summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt959
1 files changed, 959 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt
new file mode 100644
index 00000000000..cb18eb5ca3d
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-cat-kerberos-pk-init-06.txt
@@ -0,0 +1,959 @@
+INTERNET-DRAFT Brian Tung
+draft-ietf-cat-kerberos-pk-init-06.txt Clifford Neuman
+Updates: RFC 1510 ISI
+expires September 15, 1998 John Wray
+ Digital Equipment Corporation
+ Ari Medvinsky
+ Matthew Hur
+ CyberSafe Corporation
+ Jonathan Trostle
+ Novell
+
+
+ Public Key Cryptography for Initial Authentication in Kerberos
+
+
+0. Status Of This Memo
+
+ This document is an Internet-Draft. Internet-Drafts are working
+ documents of the Internet Engineering Task Force (IETF), its
+ areas, and its working groups. Note that other groups may also
+ distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ To learn the current status of any Internet-Draft, please check
+ the "1id-abstracts.txt" listing contained in the Internet-Drafts
+ Shadow Directories on ds.internic.net (US East Coast),
+ nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
+ munnari.oz.au (Pacific Rim).
+
+ The distribution of this memo is unlimited. It is filed as
+ draft-ietf-cat-kerberos-pk-init-05.txt, and expires September 15,
+ 1998. Please send comments to the authors.
+
+
+1. Abstract
+
+ This document defines extensions (PKINIT) to the Kerberos protocol
+ specification (RFC 1510 [1]) to provide a method for using public
+ key cryptography during initial authentication. The methods
+ defined specify the ways in which preauthentication data fields and
+ error data fields in Kerberos messages are to be used to transport
+ public key data.
+
+
+2. Introduction
+
+ The popularity of public key cryptography has produced a desire for
+ its support in Kerberos [2]. The advantages provided by public key
+ cryptography include simplified key management (from the Kerberos
+ perspective) and the ability to leverage existing and developing
+ public key certification infrastructures.
+
+ Public key cryptography can be integrated into Kerberos in a number
+ of ways. One is to associate a key pair with each realm, which can
+ then be used to facilitate cross-realm authentication; this is the
+ topic of another draft proposal. Another way is to allow users with
+ public key certificates to use them in initial authentication. This
+ is the concern of the current document.
+
+ One of the guiding principles in the design of PKINIT is that
+ changes should be as minimal as possible. As a result, the basic
+ mechanism of PKINIT is as follows: The user sends a request to the
+ KDC as before, except that if that user is to use public key
+ cryptography in the initial authentication step, his certificate
+ accompanies the initial request, in the preauthentication fields.
+
+ Upon receipt of this request, the KDC verifies the certificate and
+ issues a ticket granting ticket (TGT) as before, except that
+ the encPart from the AS-REP message carrying the TGT is now
+ encrypted in a randomly-generated key, instead of the user's
+ long-term key (which is derived from a password). This
+ random key is in turn encrypted using the public key from the
+ certificate that came with the request and signed using the KDC's
+ private key, and accompanies the reply, in the preauthentication
+ fields.
+
+ PKINIT also allows for users with only digital signature keys to
+ authenticate using those keys, and for users to store and retrieve
+ private keys on the KDC.
+
+ The PKINIT specification may also be used for direct peer to peer
+ authentication without contacting a central KDC. This application
+ of PKINIT is described in PKTAPP [4] and is based on concepts
+ introduced in [5, 6]. For direct client-to-server authentication,
+ the client uses PKINIT to authenticate to the end server (instead
+ of a central KDC), which then issues a ticket for itself. This
+ approach has an advantage over SSL [7] in that the server does not
+ need to save state (cache session keys). Furthermore, an
+ additional benefit is that Kerberos tickets can facilitate
+ delegation (see [8]).
+
+
+3. Proposed Extensions
+
+ This section describes extensions to RFC 1510 for supporting the
+ use of public key cryptography in the initial request for a ticket
+ granting ticket (TGT).
+
+ In summary, the following changes to RFC 1510 are proposed:
+
+ * Users may authenticate using either a public key pair or a
+ conventional (symmetric) key. If public key cryptography is
+ used, public key data is transported in preauthentication
+ data fields to help establish identity.
+ * Users may store private keys on the KDC for retrieval during
+ Kerberos initial authentication.
+
+ This proposal addresses two ways that users may use public key
+ cryptography for initial authentication. Users may present public
+ key certificates, or they may generate their own session key,
+ signed by their digital signature key. In either case, the end
+ result is that the user obtains an ordinary TGT that may be used for
+ subsequent authentication, with such authentication using only
+ conventional cryptography.
+
+ Section 3.1 provides definitions to help specify message formats.
+ Section 3.2 and 3.3 describe the extensions for the two initial
+ authentication methods. Section 3.4 describes a way for the user to
+ store and retrieve his private key on the KDC, as an adjunct to the
+ initial authentication.
+
+
+3.1. Definitions
+
+ The extensions involve new encryption methods; we propose the
+ addition of the following types:
+
+ dsa-sign 8
+ rsa-priv 9
+ rsa-pub 10
+ rsa-pub-md5 11
+ rsa-pub-sha1 12
+
+ The proposal of these encryption types notwithstanding, we do not
+ mandate the use of any particular public key encryption method.
+
+ The extensions involve new preauthentication fields; we propose the
+ addition of the following types:
+
+ PA-PK-AS-REQ 14
+ PA-PK-AS-REP 15
+ PA-PK-AS-SIGN 16
+ PA-PK-KEY-REQ 17
+ PA-PK-KEY-REP 18
+
+ The extensions also involve new error types; we propose the addition
+ of the following types:
+
+ KDC_ERR_CLIENT_NOT_TRUSTED 62
+ KDC_ERR_KDC_NOT_TRUSTED 63
+ KDC_ERR_INVALID_SIG 64
+ KDC_ERR_KEY_TOO_WEAK 65
+ KDC_ERR_CERTIFICATE_MISMATCH 66
+
+ In addition, PKINIT does not define, but does permit, the following
+ algorithm identifiers for use with the Signature data structure:
+
+ md4WithRSAEncryption (as defined in PKCS 1)
+ md5WithRSAEncryption (as defined in PKCS 1)
+ sha-1WithRSAEncryption ::= { iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-1(1) 5 }
+ dsaWithSHA1 ::= { OIW oIWSecSig(3) oIWSecAlgorithm(2)
+ dsaWithSHA1(27) }
+
+ where
+
+ OIW ::= iso(1) identifiedOrganization(3) oIW(14)
+
+ In many cases, PKINIT requires the encoding of an X.500 name as a
+ Realm. In these cases, the realm will be represented using a
+ different style, specified in RFC 1510 with the following example:
+
+ NAMETYPE:rest/of.name=without-restrictions
+
+ For a realm derived from an X.500 name, NAMETYPE will have the value
+ X500-RFC1779. The full realm name will appear as follows:
+
+ X500-RFC1779:RFC1779Encode(DistinguishedName)
+
+ where DistinguishedName is an X.500 name, and RFC1779Encode is a
+ readable ASCII encoding of an X.500 name, as defined by RFC 1779.
+ To ensure that this encoding is unique, we add the following rules
+ to those specified by RFC 1779:
+
+ * The optional spaces specified in RFC 1779 are not allowed.
+ * The character that separates relative distinguished names
+ must be ',' (i.e., it must never be ';').
+ * Attribute values must not be enclosed in double quotes.
+ * Attribute values must not be specified as hexadecimal
+ numbers.
+ * When an attribute name is specified in the form of an OID,
+ it must start with the 'OID.' prefix, and not the 'oid.'
+ prefix.
+ * The order in which the attributes appear in the RFC 1779
+ encoding must be the reverse of the order in the ASN.1
+ encoding of the X.500 name that appears in the public key
+ certificate, because RFC 1779 requires that the least
+ significant relative distinguished name appear first. The
+ order of the relative distinguished names, as well as the
+ order of the attributes within each relative distinguished
+ name, will be reversed.
+
+ Similarly, PKINIT may require the encoding of an X.500 name as a
+ PrincipalName. In these cases, the name-type of the principal name
+ shall be set to NT-X500-PRINCIPAL. This new name type is defined
+ as:
+
+ #define CSFC5c_NT_X500_PRINCIPAL 6
+
+ The name-string shall be set as follows:
+
+ RFC1779Encode(DistinguishedName)
+
+ as described above.
+
+
+3.1.1. Encryption and Key Formats
+
+ In the exposition below, we use the terms public key and private
+ key generically. It should be understood that the term "public
+ key" may be used to refer to either a public encryption key or a
+ signature verification key, and that the term "private key" may be
+ used to refer to either a private decryption key or a signature
+ generation key. The fact that these are logically distinct does
+ not preclude the assignment of bitwise identical keys.
+
+ All additional symmetric keys specified in this draft shall use the
+ same encryption type as the session key in the response from the
+ KDC. These include the temporary keys used to encrypt the signed
+ random key encrypting the response, as well as the key derived from
+ Diffie-Hellman agreement. In the case of Diffie-Hellman, the key
+ shall be produced from the agreed bit string as follows:
+
+ * Truncate the bit string to the appropriate length.
+ * Rectify parity in each byte (if necessary) to obtain the key.
+
+ For instance, in the case of a DES key, we take the first eight
+ bytes of the bit stream, and then adjust the least significant bit
+ of each byte to ensure that each byte has odd parity.
+
+ RFC 1510, Section 6.1, defines EncryptedData as follows:
+
+ EncryptedData ::= SEQUENCE {
+ etype [0] INTEGER,
+ kvno [1] INTEGER OPTIONAL,
+ cipher [2] OCTET STRING
+ -- is CipherText
+ }
+
+ RFC 1510 also defines how CipherText is to be composed. It is not
+ an ASN.1 data structure, but rather an octet string which is the
+ encryption of a plaintext string. This plaintext string is in turn
+ a concatenation of the following octet strings: a confounder, a
+ checksum, the message, and padding. Details of how these components
+ are arranged can be found in RFC 1510.
+
+ The PKINIT protocol introduces several new types of encryption.
+ Data that is encrypted with a public key will allow only the check
+ optional field, as it is defined above. This type of the checksum
+ will be specified in the etype field, together with the encryption
+ type.
+
+ In order to identify the checksum type, etype will have the
+ following values:
+
+ rsa-pub-MD5
+ rsa-pub-SHA1
+
+ In the case that etype is set to rsa-pub, the optional 'check'
+ field will not be provided.
+
+ Data that is encrypted with a private key will not use any optional
+ fields. PKINIT uses private key encryption only for signatures,
+ which are encrypted checksums. Therefore, the optional check field
+ is not needed.
+
+
+3.2. Standard Public Key Authentication
+
+ Implementation of the changes in this section is REQUIRED for
+ compliance with PKINIT.
+
+ It is assumed that all public keys are signed by some certification
+ authority (CA). The initial authentication request is sent as per
+ RFC 1510, except that a preauthentication field containing data
+ signed by the user's private key accompanies the request:
+
+ PA-PK-AS-REQ ::= SEQUENCE {
+ -- PA TYPE 14
+ signedAuthPack [0] SignedAuthPack
+ userCert [1] SEQUENCE OF Certificate OPTIONAL,
+ -- the user's certificate chain
+ trustedCertifiers [2] SEQUENCE OF PrincipalName OPTIONAL,
+ -- CAs that the client trusts
+ serialNumber [3] CertificateSerialNumber OPTIONAL
+ -- specifying a particular
+ -- certificate if the client
+ -- already has it;
+ -- must be accompanied by
+ -- a single trustedCertifier
+ }
+
+ CertificateSerialNumber ::= INTEGER
+ -- as specified by PKCS 6
+
+ SignedAuthPack ::= SEQUENCE {
+ authPack [0] AuthPack,
+ authPackSig [1] Signature,
+ -- of authPack
+ -- using user's private key
+ }
+
+ AuthPack ::= SEQUENCE {
+ pkAuthenticator [0] PKAuthenticator,
+ clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
+ -- if client is using Diffie-Hellman
+ }
+
+ PKAuthenticator ::= SEQUENCE {
+ kdcName [0] PrincipalName,
+ kdcRealm [1] Realm,
+ cusec [2] INTEGER,
+ -- for replay prevention
+ ctime [3] KerberosTime,
+ -- for replay prevention
+ nonce [4] INTEGER
+ }
+
+ Signature ::= SEQUENCE {
+ signatureAlgorithm [0] SignatureAlgorithmIdentifier,
+ pkcsSignature [1] BIT STRING
+ -- octet-aligned big-endian bit
+ -- string (encrypted with signer's
+ -- private key)
+ }
+
+ SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm ALGORITHM.&id,
+ -- for DH, equals
+ -- dhKeyAgreement
+ -- ({iso(1) member-body(2) US(840)
+ -- rsadsi(113549) pkcs(1) pkcs-3(3)
+ -- 1})
+ parameters ALGORITHM.&type
+ -- for DH, is DHParameter
+ } -- as specified by the X.509 recommendation [9]
+
+ SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING
+ -- for DH, equals
+ -- public exponent (INTEGER encoded
+ -- as payload of BIT STRING)
+ } -- as specified by the X.509 recommendation [9]
+
+ DHParameter ::= SEQUENCE {
+ prime INTEGER,
+ -- p
+ base INTEGER,
+ -- g
+ privateValueLength INTEGER OPTIONAL
+ } -- as specified by the X.509 recommendation [9]
+
+ Certificate ::= SEQUENCE {
+ certType [0] INTEGER,
+ -- type of certificate
+ -- 1 = X.509v3 (DER encoding)
+ -- 2 = PGP (per PGP specification)
+ certData [1] OCTET STRING
+ -- actual certificate
+ -- type determined by certType
+ }
+
+ If the client passes a certificate serial number in the request,
+ the KDC is requested to use the referred-to certificate. If none
+ exists, then the KDC returns an error of type
+ KDC_ERR_CERTIFICATE_MISMATCH. It also returns this error if, on the
+ other hand, the client does not pass any trustedCertifiers,
+ believing that it has the KDC's certificate, but the KDC has more
+ than one certificate.
+
+ The PKAuthenticator carries information to foil replay attacks,
+ to bind the request and response, and to optionally pass the
+ client's Diffie-Hellman public value (i.e. for using DSA in
+ combination with Diffie-Hellman). The PKAuthenticator is signed
+ with the private key corresponding to the public key in the
+ certificate found in userCert (or cached by the KDC).
+
+ In the PKAuthenticator, the client may specify the KDC name in one
+ of two ways:
+
+ * The Kerberos principal name krbtgt/<realm_name>@<realm_name>,
+ where <realm_name> is replaced by the applicable realm name.
+ * The name in the KDC's certificate (e.g., an X.500 name, or a
+ PGP name).
+
+ Note that the first case requires that the certificate name and the
+ Kerberos principal name be bound together (e.g., via an X.509v3
+ extension).
+
+ The userCert field is a sequence of certificates, the first of which
+ must be the user's public key certificate. Any subsequent
+ certificates will be certificates of the certifiers of the user's
+ certificate. These cerificates may be used by the KDC to verify the
+ user's public key. This field may be left empty if the KDC already
+ has the user's certificate.
+
+ The trustedCertifiers field contains a list of certification
+ authorities trusted by the client, in the case that the client does
+ not possess the KDC's public key certificate. If the KDC has no
+ certificate signed by any of the trustedCertifiers, then it returns
+ an error of type KDC_ERR_CERTIFICATE_MISMATCH.
+
+ Upon receipt of the AS_REQ with PA-PK-AS-REQ pre-authentication
+ type, the KDC attempts to verify the user's certificate chain
+ (userCert), if one is provided in the request. This is done by
+ verifying the certification path against the KDC's policy of
+ legitimate certifiers. This may be based on a certification
+ hierarchy, or it may be simply a list of recognized certifiers in a
+ system like PGP.
+
+ If verification of the user's certificate fails, the KDC sends back
+ an error message of type KDC_ERR_CLIENT_NOT_TRUSTED. The e-data
+ field contains additional information pertaining to this error, and
+ is formatted as follows:
+
+ METHOD-DATA ::= SEQUENCE {
+ method-type [0] INTEGER,
+ -- 1 = cannot verify public key
+ -- 2 = invalid certificate
+ -- 3 = revoked certificate
+ -- 4 = invalid KDC name
+ -- 5 = client name mismatch
+ method-data [1] OCTET STRING OPTIONAL
+ } -- syntax as for KRB_AP_ERR_METHOD (RFC 1510)
+
+ The values for the method-type and method-data fields are described
+ in Section 3.2.1.
+
+ If trustedCertifiers is provided in the PA-PK-AS-REQ, the KDC
+ verifies that it has a certificate issued by one of the certifiers
+ trusted by the client. If it does not have a suitable certificate,
+ the KDC returns an error message of type KDC_ERR_KDC_NOT_TRUSTED to
+ the client.
+
+ If a trust relationship exists, the KDC then verifies the client's
+ signature on AuthPack. If that fails, the KDC returns an error
+ message of type KDC_ERR_INVALID_SIG. Otherwise, the KDC uses the
+ timestamp in the PKAuthenticator to assure that the request is not a
+ replay. The KDC also verifies that its name is specified in the
+ PKAuthenticator.
+
+ If the clientPublicValue field is filled in, indicating that the
+ client wishes to use Diffie-Hellman key agreement, then the KDC
+ checks to see that the parameters satisfy its policy. If they do
+ not (e.g., the prime size is insufficient for the expected
+ encryption type), then the KDC sends back an error message of type
+ KDC_ERR_KEY_TOO_WEAK. Otherwise, it generates its own public and
+ private values for the response.
+
+ The KDC also checks that the timestamp in the PKAuthenticator is
+ within the allowable window. If the local (server) time and the
+ client time in the authenticator differ by more than the allowable
+ clock skew, then the KDC returns an error message of type
+ KRB_AP_ERR_SKEW.
+
+ Assuming no errors, the KDC replies as per RFC 1510, except as
+ follows: The user's name in the ticket is as represented in the
+ certificate, unless a Kerberos principal name is bound to the name
+ in the certificate (e.g., via an X.509v3 extension). The user's
+ realm in the ticket shall be the name of the Certification
+ Authority that issued the user's public key certificate.
+
+ The KDC encrypts the reply not with the user's long-term key, but
+ with a random key generated only for this particular response. This
+ random key is sealed in the preauthentication field:
+
+ PA-PK-AS-REP ::= SEQUENCE {
+ -- PA TYPE 15
+ encSignedReplyKeyPack [0] EncryptedData,
+ -- of type SignedReplyKeyPack
+ -- using the temporary key
+ -- in encTmpKey
+ encTmpKeyPack [1] EncryptedData,
+ -- of type TmpKeyPack
+ -- using either the client public
+ -- key or the Diffie-Hellman key
+ -- specified by SignedDHPublicValue
+ signedKDCPublicValue [2] SignedKDCPublicValue OPTIONAL
+ -- if one was passed in the request
+ kdcCert [3] SEQUENCE OF Certificate OPTIONAL,
+ -- the KDC's certificate chain
+ }
+
+ SignedReplyKeyPack ::= SEQUENCE {
+ replyKeyPack [0] ReplyKeyPack,
+ replyKeyPackSig [1] Signature,
+ -- of replyEncKeyPack
+ -- using KDC's private key
+ }
+
+ ReplyKeyPack ::= SEQUENCE {
+ replyKey [0] EncryptionKey,
+ -- used to encrypt main reply
+ -- of same ENCTYPE as session key
+ nonce [1] INTEGER
+ -- binds response to the request
+ -- must be same as the nonce
+ -- passed in the PKAuthenticator
+ }
+
+ TmpKeyPack ::= SEQUENCE {
+ tmpKey [0] EncryptionKey,
+ -- used to encrypt the
+ -- SignedReplyKeyPack
+ -- of same ENCTYPE as session key
+ }
+
+ SignedKDCPublicValue ::= SEQUENCE {
+ kdcPublicValue [0] SubjectPublicKeyInfo,
+ -- as described above
+ kdcPublicValueSig [1] Signature
+ -- of kdcPublicValue
+ -- using KDC's private key
+ }
+
+ The kdcCert field is a sequence of certificates, the first of which
+ must be the KDC's public key certificate. Any subsequent
+ certificates will be certificates of the certifiers of the KDC's
+ certificate. The last of these must have as its certifier one of
+ the certifiers sent to the KDC in the PA-PK-AS-REQ. These
+ cerificates may be used by the client to verify the KDC's public
+ key. This field is empty if the client did not send to the KDC a
+ list of trusted certifiers (the trustedCertifiers field was empty).
+
+ Since each certifier in the certification path of a user's
+ certificate is essentially a separate realm, the name of each
+ certifier shall be added to the transited field of the ticket. The
+ format of these realm names is defined in Section 3.1 of this
+ document. If applicable, the transit-policy-checked flag should be
+ set in the issued ticket.
+
+ The KDC's certificate must bind the public key to a name derivable
+ from the name of the realm for that KDC. For an X.509 certificate,
+ this is done as follows. The name of the KDC will be represented
+ as an OtherName, encoded as a GeneralString:
+
+ GeneralName ::= CHOICE {
+ otherName [0] KDCPrincipalName,
+ ...
+ }
+
+ KDCPrincipalNameTypes OTHER-NAME ::= {
+ { PrincipalNameSrvInst IDENTIFIED BY principalNameSrvInst }
+ }
+
+ KDCPrincipalName ::= SEQUENCE {
+ nameType [0] OTHER-NAME.&id ( { KDCPrincipalNameTypes } ),
+ name [1] OTHER-NAME.&type ( { KDCPrincipalNameTypes }
+ { @nameType } )
+ }
+
+ PrincipalNameSrvInst ::= GeneralString
+
+ where (from the Kerberos specification) we have
+
+ krb5 OBJECT IDENTIFIER ::= { iso (1)
+ org (3)
+ dod (6)
+ internet (1)
+ security (5)
+ kerberosv5 (2) }
+
+ principalName OBJECT IDENTIFIER ::= { krb5 2 }
+
+ principalNameSrvInst OBJECT IDENTIFIER ::= { principalName 2 }
+
+ The client then extracts the random key used to encrypt the main
+ reply. This random key (in encPaReply) is encrypted with either the
+ client's public key or with a key derived from the DH values
+ exchanged between the client and the KDC.
+
+
+3.2.1. Additional Information for Errors
+
+ This section describes the interpretation of the method-type and
+ method-data fields of the KDC_ERR_CLIENT_NOT_TRUSTED error.
+
+ If method-type=1, the client's public key certificate chain does not
+ contain a certificate that is signed by a certification authority
+ trusted by the KDC. The format of the method-data field will be an
+ ASN.1 encoding of a list of trusted certifiers, as defined above:
+
+ TrustedCertifiers ::= SEQUENCE OF PrincipalName
+
+ If method-type=2, the signature on one of the certificates in the
+ chain cannot be verified. The format of the method-data field will
+ be an ASN.1 encoding of the integer index of the certificate in
+ question:
+
+ CertificateIndex ::= INTEGER
+ -- 0 = 1st certificate,
+ -- 1 = 2nd certificate, etc
+
+ If method-type=3, one of the certificates in the chain has been
+ revoked. The format of the method-data field will be an ASN.1
+ encoding of the integer index of the certificate in question:
+
+ CertificateIndex ::= INTEGER
+ -- 0 = 1st certificate,
+ -- 1 = 2nd certificate, etc
+
+ If method-type=4, the KDC name or realm in the PKAuthenticator does
+ not match the principal name of the KDC. There is no method-data
+ field in this case.
+
+ If method-type=5, the client name or realm in the certificate does
+ not match the principal name of the client. There is no
+ method-data field in this case.
+
+
+3.3. Digital Signature
+
+ Implementation of the changes in this section are OPTIONAL for
+ compliance with PKINIT.
+
+ We offer this option with the warning that it requires the client to
+ generate a random key; the client may not be able to guarantee the
+ same level of randomness as the KDC.
+
+ If the user registered, or presents a certificate for, a digital
+ signature key with the KDC instead of an encryption key, then a
+ separate exchange must be used. The client sends a request for a
+ TGT as usual, except that it (rather than the KDC) generates the
+ random key that will be used to encrypt the KDC response. This key
+ is sent to the KDC along with the request in a preauthentication
+ field, encrypted with the KDC's public key:
+
+ PA-PK-AS-SIGN ::= SEQUENCE {
+ -- PA TYPE 16
+ encSignedRandomKeyPack [0] EncryptedData,
+ -- of type SignedRandomKeyPack
+ -- using the key in encTmpKeyPack
+ encTmpKeyPack [1] EncryptedData,
+ -- of type TmpKeyPack
+ -- using the KDC's public key
+ userCert [2] SEQUENCE OF Certificate OPTIONAL
+ -- the user's certificate chain
+ }
+
+ SignedRandomKeyPack ::= SEQUENCE {
+ randomkeyPack [0] RandomKeyPack,
+ randomkeyPackSig [1] Signature
+ -- of keyPack
+ -- using user's private key
+ }
+
+ RandomKeyPack ::= SEQUENCE {
+ randomKey [0] EncryptionKey,
+ -- will be used to encrypt reply
+ randomKeyAuth [1] PKAuthenticator
+ -- nonce copied from AS-REQ
+ }
+
+ If the KDC does not accept client-generated random keys as a matter
+ of policy, then it sends back an error message of type
+ KDC_ERR_KEY_TOO_WEAK. Otherwise, it extracts the random key as
+ follows.
+
+ Upon receipt of the PA-PK-AS-SIGN, the KDC decrypts then verifies
+ the randomKey. It then replies as per RFC 1510, except that the
+ reply is encrypted not with a password-derived user key, but with
+ the randomKey sent in the request. Since the client already knows
+ this key, there is no need to accompany the reply with an extra
+ preauthentication field. The transited field of the ticket should
+ specify the certification path as described in Section 3.2.
+
+
+3.4. Retrieving the User's Private Key from the KDC
+
+ Implementation of the changes described in this section are OPTIONAL
+ for compliance with PKINIT.
+
+ When the user's private key is not stored local to the user, he may
+ choose to store the private key (normally encrypted using a
+ password-derived key) on the KDC. In this case, the client makes a
+ request as described above, except that instead of preauthenticating
+ with his private key, he uses a symmetric key shared with the KDC.
+
+ For simplicity's sake, this shared key is derived from the password-
+ derived key used to encrypt the private key, in such a way that the
+ KDC can authenticate the user with the shared key without being able
+ to extract the private key.
+
+ We provide this option to present the user with an alternative to
+ storing the private key on local disk at each machine where he
+ expects to authenticate himself using PKINIT. It should be noted
+ that it replaces the added risk of long-term storage of the private
+ key on possibly many workstations with the added risk of storing the
+ private key on the KDC in a form vulnerable to brute-force attack.
+
+ Denote by K1 the symmetric key used to encrypt the private key.
+ Then construct symmetric key K2 as follows:
+
+ * Perform a hash on K1.
+ * Truncate the digest to Length(K1) bytes.
+ * Rectify parity in each byte (if necessary) to obtain K2.
+
+ The KDC stores K2, the public key, and the encrypted private key.
+ This key pair is designated as the "primary" key pair for that user.
+ This primary key pair is the one used to perform initial
+ authentication using the PA-PK-AS-REP preauthentication field. If
+ he desires, he may also store additional key pairs on the KDC; these
+ may be requested in addition to the primary. When the client
+ requests initial authentication using public key cryptography, it
+ must then include in its request, instead of a PA-PK-AS-REQ, the
+ following preauthentication sequence:
+
+ PA-PK-KEY-REQ ::= SEQUENCE {
+ -- PA TYPE 17
+ signedPKAuth [0] SignedPKAuth,
+ trustedCertifiers [1] SEQUENCE OF PrincipalName OPTIONAL,
+ -- CAs that the client trusts
+ keyIDList [2] SEQUENCE OF Checksum OPTIONAL
+ -- payload is hash of public key
+ -- corresponding to desired
+ -- private key
+ -- if absent, KDC will return all
+ -- stored private keys
+ }
+
+ Checksum ::= SEQUENCE {
+ cksumtype [0] INTEGER,
+ checksum [1] OCTET STRING
+ } -- as specified by RFC 1510
+
+ SignedPKAuth ::= SEQUENCE {
+ pkAuth [0] PKAuthenticator,
+ pkAuthSig [1] Signature
+ -- of pkAuth
+ -- using the symmetric key K2
+ }
+
+ If a keyIDList is present, the first identifier should indicate
+ the primary private key. No public key certificate is required,
+ since the KDC stores the public key along with the private key.
+ If there is no keyIDList, all the user's private keys are returned.
+
+ Upon receipt, the KDC verifies the signature using K2. If the
+ verification fails, the KDC sends back an error of type
+ KDC_ERR_INVALID_SIG. If the signature verifies, but the requested
+ keys are not found on the KDC, then the KDC sends back an error of
+ type KDC_ERR_PREAUTH_FAILED. If all checks out, the KDC responds as
+ described in Section 3.2, except that in addition, the KDC appends
+ the following preauthentication sequence:
+
+ PA-PK-KEY-REP ::= SEQUENCE {
+ -- PA TYPE 18
+ encKeyRep [0] EncryptedData
+ -- of type EncKeyReply
+ -- using the symmetric key K2
+ }
+
+ EncKeyReply ::= SEQUENCE {
+ keyPackList [0] SEQUENCE OF KeyPack,
+ -- the first KeyPair is
+ -- the primary key pair
+ nonce [1] INTEGER
+ -- binds reply to request
+ -- must be identical to the nonce
+ -- sent in the SignedAuthPack
+ }
+
+ KeyPack ::= SEQUENCE {
+ keyID [0] Checksum,
+ encPrivKey [1] OCTET STRING
+ }
+
+ Upon receipt of the reply, the client extracts the encrypted private
+ keys (and may store them, at the client's option). The primary
+ private key, which must be the first private key in the keyPack
+ SEQUENCE, is used to decrypt the random key in the PA-PK-AS-REP;
+ this key in turn is used to decrypt the main reply as described in
+ Section 3.2.
+
+
+4. Logistics and Policy
+
+ This section describes a way to define the policy on the use of
+ PKINIT for each principal and request.
+
+ The KDC is not required to contain a database record for users
+ that use either the Standard Public Key Authentication or Public Key
+ Authentication with a Digital Signature. However, if these users
+ are registered with the KDC, it is recommended that the database
+ record for these users be modified to include three additional flags
+ in the attributes field.
+
+ The first flag, use_standard_pk_init, indicates that the user should
+ authenticate using standard PKINIT as described in Section 3.2. The
+ second flag, use_digital_signature, indicates that the user should
+ authenticate using digital signature PKINIT as described in Section
+ 3.3. The third flag, store_private_key, indicates that the user
+ has stored his private key on the KDC and should retrieve it using
+ the exchange described in Section 3.4.
+
+ If one of the preauthentication fields defined above is included in
+ the request, then the KDC shall respond as described in Sections 3.2
+ through 3.4, ignoring the aforementioned database flags. If more
+ than one of the preauthentication fields is present, the KDC shall
+ respond with an error of type KDC_ERR_PREAUTH_FAILED.
+
+ In the event that none of the preauthentication fields defined above
+ are included in the request, the KDC checks to see if any of the
+ above flags are set. If the first flag is set, then it sends back
+ an error of type KDC_ERR_PREAUTH_REQUIRED indicating that a
+ preauthentication field of type PA-PK-AS-REQ must be included in the
+ request.
+
+ Otherwise, if the first flag is clear, but the second flag is set,
+ then the KDC sends back an error of type KDC_ERR_PREAUTH_REQUIRED
+ indicating that a preauthentication field of type PA-PK-AS-SIGN must
+ be included in the request.
+
+ Lastly, if the first two flags are clear, but the third flag is set,
+ then the KDC sends back an error of type KDC_ERR_PREAUTH_REQUIRED
+ indicating that a preauthentication field of type PA-PK-KEY-REQ must
+ be included in the request.
+
+
+5. Security Considerations
+
+ PKINIT raises a few security considerations, which we will address
+ in this section.
+
+ First of all, PKINIT introduces a new trust model, where KDCs do not
+ (necessarily) certify the identity of those for whom they issue
+ tickets. PKINIT does allow KDCs to act as their own CAs, in order
+ to simplify key management, but one of the additional benefits is to
+ align Kerberos authentication with a global public key
+ infrastructure. Anyone using PKINIT in this way must be aware of
+ how the certification infrastructure they are linking to works.
+
+ Secondly, PKINIT also introduces the possibility of interactions
+ between different cryptosystems, which may be of widely varying
+ strengths. Many systems, for instance, allow the use of 512-bit
+ public keys. Using such keys to wrap data encrypted under strong
+ conventional cryptosystems, such as triple-DES, is inappropriate;
+ it adds a weak link to a strong one at extra cost. Implementors
+ and administrators should take care to avoid such wasteful and
+ deceptive interactions.
+
+
+5. Transport Issues
+
+ Certificate chains can potentially grow quite large and span several
+ UDP packets; this in turn increases the probability that a Kerberos
+ message involving PKINIT extensions will be broken in transit. In
+ light of the possibility that the Kerberos specification will
+ require KDCs to accept requests using TCP as a transport mechanism,
+ we make the same recommendation with respect to the PKINIT
+ extensions as well.
+
+
+6. Bibliography
+
+ [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service
+ (V5). Request for Comments 1510.
+
+ [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service
+ for Computer Networks, IEEE Communications, 32(9):33-38. September
+ 1994.
+
+ [3] A. Medvinsky, M. Hur. Addition of Kerberos Cipher Suites to
+ Transport Layer Security (TLS).
+ draft-ietf-tls-kerb-cipher-suites-00.txt
+
+ [4] A. Medvinsky, M. Hur, B. Clifford Neuman. Public Key Utilizing
+ Tickets for Application Servers (PKTAPP).
+ draft-ietf-cat-pktapp-00.txt
+
+ [5] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos
+ Using Public Key Cryptography. Symposium On Network and Distributed
+ System Security, 1997.
+
+ [6] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction
+ Protocol. In Proceedings of the USENIX Workshop on Electronic
+ Commerce, July 1995.
+
+ [7] Alan O. Freier, Philip Karlton and Paul C. Kocher. The SSL
+ Protocol, Version 3.0 - IETF Draft.
+
+ [8] B.C. Neuman, Proxy-Based Authorization and Accounting for
+ Distributed Systems. In Proceedings of the 13th International
+ Conference on Distributed Computing Systems, May 1993.
+
+ [9] ITU-T (formerly CCITT) Information technology - Open Systems
+ Interconnection - The Directory: Authentication Framework
+ Recommendation X.509 ISO/IEC 9594-8
+
+
+7. Acknowledgements
+
+ Sasha Medvinsky contributed several ideas to the protocol changes
+ and specifications in this document. His additions have been most
+ appreciated.
+
+ Some of the ideas on which this proposal is based arose during
+ discussions over several years between members of the SAAG, the IETF
+ CAT working group, and the PSRG, regarding integration of Kerberos
+ and SPX. Some ideas have also been drawn from the DASS system.
+ These changes are by no means endorsed by these groups. This is an
+ attempt to revive some of the goals of those groups, and this
+ proposal approaches those goals primarily from the Kerberos
+ perspective. Lastly, comments from groups working on similar ideas
+ in DCE have been invaluable.
+
+
+8. Expiration Date
+
+ This draft expires September 15, 1998.
+
+
+9. Authors
+
+ Brian Tung
+ Clifford Neuman
+ USC Information Sciences Institute
+ 4676 Admiralty Way Suite 1001
+ Marina del Rey CA 90292-6695
+ Phone: +1 310 822 1511
+ E-mail: {brian, bcn}@isi.edu
+
+ John Wray
+ Digital Equipment Corporation
+ 550 King Street, LKG2-2/Z7
+ Littleton, MA 01460
+ Phone: +1 508 486 5210
+ E-mail: wray@tuxedo.enet.dec.com
+
+ Ari Medvinsky
+ Matthew Hur
+ CyberSafe Corporation
+ 1605 NW Sammamish Road Suite 310
+ Issaquah WA 98027-5378
+ Phone: +1 206 391 6000
+ E-mail: {ari.medvinsky, matt.hur}@cybersafe.com
+
+ Jonathan Trostle
+ Novell Corporation
+ Provo UT
+ E-mail: jtrostle@novell.com
View Lorry Controller Status