1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
|
NETWORK WORKING GROUP L. Zhu
Internet-Draft G. Chander
Updates: 4279 (if approved) Microsoft Corporation
Intended status: Standards Track J. Altman
Expires: January 26, 2008 Secure Endpoints Inc.
S. Santesson
Microsoft Corporation
July 25, 2007
Flexible Key Agreement for Transport Layer Security (FKA-TLS)
draft-santesson-tls-gssapi-03
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 26, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document defines extensions to RFC 4279, "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)", to enable dynamic
key sharing in distributed environments using a Generic Security
Service Application Program Interface (GSS-API) mechanism, and then
Zhu, et al. Expires January 26, 2008 [Page 1]
�
Internet-Draft FKA-TLS July 2007
import that shared key as the "Pre-Shared Key" to complete the TLS
handshake.
This is a modular approach to perform authentication and key exchange
based on off-shelf libraries. And it obviates the need of pair-wise
key sharing by enabling the use of the widely-deployed Kerberos alike
trust infrastructures that are highly scalable and robust.
Furthermore, conforming implementations can provide server
authentication without the use of certificates.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 3
4. Choosing GSS-API Mechanisms . . . . . . . . . . . . . . . . . 8
5. Client Authentication . . . . . . . . . . . . . . . . . . . . 8
6. Protecting GSS-API Authentication Data . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
10.1. Normative References . . . . . . . . . . . . . . . . . . 11
10.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. An FKA-TLS Example: Kerberos TLS . . . . . . . . . . 13
Appendix B. Additional Use Cases for FXA-TLS . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
Intellectual Property and Copyright Statements . . . . . . . . . . 16
Zhu, et al. Expires January 26, 2008 [Page 2]
�
Internet-Draft FKA-TLS July 2007
1. Introduction
[RFC4279] defines Transport Layer Security (TLS) based on pre-shared
keys (PSK). This assumes a pair-wise key sharing scheme that is less
scalable and more costly to manage in comparison with a trusted third
party scheme such as Kerberos [RFC4120]. In addition, off-shelf GSS-
API libraries that allow dynamic key sharing are not currently
accessible to TLS applications. Lastly, [RFC4279] does not provide
true mutual authentication against the server.
This document extends [RFC4279] to establish a shared key, and
optionally provide client or server authentication, by using off-
shelf GSS-API libraries, and the established shared key is then
imported as "PSK" to [RFC4279]. No new key cipher suite is defined
in this document.
As an example usage scenario, Kerberos [RFC4121] is a GSS-API
mechanism that can be selected to establish a shared key between a
client and a server based on either asymmetric keys [RFC4556] or
symmetric keys [RFC4120]. By using the extensions defined in this
document, a TLS connection is secured using the Kerberos version 5
mechanism exposed as a generic security service via GSS-API.
With regard to the previous work for the Kerberos support in TLS,
[RFC2712] defines "Addition of Kerberos Cipher Suites to Transport
Layer Security (TLS)" which has not been widely implemented due to
violations of Kerberos Version 5 library abstraction layers,
incompatible implementations from two major distributions (Sun Java
and OpenSSL), and its lack of support for credential delegation.
This document defines a generic extensible method that addresses the
limitations associated with [RFC2712] and integrates Kerberos and
TLS. Relying on [RFC4121] for Kerberos Version 5 support will
significantly reduce the challenges associated with implementing this
protocol as a replacement for [RFC2712].
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Protocol Definition
In this protocol, the on-demand key exchange is implemented by
encapsulating the GSS security context establishment within the TLS
handshake messages when PSK cipher suites are requested in the
Zhu, et al. Expires January 26, 2008 [Page 3]
�
Internet-Draft FKA-TLS July 2007
extended ClientHello message.
The gss_api TLS extension is defined according to [RFC3546]. The
extension data carries GSS-API token within the TLS hello messages.
enum {
gss_api(TBD), (65535)
} ExtensionType;
The client MUST NOT include a gss_api TLS extension if there is no
PSK ciphersuite [RFC4279] included in the cipher_suites field of the
client hello message.
Initially the client computes the gss_api TLS extension data by
calling GSS_Init_sec_context() [RFC2743] to establish a security
context. The TLS client MUST set the mutual_req_flag and identify
the server by targ_name so that mutual authentication is performed in
the course of context establishment. The extension_data from the
client contains the output token of GSS_Init_sec_context().
If a GSS-API context cannot be established, the gss_api TLS extension
MUST NOT be included in the client hello message and it is a matter
of local policy on the client whether to continue or reject the TLS
authentication as if the gss_api TLS extension is not supported.
If the mutual authentication is not available on the established GSS-
API context, the PSK key exchange described in Section 2 of [RFC4279]
MUST NOT be selected, and the DHE_PSK or RSA_PSK key exchange MUST be
negotiated instead in order to authenticate the server.
Upon receipt of the gss_api TLS extension from the client, and if the
server supports the gss_api TLS extension, the server calls
GSS_Accept_sec_context() with the client GSS-API output token in the
client's extension data as the input token. If
GSS_Accept_sec_context() returns a token successfully, the server
responds by including a gss_api TLS extension in the server hello
message and places the output token in the extension_data. If
GSS_Accept_sec_context() fails, it is a matter of local policy on the
server whether to continue or reject the TLS authentication as if the
gss_api TLS extension is not supported.
The server MUST ignore a TLS gss_api extension in the extended
ClientHello if its selected CipherSuite is not a PSK CipherSuite
[RFC4279], and the server MUST NOT include a gss_api TLS extension in
the server hello message.
If after the exchange of extended ClientHello and extended
ServerHello with the gss_api extension, at least one more additional
Zhu, et al. Expires January 26, 2008 [Page 4]
�
Internet-Draft FKA-TLS July 2007
GSS token is required in order to complete the GSS security context
establishment, the additional GSS-API token is encapsulated in a new
TLS Handshake message called the token_transfer message.
enum {
token_transfer(TBD), (255)
} HandshakeType;
struct {
HandshakeType msg_type; /* handshake type */
uint24 length; /* bytes in message */
select (HandshakeType) {
case token_transfer: /* NEW */
TokenTransfer;
} body;
} Handshake;
enum {
gss_api_token(1), (255)
} TokenTransferType;
struct {
TokenTransferType token_type; /* token type */
opaque token<0..2^16-1>;
} TokenTransfer;
The TokenTransfer structure is filled out as follows:
o The token_type is gss_api_token.
o The token field contains the GSS-API context establishment tokens
from the client and the server.
The client calls GSS_Init_sec_context() with the token in the
TokenTransfer stucture from the server as the input token, and then
places the output token, if any, into the TokenTransfer message and
sends the handshake message to the server. The server calls
GSS_Accept_sec_context() with the token in the TokenTransfer
structure from the client as the input token, and then places the
output token, if any, into the TokenTransfer message and sends the
handshake message to the client.
This loop repeats until either the context fails to establish or the
context is established successfully. To prevent an infinite loop,
both the client and the server MUST have a policy to limit the
maximum number of GSS-API context establishment calls for a given
session. The recommended value is a total of five (5) calls
including the GSS_Init_sec_context() and GSS_Accept_sec_context()
Zhu, et al. Expires January 26, 2008 [Page 5]
�
Internet-Draft FKA-TLS July 2007
from both the client and server. Exceeding the maximum number of
calls is to be treated as a GSS security context establishment
failure. It is RECOMMENDED that the client and server enforce the
same maximum number
If the GSS-API context fails to establish, it is a matter of local
policy whether to continue or reject the TLS authentication as if the
gss_api TLS extension is not supported.
When the last GSS-API context establishment token is sent by the
client or when the GSS-API context fails to establish on the client
side and the local policy allows the TLS authentication to proceed as
if the TLS gss_api extension is not supported, the client sends an
empty TokenTransfer handshake message.
If the GSS-API context fails to establish and local policy allows the
TLS authentication continue as if the gss_api TLS extension is not
supported, the server MAY send another ServerHello message in order
to choose a different cipher suite. The client then MUST expect the
second ServerHello message from the server before the session is
established. The additional ServerHello message MUST only differ
from the first ServerHello message in the choice of CipherSuite and
it MUST NOT include a TLS gss_api extension. The second ServerHello
MUST NOT be present if there is no TokenTransfer message.
If the client and the server establish a security context
successfully, both the client and the server call GSS_Pseudo_random()
[RFC4401] to compute a sufficiently long shared secret with the same
value based on the negotiated cipher suite (see details below), and
then proceed according to [RFC4279] using this shared secret value as
the "PSK".
When the shared key is established using a GSS-API mechanism as
described in this document, the identity of the server and the
identity of the client MUST be obtained from the GSS security
context. In this case, the PSK identity MUST be processed as
follows:
o The PSK identity as defined in Section 5.1 of [RFC4279] MUST be
specified as an empty string.
o If the server key exchange message is present, the PSK identity
hint as defined in Section 5.2 of [RFC4279] MUST be empty, and it
MUST be ignored by the client.
The input parameters to GSS_Pseudo_random() to compute the shared
secret value MUST be provided as follows:
Zhu, et al. Expires January 26, 2008 [Page 6]
�
Internet-Draft FKA-TLS July 2007
o The context is the handle to the GSS-API context established in
the given session.
o The prf_key is GSS_C_PRF_KEY_FULL.
o The prf_in contains the UTF8 encoding of the string "GSS-API TLS
PSK".
o The desired_output_len is 64. In other words, the output keying
mastering size is 64 in bytes. Note that this is the maximum PSK
length required to be supported by implementations conforming to
[RFC4279].
The following text art summaries the protocol message flow.
Client Server
ClientHello -------->
<--------* ServerHello
TokenTransfer* -------->
<-------- TokenTransfer*
.
.
.
TokenTransfer* -------->
ServerHello*
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <--------> Application Data
Fig. 1. Message flow for a full handshake
* Indicates optional or situation-dependent messages that are
not always sent.
There could be multiple TokenTransfer handshake messages, and the
last TokenTransfer message, if present, is always sent from the
client to the server and it can carry an empty token.
Zhu, et al. Expires January 26, 2008 [Page 7]
�
Internet-Draft FKA-TLS July 2007
4. Choosing GSS-API Mechanisms
If more than one GSS-API mechanism is shared between the client and
the server, it is RECOMMENDED to deploy a pseudo GSS-API mechanism
such as [RFC4178] to choose a mutually preferred GSS-API mechanism.
When Kerberos is selected as the GSS-API mechanism, the extensions
defined in [KRB-ANON] can perform server authentication without
client authentication, thus provide the functional equivalence to the
certificate-based TLS [RFC4346].
If the Kerberos client does not have access to the KDC but the server
does, [IAKERB] can be chosen to tunnel the Kerberos authentication
exchange within the TLS handshake messages.
5. Client Authentication
If the GSS-API mechanism in the gss_api TLS extension provides client
authentication [RFC2743], the CertificateRequest, the client
Certificate and the CertificateVerify handshake messages MUST NOT be
present. This is illustrated in Appendix A.
6. Protecting GSS-API Authentication Data
GSS-API [RFC2743] provides security services to callers in a generic
fashion, supportable with a range of underlying mechanisms and
technologies and hence allowing source-level portability of
applications to different environments. For example, Kerberos is a
GSS-API mechanism defined in [RFC4121]. It is possible to design a
GSS-API mechanism that can be used with FKA-TLS in order to, for
example, provide client authentication, and is so weak that its GSS-
API token MUST NOT be in clear text over the open network. A good
example is a GSS-API mechanism that implements basic authentication.
Although such mechanisms are unlikely to be standardized and will be
encouraged in no circumstance, they exist for practical reasons. In
addition, it is generally beneficial to provide privacy protection
for mechanisms that send client identities in the clear.
In order to provide a standard way for protecting weak GSS-API data
for use over FKA-TLS, TLSWrap is defined in this section as a pseudo
GSS-API mechanism that wraps around the real GSS-API authentication
context establishment tokens. This pseudo GSS-API mechanism does not
provide per-message security. The real GSS-API mechanism protected
by TLSWrap may provide per-message security after the context is
established.
Zhu, et al. Expires January 26, 2008 [Page 8]
�
Internet-Draft FKA-TLS July 2007
The syntax of the initial TLSWrap token follows the
initialContextToken syntax defined in Section 3.1 of [RFC2743]. The
TLSWrap pseudo mechanism is identified by the Object Identifier
iso.org.dod.internet.security.mechanism.tls-wrap (1.3.6.1.5.5.16).
Subsequent TLSWrap tokens MUST NOT be encapsulated in this GSS-API
generic token framing.
TLSWrap encapsulates the TLS handshake and data protection in its
context establishment tokens.
The innerContextToken [RFC2743] for the initial TLSWrap context token
contains the ClientHello message encoded according to [RFC4346]. No
PSK ciphersuite can be included in the client hello message. The
targ_name is used by the client to identify the server and it follows
the name forms defined in Section 4 of [PKU2U].
Upon receipt of the initial TLSWrap context token, the GSS-API server
processes the client hello message. The output GSS-API context token
for TLSWrap contains the ServerHello message and the ServerHelloDone
potentially with the optional handshake messages in the order as
defined in [RFC4346].
The GSS-API client then processes the server reply and returns the
ClientKeyExchange message and the Finished message potentially with
the optional handshake messages in the order as defined in [RFC4346].
The client places the real GSS-API authentication mechanism token as
an application data record right after the TLS Finished message in
the same GSS-API context token for TLSWrap. Because the real
mechanism token is placed after the ChangeCipherSpec message, the
GSS-API data for the real mechanism is encrypted. If the GSS-API
server is not authenticated at this point of the TLS handshake for
TLSWrap, the TLSWrap context establishment MUST fail and the real
authentication mechanism token MUST not be returned.
The GSS-API server in turn processes the client reply and returns the
TLS Finished message, the server places the reply token from the real
authentication mechanism, if present, as an application data record.
If additional TLS messages are needed before the application data,
these additional TLS messages are encapsulated in the context token
of TLSWrap in the same manner how the client hello message and the
server hello message are encapsulated as described above.
If additional tokens are required by the real authentication
mechanism in order to establish the context, these tokens are placed
as an application data record, encoded according to [RFC4346] and
then returned as TLSWrap GSS-API context tokens, with one TLSWrap
context token per each real mechanism context token. The real
Zhu, et al. Expires January 26, 2008 [Page 9]
�
Internet-Draft FKA-TLS July 2007
mechanism context tokens are decrypted by TLSWrap and then supply to
the real mechanism to complete the context establishment.
7. Security Considerations
As described in Section 3, when the shared key is established using a
GSS-API mechanism as described in this document, the identity of the
server MUST be obtained from the GSS security context and the
identity of the client MUST be obtained from the GSS security
context. Authentication methods such as GSS security context and
X.509 certificate mixed MUST NOT conflict. Such confusion about the
identity will interfere with the ability to properly determine the
client's authorization privileges, thus potentially result in a
security weakness.
When Kerberos as defined in [RFC4120] is used to establish the share
key, it is vulnerable to offline dictionary attacks. The threat is
mitigated by deploying Kerberos FAST [KRB-FAST].
Shared symmetric keys obtained from mutual calls to
GSS_Pseudo_random() are not susceptible to off-line dictionary
attacks in the same way that traditional pre-shared keys are. The
strength of the generated keys are determined based upon the security
properties of the selected GSS mechanism. Implementers MUST take
into account the Security Considerations associated with the GSS
mechanisms they decide to support.
8. Acknowledgements
Ari Medvinsky was one of the designers of the original TLS Kerberos
version 5 CipherSuite and contributed to the first two revisions of
this protocol specification.
Raghu Malpani provided insightful comments and was very helpful along
the way.
Ryan Hurst contributed significantly to the use cases of FKA-TLS.
Love Hornquist Astrand, Nicolas Williams and Martin Rex provided
helpful comments while reviewing early revisions of this document.
9. IANA Considerations
A new handshake message token_transfer is defined according to
[RFC4346] and a new TLS extension called the gss_api extension is
Zhu, et al. Expires January 26, 2008 [Page 10]
�
Internet-Draft FKA-TLS July 2007
defined according to [RFC3546]. The registry needs to be updated to
include these new types.
This document defines the type of the transfer tokens in Section 3, a
registry need to be setup and the allocation policy is "Specification
Required".
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 3546, June 2003.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism",
RFC 4178, October 2005.
[RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
for Transport Layer Security (TLS)", RFC 4279,
December 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
Extension for the Generic Security Service Application
Program Interface (GSS-API)", RFC 4401, February 2006.
10.2. Informative References
[IAKERB] Zhu, L., "Initial and Pass Through Authentication Using
Kerberos V5 and the GSS-API", draft-zhu-ws-kerb-03.txt
(work in progress), 2007.
[KRB-ANON]
Zhu, L. and P. Leach, "Kerberos Anonymity Support",
draft-ietf-krb-wg-anon-04.txt (work in progress), 2007.
Zhu, et al. Expires January 26, 2008 [Page 11]
�
Internet-Draft FKA-TLS July 2007
[KRB-FAST]
Zhu, L. and S. Hartman, "A Generalized Framework for
Kerberos Pre-Authentication",
draft-ietf-krb-wg-preauth-framework-06.txt (work in
progress), 2007.
[PKU2U] Zhu, L., Altman, J., and A. Medvinsky, "Public Key
Cryptography Based User-to-User Authentication - (PKU2U)",
draft-zhu-pku2u-02.txt (work in progress), 2007.
[RFC2487] Hoffman, P., "SMTP Service Extension for Secure SMTP over
TLS", RFC 2487, January 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
Suites to Transport Layer Security (TLS)", RFC 2712,
October 1999.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3920] Saint-Andre, P., Ed., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 3920, October 2004.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
July 2005.
[RFC4402] Williams, N., "A Pseudo-Random Function (PRF) for the
Kerberos V Generic Security Service Application Program
Interface (GSS-API) Mechanism", RFC 4402, February 2006.
[RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510,
June 2006.
[RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
Zhu, et al. Expires January 26, 2008 [Page 12]
�
Internet-Draft FKA-TLS July 2007
[RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based
Kerberos and NTLM HTTP Authentication in Microsoft
Windows", RFC 4559, June 2006.
Appendix A. An FKA-TLS Example: Kerberos TLS
This section provides a non-normative description of the message flow
when Kerberos Version 5 is used to established the shared secret
according to [RFC4121] and that shared secret is then used to secure
the TLS connection according to FKA-TLS defined in this document.
Client Server
ClientHello(with AP-REQ) -------->
ServerHello(with AP-REP)
<-------- ServerHelloDone
ClientKeyExchange
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <--------> Application Data
Fig. 2. Kerberos FKA-TLS example message flow
In this successful authentication sample, the TLS client sends the
Kerberos AP-REQ [RFC4120] in the inital context token according to
[RFC4121]. The initial GSS-API context token from the GSS-API client
contains the Object Identifier that signifies the Kerberos mechanism
and it is encapsulated in the gss_api TLS extension in the client
hello message. The TLS client always requests mutual authentication,
and the TLS server then sends a GSS-API context token that contains
the AP-REP [RFC4120] according to [RFC4121]. The TLS server's GSS-
API context token is encapsulated in the gss_api TLS extension in the
server hello message. The GSS-API context is established at that
point and both sides can derive the shared secret value according to
[RFC4402].
In this example, the ServerKeyExchange handshake message is not
needed and it is not present. And according to Section 5 none of the
CertificateRequest, the client Certificate or the CertificateVerify
handshake messages is present.
Appendix B. Additional Use Cases for FXA-TLS
TLS runs on layers beneath a wide range of application protocols such
Zhu, et al. Expires January 26, 2008 [Page 13]
�
Internet-Draft FKA-TLS July 2007
as LDAP [RFC4510], SMTP [RFC2487], and XMPP [RFC3920] and above a
reliable transport protocol. TLS can add security to any protocol
that uses reliable connections (such as TCP). TLS is also
increasingly being used as the standard method for protecting SIP
[RFC3261] application signaling. TLS can provide authentication and
encryption of the SIP signaling associated with VOIP (Voice over IP)
and other SIP-based applications.
Today these applications use public key certificates to verify the
identity of endpoints.
However, it is overwhelmingly complex to manage the assurance level
of the certificates when deploying PKI and such complexity has
gradually eroded the confidence for the PKI-based systems in general.
In addition, the perceived overhead of deploying and managing
certificates is fairly high. As a result, the industry badly needs
the ability to secure TLS connections by leveraging the existing
credential infrastructure. For many customers that means Kerberos.
It is highly desirable to enable PKI-less deployments yet still offer
strong authentication.
Having Kerberos/GSS-API in the layer above TLS means all TLS
applications need to be changed in the protocol level. In many
cases, such changes are not technically feasible. For example,
[RFC4559] provides integration with Kerberos in the HTTP level. It
suffers from a couple of drawbacks, most notably it only supports
single-round-trip GSS-API mechanisms and it lacks of channel bindings
to the underlying TLS connection which makes in unsuitable for
deployment in situations where proxies exists. Furthermore,
[RFC4559] lacks of session-based re-authentication (comparing with
TLS). The root causes of these problems are inherent to the HTTP
protocol and can't be fixed trivially.
Consequently, It is a better solution to integrate Kerberos/GSS-API
in the TLS layer. Such integration allows the existing
infrastructure work seamlessly with TLS for the products based on
them in ways that were not practical to do before. For instance, an
increasing number of client and server products support TLS natively,
but many still lack support. As an alternative, users may wish to
use standalone TLS products that rely on being able to obtain a TLS
connection immediately, by simply connecting to a separate port
reserved for the purpose. For example, by default the TCP port for
HTTPS is 443, to distinguish it from HTTP on port 80. TLS can also
be used to tunnel an entire network stack to create a VPN, as is the
case with OpenVPN. Many vendors now marry TLS's encryption and
authentication capabilities with authorization. There has also been
substantial development since the late 1990s in creating client
technology outside of the browser to enable support for client/server
Zhu, et al. Expires January 26, 2008 [Page 14]
�
Internet-Draft FKA-TLS July 2007
applications. When compared against traditional IPSec VPN
technologies, TLS has some inherent advantages in firewall and NAT
traversal that make it easier to administer for large remote-access
populations.
PSK-TLS as defined in [RFC4279] is a good start but this document
finishes the job by making it more deployable. FKA-TLS also fixes
the mutual-authentication problem in [RFC4279] in the cases where the
PSK can be shared among services on the same host.
Authors' Addresses
Larry Zhu
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Email: lzhu@microsoft.com
Girish Chander
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Email: gchander@microsoft.com
Jeffrey Altman
Secure Endpoints Inc.
255 W 94th St
New York, NY 10025
US
Email: jaltman@secure-endpoints.com
Stefan Santesson
Microsoft Corporation
Tuborg Boulevard 12
2900 Hellerup, WA
Denmark
Email: stefans@microsoft.com
Zhu, et al. Expires January 26, 2008 [Page 15]
�
Internet-Draft FKA-TLS July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Zhu, et al. Expires January 26, 2008 [Page 16]
�
|
