shishi-commit
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVS shishi/doc/specifications


From: shishi-commit
Subject: CVS shishi/doc/specifications
Date: Fri, 2 Dec 2005 00:52:01 +0100

Update of /home/cvs/shishi/doc/specifications
In directory dopio:/tmp/cvs-serv21944

Added Files:
        draft-ietf-cat-kerberos-pk-init-30.txt 
Log Message:
Add.


--- /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-30.txt  
2005/12/01 23:52:01     NONE
+++ /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-30.txt  
2005/12/01 23:52:01     1.1



NETWORK WORKING GROUP                                             L. Zhu
Internet-Draft                                     Microsoft Corporation
Expires: June 2, 2006                                            B. Tung
                                      USC Information Sciences Institute
                                                       November 29, 2005


     Public Key Cryptography for Initial Authentication in Kerberos
                   draft-ietf-cat-kerberos-pk-init-30

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 2, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes protocol extensions (hereafter called PKINIT)
   to the Kerberos protocol specification.  These extensions provide a
   method for integrating public key cryptography into the initial
   authentication exchange, by using asymmetric-key signature and/or
   encryption algorithms in pre-authentication data fields.





Zhu & Tung                Expires June 2, 2006                  [Page 1]

Internet-Draft                   PKINIT                    November 2005


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
   3.  Extensions . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     3.1.  Definitions, Requirements, and Constants . . . . . . . . .  5
       3.1.1.  Required Algorithms  . . . . . . . . . . . . . . . . .  5
       3.1.2.  Defined Message and Encryption Types . . . . . . . . .  5
       3.1.3.  Algorithm Identifiers  . . . . . . . . . . . . . . . .  6
     3.2.  PKINIT Pre-authentication Syntax and Use . . . . . . . . .  7
       3.2.1.  Generation of Client Request . . . . . . . . . . . . .  7
       3.2.2.  Receipt of Client Request  . . . . . . . . . . . . . . 12
       3.2.3.  Generation of KDC Reply  . . . . . . . . . . . . . . . 16
       3.2.4.  Receipt of KDC Reply . . . . . . . . . . . . . . . . . 22
     3.3.  Interoperability Requirements  . . . . . . . . . . . . . . 24
     3.4.  KDC Indication of PKINIT Support . . . . . . . . . . . . . 24
   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 25
   5.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 27
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 27
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 28
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 29
   Appendix A.  PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 29
   Appendix B.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 35
   Appendix C.  Miscellaneous Information about Microsoft Windows
                PKINIT Implementations  . . . . . . . . . . . . . . . 36
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38
   Intellectual Property and Copyright Statements . . . . . . . . . . 39























Zhu & Tung                Expires June 2, 2006                  [Page 2]

Internet-Draft                   PKINIT                    November 2005


1.  Introduction

   A client typically authenticates itself to a service in Kerberos
   using three distinct though related exchanges.  First, the client
   requests a ticket-granting ticket (TGT) from the Kerberos
   authentication server (AS).  Then, it uses the TGT to request a
   service ticket from the Kerberos ticket-granting server (TGS).
   Usually, the AS and TGS are integrated in a single device known as a
   Kerberos Key Distribution Center, or KDC.  Finally, the client uses
   the service ticket to authenticate itself to the service.

   The advantage afforded by the TGT is that the client exposes his
   long-term secrets only once.  The TGT and its associated session key
   can then be used for any subsequent service ticket requests.  One
   result of this is that all further authentication is independent of
   the method by which the initial authentication was performed.
   Consequently, initial authentication provides a convenient place to
   integrate public-key cryptography into Kerberos authentication.

   As defined in [RFC4120], Kerberos authentication exchanges use
   symmetric-key cryptography, in part for performance.  One
   disadvantage of using symmetric-key cryptography is that the keys
   must be shared, so that before a client can authenticate itself, he
   must already be registered with the KDC.

   Conversely, public-key cryptography (in conjunction with an
   established Public Key Infrastructure) permits authentication without
   prior registration with a KDC.  Adding it to Kerberos allows the
   widespread use of Kerberized applications by clients without
   requiring them to register first with a KDC--a requirement that has
   no inherent security benefit.

   As noted above, a convenient and efficient place to introduce public-
   key cryptography into Kerberos is in the initial authentication
   exchange.  This document describes the methods and data formats for
   integrating public-key cryptography into Kerberos initial
   authentication.


2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Both the AS and the TGS are referred to as the KDC.

   In this document, the encryption key used to encrypt the enc-part



Zhu & Tung                Expires June 2, 2006                  [Page 3]

Internet-Draft                   PKINIT                    November 2005


   field of the KDC-REP in the AS-REP [RFC4120] is referred to as the AS
   reply key.

   In this document, an empty sequence in an optional field can be
   either included or omitted: both encodings are permitted and
   considered equivalent.

   In this document, the term "Modular Exponential Diffie-Hellman" is
   used to refer to the Diffie-Hellman key exchange as described in
   [RFC2631], in order to differentiate it from other equivalent
   representations of the same key agreement algorithm.


3.  Extensions

   This section describes extensions to [RFC4120] for supporting the use
   of public-key cryptography in the initial request for a ticket.

   Briefly, this document defines the following extensions to [RFC4120]:

   1. The client indicates the use of public-key authentication by
      including a special preauthenticator in the initial request.  This
      preauthenticator contains the client's public-key data and a
      signature.

   2. The KDC tests the client's request against its authentication
      policy and trusted Certification Authorities (CAs).

   3. If the request passes the verification tests, the KDC replies as
      usual, but the reply is encrypted using either:

      a. a key generated through a Diffie-Hellman (DH) key exchange
         [RFC2631] [IEEE1363] with the client, signed using the KDC's
         signature key; or

      b. a symmetric encryption key, signed using the KDC's signature
         key and encrypted using the client's public key.

      Any keying material required by the client to obtain the
      encryption key for decrypting the KDC reply is returned in a pre-
      authentication field accompanying the usual reply.

   4. The client validates the KDC's signature, obtains the encryption
      key, decrypts the reply, and then proceeds as usual.

   Section 3.1 of this document enumerates the required algorithms and
   necessary extension message types.  Section 3.2 describes the
   extension messages in greater detail.



Zhu & Tung                Expires June 2, 2006                  [Page 4]

Internet-Draft                   PKINIT                    November 2005


3.1.  Definitions, Requirements, and Constants

3.1.1.  Required Algorithms

   All PKINIT implementations MUST support the following algorithms:

   o  AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-
      sha1-96 [RFC3962].

   o  Signature algorithm: sha-1WithRSAEncryption [RFC3279].

   o  AS reply key delivery method: Diffie-Hellman key exchange
      [RFC2631].

   In addition, implementations of this specification MUST be capable of
   processing the Extended Key Usage (EKU) extension and the id-pkinit-
   san (as defined in Section 3.2.2) otherName of the Subject
   Alternative Name (SAN) extension in X.509 certificates [RFC3280], if
   present.

3.1.2.  Defined Message and Encryption Types

   PKINIT makes use of the following new pre-authentication types:

       PA_PK_AS_REQ                                 16
       PA_PK_AS_REP                                 17

   PKINIT also makes use of the following new authorization data type:

       AD_INITIAL_VERIFIED_CAS                       9

   PKINIT introduces the following new error codes:

       KDC_ERR_CLIENT_NOT_TRUSTED                   62
       KDC_ERR_INVALID_SIG                          64
       KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED       65
       KDC_ERR_CANT_VERIFY_CERTIFICATE              70
       KDC_ERR_INVALID_CERTIFICATE                  71
       KDC_ERR_REVOKED_CERTIFICATE                  72
       KDC_ERR_REVOCATION_STATUS_UNKNOWN            73
       KDC_ERR_CLIENT_NAME_MISMATCH                 75
       KDC_ERR_INCONSISTENT_KEY_PURPOSE             76
       KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED          77
       KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED             78
       KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED   79

   PKINIT uses the following typed data types for errors:




Zhu & Tung                Expires June 2, 2006                  [Page 5]

Internet-Draft                   PKINIT                    November 2005


       TD_TRUSTED_CERTIFIERS                       104
       TD_INVALID_CERTIFICATES                     105
       TD_DH_PARAMETERS                            109

   The ASN.1 module for all structures defined in this document (plus
   IMPORT statements for all imported structures) is given in
   Appendix A.

   All structures defined in or imported into this document MUST be
   encoded using Distinguished Encoding Rules (DER) [X680] [X690]
   (unless otherwise noted).  All data structures carried in OCTET
   STRINGs must be encoded according to the rules specified in
   corresponding specifications.

   Interoperability note: Some implementations may not be able to decode
   wrapped CMS objects encoded with BER but not DER; specifically, they
   may not be able to decode indefinite length encodings.  To maximize
   interoperability, implementers SHOULD encode CMS objects used in
   PKINIT with DER.

3.1.3.  Algorithm Identifiers

   PKINIT does not define, but does make use of, the following algorithm
   identifiers.

   PKINIT uses the following algorithm identifier(s) for Modular
   Exponential Diffie-Hellman key agreement [RFC2631] [RFC3279]:

       dhpublicnumber (as described in [RFC3279])

   PKINIT uses the following signature algorithm identifiers as defined
   in [RFC3279]:

       sha-1WithRSAEncryption (RSA with SHA1)
       md5WithRSAEncryption   (RSA with MD5)
       id-dsa-with-sha1       (DSA with SHA1)

   PKINIT uses the following encryption algorithm identifiers as defined
   in [RFC3447] for encrypting the temporary key with a public key:

       rsaEncryption
       id-RSAES-OAEP

   PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565]
   for encrypting the AS reply key with the temporary key:

       des-ede3-cbc (three-key 3DES, CBC mode, as defined in [RFC3370])
       rc2-cbc       (RC2, CBC mode, as defined in [RFC3370])



Zhu & Tung                Expires June 2, 2006                  [Page 6]

Internet-Draft                   PKINIT                    November 2005


       id-aes256-CBC (AES-256, CBC mode, as defined in [RFC3565])

   PKINIT defines the following encryption types, for use in the etype
   field of the AS-REQ [RFC4120] message to indicate acceptance of the
   corresponding algorithms that can used by Cryptographic Message
   Syntax (CMS) [RFC3852] messages in the reply:

       id-dsa-with-sha1-CmsOID                       9
          -- Indicates that the client supports id-dsa-with-sha1.
       md5WithRSAEncryption-CmsOID                  10
          -- Indicates that the client supports md5WithRSAEncryption.
       sha-1WithRSAEncryption-CmsOID                11
          -- Indicates that the client supports sha-1WithRSAEncryption.
       rc2-cbc-EnvOID                               12
          -- Indicates that the client supports rc2-cbc.
       rsaEncryption-EnvOID                         13
          -- Indicates that the client supports rsaEncryption.
       id-RSAES-OAEP-EnvOID                         14
          -- Indicates that the client supports id-RSAES-OAEP.
       des-ede3-cbc-EnvOID                          15
          -- Indicates that the client supports des-ede3-cbc.

3.2.  PKINIT Pre-authentication Syntax and Use

   This section defines the syntax and use of the various pre-
   authentication fields employed by PKINIT.

3.2.1.  Generation of Client Request

   The initial authentication request (AS-REQ) is sent as per [RFC4120];
   in addition, a pre-authentication data element, whose padata-type is
   PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
   type PA-PK-AS-REQ, is included.

       PA-PK-AS-REQ ::= SEQUENCE {
          signedAuthPack          [0] IMPLICIT OCTET STRING,
                   -- Contains a CMS type ContentInfo encoded
                   -- according to [RFC3852].
                   -- The contentType field of the type ContentInfo
                   -- is id-signedData (1.2.840.113549.1.7.2),
                   -- and the content field is a SignedData.
                   -- The eContentType field for the type SignedData is
                   -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
                   -- eContent field contains the DER encoding of the
                   -- type AuthPack.
                   -- AuthPack is defined below.
          trustedCertifiers       [1] SEQUENCE OF
                      ExternalPrincipalIdentifier OPTIONAL,



Zhu & Tung                Expires June 2, 2006                  [Page 7]

Internet-Draft                   PKINIT                    November 2005


                   -- Contains a list of CAs, trusted by the client,
                   -- that can be used to certify the KDC.
                   -- Each ExternalPrincipalIdentifier identifies a CA
                   -- or a CA certificate (thereby its public key).
                   -- The information contained in the

[1788 lines skipped]




reply via email to

[Prev in Thread] Current Thread [Next in Thread]