summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt614
1 files changed, 614 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt
new file mode 100644
index 00000000000..e6ae54d9777
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-01.txt
@@ -0,0 +1,614 @@
+INTERNET-DRAFT Clifford Neuman
+draft-ietf-cat-kerberos-pk-init-01.txt Brian Tung
+Updates: RFC 1510 ISI
+expires December 7, 1996 John Wray
+ Digital Equipment Corporation
+
+
+ Public Key Cryptography for Initial Authentication in Kerberos
+
+
+0. Status Of this Memo
+
+ This document is an Internet-Draft. Internet-Drafts are working
+ documents of the Internet Engineering Task Force (IETF), its areas,
+ and its working groups. Note that other groups may also distribute
+ working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other docu-
+ ments at any time. It is inappropriate to use Internet-Drafts as
+ reference material or to cite them other than as ``work in pro-
+ gress.''
+
+ To learn the current status of any Internet-Draft, please check the
+ ``1id-abstracts.txt'' listing contained in the Internet-Drafts Sha-
+ dow Directories on ds.internic.net (US East Coast), nic.nordu.net
+ (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
+ Rim).
+
+ The distribution of this memo is unlimited. It is filed as
+ draft-ietf-cat-kerberos-pk-init-01.txt, and expires December 7, 1996.
+ Please send comments to the authors.
+
+
+1. Abstract
+
+ This document defines extensions to the Kerberos protocol specifi-
+ cation (RFC 1510, "The Kerberos Network Authentication Service
+ (V5)", September 1993) to provide a method for using public key
+ cryptography during initial authentication. The method defined
+ specifies the way in which preauthentication data fields and error
+ data fields in Kerberos messages are to be used to transport public
+ key data.
+
+2. Motivation
+
+ Public key cryptography presents a means by which a principal may
+ demonstrate possession of a key, without ever having divulged this
+ key to anyone else. In conventional cryptography, the encryption key
+ and decryption key are either identical or can easily be derived from
+ one another. In public key cryptography, however, neither the public
+ key nor the private key can be derived from the other (although the
+ private key RECORD may include the information required to generate
+ BOTH keys). Hence, a message encrypted with a public key is private,
+ since only the person possessing the private key can decrypt it;
+ similarly, someone possessing the private key can also encrypt a
+ message, thus providing a digital signature.
+
+ Furthermore, conventional keys are often derived from passwords, so
+ messages encrypted with these keys are susceptible to dictionary
+ attacks, whereas public key pairs are generated from a pseudo-random
+ number sequence. While it is true that messages encrypted using
+ public key cryptography are actually encrypted with a conventional
+ secret key, which is in turn encrypted using the public key pair,
+ the secret key is also randomly generated and is hence not vulnerable
+ to a dictionary attack.
+
+ The advantages provided by public key cryptography have produced a
+ demand for its integration into the Kerberos authentication protocol.
+ The primary advantage of registering public keys with the KDC lies in
+ the ease of recovery in case the KDC is compromised. With Kerberos as
+ it currently stands, compromise of the KDC is disastrous. All
+ keys become known by the attacker and all keys must be changed.
+
+ If users register public keys, compromise of the KDC does not divulge
+ their private key. Compromise of security on the KDC is still a
+ problem, since an attacker can impersonate any user by certifying a
+ bogus key with the KDC's private key. However, all bogus
+ certificates can be invalidated by revoking and changing the
+ KDC's public key. Legitimate users have to re-certify their public
+ keys with the new KDC key, but the users's keys themselves do not
+ need to be changed. Keys for application servers are conventional
+ symmetric keys and must be changed.
+
+ Note: If a user stores his private key, in an encrypted form, on the
+ KDC, then he does have to change the key pair, since the private key
+ is encrypted using a symmetric key derived from a password (as
+ described below), and is therefore vulnerable to dictionary attack.
+ Assuming good password policy, however, legitimate users may be
+ allowed to use the old password for a limited time, solely for the
+ purpose of changing the key pair. The realm administrator is then
+ not forced to re-key all users.
+
+ There are two important areas where public key cryptography will have
+ immediate use: in the initial authentication of users registered with
+ the KDC or using public key certificates from outside authorities,
+ and to establish inter-realm keys for cross-realm authentication.
+ This memo describes a method by which the first of these can be done.
+ The second case will be the topic for a separate proposal.
+
+ Some of the ideas on which this proposal is based arose during
+ discussions over several years between members of the SAAG, the
+ IETF-CAT working group, and the PSRG, regarding integration of
+ Kerberos and SPX. Some ideas are drawn from the DASS system, and
+ similar extensions have been discussed for use in DCE. These changes
+ are by no means endorsed by these groups. This is an attempt to
+ revive some of the goals of that group, and the proposal approaches
+ those goals primarily from the Kerberos perspective.
+
+
+3. Initial authentication of users with public keys
+
+ This section describes the extensions to Version 5 of the Kerberos
+ protocol that will support the use of public key cryptography by
+ users in the initial request for a ticket granting ticket. This
+ proposal is based on the implementation already made available;
+ nevertheless, we solicit any comments on modifications or additions
+ to the protocol description below.
+
+ Roughly speaking, the following changes to RFC 1510 are proposed:
+ a. The KDC's response is encrypted using a random nonce key,
+ rather than the user's secret key.
+ b. This random key accompanies the response in a
+ preauthentication field, encrypted and signed using the
+ public key pairs of the user and the KDC.
+ Certificate and message formats are also defined in this section.
+
+ This proposal will allow users either to use keys registered directly
+ with the KDC, or to use keys already registered for use with X.509,
+ PEM, or PGP, to obtain Kerberos credentials. These credentials can
+ then be used, as before, with application servers supporting Kerberos.
+ Use of public key cryptography will not be a requirement for Kerberos,
+ but if one's organization runs a KDC supporting public key, then users
+ may choose to be registered with a public key pair, instead of the
+ current secret key.
+
+ The application request and response between Kerberos clients and
+ application servers will continue to be based on conventional
+ cryptography, or will be converted to use user-to-user
+ authentication. There are performance issues and other reasons
+ that servers may be better off using conventional cryptography.
+ For this proposal, we feel that 80 percent of the benefits of
+ integrating public key with Kerberos can be attained for 20 percent
+ of the effort, by addressing only initial authentication. This
+ proposal does not preclude separate extensions.
+
+ With these changes, users will be able to register public keys, only
+ in realms that support public key, and they will then only be able
+ to perform initial authentication from a client that supports public key,
+ although they will be able to use services registered in any realm.
+ Furthermore, users registered with conventional keys will be able
+ to use any client.
+
+ This proposal addresses three ways in which users may use public key
+ cryptography for initial authentication with Kerberos, with minimal
+ change to the existing protocol. Users may register keys directly
+ with the KDC, or they may present certificates by outside certification
+ authorities (or certifications by other users) attesting to the
+ association of the public key with the named user. In both cases,
+ the end result is that the user obtains a conventional ticket
+ granting ticket or conventional server ticket that may be used for
+ subsequent authentication, with such subsequent authentication using
+ only conventional cryptography.
+
+ Additionally, users may also register a digital signature key with
+ the KDC. We provide this option for the licensing benefits, as well
+ as a simpler variant of the initial authentication exchange. However,
+ this option relies on the client to generate random keys.
+
+ We first consider the case where the user's key is registered with
+ the KDC.
+
+
+3.1 Definitions
+
+ Before we proceed, we will lay some groundwork definitions for
+ encryption and signatures. We propose the following definitions
+ of signature and encryption modes (and their corresponding values
+ on the wire):
+
+ #define ENCTYPE_SIGN_MD5_RSA 0x0011
+
+ #define ENCTYPE_ENCRYPT_RSA_PRIV 0x0021
+ #define ENCTYPE_ENCRYPT_RSA_PUB 0x0022
+
+ allowing further modes to be defined accordingly.
+
+ In the exposition below, we will use the notation E (T, K) to denote
+ the encryption of data T, with key (or parameters) K.
+
+ If E is ENCTYPE_SIGN_MD5_RSA, then
+
+ E (T, K) = {T, RSAEncryptPrivate (MD5Hash (T), K)}
+
+ If E is ENCTYPE_ENCRYPT_RSA_PRIV, then
+
+ E (T, K) = RSAEncryptPrivate (T, K)
+
+ Correspondingly, if E is ENCTYPE_ENCRYPT_RSA_PUB, then
+
+ E (T, K) = RSAEncryptPublic (T, K)
+
+
+3.2 Initial request for user registered with public key on KDC
+
+ In this scenario it is assumed that the user is registered with a
+ public key on the KDC. The user's private key may be held by the
+ user, or it may be stored on the KDC, encrypted so that it cannot be
+ used by the KDC.
+
+3.2.1 User's private key is stored locally
+
+ If the user stores his private key locally, the initial request to
+ the KDC for a ticket granting ticket proceeds according to RFC 1510,
+ except that a preauthentication field containing a nonce signed by
+ the user's private key is included. The preauthentication field
+ may also include a list of the root certifiers trusted by the user.
+
+ PA-PK-AS-ROOT ::= SEQUENCE {
+ rootCert[0] SEQUENCE OF OCTET STRING,
+ signedAuth[1] SignedPKAuthenticator
+ }
+
+ SignedPKAuthenticator ::= SEQUENCE {
+ authent[0] PKAuthenticator,
+ authentSig[1] Signature
+ }
+
+ PKAuthenticator ::= SEQUENCE {
+ cksum[0] Checksum OPTIONAL,
+ cusec[1] INTEGER,
+ ctime[2] KerberosTime,
+ nonce[3] INTEGER,
+ kdcRealm[4] Realm,
+ kdcName[5] PrincipalName
+ }
+
+ Signature ::= SEQUENCE {
+ sigType[0] INTEGER,
+ kvno[1] INTEGER OPTIONAL,
+ sigHash[2] OCTET STRING
+ }
+
+ Notationally, sigHash is then
+
+ sigType (authent, userPrivateKey)
+
+ where userPrivateKey is the user's private key (corresponding to the
+ public key held in the user's database record). Valid sigTypes are
+ thus far limited to the above-listed ENCTYPE_SIGN_MD5_RSA; we expect
+ that other types may be listed (and given on-the-wire values between
+ 0x0011 and 0x001f).
+
+ The format of each certificate depends on the particular
+ service used. (Alternatively, the KDC could send, with its reply,
+ a sequence of certifications (see below), but since the KDC is likely
+ to have more certifications than users have trusted root certifiers,
+ we have chosen the first method.) In the event that the client
+ believes it already possesses the current public key of the KDC,
+ a zero-length root-cert field is sent.
+
+ The fields in the signed authenticator are the same as those
+ in the Kerberos authenticator; in addition, we include a client-
+ generated nonce, and the name of the KDC. The structure is itself
+ signed using the user's private key corresponding to the public key
+ registered with the KDC.
+
+ Typically, preauthentication using a secret key would not be included,
+ but if included it may be ignored by the KDC. (We recommend that it
+ not be included: even if the KDC should ignore the preauthentication,
+ an attacker may not, and use an intercepted message to guess the
+ password off-line.)
+
+ The response from the KDC would be identical to the response in RFC 1510,
+ except that instead of being encrypted in the secret key shared by the
+ client and the KDC, it is encrypted in a random key freshly generated
+ by the KDC (of type ENCTYPE_ENC_CBC_CRC). A preauthentication field
+ (specified below) accompanies the response, optionally containing a
+ certificate with the public key for the KDC (since we do not assume
+ that the client knows this public key), and a package containing the
+ secret key in which the rest of the response is encrypted, along with
+ the same nonce used in the rest of the response, in order to prevent
+ replays. This package is itself encrypted with the private key of the
+ KDC, then encrypted with the public key of the user.
+
+ PA-PK-AS-REP ::= SEQUENCE {
+ kdcCert[0] SEQUENCE OF Certificate,
+ encryptShell[1] EncryptedData, -- EncPaPkAsRepPartShell
+ -- encrypted by encReplyTmpKey
+ encryptKey[2] EncryptedData -- EncPaPkAsRepTmpKey
+ -- encrypted by userPubliKey
+ }
+
+ EncPaPkAsRepPartShell ::= SEQUENCE {
+ encReplyPart[0] EncPaPkAsRepPart,
+ encReplyPartSig[1] Signature -- encReplyPart
+ -- signed by kdcPrivateKey
+ }
+
+ EncPaPkAsRepPart ::= SEQUENCE {
+ encReplyKey[0] EncryptionKey,
+ nonce[1] INTEGER
+ }
+
+ EncPaPkAsRepTmpKey ::= SEQUENCE {
+ encReplyTmpKey[0] EncryptionKey
+ }
+
+ Notationally, assume that encryptPack is encrypted (or signed) with
+ algorithm Ak, and that encryptShell is encrypted with algorithm Au.
+ Then, encryptShell is
+
+ Au (Ak ({encReplyKey, nonce}, kdcPrivateKey), userPublicKey)
+
+ where kdcPrivateKey is the KDC's private key, and userPublicKey is the
+ user's public key.
+
+ The kdc-cert specification is lifted, with slight modifications,
+ from v3 of the X.509 certificate specification:
+
+ Certificate ::= SEQUENCE {
+ version[0] Version DEFAULT v1 (1),
+ serialNumber[1] CertificateSerialNumber,
+ signature[2] AlgorithmIdentifier,
+ issuer[3] PrincipalName,
+ validity[4] Validity,
+ subjectRealm[5] Realm,
+ subject[6] PrincipalName,
+ subjectPublicKeyInfo[7] SubjectPublicKeyInfo,
+ issuerUniqueID[8] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID[9] IMPLICIT UniqueIdentifier OPTIONAL,
+ authentSig[10] Signature
+ }
+
+ The kdc-cert must have as its root certification one of the certifiers
+ sent to the KDC with the original request. If the KDC has no such
+ certification, then it will instead reply with a KRB_ERROR of type
+ KDC_ERROR_PREAUTH_FAILED. If a zero-length root-cert was sent by the
+ client as part of the PA-PK-AS-ROOT, then a correspondingly zero-length
+ kdc-cert may be absent, in which case the client uses its copy of the
+ KDC's public key.
+
+ Upon receipt of the response from the KDC, the client will verify the
+ public key for the KDC from PA-PK-AS-REP preauthentication data field,
+ The certificate must certify the key as belonging to a principal whose
+ name can be derived from the realm name. If the certificate checks
+ out, the client then decrypts the EncPaPkAsRepPart using the private
+ key of the user, and verifies the signature of the KDC. It then uses
+ the random key contained therein to decrypt the rest of the response,
+ and continues as per RFC 1510. Because there is direct trust between
+ the user and the KDC, the transited field of the ticket returned by
+ the KDC should remain empty. (Cf. Section 3.3.)
+
+
+3.2.2. Private key held by KDC
+
+ Implementation of the changes in this section is OPTIONAL.
+
+ When the user's private key is not carried with the user, the user may
+ encrypt the private key using conventional cryptography, and register
+ the encrypted private key with the KDC. The MD5 hash of the DES key
+ used to encrypt the private key must also be registered with the KDC.
+
+ We provide this option with the warning that storing the private key
+ on the KDC carries the risk of exposure in case the KDC is compromised.
+ If a suffiently good password is chosen to encrypt the key, then this
+ password can be used for a limited time to change the private key.
+ If the user wishes to authenticate himself without storing the private
+ key on each local disk, then a safer, albeit possibly less practical,
+ alternative is to use a smart card to store the keys.
+
+ When the user's private key is stored on the KDC, the KDC record
+ will also indicate whether preauthentication is required before
+ returning the key (we recommend that it be required). If such
+ preauthentication is required, when the initial request is received,
+ the KDC will respond with a KRB_ERROR message, with msg-type set
+ to KDC_ERR_PREAUTH_REQUIRED, and e-data set to:
+
+ PA-PK-AS-INFO ::= SEQUENCE {
+ kdcCert[0] SEQUENCE OF Certificate
+ }
+
+ The kdc-cert field is identical to that in the PA-PK-AS-REP
+ preauthentication data field returned with the KDC response, and must
+ be validated as belonging to the KDC in the same manner.
+
+ Upon receipt of the KRB_ERROR message with a PA-PK-AS-INFO field, the
+ client will prompt the user for the password that was used to
+ encrypt the private key, derive the DES key from that password,
+ and calculate the MD5 hash H1 of the DES key. The client then sends
+ a request to the KDC, which includes a timestamp and a
+ client-generated random secret key that will be used by the KDC
+ to super-encrypt the encrypted private key before it is returned
+ to the client. This information is sent to the KDC in a subsequent
+ AS_REQ message in a preauthentication data field:
+
+ PA-PK-AS-REQ ::= SEQUENCE {
+ encHashShell[0] EncryptedData -- EncPaPkAsReqShell
+ }
+
+ EncPaPkAsReqShell ::= SEQUENCE {
+ encHashPart[0] EncryptedData -- EncPaPkAsReqPart
+ }
+
+ EncPaPkAsReqPart ::= SEQUENCE {
+ encHashKey[0] EncryptionKey,
+ nonce[1] INTEGER
+ }
+
+ The EncPaPkAsReqPart is first encrypted with a DES key K1, derived
+ by string_to_key from the hash H1 (with null salt), then encrypted
+ again with the KDC's public key from the certificate in the
+ PA-PK-AS-INFO field of the error response.
+
+ Notationally, if encryption algorithm A is used for DES encryption,
+ and Ak is used for the public key encryption, then enc-shell is
+
+ Ak (A ({encHashKey, nonce}, K1), kdcPublicKey)
+
+ Upon receipt of the authentication request with the PA-PK-AS-REQ, the
+ KDC verifies the hash of the user's DES encryption key by attempting
+ to decrypt the EncPaPkAsReqPart of the PA-PK-AS-REQ. If decryption
+ is successful, the KDC generates the AS response as defined in
+ RFC 1510, but additionally includes a preauthentication field of type
+ PA-PK-USER-KEY. (This response will also be included in response to
+ the initial request without preauthentication if preauthentication is
+ not required for the user and the user's encrypted private key is
+ stored on the KDC.)
+
+ PA-PK-USER-KEY ::= SEQUENCE {
+ encUserKeyPart[0] EncryptedData -- EncPaPkUserKeyPart
+ }
+
+ EncPaPkUserKeyPart ::= SEQUENCE {
+ encUserKey[0] OCTET STRING,
+ nonce[1] INTEGER
+ }
+
+ Notationally, if encryption algorithm A is used, then enc-key-part is
+
+ A ({encUserKey, nonce}, enc-hash-key)
+
+ (where A could be null encryption).
+
+ This message contains the encrypted private key that has been
+ registered with the KDC by the user, as encrypted by the user,
+ optionally super-encrypted with the enc-hash-key from the PA-PK-AS-REQ
+ message if preauthentication using that method was provided (otherwise,
+ the EncryptedData should denote null encryption). Note that since
+ H1 is a one-way hash, it is not possible for one to decrypt the
+ message if one possesses H1 but not the DES key that H1 is derived
+ from. Because there is direct trust between the user and the
+ KDC, the transited field of the ticket returned by the KDC should
+ remain empty. (Cf. Section 3.3.)
+
+
+3.3. Clients with a public key certified by an outside authority
+
+ Implementation of the changes in this section is OPTIONAL.
+
+ In the case where the client is not registered with the current KDC,
+ the client is responsible for obtaining the private key on its own.
+ The client will request initial tickets from the KDC using the TGS
+ exchange, but instead of performing pre-authentication using a
+ Kerberos ticket granting ticket, or with the PA-PK-AS-REQ that is used
+ when the public key is known to the KDC, the client performs
+ preauthentication using the preauthentication data field of type
+ PA-PK-AS-EXT-CERT:
+
+ PA-PK-AS-EXT-CERT ::= SEQUENCE {
+ userCert[0] SEQUENCE OF OCTET STRING,
+ signedAuth[1] SignedPKAuthenticator
+ }
+
+ where the user-cert specification depends on the type of certificate
+ that the user possesses. In cases where the service has separate
+ key pairs for digital signature and for encryption, we recommend
+ that the signature keys be used for the purposes of sending the
+ preauthentication (and deciphering the response).
+
+ The authenticator is the one used from the exchange in section 3.2.1,
+ except that it is signed using the private key corresponding to
+ the public key in the user-cert.
+
+ The KDC will verify the preauthentication authenticator, and check the
+ certification path against its own policy of legitimate certifiers.
+ This may be based on a certification hierarchy, or simply a list of
+ recognized certifiers in a system like PGP.
+
+ If all checks out, the KDC will issue Kerberos credentials, as in 3.2,
+ but with the names of all the certifiers in the certification path
+ added to the transited field of the ticket, with a principal name
+ taken from the certificate (this might be a long path for X.509, or a
+ string like "John Q. Public <jqpublic@company.com>" if the certificate
+ was a PGP certificate. The realm will identify the kind of
+ certificate and the final certifier as follows:
+
+ cert_type/final_certifier
+
+ as in PGP/<endorser@company.com>.
+
+
+3.4. Digital Signature
+
+ Implementation of the changes in this section is OPTIONAL.
+
+ We offer this option with the warning that it requires the client
+ process to generate a random DES key; this generation may not
+ be able to guarantee the same level of randomness as the KDC.
+
+ If a user registered a digital signature key pair with the KDC,
+ a separate exchange may be used. The client sends a KRB_AS_REQ as
+ described in section 3.2.2. If the user's database record
+ indicates that a digital signature key is to be used, then the
+ KDC sends back a KRB_ERROR as in section 3.2.2.
+
+ It is assumed here that the signature key is stored on local disk.
+ The client generates a random key of enctype ENCTYPE_DES_CBC_CRC,
+ signs it using the signature key (otherwise the signature is
+ performed as described in section 3.2.1), then encrypts the whole with
+ the public key of the KDC. This is returned with a separate KRB_AS_REQ
+ in a preauthentication of type
+
+ PA-PK-AS-SIGNED ::= SEQUENCE {
+ signedKey[0] EncryptedData -- PaPkAsSignedData
+ }
+
+ PaPkAsSignedData ::= SEQUENCE {
+ signedKeyPart[0] SignedKeyPart,
+ signedKeyAuth[1] PKAuthenticator
+ }
+
+ SignedKeyPart ::= SEQUENCE {
+ encSignedKey[0] EncryptionKey,
+ nonce[1] INTEGER
+ }
+
+ where the nonce is the one from the request. Upon receipt of the
+ request, the KDC decrypts, then verifies the random key. It then
+ replies as per RFC 1510, except that instead of being encrypted
+ with the password-derived DES key, the reply is encrypted using
+ the randomKey sent by the client. Since the client already knows
+ this key, there is no need to accompany the reply with an extra
+ preauthentication field. Because there is direct trust between
+ the user and the KDC, the transited field of the ticket returned
+ by the KDC should remain empty. (Cf. Section 3.3.)
+
+
+4. Preauthentication Data Types
+
+ We propose that the following preauthentication types be allocated
+ for the preauthentication data packages described in this draft:
+
+ #define KRB5_PADATA_ROOT_CERT 17 /* PA-PK-AS-ROOT */
+ #define KRB5_PADATA_PUBLIC_REP 18 /* PA-PK-AS-REP */
+ #define KRB5_PADATA_PUBLIC_REQ 19 /* PA-PK-AS-REQ */
+ #define KRB5_PADATA_PRIVATE_REP 20 /* PA-PK-USER-KEY */
+ #define KRB5_PADATA_PUBLIC_EXT 21 /* PA-PK-AS-EXT-CERT */
+ #define KRB5_PADATA_PUBLIC_SIGN 22 /* PA-PK-AS-SIGNED */
+
+
+5. Encryption Information
+
+ For the public key cryptography used in direct registration, we used
+ (in our implementation) the RSAREF library supplied with the PGP 2.6.2
+ release. Encryption and decryption functions were implemented directly
+ on top of the primitives made available therein, rather than the
+ fully sealing operations in the API.
+
+
+6. Compatibility with One-Time Passcodes
+
+ We solicit discussion on how the use of public key cryptography for initial
+ authentication will interact with the proposed use of one time passwords
+ discussed in Internet Draft <draft-ietf-cat-kerberos-passwords-00.txt>.
+
+
+7. Strength of Encryption and Signature Mechanisms
+
+ In light of recent findings on the strengths of MD5 and various DES
+ modes, we solicit discussion on which modes to incorporate into the
+ protocol changes.
+
+
+8. Expiration
+
+ This Internet-Draft expires on December 7, 1996.
+
+
+9. Authors' Addresses
+
+ B. Clifford Neuman
+ USC/Information Sciences Institute
+ 4676 Admiralty Way Suite 1001
+ Marina del Rey, CA 90292-6695
+
+ Phone: 310-822-1511
+ EMail: bcn@isi.edu
+
+ Brian Tung
+ USC/Information Sciences Institute
+ 4676 Admiralty Way Suite 1001
+ Marina del Rey, CA 90292-6695
+
+ Phone: 310-822-1511
+ EMail: brian@isi.edu
+
+ John Wray
+ Digital Equipment Corporation
+ 550 King Street, LKG2-2/Z7
+ Littleton, MA 01460
+
+ Phone: 508-486-5210
+ EMail: wray@tuxedo.enet.dec.com
View Lorry Controller Status