summaryrefslogtreecommitdiff
path: root/source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt')
-rw-r--r--source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt282
1 files changed, 282 insertions, 0 deletions
diff --git a/source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt b/source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
new file mode 100644
index 00000000000..4b193c57390
--- /dev/null
+++ b/source4/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-cross-01.txt
@@ -0,0 +1,282 @@
+INTERNET-DRAFT Brian Tung
+draft-ietf-cat-kerberos-pk-cross-01.txt Tatyana Ryutov
+Updates: RFC 1510 Clifford Neuman
+expires September 30, 1997 Gene Tsudik
+ ISI
+ Bill Sommerfeld
+ Hewlett-Packard
+ Ari Medvinsky
+ Matthew Hur
+ CyberSafe Corporation
+
+
+ Public Key Cryptography for Cross-Realm Authentication in Kerberos
+
+
+0. Status Of this Memo
+
+ This document is an Internet-Draft. Internet-Drafts are working
+ documents of the Internet Engineering Task Force (IETF), its
+ areas, and its working groups. Note that other groups may also
+ distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as ``work in
+ progress.''
+
+ To learn the current status of any Internet-Draft, please check
+ the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
+ Shadow Directories on ds.internic.net (US East Coast),
+ nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+ munnari.oz.au (Pacific Rim).
+
+ The distribution of this memo is unlimited. It is filed as
+ draft-ietf-cat-kerberos-pk-cross-01.txt, and expires September 30,
+ 1997. Please send comments to the authors.
+
+
+1. Abstract
+
+ This document defines extensions to the Kerberos protocol
+ specification (RFC 1510, "The Kerberos Network Authentication
+ Service (V5)", September 1993) to provide a method for using
+ public key cryptography during cross-realm authentication. The
+ methods defined here specify the way in which message exchanges
+ are to be used to transport cross-realm secret keys protected by
+ encryption under public keys certified as belonging to KDCs.
+
+
+2. Motivation
+
+ The advantages provided by public key cryptography--ease of
+ recoverability in the event of a compromise, the possibility of
+ an autonomous authentication infrastructure, to name a few--have
+ produced a demand for use by Kerberos authentication protocol. A
+ draft describing the use of public key cryptography in the initial
+ authentication exchange in Kerberos has already been submitted.
+ This draft describes its use in cross-realm authentication.
+
+ The principal advantage provided by public key cryptography in
+ cross-realm authentication lies in the ability to leverage the
+ existing public key infrastructure. It frees the Kerberos realm
+ administrator from having to maintain separate keys for each other
+ realm with which it wishes to exchange authentication information,
+ or to utilize a hierarchical arrangement, which may pose problems
+ of trust.
+
+ Even with the multi-hop cross-realm authentication, there must be
+ some way to locate the path by which separate realms are to be
+ transited. The current method, which makes use of the DNS-like
+ realm names typical to Kerberos, requires trust of the intermediate
+ KDCs.
+
+ The methods described in this draft allow a realm to specify, at
+ the time of authentication, which certification paths it will
+ trust. A shared key for cross-realm authentication can be
+ established, for a period of time. Furthermore, these methods are
+ transparent to the client, so that only the KDC's need to be
+ modified to use them.
+
+ It is not necessary to implement the changes described in the
+ "Public Key Cryptography for Initial Authentication" draft to make
+ use of the changes in this draft. We solicit comments about the
+ interaction between the two protocol changes, but as of this
+ writing, the authors do not perceive any obstacles to using both.
+
+
+3. Protocol Amendments
+
+ We assume that the user has already obtained a TGT. To perform
+ cross-realm authentication, the user sends a request to the local
+ KDC as per RFC 1510. If the two realms share a secret key, then
+ cross-realm authentication proceeds as usual. Otherwise, the
+ local KDC may attempt to establish a shared key with the remote
+ KDC using public key cryptography, and exchange this key through
+ the cross-realm ticket granting ticket.
+
+ We will consider the specific channel on which the message
+ exchanges take place in Section 5 below.
+
+
+3.1. Changes to the Cross-Realm Ticket Granting Ticket
+
+ In order to avoid the need for changes to the "installed base" of
+ Kerberos application clients and servers, the only protocol change
+ is to the way in which cross-realm ticket granting tickets (TGTs)
+ are encrypted; as these tickets are opaque to clients and servers,
+ the only change visible to them will be the increased size of the
+ tickets.
+
+ Cross-realm TGTs are granted by a local KDC to authenticate a user
+ to a remote KDC's ticket granting service. In standard Kerberos,
+ they are encrypted using a shared secret key manually configured
+ into each KDC.
+
+ In order to incorporate public key cryptography, we define a new
+ encryption type, "ENCTYPE_PK_CROSS". Operationally, this encryption
+ type transforms an OCTET STRING of plaintext (normally an EncTktPart)
+ into the following SEQUENCE:
+
+ PKCrossOutput ::= SEQUENCE {
+ certificate [0] OCTET STRING OPTIONAL,
+ -- public key certificate
+ -- of local KDC
+ encSharedKey [1] EncryptedData,
+ -- of type EncryptionKey
+ -- containing random symmetric key
+ -- encrypted using public key
+ -- of remote KDC
+ sigSharedKey [2] Signature,
+ -- of encSharedKey
+ -- using signature key
+ -- of local KDC
+ pkEncData [3] EncryptedData,
+ -- (normally) of type EncTktPart
+ -- encrypted using encryption key
+ -- found in encSharedKey
+ }
+
+ PKCROSS operates as follows: when a client submits a request for
+ cross-realm authentication, the local KDC checks to see if it has
+ a long-term shared key established for that realm. If so, it uses
+ this key as per RFC 1510.
+
+ If not, it sends a request for information to the remote KDC. The
+ content of this message is immaterial, as it does not need to be
+ processed by the remote KDC; for the sake of consistency, we define
+ it as follows:
+
+ RemoteRequest ::= [APPLICATION 41] SEQUENCE {
+ nonce [0] INTEGER
+ }
+
+ The remote KDC replies with a list of all trusted certifiers and
+ all its (the remote KDC's) certificates. We note that this response
+ is universal and does not depend on which KDC makes the request:
+
+ RemoteReply ::= [APPLICATION 42] SEQUENCE {
+ trustedCertifiers [0] SEQUENCE OF PrincipalName,
+ certificates[1] SEQUENCE OF Certificate,
+ encTypeToUse [1] SEQUENCE OF INTEGER
+ -- encryption types usable
+ -- for encrypting pkEncData
+ }
+
+ Certificate ::= SEQUENCE {
+ CertType [0] INTEGER,
+ -- type of certificate
+ -- 1 = X.509v3 (DER encoding)
+ -- 2 = PGP (per PGP draft)
+ CertData [1] OCTET STRING
+ -- actual certificate
+ -- type determined by CertType
+ } -- from pk-init draft
+
+ Upon receiving this reply, the local KDC determines whether it has
+ a certificate the remote KDC trusts, and whether the remote KDC has
+ a certificate the local KDC trusts. If so, it issues a ticket
+ encrypted using the ENCTYPE_PK_CROSS encryption type defined above.
+
+
+3.2. Profile Caches
+
+ We observe that using PKCROSS as specified above requires two
+ private key operations: a signature generation by the local KDC and
+ a decryption by the remote KDC. This cost can be reduced in the
+ long term by judicious caching of the encSharedKey and the
+ sigSharedKey.
+
+ Let us define a "profile" as the encSharedKey and sigSharedKey, in
+ conjunction with the associated remote realm name and decrypted
+ shared key (the key encrypted in the encSharedKey).
+
+ To optimize these interactions, each KDC maintains two caches, one
+ for outbound profiles and one for inbound profiles. When generating
+ an outbound TGT for another realm, the local KDC first checks to see
+ if the corresponding entry exists in the outbound profile cache; if
+ so, it uses its contents to form the first three fields of the
+ PKCrossOutput; the shared key is used to encrypt the data for the
+ fourth field. If not, the components are generated fresh and stored
+ in the outbound profile cache.
+
+ Upon receipt of the TGT, the remote realm checks its inbound profile
+ cache for the corresponding entry. If it exists, then it uses the
+ contents of the entry to decrypt the data encrypted in the pkEncData.
+ If not, then it goes through the full process of verifying and
+ extracting the shared key; if this is successful, then a new entry
+ is created in the inbound profile cache.
+
+ The inbound profile cache should support multiple entries per realm,
+ in the event that the initiating realm is replicated.
+
+
+4. Finding Realms Supporting PKCROSS
+
+ If either the local realm or the destination realm does not support
+ PKCROSS, or both do not, the mechanism specified in Section 3 can
+ still be used in obtaining the desired remote TGT.
+
+ In the reference Kerberos implementations, the default behavior is
+ to traverse a path up and down the realm name hierarchy, if the
+ two realms do not share a key. There is, however, the possibility
+ of using cross links--i.e., keys shared between two realms that
+ are non-contiguous in the realm name hierarchy--to shorten the
+ path, both to minimize delay and the number of intermediate realms
+ that need to be trusted.
+
+ PKCROSS can be used as a way to provide cross-links even in the
+ absence of shared keys. If the client is aware that one or two
+ intermediate realms support PKCROSS, then a combination of
+ PKCROSS and conventional cross-realm authentication can be used
+ to reach the final destination realm.
+
+ We solicit discussion on the best methods for clients and KDCs to
+ determine or advertise support for PKCROSS.
+
+
+5. Message Ports
+
+ We have not specified the port on which KDCs supporting PKCROSS
+ should listen to receive the request for information messages noted
+ above. We solicit discussion on which port should be used. We
+ propose to use the standard Kerberos ports (well-known 88 or 750),
+ but another possibility is to use a completely different port.
+
+ We also solicit discussion on what other approaches can be taken to
+ obtain the information in the RemoteReply (e.g., secure DNS or some
+ other repository).
+
+
+6. Expiration Date
+
+ This Internet-Draft will expire on September 30, 1997.
+
+
+7. Authors' Addresses
+
+ Brian Tung
+ Tatyana Ryutov
+ Clifford Neuman
+ Gene Tsudik
+ USC/Information Sciences Institute
+ 4676 Admiralty Way Suite 1001
+ Marina del Rey, CA 90292-6695
+ Phone: +1 310 822 1511
+ E-Mail: {brian, tryutov, bcn, gts}@isi.edu
+
+ Bill Sommerfeld
+ Hewlett Packard
+ 300 Apollo Drive
+ Chelmsford MA 01824
+ Phone: +1 508 436 4352
+ E-Mail: sommerfeld@apollo.hp.com
+
+ Ari Medvinsky
+ Matthew Hur
+ CyberSafe Corporation
+ 1605 NW Sammamish Road Suite 310
+ Issaquah WA 98027-5378
+ Phone: +1 206 391 6000
+ E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
View Lorry Controller Status