[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS shishi/doc/specifications
From: |
shishi-commit |
Subject: |
CVS shishi/doc/specifications |
Date: |
Tue, 07 Dec 2004 23:29:15 +0100 |
Update of /home/cvs/shishi/doc/specifications
In directory dopio:/tmp/cvs-serv25592
Added Files:
draft-ietf-cat-kerberos-pk-init-22.txt
Log Message:
Add.
--- /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-22.txt
2004/12/07 22:29:15 NONE
+++ /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-22.txt
2004/12/07 22:29:15 1.1
NETWORK WORKING GROUP B. Tung
Internet-Draft C. Neuman
Expires: June 6, 2005 USC Information Sciences Institute
L. Zhu
M. Hur
Microsoft Corporation
S. Medvinsky
Motorola, Inc.
December 6, 2004
Public Key Cryptography for Initial Authentication in Kerberos
draft-ietf-cat-kerberos-pk-init
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on June 6, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
This document describes protocol extensions (hereafter called PKINIT)
to the Kerberos protocol specification. These extensions provide a
Tung, et al. Expires June 6, 2005 [Page 1]
Internet-Draft PKINIT December 2004
method for integrating public key cryptography into the initial
authentication exchange, by passing digital certificates and
associated authenticators in preauthentication data fields.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 4
3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1 Definitions, Requirements, and Constants . . . . . . . . . 5
3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 5
3.1.2 Defined Message and Encryption Types . . . . . . . . . 6
3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 7
3.2 PKINIT Preauthentication Syntax and Use . . . . . . . . . 7
3.2.1 Client Request . . . . . . . . . . . . . . . . . . . . 8
3.2.2 Validation of Client Request . . . . . . . . . . . . . 10
3.2.3 KDC Reply . . . . . . . . . . . . . . . . . . . . . . 12
3.2.4 Validation of KDC Reply . . . . . . . . . . . . . . . 17
3.3 KDC Indication of PKINIT Support . . . . . . . . . . . . . 17
4. Security Considerations . . . . . . . . . . . . . . . . . . . 19
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
7. Normative References . . . . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 23
A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . 28
Tung, et al. Expires June 6, 2005 [Page 2]
Internet-Draft PKINIT December 2004
1. Introduction
A client typically authenticates itself to a service in Kerberos
using three distinct though related exchanges. First, the client
requests a ticket-granting ticket (TGT) from the Kerberos
authentication server (AS). Then, it uses the TGT to request a
service ticket from the Kerberos ticket-granting server (TGS).
Usually, the AS and TGS are integrated in a single device known as a
Kerberos Key Distribution Center, or KDC. Finally, the client uses
the service ticket to authenticate itself to the service.
The advantage afforded by the TGT is that the client need explicitly
request a ticket and expose his credentials only once. The TGT and
its associated session key can then be used for any subsequent
requests. One result of this is that all further authentication is
independent of the method by which the initial authentication was
performed. Consequently, initial authentication provides a
convenient place to integrate public-key cryptography into Kerberos
authentication.
As defined, Kerberos authentication exchanges use symmetric-key
cryptography, in part for performance. One cost of using
symmetric-key cryptography is that the keys must be shared, so that
before a client can authenticate itself, he must already be
registered with the KDC.
Conversely, public-key cryptography (in conjunction with an
established Public Key Infrastructure) permits authentication without
prior registration with a KDC. Adding it to Kerberos allows the
widespread use of Kerberized applications by clients without
requiring them to register first with a KDC--a requirement that has
no inherent security benefit.
As noted above, a convenient and efficient place to introduce
public-key cryptography into Kerberos is in the initial
authentication exchange. This document describes the methods and
data formats for integrating public-key cryptography into Kerberos
initial authentication.
Tung, et al. Expires June 6, 2005 [Page 3]
Internet-Draft PKINIT December 2004
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
In this document, we will refer to both the AS and the TGS as the
KDC.
Tung, et al. Expires June 6, 2005 [Page 4]
Internet-Draft PKINIT December 2004
3. Extensions
This section describes extensions to [CLAR] for supporting the use of
public-key cryptography in the initial request for a ticket.
Briefly, this document defines the following extensions to [CLAR]:
1. The client indicates the use of public-key authentication by
including a special preauthenticator in the initial request. This
preauthenticator contains the client's public-key data and a
signature.
2. The KDC tests the client's request against its policy and trusted
Certification Authorities (CAs).
3. If the request passes the verification tests, the KDC replies as
usual, but the reply is encrypted using either:
a. a symmetric encryption key, signed using the KDC's signature
key and encrypted using the client's encryption key; or
b. a key generated through a Diffie-Hellman exchange with the
client, signed using the KDC's signature key.
Any keying material required by the client to obtain the
Encryption key is returned in a preauthentication field
accompanying the usual reply.
4. The client obtains the encryption key, decrypts the reply, and
then proceeds as usual.
Section 3.1 of this document defines the necessary message formats.
Section 3.2 describes their syntax and use in greater detail.
3.1 Definitions, Requirements, and Constants
3.1.1 Required Algorithms
All PKINIT implementations MUST support the following algorithms:
o AS reply key: AES256-CTS-HMAC-SHA1-96 etype [KCRYPTO].
o Signature algorithm: SHA-1 digest and RSA.
o Reply key delivery method: RSA or ephemeral-ephemeral
Diffie-Hellman.
Tung, et al. Expires June 6, 2005 [Page 5]
Internet-Draft PKINIT December 2004
3.1.2 Defined Message and Encryption Types
PKINIT makes use of the following new preauthentication types:
PA-PK-AS-REQ 16
PA-PK-AS-REP 17
PKINIT also makes use of the following new authorization data type:
AD-INITIAL-VERIFIED-CAS 9
PKINIT introduces the following new error codes:
KDC_ERR_CLIENT_NOT_TRUSTED 62
KDC_ERR_KDC_NOT_TRUSTED 63
KDC_ERR_INVALID_SIG 64
KDC_ERR_KEY_SIZE 65
KDC_ERR_CERTIFICATE_MISMATCH 66
KDC_ERR_CANT_VERIFY_CERTIFICATE 70
KDC_ERR_INVALID_CERTIFICATE 71
KDC_ERR_REVOKED_CERTIFICATE 72
KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
KDC_ERR_CLIENT_NAME_MISMATCH 75
PKINIT uses the following typed data types for errors:
TD-TRUSTED-CERTIFIERS 104
TD-CERTIFICATE-INDEX 105
TD-DH-PARAMETERS 109
PKINIT defines the following encryption types, for use in the
KRB_AS_REQ message (to indicate acceptance of the corresponding
encryption OIDs in PKINIT):
dsaWithSHA1-CmsOID 9
md5WithRSAEncryption-CmsOID 10
sha1WithRSAEncryption-CmsOID 11
rc2CBC-EnvOID 12
rsaEncryption-EnvOID (PKCS1 v1.5) 13
rsaES-OAEP-EnvOID (PKCS1 v2.0) 14
des-ede3-cbc-EnvOID 15
The above encryption types are used by the client only within the
KDC-REQ-BODY to indicate which CMS [RFC2630] algorithms it supports.
Their use within Kerberos EncryptedData structures is not specified
by this document.
Tung, et al. Expires June 6, 2005 [Page 6]
Internet-Draft PKINIT December 2004
The ASN.1 module for all structures defined in this document (plus
IMPORT statements for all imported structures) are given in Appendix
A.
All structures defined in this document MUST be encoded using
Distinguished Encoding Rules (DER) [X690]. All imported data
structures must be encoded according to the rules specified in
Kerberos [CLAR] or CMS [RFC2630] as appropriate.
Interoperability note: Some implementations may not be able to decode
CMS objects encoded with BER but not DER; specifically, they may not
be able to decode infinite length encodings. To maximize
interoperability, implementers SHOULD encode CMS objects used in
PKINIT with DER.
3.1.3 Algorithm Identifiers
PKINIT does not define, but does make use of, the following algorithm
identifiers.
PKINIT uses the following algorithm identifier for Diffie-Hellman key
agreement [FIPS74]:
dhpublicnumber
PKINIT uses the following signature algorithm identifiers [RFC3279]:
sha-1WithRSAEncryption (RSA with SHA1)
md5WithRSAEncryption (RSA with MD5)
id-dsa-with-sha1 (DSA with SHA1)
PKINIT uses the following encryption algorithm identifiers [RFC2437]
for encrypting the temporary key with a public key:
rsaEncryption (PKCS1 v1.5)
id-RSAES-OAEP (PKCS1 v2.0)
PKINIT uses the following algorithm identifiers [RFC2630] for
encrypting the reply key with the temporary key:
des-ede3-cbc (three-key 3DES, CBC mode)
rc2-cbc (RC2, CBC mode)
aes256_CBC (AES-256, CBC mode)
3.2 PKINIT Preauthentication Syntax and Use
This section defines the syntax and use of the various
Tung, et al. Expires June 6, 2005 [Page 7]
Internet-Draft PKINIT December 2004
preauthentication fields employed by PKINIT.
3.2.1 Client Request
The initial authentication request (KRB_AS_REQ) is sent as per
[1169 lines skipped]
- CVS shishi/doc/specifications,
shishi-commit <=