gss-commit

CVS gss/doc/specification


From: gss-commit
Subject: CVS gss/doc/specification
Date: Wed, 16 Feb 2005 20:10:53 +0100

Update of /home/cvs/gss/doc/specification
In directory dopio:/tmp/cvs-serv29479

Added Files:
        draft-ietf-kitten-gssapi-channel-bindings-00.txt 
        draft-ietf-kitten-gssapi-extensions-iana-00.txt 
        draft-ietf-kitten-gssapi-store-cred-00.txt 
Log Message:
Add.


--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-channel-bindings-00.txt    2005/02/16 19:10:53     NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-channel-bindings-00.txt    2005/02/16 19:10:53     1.1

KITTEN WG                                                    N. Williams
Internet-Draft                                                       Sun
Expires: December 30, 2004                                     July 2004


  Clarifications and Extensions to the GSS-API for the Use of Channel
                                Bindings
            draft-ietf-kitten-gssapi-channel-bindings-00.txt

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 30, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document clarifies and generalizes the GSS-API "channel
   bindings" facility.  This document also specifies the format of the
   various types of channel bindings.









Williams               Expires December 30, 2004                [Page 1]

Internet-Draft          GSS-API Channel Bindings               July 2004


Table of Contents

   1.  Conventions used in this document  . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Generic Structure for GSS-API Channel Bindings . . . . . . . .  5
     3.1   Proper Mechanism Use of Channel Bindings . . . . . . . . .  5
   4.  Channel Bindings for SSHv2 . . . . . . . . . . . . . . . . . .  6
     4.1   GSS_Make_sshv2_channel_bindings()  . . . . . . . . . . . .  6
       4.1.1   C-Bindings . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Channel Bindings for TLS . . . . . . . . . . . . . . . . . . .  7
     5.1   GSS_Make_tls_channel_bindings()  . . . . . . . . . . . . .  7
       5.1.1   C-Bindings . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Channel Bindings for IPsec . . . . . . . . . . . . . . . . . .  8
     6.1   GSS_Make_ipsec_channel_bindings()  . . . . . . . . . . . .  8
       6.1.1   C-Bindings . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   8.1   Normative  . . . . . . . . . . . . . . . . . . . . . . . . . 11
   8.2   Informative  . . . . . . . . . . . . . . . . . . . . . . . . 11
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 12
   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 13
       Intellectual Property and Copyright Statements . . . . . . . . 14

1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   The concept of "channel bindings" and the abstract construction of
   channel bindings for several types of channels are described in
   [CHANNEL-BINDINGS].

   To actually use channel bindings in GSS-API applications, additional
   details are required; they are given below.

   First the structure given to channel bindings data in [RFC2744] is
   generalized to all of the GSS-API, not just its C-Bindings.

   Then the actual construction of channel bindings to SSHv2, TLS and
   IPsec channels is given.

3.  Generic Structure for GSS-API Channel Bindings

   The base GSS-API v2, update 1 specification [RFC2743] describes
   channel bindings as an OCTET STRING and leaves it to the GSS-API v2,
   update 1 C-Bindings specification to specify the structure of the
   contents of the channel bindings OCTET STRINGs.  The C-Bindings
   specification [RFC2744] then defines, in terms of C, what should be
   the generic structure for channel bindings.  The Kerberos V GSS
   mechanism [RFC1964] then defines a method for encoding GSS channel
   bindings in a way that is independent of the C-Bindings!

   In other words, the structure of GSS channel bindings given in
   [RFC2744] is actually generic, rather than specific to the C
   programming language.

   Here, then, is a generic re-statement of this structure, in
   pseudo-ASN.1:

                GSS-CHANNEL-BINDINGS ::= SEQUENCE {
                        initiator-address-type  INTEGER,
                        initiator-address       OCTET STRING,
                        acceptor-address-type   INTEGER,
                        acceptor-address        OCTET STRING,
                        application-data        OCTET STRING
                }

   The values for the address fields are described in [RFC2744].

   Language-specific bindings of the GSS-API should specify a
   language-specific formulation of this structure.

3.1  Proper Mechanism Use of Channel Bindings

   As described in [CHANNEL-BINDINGS], GSS mechanisms should exchange
   integrity-protected proofs of channel bindings, where the proof is
   obtained by running a strong hash over the channel bindings data
   (encoded as per some mechanism-specific encoding, such as the one in
   [RFC1964]) together with a binary value that represents the
   direction, initiator->acceptor or acceptor->initiator, in which the
   proof is sent.

   The encoding of channel bindings used in [RFC1964], with the addition
   of a binary value as described above and the substitution of SHA-1
   for MD5, is a reasonable, generic encoding of GSS-CHANNEL-BINDINGS
   that any future GSS mechanism can use.







4.  Channel Bindings for SSHv2

   The SSHv2 channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:

   1.  The ASCII string "GSS SSHv2 CB:"
   2.  The SSHv2 session ID
   3.  Any additional application-provided data, encoded as the DER
       encoding of an ASN.1 OCTET STRING

4.1  GSS_Make_sshv2_channel_bindings()

   Inputs:

   o  session_id OCTET STRING,
   o  additional_app_data OCTET STRING

   Outputs:

   o  major_status INTEGER,
   o  minor_status INTEGER,
   o  channel_bindings_app_data OCTET STRING

   Return major_status codes:
   o  GSS_S_COMPLETE indicates no error.
   o  GSS_S_FAILURE indicates failure to construct the channel bindings
      as a result, perhaps, of a memory management, or similar failure.

   This function constructs an OCTET STRING for use as the value of the
   application-data field of the GSS-CHANNEL-BINDINGS structure
   described above.

4.1.1  C-Bindings

   OM_uint32 gss_make_sshv2_channel_bindings(
     OM_uint32                  *minor_status,
     const gss_buffer_t         session_id,
     const gss_buffer_t         additional_app_data,
     gss_buffer_t               channel_bindings_app_data
   );

5.  Channel Bindings for TLS

   The TLS channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:

   1.  The ASCII string "GSS TLSv1.0 CB:"
   2.  The TLS finished message sent by the client
   3.  The TLS finished message sent by the server
   4.  Any additional application-provided data, encoded as the DER
       encoding of an ASN.1 OCTET STRING

5.1  GSS_Make_tls_channel_bindings()

   Inputs:

   o  client_finished_msg OCTET STRING,
   o  server_finished_msg OCTET STRING,
   o  additional_app_data OCTET STRING

   Outputs:

   o  major_status INTEGER,
   o  minor_status INTEGER,
   o  channel_bindings_app_data OCTET STRING

   Return major_status codes:
   o  GSS_S_COMPLETE indicates no error.
   o  GSS_S_FAILURE indicates failure to construct the channel bindings
      as a result, perhaps, of a memory management, or similar failure.

   This function constructs an OCTET STRING for use as the value of the
   application-data field of the GSS-CHANNEL-BINDINGS structure
   described above.

5.1.1  C-Bindings

   OM_uint32 gss_make_tls_channel_bindings(
     OM_uint32                  *minor_status,
     const gss_buffer_t         client_finished_msg,
     const gss_buffer_t         server_finished_msg,
     const gss_buffer_t         additional_app_data,
     gss_buffer_t               channel_bindings_app_data
   );
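   Sections 4 and 5 both build the application-data by concatenation;
   the following added Python example (not code from the draft or from
   any GSS implementation) builds both forms, including the DER OCTET
   STRING wrapper with long-form lengths, and parses the SSHv2 form back,
   rejecting missing or trailing octets.  The parser and its
   session_id_len parameter are this example's own additions.

```python
SSHV2_PREFIX = b"GSS SSHv2 CB:"
TLS_PREFIX = b"GSS TLSv1.0 CB:"

def der_octet_string(data):
    """DER OCTET STRING: tag 0x04, a definite length (short form below 128
    octets, otherwise 0x80|count followed by a minimal big-endian length),
    then the octets.  An empty value still encodes as 04 00."""
    n = len(data)
    if n < 0x80:
        return b"\x04" + bytes([n]) + data
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x04" + bytes([0x80 | len(length)]) + length + data

def make_sshv2_channel_bindings(session_id, additional_app_data=b""):
    """Section 4: prefix || SSHv2 session ID || DER(OCTET STRING app data)."""
    return SSHV2_PREFIX + session_id + der_octet_string(additional_app_data)

def make_tls_channel_bindings(client_finished, server_finished,
                              additional_app_data=b""):
    """Section 5: prefix || client Finished || server Finished || DER(...)."""
    return (TLS_PREFIX + client_finished + server_finished
            + der_octet_string(additional_app_data))

def parse_sshv2_channel_bindings(app_data, session_id_len):
    """Inverse of make_sshv2_channel_bindings (this example's addition): the
    session ID has no length field, so the caller must know it; the DER
    wrapper makes the tail self-delimiting, so trailing octets are rejected."""
    if not app_data.startswith(SSHV2_PREFIX):
        raise ValueError("bad prefix")
    pos = len(SSHV2_PREFIX)
    session_id = app_data[pos:pos + session_id_len]
    pos += session_id_len
    tag_len = app_data[pos:pos + 2]
    if len(tag_len) < 2 or tag_len[0] != 0x04 or len(session_id) != session_id_len:
        raise ValueError("truncated or missing OCTET STRING")
    first, pos = tag_len[1], pos + 2
    if first < 0x80:
        n = first
    else:
        count = first & 0x7F
        n = int.from_bytes(app_data[pos:pos + count], "big")
        pos += count
        if count == 0 or count > 4 or n < 0x80:  # DER: minimal length form only
            raise ValueError("non-DER length encoding")
    extra = app_data[pos:pos + n]
    if len(extra) != n or pos + n != len(app_data):
        raise ValueError("length mismatch or trailing octets")
    return session_id, extra
```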







6.  Channel Bindings for IPsec

   The IPsec channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:


[384 lines skipped]
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-extensions-iana-00.txt    2005/02/16 19:10:53     NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-extensions-iana-00.txt    2005/02/16 19:10:53     1.1

[777 lines skipped]
--- /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-store-cred-00.txt    2005/02/16 19:10:53     NONE
+++ /home/cvs/gss/doc/specification/draft-ietf-kitten-gssapi-store-cred-00.txt    2005/02/16 19:10:53     1.1

[1337 lines skipped]