf-krb-wg-anon 1853 PA_PKU2U_NAME 148 draft-zhu-pku2u 1854 PA-SUPPORTED-ETYPES 165 MS-KILE 1855 PA-EXTENDED_ERROR 166 MS-KILE 1857 7.2. Fast Armor Types 1859 FAST armor types are defined in Section 5.4.1. A FAST armor type is 1860 a signed 32-bit integer. FAST armor types are assigned by standards 1861 action. 1863 Type Name Description 1864 ------------------------------------------------------------ 1865 0 Reserved. 1866 1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req. 1868 7.3. FAST Options 1870 A FAST request includes a set of bit flags to indicate additional 1871 options. Bits 0-15 are critical; other bits are non-critical. 1872 Assigning bits greater than 31 may require special support in 1873 implementations. Assignment of FAST options requires standards 1874 action. 1876 Type Name Description 1877 ------------------------------------------------------------------- 1878 0 RESERVED Reserved for future expansion of this 1879 field. 1880 1 hide-client-names Requesting the KDC to hide client 1881 names in the KDC response 1882 16 kdc-follow-referrals reserved 1884 8. Security Considerations 1886 The kdc-referrals option in the Kerberos FAST padata requests the KDC 1887 to act as the client to follow referrals. This can overload the KDC. 1888 To limit the damages of denial of service using this option, KDCs MAY 1889 restrict the number of simultaneous active requests with this option 1890 for any given client principal. 1892 Regarding the facilities provided by the Encrypted Challenge FAST 1893 factor, the challenge key is derived from the client secrets and 1894 because the client secrets are known only to the client and the KDC, 1895 the verification of the EncryptedChallenge structure proves the 1896 client's identity, the verification of the EncryptedChallenge 1897 structure in the KDC reply proves that the expected KDC responded. 1898 Therefore, the Encrypted Challenge FAST factor as a pre- 1899 authentication mechanism offers the following facilities: client- 1900 authentication and KDC-authentication. There is no un-authenticated 1901 clear text introduced by the Encrypted Challenge FAST factor. 1903 FAST provides an encrypted tunnel over which pre-authentication 1904 conversations can take place. In addition, FAST optionally 1905 authenticates the KDC to the client. It is the responsibility of 1906 FAST factors to authenticate the client to the KDC. Care MUST be 1907 taken to design FAST factors such that they are bound to the 1908 conversation. If this is not done, a man-in-the-middle may be able 1909 to cut&paste a FAST factor from one conversation to another. The 1910 easiest way to do this is to bind each FAST factor to the armor key 1911 which is guaranteed to be unique for each conversation. 1913 The anonymous pkinit mode for obtaining an armor ticket does not 1914 always authenticate the KDC to the client before the conversation 1915 begins. Tracking the KDC verified state guarantees that by the end 1916 of the conversation, the client has authenticated the KDC. However 1917 FAST factor designers need to consider the implications of using 1918 their factor when the KDC has not yet been authenticated. If this 1919 proves problematic in an environment, then the particular FAST factor 1920 should not be used with anonymous PKINIT. 1922 Existing pre-authentication mechanisms are believed to be at least as 1923 secure when used with FAST as they are when used outside of FAST. 1924 One part of this security is making sure that when pre-authentication 1925 methods checksum the request, they checksum the inner request rather 1926 than the outer request. If the mechanism checksummed the outer 1927 request, a man-in-the-middle could observe it outside a FAST tunnel 1928 and then cut&paste it into a FAST exchange where the inner rather 1929 than outer request would be used to select attributes of the issued 1930 ticket. Such attacks would typically invalidate auditing information 1931 or create a situation where the client and KDC disagree about what 1932 ticket is issued. However, such attacks are unlikely to allow an 1933 attacker who would not be able to authenticate as a principal to do 1934 so. Even so, FAST is believed to defend against these attacks in 1935 existing legacy mechanism. However since there is no standard for 1936 how legacy mechanisms bind the request to the pre-authentication or 1937 provide integrity protection, security analysis can be difficult. In 1938 some cases FAST may significantly improve the integrity protection of 1939 legacy mechanisms. 1941 The security of the TGS exchange depends on authenticating the client 1942 to the KDC. In the AS exchange, this is done using pre- 1943 authentication data or FAST factors. In the TGS exchange, this is 1944 done by presenting a TGT and by using the session (or sub-session) 1945 key in constructing the request. Because FAST uses a request body in 1946 the inner request, encrypted in the armor key, rather than the 1947 request body in the outer request, it is critical that establishing 1948 the armor key be tied to the authentication of the client to the KDC. 1949 If this is not done, an attacker could manipulate the options 1950 requested in the TGS request, for example requesting a ticket with 1951 different validity or addresses. The easiest way to bind the armor 1952 key to the authentication of the client to the KDC is for the armor 1953 key to depend on the sub-session key of the TGT. This is done with 1954 the implicit TGS armor supported by this specification. Future armor 1955 types designed for use with the TGS MUST either bind their armor keys 1956 to the TGT or provide another mechanism to authenticate the client to 1957 the KDC. 1959 9. Acknowledgements 1961 Sam Hartman would like to thank the MIT Kerberos Consortium for its 1962 funding of his time on this project. 1964 Several suggestions from Jeffrey Hutzelman based on early revisions 1965 of this documents led to significant improvements of this document. 1967 The proposal to ask one KDC to chase down the referrals and return 1968 the final ticket is based on requirements in [ID.CROSS]. 1970 Joel Weber had a proposal for a mechanism similar to FAST that 1971 created a protected tunnel for Kerberos pre-authentication. 1973 Srinivas Cheruku and Greg Hudson provided valuable review comments. 1975 10. References 1977 10.1. Normative References 1979 [KRB-ANON] 1980 Zhu, L. and P. Leach, "Kerberos Anonymity Support", 1981 draft-ietf-krb-wg-anon-10.txt (work in progress), 2008. 1983 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1984 Requirement Levels", BCP 14, RFC 2119, March 1997. 1986 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 1987 Kerberos 5", RFC 3961, February 2005. 1989 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The 1990 Kerberos Network Authentication Service (V5)", RFC 4120, 1991 July 2005. 1993 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial 1994 Authentication in Kerberos (PKINIT)", RFC 4556, June 2006. 1996 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 1997 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 1998 May 2008. 2000 10.2. Informative References 2002 [EKE] Bellovin, S. and M. Merritt, "Augmented Encrypted Key 2003 Exchange: A Password-Based Protocol Secure Against 2004 Dictionary Attacks and Password File Compromise, 2005 Proceedings of the 1st ACM Conference on Computer and 2006 Communications Security, ACM Press.", November 1993. 2008 [ID.CROSS] 2009 Sakane, S., Zrelli, S., and M. Ishiyama , "Problem 2010 Statement on the Operation of Kerberos in a Specific 2011 System", draft-sakane-krb-cross-problem-statement-02.txt 2012 (work in progress), April 2007. 2014 [IEEE1363.2] 2015 IEEE, "IEEE P1363.2: Password-Based Public-Key 2016 Cryptography", 2004. 2018 [KRB-WG.SAM] 2019 Hornstein, K., Renard, K., Neuman, C., and G. Zorn, 2020 "Integrating Single-use Authentication Mechanisms with 2021 Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in 2022 progress), October 2003. 2024 [REFERRALS] 2025 Raeburn, K. and L. Zhu, "Generating KDC Referrals to 2026 Locate Kerberos Realms", 2027 draft-ietf-krb-wg-kerberos-referrals-11.txt (work in 2028 progress), 2008. 2030 Appendix A. Test Vectors for KRB-FX-CF2 2032 This informative appendix presents test vectors for the KRB-FX-CF2 2033 function. Test vectors are presented for several encryption types. 2035 In all cases the first key (k1) is the result of string-to- 2036 key("key1", "key1", default_parameters) and the second key (k2) is 2037 the result of string-to-key("key2", "key2", default_parameters). 2038 Both keys are of the same enctype. The presented test vector is the 2039 hexadecimal encoding of the key produced by KRB-FX-CF2(k1, k2, "a", 2040 "b"). The peppers are one-octet ASCII strings. 2042 In performing interoperability testing, there was significant 2043 ambiguity surrounding [RFC3961] pseudo-random operations. These test 2044 vectors assume that the AES pseudo-random operation is aes- 2045 ecb(trunc128(sha-1(input))) where trunc128 truncates its input to 2046 128-bits. The 3DES pseudo-random operation is assumed to be des3- 2047 cbc(trunc128(sha-1(input))). The DES pseudo-random operation is 2048 assumed to be des-cbc(md5(input)). As specified in RFC 4757, the RC4 2049 pseudo-random operation is hmac-sha1(input). 2051 Interoperability testing also demonstrated ambiguity surrounding the 2052 DES random-to-key operation. The random-to-key operation is assumed 2053 to be distribute 56 bits into high-7-bits of 8 octets and generate 2054 parity. 2056 These test vectors were produced with revision 22359 of the MIT 2057 Kerberos sources. The AES 256 and AES 128 test vectors have been 2058 confirmed by multiple other implementors. The RC4 test vectors have 2059 been confirmed by one other implementor. The DES and triple DES test 2060 vectors have not been confirmed. 2062 aes 128 (enctype 17): 97df97e4b798b29eb31ed7280287a92a 2063 AES256 (enctype 18): 4d6ca4e629785c1f01baf55e2e548566 2064 b9617ae3a96868c337cb93b5e72b1c7b 2065 DES (enctype 1): 43bae3738c9467e6 2066 3DES (enctype 16): e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 2067 RC4 (enctype 23): 24d7f6b6bae4e5c00d2082c5ebab3672 2069 Appendix B. Change History 2071 RFC editor, please remove this section before publication. 2073 B.1. Changes since 16 2075 Include conformance requirements section. 2076 Remove requirement for exchanging TLS style finish messages since 2077 FAST doesn't actually do this. The real security requirement is 2078 that the plaintext be protected; state this. Similarly, the 2079 requirement is that we be able to upgrade cryptographic algorithms 2080 not that a particular negotiation facility be used. 2082 B.2. Changes since 15 2084 Fix ASN.1 module 2085 Clarify generation of strengthen key. 2086 Fix IANA numbers to avoid conflicts 2087 ad-authentication-strength needs to be KDC issued. 2089 B.3. Changes Since 14 2091 Remove kdc-follow-referrals option and instead place as a 2092 reservations for the referrals draft. 2093 Note that a cookie followed by non-cookie terminates a 2094 conversation 2095 Move discussion of protecting cleartext to section 5 2096 Discuss pa-value and pa-hint in the ad element for authentication 2097 used 2098 Update rule on handling padata outside this framework 2100 B.4. Changes since 13 2102 Restore DES test vectors; their removal was not mentioned in 13. 2103 Clarify that only implicit TGS armor is defined at this time. In 2104 the future we may define explicit TGS armor. 2106 B.5. Changes since 12 2108 Per comment from Greg Hudson, KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 2109 instead of KDC_ERR_MORE_PREAUTH_DATA_NEEDED 2110 Use pa-authentication-set-selected not pa-auth-set-selected 2111 Update discussion of KDC verification (Love) 2112 Remove explicit TGS armor, note that TGS armor must authenticate 2113 the client to the KDC, describe in security considerations. 2115 B.6. Changes since 11 2117 Checksum the inner request body in methods like PKINIT, not the 2118 outer request body. Per mailing list discussion, this change 2119 addresses a potential security weakness. 2120 Add additional security considerations text 2122 B.7. Changes since 10 2124 The checksum member of the KrbFastFinished sequence has been 2125 removed. A nonce field has been added to KrbFastResponse. 2126 The cookie no longer needs to be outside of FAST. In fact, some 2127 security guarantees depend on the cookie being inside FAST now 2128 that the finish checksum has been removed. Affected that change. 2130 Replace the rep-key field in KrbFastResponse with the strengthen- 2131 key field. Per mailing list discussion, there are security 2132 advantages to strengthening the reply key. 2133 Clarify handling of authentication sets. 2134 Include the AD-fx-fast-used authorization data type. 2135 Include note about random nonces. 2137 B.8. Changes since 09 2139 Clarify conversations by defining for TGS and by describing how 2140 cookies form conversation boundaries. 2141 Simplify text surrounding when finish is included: always for AS 2142 and TGS reply, never for error. 2143 Fill in IANA and constants 2145 B.9. Changes since 08 2147 Fix a number of typos 2148 Rename anonymous flag to hide-client-name; rename kdc-referals to 2149 kdc-follow-referrals 2150 Clarify how anonymous pkinit interacts with KDC verified. 2151 Introduce AD-fx-fast-armor authorization data to deal with 2152 unprivileged processes constructing KDC requests. Note that a TGT 2153 is always used for armor tickets if the armor field is present; if 2154 you proxy or validate you'll end up with a TGT armor ticket and 2155 another ticket in the pa-tgs-req. Alternatively you can simply 2156 use the other ticket in the PA-TGS-REQ; weak consensus within WG. 2157 All KDCs in a realm MUST support FAST if it is to be offered. 2158 The cookie message is always generated by the KDC. 2159 Note that the client can trust and need not verify the time stamp 2160 in the finish message. This can seed the client's idea of KDC 2161 time. 2162 Note that the client name in the finish message may differ from 2163 the name in the request if referrals are used. 2164 Note that KDCs should advertize fast in preauth_required errors. 2165 Armor key is constructed using KRB-FX-CF2. This is true even in 2166 the TGS case; there is no security reason to do this. Using the 2167 subkey as done in draft 08 would be fine, but the current text 2168 uses the same procedure both in the TGS and AS case. 2169 Use a different challenge key in each direction in the encrypted 2170 challenge option. 2171 Note that the KDC should process PA-FX-COOKIE before other padata. 2172 KRB-FX-CF2 uses k1's enctype for the result; change around calling 2173 order so we pass in subkeys and armor keys as k1 in preference to 2174 long-term keys or ticket session keys. 2175 Clarify the relationship between authentication sets and cookies. 2176 A cookie may not be needed in the first message. Clarify how this 2177 interacts with optimistic clients. 2179 Remove text raising a concern that RFC 3961 may permit ciphertext 2180 transformations that do not change plaintext: discussion on the 2181 list came to the conclusion that RFC 3961 does not permit this. 2182 Remove binding key concept; use the armor key instead. The cookie 2183 becomes just an octet string. 2184 Include PA-FX-ERROR to protect the error information per Dublin. 2185 Returning preauth_failed in the failed to decrypt encrypted 2186 challenge seems fine; remove the issue marker 2187 Add a section describing what goes in the inner and outer request. 2188 I believe it is redundant but found it useful while putting 2189 together an implementation proposal. 2190 Use hyphen rather than underscore in the constants for pre- 2191 authentication data to be consistent with RFC 4120. 2192 Add a ticket-checksum to the finished message 2193 Remove redundant KEY_USAGE_FAST_ARMOR. 2194 Add protocol constants section for non-IANA registrations and 2195 flesh out IANA section. 2196 Clarify that kdc-req-body checksums should always use the outer 2197 body even for mechanisms like PKINIT that include their own (now 2198 redundant) checksum. 2199 Remove mechanism for encapsulating typed data in padata; just 2200 reflect the value. 2202 B.10. Changes since 07 2204 Propose replacement of authenticated timestamp with encrypted 2205 challenge. The desire to avoid clients needing time 2206 synchronization and to simply the factor. 2207 Add a requirement that any FAST armor scheme must provide a fresh 2208 key for each conversation. This allows us to assume that anything 2209 encrypted/integrity protected in the right key is fresh and not 2210 subject to cross-conversation cut and paste. 2211 Removed heartbeat padata. The KDC will double up messages if it 2212 needs to; the client simply sends its message and waits for the 2213 next response. 2214 Define PA-auth-SET-SELECTED 2215 Clarify a KDC cannot ignore padata is has claimed to support 2217 B.11. Changes since 06 2219 Note that even for replace reply key it is likely that the side 2220 using the mechanism will know that the other side supports it. 2221 Since it is reasonably unlikely we'll need a container mechanism 2222 other than FAST itself, we don't need to optimize for that case. 2223 So, we want to optimize for implementation simplicity. Thus if 2224 you do have such a container mechanism interacting with 2225 authentication sets we'll assume that the hint need to describe 2226 hints for all contained mechanisms. This closes out a long- 2227 standing issue. 2228 Write up what Sam believes is the consensus on UI and prompts in 2229 the authentication set: clients MAY assume that they have all the 2230 UI information they need. 2232 Appendix C. ASN.1 module 2234 KerberosPreauthFramework { 2235 iso(1) identified-organization(3) dod(6) internet(1) 2236 security(5) kerberosV5(2) modules(4) preauth-framework(3) 2237 } DEFINITIONS EXPLICIT TAGS ::= BEGIN 2239 IMPORTS 2240 KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum, 2241 Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY, 2242 Microseconds, KerberosFlags, UInt32 2243 FROM KerberosV5Spec2 { iso(1) identified-organization(3) 2244 dod(6) internet(1) security(5) kerberosV5(2) 2245 modules(4) krb5spec2(2) }; 2246 -- as defined in RFC 4120. 2248 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM 2250 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE { 2251 pa-type [0] Int32, 2252 -- same as padata-type. 2253 pa-hint [1] OCTET STRING OPTIONAL, 2254 pa-value [2] OCTET STRING OPTIONAL, 2255 ... 2256 } 2258 KrbFastArmor ::= SEQUENCE { 2259 armor-type [0] Int32, 2260 -- Type of the armor. 2261 armor-value [1] OCTET STRING, 2262 -- Value of the armor. 2263 ... 2264 } 2266 PA-FX-FAST-REQUEST ::= CHOICE { 2267 armored-data [0] KrbFastArmoredReq, 2268 ... 2269 } 2271 KrbFastArmoredReq ::= SEQUENCE { 2272 armor [0] KrbFastArmor OPTIONAL, 2273 -- Contains the armor that identifies the armor key. 2275 -- MUST be present in AS-REQ. 2276 req-checksum [1] Checksum, 2277 -- For AS, contains the checksum performed over the type 2278 -- KDC-REQ-BODY for the req-body field of the KDC-REQ 2279 -- structure; 2280 -- For TGS, contains the checksum performed over the type 2281 -- AP-REQ in the PA-TGS-REQ padata. 2282 -- The checksum key is the armor key, the checksum 2283 -- type is the required checksum type for the enctype of 2284 -- the armor key, and the key usage number is 2285 -- KEY_USAGE_FAST_REQ_CHKSUM. 2286 enc-fast-req [2] EncryptedData, -- KrbFastReq -- 2287 -- The encryption key is the armor key, and the key usage 2288 -- number is KEY_USAGE_FAST_ENC. 2289 ... 2290 } 2292 KrbFastReq ::= SEQUENCE { 2293 fast-options [0] FastOptions, 2294 -- Additional options. 2295 padata [1] SEQUENCE OF PA-DATA, 2296 -- padata typed holes. 2297 req-body [2] KDC-REQ-BODY, 2298 -- Contains the KDC request body as defined in Section 2299 -- 5.4.1 of [RFC4120]. 2300 -- This req-body field is preferred over the outer field 2301 -- in the KDC request. 2302 ... 2303 } 2305 FastOptions ::= KerberosFlags 2306 -- reserved(0), 2307 -- hide-client-names(1), 2308 -- kdc-follow-referrals(16) 2310 PA-FX-FAST-REPLY ::= CHOICE { 2311 armored-data [0] KrbFastArmoredRep, 2312 ... 2313 } 2315 KrbFastArmoredRep ::= SEQUENCE { 2316 enc-fast-rep [0] EncryptedData, -- KrbFastResponse -- 2317 -- The encryption key is the armor key in the request, and 2318 -- the key usage number is KEY_USAGE_FAST_REP. 2319 ... 2320 } 2322 KrbFastResponse ::= SEQUENCE { 2323 padata [0] SEQUENCE OF PA-DATA, 2324 -- padata typed holes. 2325 strengthen-key [1] EncryptionKey OPTIONAL, 2326 -- This, if present, strengthens the reply key for AS and 2327 -- TGS. MUST be present for TGS 2328 -- MUST be absent in KRB-ERROR. 2329 finished [2] KrbFastFinished OPTIONAL, 2330 -- Present in AS or TGS reply; absent otherwise. 2331 nonce [3] UInt32, 2332 -- Nonce from the client request. 2333 ... 2334 } 2336 KrbFastFinished ::= SEQUENCE { 2337 timestamp [0] KerberosTime, 2338 usec [1] Microseconds, 2339 -- timestamp and usec represent the time on the KDC when 2340 -- the reply was generated. 2341 crealm [2] Realm, 2342 cname [3] PrincipalName, 2343 -- Contains the client realm and the client name. 2344 ticket-checksum [4] Checksum, 2345 -- checksum of the ticket in the KDC-REP using the armor 2346 -- and the key usage is KEY_USAGE_FAST_FINISH. 2347 -- The checksum type is the required checksum type 2348 -- of the armor key. 2349 ... 2350 } 2352 EncryptedChallenge ::= EncryptedData 2353 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key 2354 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the 2355 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC. 2356 END 2358 Authors' Addresses 2360 Sam hartman 2361 Painless Security 2363 Email: hartmans-ietf@mit.edu 2364 Larry Zhu 2365 Microsoft Corporation 2366 One Microsoft Way 2367 Redmond, WA 98052 2368 US 2370 Email: larry.zhu@microsoft.com