[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVS shishi/doc/specifications
From: |
shishi-commit |
Subject: |
CVS shishi/doc/specifications |
Date: |
Fri, 21 Oct 2005 20:27:42 +0200 |
Update of /home/cvs/shishi/doc/specifications
In directory dopio:/tmp/cvs-serv31092
Added Files:
draft-ietf-cat-kerberos-pk-init-29.txt
Log Message:
Add.
--- /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-29.txt
2005/10/21 18:27:42 NONE
+++ /home/cvs/shishi/doc/specifications/draft-ietf-cat-kerberos-pk-init-29.txt
2005/10/21 18:27:42 1.1
NETWORK WORKING GROUP B. Tung
Internet-Draft USC Information Sciences Institute
Expires: April 22, 2006 L. Zhu
Microsoft Corporation
October 19, 2005
Public Key Cryptography for Initial Authentication in Kerberos
draft-ietf-cat-kerberos-pk-init-29
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 22, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes protocol extensions (hereafter called PKINIT)
to the Kerberos protocol specification. These extensions provide a
method for integrating public key cryptography into the initial
authentication exchange, by using asymmetric-key signature and/or
encryption algorithms in pre-authentication data fields.
Tung & Zhu Expires April 22, 2006 [Page 1]
Internet-Draft PKINIT October 2005
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Definitions, Requirements, and Constants . . . . . . . . . 4
3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 4
3.1.2. Defined Message and Encryption Types . . . . . . . . . 5
3.1.3. Algorithm Identifiers . . . . . . . . . . . . . . . . 6
3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 7
3.2.1. Generation of Client Request . . . . . . . . . . . . . 7
3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 10
3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 14
3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 20
3.3. Interoperability Requirements . . . . . . . . . . . . . . 21
3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 21
4. Security Considerations . . . . . . . . . . . . . . . . . . . 22
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.1. Normative References . . . . . . . . . . . . . . . . . . . 25
7.2. Informative References . . . . . . . . . . . . . . . . . . 26
Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 26
Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 32
Appendix C. Miscellaneous Information about Microsoft Windows
PKINIT Implementations . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
Intellectual Property and Copyright Statements . . . . . . . . . . 36
Tung & Zhu Expires April 22, 2006 [Page 2]
Internet-Draft PKINIT October 2005
1. Introduction
A client typically authenticates itself to a service in Kerberos
using three distinct though related exchanges. First, the client
requests a ticket-granting ticket (TGT) from the Kerberos
authentication server (AS). Then, it uses the TGT to request a
service ticket from the Kerberos ticket-granting server (TGS).
Usually, the AS and TGS are integrated in a single device known as a
Kerberos Key Distribution Center, or KDC. Finally, the client uses
the service ticket to authenticate itself to the service.
The advantage afforded by the TGT is that the client exposes his
long-term secrets only once. The TGT and its associated session key
can then be used for any subsequent service ticket requests. One
result of this is that all further authentication is independent of
the method by which the initial authentication was performed.
Consequently, initial authentication provides a convenient place to
integrate public-key cryptography into Kerberos authentication.
As defined in [RFC4120], Kerberos authentication exchanges use
symmetric-key cryptography, in part for performance. One
disadvantage of using symmetric-key cryptography is that the keys
must be shared, so that before a client can authenticate itself, he
must already be registered with the KDC.
Conversely, public-key cryptography (in conjunction with an
established Public Key Infrastructure) permits authentication without
prior registration with a KDC. Adding it to Kerberos allows the
widespread use of Kerberized applications by clients without
requiring them to register first with a KDC--a requirement that has
no inherent security benefit.
As noted above, a convenient and efficient place to introduce public-
key cryptography into Kerberos is in the initial authentication
exchange. This document describes the methods and data formats for
integrating public-key cryptography into Kerberos initial
authentication.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Both the AS and the TGS are referred to as the KDC.
In this document, the encryption key used to encrypt the enc-part
Tung & Zhu Expires April 22, 2006 [Page 3]
Internet-Draft PKINIT October 2005
field of the KDC-REP in the AS-REP [RFC4120] is referred to as the AS
reply key.
3. Extensions
This section describes extensions to [RFC4120] for supporting the use
of public-key cryptography in the initial request for a ticket.
Briefly, this document defines the following extensions to [RFC4120]:
1. The client indicates the use of public-key authentication by
including a special preauthenticator in the initial request. This
preauthenticator contains the client's public-key data and a
signature.
2. The KDC tests the client's request against its authentication
policy and trusted Certification Authorities (CAs).
3. If the request passes the verification tests, the KDC replies as
usual, but the reply is encrypted using either:
a. a key generated through a Diffie-Hellman (DH) key exchange
[RFC2631] [IEEE1363] with the client, signed using the KDC's
signature key; or
b. a symmetric encryption key, signed using the KDC's signature
key and encrypted using the client's public key.
Any keying material required by the client to obtain the
encryption key for decrypting the KDC reply is returned in a pre-
authentication field accompanying the usual reply.
4. The client validates the KDC's signature, obtains the encryption
key, decrypts the reply, and then proceeds as usual.
Section 3.1 of this document enumerates the required algorithms and
necessary extension message types. Section 3.2 describes the
extension messages in greater detail.
3.1. Definitions, Requirements, and Constants
3.1.1. Required Algorithms
All PKINIT implementations MUST support the following algorithms:
Tung & Zhu Expires April 22, 2006 [Page 4]
Internet-Draft PKINIT October 2005
o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-
sha1-96 [RFC3962].
o Signature algorithm: sha-1WithRSAEncryption [RFC3279].
o AS reply key delivery method: Diffie-Hellman key exchange
[RFC2631].
In addition, implementations of this specification MUST be capable of
processing the Extended Key Usage (EKU) extension and the id-pkinit-
san (as defined in Section 3.2.2) otherName of the Subject
Alternative Name (SAN) extension in X.509 certificates [RFC3280], if
present.
3.1.2. Defined Message and Encryption Types
PKINIT makes use of the following new pre-authentication types:
PA_PK_AS_REQ 16
PA_PK_AS_REP 17
PKINIT also makes use of the following new authorization data type:
AD_INITIAL_VERIFIED_CAS 9
PKINIT introduces the following new error codes:
KDC_ERR_CLIENT_NOT_TRUSTED 62
KDC_ERR_INVALID_SIG 64
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
KDC_ERR_CANT_VERIFY_CERTIFICATE 70
KDC_ERR_INVALID_CERTIFICATE 71
KDC_ERR_REVOKED_CERTIFICATE 72
KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
KDC_ERR_CLIENT_NAME_MISMATCH 75
KDC_ERR_INCONSISTENT_KEY_PURPOSE 76
PKINIT uses the following typed data types for errors:
TD_TRUSTED_CERTIFIERS 104
TD_INVALID_CERTIFICATES 105
TD_DH_PARAMETERS 109
PKINIT defines the following encryption types, for use in the etype
field of the AS-REQ [RFC4120] message to indicate acceptance of the
corresponding algorithms that can used by Cryptographic Message
Syntax (CMS) [RFC3852] messages in the reply:
Tung & Zhu Expires April 22, 2006 [Page 5]
Internet-Draft PKINIT October 2005
dsaWithSHA1-CmsOID 9
-- Indicates that the client supports dsaWithSHA1
md5WithRSAEncryption-CmsOID 10
-- Indicates that the client supports md5WithRSAEncryption
sha1WithRSAEncryption-CmsOID 11
-- Indicates that the client supports sha1WithRSAEncryption
rc2CBC-EnvOID 12
-- Indicates that the client supports rc2CBC
rsaEncryption-EnvOID 13
-- Indicates that the client supports
-- rsaEncryption (PKCS1 v2.1)
id-RSAES-OAEP-EnvOID 14
-- Indicates that the client supports
-- id-RSAES-OAEP (PKCS1 v2.1)
des-ede3-cbc-EnvOID 15
-- Indicates that the client supports des-ede3-cbc
The ASN.1 module for all structures defined in this document (plus
IMPORT statements for all imported structures) is given in
Appendix A.
All structures defined in or imported into this document MUST be
encoded using Distinguished Encoding Rules (DER) [X680] [X690]
(unless otherwise noted). All data structures carried in OCTET
STRINGs must be encoded according to the rules specified in
corresponding specifications.
Interoperability note: Some implementations may not be able to decode
wrapped CMS objects encoded with BER but not DER; specifically, they
may not be able to decode infinite length encodings. To maximize
interoperability, implementers SHOULD encode CMS objects used in
PKINIT with DER.
3.1.3. Algorithm Identifiers
PKINIT does not define, but does make use of, the following algorithm
identifiers.
PKINIT uses the following algorithm identifier(s) for Diffie-Hellman
key agreement [RFC3279]:
dhpublicnumber (Modular Exponential Diffie-Hellman [RFC2631])
PKINIT uses the following signature algorithm identifiers [RFC3279]:
sha-1WithRSAEncryption (RSA with SHA1)
md5WithRSAEncryption (RSA with MD5)
id-dsa-with-sha1 (DSA with SHA1)
Tung & Zhu Expires April 22, 2006 [Page 6]
Internet-Draft PKINIT October 2005
PKINIT uses the following encryption algorithm identifiers [RFC3447]
for encrypting the temporary key with a public key:
rsaEncryption (PKCS1 v2.1)
id-RSAES-OAEP (PKCS1 v2.1)
PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565]
for encrypting the AS reply key with the temporary key:
des-ede3-cbc (three-key 3DES, CBC mode)
rc2-cbc (RC2, CBC mode)
id-aes256-CBC (AES-256, CBC mode)
3.2. PKINIT Pre-authentication Syntax and Use
This section defines the syntax and use of the various pre-
authentication fields employed by PKINIT.
3.2.1. Generation of Client Request
The initial authentication request (AS-REQ) is sent as per [RFC4120];
in addition, a pre-authentication data element, whose padata-type is
PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
type PA-PK-AS-REQ, is included.
PA-PK-AS-REQ ::= SEQUENCE {
signedAuthPack [0] IMPLICIT OCTET STRING,
-- Contains a CMS type ContentInfo encoded
-- according to [RFC3852].
-- The contentType field of the type ContentInfo
-- is id-signedData (1.2.840.113549.1.7.2),
-- and the content field is a SignedData.
-- The eContentType field for the type SignedData is
-- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
-- eContent field contains the DER encoding of the
-- type AuthPack.
-- AuthPack is defined below.
trustedCertifiers [1] SEQUENCE OF
ExternalPrincipalIdentifier OPTIONAL,
-- A list of CAs, trusted by the client, that can
-- be used to certify the KDC.
-- Each ExternalPrincipalIdentifier identifies a CA
-- or a CA certificate (thereby its public key).
-- The information contained in the
-- trustedCertifiers SHOULD be used by the KDC as
-- hints to guide its selection of an appropriate
-- certificate chain to return to the client.
kdcPkId [2] IMPLICIT OCTET STRING
Tung & Zhu Expires April 22, 2006 [Page 7]
Internet-Draft PKINIT October 2005
OPTIONAL,
-- Contains a CMS type SignerIdentifier encoded
-- according to [RFC3852].
-- Identifies, if present, a particular KDC
-- public key that the client already has.
[1616 lines skipped]