[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS shishi/doc/specifications
From: |
shishi-commit |
Subject: |
CVS shishi/doc/specifications |
Date: |
Mon, 31 Jan 2005 22:04:44 +0100 |
Update of /home/cvs/shishi/doc/specifications
In directory dopio:/tmp/cvs-serv9644
Added Files:
draft-ietf-cat-kerberos-pk-init-23.txt
Log Message:
Add.
--- /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-23.txt
2005/01/31 21:04:44 NONE
+++ /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-23.txt
2005/01/31 21:04:44 1.1
NETWORK WORKING GROUP B. Tung
Internet-Draft USC Information Sciences Institute
Expires: August 4, 2005 L. Zhu
Microsoft Corporation
January 31, 2005
Public Key Cryptography for Initial Authentication in Kerberos
draft-ietf-cat-kerberos-pk-init-23
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 4, 2005.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes protocol extensions (hereafter called PKINIT)
to the Kerberos protocol specification. These extensions provide a
method for integrating public key cryptography into the initial
authentication exchange, by passing digital certificates and
associated authenticators in pre-authentication data fields.
Tung & Zhu Expires August 4, 2005 [Page 1]
Internet-Draft PKINIT January 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1 Definitions, Requirements, and Constants . . . . . . . . . 4
3.1.1 Required Algorithms . . . . . . . . . . . . . . . . . 4
3.1.2 Defined Message and Encryption Types . . . . . . . . . 5
3.1.3 Algorithm Identifiers . . . . . . . . . . . . . . . . 6
3.2 PKINIT Pre-authentication Syntax and Use . . . . . . . . . 6
3.2.1 Generation of Client Request . . . . . . . . . . . . . 7
3.2.2 Receipt of Client Request . . . . . . . . . . . . . . 9
3.2.3 Generation of KDC Reply . . . . . . . . . . . . . . . 12
3.2.4 Receipt of KDC Reply . . . . . . . . . . . . . . . . . 17
3.3 KDC Indication of PKINIT Support . . . . . . . . . . . . . 18
4. Security Considerations . . . . . . . . . . . . . . . . . . . 18
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 19
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.1 Normative References . . . . . . . . . . . . . . . . . . . 20
7.2 Informative References . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21
A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 21
Intellectual Property and Copyright Statements . . . . . . . . 27
Tung & Zhu Expires August 4, 2005 [Page 2]
Internet-Draft PKINIT January 2005
1. Introduction
A client typically authenticates itself to a service in Kerberos
using three distinct though related exchanges. First, the client
requests a ticket-granting ticket (TGT) from the Kerberos
authentication server (AS). Then, it uses the TGT to request a
service ticket from the Kerberos ticket-granting server (TGS).
Usually, the AS and TGS are integrated in a single device known as a
Kerberos Key Distribution Center, or KDC. (In this document, we will
refer to both the AS and the TGS as the KDC.) Finally, the client
uses the service ticket to authenticate itself to the service.
The advantage afforded by the TGT is that the client exposes his
long-term secrets only once. The TGT and its associated session key
can then be used for any subsequent service ticket requests. One
result of this is that all further authentication is independent of
the method by which the initial authentication was performed.
Consequently, initial authentication provides a convenient place to
integrate public-key cryptography into Kerberos authentication.
As defined in [CLAR], Kerberos authentication exchanges use
symmetric-key cryptography, in part for performance. One
disadvantage of using symmetric-key cryptography is that the keys
must be shared, so that before a client can authenticate itself, he
must already be registered with the KDC.
Conversely, public-key cryptography (in conjunction with an
established Public Key Infrastructure) permits authentication without
prior registration with a KDC. Adding it to Kerberos allows the
widespread use of Kerberized applications by clients without
requiring them to register first with a KDC--a requirement that has
no inherent security benefit.
As noted above, a convenient and efficient place to introduce
public-key cryptography into Kerberos is in the initial
authentication exchange. This document describes the methods and
data formats for integrating public-key cryptography into Kerberos
initial authentication.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Tung & Zhu Expires August 4, 2005 [Page 3]
Internet-Draft PKINIT January 2005
3. Extensions
This section describes extensions to [CLAR] for supporting the use of
public-key cryptography in the initial request for a ticket.
Briefly, this document defines the following extensions to [CLAR]:
1. The client indicates the use of public-key authentication by
including a special preauthenticator in the initial request. This
preauthenticator contains the client's public-key data and a
signature.
2. The KDC tests the client's request against its authentication
policy and trusted Certification Authorities (CAs).
3. If the request passes the verification tests, the KDC replies as
usual, but the reply is encrypted using either:
a. a key generated through a Diffie-Hellman (DH) key exchange
[RFC2631] with the client, signed using the KDC's signature
key; or
b. a symmetric encryption key, signed using the KDC's signature
key and encrypted using the client's public key.
Any keying material required by the client to obtain the
encryption key for decrypting the KDC reply is returned in a
pre-authentication field accompanying the usual reply.
4. The client obtains the encryption key, decrypts the reply, and
then proceeds as usual.
Section 3.1 of this document enumerates the required algorithms and
necessary extension message types. Section 3.2 describes the
extension messages in greater detail.
3.1 Definitions, Requirements, and Constants
3.1.1 Required Algorithms
All PKINIT implementations MUST support the following algorithms:
o AS reply key: AES256-CTS-HMAC-SHA1-96 etype [KCRYPTO].
o Signature algorithm: sha-1WithRSAEncryption [RFC3279].
o KDC AS reply key delivery method: ephemeral-ephemeral
Diffie-Hellman exchange (Diffie-Hellman keys are not cached).
Tung & Zhu Expires August 4, 2005 [Page 4]
3.1.2 Defined Message and Encryption Types
PKINIT makes use of the following new pre-authentication types:
PA-PK-AS-REQ 16
PA-PK-AS-REP 17
PKINIT also makes use of the following new authorization data type:
AD-INITIAL-VERIFIED-CAS 9
PKINIT introduces the following new error codes:
KDC_ERR_CLIENT_NOT_TRUSTED 62
KDC_ERR_KDC_NOT_TRUSTED 63
KDC_ERR_INVALID_SIG 64
KDC_ERR_KEY_SIZE 65
KDC_ERR_CERTIFICATE_MISMATCH 66
KDC_ERR_CANT_VERIFY_CERTIFICATE 70
KDC_ERR_INVALID_CERTIFICATE 71
KDC_ERR_REVOKED_CERTIFICATE 72
KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
KDC_ERR_CLIENT_NAME_MISMATCH 75
PKINIT uses the following typed data types for errors:
TD-TRUSTED-CERTIFIERS 104
TD-CERTIFICATE-INDEX 105
TD-DH-PARAMETERS 109
PKINIT defines the following encryption types, for use in the AS-REQ
message (to indicate acceptance of the corresponding encryption
Object Identifiers (OIDs) in PKINIT):
dsaWithSHA1-CmsOID 9
md5WithRSAEncryption-CmsOID 10
sha1WithRSAEncryption-CmsOID 11
rc2CBC-EnvOID 12
rsaEncryption-EnvOID (PKCS1 v1.5) 13
rsaES-OAEP-EnvOID (PKCS1 v2.0) 14
des-ede3-cbc-EnvOID 15
The above encryption types are used by the client only within the
KDC-REQ-BODY to indicate which Cryptographic Message Syntax (CMS)
[RFC3852] algorithms it supports. Their use within Kerberos
EncryptedData structures is not specified by this document.
The ASN.1 module for all structures defined in this document (plus
IMPORT statements for all imported structures) are given in
Tung & Zhu Expires August 4, 2005 [Page 5]
Internet-Draft PKINIT January 2005
Appendix A.
All structures defined in or imported into this document MUST be
encoded using Distinguished Encoding Rules (DER) [X690]. All data
structures wrapped in OCTET STRINGs must be encoded according to the
rules specified in corresponding specifications.
Interoperability note: Some implementations may not be able to decode
CMS objects encoded with BER but not DER; specifically, they may not
be able to decode infinite length encodings. To maximize
interoperability, implementers SHOULD encode CMS objects used in
PKINIT with DER.
3.1.3 Algorithm Identifiers
PKINIT does not define, but does make use of, the following algorithm
identifiers.
PKINIT uses the following algorithm identifier for Diffie-Hellman key
agreement [RFC3279]:
dhpublicnumber
PKINIT uses the following signature algorithm identifiers [RFC3279]:
sha-1WithRSAEncryption (RSA with SHA1)
md5WithRSAEncryption (RSA with MD5)
id-dsa-with-sha1 (DSA with SHA1)
PKINIT uses the following encryption algorithm identifiers [RFC3447]
for encrypting the temporary key with a public key:
rsaEncryption (PKCS1 v1.5)
id-RSAES-OAEP (PKCS1 v2.0)
PKINIT uses the following algorithm identifiers [RFC3370][RFC3565]
for encrypting the reply key with the temporary key:
des-ede3-cbc (three-key 3DES, CBC mode)
rc2-cbc (RC2, CBC mode)
id-aes256-CBC (AES-256, CBC mode)
3.2 PKINIT Pre-authentication Syntax and Use
This section defines the syntax and use of the various
pre-authentication fields employed by PKINIT.
Tung & Zhu Expires August 4, 2005 [Page 6]
Internet-Draft PKINIT January 2005
3.2.1 Generation of Client Request
The initial authentication request (AS-REQ) is sent as per [CLAR]; in
addition, a pre-authentication field contains data signed by the
client's private signature key, as follows:
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
-- Contains a CMS type ContentInfo encoded
-- according to [RFC3852].
-- The contentType field of the type ContentInfo
-- is id-signedData (1.2.840.113549.1.7.2),
-- and the content field is a SignedData.
-- The eContentType field for the type SignedData is
-- id-pkauthdata (1.3.6.1.5.2.3.1), and the
-- eContent field contains the DER encoding of the
-- type AuthPack.
-- AuthPack is defined below.
trustedCertifiers [1] SEQUENCE OF TrustedCA OPTIONAL,
-- A list of CAs, trusted by the client, that can
-- be used to validate KDC certificates.
kdcCert [2] IMPLICIT OCTET STRING
OPTIONAL,
-- Contains a CMS type IssuerAndSerialNumber encoded
-- according to [RFC3852].
-- Identifies a particular KDC certificate, if the
-- client already has it.
...
}
DHNonce ::= OCTET STRING
TrustedCA ::= CHOICE {
caName [1] IMPLICIT OCTET STRING,
-- Contains a PKIX type Name encoded according to
-- [RFC3280].
issuerAndSerial [2] IMPLICIT OCTET STRING,
-- Contains a CMS type IssuerAndSerialNumber encoded
-- according to [RFC3852].
-- Identifies a specific CA certificate.
...
}
AuthPack ::= SEQUENCE {
pkAuthenticator [0] PKAuthenticator,
clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
-- Defined in [RFC3280].
-- Present only if the client wishes to use the
Tung & Zhu Expires August 4, 2005 [Page 7]
Internet-Draft PKINIT January 2005
-- Diffie-Hellman key agreement method.
supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
OPTIONAL,
-- List of CMS encryption types supported by
-- client in order of (decreasing) preference.
clientDHNonce [3] DHNonce OPTIONAL,
[1110 lines skipped]