summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/protocol/draft-santesson-tls-gssapi-03.txt900
1 files changed, 900 insertions, 0 deletions
diff --git a/doc/protocol/draft-santesson-tls-gssapi-03.txt b/doc/protocol/draft-santesson-tls-gssapi-03.txt
new file mode 100644
index 0000000000..98a615c3d5
--- /dev/null
+++ b/doc/protocol/draft-santesson-tls-gssapi-03.txt
@@ -0,0 +1,900 @@
+
+
+NETWORK WORKING GROUP L. Zhu
+Internet-Draft G. Chander
+Updates: 4279 (if approved) Microsoft Corporation
+Intended status: Standards Track J. Altman
+Expires: January 26, 2008 Secure Endpoints Inc.
+ S. Santesson
+ Microsoft Corporation
+ July 25, 2007
+
+
+ Flexible Key Agreement for Transport Layer Security (FKA-TLS)
+ draft-santesson-tls-gssapi-03
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 26, 2008.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ This document defines extensions to RFC 4279, "Pre-Shared Key
+ Ciphersuites for Transport Layer Security (TLS)", to enable dynamic
+ key sharing in distributed environments using a Generic Security
+ Service Application Program Interface (GSS-API) mechanism, and then
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 1]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ import that shared key as the "Pre-Shared Key" to complete the TLS
+ handshake.
+
+ This is a modular approach to perform authentication and key exchange
+ based on off-shelf libraries. And it obviates the need of pair-wise
+ key sharing by enabling the use of the widely-deployed Kerberos alike
+ trust infrastructures that are highly scalable and robust.
+ Furthermore, conforming implementations can provide server
+ authentication without the use of certificates.
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
+ 3. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 3
+ 4. Choosing GSS-API Mechanisms . . . . . . . . . . . . . . . . . 8
+ 5. Client Authentication . . . . . . . . . . . . . . . . . . . . 8
+ 6. Protecting GSS-API Authentication Data . . . . . . . . . . . . 8
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 11
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 11
+ Appendix A. An FKA-TLS Example: Kerberos TLS . . . . . . . . . . 13
+ Appendix B. Additional Use Cases for FXA-TLS . . . . . . . . . . 13
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
+ Intellectual Property and Copyright Statements . . . . . . . . . . 16
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 2]
+
+Internet-Draft FKA-TLS July 2007
+
+
+1. Introduction
+
+ [RFC4279] defines Transport Layer Security (TLS) based on pre-shared
+ keys (PSK). This assumes a pair-wise key sharing scheme that is less
+ scalable and more costly to manage in comparison with a trusted third
+ party scheme such as Kerberos [RFC4120]. In addition, off-shelf GSS-
+ API libraries that allow dynamic key sharing are not currently
+ accessible to TLS applications. Lastly, [RFC4279] does not provide
+ true mutual authentication against the server.
+
+ This document extends [RFC4279] to establish a shared key, and
+ optionally provide client or server authentication, by using off-
+ shelf GSS-API libraries, and the established shared key is then
+ imported as "PSK" to [RFC4279]. No new key cipher suite is defined
+ in this document.
+
+ As an example usage scenario, Kerberos [RFC4121] is a GSS-API
+ mechanism that can be selected to establish a shared key between a
+ client and a server based on either asymmetric keys [RFC4556] or
+ symmetric keys [RFC4120]. By using the extensions defined in this
+ document, a TLS connection is secured using the Kerberos version 5
+ mechanism exposed as a generic security service via GSS-API.
+
+ With regard to the previous work for the Kerberos support in TLS,
+ [RFC2712] defines "Addition of Kerberos Cipher Suites to Transport
+ Layer Security (TLS)" which has not been widely implemented due to
+ violations of Kerberos Version 5 library abstraction layers,
+ incompatible implementations from two major distributions (Sun Java
+ and OpenSSL), and its lack of support for credential delegation.
+ This document defines a generic extensible method that addresses the
+ limitations associated with [RFC2712] and integrates Kerberos and
+ TLS. Relying on [RFC4121] for Kerberos Version 5 support will
+ significantly reduce the challenges associated with implementing this
+ protocol as a replacement for [RFC2712].
+
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+3. Protocol Definition
+
+ In this protocol, the on-demand key exchange is implemented by
+ encapsulating the GSS security context establishment within the TLS
+ handshake messages when PSK cipher suites are requested in the
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 3]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ extended ClientHello message.
+
+ The gss_api TLS extension is defined according to [RFC3546]. The
+ extension data carries GSS-API token within the TLS hello messages.
+
+ enum {
+ gss_api(TBD), (65535)
+ } ExtensionType;
+
+ The client MUST NOT include a gss_api TLS extension if there is no
+ PSK ciphersuite [RFC4279] included in the cipher_suites field of the
+ client hello message.
+
+ Initially the client computes the gss_api TLS extension data by
+ calling GSS_Init_sec_context() [RFC2743] to establish a security
+ context. The TLS client MUST set the mutual_req_flag and identify
+ the server by targ_name so that mutual authentication is performed in
+ the course of context establishment. The extension_data from the
+ client contains the output token of GSS_Init_sec_context().
+
+ If a GSS-API context cannot be established, the gss_api TLS extension
+ MUST NOT be included in the client hello message and it is a matter
+ of local policy on the client whether to continue or reject the TLS
+ authentication as if the gss_api TLS extension is not supported.
+
+ If the mutual authentication is not available on the established GSS-
+ API context, the PSK key exchange described in Section 2 of [RFC4279]
+ MUST NOT be selected, and the DHE_PSK or RSA_PSK key exchange MUST be
+ negotiated instead in order to authenticate the server.
+
+ Upon receipt of the gss_api TLS extension from the client, and if the
+ server supports the gss_api TLS extension, the server calls
+ GSS_Accept_sec_context() with the client GSS-API output token in the
+ client's extension data as the input token. If
+ GSS_Accept_sec_context() returns a token successfully, the server
+ responds by including a gss_api TLS extension in the server hello
+ message and places the output token in the extension_data. If
+ GSS_Accept_sec_context() fails, it is a matter of local policy on the
+ server whether to continue or reject the TLS authentication as if the
+ gss_api TLS extension is not supported.
+
+ The server MUST ignore a TLS gss_api extension in the extended
+ ClientHello if its selected CipherSuite is not a PSK CipherSuite
+ [RFC4279], and the server MUST NOT include a gss_api TLS extension in
+ the server hello message.
+
+ If after the exchange of extended ClientHello and extended
+ ServerHello with the gss_api extension, at least one more additional
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 4]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ GSS token is required in order to complete the GSS security context
+ establishment, the additional GSS-API token is encapsulated in a new
+ TLS Handshake message called the token_transfer message.
+
+ enum {
+ token_transfer(TBD), (255)
+ } HandshakeType;
+
+ struct {
+ HandshakeType msg_type; /* handshake type */
+ uint24 length; /* bytes in message */
+ select (HandshakeType) {
+ case token_transfer: /* NEW */
+ TokenTransfer;
+ } body;
+ } Handshake;
+
+ enum {
+ gss_api_token(1), (255)
+ } TokenTransferType;
+
+ struct {
+ TokenTransferType token_type; /* token type */
+ opaque token<0..2^16-1>;
+ } TokenTransfer;
+
+ The TokenTransfer structure is filled out as follows:
+
+ o The token_type is gss_api_token.
+
+ o The token field contains the GSS-API context establishment tokens
+ from the client and the server.
+
+ The client calls GSS_Init_sec_context() with the token in the
+ TokenTransfer stucture from the server as the input token, and then
+ places the output token, if any, into the TokenTransfer message and
+ sends the handshake message to the server. The server calls
+ GSS_Accept_sec_context() with the token in the TokenTransfer
+ structure from the client as the input token, and then places the
+ output token, if any, into the TokenTransfer message and sends the
+ handshake message to the client.
+
+ This loop repeats until either the context fails to establish or the
+ context is established successfully. To prevent an infinite loop,
+ both the client and the server MUST have a policy to limit the
+ maximum number of GSS-API context establishment calls for a given
+ session. The recommended value is a total of five (5) calls
+ including the GSS_Init_sec_context() and GSS_Accept_sec_context()
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 5]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ from both the client and server. Exceeding the maximum number of
+ calls is to be treated as a GSS security context establishment
+ failure. It is RECOMMENDED that the client and server enforce the
+ same maximum number
+
+ If the GSS-API context fails to establish, it is a matter of local
+ policy whether to continue or reject the TLS authentication as if the
+ gss_api TLS extension is not supported.
+
+ When the last GSS-API context establishment token is sent by the
+ client or when the GSS-API context fails to establish on the client
+ side and the local policy allows the TLS authentication to proceed as
+ if the TLS gss_api extension is not supported, the client sends an
+ empty TokenTransfer handshake message.
+
+ If the GSS-API context fails to establish and local policy allows the
+ TLS authentication continue as if the gss_api TLS extension is not
+ supported, the server MAY send another ServerHello message in order
+ to choose a different cipher suite. The client then MUST expect the
+ second ServerHello message from the server before the session is
+ established. The additional ServerHello message MUST only differ
+ from the first ServerHello message in the choice of CipherSuite and
+ it MUST NOT include a TLS gss_api extension. The second ServerHello
+ MUST NOT be present if there is no TokenTransfer message.
+
+ If the client and the server establish a security context
+ successfully, both the client and the server call GSS_Pseudo_random()
+ [RFC4401] to compute a sufficiently long shared secret with the same
+ value based on the negotiated cipher suite (see details below), and
+ then proceed according to [RFC4279] using this shared secret value as
+ the "PSK".
+
+ When the shared key is established using a GSS-API mechanism as
+ described in this document, the identity of the server and the
+ identity of the client MUST be obtained from the GSS security
+ context. In this case, the PSK identity MUST be processed as
+ follows:
+
+ o The PSK identity as defined in Section 5.1 of [RFC4279] MUST be
+ specified as an empty string.
+
+ o If the server key exchange message is present, the PSK identity
+ hint as defined in Section 5.2 of [RFC4279] MUST be empty, and it
+ MUST be ignored by the client.
+
+ The input parameters to GSS_Pseudo_random() to compute the shared
+ secret value MUST be provided as follows:
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 6]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ o The context is the handle to the GSS-API context established in
+ the given session.
+
+ o The prf_key is GSS_C_PRF_KEY_FULL.
+
+ o The prf_in contains the UTF8 encoding of the string "GSS-API TLS
+ PSK".
+
+ o The desired_output_len is 64. In other words, the output keying
+ mastering size is 64 in bytes. Note that this is the maximum PSK
+ length required to be supported by implementations conforming to
+ [RFC4279].
+
+ The following text art summaries the protocol message flow.
+
+
+ Client Server
+
+ ClientHello -------->
+ <--------* ServerHello
+ TokenTransfer* -------->
+ <-------- TokenTransfer*
+ .
+ .
+ .
+ TokenTransfer* -------->
+ ServerHello*
+ Certificate*
+ ServerKeyExchange*
+ CertificateRequest*
+ <-------- ServerHelloDone
+ Certificate*
+ ClientKeyExchange
+ CertificateVerify*
+ [ChangeCipherSpec]
+ Finished -------->
+ [ChangeCipherSpec]
+ <-------- Finished
+ Application Data <--------> Application Data
+
+ Fig. 1. Message flow for a full handshake
+
+ * Indicates optional or situation-dependent messages that are
+ not always sent.
+
+
+ There could be multiple TokenTransfer handshake messages, and the
+ last TokenTransfer message, if present, is always sent from the
+ client to the server and it can carry an empty token.
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 7]
+
+Internet-Draft FKA-TLS July 2007
+
+
+4. Choosing GSS-API Mechanisms
+
+ If more than one GSS-API mechanism is shared between the client and
+ the server, it is RECOMMENDED to deploy a pseudo GSS-API mechanism
+ such as [RFC4178] to choose a mutually preferred GSS-API mechanism.
+
+ When Kerberos is selected as the GSS-API mechanism, the extensions
+ defined in [KRB-ANON] can perform server authentication without
+ client authentication, thus provide the functional equivalence to the
+ certificate-based TLS [RFC4346].
+
+ If the Kerberos client does not have access to the KDC but the server
+ does, [IAKERB] can be chosen to tunnel the Kerberos authentication
+ exchange within the TLS handshake messages.
+
+
+5. Client Authentication
+
+ If the GSS-API mechanism in the gss_api TLS extension provides client
+ authentication [RFC2743], the CertificateRequest, the client
+ Certificate and the CertificateVerify handshake messages MUST NOT be
+ present. This is illustrated in Appendix A.
+
+
+6. Protecting GSS-API Authentication Data
+
+ GSS-API [RFC2743] provides security services to callers in a generic
+ fashion, supportable with a range of underlying mechanisms and
+ technologies and hence allowing source-level portability of
+ applications to different environments. For example, Kerberos is a
+ GSS-API mechanism defined in [RFC4121]. It is possible to design a
+ GSS-API mechanism that can be used with FKA-TLS in order to, for
+ example, provide client authentication, and is so weak that its GSS-
+ API token MUST NOT be in clear text over the open network. A good
+ example is a GSS-API mechanism that implements basic authentication.
+ Although such mechanisms are unlikely to be standardized and will be
+ encouraged in no circumstance, they exist for practical reasons. In
+ addition, it is generally beneficial to provide privacy protection
+ for mechanisms that send client identities in the clear.
+
+ In order to provide a standard way for protecting weak GSS-API data
+ for use over FKA-TLS, TLSWrap is defined in this section as a pseudo
+ GSS-API mechanism that wraps around the real GSS-API authentication
+ context establishment tokens. This pseudo GSS-API mechanism does not
+ provide per-message security. The real GSS-API mechanism protected
+ by TLSWrap may provide per-message security after the context is
+ established.
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 8]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ The syntax of the initial TLSWrap token follows the
+ initialContextToken syntax defined in Section 3.1 of [RFC2743]. The
+ TLSWrap pseudo mechanism is identified by the Object Identifier
+ iso.org.dod.internet.security.mechanism.tls-wrap (1.3.6.1.5.5.16).
+ Subsequent TLSWrap tokens MUST NOT be encapsulated in this GSS-API
+ generic token framing.
+
+ TLSWrap encapsulates the TLS handshake and data protection in its
+ context establishment tokens.
+
+ The innerContextToken [RFC2743] for the initial TLSWrap context token
+ contains the ClientHello message encoded according to [RFC4346]. No
+ PSK ciphersuite can be included in the client hello message. The
+ targ_name is used by the client to identify the server and it follows
+ the name forms defined in Section 4 of [PKU2U].
+
+ Upon receipt of the initial TLSWrap context token, the GSS-API server
+ processes the client hello message. The output GSS-API context token
+ for TLSWrap contains the ServerHello message and the ServerHelloDone
+ potentially with the optional handshake messages in the order as
+ defined in [RFC4346].
+
+ The GSS-API client then processes the server reply and returns the
+ ClientKeyExchange message and the Finished message potentially with
+ the optional handshake messages in the order as defined in [RFC4346].
+ The client places the real GSS-API authentication mechanism token as
+ an application data record right after the TLS Finished message in
+ the same GSS-API context token for TLSWrap. Because the real
+ mechanism token is placed after the ChangeCipherSpec message, the
+ GSS-API data for the real mechanism is encrypted. If the GSS-API
+ server is not authenticated at this point of the TLS handshake for
+ TLSWrap, the TLSWrap context establishment MUST fail and the real
+ authentication mechanism token MUST not be returned.
+
+ The GSS-API server in turn processes the client reply and returns the
+ TLS Finished message, the server places the reply token from the real
+ authentication mechanism, if present, as an application data record.
+
+ If additional TLS messages are needed before the application data,
+ these additional TLS messages are encapsulated in the context token
+ of TLSWrap in the same manner how the client hello message and the
+ server hello message are encapsulated as described above.
+
+ If additional tokens are required by the real authentication
+ mechanism in order to establish the context, these tokens are placed
+ as an application data record, encoded according to [RFC4346] and
+ then returned as TLSWrap GSS-API context tokens, with one TLSWrap
+ context token per each real mechanism context token. The real
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 9]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ mechanism context tokens are decrypted by TLSWrap and then supply to
+ the real mechanism to complete the context establishment.
+
+
+7. Security Considerations
+
+ As described in Section 3, when the shared key is established using a
+ GSS-API mechanism as described in this document, the identity of the
+ server MUST be obtained from the GSS security context and the
+ identity of the client MUST be obtained from the GSS security
+ context. Authentication methods such as GSS security context and
+ X.509 certificate mixed MUST NOT conflict. Such confusion about the
+ identity will interfere with the ability to properly determine the
+ client's authorization privileges, thus potentially result in a
+ security weakness.
+
+ When Kerberos as defined in [RFC4120] is used to establish the share
+ key, it is vulnerable to offline dictionary attacks. The threat is
+ mitigated by deploying Kerberos FAST [KRB-FAST].
+
+ Shared symmetric keys obtained from mutual calls to
+ GSS_Pseudo_random() are not susceptible to off-line dictionary
+ attacks in the same way that traditional pre-shared keys are. The
+ strength of the generated keys are determined based upon the security
+ properties of the selected GSS mechanism. Implementers MUST take
+ into account the Security Considerations associated with the GSS
+ mechanisms they decide to support.
+
+
+8. Acknowledgements
+
+ Ari Medvinsky was one of the designers of the original TLS Kerberos
+ version 5 CipherSuite and contributed to the first two revisions of
+ this protocol specification.
+
+ Raghu Malpani provided insightful comments and was very helpful along
+ the way.
+
+ Ryan Hurst contributed significantly to the use cases of FKA-TLS.
+
+ Love Hornquist Astrand, Nicolas Williams and Martin Rex provided
+ helpful comments while reviewing early revisions of this document.
+
+
+9. IANA Considerations
+
+ A new handshake message token_transfer is defined according to
+ [RFC4346] and a new TLS extension called the gss_api extension is
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 10]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ defined according to [RFC3546]. The registry needs to be updated to
+ include these new types.
+
+ This document defines the type of the transfer tokens in Section 3, a
+ registry need to be setup and the allocation policy is "Specification
+ Required".
+
+
+10. References
+
+10.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
+ and T. Wright, "Transport Layer Security (TLS)
+ Extensions", RFC 3546, June 2003.
+
+ [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
+ Simple and Protected Generic Security Service Application
+ Program Interface (GSS-API) Negotiation Mechanism",
+ RFC 4178, October 2005.
+
+ [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
+ for Transport Layer Security (TLS)", RFC 4279,
+ December 2005.
+
+ [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.1", RFC 4346, April 2006.
+
+ [RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
+ Extension for the Generic Security Service Application
+ Program Interface (GSS-API)", RFC 4401, February 2006.
+
+10.2. Informative References
+
+ [IAKERB] Zhu, L., "Initial and Pass Through Authentication Using
+ Kerberos V5 and the GSS-API", draft-zhu-ws-kerb-03.txt
+ (work in progress), 2007.
+
+ [KRB-ANON]
+ Zhu, L. and P. Leach, "Kerberos Anonymity Support",
+ draft-ietf-krb-wg-anon-04.txt (work in progress), 2007.
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 11]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ [KRB-FAST]
+ Zhu, L. and S. Hartman, "A Generalized Framework for
+ Kerberos Pre-Authentication",
+ draft-ietf-krb-wg-preauth-framework-06.txt (work in
+ progress), 2007.
+
+ [PKU2U] Zhu, L., Altman, J., and A. Medvinsky, "Public Key
+ Cryptography Based User-to-User Authentication - (PKU2U)",
+ draft-zhu-pku2u-02.txt (work in progress), 2007.
+
+ [RFC2487] Hoffman, P., "SMTP Service Extension for Secure SMTP over
+ TLS", RFC 2487, January 1999.
+
+ [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
+ Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
+
+ [RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
+ Suites to Transport Layer Security (TLS)", RFC 2712,
+ October 1999.
+
+ [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
+ A., Peterson, J., Sparks, R., Handley, M., and E.
+ Schooler, "SIP: Session Initiation Protocol", RFC 3261,
+ June 2002.
+
+ [RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
+ Protocol (XMPP): Core", RFC 3920, October 2004.
+
+ [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
+ Kerberos Network Authentication Service (V5)", RFC 4120,
+ July 2005.
+
+ [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
+ Version 5 Generic Security Service Application Program
+ Interface (GSS-API) Mechanism: Version 2", RFC 4121,
+ July 2005.
+
+ [RFC4402] Williams, N., "A Pseudo-Random Function (PRF) for the
+ Kerberos V Generic Security Service Application Program
+ Interface (GSS-API) Mechanism", RFC 4402, February 2006.
+
+ [RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
+ (LDAP): Technical Specification Road Map", RFC 4510,
+ June 2006.
+
+ [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
+ Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 12]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
+ Kerberos and NTLM HTTP Authentication in Microsoft
+ Windows", RFC 4559, June 2006.
+
+
+Appendix A. An FKA-TLS Example: Kerberos TLS
+
+ This section provides a non-normative description of the message flow
+ when Kerberos Version 5 is used to established the shared secret
+ according to [RFC4121] and that shared secret is then used to secure
+ the TLS connection according to FKA-TLS defined in this document.
+
+
+ Client Server
+
+ ClientHello(with AP-REQ) -------->
+ ServerHello(with AP-REP)
+ <-------- ServerHelloDone
+ ClientKeyExchange
+ [ChangeCipherSpec]
+ Finished -------->
+ [ChangeCipherSpec]
+ <-------- Finished
+ Application Data <--------> Application Data
+
+ Fig. 2. Kerberos FKA-TLS example message flow
+
+
+ In this successful authentication sample, the TLS client sends the
+ Kerberos AP-REQ [RFC4120] in the inital context token according to
+ [RFC4121]. The initial GSS-API context token from the GSS-API client
+ contains the Object Identifier that signifies the Kerberos mechanism
+ and it is encapsulated in the gss_api TLS extension in the client
+ hello message. The TLS client always requests mutual authentication,
+ and the TLS server then sends a GSS-API context token that contains
+ the AP-REP [RFC4120] according to [RFC4121]. The TLS server's GSS-
+ API context token is encapsulated in the gss_api TLS extension in the
+ server hello message. The GSS-API context is established at that
+ point and both sides can derive the shared secret value according to
+ [RFC4402].
+
+ In this example, the ServerKeyExchange handshake message is not
+ needed and it is not present. And according to Section 5 none of the
+ CertificateRequest, the client Certificate or the CertificateVerify
+ handshake messages is present.
+
+
+Appendix B. Additional Use Cases for FXA-TLS
+
+ TLS runs on layers beneath a wide range of application protocols such
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 13]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ as LDAP [RFC4510], SMTP [RFC2487], and XMPP [RFC3920] and above a
+ reliable transport protocol. TLS can add security to any protocol
+ that uses reliable connections (such as TCP). TLS is also
+ increasingly being used as the standard method for protecting SIP
+ [RFC3261] application signaling. TLS can provide authentication and
+ encryption of the SIP signaling associated with VOIP (Voice over IP)
+ and other SIP-based applications.
+
+ Today these applications use public key certificates to verify the
+ identity of endpoints.
+
+ However, it is overwhelmingly complex to manage the assurance level
+ of the certificates when deploying PKI and such complexity has
+ gradually eroded the confidence for the PKI-based systems in general.
+ In addition, the perceived overhead of deploying and managing
+ certificates is fairly high. As a result, the industry badly needs
+ the ability to secure TLS connections by leveraging the existing
+ credential infrastructure. For many customers that means Kerberos.
+ It is highly desirable to enable PKI-less deployments yet still offer
+ strong authentication.
+
+ Having Kerberos/GSS-API in the layer above TLS means all TLS
+ applications need to be changed in the protocol level. In many
+ cases, such changes are not technically feasible. For example,
+ [RFC4559] provides integration with Kerberos in the HTTP level. It
+ suffers from a couple of drawbacks, most notably it only supports
+ single-round-trip GSS-API mechanisms and it lacks of channel bindings
+ to the underlying TLS connection which makes in unsuitable for
+ deployment in situations where proxies exists. Furthermore,
+ [RFC4559] lacks of session-based re-authentication (comparing with
+ TLS). The root causes of these problems are inherent to the HTTP
+ protocol and can't be fixed trivially.
+
+ Consequently, It is a better solution to integrate Kerberos/GSS-API
+ in the TLS layer. Such integration allows the existing
+ infrastructure work seamlessly with TLS for the products based on
+ them in ways that were not practical to do before. For instance, an
+ increasing number of client and server products support TLS natively,
+ but many still lack support. As an alternative, users may wish to
+ use standalone TLS products that rely on being able to obtain a TLS
+ connection immediately, by simply connecting to a separate port
+ reserved for the purpose. For example, by default the TCP port for
+ HTTPS is 443, to distinguish it from HTTP on port 80. TLS can also
+ be used to tunnel an entire network stack to create a VPN, as is the
+ case with OpenVPN. Many vendors now marry TLS's encryption and
+ authentication capabilities with authorization. There has also been
+ substantial development since the late 1990s in creating client
+ technology outside of the browser to enable support for client/server
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 14]
+
+Internet-Draft FKA-TLS July 2007
+
+
+ applications. When compared against traditional IPSec VPN
+ technologies, TLS has some inherent advantages in firewall and NAT
+ traversal that make it easier to administer for large remote-access
+ populations.
+
+ PSK-TLS as defined in [RFC4279] is a good start but this document
+ finishes the job by making it more deployable. FKA-TLS also fixes
+ the mutual-authentication problem in [RFC4279] in the cases where the
+ PSK can be shared among services on the same host.
+
+
+Authors' Addresses
+
+ Larry Zhu
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ Email: lzhu@microsoft.com
+
+
+ Girish Chander
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ Email: gchander@microsoft.com
+
+
+ Jeffrey Altman
+ Secure Endpoints Inc.
+ 255 W 94th St
+ New York, NY 10025
+ US
+
+ Email: jaltman@secure-endpoints.com
+
+
+ Stefan Santesson
+ Microsoft Corporation
+ Tuborg Boulevard 12
+ 2900 Hellerup, WA
+ Denmark
+
+ Email: stefans@microsoft.com
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 15]
+
+Internet-Draft FKA-TLS July 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Zhu, et al. Expires January 26, 2008 [Page 16]
+
+