summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt8267
1 files changed, 8267 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt
new file mode 100644
index 00000000000..1d62a9589dd
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-kerberos-clarifications-05.txt
@@ -0,0 +1,8267 @@
+INTERNET-DRAFT Clifford Neuman
+Obsoletes: 1510 USC-ISI
+ Tom Yu
+ Sam Hartman
+ Ken Raeburn
+ MIT
+ February 15, 2004
+ Expires 15 August, 2004
+
+ The Kerberos Network Authentication Service (V5)
+
+STATUS OF THIS MEMO
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC 2026. Internet-Drafts are working
+ documents of the Internet Engineering Task Force (IETF), its areas,
+ and its working groups. Note that other groups may also distribute
+ working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ To learn the current status of any Internet-Draft, please check the
+ "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
+ Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe),
+ ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).
+
+ The distribution of this memo is unlimited. It is filed as draft-
+ ietf-krb-wg-kerberos-clarifications-05.txt, and expires 15 August
+ 2004. Please send comments to: ietf-krb-wg@anl.gov
+
+ABSTRACT
+
+ This document provides an overview and specification of Version 5 of
+ the Kerberos protocol, and updates RFC1510 to clarify aspects of the
+ protocol and its intended use that require more detailed or clearer
+ explanation than was provided in RFC1510. This document is intended
+ to provide a detailed description of the protocol, suitable for
+ implementation, together with descriptions of the appropriate use of
+ protocol messages and fields within those messages.
+
+
+
+February 2004 [Page 1]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+OVERVIEW
+
+ This document describes the concepts and model upon which the
+ Kerberos network authentication system is based. It also specifies
+ Version 5 of the Kerberos protocol. The motivations, goals,
+ assumptions, and rationale behind most design decisions are treated
+ cursorily; they are more fully described in a paper available in IEEE
+ communications [NT94] and earlier in the Kerberos portion of the
+ Athena Technical Plan [MNSS87].
+
+ This document is not intended to describe Kerberos to the end user,
+ system administrator, or application developer. Higher level papers
+ describing Version 5 of the Kerberos system [NT94] and documenting
+ version 4 [SNS88], are available elsewhere.
+
+BACKGROUND
+
+ The Kerberos model is based in part on Needham and Schroeder's
+ trusted third-party authentication protocol [NS78] and on
+ modifications suggested by Denning and Sacco [DS81]. The original
+ design and implementation of Kerberos Versions 1 through 4 was the
+ work of two former Project Athena staff members, Steve Miller of
+ Digital Equipment Corporation and Clifford Neuman (now at the
+ Information Sciences Institute of the University of Southern
+ California), along with Jerome Saltzer, Technical Director of Project
+ Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other
+ members of Project Athena have also contributed to the work on
+ Kerberos.
+
+ Version 5 of the Kerberos protocol (described in this document) has
+ evolved from Version 4 based on new requirements and desires for
+ features not available in Version 4. The design of Version 5 of the
+ Kerberos protocol was led by Clifford Neuman and John Kohl with much
+ input from the community. The development of the MIT reference
+ implementation was led at MIT by John Kohl and Theodore Ts'o, with
+ help and contributed code from many others. Since RFC1510 was issued,
+ extensions and revisions to the protocol have been proposed by many
+ individuals. Some of these proposals are reflected in this document.
+ Where such changes involved significant effort, the document cites
+ the contribution of the proposer.
+
+ Reference implementations of both version 4 and version 5 of Kerberos
+ are publicly available and commercial implementations have been
+ developed and are widely used. Details on the differences between
+ Kerberos Versions 4 and 5 can be found in [KNT94].
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119.
+
+
+February 2004 [Page 2]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Table of Contents
+
+
+
+1. Introduction ................................................... 7
+1.1. Cross-realm operation ........................................ 9
+1.2. Choosing a principal with which to communicate ............... 10
+1.3. Authorization ................................................ 11
+1.4. Extending Kerberos Without Breaking Interoperability ......... 12
+1.4.1. Compatibility with RFC 1510 ................................ 12
+1.4.2. Sending Extensible Messages ................................ 13
+1.5. Environmental assumptions .................................... 14
+1.6. Glossary of terms ............................................ 14
+2. Ticket flag uses and requests .................................. 17
+2.1. Initial, pre-authenticated, and hardware authenticated
+ tickets ..................................................... 18
+2.2. Invalid tickets .............................................. 18
+2.3. Renewable tickets ............................................ 18
+2.4. Postdated tickets ............................................ 19
+2.5. Proxiable and proxy tickets .................................. 20
+2.6. Forwardable tickets .......................................... 21
+2.7. Transited Policy Checking .................................... 21
+2.8. OK as Delegate ............................................... 22
+2.9. Other KDC options ............................................ 23
+2.9.1. Renewable-OK ............................................... 23
+2.9.2. ENC-TKT-IN-SKEY ............................................ 23
+2.9.3. Passwordless Hardware Authentication ....................... 23
+3. Message Exchanges .............................................. 23
+3.1. The Authentication Service Exchange .......................... 23
+3.1.1. Generation of KRB_AS_REQ message ........................... 25
+3.1.2. Receipt of KRB_AS_REQ message .............................. 25
+3.1.3. Generation of KRB_AS_REP message ........................... 25
+3.1.4. Generation of KRB_ERROR message ............................ 28
+3.1.5. Receipt of KRB_AS_REP message .............................. 28
+3.1.6. Receipt of KRB_ERROR message ............................... 29
+3.2. The Client/Server Authentication Exchange .................... 30
+3.2.1. The KRB_AP_REQ message ..................................... 30
+3.2.2. Generation of a KRB_AP_REQ message ......................... 30
+3.2.3. Receipt of KRB_AP_REQ message .............................. 31
+3.2.4. Generation of a KRB_AP_REP message ......................... 33
+3.2.5. Receipt of KRB_AP_REP message .............................. 33
+3.2.6. Using the encryption key ................................... 34
+3.3. The Ticket-Granting Service (TGS) Exchange ................... 34
+3.3.1. Generation of KRB_TGS_REQ message .......................... 36
+3.3.2. Receipt of KRB_TGS_REQ message ............................. 37
+
+
+
+February 2004 [Page 3]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+3.3.3. Generation of KRB_TGS_REP message .......................... 38
+3.3.3.1. Checking for revoked tickets ............................. 40
+3.3.3.2. Encoding the transited field ............................. 41
+3.3.4. Receipt of KRB_TGS_REP message ............................. 42
+3.4. The KRB_SAFE Exchange ........................................ 43
+3.4.1. Generation of a KRB_SAFE message ........................... 43
+3.4.2. Receipt of KRB_SAFE message ................................ 43
+3.5. The KRB_PRIV Exchange ........................................ 44
+3.5.1. Generation of a KRB_PRIV message ........................... 45
+3.5.2. Receipt of KRB_PRIV message ................................ 45
+3.6. The KRB_CRED Exchange ........................................ 46
+3.6.1. Generation of a KRB_CRED message ........................... 46
+3.6.2. Receipt of KRB_CRED message ................................ 47
+3.7. User-to-User Authentication Exchanges ........................ 47
+4. Encryption and Checksum Specifications ......................... 49
+5. Message Specifications ......................................... 50
+5.1. Specific Compatibility Notes on ASN.1 ........................ 52
+5.1.1. ASN.1 Distinguished Encoding Rules ......................... 52
+5.1.2. Optional Integer Fields .................................... 52
+5.1.3. Empty SEQUENCE OF Types .................................... 52
+5.1.4. Unrecognized Tag Numbers ................................... 53
+5.1.5. Tag Numbers Greater Than 30 ................................ 53
+5.2. Basic Kerberos Types ......................................... 53
+5.2.1. KerberosString ............................................. 53
+5.2.2. Realm and PrincipalName .................................... 55
+5.2.3. KerberosTime ............................................... 56
+5.2.4. Constrained Integer types .................................. 56
+5.2.5. HostAddress and HostAddresses .............................. 57
+5.2.6. AuthorizationData .......................................... 57
+5.2.6.1. IF-RELEVANT .............................................. 59
+5.2.6.2. KDCIssued ................................................ 59
+5.2.6.3. AND-OR ................................................... 60
+5.2.6.4. MANDATORY-FOR-KDC ........................................ 60
+5.2.7. PA-DATA .................................................... 61
+5.2.7.1. PA-TGS-REQ ............................................... 62
+5.2.7.2. Encrypted Timestamp Pre-authentication ................... 62
+5.2.7.3. PA-PW-SALT ............................................... 62
+5.2.7.4. PA-ETYPE-INFO ............................................ 63
+5.2.7.5. PA-ETYPE-INFO2 ........................................... 63
+5.2.8. KerberosFlags .............................................. 64
+5.2.9. Cryptosystem-related Types ................................. 65
+5.3. Tickets ...................................................... 67
+5.4. Specifications for the AS and TGS exchanges .................. 74
+5.4.1. KRB_KDC_REQ definition ..................................... 74
+5.4.2. KRB_KDC_REP definition ..................................... 82
+5.5. Client/Server (CS) message specifications .................... 85
+5.5.1. KRB_AP_REQ definition ...................................... 85
+5.5.2. KRB_AP_REP definition ...................................... 89
+
+
+
+February 2004 [Page 4]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+5.5.3. Error message reply ........................................ 90
+5.6. KRB_SAFE message specification ............................... 90
+5.6.1. KRB_SAFE definition ........................................ 90
+5.7. KRB_PRIV message specification ............................... 92
+5.7.1. KRB_PRIV definition ........................................ 92
+5.8. KRB_CRED message specification ............................... 92
+5.8.1. KRB_CRED definition ........................................ 93
+5.9. Error message specification .................................. 95
+5.9.1. KRB_ERROR definition ....................................... 95
+5.10. Application Tag Numbers ..................................... 97
+6. Naming Constraints ............................................. 98
+6.1. Realm Names .................................................. 98
+6.2. Principal Names .............................................. 99
+6.2.1. Name of server principals .................................. 101
+7. Constants and other defined values ............................. 101
+7.1. Host address types ........................................... 101
+7.2. KDC messaging - IP Transports ................................ 103
+7.2.1. UDP/IP transport ........................................... 103
+7.2.2. TCP/IP transport ........................................... 103
+7.2.3. KDC Discovery on IP Networks ............................... 104
+7.2.3.1. DNS vs. Kerberos - Case Sensitivity of Realm Names ....... 105
+7.2.3.2. Specifying KDC Location information with DNS SRV
+ records ..................................................... 105
+7.2.3.3. KDC Discovery for Domain Style Realm Names on IP
+ Networks .................................................... 106
+7.3. Name of the TGS .............................................. 106
+7.4. OID arc for KerberosV5 ....................................... 106
+7.5. Protocol constants and associated values ..................... 106
+7.5.1. Key usage numbers .......................................... 107
+7.5.2. PreAuthentication Data Types
+ ............................................................. 108
+7.5.3. Address Types
+ ............................................................. 109
+7.5.4. Authorization Data Types
+ ............................................................. 109
+7.5.5. Transited Encoding Types
+ ............................................................. 109
+7.5.6. Protocol Version Number
+ ............................................................. 110
+7.5.7. Kerberos Message Types
+ ............................................................. 110
+7.5.8. Name Types
+ ............................................................. 110
+7.5.9. Error Codes
+ ............................................................. 110
+8. Interoperability requirements .................................. 112
+8.1. Specification 2 .............................................. 112
+8.2. Recommended KDC values ....................................... 115
+
+
+
+February 2004 [Page 5]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+9. IANA considerations ............................................ 115
+10. Security Considerations ....................................... 116
+11. Author's Addresses ............................................ 120
+12. Acknowledgements .............................................. 121
+13. REFERENCES .................................................... 122
+13.1 NORMATIVE REFERENCES ......................................... 122
+13.2 INFORMATIVE REFERENCES ....................................... 123
+14. Copyright Statement ........................................... 124
+15. Intellectual Property ......................................... 125
+A. ASN.1 module ................................................... 125
+B. Changes since RFC-1510 ......................................... 133
+END NOTES ......................................................... 136
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+February 2004 [Page 6]
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+1. Introduction
+
+ Kerberos provides a means of verifying the identities of
+ principals, (e.g. a workstation user or a network server) on an
+ open (unprotected) network. This is accomplished without relying
+ on assertions by the host operating system, without basing trust
+ on host addresses, without requiring physical security of all the
+ hosts on the network, and under the assumption that packets
+ traveling along the network can be read, modified, and inserted at
+ will[1]. Kerberos performs authentication under these conditions
+ as a trusted third-party authentication service by using
+ conventional (shared secret key [2]) cryptography. Kerberos
+ extensions (outside the scope of this document) can provide for
+ the use of public key cryptography during certain phases of the
+ authentication protocol [@RFCE: if PKINIT advances concurrently
+ include reference to the RFC here]. Such extensions support
+ Kerberos authentication for users registered with public key
+ certification authorities and provide certain benefits of public
+ key cryptography in situations where they are needed.
+
+ The basic Kerberos authentication process proceeds as follows: A
+ client sends a request to the authentication server (AS)
+ requesting "credentials" for a given server. The AS responds with
+ these credentials, encrypted in the client's key. The credentials
+ consist of a "ticket" for the server and a temporary encryption
+ key (often called a "session key"). The client transmits the
+ ticket (which contains the client's identity and a copy of the
+ session key, all encrypted in the server's key) to the server. The
+ session key (now shared by the client and server) is used to
+ authenticate the client, and may optionally be used to
+ authenticate the server. It may also be used to encrypt further
+ communication between the two parties or to exchange a separate
+ sub-session key to be used to encrypt further communication.
+
+ Implementation of the basic protocol consists of one or more
+ authentication servers running on physically secure hosts. The
+ authentication servers maintain a database of principals (i.e.,
+ users and servers) and their secret keys. Code libraries provide
+ encryption and implement the Kerberos protocol. In order to add
+ authentication to its transactions, a typical network application
+ adds calls to the Kerberos library directly or through the Generic
+ Security Services Application Programming Interface, GSSAPI,
+ described in separate document [ref to GSSAPI RFC]. These calls
+ result in the transmission of the necessary messages to achieve
+ authentication.
+
+ The Kerberos protocol consists of several sub-protocols (or
+ exchanges). There are two basic methods by which a client can ask
+
+
+
+February 2004 [Page 7]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ a Kerberos server for credentials. In the first approach, the
+ client sends a cleartext request for a ticket for the desired
+ server to the AS. The reply is sent encrypted in the client's
+ secret key. Usually this request is for a ticket-granting ticket
+ (TGT) which can later be used with the ticket-granting server
+ (TGS). In the second method, the client sends a request to the
+ TGS. The client uses the TGT to authenticate itself to the TGS in
+ the same manner as if it were contacting any other application
+ server that requires Kerberos authentication. The reply is
+ encrypted in the session key from the TGT. Though the protocol
+ specification describes the AS and the TGS as separate servers,
+ they are implemented in practice as different protocol entry
+ points within a single Kerberos server.
+
+ Once obtained, credentials may be used to verify the identity of
+ the principals in a transaction, to ensure the integrity of
+ messages exchanged between them, or to preserve privacy of the
+ messages. The application is free to choose whatever protection
+ may be necessary.
+
+ To verify the identities of the principals in a transaction, the
+ client transmits the ticket to the application server. Since the
+ ticket is sent "in the clear" (parts of it are encrypted, but this
+ encryption doesn't thwart replay) and might be intercepted and
+ reused by an attacker, additional information is sent to prove
+ that the message originated with the principal to whom the ticket
+ was issued. This information (called the authenticator) is
+ encrypted in the session key, and includes a timestamp. The
+ timestamp proves that the message was recently generated and is
+ not a replay. Encrypting the authenticator in the session key
+ proves that it was generated by a party possessing the session
+ key. Since no one except the requesting principal and the server
+ know the session key (it is never sent over the network in the
+ clear) this guarantees the identity of the client.
+
+ The integrity of the messages exchanged between principals can
+ also be guaranteed using the session key (passed in the ticket and
+ contained in the credentials). This approach provides detection of
+ both replay attacks and message stream modification attacks. It is
+ accomplished by generating and transmitting a collision-proof
+ checksum (elsewhere called a hash or digest function) of the
+ client's message, keyed with the session key. Privacy and
+ integrity of the messages exchanged between principals can be
+ secured by encrypting the data to be passed using the session key
+ contained in the ticket or the sub-session key found in the
+ authenticator.
+
+ The authentication exchanges mentioned above require read-only
+
+
+
+February 2004 [Page 8]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ access to the Kerberos database. Sometimes, however, the entries
+ in the database must be modified, such as when adding new
+ principals or changing a principal's key. This is done using a
+ protocol between a client and a third Kerberos server, the
+ Kerberos Administration Server (KADM). There is also a protocol
+ for maintaining multiple copies of the Kerberos database. Neither
+ of these protocols are described in this document.
+
+1.1. Cross-realm operation
+
+ The Kerberos protocol is designed to operate across organizational
+ boundaries. A client in one organization can be authenticated to a
+ server in another. Each organization wishing to run a Kerberos
+ server establishes its own "realm". The name of the realm in which
+ a client is registered is part of the client's name, and can be
+ used by the end-service to decide whether to honor a request.
+
+ By establishing "inter-realm" keys, the administrators of two
+ realms can allow a client authenticated in the local realm to
+ prove its identity to servers in other realms[3]. The exchange of
+ inter-realm keys (a separate key may be used for each direction)
+ registers the ticket-granting service of each realm as a principal
+ in the other realm. A client is then able to obtain a ticket-
+ granting ticket for the remote realm's ticket-granting service
+ from its local realm. When that ticket-granting ticket is used,
+ the remote ticket-granting service uses the inter-realm key (which
+ usually differs from its own normal TGS key) to decrypt the
+ ticket-granting ticket, and is thus certain that it was issued by
+ the client's own TGS. Tickets issued by the remote ticket-granting
+ service will indicate to the end-service that the client was
+ authenticated from another realm.
+
+ A realm is said to communicate with another realm if the two
+ realms share an inter-realm key, or if the local realm shares an
+ inter-realm key with an intermediate realm that communicates with
+ the remote realm. An authentication path is the sequence of
+ intermediate realms that are transited in communicating from one
+ realm to another.
+
+ Realms may be organized hierarchically. Each realm shares a key
+ with its parent and a different key with each child. If an inter-
+ realm key is not directly shared by two realms, the hierarchical
+ organization allows an authentication path to be easily
+ constructed. If a hierarchical organization is not used, it may be
+ necessary to consult a database in order to construct an
+ authentication path between realms.
+
+ Although realms are typically hierarchical, intermediate realms
+
+
+
+February 2004 [Page 9]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ may be bypassed to achieve cross-realm authentication through
+ alternate authentication paths (these might be established to make
+ communication between two realms more efficient). It is important
+ for the end-service to know which realms were transited when
+ deciding how much faith to place in the authentication process. To
+ facilitate this decision, a field in each ticket contains the
+ names of the realms that were involved in authenticating the
+ client.
+
+ The application server is ultimately responsible for accepting or
+ rejecting authentication and SHOULD check the transited field. The
+ application server may choose to rely on the KDC for the
+ application server's realm to check the transited field. The
+ application server's KDC will set the TRANSITED-POLICY-CHECKED
+ flag in this case. The KDCs for intermediate realms may also check
+ the transited field as they issue ticket-granting tickets for
+ other realms, but they are encouraged not to do so. A client may
+ request that the KDCs not check the transited field by setting the
+ DISABLE-TRANSITED-CHECK flag. KDCs SHOULD honor this flag.
+
+1.2. Choosing a principal with which to communicate
+
+ The Kerberos protocol provides the means for verifying (subject to
+ the assumptions in 1.5) that the entity with which one
+ communicates is the same entity that was registered with the KDC
+ using the claimed identity (principal name). It is still necessary
+ to determine whether that identity corresponds to the entity with
+ which one intends to communicate.
+
+ When appropriate data has been exchanged in advance, this
+ determination may be performed syntactically by the application
+ based on the application protocol specification, information
+ provided by the user, and configuration files. For example, the
+ server principal name (including realm) for a telnet server might
+ be derived from the user specified host name (from the telnet
+ command line), the "host/" prefix specified in the application
+ protocol specification, and a mapping to a Kerberos realm derived
+ syntactically from the domain part of the specified hostname and
+ information from the local Kerberos realms database.
+
+ One can also rely on trusted third parties to make this
+ determination, but only when the data obtained from the third
+ party is suitably integrity protected while resident on the third
+ party server and when transmitted. Thus, for example, one should
+ not rely on an unprotected domain name system record to map a host
+ alias to the primary name of a server, accepting the primary name
+ as the party one intends to contact, since an attacker can modify
+ the mapping and impersonate the party with which one intended to
+
+
+
+February 2004 [Page 10]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ communicate.
+
+ Implementations of Kerberos and protocols based on Kerberos MUST
+ NOT use insecure DNS queries to canonicalize the hostname
+ components of the service principal names (i.e. MUST NOT use
+ insecure DNS queries to map one name to another to determine the
+ host part of the principal name with which one is to communicate).
+ In an environment without secure name service, application authors
+ MAY append a statically configured domain name to unqualified
+ hostnames before passing the name to the security mechanisms, but
+ should do no more than that. Secure name service facilities, if
+ available, might be trusted for hostname canonicalization, but
+ such canonicalization by the client SHOULD NOT be required by KDC
+ implementations.
+
+ Implementation note: Many current implementations do some degree
+ of canonicalization of the provided service name, often using DNS
+ even though it creates security problems. However there is no
+ consistency among implementations about whether the service name
+ is case folded to lower case or whether reverse resolution is
+ used. To maximize interoperability and security, applications
+ SHOULD provide security mechanisms with names which result from
+ folding the user-entered name to lower case, without performing
+ any other modifications or canonicalization.
+
+1.3. Authorization
+
+ As an authentication service, Kerberos provides a means of
+ verifying the identity of principals on a network. Authentication
+ is usually useful primarily as a first step in the process of
+ authorization, determining whether a client may use a service,
+ which objects the client is allowed to access, and the type of
+ access allowed for each. Kerberos does not, by itself, provide
+ authorization. Possession of a client ticket for a service
+ provides only for authentication of the client to that service,
+ and in the absence of a separate authorization procedure, it
+ should not be considered by an application as authorizing the use
+ of that service.
+
+ Such separate authorization methods MAY be implemented as
+ application specific access control functions and may utilize
+ files on the application server, or on separately issued
+ authorization credentials such as those based on proxies [Neu93],
+ or on other authorization services. Separately authenticated
+ authorization credentials MAY be embedded in a ticket's
+ authorization data when encapsulated by the KDC-issued
+ authorization data element.
+
+
+
+
+February 2004 [Page 11]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Applications should not accept the mere issuance of a service
+ ticket by the Kerberos server (even by a modified Kerberos server)
+ as granting authority to use the service, since such applications
+ may become vulnerable to the bypass of this authorization check in
+ an environment if they interoperate with other KDCs or where other
+ options for application authentication are provided.
+
+1.4. Extending Kerberos Without Breaking Interoperability
+
+ As the deployed base of Kerberos implementations grows, extending
+ Kerberos becomes more important. Unfortunately some extensions to
+ the existing Kerberos protocol create interoperability issues
+ because of uncertainty regarding the treatment of certain
+ extensibility options by some implementations. This section
+ includes guidelines that will enable future implementations to
+ maintain interoperability.
+
+ Kerberos provides a general mechanism for protocol extensibility.
+ Some protocol messages contain typed holes -- sub-messages that
+ contain an octet-string along with an integer that defines how to
+ interpret the octet-string. The integer types are registered
+ centrally, but can be used both for vendor extensions and for
+ extensions standardized through the IETF.
+
+ In this document, the word "extension" means an extension by
+ defining a new type to insert into an existing typed hole in a
+ protocol message. It does not mean extension by addition of new
+ fields to ASN.1 types, unless explicitly indicated otherwise in
+ the text.
+
+1.4.1. Compatibility with RFC 1510
+
+ It is important to note that existing Kerberos message formats can
+ not be readily extended by adding fields to the ASN.1 types.
+ Sending additional fields often results in the entire message
+ being discarded without an error indication. Future versions of
+ this specification will provide guidelines to ensure that ASN.1
+ fields can be added without creating an interoperability problem.
+
+ In the meantime, all new or modified implementations of Kerberos
+ that receive an unknown message extension SHOULD preserve the
+ encoding of the extension but otherwise ignore the presence of the
+ extension. Recipients MUST NOT decline a request simply because an
+ extension is present.
+
+ There is one exception to this rule. If an unknown authorization
+ data element type is received by a server other than the ticket
+ granting service either in an AP-REQ or in a ticket contained in
+
+
+
+February 2004 [Page 12]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ an AP-REQ, then authentication MUST fail. One of the primary uses
+ of authorization data is to restrict the use of the ticket. If the
+ service cannot determine whether the restriction applies to that
+ service then a security weakness may result if the ticket can be
+ used for that service. Authorization elements that are optional
+ SHOULD be enclosed in the AD-IF-RELEVANT element.
+
+ The ticket granting service MUST ignore but propagate to
+ derivative tickets any unknown authorization data types, unless
+ those data types are embedded in a MANDATORY-FOR-KDC element, in
+ which case the request will be rejected. This behavior is
+ appropriate because requiring that the ticket granting service
+ understand unknown authorization data types would require that KDC
+ software be upgraded to understand new application-level
+ restrictions before applications used these restrictions,
+ decreasing the utility of authorization data as a mechanism for
+ restricting the use of tickets. No security problem is created
+ because services to which the tickets are issued will verify the
+ authorization data.
+
+ Implementation note: Many RFC 1510 implementations ignore unknown
+ authorization data elements. Depending on these implementations to
+ honor authorization data restrictions may create a security
+ weakness.
+
+1.4.2. Sending Extensible Messages
+
+ Care must be taken to ensure that old implementations can
+ understand messages sent to them even if they do not understand an
+ extension that is used. Unless the sender knows an extension is
+ supported, the extension cannot change the semantics of the core
+ message or previously defined extensions.
+
+ For example, an extension including key information necessary to
+ decrypt the encrypted part of a KDC-REP could only be used in
+ situations where the recipient was known to support the extension.
+ Thus when designing such extensions it is important to provide a
+ way for the recipient to notify the sender of support for the
+ extension. For example in the case of an extension that changes
+ the KDC-REP reply key, the client could indicate support for the
+ extension by including a padata element in the AS-REQ sequence.
+ The KDC should only use the extension if this padata element is
+ present in the AS-REQ. Even if policy requires the use of the
+ extension, it is better to return an error indicating that the
+ extension is required than to use the extension when the recipient
+ may not support it; debugging why implementations do not
+ interoperate is easier when errors are returned.
+
+
+
+
+February 2004 [Page 13]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+1.5. Environmental assumptions
+
+ Kerberos imposes a few assumptions on the environment in which it
+ can properly function:
+
+ * "Denial of service" attacks are not solved with Kerberos. There
+ are places in the protocols where an intruder can prevent an
+ application from participating in the proper authentication steps.
+ Detection and solution of such attacks (some of which can appear
+ to be not-uncommon "normal" failure modes for the system) is
+ usually best left to the human administrators and users.
+
+ * Principals MUST keep their secret keys secret. If an intruder
+ somehow steals a principal's key, it will be able to masquerade as
+ that principal or impersonate any server to the legitimate
+ principal.
+
+ * "Password guessing" attacks are not solved by Kerberos. If a user
+ chooses a poor password, it is possible for an attacker to
+ successfully mount an offline dictionary attack by repeatedly
+ attempting to decrypt, with successive entries from a dictionary,
+ messages obtained which are encrypted under a key derived from the
+ user's password.
+
+ * Each host on the network MUST have a clock which is "loosely
+ synchronized" to the time of the other hosts; this synchronization
+ is used to reduce the bookkeeping needs of application servers
+ when they do replay detection. The degree of "looseness" can be
+ configured on a per-server basis, but is typically on the order of
+ 5 minutes. If the clocks are synchronized over the network, the
+ clock synchronization protocol MUST itself be secured from network
+ attackers.
+
+ * Principal identifiers are not recycled on a short-term basis. A
+ typical mode of access control will use access control lists
+ (ACLs) to grant permissions to particular principals. If a stale
+ ACL entry remains for a deleted principal and the principal
+ identifier is reused, the new principal will inherit rights
+ specified in the stale ACL entry. By not re-using principal
+ identifiers, the danger of inadvertent access is removed.
+
+1.6. Glossary of terms
+
+ Below is a list of terms used throughout this document.
+
+ Authentication
+ Verifying the claimed identity of a principal.
+
+
+
+
+February 2004 [Page 14]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Authentication header
+ A record containing a Ticket and an Authenticator to be presented
+ to a server as part of the authentication process.
+
+ Authentication path
+ A sequence of intermediate realms transited in the authentication
+ process when communicating from one realm to another.
+
+ Authenticator
+ A record containing information that can be shown to have been
+ recently generated using the session key known only by the client
+ and server.
+
+ Authorization
+ The process of determining whether a client may use a service,
+ which objects the client is allowed to access, and the type of
+ access allowed for each.
+
+ Capability
+ A token that grants the bearer permission to access an object or
+ service. In Kerberos, this might be a ticket whose use is
+ restricted by the contents of the authorization data field, but
+ which lists no network addresses, together with the session key
+ necessary to use the ticket.
+
+ Ciphertext
+ The output of an encryption function. Encryption transforms
+ plaintext into ciphertext.
+
+ Client
+ A process that makes use of a network service on behalf of a user.
+ Note that in some cases a Server may itself be a client of some
+ other server (e.g. a print server may be a client of a file
+ server).
+
+ Credentials
+ A ticket plus the secret session key necessary to successfully use
+ that ticket in an authentication exchange.
+
+ Encryption Type (etype)
+ When associated with encrypted data, an encryption type identifies
+ the algorithm used to encrypt the data and is used to select the
+ appropriate algorithm for decrypting the data. Encryption type
+ tags are communicated in other messages to enumerate algorithms
+ that are desired, supported, preferred, or allowed to be used for
+ encryption of data between parties. This preference is combined
+ with local information and policy to select an algorithm to be
+ used.
+
+
+
+February 2004 [Page 15]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ KDC
+ Key Distribution Center, a network service that supplies tickets
+ and temporary session keys; or an instance of that service or the
+ host on which it runs. The KDC services both initial ticket and
+ ticket-granting ticket requests. The initial ticket portion is
+ sometimes referred to as the Authentication Server (or service).
+ The ticket-granting ticket portion is sometimes referred to as the
+ ticket-granting server (or service).
+
+ Kerberos
+ The name given to the Project Athena's authentication service, the
+ protocol used by that service, or the code used to implement the
+ authentication service. The name is adopted from the three-headed
+ dog which guards Hades.
+
+ Key Version Number (kvno)
+ A tag associated with encrypted data identifies which key was used
+ for encryption when a long lived key associated with a principal
+ changes over time. It is used during the transition to a new key
+ so that the party decrypting a message can tell whether the data
+ was encrypted using the old or the new key.
+
+ Plaintext
+ The input to an encryption function or the output of a decryption
+ function. Decryption transforms ciphertext into plaintext.
+
+ Principal
+ A named client or server entity that participates in a network
+ communication, with one name that is considered canonical.
+
+ Principal identifier
+ The canonical name used to uniquely identify each different
+ principal.
+
+ Seal
+ To encipher a record containing several fields in such a way that
+ the fields cannot be individually replaced without either
+ knowledge of the encryption key or leaving evidence of tampering.
+
+ Secret key
+ An encryption key shared by a principal and the KDC, distributed
+ outside the bounds of the system, with a long lifetime. In the
+ case of a human user's principal, the secret key MAY be derived
+ from a password.
+
+ Server
+ A particular Principal which provides a resource to network
+ clients. The server is sometimes referred to as the Application
+
+
+
+February 2004 [Page 16]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Server.
+
+ Service
+ A resource provided to network clients; often provided by more
+ than one server (for example, remote file service).
+
+ Session key
+ A temporary encryption key used between two principals, with a
+ lifetime limited to the duration of a single login "session". In
+ the Kerberos system, a session key is generated by the KDC. The
+ session key is distinct from the sub-session key, described next..
+
+ Sub-session key
+ A temporary encryption key used between two principals, selected
+ and exchanged by the principals using the session key, and with a
+ lifetime limited to the duration of a single association. The sub-
+ session key is also referred to as the subkey.
+
+ Ticket
+ A record that helps a client authenticate itself to a server; it
+ contains the client's identity, a session key, a timestamp, and
+ other information, all sealed using the server's secret key. It
+ only serves to authenticate a client when presented along with a
+ fresh Authenticator.
+
+
+2. Ticket flag uses and requests
+
+ Each Kerberos ticket contains a set of flags which are used to
+ indicate attributes of that ticket. Most flags may be requested by
+ a client when the ticket is obtained; some are automatically
+ turned on and off by a Kerberos server as required. The following
+ sections explain what the various flags mean and give examples of
+ reasons to use them. With the exception of the INVALID flag
+ clients MUST ignore ticket flags that are not recognized. KDCs
+ MUST ignore KDC options that are not recognized. Some
+ implementations of RFC 1510 are known to reject unknown KDC
+ options, so clients may need to resend a request without new KDC
+ options if the request was rejected when sent with options added
+ since RFC 1510. Since new KDCs will ignore unknown options,
+ clients MUST confirm that the ticket returned by the KDC meets
+ their needs.
+
+ Note that it is not, in general, possible to determine whether an
+ option was not honored because it was not understood or because it
+ was rejected either through configuration or policy. When adding a
+ new option to the Kerberos protocol, designers should consider
+ whether the distinction is important for their option. In cases
+
+
+
+February 2004 [Page 17]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ where it is, a mechanism for the KDC to return an indication that
+ the option was understood but rejected needs to be provided in the
+ specification of the option. Often in such cases, the mechanism
+ needs to be broad enough to permit an error or reason to be
+ returned.
+
+2.1. Initial, pre-authenticated, and hardware authenticated tickets
+
+ The INITIAL flag indicates that a ticket was issued using the AS
+ protocol, rather than issued based on a ticket-granting ticket.
+ Application servers that want to require the demonstrated
+ knowledge of a client's secret key (e.g. a password-changing
+ program) can insist that this flag be set in any tickets they
+ accept, and thus be assured that the client's key was recently
+ presented to the application client.
+
+ The PRE-AUTHENT and HW-AUTHENT flags provide additional
+ information about the initial authentication, regardless of
+ whether the current ticket was issued directly (in which case
+ INITIAL will also be set) or issued on the basis of a ticket-
+ granting ticket (in which case the INITIAL flag is clear, but the
+ PRE-AUTHENT and HW-AUTHENT flags are carried forward from the
+ ticket-granting ticket).
+
+2.2. Invalid tickets
+
+ The INVALID flag indicates that a ticket is invalid. Application
+ servers MUST reject tickets which have this flag set. A postdated
+ ticket will be issued in this form. Invalid tickets MUST be
+ validated by the KDC before use, by presenting them to the KDC in
+ a TGS request with the VALIDATE option specified. The KDC will
+ only validate tickets after their starttime has passed. The
+ validation is required so that postdated tickets which have been
+ stolen before their starttime can be rendered permanently invalid
+ (through a hot-list mechanism) (see section 3.3.3.1).
+
+2.3. Renewable tickets
+
+ Applications may desire to hold tickets which can be valid for
+ long periods of time. However, this can expose their credentials
+ to potential theft for equally long periods, and those stolen
+ credentials would be valid until the expiration time of the
+ ticket(s). Simply using short-lived tickets and obtaining new ones
+ periodically would require the client to have long-term access to
+ its secret key, an even greater risk. Renewable tickets can be
+ used to mitigate the consequences of theft. Renewable tickets have
+ two "expiration times": the first is when the current instance of
+ the ticket expires, and the second is the latest permissible value
+
+
+
+February 2004 [Page 18]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ for an individual expiration time. An application client must
+ periodically (i.e. before it expires) present a renewable ticket
+ to the KDC, with the RENEW option set in the KDC request. The KDC
+ will issue a new ticket with a new session key and a later
+ expiration time. All other fields of the ticket are left
+ unmodified by the renewal process. When the latest permissible
+ expiration time arrives, the ticket expires permanently. At each
+ renewal, the KDC MAY consult a hot-list to determine if the ticket
+ had been reported stolen since its last renewal; it will refuse to
+ renew such stolen tickets, and thus the usable lifetime of stolen
+ tickets is reduced.
+
+ The RENEWABLE flag in a ticket is normally only interpreted by the
+ ticket-granting service (discussed below in section 3.3). It can
+ usually be ignored by application servers. However, some
+ particularly careful application servers MAY disallow renewable
+ tickets.
+
+ If a renewable ticket is not renewed by its expiration time, the
+ KDC will not renew the ticket. The RENEWABLE flag is reset by
+ default, but a client MAY request it be set by setting the
+ RENEWABLE option in the KRB_AS_REQ message. If it is set, then the
+ renew-till field in the ticket contains the time after which the
+ ticket may not be renewed.
+
+2.4. Postdated tickets
+
+ Applications may occasionally need to obtain tickets for use much
+ later, e.g. a batch submission system would need tickets to be
+ valid at the time the batch job is serviced. However, it is
+ dangerous to hold valid tickets in a batch queue, since they will
+ be on-line longer and more prone to theft. Postdated tickets
+ provide a way to obtain these tickets from the KDC at job
+ submission time, but to leave them "dormant" until they are
+ activated and validated by a further request of the KDC. If a
+ ticket theft were reported in the interim, the KDC would refuse to
+ validate the ticket, and the thief would be foiled.
+
+ The MAY-POSTDATE flag in a ticket is normally only interpreted by
+ the ticket-granting service. It can be ignored by application
+ servers. This flag MUST be set in a ticket-granting ticket in
+ order to issue a postdated ticket based on the presented ticket.
+ It is reset by default; it MAY be requested by a client by setting
+ the ALLOW-POSTDATE option in the KRB_AS_REQ message. This flag
+ does not allow a client to obtain a postdated ticket-granting
+ ticket; postdated ticket-granting tickets can only by obtained by
+ requesting the postdating in the KRB_AS_REQ message. The life
+ (endtime-starttime) of a postdated ticket will be the remaining
+
+
+
+February 2004 [Page 19]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ life of the ticket-granting ticket at the time of the request,
+ unless the RENEWABLE option is also set, in which case it can be
+ the full life (endtime-starttime) of the ticket-granting ticket.
+ The KDC MAY limit how far in the future a ticket may be postdated.
+
+ The POSTDATED flag indicates that a ticket has been postdated. The
+ application server can check the authtime field in the ticket to
+ see when the original authentication occurred. Some services MAY
+ choose to reject postdated tickets, or they may only accept them
+ within a certain period after the original authentication. When
+ the KDC issues a POSTDATED ticket, it will also be marked as
+ INVALID, so that the application client MUST present the ticket to
+ the KDC to be validated before use.
+
+2.5. Proxiable and proxy tickets
+
+ At times it may be necessary for a principal to allow a service to
+ perform an operation on its behalf. The service must be able to
+ take on the identity of the client, but only for a particular
+ purpose. A principal can allow a service to take on the
+ principal's identity for a particular purpose by granting it a
+ proxy.
+
+ The process of granting a proxy using the proxy and proxiable
+ flags is used to provide credentials for use with specific
+ services. Though conceptually also a proxy, users wishing to
+ delegate their identity in a form usable for all purpose MUST use
+ the ticket forwarding mechanism described in the next section to
+ forward a ticket-granting ticket.
+
+ The PROXIABLE flag in a ticket is normally only interpreted by the
+ ticket-granting service. It can be ignored by application servers.
+ When set, this flag tells the ticket-granting server that it is OK
+ to issue a new ticket (but not a ticket-granting ticket) with a
+ different network address based on this ticket. This flag is set
+ if requested by the client on initial authentication. By default,
+ the client will request that it be set when requesting a ticket-
+ granting ticket, and reset when requesting any other ticket.
+
+ This flag allows a client to pass a proxy to a server to perform a
+ remote request on its behalf (e.g. a print service client can give
+ the print server a proxy to access the client's files on a
+ particular file server in order to satisfy a print request).
+
+ In order to complicate the use of stolen credentials, Kerberos
+ tickets are usually valid from only those network addresses
+ specifically included in the ticket[4]. When granting a proxy, the
+ client MUST specify the new network address from which the proxy
+
+
+
+February 2004 [Page 20]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ is to be used, or indicate that the proxy is to be issued for use
+ from any address.
+
+ The PROXY flag is set in a ticket by the TGS when it issues a
+ proxy ticket. Application servers MAY check this flag and at
+ their option they MAY require additional authentication from the
+ agent presenting the proxy in order to provide an audit trail.
+
+2.6. Forwardable tickets
+
+ Authentication forwarding is an instance of a proxy where the
+ service that is granted is complete use of the client's identity.
+ An example where it might be used is when a user logs in to a
+ remote system and wants authentication to work from that system as
+ if the login were local.
+
+ The FORWARDABLE flag in a ticket is normally only interpreted by
+ the ticket-granting service. It can be ignored by application
+ servers. The FORWARDABLE flag has an interpretation similar to
+ that of the PROXIABLE flag, except ticket-granting tickets may
+ also be issued with different network addresses. This flag is
+ reset by default, but users MAY request that it be set by setting
+ the FORWARDABLE option in the AS request when they request their
+ initial ticket-granting ticket.
+
+ This flag allows for authentication forwarding without requiring
+ the user to enter a password again. If the flag is not set, then
+ authentication forwarding is not permitted, but the same result
+ can still be achieved if the user engages in the AS exchange
+ specifying the requested network addresses and supplies a
+ password.
+
+ The FORWARDED flag is set by the TGS when a client presents a
+ ticket with the FORWARDABLE flag set and requests a forwarded
+ ticket by specifying the FORWARDED KDC option and supplying a set
+ of addresses for the new ticket. It is also set in all tickets
+ issued based on tickets with the FORWARDED flag set. Application
+ servers may choose to process FORWARDED tickets differently than
+ non-FORWARDED tickets.
+
+ If addressless tickets are forwarded from one system to another,
+ clients SHOULD still use this option to obtain a new TGT in order
+ to have different session keys on the different systems.
+
+2.7. Transited Policy Checking
+
+ In Kerberos, the application server is ultimately responsible for
+ accepting or rejecting authentication and SHOULD check that only
+
+
+
+February 2004 [Page 21]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ suitably trusted KDCs are relied upon to authenticate a principal.
+ The transited field in the ticket identifies which realms (and
+ thus which KDCs) were involved in the authentication process and
+ an application server would normally check this field. If any of
+ these are untrusted to authenticate the indicated client principal
+ (probably determined by a realm-based policy), the authentication
+ attempt MUST be rejected. The presence of trusted KDCs in this
+ list does not provide any guarantee; an untrusted KDC may have
+ fabricated the list.
+
+ While the end server ultimately decides whether authentication is
+ valid, the KDC for the end server's realm MAY apply a realm
+ specific policy for validating the transited field and accepting
+ credentials for cross-realm authentication. When the KDC applies
+ such checks and accepts such cross-realm authentication it will
+ set the TRANSITED-POLICY-CHECKED flag in the service tickets it
+ issues based on the cross-realm TGT. A client MAY request that the
+ KDCs not check the transited field by setting the DISABLE-
+ TRANSITED-CHECK flag. KDCs are encouraged but not required to
+ honor this flag.
+
+ Application servers MUST either do the transited-realm checks
+ themselves, or reject cross-realm tickets without TRANSITED-
+ POLICY-CHECKED set.
+
+2.8. OK as Delegate
+
+ For some applications a client may need to delegate authority to a
+ server to act on its behalf in contacting other services. This
+ requires that the client forward credentials to an intermediate
+ server. The ability for a client to obtain a service ticket to a
+ server conveys no information to the client about whether the
+ server should be trusted to accept delegated credentials. The OK-
+ AS-DELEGATE provides a way for a KDC to communicate local realm
+ policy to a client regarding whether an intermediate server is
+ trusted to accept such credentials.
+
+ The copy of the ticket flags in the encrypted part of the KDC
+ reply may have the OK-AS-DELEGATE flag set to indicates to the
+ client that the server specified in the ticket has been determined
+ by policy of the realm to be a suitable recipient of delegation.
+ A client can use the presence of this flag to help it make a
+ decision whether to delegate credentials (either grant a proxy or
+ a forwarded ticket-granting ticket) to this server. It is
+ acceptable to ignore the value of this flag. When setting this
+ flag, an administrator should consider the security and placement
+ of the server on which the service will run, as well as whether
+ the service requires the use of delegated credentials.
+
+
+
+February 2004 [Page 22]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+2.9. Other KDC options
+
+ There are three additional options which MAY be set in a client's
+ request of the KDC.
+
+2.9.1. Renewable-OK
+
+ The RENEWABLE-OK option indicates that the client will accept a
+ renewable ticket if a ticket with the requested life cannot
+ otherwise be provided. If a ticket with the requested life cannot
+ be provided, then the KDC MAY issue a renewable ticket with a
+ renew-till equal to the requested endtime. The value of the renew-
+ till field MAY still be adjusted by site-determined limits or
+ limits imposed by the individual principal or server.
+
+2.9.2. ENC-TKT-IN-SKEY
+
+ In its basic form the Kerberos protocol supports authentication in
+ a client-server
+ setting and is not well suited to authentication in a peer-to-
+ peer environment because the long term key of the user does not
+ remain on the workstation after initial login. Authentication of
+ such peers may be supported by Kerberos in its user-to-user
+ variant. The ENC-TKT-IN-SKEY option supports user-to-user
+ authentication by allowing the KDC to issue a service ticket
+ encrypted using the session key from another ticket-granting
+ ticket issued to another user. The ENC-TKT-IN-SKEY option is
+ honored only by the ticket-granting service. It indicates that the
+ ticket to be issued for the end server is to be encrypted in the
+ session key from the additional second ticket-granting ticket
+ provided with the request. See section 3.3.3 for specific details.
+
+2.9.3. Passwordless Hardware Authentication
+
+ The OPT-HARDWARE-AUTH option indicates that the client wishes to
+ use some form of hardware authentication instead of or in addition
+ to the client's password or other long-lived encryption key. OPT-
+ HARDWARE-AUTH is honored only by the authentication service. If
+ supported and allowed by policy, the KDC will return an errorcode
+ KDC_ERR_PREAUTH_REQUIRED and include the required METHOD-DATA to
+ perform such authentication.
+
+3. Message Exchanges
+
+ The following sections describe the interactions between network
+ clients and servers and the messages involved in those exchanges.
+
+3.1. The Authentication Service Exchange
+
+
+
+February 2004 [Page 23]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Summary
+
+ Message direction Message type Section
+ 1. Client to Kerberos KRB_AS_REQ 5.4.1
+ 2. Kerberos to client KRB_AS_REP or 5.4.2
+ KRB_ERROR 5.9.1
+
+ The Authentication Service (AS) Exchange between the client and
+ the Kerberos Authentication Server is initiated by a client when
+ it wishes to obtain authentication credentials for a given server
+ but currently holds no credentials. In its basic form, the
+ client's secret key is used for encryption and decryption. This
+ exchange is typically used at the initiation of a login session to
+ obtain credentials for a Ticket-Granting Server which will
+ subsequently be used to obtain credentials for other servers (see
+ section 3.3) without requiring further use of the client's secret
+ key. This exchange is also used to request credentials for
+ services which must not be mediated through the Ticket-Granting
+ Service, but rather require a principal's secret key, such as the
+ password-changing service[5]. This exchange does not by itself
+ provide any assurance of the identity of the user[6].
+
+ The exchange consists of two messages: KRB_AS_REQ from the client
+ to Kerberos, and KRB_AS_REP or KRB_ERROR in reply. The formats for
+ these messages are described in sections 5.4.1, 5.4.2, and 5.9.1.
+
+ In the request, the client sends (in cleartext) its own identity
+ and the identity of the server for which it is requesting
+ credentials, other information about the credentials it is
+ requesting, and a randomly generated nonce which can be used to
+ detect replays, and to associate replies with the matching
+ requests. This nonce MUST be generated randomly by the client and
+ remembered for checking against the nonce in the expected reply.
+ The response, KRB_AS_REP, contains a ticket for the client to
+ present to the server, and a session key that will be shared by
+ the client and the server. The session key and additional
+ information are encrypted in the client's secret key. The
+ encrypted part of the KRB_AS_REP message also contains the nonce
+ which MUST be matched with the nonce from the KRB_AS_REQ message.
+
+ Without pre-authentication, the authentication server does not
+ know whether the client is actually the principal named in the
+ request. It simply sends a reply without knowing or caring whether
+ they are the same. This is acceptable because nobody but the
+ principal whose identity was given in the request will be able to
+ use the reply. Its critical information is encrypted in that
+ principal's key. However, an attacker can send a KRB_AS_REQ
+ message to get known plaintext in order to attack the principal's
+
+
+
+February 2004 [Page 24]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ key. Especially if the key is based on a password, this may create
+ a security exposure. So, the initial request supports an optional
+ field that can be used to pass additional information that might
+ be needed for the initial exchange. This field SHOULD be used for
+ pre-authentication as described in sections 3.1.1 and 5.2.7.
+
+ Various errors can occur; these are indicated by an error response
+ (KRB_ERROR) instead of the KRB_AS_REP response. The error message
+ is not encrypted. The KRB_ERROR message contains information which
+ can be used to associate it with the message to which it replies.
+ The contents of the KRB_ERROR message are not integrity-protected.
+ As such, the client cannot detect replays, fabrications or
+ modifications. A solution to this problem will be included in a
+ future version of the protocol.
+
+3.1.1. Generation of KRB_AS_REQ message
+
+ The client may specify a number of options in the initial request.
+ Among these options are whether pre-authentication is to be
+ performed; whether the requested ticket is to be renewable,
+ proxiable, or forwardable; whether it should be postdated or allow
+ postdating of derivative tickets; and whether a renewable ticket
+ will be accepted in lieu of a non-renewable ticket if the
+ requested ticket expiration date cannot be satisfied by a non-
+ renewable ticket (due to configuration constraints).
+
+ The client prepares the KRB_AS_REQ message and sends it to the
+ KDC.
+
+3.1.2. Receipt of KRB_AS_REQ message
+
+ If all goes well, processing the KRB_AS_REQ message will result in
+ the creation of a ticket for the client to present to the server.
+ The format for the ticket is described in section 5.3.
+
+ Because Kerberos can run over unreliable transports such as UDP,
+ the KDC MUST be prepared to retransmit responses in case they are
+ lost. If a KDC receives a request identical to one it has recently
+ successfully processed, the KDC MUST respond with a KRB_AS_REP
+ message rather than a replay error. In order to reduce ciphertext
+ given to a potential attacker, KDCs MAY send the same response
+ generated when the request was first handled. KDCs MUST obey this
+ replay behavior even if the actual transport in use is reliable.
+
+3.1.3. Generation of KRB_AS_REP message
+
+ The authentication server looks up the client and server
+ principals named in the KRB_AS_REQ in its database, extracting
+
+
+
+February 2004 [Page 25]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ their respective keys. If the requested client principal named in
+ the request is not known because it doesn't exist in the KDC's
+ principal database, then an error message with a
+ KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.
+
+ If required, the server pre-authenticates the request, and if the
+ pre-authentication check fails, an error message with the code
+ KDC_ERR_PREAUTH_FAILED is returned. If pre-authentication is
+ required, but was not present in the request, an error message
+ with the code KDC_ERR_PREAUTH_REQUIRED is returned and a METHOD-
+ DATA object will be stored in the e-data field of the KRB-ERROR
+ message to specify which pre-authentication mechanisms are
+ acceptable. Usually this will include PA-ETYPE-INFO and/or PA-
+ ETYPE-INFO2 elements as described below. If the server cannot
+ accommodate any encryption type requested by the client, an error
+ message with code KDC_ERR_ETYPE_NOSUPP is returned. Otherwise the
+ KDC generates a 'random' session key[7].
+
+ When responding to an AS request, if there are multiple encryption
+ keys registered for a client in the Kerberos database, then the
+ etype field from the AS request is used by the KDC to select the
+ encryption method to be used to protect the encrypted part of the
+ KRB_AS_REP message which is sent to the client. If there is more
+ than one supported strong encryption type in the etype list, the
+ KDC SHOULD use the first valid strong etype for which an
+ encryption key is available.
+
+ When the user's key is generated from a password or pass phrase,
+ the string-to-key function for the particular encryption key type
+ is used, as specified in [@KCRYPTO]. The salt value and additional
+ parameters for the string-to-key function have default values
+ (specified by section 4 and by the encryption mechanism
+ specification, respectively) that may be overridden by pre-
+ authentication data (PA-PW-SALT, PA-AFS3-SALT, PA-ETYPE-INFO, PA-
+ ETYPE-INFO2, etc). Since the KDC is presumed to store a copy of
+ the resulting key only, these values should not be changed for
+ password-based keys except when changing the principal's key.
+
+ When the AS server is to include pre-authentication data in a KRB-
+ ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-
+ INFO, if the etype field of the client's AS-REQ lists at least one
+ "newer" encryption type. Otherwise (when the etype field of the
+ client's AS-REQ does not list any "newer" encryption types) it
+ MUST send both, PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an
+ entry for each enctype). A "newer" enctype is any enctype first
+ officially specified concurrently with or subsequent to the issue
+ of this RFC. The enctypes DES, 3DES or RC4 and any defined in
+ [RFC1510] are not "newer" enctypes.
+
+
+
+February 2004 [Page 26]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ It is not possible to reliably generate a user's key given a pass
+ phrase without contacting the KDC, since it will not be known
+ whether alternate salt or parameter values are required.
+
+ The KDC will attempt to assign the type of the random session key
+ from the list of methods in the etype field. The KDC will select
+ the appropriate type using the list of methods provided together
+ with information from the Kerberos database indicating acceptable
+ encryption methods for the application server. The KDC will not
+ issue tickets with a weak session key encryption type.
+
+ If the requested start time is absent, indicates a time in the
+ past, or is within the window of acceptable clock skew for the KDC
+ and the POSTDATE option has not been specified, then the start
+ time of the ticket is set to the authentication server's current
+ time. If it indicates a time in the future beyond the acceptable
+ clock skew, but the POSTDATED option has not been specified then
+ the error KDC_ERR_CANNOT_POSTDATE is returned. Otherwise the
+ requested start time is checked against the policy of the local
+ realm (the administrator might decide to prohibit certain types or
+ ranges of postdated tickets), and if acceptable, the ticket's
+ start time is set as requested and the INVALID flag is set in the
+ new ticket. The postdated ticket MUST be validated before use by
+ presenting it to the KDC after the start time has been reached.
+
+ The expiration time of the ticket will be set to the earlier of
+ the requested endtime and a time determined by local policy,
+ possibly determined using realm or principal specific factors. For
+ example, the expiration time MAY be set to the earliest of the
+ following:
+
+ * The expiration time (endtime) requested in the KRB_AS_REQ
+ message.
+
+ * The ticket's start time plus the maximum allowable lifetime
+ associated with the client principal from the authentication
+ server's database.
+
+ * The ticket's start time plus the maximum allowable lifetime
+ associated with the server principal.
+
+ * The ticket's start time plus the maximum lifetime set by the
+ policy of the local realm.
+
+ If the requested expiration time minus the start time (as determined
+ above) is less than a site-determined minimum lifetime, an error
+ message with code KDC_ERR_NEVER_VALID is returned. If the requested
+ expiration time for the ticket exceeds what was determined as above,
+
+
+
+February 2004 [Page 27]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ and if the 'RENEWABLE-OK' option was requested, then the 'RENEWABLE'
+ flag is set in the new ticket, and the renew-till value is set as if
+ the 'RENEWABLE' option were requested (the field and option names are
+ described fully in section 5.4.1).
+
+ If the RENEWABLE option has been requested or if the RENEWABLE-OK
+ option has been set and a renewable ticket is to be issued, then the
+ renew-till field MAY be set to the earliest of:
+
+ * Its requested value.
+
+ * The start time of the ticket plus the minimum of the two
+ maximum renewable lifetimes associated with the principals'
+ database entries.
+
+ * The start time of the ticket plus the maximum renewable
+ lifetime set by the policy of the local realm.
+
+ The flags field of the new ticket will have the following options set
+ if they have been requested and if the policy of the local realm
+ allows: FORWARDABLE, MAY-POSTDATE, POSTDATED, PROXIABLE, RENEWABLE.
+ If the new ticket is postdated (the start time is in the future), its
+ INVALID flag will also be set.
+
+ If all of the above succeed, the server will encrypt the ciphertext
+ part of the ticket using the encryption key extracted from the server
+ principal's record in the Kerberos database using the encryption type
+ associated with the server principal's key (this choice is NOT
+ affected by the etype field in the request). It then formats a
+ KRB_AS_REP message (see section 5.4.2), copying the addresses in the
+ request into the caddr of the response, placing any required pre-
+ authentication data into the padata of the response, and encrypts the
+ ciphertext part in the client's key using an acceptable encryption
+ method requested in the etype field of the request, or in some key
+ specified by pre-authentication mechanisms being used.
+
+3.1.4. Generation of KRB_ERROR message
+
+ Several errors can occur, and the Authentication Server responds
+ by returning an error message, KRB_ERROR, to the client, with the
+ error-code and e-text fields set to appropriate values. The error
+ message contents and details are described in Section 5.9.1.
+
+3.1.5. Receipt of KRB_AS_REP message
+
+ If the reply message type is KRB_AS_REP, then the client verifies
+ that the cname and crealm fields in the cleartext portion of the
+ reply match what it requested. If any padata fields are present,
+
+
+
+February 2004 [Page 28]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ they may be used to derive the proper secret key to decrypt the
+ message. The client decrypts the encrypted part of the response
+ using its secret key, verifies that the nonce in the encrypted
+ part matches the nonce it supplied in its request (to detect
+ replays). It also verifies that the sname and srealm in the
+ response match those in the request (or are otherwise expected
+ values), and that the host address field is also correct. It then
+ stores the ticket, session key, start and expiration times, and
+ other information for later use. The last-req field (and the
+ deprecated key-expiration field) from the encrypted part of the
+ response MAY be checked to notify the user of impending key
+ expiration. This enables the client program to suggest remedial
+ action, such as a password change.
+
+ Upon validation of the KRB_AS_REP message (by checking the
+ returned nonce against that sent in the KRB_AS_REQ message) the
+ client knows that the current time on the KDC is that read from
+ the authtime field of the encrypted part of the reply. The client
+ can optionally use this value for clock synchronization in
+ subsequent messages by recording with the ticket the difference
+ (offset) between the authtime value and the local clock. This
+ offset can then be used by the same user to adjust the time read
+ from the system clock when generating messages [DGT96].
+
+ This technique MUST be used when adjusting for clock skew instead
+ of directly changing the system clock because the KDC reply is
+ only authenticated to the user whose secret key was used, but not
+ to the system or workstation. If the clock were adjusted, an
+ attacker colluding with a user logging into a workstation could
+ agree on a password, resulting in a KDC reply that would be
+ correctly validated even though it did not originate from a KDC
+ trusted by the workstation.
+
+ Proper decryption of the KRB_AS_REP message is not sufficient for
+ the host to verify the identity of the user; the user and an
+ attacker could cooperate to generate a KRB_AS_REP format message
+ which decrypts properly but is not from the proper KDC. If the
+ host wishes to verify the identity of the user, it MUST require
+ the user to present application credentials which can be verified
+ using a securely-stored secret key for the host. If those
+ credentials can be verified, then the identity of the user can be
+ assured.
+
+3.1.6. Receipt of KRB_ERROR message
+
+ If the reply message type is KRB_ERROR, then the client interprets
+ it as an error and performs whatever application-specific tasks
+ are necessary to recover.
+
+
+
+February 2004 [Page 29]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+3.2. The Client/Server Authentication Exchange
+
+ Summary
+ Message direction Message type Section
+ Client to Application server KRB_AP_REQ 5.5.1
+ [optional] Application server to client KRB_AP_REP or 5.5.2
+ KRB_ERROR 5.9.1
+
+ The client/server authentication (CS) exchange is used by network
+ applications to authenticate the client to the server and vice
+ versa. The client MUST have already acquired credentials for the
+ server using the AS or TGS exchange.
+
+3.2.1. The KRB_AP_REQ message
+
+ The KRB_AP_REQ contains authentication information which SHOULD be
+ part of the first message in an authenticated transaction. It
+ contains a ticket, an authenticator, and some additional
+ bookkeeping information (see section 5.5.1 for the exact format).
+ The ticket by itself is insufficient to authenticate a client,
+ since tickets are passed across the network in cleartext[8], so
+ the authenticator is used to prevent invalid replay of tickets by
+ proving to the server that the client knows the session key of the
+ ticket and thus is entitled to use the ticket. The KRB_AP_REQ
+ message is referred to elsewhere as the 'authentication header.'
+
+3.2.2. Generation of a KRB_AP_REQ message
+
+ When a client wishes to initiate authentication to a server, it
+ obtains (either through a credentials cache, the AS exchange, or
+ the TGS exchange) a ticket and session key for the desired
+ service. The client MAY re-use any tickets it holds until they
+ expire. To use a ticket the client constructs a new Authenticator
+ from the system time, its name, and optionally an application
+ specific checksum, an initial sequence number to be used in
+ KRB_SAFE or KRB_PRIV messages, and/or a session subkey to be used
+ in negotiations for a session key unique to this particular
+ session. Authenticators MAY NOT be re-used and SHOULD be rejected
+ if replayed to a server[9]. If a sequence number is to be
+ included, it SHOULD be randomly chosen so that even after many
+ messages have been exchanged it is not likely to collide with
+ other sequence numbers in use.
+
+ The client MAY indicate a requirement of mutual authentication or
+ the use of a session-key based ticket (for user-to-user
+ authentication - see section 3.7) by setting the appropriate
+ flag(s) in the ap-options field of the message.
+
+
+
+
+February 2004 [Page 30]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The Authenticator is encrypted in the session key and combined
+ with the ticket to form the KRB_AP_REQ message which is then sent
+ to the end server along with any additional application-specific
+ information.
+
+3.2.3. Receipt of KRB_AP_REQ message
+
+ Authentication is based on the server's current time of day
+ (clocks MUST be loosely synchronized), the authenticator, and the
+ ticket. Several errors are possible. If an error occurs, the
+ server is expected to reply to the client with a KRB_ERROR
+ message. This message MAY be encapsulated in the application
+ protocol if its raw form is not acceptable to the protocol. The
+ format of error messages is described in section 5.9.1.
+
+ The algorithm for verifying authentication information is as
+ follows. If the message type is not KRB_AP_REQ, the server returns
+ the KRB_AP_ERR_MSG_TYPE error. If the key version indicated by the
+ Ticket in the KRB_AP_REQ is not one the server can use (e.g., it
+ indicates an old key, and the server no longer possesses a copy of
+ the old key), the KRB_AP_ERR_BADKEYVER error is returned. If the
+ USE-SESSION-KEY flag is set in the ap-options field, it indicates
+ to the server that user-to-user authentication is in use, and that
+ the ticket is encrypted in the session key from the server's
+ ticket-granting ticket rather than in the server's secret key. See
+ section 3.7 for a more complete description of the effect of user-
+ to-user authentication on all messages in the Kerberos protocol.
+
+ Since it is possible for the server to be registered in multiple
+ realms, with different keys in each, the srealm field in the
+ unencrypted portion of the ticket in the KRB_AP_REQ is used to
+ specify which secret key the server should use to decrypt that
+ ticket. The KRB_AP_ERR_NOKEY error code is returned if the server
+ doesn't have the proper key to decipher the ticket.
+
+ The ticket is decrypted using the version of the server's key
+ specified by the ticket. If the decryption routines detect a
+ modification of the ticket (each encryption system MUST provide
+ safeguards to detect modified ciphertext), the
+ KRB_AP_ERR_BAD_INTEGRITY error is returned (chances are good that
+ different keys were used to encrypt and decrypt).
+
+ The authenticator is decrypted using the session key extracted
+ from the decrypted ticket. If decryption shows it to have been
+ modified, the KRB_AP_ERR_BAD_INTEGRITY error is returned. The name
+ and realm of the client from the ticket are compared against the
+ same fields in the authenticator. If they don't match, the
+ KRB_AP_ERR_BADMATCH error is returned; this normally is caused by
+
+
+
+February 2004 [Page 31]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ a client error or attempted attack. The addresses in the ticket
+ (if any) are then searched for an address matching the operating-
+ system reported address of the client. If no match is found or the
+ server insists on ticket addresses but none are present in the
+ ticket, the KRB_AP_ERR_BADADDR error is returned. If the local
+ (server) time and the client time in the authenticator differ by
+ more than the allowable clock skew (e.g., 5 minutes), the
+ KRB_AP_ERR_SKEW error is returned.
+
+ Unless the application server provides its own suitable means to
+ protect against replay (for example, a challenge-response sequence
+ initiated by the server after authentication, or use of a server-
+ generated encryption subkey), the server MUST utilize a replay
+ cache to remember any authenticator presented within the allowable
+ clock skew. Careful analysis of the application protocol and
+ implementation is recommended before eliminating this cache. The
+ replay cache will store at least the server name, along with the
+ client name, time and microsecond fields from the recently-seen
+ authenticators and if a matching tuple is found, the
+ KRB_AP_ERR_REPEAT error is returned [10]. If a server loses track
+ of authenticators presented within the allowable clock skew, it
+ MUST reject all requests until the clock skew interval has passed,
+ providing assurance that any lost or replayed authenticators will
+ fall outside the allowable clock skew and can no longer be
+ successfully replayed [11].
+
+ Implementation note: If a client generates multiple requests to
+ the KDC with the same timestamp, including the microsecond field,
+ all but the first of the requests received will be rejected as
+ replays. This might happen, for example, if the resolution of the
+ client's clock is too coarse. Client implementations SHOULD
+ ensure that the timestamps are not reused, possibly by
+ incrementing the microseconds field in the time stamp when the
+ clock returns the same time for multiple requests.
+
+ If multiple servers (for example, different services on one
+ machine, or a single service implemented on multiple machines)
+ share a service principal (a practice we do not recommend in
+ general, but acknowledge will be used in some cases), they MUST
+ either share this replay cache, or the application protocol MUST
+ be designed so as to eliminate the need for it. Note that this
+ applies to all of the services, if any of the application
+ protocols does not have replay protection built in; an
+ authenticator used with such a service could later be replayed to
+ a different service with the same service principal but no replay
+ protection, if the former doesn't record the authenticator
+ information in the common replay cache.
+
+
+
+
+February 2004 [Page 32]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ If a sequence number is provided in the authenticator, the server
+ saves it for later use in processing KRB_SAFE and/or KRB_PRIV
+ messages. If a subkey is present, the server either saves it for
+ later use or uses it to help generate its own choice for a subkey
+ to be returned in a KRB_AP_REP message.
+
+ The server computes the age of the ticket: local (server) time
+ minus the start time inside the Ticket. If the start time is later
+ than the current time by more than the allowable clock skew or if
+ the INVALID flag is set in the ticket, the KRB_AP_ERR_TKT_NYV
+ error is returned. Otherwise, if the current time is later than
+ end time by more than the allowable clock skew, the
+ KRB_AP_ERR_TKT_EXPIRED error is returned.
+
+ If all these checks succeed without an error, the server is
+ assured that the client possesses the credentials of the principal
+ named in the ticket and thus, the client has been authenticated to
+ the server.
+
+ Passing these checks provides only authentication of the named
+ principal; it does not imply authorization to use the named
+ service. Applications MUST make a separate authorization decision
+ based upon the authenticated name of the user, the requested
+ operation, local access control information such as that contained
+ in a .k5login or .k5users file, and possibly a separate
+ distributed authorization service.
+
+3.2.4. Generation of a KRB_AP_REP message
+
+ Typically, a client's request will include both the authentication
+ information and its initial request in the same message, and the
+ server need not explicitly reply to the KRB_AP_REQ. However, if
+ mutual authentication (not only authenticating the client to the
+ server, but also the server to the client) is being performed, the
+ KRB_AP_REQ message will have MUTUAL-REQUIRED set in its ap-options
+ field, and a KRB_AP_REP message is required in response. As with
+ the error message, this message MAY be encapsulated in the
+ application protocol if its "raw" form is not acceptable to the
+ application's protocol. The timestamp and microsecond field used
+ in the reply MUST be the client's timestamp and microsecond field
+ (as provided in the authenticator) [12]. If a sequence number is
+ to be included, it SHOULD be randomly chosen as described above
+ for the authenticator. A subkey MAY be included if the server
+ desires to negotiate a different subkey. The KRB_AP_REP message is
+ encrypted in the session key extracted from the ticket.
+
+3.2.5. Receipt of KRB_AP_REP message
+
+
+
+
+February 2004 [Page 33]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ If a KRB_AP_REP message is returned, the client uses the session
+ key from the credentials obtained for the server [13] to decrypt
+ the message, and verifies that the timestamp and microsecond
+ fields match those in the Authenticator it sent to the server. If
+ they match, then the client is assured that the server is genuine.
+ The sequence number and subkey (if present) are retained for later
+ use.
+
+3.2.6. Using the encryption key
+
+ After the KRB_AP_REQ/KRB_AP_REP exchange has occurred, the client
+ and server share an encryption key which can be used by the
+ application. In some cases, the use of this session key will be
+ implicit in the protocol; in others the method of use must be
+ chosen from several alternatives. The actual encryption key to be
+ used for KRB_PRIV, KRB_SAFE, or other application-specific uses
+ MAY be chosen by the application based on the session key from the
+ ticket and subkeys in the KRB_AP_REP message and the authenticator
+ [14]. To mitigate the effect of failures in random number
+ generation on the client it is strongly encouraged that any key
+ derived by an application for subsequent use include the full key
+ entropy derived from the KDC generated session key carried in the
+ ticket. We leave the protocol negotiations of how to use the key
+ (e.g. selecting an encryption or checksum type) to the application
+ programmer; the Kerberos protocol does not constrain the
+ implementation options, but an example of how this might be done
+ follows.
+
+ One way that an application may choose to negotiate a key to be
+ used for subsequent integrity and privacy protection is for the
+ client to propose a key in the subkey field of the authenticator.
+ The server can then choose a key using the proposed key from the
+ client as input, returning the new subkey in the subkey field of
+ the application reply. This key could then be used for subsequent
+ communication.
+
+ With both the one-way and mutual authentication exchanges, the
+ peers should take care not to send sensitive information to each
+ other without proper assurances. In particular, applications that
+ require privacy or integrity SHOULD use the KRB_AP_REP response
+ from the server to client to assure both client and server of
+ their peer's identity. If an application protocol requires privacy
+ of its messages, it can use the KRB_PRIV message (section 3.5).
+ The KRB_SAFE message (section 3.4) can be used to assure
+ integrity.
+
+3.3. The Ticket-Granting Service (TGS) Exchange
+
+
+
+
+February 2004 [Page 34]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Summary
+ Message direction Message type Section
+ 1. Client to Kerberos KRB_TGS_REQ 5.4.1
+ 2. Kerberos to client KRB_TGS_REP or 5.4.2
+ KRB_ERROR 5.9.1
+
+ The TGS exchange between a client and the Kerberos Ticket-Granting
+ Server is initiated by a client when it wishes to obtain
+ authentication credentials for a given server (which might be
+ registered in a remote realm), when it wishes to renew or validate
+ an existing ticket, or when it wishes to obtain a proxy ticket. In
+ the first case, the client must already have acquired a ticket for
+ the Ticket-Granting Service using the AS exchange (the ticket-
+ granting ticket is usually obtained when a client initially
+ authenticates to the system, such as when a user logs in). The
+ message format for the TGS exchange is almost identical to that
+ for the AS exchange. The primary difference is that encryption
+ and decryption in the TGS exchange does not take place under the
+ client's key. Instead, the session key from the ticket-granting
+ ticket or renewable ticket, or sub-session key from an
+ Authenticator is used. As is the case for all application servers,
+ expired tickets are not accepted by the TGS, so once a renewable
+ or ticket-granting ticket expires, the client must use a separate
+ exchange to obtain valid tickets.
+
+ The TGS exchange consists of two messages: A request (KRB_TGS_REQ)
+ from the client to the Kerberos Ticket-Granting Server, and a
+ reply (KRB_TGS_REP or KRB_ERROR). The KRB_TGS_REQ message includes
+ information authenticating the client plus a request for
+ credentials. The authentication information consists of the
+ authentication header (KRB_AP_REQ) which includes the client's
+ previously obtained ticket-granting, renewable, or invalid ticket.
+ In the ticket-granting ticket and proxy cases, the request MAY
+ include one or more of: a list of network addresses, a collection
+ of typed authorization data to be sealed in the ticket for
+ authorization use by the application server, or additional tickets
+ (the use of which are described later). The TGS reply
+ (KRB_TGS_REP) contains the requested credentials, encrypted in the
+ session key from the ticket-granting ticket or renewable ticket,
+ or if present, in the sub-session key from the Authenticator (part
+ of the authentication header). The KRB_ERROR message contains an
+ error code and text explaining what went wrong. The KRB_ERROR
+ message is not encrypted. The KRB_TGS_REP message contains
+ information which can be used to detect replays, and to associate
+ it with the message to which it replies. The KRB_ERROR message
+ also contains information which can be used to associate it with
+ the message to which it replies. The same comments about integrity
+ protection of KRB_ERROR messages mentioned in section 3.1 apply to
+
+
+
+February 2004 [Page 35]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ the TGS exchange.
+
+3.3.1. Generation of KRB_TGS_REQ message
+
+ Before sending a request to the ticket-granting service, the
+ client MUST determine in which realm the application server is
+ believed to be registered [15]. If the client knows the service
+ principal name and realm and it does not already possess a ticket-
+ granting ticket for the appropriate realm, then one must be
+ obtained. This is first attempted by requesting a ticket-granting
+ ticket for the destination realm from a Kerberos server for which
+ the client possesses a ticket-granting ticket (using the
+ KRB_TGS_REQ message recursively). The Kerberos server MAY return a
+ TGT for the desired realm in which case one can proceed.
+ Alternatively, the Kerberos server MAY return a TGT for a realm
+ which is 'closer' to the desired realm (further along the standard
+ hierarchical path between the client's realm and the requested
+ realm server's realm). It should be noted in this case that
+ misconfiguration of the Kerberos servers may cause loops in the
+ resulting authentication path, which the client should be careful
+ to detect and avoid.
+
+ If the Kerberos server returns a TGT for a 'closer' realm other
+ than the desired realm, the client MAY use local policy
+ configuration to verify that the authentication path used is an
+ acceptable one. Alternatively, a client MAY choose its own
+ authentication path, rather than relying on the Kerberos server to
+ select one. In either case, any policy or configuration
+ information used to choose or validate authentication paths,
+ whether by the Kerberos server or client, MUST be obtained from a
+ trusted source.
+
+ When a client obtains a ticket-granting ticket that is 'closer' to
+ the destination realm, the client MAY cache this ticket and reuse
+ it in future KRB-TGS exchanges with services in the 'closer'
+ realm. However, if the client were to obtain a ticket-granting
+ ticket for the 'closer' realm by starting at the initial KDC
+ rather than as part of obtaining another ticket, then a shorter
+ path to the 'closer' realm might be used. This shorter path may be
+ desirable because fewer intermediate KDCs would know the session
+ key of the ticket involved. For this reason, clients SHOULD
+ evaluate whether they trust the realms transited in obtaining the
+ 'closer' ticket when making a decision to use the ticket in
+ future.
+
+ Once the client obtains a ticket-granting ticket for the
+ appropriate realm, it determines which Kerberos servers serve that
+ realm, and contacts one. The list might be obtained through a
+
+
+
+February 2004 [Page 36]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ configuration file or network service or it MAY be generated from
+ the name of the realm; as long as the secret keys exchanged by
+ realms are kept secret, only denial of service results from using
+ a false Kerberos server.
+
+ As in the AS exchange, the client MAY specify a number of options
+ in the KRB_TGS_REQ message. One of these options is the ENC-TKT-
+ IN-SKEY option used for user-to-user authentication. An overview
+ of user-to-user authentication can be found in section 3.7. When
+ generating the KRB_TGS_REQ message, this option indicates that the
+ client is including a ticket-granting ticket obtained from the
+ application server in the additional tickets field of the request
+ and that the KDC SHOULD encrypt the ticket for the application
+ server using the session key from this additional ticket, instead
+ of using a server key from the principal database.
+
+ The client prepares the KRB_TGS_REQ message, providing an
+ authentication header as an element of the padata field, and
+ including the same fields as used in the KRB_AS_REQ message along
+ with several optional fields: the enc-authorizatfion-data field
+ for application server use and additional tickets required by some
+ options.
+
+ In preparing the authentication header, the client can select a
+ sub-session key under which the response from the Kerberos server
+ will be encrypted [16]. If the sub-session key is not specified,
+ the session key from the ticket-granting ticket will be used. If
+ the enc-authorization-data is present, it MUST be encrypted in the
+ sub-session key, if present, from the authenticator portion of the
+ authentication header, or if not present, using the session key
+ from the ticket-granting ticket.
+
+ Once prepared, the message is sent to a Kerberos server for the
+ destination realm.
+
+3.3.2. Receipt of KRB_TGS_REQ message
+
+ The KRB_TGS_REQ message is processed in a manner similar to the
+ KRB_AS_REQ message, but there are many additional checks to be
+ performed. First, the Kerberos server MUST determine which server
+ the accompanying ticket is for and it MUST select the appropriate
+ key to decrypt it. For a normal KRB_TGS_REQ message, it will be
+ for the ticket granting service, and the TGS's key will be used.
+ If the TGT was issued by another realm, then the appropriate
+ inter-realm key MUST be used. If the accompanying ticket is not a
+ ticket-granting ticket for the current realm, but is for an
+ application server in the current realm, the RENEW, VALIDATE, or
+ PROXY options are specified in the request, and the server for
+
+
+
+February 2004 [Page 37]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ which a ticket is requested is the server named in the
+ accompanying ticket, then the KDC will decrypt the ticket in the
+ authentication header using the key of the server for which it was
+ issued. If no ticket can be found in the padata field, the
+ KDC_ERR_PADATA_TYPE_NOSUPP error is returned.
+
+ Once the accompanying ticket has been decrypted, the user-supplied
+ checksum in the Authenticator MUST be verified against the
+ contents of the request, and the message rejected if the checksums
+ do not match (with an error code of KRB_AP_ERR_MODIFIED) or if the
+ checksum is not collision-proof (with an error code of
+ KRB_AP_ERR_INAPP_CKSUM). If the checksum type is not supported,
+ the KDC_ERR_SUMTYPE_NOSUPP error is returned. If the
+ authorization-data are present, they are decrypted using the sub-
+ session key from the Authenticator.
+
+ If any of the decryptions indicate failed integrity checks, the
+ KRB_AP_ERR_BAD_INTEGRITY error is returned.
+
+ As discussed in section 3.1.2, the KDC MUST send a valid
+ KRB_TGS_REP message if it receives a KRB_TGS_REQ message identical
+ to one it has recently processed. However, if the authenticator is
+ a replay, but the rest of the request is not identical, then the
+ KDC SHOULD return KRB_AP_ERR_REPEAT.
+
+3.3.3. Generation of KRB_TGS_REP message
+
+ The KRB_TGS_REP message shares its format with the KRB_AS_REP
+ (KRB_KDC_REP), but with its type field set to KRB_TGS_REP. The
+ detailed specification is in section 5.4.2.
+
+ The response will include a ticket for the requested server or for
+ a ticket granting server of an intermediate KDC to be contacted to
+ obtain the requested ticket. The Kerberos database is queried to
+ retrieve the record for the appropriate server (including the key
+ with which the ticket will be encrypted). If the request is for a
+ ticket-granting ticket for a remote realm, and if no key is shared
+ with the requested realm, then the Kerberos server will select the
+ realm 'closest' to the requested realm with which it does share a
+ key, and use that realm instead. This is the only case where the
+ response for the KDC will be for a different server than that
+ requested by the client.
+
+ By default, the address field, the client's name and realm, the
+ list of transited realms, the time of initial authentication, the
+ expiration time, and the authorization data of the newly-issued
+ ticket will be copied from the ticket-granting ticket (TGT) or
+ renewable ticket. If the transited field needs to be updated, but
+
+
+
+February 2004 [Page 38]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ the transited type is not supported, the KDC_ERR_TRTYPE_NOSUPP
+ error is returned.
+
+ If the request specifies an endtime, then the endtime of the new
+ ticket is set to the minimum of (a) that request, (b) the endtime
+ from the TGT, and (c) the starttime of the TGT plus the minimum of
+ the maximum life for the application server and the maximum life
+ for the local realm (the maximum life for the requesting principal
+ was already applied when the TGT was issued). If the new ticket is
+ to be a renewal, then the endtime above is replaced by the minimum
+ of (a) the value of the renew_till field of the ticket and (b) the
+ starttime for the new ticket plus the life (endtime-starttime) of
+ the old ticket.
+
+ If the FORWARDED option has been requested, then the resulting
+ ticket will contain the addresses specified by the client. This
+ option will only be honored if the FORWARDABLE flag is set in the
+ TGT. The PROXY option is similar; the resulting ticket will
+ contain the addresses specified by the client. It will be honored
+ only if the PROXIABLE flag in the TGT is set. The PROXY option
+ will not be honored on requests for additional ticket-granting
+ tickets.
+
+ If the requested start time is absent, indicates a time in the
+ past, or is within the window of acceptable clock skew for the KDC
+ and the POSTDATE option has not been specified, then the start
+ time of the ticket is set to the authentication server's current
+ time. If it indicates a time in the future beyond the acceptable
+ clock skew, but the POSTDATED option has not been specified or the
+ MAY-POSTDATE flag is not set in the TGT, then the error
+ KDC_ERR_CANNOT_POSTDATE is returned. Otherwise, if the ticket-
+ granting ticket has the MAY-POSTDATE flag set, then the resulting
+ ticket will be postdated and the requested starttime is checked
+ against the policy of the local realm. If acceptable, the ticket's
+ start time is set as requested, and the INVALID flag is set. The
+ postdated ticket MUST be validated before use by presenting it to
+ the KDC after the starttime has been reached. However, in no case
+ may the starttime, endtime, or renew-till time of a newly-issued
+ postdated ticket extend beyond the renew-till time of the ticket-
+ granting ticket.
+
+ If the ENC-TKT-IN-SKEY option has been specified and an additional
+ ticket has been included in the request, it indicates that the
+ client is using user- to-user authentication to prove its identity
+ to a server that does not have access to a persistent key. Section
+ 3.7 describes the affect of this option on the entire Kerberos
+ protocol. When generating the KRB_TGS_REP message, this option in
+ the KRB_TGS_REQ message tells the KDC to decrypt the additional
+
+
+
+February 2004 [Page 39]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ ticket using the key for the server to which the additional ticket
+ was issued and verify that it is a ticket-granting ticket. If the
+ name of the requested server is missing from the request, the name
+ of the client in the additional ticket will be used. Otherwise the
+ name of the requested server will be compared to the name of the
+ client in the additional ticket and if different, the request will
+ be rejected. If the request succeeds, the session key from the
+ additional ticket will be used to encrypt the new ticket that is
+ issued instead of using the key of the server for which the new
+ ticket will be used.
+
+ If the name of the server in the ticket that is presented to the
+ KDC as part of the authentication header is not that of the
+ ticket-granting server itself, the server is registered in the
+ realm of the KDC, and the RENEW option is requested, then the KDC
+ will verify that the RENEWABLE flag is set in the ticket, that the
+ INVALID flag is not set in the ticket, and that the renew_till
+ time is still in the future. If the VALIDATE option is requested,
+ the KDC will check that the starttime has passed and the INVALID
+ flag is set. If the PROXY option is requested, then the KDC will
+ check that the PROXIABLE flag is set in the ticket. If the tests
+ succeed, and the ticket passes the hotlist check described in the
+ next section, the KDC will issue the appropriate new ticket.
+
+ The ciphertext part of the response in the KRB_TGS_REP message is
+ encrypted in the sub-session key from the Authenticator, if
+ present, or the session key from the ticket-granting ticket. It is
+ not encrypted using the client's secret key. Furthermore, the
+ client's key's expiration date and the key version number fields
+ are left out since these values are stored along with the client's
+ database record, and that record is not needed to satisfy a
+ request based on a ticket-granting ticket.
+
+3.3.3.1. Checking for revoked tickets
+
+ Whenever a request is made to the ticket-granting server, the
+ presented ticket(s) is(are) checked against a hot-list of tickets
+ which have been canceled. This hot-list might be implemented by
+ storing a range of issue timestamps for 'suspect tickets'; if a
+ presented ticket had an authtime in that range, it would be
+ rejected. In this way, a stolen ticket-granting ticket or
+ renewable ticket cannot be used to gain additional tickets
+ (renewals or otherwise) once the theft has been reported to the
+ KDC for the realm in which the server resides. Any normal ticket
+ obtained before it was reported stolen will still be valid
+ (because they require no interaction with the KDC), but only until
+ their normal expiration time. If TGT's have been issued for cross-
+ realm authentication, use of the cross-realm TGT will not be
+
+
+
+February 2004 [Page 40]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ affected unless the hot-list is propagated to the KDCs for the
+ realms for which such cross-realm tickets were issued.
+
+3.3.3.2. Encoding the transited field
+
+ If the identity of the server in the TGT that is presented to the
+ KDC as part of the authentication header is that of the ticket-
+ granting service, but the TGT was issued from another realm, the
+ KDC will look up the inter-realm key shared with that realm and
+ use that key to decrypt the ticket. If the ticket is valid, then
+ the KDC will honor the request, subject to the constraints
+ outlined above in the section describing the AS exchange. The
+ realm part of the client's identity will be taken from the ticket-
+ granting ticket. The name of the realm that issued the ticket-
+ granting ticket, if it is not the realm of the client principal,
+ will be added to the transited field of the ticket to be issued.
+ This is accomplished by reading the transited field from the
+ ticket-granting ticket (which is treated as an unordered set of
+ realm names), adding the new realm to the set, then constructing
+ and writing out its encoded (shorthand) form (this may involve a
+ rearrangement of the existing encoding).
+
+ Note that the ticket-granting service does not add the name of its
+ own realm. Instead, its responsibility is to add the name of the
+ previous realm. This prevents a malicious Kerberos server from
+ intentionally leaving out its own name (it could, however, omit
+ other realms' names).
+
+ The names of neither the local realm nor the principal's realm are
+ to be included in the transited field. They appear elsewhere in
+ the ticket and both are known to have taken part in authenticating
+ the principal. Since the endpoints are not included, both local
+ and single-hop inter-realm authentication result in a transited
+ field that is empty.
+
+ Because the name of each realm transited is added to this field,
+ it might potentially be very long. To decrease the length of this
+ field, its contents are encoded. The initially supported encoding
+ is optimized for the normal case of inter-realm communication: a
+ hierarchical arrangement of realms using either domain or X.500
+ style realm names. This encoding (called DOMAIN-X500-COMPRESS) is
+ now described.
+
+ Realm names in the transited field are separated by a ",". The
+ ",", "\", trailing "."s, and leading spaces (" ") are special
+ characters, and if they are part of a realm name, they MUST be
+ quoted in the transited field by preceding them with a "\".
+
+
+
+
+February 2004 [Page 41]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ A realm name ending with a "." is interpreted as being prepended
+ to the previous realm. For example, we can encode traversal of
+ EDU, MIT.EDU, ATHENA.MIT.EDU, WASHINGTON.EDU, and
+ CS.WASHINGTON.EDU as:
+
+ "EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.".
+
+ Note that if ATHENA.MIT.EDU, or CS.WASHINGTON.EDU were end-points,
+ that they would not be included in this field, and we would have:
+
+ "EDU,MIT.,WASHINGTON.EDU"
+
+ A realm name beginning with a "/" is interpreted as being appended
+ to the previous realm. For the purpose of appending, the realm
+ preceding the first listed realm is considered to be the null
+ realm (""). If a realm name beginning with a "/" is to stand by
+ itself, then it SHOULD be preceded by a space (" "). For example,
+ we can encode traversal of /COM/HP/APOLLO, /COM/HP, /COM, and
+ /COM/DEC as:
+
+ "/COM,/HP,/APOLLO, /COM/DEC".
+
+ Like the example above, if /COM/HP/APOLLO and /COM/DEC are
+ endpoints, they would not be included in this field, and we would
+ have:
+
+ "/COM,/HP"
+
+ A null subfield preceding or following a "," indicates that all
+ realms between the previous realm and the next realm have been
+ traversed. For the purpose of interpreting null subfields, the
+ client's realm is considered to precede those in the transited
+ field, and the server's realm is considered to follow them. Thus,
+ "," means that all realms along the path between the client and
+ the server have been traversed. ",EDU, /COM," means that all
+ realms from the client's realm up to EDU (in a domain style
+ hierarchy) have been traversed, and that everything from /COM down
+ to the server's realm in an X.500 style has also been traversed.
+ This could occur if the EDU realm in one hierarchy shares an
+ inter-realm key directly with the /COM realm in another hierarchy.
+
+3.3.4. Receipt of KRB_TGS_REP message
+
+ When the KRB_TGS_REP is received by the client, it is processed in
+ the same manner as the KRB_AS_REP processing described above. The
+ primary difference is that the ciphertext part of the response
+ must be decrypted using the sub-session key from the
+ Authenticator, if it was specified in the request, or the session
+
+
+
+February 2004 [Page 42]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ key from the ticket-granting ticket, rather than the client's
+ secret key. The server name returned in the reply is the true
+ principal name of the service.
+
+3.4. The KRB_SAFE Exchange
+
+ The KRB_SAFE message MAY be used by clients requiring the ability
+ to detect modifications of messages they exchange. It achieves
+ this by including a keyed collision-proof checksum of the user
+ data and some control information. The checksum is keyed with an
+ encryption key (usually the last key negotiated via subkeys, or
+ the session key if no negotiation has occurred).
+
+3.4.1. Generation of a KRB_SAFE message
+
+ When an application wishes to send a KRB_SAFE message, it collects
+ its data and the appropriate control information and computes a
+ checksum over them. The checksum algorithm should be the keyed
+ checksum mandated to be implemented along with the crypto system
+ used for the sub-session or session key. The checksum is generated
+ using the sub-session key if present or the session key. Some
+ implementations use a different checksum algorithm for the
+ KRB_SAFE messages but doing so in a interoperable manner is not
+ always possible.
+
+ The control information for the KRB_SAFE message includes both a
+ timestamp and a sequence number. The designer of an application
+ using the KRB_SAFE message MUST choose at least one of the two
+ mechanisms. This choice SHOULD be based on the needs of the
+ application protocol.
+
+ Sequence numbers are useful when all messages sent will be
+ received by one's peer. Connection state is presently required to
+ maintain the session key, so maintaining the next sequence number
+ should not present an additional problem.
+
+ If the application protocol is expected to tolerate lost messages
+ without them being resent, the use of the timestamp is the
+ appropriate replay detection mechanism. Using timestamps is also
+ the appropriate mechanism for multi-cast protocols where all of
+ one's peers share a common sub-session key, but some messages will
+ be sent to a subset of one's peers.
+
+ After computing the checksum, the client then transmits the
+ information and checksum to the recipient in the message format
+ specified in section 5.6.1.
+
+3.4.2. Receipt of KRB_SAFE message
+
+
+
+February 2004 [Page 43]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ When an application receives a KRB_SAFE message, it verifies it as
+ follows. If any error occurs, an error code is reported for use
+ by the application.
+
+ The message is first checked by verifying that the protocol
+ version and type fields match the current version and KRB_SAFE,
+ respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or
+ KRB_AP_ERR_MSG_TYPE error. The application verifies that the
+ checksum used is a collision-proof keyed checksum that uses keys
+ compatible with the sub-session or session key as appropriate (or
+ with the application key derived from the session or sub-session
+ keys), and if it is not, a KRB_AP_ERR_INAPP_CKSUM error is
+ generated. The sender's address MUST be included in the control
+ information; the recipient verifies that the operating system's
+ report of the sender's address matches the sender's address in the
+ message, and (if a recipient address is specified or the recipient
+ requires an address) that one of the recipient's addresses appears
+ as the recipient's address in the message. To work with network
+ address translation, senders MAY use the directional address type
+ specified in section 8.1 for the sender address and not include
+ recipient addresses. A failed match for either case generates a
+ KRB_AP_ERR_BADADDR error. Then the timestamp and usec and/or the
+ sequence number fields are checked. If timestamp and usec are
+ expected and not present, or they are present but not current, the
+ KRB_AP_ERR_SKEW error is generated. Timestamps are not required to
+ be strictly ordered; they are only required to be in the skew
+ window. If the server name, along with the client name, time and
+ microsecond fields from the Authenticator match any recently-seen
+ (sent or received) such tuples, the KRB_AP_ERR_REPEAT error is
+ generated. If an incorrect sequence number is included, or a
+ sequence number is expected but not present, the
+ KRB_AP_ERR_BADORDER error is generated. If neither a time-stamp
+ and usec or a sequence number is present, a KRB_AP_ERR_MODIFIED
+ error is generated. Finally, the checksum is computed over the
+ data and control information, and if it doesn't match the received
+ checksum, a KRB_AP_ERR_MODIFIED error is generated.
+
+ If all the checks succeed, the application is assured that the
+ message was generated by its peer and was not modified in transit.
+
+ Implementations SHOULD accept any checksum algorithm they
+ implement that both have adequate security and that have keys
+ compatible with the sub-session or session key. Unkeyed or non-
+ collision-proof checksums are not suitable for this use.
+
+3.5. The KRB_PRIV Exchange
+
+ The KRB_PRIV message MAY be used by clients requiring
+
+
+
+February 2004 [Page 44]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ confidentiality and the ability to detect modifications of
+ exchanged messages. It achieves this by encrypting the messages
+ and adding control information.
+
+3.5.1. Generation of a KRB_PRIV message
+
+ When an application wishes to send a KRB_PRIV message, it collects
+ its data and the appropriate control information (specified in
+ section 5.7.1) and encrypts them under an encryption key (usually
+ the last key negotiated via subkeys, or the session key if no
+ negotiation has occurred). As part of the control information, the
+ client MUST choose to use either a timestamp or a sequence number
+ (or both); see the discussion in section 3.4.1 for guidelines on
+ which to use. After the user data and control information are
+ encrypted, the client transmits the ciphertext and some 'envelope'
+ information to the recipient.
+
+3.5.2. Receipt of KRB_PRIV message
+
+ When an application receives a KRB_PRIV message, it verifies it as
+ follows. If any error occurs, an error code is reported for use
+ by the application.
+
+ The message is first checked by verifying that the protocol
+ version and type fields match the current version and KRB_PRIV,
+ respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or
+ KRB_AP_ERR_MSG_TYPE error. The application then decrypts the
+ ciphertext and processes the resultant plaintext. If decryption
+ shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+ error is generated.
+
+ The sender's address MUST be included in the control information;
+ the recipient verifies that the operating system's report of the
+ sender's address matches the sender's address in the message. If
+ a recipient address is specified or the recipient requires an
+ address then one of the recipient's addresses MUST also appear as
+ the recipient's address in the message. Where a sender's or
+ receiver's address might not otherwise match the address in a
+ message because of network address translation, an application MAY
+ be written to use addresses of the directional address type in
+ place of the actual network address.
+
+ A failed match for either case generates a KRB_AP_ERR_BADADDR
+ error. To work with network address translation, implementations
+ MAY use the directional address type defined in section 7.1 for
+ the sender address and include no recipient address.
+
+ Then the timestamp and usec and/or the sequence number fields are
+
+
+
+February 2004 [Page 45]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ checked. If timestamp and usec are expected and not present, or
+ they are present but not current, the KRB_AP_ERR_SKEW error is
+ generated. If the server name, along with the client name, time
+ and microsecond fields from the Authenticator match any recently-
+ seen such tuples, the KRB_AP_ERR_REPEAT error is generated. If an
+ incorrect sequence number is included, or a sequence number is
+ expected but not present, the KRB_AP_ERR_BADORDER error is
+ generated. If neither a time-stamp and usec or a sequence number
+ is present, a KRB_AP_ERR_MODIFIED error is generated.
+
+ If all the checks succeed, the application can assume the message
+ was generated by its peer, and was securely transmitted (without
+ intruders able to see the unencrypted contents).
+
+3.6. The KRB_CRED Exchange
+
+ The KRB_CRED message MAY be used by clients requiring the ability
+ to send Kerberos credentials from one host to another. It achieves
+ this by sending the tickets together with encrypted data
+ containing the session keys and other information associated with
+ the tickets.
+
+3.6.1. Generation of a KRB_CRED message
+
+ When an application wishes to send a KRB_CRED message it first
+ (using the KRB_TGS exchange) obtains credentials to be sent to the
+ remote host. It then constructs a KRB_CRED message using the
+ ticket or tickets so obtained, placing the session key needed to
+ use each ticket in the key field of the corresponding KrbCredInfo
+ sequence of the encrypted part of the KRB_CRED message.
+
+ Other information associated with each ticket and obtained during
+ the KRB_TGS exchange is also placed in the corresponding
+ KrbCredInfo sequence in the encrypted part of the KRB_CRED
+ message. The current time and, if specifically required by the
+ application the nonce, s-address, and r-address fields, are placed
+ in the encrypted part of the KRB_CRED message which is then
+ encrypted under an encryption key previously exchanged in the
+ KRB_AP exchange (usually the last key negotiated via subkeys, or
+ the session key if no negotiation has occurred).
+
+ Implementation note: When constructing a KRB_CRED message for
+ inclusion in a GSSAPI initial context token, the MIT
+ implementation of Kerberos will not encrypt the KRB_CRED message
+ if the session key is a DES or triple DES key. For
+ interoperability with MIT, the Microsoft implementation will not
+ encrypt the KRB_CRED in a GSSAPI token if it is using a DES
+ session key. Starting at version 1.2.5, MIT Kerberos can receive
+
+
+
+February 2004 [Page 46]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ and decode either encrypted or unencrypted KRB_CRED tokens in the
+ GSSAPI exchange. The Heimdal implementation of Kerberos can also
+ accept either encrypted or unencrypted KRB_CRED messages. Since
+ the KRB_CRED message in a GSSAPI token is encrypted in the
+ authenticator, the MIT behavior does not present a security
+ problem, although it is a violation of the Kerberos specification.
+
+3.6.2. Receipt of KRB_CRED message
+
+ When an application receives a KRB_CRED message, it verifies it.
+ If any error occurs, an error code is reported for use by the
+ application. The message is verified by checking that the protocol
+ version and type fields match the current version and KRB_CRED,
+ respectively. A mismatch generates a KRB_AP_ERR_BADVERSION or
+ KRB_AP_ERR_MSG_TYPE error. The application then decrypts the
+ ciphertext and processes the resultant plaintext. If decryption
+ shows the data to have been modified, a KRB_AP_ERR_BAD_INTEGRITY
+ error is generated.
+
+ If present or required, the recipient MAY verify that the
+ operating system's report of the sender's address matches the
+ sender's address in the message, and that one of the recipient's
+ addresses appears as the recipient's address in the message. The
+ address check does not provide any added security, since the
+ address if present has already been checked in the KRB_AP_REQ
+ message and there is not any benefit to be gained by an attacker
+ in reflecting a KRB_CRED message back to its originator. Thus, the
+ recipient MAY ignore the address even if present in order to work
+ better in NAT environments. A failed match for either case
+ generates a KRB_AP_ERR_BADADDR error. Recipients MAY skip the
+ address check as the KRB_CRED message cannot generally be
+ reflected back to the originator. The timestamp and usec fields
+ (and the nonce field if required) are checked next. If the
+ timestamp and usec are not present, or they are present but not
+ current, the KRB_AP_ERR_SKEW error is generated.
+
+ If all the checks succeed, the application stores each of the new
+ tickets in its credentials cache together with the session key and
+ other information in the corresponding KrbCredInfo sequence from
+ the encrypted part of the KRB_CRED message.
+
+3.7. User-to-User Authentication Exchanges
+
+ User-to-User authentication provides a method to perform
+ authentication when the verifier does not have a access to long
+ term service key. This might be the case when running a server
+ (for example a window server) as a user on a workstation. In such
+ cases, the server may have access to the ticket-granting ticket
+
+
+
+February 2004 [Page 47]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ obtained when the user logged in to the workstation, but because
+ the server is running as an unprivileged user it might not have
+ access to system keys. Similar situations may arise when running
+ peer-to-peer applications.
+
+ Summary
+ Message direction Message type Sections
+ 0. Message from application server Not Specified
+ 1. Client to Kerberos KRB_TGS_REQ 3.3 + 5.4.1
+ 2. Kerberos to client KRB_TGS_REP or 3.3 + 5.4.2
+ KRB_ERROR 5.9.1
+ 3. Client to Application server KRB_AP_REQ 3.2 + 5.5.1
+
+ To address this problem, the Kerberos protocol allows the client
+ to request that the ticket issued by the KDC be encrypted using a
+ session key from a ticket-granting ticket issued to the party that
+ will verify the authentication. This ticket-granting ticket must
+ be obtained from the verifier by means of an exchange external to
+ the Kerberos protocol, usually as part of the application
+ protocol. This message is shown in the summary above as message 0.
+ Note that because the ticket-granting ticket is encrypted in the
+ KDC's secret key, it can not be used for authentication without
+ possession of the corresponding secret key. Furthermore, because
+ the verifier does not reveal the corresponding secret key,
+ providing a copy of the verifier's ticket-granting ticket does not
+ allow impersonation of the verifier.
+
+ Message 0 in the table above represents an application specific
+ negotiation between the client and server, at the end of which
+ both have determined that they will use user-to-user
+ authentication and the client has obtained the server's TGT.
+
+ Next, the client includes the server's TGT as an additional ticket
+ in its KRB_TGS_REQ request to the KDC (message 1 in the table
+ above) and specifies the ENC-TKT-IN-SKEY option in its request.
+
+ If validated according to the instructions in 3.3.3, the
+ application ticket returned to the client (message 2 in the table
+ above) will be encrypted using the session key from the additional
+ ticket and the client will note this when it uses or stores the
+ application ticket.
+
+ When contacting the server using a ticket obtained for user-to-
+ user authentication (message 3 in the table above), the client
+ MUST specify the USE-SESSION-KEY flag in the ap-options field.
+ This tells the application server to use the session key
+ associated with its ticket-granting ticket to decrypt the server
+ ticket provided in the application request.
+
+
+
+February 2004 [Page 48]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+4. Encryption and Checksum Specifications
+
+ The Kerberos protocols described in this document are designed to
+ encrypt messages of arbitrary sizes, using stream or block
+ encryption ciphers. Encryption is used to prove the identities of
+ the network entities participating in message exchanges. The Key
+ Distribution Center for each realm is trusted by all principals
+ registered in that realm to store a secret key in confidence.
+ Proof of knowledge of this secret key is used to verify the
+ authenticity of a principal.
+
+ The KDC uses the principal's secret key (in the AS exchange) or a
+ shared session key (in the TGS exchange) to encrypt responses to
+ ticket requests; the ability to obtain the secret key or session
+ key implies the knowledge of the appropriate keys and the identity
+ of the KDC. The ability of a principal to decrypt the KDC response
+ and present a Ticket and a properly formed Authenticator
+ (generated with the session key from the KDC response) to a
+ service verifies the identity of the principal; likewise the
+ ability of the service to extract the session key from the Ticket
+ and prove its knowledge thereof in a response verifies the
+ identity of the service.
+
+ [@KCRYPTO] defines a framework for defining encryption and
+ checksum mechanisms for use with Kerberos. It also defines several
+ such mechanisms, and more may be added in future updates to that
+ document.
+
+ The string-to-key operation provided by [@KCRYPTO] is used to
+ produce a long-term key for a principal (generally for a user).
+ The default salt string, if none is provided via pre-
+ authentication data, is the concatenation of the principal's realm
+ and name components, in order, with no separators. Unless
+ otherwise indicated, the default string-to-key opaque parameter
+ set as defined in [@KCRYPTO] is used.
+
+ Encrypted data, keys and checksums are transmitted using the
+ EncryptedData, EncryptionKey and Checksum data objects defined in
+ section 5.2.9. The encryption, decryption, and checksum operations
+ described in this document use the corresponding encryption,
+ decryption, and get_mic operations described in [@KCRYPTO], with
+ implicit "specific key" generation using the "key usage" values
+ specified in the description of each EncryptedData or Checksum
+ object to vary the key for each operation. Note that in some
+ cases, the value to be used is dependent on the method of choosing
+ the key or the context of the message.
+
+ Key usages are unsigned 32 bit integers; zero is not permitted.
+
+
+
+February 2004 [Page 49]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The key usage values for encrypting or checksumming Kerberos
+ messages are indicated in section 5 along with the message
+ definitions. Key usage values 512-1023 are reserved for uses
+ internal to a Kerberos implementation. (For example, seeding a
+ pseudo-random number generator with a value produced by encrypting
+ something with a session key and a key usage value not used for
+ any other purpose.) Key usage values between 1024 and 2047
+ (inclusive) are reserved for application use; applications SHOULD
+ use even values for encryption and odd values for checksums within
+ this range. Key usage values are also summarized in a table in
+ section 7.5.1.
+
+ There might exist other documents which define protocols in terms
+ of the RFC1510 encryption types or checksum types. Such documents
+ would not know about key usages. In order that these
+ specifications continue to be meaningful until they are updated,
+ if no key usage values are specified then key usages 1024 and 1025
+ must be used to derive keys for encryption and checksums,
+ respectively (this does not apply to protocols that do their own
+ encryption independent of this framework, directly using the key
+ resulting from the Kerberos authentication exchange.) New
+ protocols defined in terms of the Kerberos encryption and checksum
+ types SHOULD use their own key usage values.
+
+ Unless otherwise indicated, no cipher state chaining is done from
+ one encryption operation to another.
+
+ Implementation note: While not recommended, some application
+ protocols will continue to use the key data directly, even if only
+ in currently existing protocol specifications. An implementation
+ intended to support general Kerberos applications may therefore
+ need to make key data available, as well as the attributes and
+ operations described in [@KCRYPTO]. One of the more common
+ reasons for directly performing encryption is direct control over
+ negotiation and selection of a "sufficiently strong" encryption
+ algorithm (in the context of a given application). While Kerberos
+ does not directly provide a facility for negotiating encryption
+ types between the application client and server, there are
+ approaches for using Kerberos to facilitate this negotiation - for
+ example, a client may request only "sufficiently strong" session
+ key types from the KDC and expect that any type returned by the
+ KDC will be understood and supported by the application server.
+
+5. Message Specifications
+
+ NOTE: The ASN.1 collected here should be identical to the contents
+ of Appendix A. In case of conflict, the contents of Appendix A
+ shall take precedence.
+
+
+
+February 2004 [Page 50]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The Kerberos protocol is defined here in terms of Abstract Syntax
+ Notation One (ASN.1) [X680], which provides a syntax for
+ specifying both the abstract layout of protocol messages as well
+ as their encodings. Implementors not utilizing an existing ASN.1
+ compiler or support library are cautioned to thoroughly understand
+ the actual ASN.1 specification to ensure correct implementation
+ behavior, as there is more complexity in the notation than is
+ immediately obvious, and some tutorials and guides to ASN.1 are
+ misleading or erroneous.
+
+ Note that in several places, there have been changes here from RFC
+ 1510 that change the abstract types. This is in part to address
+ widespread assumptions that various implementors have made, in
+ some cases resulting in unintentional violations of the ASN.1
+ standard. These are clearly flagged where they occur. The
+ differences between the abstract types in RFC 1510 and abstract
+ types in this document can cause incompatible encodings to be
+ emitted when certain encoding rules, e.g. the Packed Encoding
+ Rules (PER), are used. This theoretical incompatibility should not
+ be relevant for Kerberos, since Kerberos explicitly specifies the
+ use of the Distinguished Encoding Rules (DER). It might be an
+ issue for protocols wishing to use Kerberos types with other
+ encoding rules. (This practice is not recommended.) With very few
+ exceptions (most notably the usages of BIT STRING), the encodings
+ resulting from using the DER remain identical between the types
+ defined in RFC 1510 and the types defined in this document.
+
+ The type definitions in this section assume an ASN.1 module
+ definition of the following form:
+
+ KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+ } DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ -- rest of definitions here
+
+ END
+
+ This specifies that the tagging context for the module will be
+ explicit and non-automatic.
+
+ Note that in some other publications [RFC1510] [RFC1964], the
+ "dod" portion of the object identifier is erroneously specified as
+ having the value "5". In the case of RFC 1964, use of the
+ "correct" OID value would result in a change in the wire protocol;
+ therefore, it remains unchanged for now.
+
+
+
+
+February 2004 [Page 51]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Note that elsewhere in this document, nomenclature for various
+ message types is inconsistent, but largely follows C language
+ conventions, including use of underscore (_) characters and all-
+ caps spelling of names intended to be numeric constants. Also, in
+ some places, identifiers (especially ones referring to constants)
+ are written in all-caps in order to distinguish them from
+ surrounding explanatory text.
+
+ The ASN.1 notation does not permit underscores in identifiers, so
+ in actual ASN.1 definitions, underscores are replaced with hyphens
+ (-). Additionally, structure member names and defined values in
+ ASN.1 MUST begin with a lowercase letter, while type names MUST
+ begin with an uppercase letter.
+
+5.1. Specific Compatibility Notes on ASN.1
+
+ For compatibility purposes, implementors should heed the following
+ specific notes regarding the use of ASN.1 in Kerberos. These notes
+ do not describe deviations from standard usage of ASN.1. The
+ purpose of these notes is to instead describe some historical
+ quirks and non-compliance of various implementations, as well as
+ historical ambiguities, which, while being valid ASN.1, can lead
+ to confusion during implementation.
+
+5.1.1. ASN.1 Distinguished Encoding Rules
+
+ The encoding of Kerberos protocol messages shall obey the
+ Distinguished Encoding Rules (DER) of ASN.1 as described in
+ [X690]. Some implementations (believed to be primarily ones
+ derived from DCE 1.1 and earlier) are known to use the more
+ general Basic Encoding Rules (BER); in particular, these
+ implementations send indefinite encodings of lengths.
+ Implementations MAY accept such encodings in the interests of
+ backwards compatibility, though implementors are warned that
+ decoding fully-general BER is fraught with peril.
+
+5.1.2. Optional Integer Fields
+
+ Some implementations do not internally distinguish between an
+ omitted optional integer value and a transmitted value of zero.
+ The places in the protocol where this is relevant include various
+ microseconds fields, nonces, and sequence numbers. Implementations
+ SHOULD treat omitted optional integer values as having been
+ transmitted with a value of zero, if the application is expecting
+ this.
+
+5.1.3. Empty SEQUENCE OF Types
+
+
+
+
+February 2004 [Page 52]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ There are places in the protocol where a message contains a
+ SEQUENCE OF type as an optional member. This can result in an
+ encoding that contains an empty SEQUENCE OF encoding. The Kerberos
+ protocol does not semantically distinguish between an absent
+ optional SEQUENCE OF type and a present optional but empty
+ SEQUENCE OF type. Implementations SHOULD NOT send empty SEQUENCE
+ OF encodings that are marked OPTIONAL, but SHOULD accept them as
+ being equivalent to an omitted OPTIONAL type. In the ASN.1 syntax
+ describing Kerberos messages, instances of these problematic
+ optional SEQUENCE OF types are indicated with a comment.
+
+5.1.4. Unrecognized Tag Numbers
+
+ Future revisions to this protocol may include new message types
+ with different APPLICATION class tag numbers. Such revisions
+ should protect older implementations by only sending the message
+ types to parties that are known to understand them, e.g. by means
+ of a flag bit set by the receiver in a preceding request. In the
+ interest of robust error handling, implementations SHOULD
+ gracefully handle receiving a message with an unrecognized tag
+ anyway, and return an error message if appropriate.
+
+ In particular, KDCs SHOULD return KRB_AP_ERR_MSG_TYPE if the
+ incorrect tag is sent over a TCP transport. The KDCs SHOULD NOT
+ respond to messages received with an unknown tag over UDP
+ transport in order to avoid denial of service attacks. For non-
+ KDC applications, the Kerberos implementation typically indicates
+ an error to the application which takes appropriate steps based on
+ the application protocol.
+
+5.1.5. Tag Numbers Greater Than 30
+
+ A naive implementation of a DER ASN.1 decoder may experience
+ problems with ASN.1 tag numbers greater than 30, due to such tag
+ numbers being encoded using more than one byte. Future revisions
+ of this protocol may utilize tag numbers greater than 30, and
+ implementations SHOULD be prepared to gracefully return an error,
+ if appropriate, if they do not recognize the tag.
+
+5.2. Basic Kerberos Types
+
+ This section defines a number of basic types that are potentially
+ used in multiple Kerberos protocol messages.
+
+5.2.1. KerberosString
+
+ The original specification of the Kerberos protocol in RFC 1510
+ uses GeneralString in numerous places for human-readable string
+
+
+
+February 2004 [Page 53]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ data. Historical implementations of Kerberos cannot utilize the
+ full power of GeneralString. This ASN.1 type requires the use of
+ designation and invocation escape sequences as specified in
+ ISO-2022/ECMA-35 [ISO-2022/ECMA-35] to switch character sets, and
+ the default character set that is designated as G0 is the
+ ISO-646/ECMA-6 [ISO-646,ECMA-6] International Reference Version
+ (IRV) (aka U.S. ASCII), which mostly works.
+
+ ISO-2022/ECMA-35 defines four character-set code elements (G0..G3)
+ and two Control-function code elements (C0..C1). DER prohibits the
+ designation of character sets as any but the G0 and C0 sets.
+ Unfortunately, this seems to have the side effect of prohibiting
+ the use of ISO-8859 (ISO Latin) [ISO-8859] character-sets or any
+ other character-sets that utilize a 96-character set, since it is
+ prohibited by ISO-2022/ECMA-35 to designate them as the G0 code
+ element. This side effect is being investigated in the ASN.1
+ standards community.
+
+ In practice, many implementations treat GeneralStrings as if they
+ were 8-bit strings of whichever character set the implementation
+ defaults to, without regard for correct usage of character-set
+ designation escape sequences. The default character set is often
+ determined by the current user's operating system dependent
+ locale. At least one major implementation places unescaped UTF-8
+ encoded Unicode characters in the GeneralString. This failure to
+ adhere to the GeneralString specifications results in
+ interoperability issues when conflicting character encodings are
+ utilized by the Kerberos clients, services, and KDC.
+
+ This unfortunate situation is the result of improper documentation
+ of the restrictions of the ASN.1 GeneralString type in prior
+ Kerberos specifications.
+
+ The new (post-RFC 1510) type KerberosString, defined below, is a
+ GeneralString that is constrained to only contain characters in
+ IA5String
+
+ KerberosString ::= GeneralString (IA5String)
+
+ In general, US-ASCII control characters should not be used in
+ KerberosString. Control characters SHOULD NOT be used in principal
+ names or realm names.
+
+ For compatibility, implementations MAY choose to accept
+ GeneralString values that contain characters other than those
+ permitted by IA5String, but they should be aware that character
+ set designation codes will likely be absent, and that the encoding
+ should probably be treated as locale-specific in almost every way.
+
+
+
+February 2004 [Page 54]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Implementations MAY also choose to emit GeneralString values that
+ are beyond those permitted by IA5String, but should be aware that
+ doing so is extraordinarily risky from an interoperability
+ perspective.
+
+ Some existing implementations use GeneralString to encode
+ unescaped locale-specific characters. This is a violation of the
+ ASN.1 standard. Most of these implementations encode US-ASCII in
+ the left-hand half, so as long the implementation transmits only
+ US-ASCII, the ASN.1 standard is not violated in this regard. As
+ soon as such an implementation encodes unescaped locale-specific
+ characters with the high bit set, it violates the ASN.1 standard.
+
+ Other implementations have been known to use GeneralString to
+ contain a UTF-8 encoding. This also violates the ASN.1 standard,
+ since UTF-8 is a different encoding, not a 94 or 96 character "G"
+ set as defined by ISO 2022. It is believed that these
+ implementations do not even use the ISO 2022 escape sequence to
+ change the character encoding. Even if implementations were to
+ announce the change of encoding by using that escape sequence, the
+ ASN.1 standard prohibits the use of any escape sequences other
+ than those used to designate/invoke "G" or "C" sets allowed by
+ GeneralString.
+
+ Future revisions to this protocol will almost certainly allow for
+ a more interoperable representation of principal names, probably
+ including UTF8String.
+
+ Note that applying a new constraint to a previously unconstrained
+ type constitutes creation of a new ASN.1 type. In this particular
+ case, the change does not result in a changed encoding under DER.
+
+5.2.2. Realm and PrincipalName
+
+ Realm ::= KerberosString
+
+ PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+ }
+
+ Kerberos realm names are encoded as KerberosStrings. Realms shall
+ not contain a character with the code 0 (the US-ASCII NUL). Most
+ realms will usually consist of several components separated by
+ periods (.), in the style of Internet Domain Names, or separated
+ by slashes (/) in the style of X.500 names. Acceptable forms for
+ realm names are specified in section 6.1.. A PrincipalName is a
+ typed sequence of components consisting of the following sub-
+
+
+
+February 2004 [Page 55]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ fields:
+
+ name-type
+ This field specifies the type of name that follows. Pre-defined
+ values for this field are specified in section 6.2. The name-type
+ SHOULD be treated as a hint. Ignoring the name type, no two names
+ can be the same (i.e. at least one of the components, or the
+ realm, must be different).
+
+ name-string
+ This field encodes a sequence of components that form a name, each
+ component encoded as a KerberosString. Taken together, a
+ PrincipalName and a Realm form a principal identifier. Most
+ PrincipalNames will have only a few components (typically one or
+ two).
+
+5.2.3. KerberosTime
+
+ KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+ The timestamps used in Kerberos are encoded as GeneralizedTimes. A
+ KerberosTime value shall not include any fractional portions of
+ the seconds. As required by the DER, it further shall not include
+ any separators, and it shall specify the UTC time zone (Z).
+ Example: The only valid format for UTC time 6 minutes, 27 seconds
+ after 9 pm on 6 November 1985 is 19851106210627Z.
+
+5.2.4. Constrained Integer types
+
+ Some integer members of types SHOULD be constrained to values
+ representable in 32 bits, for compatibility with reasonable
+ implementation limits.
+
+ Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+ UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+ Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+ While this results in changes to the abstract types from the RFC
+ 1510 version, the encoding in DER should be unaltered. Historical
+ implementations were typically limited to 32-bit integer values
+ anyway, and assigned numbers SHOULD fall in the space of integer
+ values representable in 32 bits in order to promote
+ interoperability anyway.
+
+
+
+February 2004 [Page 56]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ There are several integer fields in messages that are constrained
+ to fixed values.
+
+ pvno
+ also TKT-VNO or AUTHENTICATOR-VNO, this recurring field is always
+ the constant integer 5. There is no easy way to make this field
+ into a useful protocol version number, so its value is fixed.
+
+ msg-type
+ this integer field is usually identical to the application tag
+ number of the containing message type.
+
+5.2.5. HostAddress and HostAddresses
+
+ HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+ }
+
+ -- NOTE: HostAddresses is always used as an OPTIONAL field and
+ -- should not be empty.
+ HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+ The host address encodings consists of two fields:
+
+ addr-type
+ This field specifies the type of address that follows. Pre-defined
+ values for this field are specified in section 7.5.3.
+
+ address
+ This field encodes a single address of type addr-type.
+
+5.2.6. AuthorizationData
+
+ -- NOTE: AuthorizationData is always used as an OPTIONAL field and
+ -- should not be empty.
+ AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+ }
+
+ ad-data
+ This field contains authorization data to be interpreted according
+ to the value of the corresponding ad-type field.
+
+ ad-type
+
+
+
+February 2004 [Page 57]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ This field specifies the format for the ad-data subfield. All
+ negative values are reserved for local use. Non-negative values
+ are reserved for registered use.
+
+ Each sequence of type and data is referred to as an authorization
+ element. Elements MAY be application specific, however, there is a
+ common set of recursive elements that should be understood by all
+ implementations. These elements contain other elements embedded
+ within them, and the interpretation of the encapsulating element
+ determines which of the embedded elements must be interpreted, and
+ which may be ignored.
+
+ These common authorization data elements are recursively defined,
+ meaning the ad-data for these types will itself contain a sequence of
+ authorization data whose interpretation is affected by the
+ encapsulating element. Depending on the meaning of the encapsulating
+ element, the encapsulated elements may be ignored, might be
+ interpreted as issued directly by the KDC, or they might be stored in
+ a separate plaintext part of the ticket. The types of the
+ encapsulating elements are specified as part of the Kerberos
+ specification because the behavior based on these values should be
+ understood across implementations whereas other elements need only be
+ understood by the applications which they affect.
+
+ Authorization data elements are considered critical if present in a
+ ticket or authenticator. Unless encapsulated in a known authorization
+ data element amending the criticality of the elements it contains, if
+ an unknown authorization data element type is received by a server
+ either in an AP-REQ or in a ticket contained in an AP-REQ, then
+ authentication MUST fail. Authorization data is intended to restrict
+ the use of a ticket. If the service cannot determine whether the
+ restriction applies to that service then a security weakness may
+ result if the ticket can be used for that service. Authorization
+ elements that are optional can be enclosed in AD-IF-RELEVANT element.
+
+ In the definitions that follow, the value of the ad-type for the
+ element will be specified as the least significant part of the
+ subsection number, and the value of the ad-data will be as shown in
+ the ASN.1 structure that follows the subsection heading.
+
+ contents of ad-data ad-type
+
+ DER encoding of AD-IF-RELEVANT 1
+
+ DER encoding of AD-KDCIssued 4
+
+ DER encoding of AD-AND-OR 5
+
+
+
+
+February 2004 [Page 58]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ DER encoding of AD-MANDATORY-FOR-KDC 8
+
+5.2.6.1. IF-RELEVANT
+
+ AD-IF-RELEVANT ::= AuthorizationData
+
+ AD elements encapsulated within the if-relevant element are
+ intended for interpretation only by application servers that
+ understand the particular ad-type of the embedded element.
+ Application servers that do not understand the type of an element
+ embedded within the if-relevant element MAY ignore the
+ uninterpretable element. This element promotes interoperability
+ across implementations which may have local extensions for
+ authorization. The ad-type for AD-IF-RELEVANT is (1).
+
+5.2.6.2. KDCIssued
+
+ AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+ }
+
+ ad-checksum
+ A cryptographic checksum computed over the DER encoding of the
+ AuthorizationData in the "elements" field, keyed with the session
+ key. Its checksumtype is the mandatory checksum type for the
+ encryption type of the session key, and its key usage value is 19.
+
+ i-realm, i-sname
+ The name of the issuing principal if different from the KDC
+ itself. This field would be used when the KDC can verify the
+ authenticity of elements signed by the issuing principal and it
+ allows this KDC to notify the application server of the validity
+ of those elements.
+
+ elements
+ A sequence of authorization data elements issued by the KDC.
+
+ The KDC-issued ad-data field is intended to provide a means for
+ Kerberos principal credentials to embed within themselves privilege
+ attributes and other mechanisms for positive authorization,
+ amplifying the privileges of the principal beyond what can be done
+ using a credentials without such an a-data element.
+
+ This can not be provided without this element because the definition
+ of the authorization-data field allows elements to be added at will
+
+
+
+February 2004 [Page 59]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ by the bearer of a TGT at the time that they request service tickets
+ and elements may also be added to a delegated ticket by inclusion in
+ the authenticator.
+
+ For KDC-issued elements this is prevented because the elements are
+ signed by the KDC by including a checksum encrypted using the
+ server's key (the same key used to encrypt the ticket - or a key
+ derived from that key). Elements encapsulated with in the KDC-issued
+ element MUST be ignored by the application server if this
+ "signature" is not present. Further, elements encapsulated within
+ this element from a ticket-granting ticket MAY be interpreted by the
+ KDC, and used as a basis according to policy for including new signed
+ elements within derivative tickets, but they will not be copied to a
+ derivative ticket directly. If they are copied directly to a
+ derivative ticket by a KDC that is not aware of this element, the
+ signature will not be correct for the application ticket elements,
+ and the field will be ignored by the application server.
+
+ This element and the elements it encapsulates MAY be safely ignored
+ by applications, application servers, and KDCs that do not implement
+ this element.
+
+ The ad-type for AD-KDC-ISSUED is (4).
+
+5.2.6.3. AND-OR
+
+ AD-AND-OR ::= SEQUENCE {
+ condition-count [0] INTEGER,
+ elements [1] AuthorizationData
+ }
+
+
+ When restrictive AD elements are encapsulated within the and-or
+ element, the and-or element is considered satisfied if and only if
+ at least the number of encapsulated elements specified in
+ condition-count are satisfied. Therefore, this element MAY be
+ used to implement an "or" operation by setting the condition-count
+ field to 1, and it MAY specify an "and" operation by setting the
+ condition count to the number of embedded elements. Application
+ servers that do not implement this element MUST reject tickets
+ that contain authorization data elements of this type.
+
+ The ad-type for AD-AND-OR is (5).
+
+5.2.6.4. MANDATORY-FOR-KDC
+
+ AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+
+
+
+February 2004 [Page 60]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ AD elements encapsulated within the mandatory-for-kdc element are
+ to be interpreted by the KDC. KDCs that do not understand the type
+ of an element embedded within the mandatory-for-kdc element MUST
+ reject the request.
+
+ The ad-type for AD-MANDATORY-FOR-KDC is (8).
+
+5.2.7. PA-DATA
+
+ Historically, PA-DATA have been known as "pre-authentication
+ data", meaning that they were used to augment the initial
+ authentication with the KDC. Since that time, they have also been
+ used as a typed hole with which to extend protocol exchanges with
+ the KDC.
+
+ PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+ }
+
+ padata-type
+ indicates the way that the padata-value element is to be
+ interpreted. Negative values of padata-type are reserved for
+ unregistered use; non-negative values are used for a registered
+ interpretation of the element type.
+
+ padata-value
+ Usually contains the DER encoding of another type; the padata-type
+ field identifies which type is encoded here.
+
+ padata-type name contents of padata-value
+
+ 1 pa-tgs-req DER encoding of AP-REQ
+
+ 2 pa-enc-timestamp DER encoding of PA-ENC-TIMESTAMP
+
+ 3 pa-pw-salt salt (not ASN.1 encoded)
+
+ 11 pa-etype-info DER encoding of ETYPE-INFO
+
+ 19 pa-etype-info2 DER encoding of ETYPE-INFO2
+
+ This field MAY also contain information needed by certain
+ extensions to the Kerberos protocol. For example, it might be used
+ to initially verify the identity of a client before any response
+ is returned.
+
+
+
+
+February 2004 [Page 61]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The padata field can also contain information needed to help the
+ KDC or the client select the key needed for generating or
+ decrypting the response. This form of the padata is useful for
+ supporting the use of certain token cards with Kerberos. The
+ details of such extensions are specified in separate documents.
+ See [Pat92] for additional uses of this field.
+
+5.2.7.1. PA-TGS-REQ
+
+ In the case of requests for additional tickets (KRB_TGS_REQ),
+ padata-value will contain an encoded AP-REQ. The checksum in the
+ authenticator (which MUST be collision-proof) is to be computed
+ over the KDC-REQ-BODY encoding.
+
+5.2.7.2. Encrypted Timestamp Pre-authentication
+
+ There are pre-authentication types that may be used to pre-
+ authenticate a client by means of an encrypted timestamp.
+
+ PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+ PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+ }
+
+ Patimestamp contains the client's time, and pausec contains the
+ microseconds, which MAY be omitted if a client will not generate
+ more than one request per second. The ciphertext (padata-value)
+ consists of the PA-ENC-TS-ENC encoding, encrypted using the
+ client's secret key and a key usage value of 1.
+
+ This pre-authentication type was not present in RFC 1510, but many
+ implementations support it.
+
+5.2.7.3. PA-PW-SALT
+
+ The padata-value for this pre-authentication type contains the
+ salt for the string-to-key to be used by the client to obtain the
+ key for decrypting the encrypted part of an AS-REP message.
+ Unfortunately, for historical reasons, the character set to be
+ used is unspecified and probably locale-specific.
+
+ This pre-authentication type was not present in RFC 1510, but many
+ implementations support it. It is necessary in any case where the
+ salt for the string-to-key algorithm is not the default.
+
+ In the trivial example, a zero-length salt string is very
+
+
+
+February 2004 [Page 62]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ commonplace for realms that have converted their principal
+ databases from Kerberos 4.
+
+ A KDC SHOULD NOT send PA-PW-SALT when issuing a KRB-ERROR message
+ that requests additional pre-authentication. Implementation note:
+ some KDC implementations issue an erroneous PA-PW-SALT when
+ issuing a KRB-ERROR message that requests additional pre-
+ authentication. Therefore, clients SHOULD ignore a PA-PW-SALT
+ accompanying a KRB-ERROR message that requests additional pre-
+ authentication. As noted in section 3.1.3, a KDC MUST NOT send
+ PA-PW-SALT when the client's AS-REQ includes at least one "newer"
+ etype.
+
+5.2.7.4. PA-ETYPE-INFO
+
+ The ETYPE-INFO pre-authentication type is sent by the KDC in a
+ KRB-ERROR indicating a requirement for additional pre-
+ authentication. It is usually used to notify a client of which key
+ to use for the encryption of an encrypted timestamp for the
+ purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
+ It MAY also be sent in an AS-REP to provide information to the
+ client about which key salt to use for the string-to-key to be
+ used by the client to obtain the key for decrypting the encrypted
+ part the AS-REP.
+
+ ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+ }
+
+ ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ The salt, like that of PA-PW-SALT, is also completely unspecified
+ with respect to character set and is probably locale-specific.
+
+ If ETYPE-INFO is sent in an AS-REP, there shall be exactly one
+ ETYPE-INFO-ENTRY, and its etype shall match that of the enc-part
+ in the AS-REP.
+
+ This pre-authentication type was not present in RFC 1510, but many
+ implementations that support encrypted timestamps for pre-
+ authentication need to support ETYPE-INFO as well. As noted in
+ section 3.1.3, a KDC MUST NOT send PA-ETYPE-INFO when the client's
+ AS-REQ includes at least one "newer" etype.
+
+5.2.7.5. PA-ETYPE-INFO2
+
+ The ETYPE-INFO2 pre-authentication type is sent by the KDC in a
+
+
+
+February 2004 [Page 63]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ KRB-ERROR indicating a requirement for additional pre-
+ authentication. It is usually used to notify a client of which key
+ to use for the encryption of an encrypted timestamp for the
+ purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
+ It MAY also be sent in an AS-REP to provide information to the
+ client about which key salt to use for the string-to-key to be
+ used by the client to obtain the key for decrypting the encrypted
+ part the AS-REP.
+
+ ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+ }
+
+ ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+ The type of the salt is KerberosString, but existing installations
+ might have locale-specific characters stored in salt strings, and
+ implementors MAY choose to handle them.
+
+ The interpretation of s2kparams is specified in the cryptosystem
+ description associated with the etype. Each cryptosystem has a
+ default interpretation of s2kparams that will hold if that element
+ is omitted from the encoding of ETYPE-INFO2-ENTRY.
+
+ If ETYPE-INFO2 is sent in an AS-REP, there shall be exactly one
+ ETYPE-INFO2-ENTRY, and its etype shall match that of the enc-part
+ in the AS-REP.
+
+ The preferred ordering of the "hint" pre-authentication data that
+ affect client key selection is: ETYPE-INFO2, followed by ETYPE-
+ INFO, followed by PW-SALT. As noted in section 3.1.3, a KDC MUST
+ NOT send ETYPE-INFO or PW-SALT when the client's AS-REQ includes
+ at least one "newer" etype.
+
+ The ETYPE-INFO2 pre-authentication type was not present in RFC
+ 1510.
+
+5.2.8. KerberosFlags
+
+ For several message types, a specific constrained bit string type,
+ KerberosFlags, is used.
+
+ KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits
+ -- shall be sent, but no fewer than 32
+
+ Compatibility note: the following paragraphs describe a change
+
+
+
+February 2004 [Page 64]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ from the RFC1510 description of bit strings that would result in
+ incompatility in the case of an implementation that strictly
+ conformed to ASN.1 DER and RFC1510.
+
+ ASN.1 bit strings have multiple uses. The simplest use of a bit
+ string is to contain a vector of bits, with no particular meaning
+ attached to individual bits. This vector of bits is not
+ necessarily a multiple of eight bits long. The use in Kerberos of
+ a bit string as a compact boolean vector wherein each element has
+ a distinct meaning poses some problems. The natural notation for a
+ compact boolean vector is the ASN.1 "NamedBit" notation, and the
+ DER require that encodings of a bit string using "NamedBit"
+ notation exclude any trailing zero bits. This truncation is easy
+ to neglect, especially given C language implementations that
+ naturally choose to store boolean vectors as 32 bit integers.
+
+ For example, if the notation for KDCOptions were to include the
+ "NamedBit" notation, as in RFC 1510, and a KDCOptions value to be
+ encoded had only the "forwardable" (bit number one) bit set, the
+ DER encoding MUST include only two bits: the first reserved bit
+ ("reserved", bit number zero, value zero) and the one-valued bit
+ (bit number one) for "forwardable".
+
+ Most existing implementations of Kerberos unconditionally send 32
+ bits on the wire when encoding bit strings used as boolean
+ vectors. This behavior violates the ASN.1 syntax used for flag
+ values in RFC 1510, but occurs on such a widely installed base
+ that the protocol description is being modified to accommodate it.
+
+ Consequently, this document removes the "NamedBit" notations for
+ individual bits, relegating them to comments. The size constraint
+ on the KerberosFlags type requires that at least 32 bits be
+ encoded at all times, though a lenient implementation MAY choose
+ to accept fewer than 32 bits and to treat the missing bits as set
+ to zero.
+
+ Currently, no uses of KerberosFlags specify more than 32 bits
+ worth of flags, although future revisions of this document may do
+ so. When more than 32 bits are to be transmitted in a
+ KerberosFlags value, future revisions to this document will likely
+ specify that the smallest number of bits needed to encode the
+ highest-numbered one-valued bit should be sent. This is somewhat
+ similar to the DER encoding of a bit string that is declared with
+ the "NamedBit" notation.
+
+5.2.9. Cryptosystem-related Types
+
+ Many Kerberos protocol messages contain an EncryptedData as a
+
+
+
+February 2004 [Page 65]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ container for arbitrary encrypted data, which is often the
+ encrypted encoding of another data type. Fields within
+ EncryptedData assist the recipient in selecting a key with which
+ to decrypt the enclosed data.
+
+ EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+ }
+
+ etype
+ This field identifies which encryption algorithm was used to
+ encipher the cipher.
+
+ kvno
+ This field contains the version number of the key under which data
+ is encrypted. It is only present in messages encrypted under long
+ lasting keys, such as principals' secret keys.
+
+ cipher
+ This field contains the enciphered text, encoded as an OCTET
+ STRING. (Note that the encryption mechanisms defined in
+ [@KCRYPTO] MUST incorporate integrity protection as well, so no
+ additional checksum is required.)
+
+ The EncryptionKey type is the means by which cryptographic keys used
+ for encryption are transferred.
+
+ EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+ }
+
+ keytype
+ This field specifies the encryption type of the encryption key
+ that follows in the keyvalue field. While its name is "keytype",
+ it actually specifies an encryption type. Previously, multiple
+ cryptosystems that performed encryption differently but were
+ capable of using keys with the same characteristics were permitted
+ to share an assigned number to designate the type of key; this
+ usage is now deprecated.
+
+ keyvalue
+ This field contains the key itself, encoded as an octet string.
+
+ Messages containing cleartext data to be authenticated will usually
+ do so by using a member of type Checksum. Most instances of Checksum
+
+
+
+February 2004 [Page 66]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ use a keyed hash, though exceptions will be noted.
+
+ Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+ }
+
+ cksumtype
+ This field indicates the algorithm used to generate the
+ accompanying checksum.
+
+ checksum
+ This field contains the checksum itself, encoded as an octet
+ string.
+
+ See section 4 for a brief description of the use of encryption and
+ checksums in Kerberos.
+
+5.3. Tickets
+
+ This section describes the format and encryption parameters for
+ tickets and authenticators. When a ticket or authenticator is
+ included in a protocol message it is treated as an opaque object.
+ A ticket is a record that helps a client authenticate to a
+ service. A Ticket contains the following information:
+
+ Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+ }
+
+ -- Encrypted part of ticket
+ EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+ }
+
+
+
+
+February 2004 [Page 67]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ -- encoded Transited field
+ TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+ }
+
+ TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+ -- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+ tkt-vno
+ This field specifies the version number for the ticket format.
+ This document describes version number 5.
+
+ realm
+ This field specifies the realm that issued a ticket. It also
+ serves to identify the realm part of the server's principal
+ identifier. Since a Kerberos server can only issue tickets for
+ servers within its realm, the two will always be identical.
+
+ sname
+ This field specifies all components of the name part of the
+ server's identity, including those parts that identify a specific
+ instance of a service.
+
+ enc-part
+ This field holds the encrypted encoding of the EncTicketPart
+ sequence. It is encrypted in the key shared by Kerberos and the
+ end server (the server's secret key), using a key usage value of
+ 2.
+
+ flags
+ This field indicates which of various options were used or
+ requested when the ticket was issued. The meanings of the flags
+ are:
+
+
+
+February 2004 [Page 68]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Bit(s) Name Description
+
+ 0 reserved Reserved for future expansion of this
+ field.
+
+ The FORWARDABLE flag is normally only
+ interpreted by the TGS, and can be
+ ignored by end servers. When set, this
+ 1 forwardable flag tells the ticket-granting server
+ that it is OK to issue a new
+ ticket-granting ticket with a
+ different network address based on the
+ presented ticket.
+
+ When set, this flag indicates that the
+ ticket has either been forwarded or
+ 2 forwarded was issued based on authentication
+ involving a forwarded ticket-granting
+ ticket.
+
+ The PROXIABLE flag is normally only
+ interpreted by the TGS, and can be
+ ignored by end servers. The PROXIABLE
+ flag has an interpretation identical
+ 3 proxiable to that of the FORWARDABLE flag,
+ except that the PROXIABLE flag tells
+ the ticket-granting server that only
+ non-ticket-granting tickets may be
+ issued with different network
+ addresses.
+
+ 4 proxy When set, this flag indicates that a
+ ticket is a proxy.
+
+ The MAY-POSTDATE flag is normally only
+ interpreted by the TGS, and can be
+ 5 may-postdate ignored by end servers. This flag
+ tells the ticket-granting server that
+ a post-dated ticket MAY be issued
+ based on this ticket-granting ticket.
+
+ This flag indicates that this ticket
+ has been postdated. The end-service
+ 6 postdated can check the authtime field to see
+ when the original authentication
+ occurred.
+
+ This flag indicates that a ticket is
+
+
+
+February 2004 [Page 69]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ invalid, and it must be validated by
+ 7 invalid the KDC before use. Application
+ servers must reject tickets which have
+ this flag set.
+
+ The RENEWABLE flag is normally only
+ interpreted by the TGS, and can
+ usually be ignored by end servers
+ 8 renewable (some particularly careful servers MAY
+ disallow renewable tickets). A
+ renewable ticket can be used to obtain
+ a replacement ticket that expires at a
+ later date.
+
+ This flag indicates that this ticket
+ 9 initial was issued using the AS protocol, and
+ not issued based on a ticket-granting
+ ticket.
+
+ This flag indicates that during
+ initial authentication, the client was
+ authenticated by the KDC before a
+ 10 pre-authent ticket was issued. The strength of the
+ pre-authentication method is not
+ indicated, but is acceptable to the
+ KDC.
+
+ This flag indicates that the protocol
+ employed for initial authentication
+ required the use of hardware expected
+ 11 hw-authent to be possessed solely by the named
+ client. The hardware authentication
+ method is selected by the KDC and the
+ strength of the method is not
+ indicated.
+
+ This flag indicates that the KDC for
+ the realm has checked the transited
+ field against a realm defined policy
+ for trusted certifiers. If this flag
+ is reset (0), then the application
+ server must check the transited field
+ itself, and if unable to do so it must
+ reject the authentication. If the flag
+ 12 transited- is set (1) then the application server
+ policy-checked MAY skip its own validation of the
+ transited field, relying on the
+ validation performed by the KDC. At
+
+
+
+February 2004 [Page 70]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ its option the application server MAY
+ still apply its own validation based
+ on a separate policy for acceptance.
+
+ This flag is new since RFC 1510.
+
+ This flag indicates that the server
+ (not the client) specified in the
+ ticket has been determined by policy
+ of the realm to be a suitable
+ recipient of delegation. A client can
+ use the presence of this flag to help
+ it make a decision whether to delegate
+ credentials (either grant a proxy or a
+ forwarded ticket-granting ticket) to
+ 13 ok-as-delegate this server. The client is free to
+ ignore the value of this flag. When
+ setting this flag, an administrator
+ should consider the Security and
+ placement of the server on which the
+ service will run, as well as whether
+ the service requires the use of
+ delegated credentials.
+
+ This flag is new since RFC 1510.
+
+ 14-31 reserved Reserved for future use.
+
+ key
+ This field exists in the ticket and the KDC response and is used
+ to pass the session key from Kerberos to the application server
+ and the client.
+
+ crealm
+ This field contains the name of the realm in which the client is
+ registered and in which initial authentication took place.
+
+ cname
+ This field contains the name part of the client's principal
+ identifier.
+
+ transited
+ This field lists the names of the Kerberos realms that took part
+ in authenticating the user to whom this ticket was issued. It does
+ not specify the order in which the realms were transited. See
+ section 3.3.3.2 for details on how this field encodes the
+ traversed realms. When the names of CA's are to be embedded in
+ the transited field (as specified for some extensions to the
+
+
+
+February 2004 [Page 71]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ protocol), the X.500 names of the CA's SHOULD be mapped into items
+ in the transited field using the mapping defined by RFC2253.
+
+ authtime
+ This field indicates the time of initial authentication for the
+ named principal. It is the time of issue for the original ticket
+ on which this ticket is based. It is included in the ticket to
+ provide additional information to the end service, and to provide
+ the necessary information for implementation of a `hot list'
+ service at the KDC. An end service that is particularly paranoid
+ could refuse to accept tickets for which the initial
+ authentication occurred "too far" in the past. This field is also
+ returned as part of the response from the KDC. When returned as
+ part of the response to initial authentication (KRB_AS_REP), this
+ is the current time on the Kerberos server. It is NOT recommended
+ that this time value be used to adjust the workstation's clock
+ since the workstation cannot reliably determine that such a
+ KRB_AS_REP actually came from the proper KDC in a timely manner.
+
+
+ starttime
+
+ This field in the ticket specifies the time after which the ticket
+ is valid. Together with endtime, this field specifies the life of
+ the ticket. If the starttime field is absent from the ticket, then
+ the authtime field SHOULD be used in its place to determine the
+ life of the ticket.
+
+ endtime
+ This field contains the time after which the ticket will not be
+ honored (its expiration time). Note that individual services MAY
+ place their own limits on the life of a ticket and MAY reject
+ tickets which have not yet expired. As such, this is really an
+ upper bound on the expiration time for the ticket.
+
+ renew-till
+ This field is only present in tickets that have the RENEWABLE flag
+ set in the flags field. It indicates the maximum endtime that may
+ be included in a renewal. It can be thought of as the absolute
+ expiration time for the ticket, including all renewals.
+
+ caddr
+ This field in a ticket contains zero (if omitted) or more (if
+ present) host addresses. These are the addresses from which the
+ ticket can be used. If there are no addresses, the ticket can be
+ used from any location. The decision by the KDC to issue or by the
+ end server to accept addressless tickets is a policy decision and
+ is left to the Kerberos and end-service administrators; they MAY
+
+
+
+February 2004 [Page 72]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ refuse to issue or accept such tickets. Because of the wide
+ deployment of network address translation, it is recommended that
+ policy allow the issue and acceptance of such tickets.
+
+ Network addresses are included in the ticket to make it harder for
+ an attacker to use stolen credentials. Because the session key is
+ not sent over the network in cleartext, credentials can't be
+ stolen simply by listening to the network; an attacker has to gain
+ access to the session key (perhaps through operating system
+ security breaches or a careless user's unattended session) to make
+ use of stolen tickets.
+
+ It is important to note that the network address from which a
+ connection is received cannot be reliably determined. Even if it
+ could be, an attacker who has compromised the client's workstation
+ could use the credentials from there. Including the network
+ addresses only makes it more difficult, not impossible, for an
+ attacker to walk off with stolen credentials and then use them
+ from a "safe" location.
+
+ authorization-data
+ The authorization-data field is used to pass authorization data
+ from the principal on whose behalf a ticket was issued to the
+ application service. If no authorization data is included, this
+ field will be left out. Experience has shown that the name of this
+ field is confusing, and that a better name for this field would be
+ restrictions. Unfortunately, it is not possible to change the name
+ of this field at this time.
+
+ This field contains restrictions on any authority obtained on the
+ basis of authentication using the ticket. It is possible for any
+ principal in possession of credentials to add entries to the
+ authorization data field since these entries further restrict what
+ can be done with the ticket. Such additions can be made by
+ specifying the additional entries when a new ticket is obtained
+ during the TGS exchange, or they MAY be added during chained
+ delegation using the authorization data field of the
+ authenticator.
+
+ Because entries may be added to this field by the holder of
+ credentials, except when an entry is separately authenticated by
+ encapsulation in the KDC-issued element, it is not allowable for
+ the presence of an entry in the authorization data field of a
+ ticket to amplify the privileges one would obtain from using a
+ ticket.
+
+ The data in this field may be specific to the end service; the
+ field will contain the names of service specific objects, and the
+
+
+
+February 2004 [Page 73]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ rights to those objects. The format for this field is described in
+ section 5.2.6. Although Kerberos is not concerned with the format
+ of the contents of the sub-fields, it does carry type information
+ (ad-type).
+
+ By using the authorization_data field, a principal is able to
+ issue a proxy that is valid for a specific purpose. For example, a
+ client wishing to print a file can obtain a file server proxy to
+ be passed to the print server. By specifying the name of the file
+ in the authorization_data field, the file server knows that the
+ print server can only use the client's rights when accessing the
+ particular file to be printed.
+
+ A separate service providing authorization or certifying group
+ membership may be built using the authorization-data field. In
+ this case, the entity granting authorization (not the authorized
+ entity), may obtain a ticket in its own name (e.g. the ticket is
+ issued in the name of a privilege server), and this entity adds
+ restrictions on its own authority and delegates the restricted
+ authority through a proxy to the client. The client would then
+ present this authorization credential to the application server
+ separately from the authentication exchange. Alternatively, such
+ authorization credentials MAY be embedded in the ticket
+ authenticating the authorized entity, when the authorization is
+ separately authenticated using the KDC-issued authorization data
+ element (see 5.2.6.2).
+
+ Similarly, if one specifies the authorization-data field of a
+ proxy and leaves the host addresses blank, the resulting ticket
+ and session key can be treated as a capability. See [Neu93] for
+ some suggested uses of this field.
+
+ The authorization-data field is optional and does not have to be
+ included in a ticket.
+
+5.4. Specifications for the AS and TGS exchanges
+
+ This section specifies the format of the messages used in the
+ exchange between the client and the Kerberos server. The format of
+ possible error messages appears in section 5.9.1.
+
+5.4.1. KRB_KDC_REQ definition
+
+ The KRB_KDC_REQ message has no application tag number of its own.
+ Instead, it is incorporated into one of KRB_AS_REQ or KRB_TGS_REQ,
+ which each have an application tag, depending on whether the
+ request is for an initial ticket or an additional ticket. In
+ either case, the message is sent from the client to the KDC to
+
+
+
+February 2004 [Page 74]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ request credentials for a service.
+
+ The message fields are:
+
+ AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+ TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+ KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+ msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+ }
+
+ KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+ }
+
+ KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+
+
+
+February 2004 [Page 75]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+ -- 15 is reserved for canonicalize
+ -- unused15(15),
+ -- 26 was unused in 1510
+ -- disable-transited-check(26),
+ --
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+ The fields in this message are:
+
+ pvno
+ This field is included in each message, and specifies the protocol
+ version number. This document specifies protocol version 5.
+
+ msg-type
+ This field indicates the type of a protocol message. It will
+ almost always be the same as the application identifier associated
+ with a message. It is included to make the identifier more readily
+ accessible to the application. For the KDC-REQ message, this type
+ will be KRB_AS_REQ or KRB_TGS_REQ.
+
+ padata
+ Contains pre-authentication data. Requests for additional tickets
+ (KRB_TGS_REQ) MUST contain a padata of PA-TGS-REQ.
+
+ The padata (pre-authentication data) field contains a sequence of
+ authentication information which may be needed before credentials
+ can be issued or decrypted.
+
+ req-body
+ This field is a placeholder delimiting the extent of the remaining
+ fields. If a checksum is to be calculated over the request, it is
+ calculated over an encoding of the KDC-REQ-BODY sequence which is
+ enclosed within the req-body field.
+
+ kdc-options
+ This field appears in the KRB_AS_REQ and KRB_TGS_REQ requests to
+ the KDC and indicates the flags that the client wants set on the
+ tickets as well as other information that is to modify the
+ behavior of the KDC. Where appropriate, the name of an option may
+ be the same as the flag that is set by that option. Although in
+ most case, the bit in the options field will be the same as that
+
+
+
+February 2004 [Page 76]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ in the flags field, this is not guaranteed, so it is not
+ acceptable to simply copy the options field to the flags field.
+ There are various checks that must be made before honoring an
+ option anyway.
+
+ The kdc_options field is a bit-field, where the selected options
+ are indicated by the bit being set (1), and the unselected options
+ and reserved fields being reset (0). The encoding of the bits is
+ specified in section 5.2. The options are described in more detail
+ above in section 2. The meanings of the options are:
+
+ Bits Name Description
+
+ 0 RESERVED Reserved for future expansion of
+ this field.
+
+ The FORWARDABLE option indicates
+ that the ticket to be issued is to
+ have its forwardable flag set. It
+ 1 FORWARDABLE may only be set on the initial
+ request, or in a subsequent request
+ if the ticket-granting ticket on
+ which it is based is also
+ forwardable.
+
+ The FORWARDED option is only
+ specified in a request to the
+ ticket-granting server and will only
+ be honored if the ticket-granting
+ ticket in the request has its
+ 2 FORWARDED FORWARDABLE bit set. This option
+ indicates that this is a request for
+ forwarding. The address(es) of the
+ host from which the resulting ticket
+ is to be valid are included in the
+ addresses field of the request.
+
+ The PROXIABLE option indicates that
+ the ticket to be issued is to have
+ its proxiable flag set. It may only
+ 3 PROXIABLE be set on the initial request, or in
+ a subsequent request if the
+ ticket-granting ticket on which it
+ is based is also proxiable.
+
+ The PROXY option indicates that this
+ is a request for a proxy. This
+ option will only be honored if the
+
+
+
+February 2004 [Page 77]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ ticket-granting ticket in the
+ 4 PROXY request has its PROXIABLE bit set.
+ The address(es) of the host from
+ which the resulting ticket is to be
+ valid are included in the addresses
+ field of the request.
+
+ The ALLOW-POSTDATE option indicates
+ that the ticket to be issued is to
+ have its MAY-POSTDATE flag set. It
+ 5 ALLOW-POSTDATE may only be set on the initial
+ request, or in a subsequent request
+ if the ticket-granting ticket on
+ which it is based also has its
+ MAY-POSTDATE flag set.
+
+ The POSTDATED option indicates that
+ this is a request for a postdated
+ ticket. This option will only be
+ honored if the ticket-granting
+ ticket on which it is based has its
+ 6 POSTDATED MAY-POSTDATE flag set. The resulting
+ ticket will also have its INVALID
+ flag set, and that flag may be reset
+ by a subsequent request to the KDC
+ after the starttime in the ticket
+ has been reached.
+
+ 7 RESERVED This option is presently unused.
+
+ The RENEWABLE option indicates that
+ the ticket to be issued is to have
+ its RENEWABLE flag set. It may only
+ be set on the initial request, or
+ when the ticket-granting ticket on
+ 8 RENEWABLE which the request is based is also
+ renewable. If this option is
+ requested, then the rtime field in
+ the request contains the desired
+ absolute expiration time for the
+ ticket.
+
+ 9 RESERVED Reserved for PK-Cross
+
+ 10 RESERVED Reserved for future use.
+
+ 11 RESERVED Reserved for opt-hardware-auth.
+
+
+
+
+February 2004 [Page 78]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ 12-25 RESERVED Reserved for future use.
+
+ By default the KDC will check the
+ transited field of a
+ ticket-granting-ticket against the
+ policy of the local realm before it
+ will issue derivative tickets based
+ on the ticket-granting ticket. If
+ this flag is set in the request,
+ checking of the transited field is
+ disabled. Tickets issued without the
+ 26 DISABLE-TRANSITED-CHECK performance of this check will be
+ noted by the reset (0) value of the
+ TRANSITED-POLICY-CHECKED flag,
+ indicating to the application server
+ that the tranisted field must be
+ checked locally. KDCs are
+ encouraged but not required to honor
+ the DISABLE-TRANSITED-CHECK option.
+
+ This flag is new since RFC 1510
+
+ The RENEWABLE-OK option indicates
+ that a renewable ticket will be
+ acceptable if a ticket with the
+ requested life cannot otherwise be
+ provided. If a ticket with the
+ requested life cannot be provided,
+ 27 RENEWABLE-OK then a renewable ticket may be
+ issued with a renew-till equal to
+ the requested endtime. The value
+ of the renew-till field may still be
+ limited by local limits, or limits
+ selected by the individual principal
+ or server.
+
+ This option is used only by the
+ ticket-granting service. The
+ ENC-TKT-IN-SKEY option indicates
+ 28 ENC-TKT-IN-SKEY that the ticket for the end server
+ is to be encrypted in the session
+ key from the additional
+ ticket-granting ticket provided.
+
+ 29 RESERVED Reserved for future use.
+
+ This option is used only by the
+ ticket-granting service. The RENEW
+
+
+
+February 2004 [Page 79]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ option indicates that the present
+ request is for a renewal. The ticket
+ provided is encrypted in the secret
+ key for the server on which it is
+ 30 RENEW valid. This option will only be
+ honored if the ticket to be renewed
+ has its RENEWABLE flag set and if
+ the time in its renew-till field has
+ not passed. The ticket to be renewed
+ is passed in the padata field as
+ part of the authentication header.
+
+ This option is used only by the
+ ticket-granting service. The
+ VALIDATE option indicates that the
+ request is to validate a postdated
+ ticket. It will only be honored if
+ the ticket presented is postdated,
+ presently has its INVALID flag set,
+ 31 VALIDATE and would be otherwise usable at
+ this time. A ticket cannot be
+ validated before its starttime. The
+ ticket presented for validation is
+ encrypted in the key of the server
+ for which it is valid and is passed
+ in the padata field as part of the
+ authentication header.
+ cname and sname
+ These fields are the same as those described for the ticket in
+ section 5.3. The sname may only be absent when the ENC-TKT-IN-SKEY
+ option is specified. If absent, the name of the server is taken
+ from the name of the client in the ticket passed as additional-
+ tickets.
+
+ enc-authorization-data
+ The enc-authorization-data, if present (and it can only be present
+ in the TGS_REQ form), is an encoding of the desired authorization-
+ data encrypted under the sub-session key if present in the
+ Authenticator, or alternatively from the session key in the
+ ticket-granting ticket (both the Authenticator and ticket-granting
+ ticket come from the padata field in the KRB_TGS_REQ). The key
+ usage value used when encrypting is 5 if a sub-session key is
+ used, or 4 if the session key is used.
+
+ realm
+ This field specifies the realm part of the server's principal
+ identifier. In the AS exchange, this is also the realm part of the
+ client's principal identifier.
+
+
+
+February 2004 [Page 80]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ from
+ This field is included in the KRB_AS_REQ and KRB_TGS_REQ ticket
+ requests when the requested ticket is to be postdated. It
+ specifies the desired start time for the requested ticket. If this
+ field is omitted then the KDC SHOULD use the current time instead.
+
+ till
+ This field contains the expiration date requested by the client in
+ a ticket request. It is not optional, but if the requested endtime
+ is "19700101000000Z", the requested ticket is to have the maximum
+ endtime permitted according to KDC policy. Implementation note:
+ This special timestamp corresponds to a UNIX time_t value of zero
+ on most systems.
+
+ rtime
+ This field is the requested renew-till time sent from a client to
+ the KDC in a ticket request. It is optional.
+
+ nonce
+ This field is part of the KDC request and response. It is intended
+ to hold a random number generated by the client. If the same
+ number is included in the encrypted response from the KDC, it
+ provides evidence that the response is fresh and has not been
+ replayed by an attacker. Nonces MUST NEVER be reused.
+
+ etype
+ This field specifies the desired encryption algorithm to be used
+ in the response.
+
+ addresses
+ This field is included in the initial request for tickets, and
+ optionally included in requests for additional tickets from the
+ ticket-granting server. It specifies the addresses from which the
+ requested ticket is to be valid. Normally it includes the
+ addresses for the client's host. If a proxy is requested, this
+ field will contain other addresses. The contents of this field are
+ usually copied by the KDC into the caddr field of the resulting
+ ticket.
+
+ additional-tickets
+ Additional tickets MAY be optionally included in a request to the
+ ticket-granting server. If the ENC-TKT-IN-SKEY option has been
+ specified, then the session key from the additional ticket will be
+ used in place of the server's key to encrypt the new ticket. When
+ the ENC-TKT-IN-SKEY option is used for user-to-user
+ authentication, this additional ticket MAY be a TGT issued by the
+ local realm or an inter-realm TGT issued for the current KDC's
+ realm by a remote KDC. If more than one option which requires
+
+
+
+February 2004 [Page 81]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ additional tickets has been specified, then the additional tickets
+ are used in the order specified by the ordering of the options
+ bits (see kdc-options, above).
+
+ The application tag number will be either ten (10) or twelve (12)
+ depending on whether the request is for an initial ticket (AS-REQ) or
+ for an additional ticket (TGS-REQ).
+
+ The optional fields (addresses, authorization-data and additional-
+ tickets) are only included if necessary to perform the operation
+ specified in the kdc-options field.
+
+ It should be noted that in KRB_TGS_REQ, the protocol version number
+ appears twice and two different message types appear: the KRB_TGS_REQ
+ message contains these fields as does the authentication header
+ (KRB_AP_REQ) that is passed in the padata field.
+
+5.4.2. KRB_KDC_REP definition
+
+ The KRB_KDC_REP message format is used for the reply from the KDC
+ for either an initial (AS) request or a subsequent (TGS) request.
+ There is no message type for KRB_KDC_REP. Instead, the type will
+ be either KRB_AS_REP or KRB_TGS_REP. The key used to encrypt the
+ ciphertext part of the reply depends on the message type. For
+ KRB_AS_REP, the ciphertext is encrypted in the client's secret
+ key, and the client's key version number is included in the key
+ version number for the encrypted data. For KRB_TGS_REP, the
+ ciphertext is encrypted in the sub-session key from the
+ Authenticator, or if absent, the session key from the ticket-
+ granting ticket used in the request. In that case, no version
+ number will be present in the EncryptedData sequence.
+
+ The KRB_KDC_REP message contains the following fields:
+
+ AS-REP ::= [APPLICATION 11] KDC-REP
+
+ TGS-REP ::= [APPLICATION 13] KDC-REP
+
+ KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+
+
+
+February 2004 [Page 82]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ -- as appropriate
+ }
+
+ EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+ EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+ EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+ }
+
+ LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+ }
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ either KRB_AS_REP or KRB_TGS_REP.
+
+ padata
+ This field is described in detail in section 5.4.1. One possible
+ use for this field is to encode an alternate "salt" string to be
+ used with a string-to-key algorithm. This ability is useful to
+ ease transitions if a realm name needs to change (e.g. when a
+ company is acquired); in such a case all existing password-derived
+ entries in the KDC database would be flagged as needing a special
+ salt string until the next password change.
+
+ crealm, cname, srealm and sname
+ These fields are the same as those described for the ticket in
+ section 5.3.
+
+ ticket
+ The newly-issued ticket, from section 5.3.
+
+ enc-part
+
+
+
+February 2004 [Page 83]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ This field is a place holder for the ciphertext and related
+ information that forms the encrypted part of a message. The
+ description of the encrypted part of the message follows each
+ appearance of this field.
+
+ The key usage value for encrypting this field is 3 in an AS-REP
+ message, using the client's long-term key or another key selected
+ via pre-authentication mechanisms. In a TGS-REP message, the key
+ usage value is 8 if the TGS session key is used, or 9 if a TGS
+ authenticator subkey is used.
+
+ Compatibility note: Some implementations unconditionally send an
+ encrypted EncTGSRepPart (application tag number 26) in this field
+ regardless of whether the reply is a AS-REP or a TGS-REP. In the
+ interests of compatibility, implementors MAY relax the check on
+ the tag number of the decrypted ENC-PART.
+
+ key
+ This field is the same as described for the ticket in section 5.3.
+
+ last-req
+ This field is returned by the KDC and specifies the time(s) of the
+ last request by a principal. Depending on what information is
+ available, this might be the last time that a request for a
+ ticket-granting ticket was made, or the last time that a request
+ based on a ticket-granting ticket was successful. It also might
+ cover all servers for a realm, or just the particular server. Some
+ implementations MAY display this information to the user to aid in
+ discovering unauthorized use of one's identity. It is similar in
+ spirit to the last login time displayed when logging into
+ timesharing systems.
+
+ lr-type
+ This field indicates how the following lr-value field is to be
+ interpreted. Negative values indicate that the information
+ pertains only to the responding server. Non-negative values
+ pertain to all servers for the realm.
+
+ If the lr-type field is zero (0), then no information is
+ conveyed by the lr-value subfield. If the absolute value of the
+ lr-type field is one (1), then the lr-value subfield is the
+ time of last initial request for a TGT. If it is two (2), then
+ the lr-value subfield is the time of last initial request. If
+ it is three (3), then the lr-value subfield is the time of
+ issue for the newest ticket-granting ticket used. If it is four
+ (4), then the lr-value subfield is the time of the last
+ renewal. If it is five (5), then the lr-value subfield is the
+ time of last request (of any type). If it is (6), then the lr-
+
+
+
+February 2004 [Page 84]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ value subfield is the time when the password will expire. If
+ it is (7), then the lr-value subfield is the time when the
+ account will expire.
+
+ lr-value
+ This field contains the time of the last request. The time MUST
+ be interpreted according to the contents of the accompanying
+ lr-type subfield.
+
+ nonce
+ This field is described above in section 5.4.1.
+
+ key-expiration
+ The key-expiration field is part of the response from the KDC and
+ specifies the time that the client's secret key is due to expire.
+ The expiration might be the result of password aging or an account
+ expiration. If present, it SHOULD be set to the earliest of the
+ user's key expiration and account expiration. The use of this
+ field is deprecated and the last-req field SHOULD be used to
+ convey this information instead. This field will usually be left
+ out of the TGS reply since the response to the TGS request is
+ encrypted in a session key and no client information need be
+ retrieved from the KDC database. It is up to the application
+ client (usually the login program) to take appropriate action
+ (such as notifying the user) if the expiration time is imminent.
+
+ flags, authtime, starttime, endtime, renew-till and caddr
+ These fields are duplicates of those found in the encrypted
+ portion of the attached ticket (see section 5.3), provided so the
+ client MAY verify they match the intended request and to assist in
+ proper ticket caching. If the message is of type KRB_TGS_REP, the
+ caddr field will only be filled in if the request was for a proxy
+ or forwarded ticket, or if the user is substituting a subset of
+ the addresses from the ticket-granting ticket. If the client-
+ requested addresses are not present or not used, then the
+ addresses contained in the ticket will be the same as those
+ included in the ticket-granting ticket.
+
+5.5. Client/Server (CS) message specifications
+
+ This section specifies the format of the messages used for the
+ authentication of the client to the application server.
+
+5.5.1. KRB_AP_REQ definition
+
+ The KRB_AP_REQ message contains the Kerberos protocol version
+ number, the message type KRB_AP_REQ, an options field to indicate
+ any options in use, and the ticket and authenticator themselves.
+
+
+
+February 2004 [Page 85]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The KRB_AP_REQ message is often referred to as the 'authentication
+ header'.
+
+ AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+ }
+
+ APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_AP_REQ.
+
+ ap-options
+ This field appears in the application request (KRB_AP_REQ) and
+ affects the way the request is processed. It is a bit-field, where
+ the selected options are indicated by the bit being set (1), and
+ the unselected options and reserved fields being reset (0). The
+ encoding of the bits is specified in section 5.2. The meanings of
+ the options are:
+
+ Bit(s) Name Description
+
+ 0 reserved Reserved for future expansion of this field.
+
+ The USE-SESSION-KEY option indicates that the
+ ticket the client is presenting to a server
+ 1 use-session-key is encrypted in the session key from the
+ server's ticket-granting ticket. When this
+ option is not specified, the ticket is
+ encrypted in the server's secret key.
+
+ The MUTUAL-REQUIRED option tells the server
+ 2 mutual-required that the client requires mutual
+ authentication, and that it must respond with
+ a KRB_AP_REP message.
+
+ 3-31 reserved Reserved for future use.
+
+ ticket
+ This field is a ticket authenticating the client to the server.
+
+
+
+February 2004 [Page 86]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ authenticator
+ This contains the encrypted authenticator, which includes the
+ client's choice of a subkey.
+
+ The encrypted authenticator is included in the AP-REQ; it certifies
+ to a server that the sender has recent knowledge of the encryption
+ key in the accompanying ticket, to help the server detect replays. It
+ also assists in the selection of a "true session key" to use with the
+ particular session. The DER encoding of the following is encrypted
+ in the ticket's session key, with a key usage value of 11 in normal
+ application exchanges, or 7 when used as the PA-TGS-REQ PA-DATA field
+ of a TGS-REQ exchange (see section 5.4.1):
+
+ -- Unencrypted authenticator
+ Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+ }
+
+ authenticator-vno
+ This field specifies the version number for the format of the
+ authenticator. This document specifies version 5.
+
+ crealm and cname
+ These fields are the same as those described for the ticket in
+ section 5.3.
+
+ cksum
+ This field contains a checksum of the application data that
+ accompanies the KRB_AP_REQ, computed using a key usage value of 10
+ in normal application exchanges, or 6 when used in the TGS-REQ PA-
+ TGS-REQ AP-DATA field.
+
+ cusec
+ This field contains the microsecond part of the client's
+ timestamp. Its value (before encryption) ranges from 0 to 999999.
+ It often appears along with ctime. The two fields are used
+ together to specify a reasonably accurate timestamp.
+
+ ctime
+ This field contains the current time on the client's host.
+
+
+
+February 2004 [Page 87]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ subkey
+ This field contains the client's choice for an encryption key
+ which is to be used to protect this specific application session.
+ Unless an application specifies otherwise, if this field is left
+ out the session key from the ticket will be used.
+
+ seq-number
+ This optional field includes the initial sequence number to be
+ used by the KRB_PRIV or KRB_SAFE messages when sequence numbers
+ are used to detect replays (It may also be used by application
+ specific messages). When included in the authenticator this field
+ specifies the initial sequence number for messages from the client
+ to the server. When included in the AP-REP message, the initial
+ sequence number is that for messages from the server to the
+ client. When used in KRB_PRIV or KRB_SAFE messages, it is
+ incremented by one after each message is sent. Sequence numbers
+ fall in the range of 0 through 2^32 - 1 and wrap to zero following
+ the value 2^32 - 1.
+
+ For sequence numbers to adequately support the detection of
+ replays they SHOULD be non-repeating, even across connection
+ boundaries. The initial sequence number SHOULD be random and
+ uniformly distributed across the full space of possible sequence
+ numbers, so that it cannot be guessed by an attacker and so that
+ it and the successive sequence numbers do not repeat other
+ sequences. In the event that more than 2^32 messages are to be
+ generated in a series of KRB_PRIV or KRB_SAFE messages, rekeying
+ SHOULD be performed before sequence numbers are reused with the
+ same encryption key.
+
+ Implmentation note: historically, some implementations transmit
+ signed twos-complement numbers for sequence numbers. In the
+ interests of compatibility, implementations MAY accept the
+ equivalent negative number where a positive number greater than
+ 2^31 - 1 is expected.
+
+ Implementation note: as noted before, some implementations omit
+ the optional sequence number when its value would be zero.
+ Implementations MAY accept an omitted sequence number when
+ expecting a value of zero, and SHOULD NOT transmit an
+ Authenticator with a initial sequence number of zero.
+
+ authorization-data
+ This field is the same as described for the ticket in section 5.3.
+ It is optional and will only appear when additional restrictions
+ are to be placed on the use of a ticket, beyond those carried in
+ the ticket itself.
+
+
+
+
+February 2004 [Page 88]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+5.5.2. KRB_AP_REP definition
+
+ The KRB_AP_REP message contains the Kerberos protocol version
+ number, the message type, and an encrypted time-stamp. The message
+ is sent in response to an application request (KRB_AP_REQ) where
+ the mutual authentication option has been selected in the ap-
+ options field.
+
+ AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+ }
+
+ EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL
+ }
+
+ The encoded EncAPRepPart is encrypted in the shared session key of
+ the ticket. The optional subkey field can be used in an
+ application-arranged negotiation to choose a per association
+ session key.
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_AP_REP.
+
+ enc-part
+ This field is described above in section 5.4.2. It is computed
+ with a key usage value of 12.
+
+ ctime
+ This field contains the current time on the client's host.
+
+ cusec
+ This field contains the microsecond part of the client's
+ timestamp.
+
+ subkey
+ This field contains an encryption key which is to be used to
+ protect this specific application session. See section 3.2.6 for
+ specifics on how this field is used to negotiate a key. Unless an
+ application specifies otherwise, if this field is left out, the
+ sub-session key from the authenticator, or if also left out, the
+ session key from the ticket will be used.
+
+
+
+February 2004 [Page 89]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ seq-number
+ This field is described above in section 5.3.2.
+
+5.5.3. Error message reply
+
+ If an error occurs while processing the application request, the
+ KRB_ERROR message will be sent in response. See section 5.9.1 for
+ the format of the error message. The cname and crealm fields MAY
+ be left out if the server cannot determine their appropriate
+ values from the corresponding KRB_AP_REQ message. If the
+ authenticator was decipherable, the ctime and cusec fields will
+ contain the values from it.
+
+5.6. KRB_SAFE message specification
+
+ This section specifies the format of a message that can be used by
+ either side (client or server) of an application to send a tamper-
+ proof message to its peer. It presumes that a session key has
+ previously been exchanged (for example, by using the
+ KRB_AP_REQ/KRB_AP_REP messages).
+
+5.6.1. KRB_SAFE definition
+
+ The KRB_SAFE message contains user data along with a collision-
+ proof checksum keyed with the last encryption key negotiated via
+ subkeys, or the session key if no negotiation has occurred. The
+ message fields are:
+
+ KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+ }
+
+ KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+ }
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_SAFE.
+
+
+
+
+February 2004 [Page 90]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ safe-body
+ This field is a placeholder for the body of the KRB-SAFE message.
+
+ cksum
+ This field contains the checksum of the application data, computed
+ with a key usage value of 15.
+
+ The checksum is computed over the encoding of the KRB-SAFE
+ sequence. First, the cksum is set to a type zero, zero-length
+ value and the checksum is computed over the encoding of the KRB-
+ SAFE sequence, then the checksum is set to the result of that
+ computation, and finally the KRB-SAFE sequence is encoded again.
+ This method, while different than the one specified in RFC 1510,
+ corresponds to existing practice.
+
+ user-data
+ This field is part of the KRB_SAFE and KRB_PRIV messages and
+ contain the application specific data that is being passed from
+ the sender to the recipient.
+
+ timestamp
+ This field is part of the KRB_SAFE and KRB_PRIV messages. Its
+ contents are the current time as known by the sender of the
+ message. By checking the timestamp, the recipient of the message
+ is able to make sure that it was recently generated, and is not a
+ replay.
+
+ usec
+ This field is part of the KRB_SAFE and KRB_PRIV headers. It
+ contains the microsecond part of the timestamp.
+
+ seq-number
+ This field is described above in section 5.3.2.
+
+ s-address
+ Sender's address.
+
+ This field specifies the address in use by the sender of the
+ message.
+
+ r-address
+ This field specifies the address in use by the recipient of the
+ message. It MAY be omitted for some uses (such as broadcast
+ protocols), but the recipient MAY arbitrarily reject such
+ messages. This field, along with s-address, can be used to help
+ detect messages which have been incorrectly or maliciously
+ delivered to the wrong recipient.
+
+
+
+
+February 2004 [Page 91]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+5.7. KRB_PRIV message specification
+
+ This section specifies the format of a message that can be used by
+ either side (client or server) of an application to securely and
+ privately send a message to its peer. It presumes that a session
+ key has previously been exchanged (for example, by using the
+ KRB_AP_REQ/KRB_AP_REP messages).
+
+5.7.1. KRB_PRIV definition
+
+ The KRB_PRIV message contains user data encrypted in the Session
+ Key. The message fields are:
+
+ KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+ }
+
+ EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+ }
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_PRIV.
+
+ enc-part
+ This field holds an encoding of the EncKrbPrivPart sequence
+ encrypted under the session key, with a key usage value of 13.
+ This encrypted encoding is used for the enc-part field of the KRB-
+ PRIV message.
+
+ user-data, timestamp, usec, s-address and r-address
+ These fields are described above in section 5.6.1.
+
+ seq-number
+ This field is described above in section 5.3.2.
+
+5.8. KRB_CRED message specification
+
+ This section specifies the format of a message that can be used to
+
+
+
+February 2004 [Page 92]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ send Kerberos credentials from one principal to another. It is
+ presented here to encourage a common mechanism to be used by
+ applications when forwarding tickets or providing proxies to
+ subordinate servers. It presumes that a session key has already
+ been exchanged perhaps by using the KRB_AP_REQ/KRB_AP_REP
+ messages.
+
+5.8.1. KRB_CRED definition
+
+ The KRB_CRED message contains a sequence of tickets to be sent and
+ information needed to use the tickets, including the session key
+ from each. The information needed to use the tickets is encrypted
+ under an encryption key previously exchanged or transferred
+ alongside the KRB_CRED message. The message fields are:
+
+ KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+ }
+
+ EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+ r-address [5] HostAddress OPTIONAL
+ }
+
+ KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+ }
+
+ pvno and msg-type
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_CRED.
+
+
+
+February 2004 [Page 93]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ tickets
+ These are the tickets obtained from the KDC specifically for use
+ by the intended recipient. Successive tickets are paired with the
+ corresponding KrbCredInfo sequence from the enc-part of the KRB-
+ CRED message.
+
+ enc-part
+ This field holds an encoding of the EncKrbCredPart sequence
+ encrypted under the session key shared between the sender and the
+ intended recipient, with a key usage value of 14. This encrypted
+ encoding is used for the enc-part field of the KRB-CRED message.
+
+ Implementation note: implementations of certain applications, most
+ notably certain implementations of the Kerberos GSS-API mechanism,
+ do not separately encrypt the contents of the EncKrbCredPart of
+ the KRB-CRED message when sending it. In the case of those GSS-
+ API mechanisms, this is not a security vulnerability, as the
+ entire KRB-CRED message is itself embedded in an encrypted
+ message.
+
+ nonce
+ If practical, an application MAY require the inclusion of a nonce
+ generated by the recipient of the message. If the same value is
+ included as the nonce in the message, it provides evidence that
+ the message is fresh and has not been replayed by an attacker. A
+ nonce MUST NEVER be reused.
+
+ timestamp and usec
+ These fields specify the time that the KRB-CRED message was
+ generated. The time is used to provide assurance that the message
+ is fresh.
+
+ s-address and r-address
+ These fields are described above in section 5.6.1. They are used
+ optionally to provide additional assurance of the integrity of the
+ KRB-CRED message.
+
+ key
+ This field exists in the corresponding ticket passed by the KRB-
+ CRED message and is used to pass the session key from the sender
+ to the intended recipient. The field's encoding is described in
+ section 5.2.9.
+
+ The following fields are optional. If present, they can be associated
+ with the credentials in the remote ticket file. If left out, then it
+ is assumed that the recipient of the credentials already knows their
+ value.
+
+
+
+
+February 2004 [Page 94]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ prealm and pname
+ The name and realm of the delegated principal identity.
+
+ flags, authtime, starttime, endtime, renew-till, srealm, sname, and
+ caddr
+ These fields contain the values of the corresponding fields from
+ the ticket found in the ticket field. Descriptions of the fields
+ are identical to the descriptions in the KDC-REP message.
+
+5.9. Error message specification
+
+ This section specifies the format for the KRB_ERROR message. The
+ fields included in the message are intended to return as much
+ information as possible about an error. It is not expected that
+ all the information required by the fields will be available for
+ all types of errors. If the appropriate information is not
+ available when the message is composed, the corresponding field
+ will be left out of the message.
+
+ Note that since the KRB_ERROR message is not integrity protected,
+ it is quite possible for an intruder to synthesize or modify such
+ a message. In particular, this means that the client SHOULD NOT
+ use any fields in this message for security-critical purposes,
+ such as setting a system clock or generating a fresh
+ authenticator. The message can be useful, however, for advising a
+ user on the reason for some failure.
+
+5.9.1. KRB_ERROR definition
+
+ The KRB_ERROR message consists of the following fields:
+
+ KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+ }
+
+ pvno and msg-type
+
+
+
+February 2004 [Page 95]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ These fields are described above in section 5.4.1. msg-type is
+ KRB_ERROR.
+
+ ctime
+ This field is described above in section 5.5.2.
+
+ cusec
+ This field is described above in section 5.5.2.
+
+ stime
+ This field contains the current time on the server. It is of type
+ KerberosTime.
+
+ susec
+ This field contains the microsecond part of the server's
+ timestamp. Its value ranges from 0 to 999999. It appears along
+ with stime. The two fields are used in conjunction to specify a
+ reasonably accurate timestamp.
+
+ error-code
+ This field contains the error code returned by Kerberos or the
+ server when a request fails. To interpret the value of this field
+ see the list of error codes in section 7.5.9. Implementations are
+ encouraged to provide for national language support in the display
+ of error messages.
+
+ crealm, cname, realm and sname
+ These fields are described above in section 5.3.
+
+ e-text
+ This field contains additional text to help explain the error code
+ associated with the failed request (for example, it might include
+ a principal name which was unknown).
+
+ e-data
+ This field contains additional data about the error for use by the
+ application to help it recover from or handle the error. If the
+ errorcode is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will
+ contain an encoding of a sequence of padata fields, each
+ corresponding to an acceptable pre-authentication method and
+ optionally containing data for the method:
+
+ METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+ For error codes defined in this document other than
+ KDC_ERR_PREAUTH_REQUIRED, the format and contents of the e-data field
+ are implementation-defined. Similarly, for future error codes, the
+ format and contents of the e-data field are implementation-defined
+
+
+
+February 2004 [Page 96]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ unless specified. Whether defined by the implementation or in a
+ future document, the e-data field MAY take the form of TYPED-DATA:
+
+ TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] INTEGER,
+ data-value [1] OCTET STRING OPTIONAL
+ }
+
+5.10. Application Tag Numbers
+
+ The following table lists the application class tag numbers used
+ by various data types defined in this section.
+
+ Tag Number(s) Type Name Comments
+
+ 0 unused
+
+ 1 Ticket PDU
+
+ 2 Authenticator non-PDU
+
+ 3 EncTicketPart non-PDU
+
+ 4-9 unused
+
+ 10 AS-REQ PDU
+
+ 11 AS-REP PDU
+
+ 12 TGS-REQ PDU
+
+ 13 TGS-REP PDU
+
+ 14 AP-REQ PDU
+
+ 15 AP-REP PDU
+
+ 16 RESERVED16 TGT-REQ (for user-to-user)
+
+ 17 RESERVED17 TGT-REP (for user-to-user)
+
+ 18-19 unused
+
+ 20 KRB-SAFE PDU
+
+ 21 KRB-PRIV PDU
+
+ 22 KRB-CRED PDU
+
+
+
+February 2004 [Page 97]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ 23-24 unused
+
+ 25 EncASRepPart non-PDU
+
+ 26 EncTGSRepPart non-PDU
+
+ 27 EncApRepPart non-PDU
+
+ 28 EncKrbPrivPart non-PDU
+
+ 29 EncKrbCredPart non-PDU
+
+ 30 KRB-ERROR PDU
+
+ The ASN.1 types marked as "PDU" (Protocol Data Unit) in the above
+ are the only ASN.1 types intended as top-level types of the
+ Kerberos protocol, and are the only types that may be used as
+ elements in another protocol that makes use of Kerberos.
+
+6. Naming Constraints
+
+6.1. Realm Names
+
+ Although realm names are encoded as GeneralStrings and although a
+ realm can technically select any name it chooses, interoperability
+ across realm boundaries requires agreement on how realm names are
+ to be assigned, and what information they imply.
+
+ To enforce these conventions, each realm MUST conform to the
+ conventions itself, and it MUST require that any realms with which
+ inter-realm keys are shared also conform to the conventions and
+ require the same from its neighbors.
+
+ Kerberos realm names are case sensitive. Realm names that differ
+ only in the case of the characters are not equivalent. There are
+ presently three styles of realm names: domain, X500, and other.
+ Examples of each style follow:
+
+ domain: ATHENA.MIT.EDU
+ X500: C=US/O=OSF
+ other: NAMETYPE:rest/of.name=without-restrictions
+
+ Domain style realm names MUST look like domain names: they consist
+ of components separated by periods (.) and they contain neither
+ colons (:) nor slashes (/). Though domain names themselves are
+ case insensitive, in order for realms to match, the case must
+ match as well. When establishing a new realm name based on an
+ internet domain name it is recommended by convention that the
+
+
+
+February 2004 [Page 98]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ characters be converted to upper case.
+
+ X.500 names contain an equal (=) and cannot contain a colon (:)
+ before the equal. The realm names for X.500 names will be string
+ representations of the names with components separated by slashes.
+ Leading and trailing slashes will not be included. Note that the
+ slash separator is consistent with Kerberos implementations based
+ on RFC1510, but it is different from the separator recommended in
+ RFC2253.
+
+ Names that fall into the other category MUST begin with a prefix
+ that contains no equal (=) or period (.) and the prefix MUST be
+ followed by a colon (:) and the rest of the name. All prefixes
+ expect those beginning with used. Presently none are assigned.
+
+ The reserved category includes strings which do not fall into the
+ first three categories. All names in this category are reserved.
+ It is unlikely that names will be assigned to this category unless
+ there is a very strong argument for not using the 'other'
+ category.
+
+ These rules guarantee that there will be no conflicts between the
+ various name styles. The following additional constraints apply to
+ the assignment of realm names in the domain and X.500 categories:
+ the name of a realm for the domain or X.500 formats must either be
+ used by the organization owning (to whom it was assigned) an
+ Internet domain name or X.500 name, or in the case that no such
+ names are registered, authority to use a realm name MAY be derived
+ from the authority of the parent realm. For example, if there is
+ no domain name for E40.MIT.EDU, then the administrator of the
+ MIT.EDU realm can authorize the creation of a realm with that
+ name.
+
+ This is acceptable because the organization to which the parent is
+ assigned is presumably the organization authorized to assign names
+ to its children in the X.500 and domain name systems as well. If
+ the parent assigns a realm name without also registering it in the
+ domain name or X.500 hierarchy, it is the parent's responsibility
+ to make sure that there will not in the future exist a name
+ identical to the realm name of the child unless it is assigned to
+ the same entity as the realm name.
+
+6.2. Principal Names
+
+ As was the case for realm names, conventions are needed to ensure
+ that all agree on what information is implied by a principal name.
+ The name-type field that is part of the principal name indicates
+ the kind of information implied by the name. The name-type SHOULD
+
+
+
+February 2004 [Page 99]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ be treated only as a hint to interpreting the meaning of a name.
+ It is not significant when checking for equivalence. Principal
+ names that differ only in the name-type identify the same
+ principal. The name type does not partition the name space.
+ Ignoring the name type, no two names can be the same (i.e. at
+ least one of the components, or the realm, MUST be different). The
+ following name types are defined:
+
+ name-type value meaning
+
+ name types
+
+ NT-UNKNOWN 0 Name type not known
+ NT-PRINCIPAL 1 Just the name of the principal as in DCE, or for users
+ NT-SRV-INST 2 Service and other unique instance (krbtgt)
+ NT-SRV-HST 3 Service with host name as instance (telnet, rcommands)
+ NT-SRV-XHST 4 Service with host as remaining components
+ NT-UID 5 Unique ID
+ NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253]
+ NT-SMTP-NAME 7 Name in form of SMTP email name (e.g. user@foo.com)
+ NT-ENTERPRISE 10 Enterprise name - may be mapped to principal name
+
+ When a name implies no information other than its uniqueness at a
+ particular time the name type PRINCIPAL SHOULD be used. The
+ principal name type SHOULD be used for users, and it might also be
+ used for a unique server. If the name is a unique machine
+ generated ID that is guaranteed never to be reassigned then the
+ name type of UID SHOULD be used (note that it is generally a bad
+ idea to reassign names of any type since stale entries might
+ remain in access control lists).
+
+ If the first component of a name identifies a service and the
+ remaining components identify an instance of the service in a
+ server specified manner, then the name type of SRV-INST SHOULD be
+ used. An example of this name type is the Kerberos ticket-granting
+ service whose name has a first component of krbtgt and a second
+ component identifying the realm for which the ticket is valid.
+
+ If the first component of a name identifies a service and there is
+ a single component following the service name identifying the
+ instance as the host on which the server is running, then the name
+ type SRV-HST SHOULD be used. This type is typically used for
+ Internet services such as telnet and the Berkeley R commands. If
+ the separate components of the host name appear as successive
+ components following the name of the service, then the name type
+ SRV-XHST SHOULD be used. This type might be used to identify
+ servers on hosts with X.500 names where the slash (/) might
+ otherwise be ambiguous.
+
+
+
+February 2004 [Page 100]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ A name type of NT-X500-PRINCIPAL SHOULD be used when a name from
+ an X.509 certificate is translated into a Kerberos name. The
+ encoding of the X.509 name as a Kerberos principal shall conform
+ to the encoding rules specified in RFC 2253.
+
+ A name type of SMTP allows a name to be of a form that resembles a
+ SMTP email name. This name, including an "@" and a domain name, is
+ used as the one component of the principal name.
+
+ A name type of UNKNOWN SHOULD be used when the form of the name is
+ not known. When comparing names, a name of type UNKNOWN will match
+ principals authenticated with names of any type. A principal
+ authenticated with a name of type UNKNOWN, however, will only
+ match other names of type UNKNOWN.
+
+ Names of any type with an initial component of 'krbtgt' are
+ reserved for the Kerberos ticket granting service. See section 7.3
+ for the form of such names.
+
+6.2.1. Name of server principals
+
+ The principal identifier for a server on a host will generally be
+ composed of two parts: (1) the realm of the KDC with which the
+ server is registered, and (2) a two-component name of type NT-SRV-
+ HST if the host name is an Internet domain name or a multi-
+ component name of type NT-SRV-XHST if the name of the host is of a
+ form such as X.500 that allows slash (/) separators. The first
+ component of the two- or multi-component name will identify the
+ service and the latter components will identify the host. Where
+ the name of the host is not case sensitive (for example, with
+ Internet domain names) the name of the host MUST be lower case. If
+ specified by the application protocol for services such as telnet
+ and the Berkeley R commands which run with system privileges, the
+ first component MAY be the string 'host' instead of a service
+ specific identifier.
+
+7. Constants and other defined values
+
+7.1. Host address types
+
+ All negative values for the host address type are reserved for
+ local use. All non-negative values are reserved for officially
+ assigned type fields and interpretations.
+
+ Internet (IPv4) Addresses
+
+ Internet (IPv4) addresses are 32-bit (4-octet) quantities, encoded
+ in MSB order. The IPv4 loopback address SHOULD NOT appear in a
+
+
+
+February 2004 [Page 101]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Kerberos packet. The type of IPv4 addresses is two (2).
+
+ Internet (IPv6) Addresses
+
+ IPv6 addresses [RFC2373] are 128-bit (16-octet) quantities,
+ encoded in MSB order. The type of IPv6 addresses is twenty-four
+ (24). The following addresses MUST NOT appear in any Kerberos
+ packet:
+
+ * the Unspecified Address
+ * the Loopback Address
+ * Link-Local addresses
+
+ IPv4-mapped IPv6 addresses MUST be represented as addresses of
+ type 2.
+
+ DECnet Phase IV addresses
+
+ DECnet Phase IV addresses are 16-bit addresses, encoded in LSB
+ order. The type of DECnet Phase IV addresses is twelve (12).
+
+ Netbios addresses
+
+ Netbios addresses are 16-octet addresses typically composed of 1
+ to 15 alphanumeric characters and padded with the US-ASCII SPC
+ character (code 32). The 16th octet MUST be the US-ASCII NUL
+ character (code 0). The type of Netbios addresses is twenty (20).
+
+ Directional Addresses
+
+ In many environments, including the sender address in KRB_SAFE and
+ KRB_PRIV messages is undesirable because the addresses may be
+ changed in transport by network address translators. However, if
+ these addresses are removed, the messages may be subject to a
+ reflection attack in which a message is reflected back to its
+ originator. The directional address type provides a way to avoid
+ transport addresses and reflection attacks. Directional addresses
+ are encoded as four byte unsigned integers in network byte order.
+ If the message is originated by the party sending the original
+ KRB_AP_REQ message, then an address of 0 SHOULD be used. If the
+ message is originated by the party to whom that KRB_AP_REQ was
+ sent, then the address 1 SHOULD be used. Applications involving
+ multiple parties can specify the use of other addresses.
+
+ Directional addresses MUST only be used for the sender address
+ field in the KRB_SAFE or KRB_PRIV messages. They MUST NOT be used
+ as a ticket address or in a KRB_AP_REQ message. This address type
+ SHOULD only be used in situations where the sending party knows
+
+
+
+February 2004 [Page 102]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ that the receiving party supports the address type. This generally
+ means that directional addresses may only be used when the
+ application protocol requires their support. Directional addresses
+ are type (3).
+
+7.2. KDC messaging - IP Transports
+
+ Kerberos defines two IP transport mechanisms for communication
+ between clients and servers: UDP/IP and TCP/IP.
+
+7.2.1. UDP/IP transport
+
+ Kerberos servers (KDCs) supporting IP transports MUST accept UDP
+ requests and SHOULD listen for such requests on port 88 (decimal)
+ unless specifically configured to listen on an alternative UDP
+ port. Alternate ports MAY be used when running multiple KDCs for
+ multiple realms on the same host.
+
+ Kerberos clients supporting IP transports SHOULD support the
+ sending of UDP requests. Clients SHOULD use KDC discovery [7.2.3]
+ to identify the IP address and port to which they will send their
+ request.
+
+ When contacting a KDC for a KRB_KDC_REQ request using UDP/IP
+ transport, the client shall send a UDP datagram containing only an
+ encoding of the request to the KDC. The KDC will respond with a
+ reply datagram containing only an encoding of the reply message
+ (either a KRB_ERROR or a KRB_KDC_REP) to the sending port at the
+ sender's IP address. The response to a request made through UDP/IP
+ transport MUST also use UDP/IP transport. If the response can not
+ be handled using UDP (for example because it is too large), the
+ KDC MUST return KRB_ERR_RESPONSE_TOO_BIG, forcing the client to
+ retry the request using the TCP transport.
+
+7.2.2. TCP/IP transport
+
+ Kerberos servers (KDCs) supporting IP transports MUST accept TCP
+ requests and SHOULD listen for such requests on port 88 (decimal)
+ unless specifically configured to listen on an alternate TCP port.
+ Alternate ports MAY be used when running multiple KDCs for
+ multiple realms on the same host.
+
+ Clients MUST support the sending of TCP requests, but MAY choose
+ to initially try a request using the UDP transport. Clients SHOULD
+ use KDC discovery [7.2.3] to identify the IP address and port to
+ which they will send their request.
+
+ Implementation note: Some extensions to the Kerberos protocol will
+
+
+
+February 2004 [Page 103]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ not succeed if any client or KDC not supporting the TCP transport
+ is involved. Implementations of RFC 1510 were not required to
+ support TCP/IP transports.
+
+ When the KRB_KDC_REQ message is sent to the KDC over a TCP stream,
+ the response (KRB_KDC_REP or KRB_ERROR message) MUST be returned
+ to the client on the same TCP stream that was established for the
+ request. The KDC MAY close the TCP stream after sending a
+ response, but MAY leave the stream open for a reasonable period of
+ time if it expects a followup. Care must be taken in managing
+ TCP/IP connections on the KDC to prevent denial of service attacks
+ based on the number of open TCP/IP connections.
+
+ The client MUST be prepared to have the stream closed by the KDC
+ at anytime after the receipt of a response. A stream closure
+ SHOULD NOT be treated as a fatal error. Instead, if multiple
+ exchanges are required (e.g., certain forms of pre-authentication)
+ the client may need to establish a new connection when it is ready
+ to send subsequent messages. A client MAY close the stream after
+ receiving a response, and SHOULD close the stream if it does not
+ expect to send followup messages.
+
+ A client MAY send multiple requests before receiving responses,
+ though it must be prepared to handle the connection being closed
+ after the first response.
+
+ Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR)
+ sent over the TCP stream is preceded by the length of the request
+ as 4 octets in network byte order. The high bit of the length is
+ reserved for future expansion and MUST currently be set to zero.
+ If a KDC that does not understand how to interpret a set high bit
+ of the length encoding receives a request with the high order bit
+ of the length set, it MUST return a KRB-ERROR message with the
+ error KRB_ERR_FIELD_TOOLONG and MUST close the TCP stream.
+
+ If multiple requests are sent over a single TCP connection, and
+ the KDC sends multiple responses, the KDC is not required to send
+ the responses in the order of the corresponding requests. This may
+ permit some implementations to send each response as soon as it is
+ ready even if earlier requests are still being processed (for
+ example, waiting for a response from an external device or
+ database).
+
+7.2.3. KDC Discovery on IP Networks
+
+ Kerberos client implementations MUST provide a means for the
+ client to determine the location of the Kerberos Key Distribution
+ Centers (KDCs). Traditionally, Kerberos implementations have
+
+
+
+February 2004 [Page 104]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ stored such configuration information in a file on each client
+ machine. Experience has shown this method of storing configuration
+ information presents problems with out-of-date information and
+ scaling problems, especially when using cross-realm
+ authentication. This section describes a method for using the
+ Domain Name System [RFC 1035] for storing KDC location
+ information.
+
+7.2.3.1. DNS vs. Kerberos - Case Sensitivity of Realm Names
+
+ In Kerberos, realm names are case sensitive. While it is strongly
+ encouraged that all realm names be all upper case this
+ recommendation has not been adopted by all sites. Some sites use
+ all lower case names and other use mixed case. DNS on the other
+ hand is case insensitive for queries. Since the realm names
+ "MYREALM", "myrealm", and "MyRealm" are all different, but resolve
+ the same in the domain name system, it is necessary that only one
+ of the possible combinations of upper and lower case characters be
+ used in realm names.
+
+7.2.3.2. Specifying KDC Location information with DNS SRV records
+
+ KDC location information is to be stored using the DNS SRV RR [RFC
+ 2782]. The format of this RR is as follows:
+
+ _Service._Proto.Realm TTL Class SRV Priority Weight Port Target
+
+ The Service name for Kerberos is always "kerberos".
+
+ The Proto can be one of "udp", "tcp". If these SRV records are to
+ be used, both "udp" and "tcp" records MUST be specified for all
+ KDC deployments.
+
+ The Realm is the Kerberos realm that this record corresponds to.
+ The realm MUST be a domain style realm name.
+
+ TTL, Class, SRV, Priority, Weight, and Target have the standard
+ meaning as defined in RFC 2782.
+
+ As per RFC 2782 the Port number used for "_udp" and "_tcp" SRV
+ records SHOULD be the value assigned to "kerberos" by the Internet
+ Assigned Number Authority: 88 (decimal) unless the KDC is
+ configured to listen on an alternate TCP port.
+
+ Implementation note: Many existing client implementations do not
+ support KDC Discovery and are configured to send requests to the
+ IANA assigned port (88 decimal), so it is strongly recommended
+ that KDCs be configured to listen on that port.
+
+
+
+February 2004 [Page 105]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+7.2.3.3. KDC Discovery for Domain Style Realm Names on IP Networks
+
+ These are DNS records for a Kerberos realm EXAMPLE.COM. It has two
+ Kerberos servers, kdc1.example.com and kdc2.example.com. Queries
+ should be directed to kdc1.example.com first as per the specified
+ priority. Weights are not used in these sample records.
+
+ _kerberos._udp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com.
+ _kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com.
+ _kerberos._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com.
+ _kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com.
+
+7.3. Name of the TGS
+
+ The principal identifier of the ticket-granting service shall be
+ composed of three parts: (1) the realm of the KDC issuing the TGS
+ ticket (2) a two-part name of type NT-SRV-INST, with the first
+ part "krbtgt" and the second part the name of the realm which will
+ accept the ticket-granting ticket. For example, a ticket-granting
+ ticket issued by the ATHENA.MIT.EDU realm to be used to get
+ tickets from the ATHENA.MIT.EDU KDC has a principal identifier of
+ "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A
+ ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be
+ used to get tickets from the MIT.EDU realm has a principal
+ identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU")
+ (name).
+
+7.4. OID arc for KerberosV5
+
+ This OID MAY be used to identify Kerberos protocol messages
+ encapsulated in other protocols. It also designates the OID arc
+ for KerberosV5-related OIDs assigned by future IETF action.
+ Implementation note:: RFC 1510 had an incorrect value (5) for
+ "dod" in its OID.
+
+ id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+ }
+
+
+ Assignment of OIDs beneath the id-krb5 arc must be obtained by
+ contacting the registrar for the id-krb5 arc, or its designee. At
+ the time of the issuance of this RFC, such registrations can be
+ obtained by contacting krb5-oid-registrar@mit.edu.
+
+7.5. Protocol constants and associated values
+
+
+
+
+February 2004 [Page 106]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The following tables list constants used in the protocol and
+ define their meanings. Ranges are specified in the "specification"
+ section that limit the values of constants for which values are
+ defined here. This allows implementations to make assumptions
+ about the maximum values that will be received for these
+ constants. Implementation receiving values outside the range
+ specified in the "specification" section MAY reject the request,
+ but they MUST recover cleanly.
+
+7.5.1. Key usage numbers
+
+ The encryption and checksum specifications in [@KCRYPTO] require
+ as input a "key usage number", to alter the encryption key used in
+ any specific message, to make certain types of cryptographic
+ attack more difficult. These are the key usage values assigned in
+ this document:
+
+ 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted
+ with the client key (section 5.2.7.2)
+ 2. AS-REP Ticket and TGS-REP Ticket (includes TGS session
+ key or application session key), encrypted with the
+ service key (section 5.3)
+ 3. AS-REP encrypted part (includes TGS session key or
+ application session key), encrypted with the client key
+ (section 5.4.2)
+ 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+ the TGS session key (section 5.4.1)
+ 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with
+ the TGS authenticator subkey (section 5.4.1)
+ 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum,
+ keyed with the TGS session key (sections 5.5.1)
+ 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator
+ (includes TGS authenticator subkey), encrypted with the
+ TGS session key (section 5.5.1)
+ 8. TGS-REP encrypted part (includes application session
+ key), encrypted with the TGS session key (section
+ 5.4.2)
+ 9. TGS-REP encrypted part (includes application session
+ key), encrypted with the TGS authenticator subkey
+ (section 5.4.2)
+ 10. AP-REQ Authenticator cksum, keyed with the application
+ session key (section 5.5.1)
+ 11. AP-REQ Authenticator (includes application
+ authenticator subkey), encrypted with the application
+ session key (section 5.5.1)
+ 12. AP-REP encrypted part (includes application session
+ subkey), encrypted with the application session key
+ (section 5.5.2)
+
+
+
+February 2004 [Page 107]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ 13. KRB-PRIV encrypted part, encrypted with a key chosen by
+ the application (section 5.7.1)
+ 14. KRB-CRED encrypted part, encrypted with a key chosen by
+ the application (section 5.8.1)
+ 15. KRB-SAFE cksum, keyed with a key chosen by the
+ application (section 5.6.1)
+ 19. AD-KDC-ISSUED checksum (ad-checksum in 5.2.6.4)
+ 22-25. Reserved for use in GSSAPI mechanisms derived from RFC
+ 1964. (raeburn/MIT)
+ 16-18,20-21,26-511. Reserved for future use in Kerberos and related
+ protocols.
+ 512-1023. Reserved for uses internal to a Kerberos
+ implementation.
+ 1024. Encryption for application use in protocols that
+ do not specify key usage values
+ 1025. Checksums for application use in protocols that
+ do not specify key usage values
+ 1026-2047. Reserved for application use.
+
+
+7.5.2. PreAuthentication Data Types
+
+ padata and data types padata-type value comment
+
+ PA-TGS-REQ 1
+ PA-ENC-TIMESTAMP 2
+ PA-PW-SALT 3
+ [reserved] 4
+ PA-ENC-UNIX-TIME 5 (deprecated)
+ PA-SANDIA-SECUREID 6
+ PA-SESAME 7
+ PA-OSF-DCE 8
+ PA-CYBERSAFE-SECUREID 9
+ PA-AFS3-SALT 10
+ PA-ETYPE-INFO 11
+ PA-SAM-CHALLENGE 12 (sam/otp)
+ PA-SAM-RESPONSE 13 (sam/otp)
+ PA-PK-AS-REQ 14 (pkinit)
+ PA-PK-AS-REP 15 (pkinit)
+ PA-ETYPE-INFO2 19 (replaces pa-etype-info)
+ PA-USE-SPECIFIED-KVNO 20
+ PA-SAM-REDIRECT 21 (sam/otp)
+ PA-GET-FROM-TYPED-DATA 22 (embedded in typed data)
+ TD-PADATA 22 (embeds padata)
+ PA-SAM-ETYPE-INFO 23 (sam/otp)
+ PA-ALT-PRINC 24 (crawdad@fnal.gov)
+ PA-SAM-CHALLENGE2 30 (kenh@pobox.com)
+ PA-SAM-RESPONSE2 31 (kenh@pobox.com)
+
+
+
+February 2004 [Page 108]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ PA-EXTRA-TGT 41 Reserved extra TGT
+ TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS
+ TD-KRB-PRINCIPAL 102 PrincipalName
+ TD-KRB-REALM 103 Realm
+ TD-TRUSTED-CERTIFIERS 104 from PKINIT
+ TD-CERTIFICATE-INDEX 105 from PKINIT
+ TD-APP-DEFINED-ERROR 106 application specific
+ TD-REQ-NONCE 107 INTEGER
+ TD-REQ-SEQ 108 INTEGER
+ PA-PAC-REQUEST 128 (jbrezak@exchange.microsoft.com)
+
+7.5.3. Address Types
+
+ Address type value
+
+ IPv4 2
+ Directional 3
+ ChaosNet 5
+ XNS 6
+ ISO 7
+ DECNET Phase IV 12
+ AppleTalk DDP 16
+ NetBios 20
+ IPv6 24
+
+7.5.4. Authorization Data Types
+
+ authorization data type ad-type value
+ AD-IF-RELEVANT 1
+ AD-INTENDED-FOR-SERVER 2
+ AD-INTENDED-FOR-APPLICATION-CLASS 3
+ AD-KDC-ISSUED 4
+ AD-AND-OR 5
+ AD-MANDATORY-TICKET-EXTENSIONS 6
+ AD-IN-TICKET-EXTENSIONS 7
+ AD-MANDATORY-FOR-KDC 8
+ reserved values 9-63
+ OSF-DCE 64
+ SESAME 65
+ AD-OSF-DCE-PKI-CERTID 66 (hemsath@us.ibm.com)
+ AD-WIN2K-PAC 128 (jbrezak@exchange.microsoft.com)
+
+7.5.5. Transited Encoding Types
+
+ transited encoding type tr-type value
+ DOMAIN-X500-COMPRESS 1
+ reserved values all others
+
+
+
+
+February 2004 [Page 109]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+7.5.6. Protocol Version Number
+
+ Label Value Meaning or MIT code
+
+ pvno 5 current Kerberos protocol version number
+
+7.5.7. Kerberos Message Types
+
+ message types
+
+ KRB_AS_REQ 10 Request for initial authentication
+ KRB_AS_REP 11 Response to KRB_AS_REQ request
+ KRB_TGS_REQ 12 Request for authentication based on TGT
+ KRB_TGS_REP 13 Response to KRB_TGS_REQ request
+ KRB_AP_REQ 14 application request to server
+ KRB_AP_REP 15 Response to KRB_AP_REQ_MUTUAL
+ KRB_RESERVED16 16 Reserved for user-to-user krb_tgt_request
+ KRB_RESERVED17 17 Reserved for user-to-user krb_tgt_reply
+ KRB_SAFE 20 Safe (checksummed) application message
+ KRB_PRIV 21 Private (encrypted) application message
+ KRB_CRED 22 Private (encrypted) message to forward credentials
+ KRB_ERROR 30 Error response
+
+7.5.8. Name Types
+
+ name types
+
+ KRB_NT_UNKNOWN 0 Name type not known
+ KRB_NT_PRINCIPAL 1 Just the name of the principal as in DCE, or for users
+ KRB_NT_SRV_INST 2 Service and other unique instance (krbtgt)
+ KRB_NT_SRV_HST 3 Service with host name as instance (telnet, rcommands)
+ KRB_NT_SRV_XHST 4 Service with host as remaining components
+ KRB_NT_UID 5 Unique ID
+ KRB_NT_X500_PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253]
+ KRB_NT_SMTP_NAME 7 Name in form of SMTP email name (e.g. user@foo.com)
+ KRB_NT_ENTERPRISE 10 Enterprise name - may be mapped to principal name
+
+7.5.9. Error Codes
+
+ error codes
+
+ KDC_ERR_NONE 0 No error
+ KDC_ERR_NAME_EXP 1 Client's entry in database has expired
+ KDC_ERR_SERVICE_EXP 2 Server's entry in database has expired
+ KDC_ERR_BAD_PVNO 3 Requested protocol version number
+ not supported
+ KDC_ERR_C_OLD_MAST_KVNO 4 Client's key encrypted in old master key
+ KDC_ERR_S_OLD_MAST_KVNO 5 Server's key encrypted in old master key
+
+
+
+February 2004 [Page 110]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ KDC_ERR_C_PRINCIPAL_UNKNOWN 6 Client not found in Kerberos database
+ KDC_ERR_S_PRINCIPAL_UNKNOWN 7 Server not found in Kerberos database
+ KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 Multiple principal entries in database
+ KDC_ERR_NULL_KEY 9 The client or server has a null key
+ KDC_ERR_CANNOT_POSTDATE 10 Ticket not eligible for postdating
+ KDC_ERR_NEVER_VALID 11 Requested start time is later than end time
+ KDC_ERR_POLICY 12 KDC policy rejects request
+ KDC_ERR_BADOPTION 13 KDC cannot accommodate requested option
+ KDC_ERR_ETYPE_NOSUPP 14 KDC has no support for encryption type
+ KDC_ERR_SUMTYPE_NOSUPP 15 KDC has no support for checksum type
+ KDC_ERR_PADATA_TYPE_NOSUPP 16 KDC has no support for padata type
+ KDC_ERR_TRTYPE_NOSUPP 17 KDC has no support for transited type
+ KDC_ERR_CLIENT_REVOKED 18 Clients credentials have been revoked
+ KDC_ERR_SERVICE_REVOKED 19 Credentials for server have been revoked
+ KDC_ERR_TGT_REVOKED 20 TGT has been revoked
+ KDC_ERR_CLIENT_NOTYET 21 Client not yet valid - try again later
+ KDC_ERR_SERVICE_NOTYET 22 Server not yet valid - try again later
+ KDC_ERR_KEY_EXPIRED 23 Password has expired
+ - change password to reset
+ KDC_ERR_PREAUTH_FAILED 24 Pre-authentication information was invalid
+ KDC_ERR_PREAUTH_REQUIRED 25 Additional pre-authenticationrequired
+ KDC_ERR_SERVER_NOMATCH 26 Requested server and ticket don't match
+ KDC_ERR_MUST_USE_USER2USER 27 Server principal valid for user2user only
+ KDC_ERR_PATH_NOT_ACCPETED 28 KDC Policy rejects transited path
+ KDC_ERR_SVC_UNAVAILABLE 29 A service is not available
+ KRB_AP_ERR_BAD_INTEGRITY 31 Integrity check on decrypted field failed
+ KRB_AP_ERR_TKT_EXPIRED 32 Ticket expired
+ KRB_AP_ERR_TKT_NYV 33 Ticket not yet valid
+ KRB_AP_ERR_REPEAT 34 Request is a replay
+ KRB_AP_ERR_NOT_US 35 The ticket isn't for us
+ KRB_AP_ERR_BADMATCH 36 Ticket and authenticator don't match
+ KRB_AP_ERR_SKEW 37 Clock skew too great
+ KRB_AP_ERR_BADADDR 38 Incorrect net address
+ KRB_AP_ERR_BADVERSION 39 Protocol version mismatch
+ KRB_AP_ERR_MSG_TYPE 40 Invalid msg type
+ KRB_AP_ERR_MODIFIED 41 Message stream modified
+ KRB_AP_ERR_BADORDER 42 Message out of order
+ KRB_AP_ERR_BADKEYVER 44 Specified version of key is not available
+ KRB_AP_ERR_NOKEY 45 Service key not available
+ KRB_AP_ERR_MUT_FAIL 46 Mutual authentication failed
+ KRB_AP_ERR_BADDIRECTION 47 Incorrect message direction
+ KRB_AP_ERR_METHOD 48 Alternative authentication method required
+ KRB_AP_ERR_BADSEQ 49 Incorrect sequence number in message
+ KRB_AP_ERR_INAPP_CKSUM 50 Inappropriate type of checksum in message
+ KRB_AP_PATH_NOT_ACCEPTED 51 Policy rejects transited path
+ KRB_ERR_RESPONSE_TOO_BIG 52 Response too big for UDP, retry with TCP
+ KRB_ERR_GENERIC 60 Generic error (description in e-text)
+ KRB_ERR_FIELD_TOOLONG 61 Field is too long for this implementation
+
+
+
+February 2004 [Page 111]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ KDC_ERROR_CLIENT_NOT_TRUSTED 62 Reserved for PKINIT
+ KDC_ERROR_KDC_NOT_TRUSTED 63 Reserved for PKINIT
+ KDC_ERROR_INVALID_SIG 64 Reserved for PKINIT
+ KDC_ERR_KEY_TOO_WEAK 65 Reserved for PKINIT
+ KDC_ERR_CERTIFICATE_MISMATCH 66 Reserved for PKINIT
+ KRB_AP_ERR_NO_TGT 67 No TGT available to validate USER-TO-USER
+ KDC_ERR_WRONG_REALM 68 USER-TO-USER TGT issued different KDC
+ KRB_AP_ERR_USER_TO_USER_REQUIRED 69 Ticket must be for USER-TO-USER
+ KDC_ERR_CANT_VERIFY_CERTIFICATE 70 Reserved for PKINIT
+ KDC_ERR_INVALID_CERTIFICATE 71 Reserved for PKINIT
+ KDC_ERR_REVOKED_CERTIFICATE 72 Reserved for PKINIT
+ KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 Reserved for PKINIT
+ KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74 Reserved for PKINIT
+ KDC_ERR_CLIENT_NAME_MISMATCH 75 Reserved for PKINIT
+ KDC_ERR_KDC_NAME_MISMATCH 76 Reserved for PKINIT
+
+8. Interoperability requirements
+
+ Version 5 of the Kerberos protocol supports a myriad of options.
+ Among these are multiple encryption and checksum types,
+ alternative encoding schemes for the transited field, optional
+ mechanisms for pre-authentication, the handling of tickets with no
+ addresses, options for mutual authentication, user-to-user
+ authentication, support for proxies, forwarding, postdating, and
+ renewing tickets, the format of realm names, and the handling of
+ authorization data.
+
+ In order to ensure the interoperability of realms, it is necessary
+ to define a minimal configuration which must be supported by all
+ implementations. This minimal configuration is subject to change
+ as technology does. For example, if at some later date it is
+ discovered that one of the required encryption or checksum
+ algorithms is not secure, it will be replaced.
+
+8.1. Specification 2
+
+ This section defines the second specification of these options.
+ Implementations which are configured in this way can be said to
+ support Kerberos Version 5 Specification 2 (5.2). Specification 1
+ (deprecated) may be found in RFC1510.
+
+ Transport
+
+ TCP/IP and UDP/IP transport MUST be supported by clients and KDCs
+ claiming conformance to specification 2.
+
+ Encryption and checksum methods
+
+
+
+
+February 2004 [Page 112]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ The following encryption and checksum mechanisms MUST be
+ supported.
+
+ Encryption: AES256-CTS-HMAC-SHA1-96
+ Checksums: HMAC-SHA1-96-AES256
+
+ Implementations SHOULD support other mechanisms as well, but the
+ additional mechanisms may only be used when communicating with
+ principals known to also support them. The mechanisms that SHOULD
+ be supported are:
+
+ Encryption: DES-CBC-MD5, DES3-CBC-SHA1-KD
+ Checksums: DES-MD5, HMAC-SHA1-DES3-KD
+
+ Implementations MAY support other mechanisms as well, but the
+ additional mechanisms may only be used when communicating with
+ principals known to also support them.
+
+ Implementation note: earlier implementations of Kerberos generate
+ messages using the CRC-32, RSA-MD5 checksum methods. For
+ interoperability with these earlier releases implementors MAY
+ consider supporting these checksum methods but should carefully
+ analyze the security impplications to limit the situations within
+ which these methods are accepted.
+
+ Realm Names
+
+ All implementations MUST understand hierarchical realms in both
+ the Internet Domain and the X.500 style. When a ticket-granting
+ ticket for an unknown realm is requested, the KDC MUST be able to
+ determine the names of the intermediate realms between the KDCs
+ realm and the requested realm.
+
+ Transited field encoding
+
+ DOMAIN-X500-COMPRESS (described in section 3.3.3.2) MUST be
+ supported. Alternative encodings MAY be supported, but they may
+ be used only when that encoding is supported by ALL intermediate
+ realms.
+
+ Pre-authentication methods
+
+ The TGS-REQ method MUST be supported. The TGS-REQ method is not
+ used on the initial request. The PA-ENC-TIMESTAMP method MUST be
+ supported by clients but whether it is enabled by default MAY be
+ determined on a realm by realm basis. If not used in the initial
+ request and the error KDC_ERR_PREAUTH_REQUIRED is returned
+ specifying PA-ENC-TIMESTAMP as an acceptable method, the client
+
+
+
+February 2004 [Page 113]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ SHOULD retry the initial request using the PA-ENC-TIMESTAMP pre-
+ authentication method. Servers need not support the PA-ENC-
+ TIMESTAMP method, but if not supported the server SHOULD ignore
+ the presence of PA-ENC-TIMESTAMP pre-authentication in a request.
+
+ The ETYPE-INFO2 method MUST be supported; this method is used to
+ communicate the set of supported encryption types, and
+ corresponding salt and string to key paramters. The ETYPE-INFO
+ method SHOULD be supported for interoperability with older
+ implementation.
+
+ Mutual authentication
+
+ Mutual authentication (via the KRB_AP_REP message) MUST be
+ supported.
+
+ Ticket addresses and flags
+
+ All KDCs MUST pass through tickets that carry no addresses (i.e.
+ if a TGT contains no addresses, the KDC will return derivative
+ tickets). Implementations SHOULD default to requesting
+ addressless tickets as this significantly increases
+ interoperability with network address translation. In some cases
+ realms or application servers MAY require that tickets have an
+ address.
+
+ Implementations SHOULD accept directional address type for the
+ KRB_SAFE and KRB_PRIV message and SHOULD include directional
+ addresses in these messages when other address types are not
+ available.
+
+ Proxies and forwarded tickets MUST be supported. Individual realms
+ and application servers can set their own policy on when such
+ tickets will be accepted.
+
+ All implementations MUST recognize renewable and postdated
+ tickets, but need not actually implement them. If these options
+ are not supported, the starttime and endtime in the ticket shall
+ specify a ticket's entire useful life. When a postdated ticket is
+ decoded by a server, all implementations shall make the presence
+ of the postdated flag visible to the calling server.
+
+ User-to-user authentication
+
+ Support for user-to-user authentication (via the ENC-TKT-IN-SKEY
+ KDC option) MUST be provided by implementations, but individual
+ realms MAY decide as a matter of policy to reject such requests on
+ a per-principal or realm-wide basis.
+
+
+
+February 2004 [Page 114]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Authorization data
+
+ Implementations MUST pass all authorization data subfields from
+ ticket-granting tickets to any derivative tickets unless directed
+ to suppress a subfield as part of the definition of that
+ registered subfield type (it is never incorrect to pass on a
+ subfield, and no registered subfield types presently specify
+ suppression at the KDC).
+
+ Implementations MUST make the contents of any authorization data
+ subfields available to the server when a ticket is used.
+ Implementations are not required to allow clients to specify the
+ contents of the authorization data fields.
+
+ Constant ranges
+
+ All protocol constants are constrained to 32 bit (signed) values
+ unless further constrained by the protocol definition. This limit
+ is provided to allow implementations to make assumptions about the
+ maximum values that will be received for these constants.
+ Implementation receiving values outside this range MAY reject the
+ request, but they MUST recover cleanly.
+
+8.2. Recommended KDC values
+
+ Following is a list of recommended values for a KDC configuration.
+
+ minimum lifetime 5 minutes
+ maximum renewable lifetime 1 week
+ maximum ticket lifetime 1 day
+ acceptable clock skew 5 minutes
+ empty addresses Allowed.
+ proxiable, etc. Allowed.
+
+9. IANA considerations
+
+ Section 7 of this document specifies protocol constants and other
+ defined values required for the interoperability of multiple
+ implementations. Until otherwise specified in a subsequent RFC, or
+ upon disbanding of the Kerberos working group, allocations of
+ additional protocol constants and other defined values required
+ for extensions to the Kerberos protocol will be administered by
+ the kerberos working group. Following the recomendations outlined
+ in [RFC 2434], guidance is provided to the IANA as follows:
+
+ "reserved" realm name types in section 6.1 and "other" realm types
+ except those beginning with "X-" or "x-" will not be registered
+ without IETF standards action, at which point guidlines for
+
+
+
+February 2004 [Page 115]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ further assignment will be specified. Realm name types beginning
+ with "X-" or "x-" are for private use.
+
+ For host address types described in section 7.1, negative values
+ are for private use. Assignment of additional positive numbers is
+ subject to review by the kerberos working group or other expert
+ review.
+
+ Additional key usage numbers as defined in section 7.5.1 will be
+ assigned subject to review by the kerberos working group or other
+ expert review.
+
+ Additional preauthentciation data type values as defined in
+ section 7.5.2 will be assigned subject to review by the kerberos
+ working group or other expert review.
+
+ Additional Authorization Data Types as defined in section 7.5.4
+ will be assigned subject to review by the kerberos working group
+ or other expert review. Although it is anticipated that there may
+ be significant demand for private use types, provision is
+ intentionaly not made for a private use portion of the namespace
+ because conficts between privately assigned values coule have
+ detrimental security implications.
+
+ Additional Transited Encoding Types as defined in section 7.5.5
+ present special concerns for interoperability with existing
+ implementations. As such, such assignments will only be made by
+ standards action, except that the Kerberos working group or
+ another other working group with competent jurisdiction may make
+ preliminary assignments for documents which are moving through the
+ standards process.
+
+ Additional Kerberos Message Types as described in section 7.5.7
+ will be assigned subject to review by the kerberos working group
+ or other expert review.
+
+ Additional Name Types as described in section 7.5.8 will be
+ assigned subject to review by the kerberos working group or other
+ expert review.
+
+ Additional error codes described in section 7.5.9 will be assigned
+ subject to review by the kerberos working group or other expert
+ review.
+
+10. Security Considerations
+
+ As an authentication service, Kerberos provides a means of
+ verifying the identity of principals on a network. Kerberos does
+
+
+
+February 2004 [Page 116]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ not, by itself, provide authorization. Applications should not
+ accept the issuance of a service ticket by the Kerberos server as
+ granting authority to use the service, since such applications may
+ become vulnerable to the bypass of this authorization check in an
+ environment if they inter-operate with other KDCs or where other
+ options for application authentication are provided.
+
+ Denial of service attacks are not solved with Kerberos. There are
+ places in the protocols where an intruder can prevent an
+ application from participating in the proper authentication steps.
+ Because authentication is a required step for the use of many
+ services, successful denial of service attacks on a Kerberos
+ server might result in the denial of other network services that
+ rely on Kerberos for authentication. Kerberos is vulnerable to
+ many kinds of denial of service attacks: denial of service attacks
+ on the network which would prevent clients from contacting the
+ KDC; denial of service attacks on the domain name system which
+ could prevent a client from finding the IP address of the Kerberos
+ server; and denial of service attack by overloading the Kerberos
+ KDC itself with repeated requests.
+
+ Interoperability conflicts caused by incompatible character-set
+ usage (see 5.2.1) can result in denial of service for clients that
+ utilize character-sets in Kerberos strings other than those stored
+ in the KDC database.
+
+ Authentication servers maintain a database of principals (i.e.,
+ users and servers) and their secret keys. The security of the
+ authentication server machines is critical. The breach of security
+ of an authentication server will compromise the security of all
+ servers that rely upon the compromised KDC, and will compromise
+ the authentication of any principals registered in the realm of
+ the compromised KDC.
+
+ Principals must keep their secret keys secret. If an intruder
+ somehow steals a principal's key, it will be able to masquerade as
+ that principal or impersonate any server to the legitimate
+ principal.
+
+ Password guessing attacks are not solved by Kerberos. If a user
+ chooses a poor password, it is possible for an attacker to
+ successfully mount an off-line dictionary attack by repeatedly
+ attempting to decrypt, with successive entries from a dictionary,
+ messages obtained which are encrypted under a key derived from the
+ user's password.
+
+ Unless pre-authentication options are required by the policy of a
+ realm, the KDC will not know whether a request for authentication
+
+
+
+February 2004 [Page 117]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ succeeds. An attacker can request a reply with credentials for any
+ principal. These credentials will likely not be of much use to the
+ attacker unless it knows the client's secret key, but the
+ availability of the response encrypted in the client's secret key
+ provides the attacker with ciphertext that may be used to mount
+ brute force or dictionary attacks to decrypt the credentials, by
+ guessing the user's password. For this reason it is strongly
+ encouraged that Kerberos realms require the use of pre-
+ authentication. Even with pre-authentication, attackers may try
+ brute force or dictionary attacks against credentials that are
+ observed by eavesdropping on the network.
+
+ Because a client can request a ticket for any server principal and
+ can attempt a brute force or dictionary attack against the server
+ principal's key using that ticket, it is strongly encouraged that
+ keys be randomly generated (rather than generated from passwords)
+ for any principals that are usable as the target principal for a
+ KRB_TGS_REQ or KRB_AS_REQ messages. [RFC1750]
+
+ Although the DES-CBC-MD5 encryption method and DES-MD5 checksum
+ methods are listed as SHOULD be implemented for backward
+ compatibility, the single DES encryption algorithm on which these
+ are based is weak and stronger algorithms should be used whenever
+ possible.
+
+ Each host on the network must have a clock which is loosely
+ synchronized to the time of the other hosts; this synchronization
+ is used to reduce the bookkeeping needs of application servers
+ when they do replay detection. The degree of "looseness" can be
+ configured on a per-server basis, but is typically on the order of
+ 5 minutes. If the clocks are synchronized over the network, the
+ clock synchronization protocol MUST itself be secured from network
+ attackers.
+
+ Principal identifiers must not recycled on a short-term basis. A
+ typical mode of access control will use access control lists
+ (ACLs) to grant permissions to particular principals. If a stale
+ ACL entry remains for a deleted principal and the principal
+ identifier is reused, the new principal will inherit rights
+ specified in the stale ACL entry. By not reusing principal
+ identifiers, the danger of inadvertent access is removed.
+
+ Proper decryption of an KRB_AS_REP message from the KDC is not
+ sufficient for the host to verify the identity of the user; the
+ user and an attacker could cooperate to generate a KRB_AS_REP
+ format message which decrypts properly but is not from the proper
+ KDC. To authenticate a user logging on to a local system, the
+ credentials obtained in the AS exchange may first be used in a TGS
+
+
+
+February 2004 [Page 118]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ exchange to obtain credentials for a local server. Those
+ credentials must then be verified by a local server through
+ successful completion of the Client/Server exchange.
+
+ Many RFC 1510 compliant implementations ignore unknown
+ authorization data elements. Depending on these implementations to
+ honor authorization data restrictions may create a security
+ weakness.
+
+ Kerberos credentials contain clear-text information identifying
+ the principals to which they apply. If privacy of this information
+ is needed, this exchange should itself be encapsulated in a
+ protocol providing for confidentiality on the exchange of these
+ credentials.
+
+ Applications must take care to protect communications subsequent
+ to authentication either by using the KRB_PRIV or KRB_SAFE
+ messages as appropriate, or by applying their own confidentiality
+ or integrity mechanisms on such communications. Completion of the
+ KRB_AP_REQ and KRB_AP_REP exchange without subsequent use of
+ confidentiality and integrity mechanisms provides only for
+ authentication of the parties to the communication and not
+ confidentiality and integrity of the subsequent communication.
+ Application applying confidentiality and integrity protection
+ mechanisms other than KRB_PRIV and KRB_SAFE must make sure that
+ the authentication step is appropriately linked with the protected
+ communication channel that is established by the application.
+
+ Unless the application server provides its own suitable means to
+ protect against replay (for example, a challenge-response sequence
+ initiated by the server after authentication, or use of a server-
+ generated encryption subkey), the server must utilize a replay
+ cache to remember any authenticator presented within the allowable
+ clock skew. All services sharing a key need to use the same replay
+ cache. If separate replay caches are used, then and authenticator
+ used with one such service could later be replayed to a different
+ service with the same service principal.
+
+ If a server loses track of authenticators presented within the
+ allowable clock skew, it must reject all requests until the clock
+ skew interval has passed, providing assurance that any lost or
+ replayed authenticators will fall outside the allowable clock skew
+ and can no longer be successfully replayed.
+
+ Implementations of Kerberos should not use untrusted directory
+ servers to determine the realm of a host. To allow such would
+ allow the compromise of the directory server to enable an attacker
+ to direct the client to accept authentication with the wrong
+
+
+
+February 2004 [Page 119]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ principal (i.e. one with a similar name, but in a realm with which
+ the legitimate host was not registered).
+
+ Implementations of Kerberos must not use DNS to map one name to
+ another (canonicalize) to determine the host part of the principal
+ name with which one is to communicate. To allow such
+ canonicalization would allow a compromise of the DNS to result in
+ a client obtaining credentials and correctly authenticating to the
+ wrong principal. Though the client will know who it is
+ communicating with, it will not be the principal with which it
+ intended to communicate.
+
+ If the Kerberos server returns a TGT for a 'closer' realm other
+ than the desired realm, the client may use local policy
+ configuration to verify that the authentication path used is an
+ acceptable one. Alternatively, a client may choose its own
+ authentication path, rather than relying on the Kerberos server to
+ select one. In either case, any policy or configuration
+ information used to choose or validate authentication paths,
+ whether by the Kerberos server or client, must be obtained from a
+ trusted source.
+
+ The Kerberos protocol in its basic form does not provide perfect
+ forward secrecy for communications. If traffic has been recorded
+ by an eavesdropper, then messages encrypted using the KRB_PRIV
+ message, or messages encrypted using application specific
+ encryption under keys exchanged using Kerberos can be decrypted if
+ any of the user's, application server's, or KDC's key is
+ subsequently discovered. This is because the session key use to
+ encrypt such messages is transmitted over the network encrypted in
+ the key of the application server, and also encrypted under the
+ session key from the user's ticket-granting ticket when returned
+ to the user in the KRB_TGS_REP message. The session key from the
+ ticket-granting ticket was sent to the user in the KRB_AS_REP
+ message encrypted in the user's secret key, and embedded in the
+ ticket-granting ticket, which was encrypted in the key of the KDC.
+ Application requiring perfect forward secrecy must exchange keys
+ through mechanisms that provide such assurance, but may use
+ Kerberos for authentication of the encrypted channel established
+ through such other means.
+
+11. Author's Addresses
+
+
+ Clifford Neuman
+ Information Sciences Institute
+ University of Southern California
+ 4676 Admiralty Way
+
+
+
+February 2004 [Page 120]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Marina del Rey, CA 90292, USA
+ Email: bcn@isi.edu
+
+ Tom Yu
+ Massachusetts Institute of Technology
+ 77 Massachusetts Avenue
+ Cambridge, MA 02139, USA
+ Email: tlyu@mit.edu
+
+ Sam Hartman
+ Massachusetts Institute of Technology
+ 77 Massachusetts Avenue
+ Cambridge, MA 02139, USA
+ Email: hartmans@mit.edu
+
+ Kenneth Raeburn
+ Massachusetts Institute of Technology
+ 77 Massachusetts Avenue
+ Cambridge, MA 02139, USA
+ Email: raeburn@MIT.EDU
+
+
+12. Acknowledgements
+
+ This document is a revision to RFC1510 which was co-authored with
+ John Kohl. The specification of the Kerberos protocol described
+ in this document is the result of many years of effort. Over this
+ period many individuals have contributed to the definition of the
+ protocol and to the writing of the specification. Unfortunately it
+ is not possible to list all contributors as authors of this
+ document, though there are many not listed who are authors in
+ spirit, because they contributed text for parts of some sections,
+ because they contributed to the design of parts of the protocol,
+ or because they contributed significantly to the discussion of the
+ protocol in the IETF common authentication technology (CAT) and
+ Kerberos working groups.
+
+ Among those contributing to the development and specification of
+ Kerberos were Jeffrey Altman, John Brezak, Marc Colan, Johan
+ Danielsson, Don Davis, Doug Engert, Dan Geer, Paul Hill, John
+ Kohl, Marc Horowitz, Matt Hur, Jeffrey Hutzelman, Paul Leach, John
+ Linn, Ari Medvinsky, Sasha Medvinsky, Steve Miller, Jon Rochlis,
+ Jerome Saltzer, Jeffrey Schiller, Jennifer Steiner, Ralph Swick,
+ Mike Swift, Jonathan Trostle, Theodore Ts'o, Brian Tung, Jacques
+ Vidrine, Assar Westerlund, and Nicolas Williams. Many other
+ members of MIT Project Athena, the MIT networking group, and the
+ Kerberos and CAT working groups of the IETF contributed but are
+ not listed.
+
+
+
+February 2004 [Page 121]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+13. REFERENCES
+
+13.1 NORMATIVE REFERENCES
+
+ [@KCRYPTO]
+ RFC-Editor: To be replaced by RFC number for draft-ietf-krb-wg-
+ crypto.
+
+ [@AES]
+ RFC-Editor: To be replaced by RFC number for draft-raeburn0krb-
+ rijndael-krb.
+
+ [ISO-646/ECMA-6]
+ 7-bit Coded Character Set
+
+ [ISO-2022/ECMA-35]
+ Character Code Structure and Extension Techniques
+
+ [ISO-4873/ECMA-43]
+ 8-bit Coded Character Set Structure and Rules
+
+ [RFC1035]
+ P.V. Mockapetris, RFC1035: "Domain Names - Implementations and
+ Specification," November 1, 1987, Obsoletes - RFC973, RFC882,
+ RFC883. Updated by RFC1101, RFC1183, RFC1348, RFCRFC1876, RFC1982,
+ RFC1995, RFC1996, RFC2065, RFC2136, RFC2137, RFC2181, RFC2308,
+ RFC2535, RFC2845, and RFC3425. Status: Standard.
+
+ [RFC2119]
+
+ S. Bradner, RFC2119: "Key words for use in RFC's to Indicate
+ Requirement Levels", March 1997.
+
+ [RFC2434]
+ T. Narten, H. Alvestrand, RFC2434: "Guidelines for writing IANA
+ Consideration Secionts in RFCs" October, 1998.
+
+ [RFC2782]
+ A. Gulbrandsen, P. Vixie and L. Esibov., RFC2782: "A DNS RR for
+ Specifying the Location of Services (DNS SRV)," February 2000.
+
+ [RFC2253]
+ M. Wahl, S. Killie, and T. Howes, RFC2253: "Lightweight Directory
+ Access Protocol (v3): UTF-8 String Representation or Distinguished
+ Names," December 1997, Obsoletes - RFC1779, Updated by RFC3377,
+
+
+
+February 2004 [Page 122]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Status: Proposed Standard.
+
+ [RFC2373]
+ R. Hinden, S. Deering, RFC2373: "IP Version 6 Addressing
+ Architecture," July 1998, Status: Proposed Standard.
+
+ [X680]
+ Abstract Syntax Notation One (ASN.1): Specification of Basic
+ Notation, ITU-T Recommendation X.680 (1997) | ISO/IEC
+ International Standard 8824-1:1998.
+
+ [X690]
+ ASN.1 encoding rules: Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished Encoding Rules
+ (DER), ITU-T Recommendation X.690 (1997)| ISO/IEC International
+ Standard 8825-1:1998.
+
+13.2 INFORMATIVE REFERENCES
+
+ [DGT96]
+ Don Davis, Daniel Geer, and Theodore Ts'o, "Kerberos With Clocks
+ Adrift: History, Protocols, and Implementation", USENIX Computing
+ Systems 9:1 (January 1996).
+
+ [DS81]
+ Dorothy E. Denning and Giovanni Maria Sacco, "Time-stamps in Key
+ Distribution Protocols," Communications of the ACM, Vol. 24(8),
+ pp. 533-536 (August 1981).
+
+ [KNT94]
+
+ John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o, "The
+ Evolution of the Kerberos Authentication System". In Distributed
+ Open Systems, pages 78-94. IEEE Computer Society Press, 1994.
+
+ [MNSS87]
+ S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer,
+ Section E.2.1: Kerberos Authentication and Authorization System,
+ M.I.T. Project Athena, Cambridge, Massachusetts (December 21,
+ 1987).
+
+ [NS78]
+ Roger M. Needham and Michael D. Schroeder, "Using Encryption for
+ Authentication in Large Networks of Computers," Communications of
+ the ACM, Vol. 21(12), pp. 993-999 (December, 1978).
+
+ [Neu93]
+ B. Clifford Neuman, "Proxy-Based Authorization and Accounting for
+
+
+
+February 2004 [Page 123]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ Distributed Systems," in Proceedings of the 13th International
+ Conference on Distributed Computing Systems, Pittsburgh, PA (May,
+ 1993).
+
+ [NT94]
+ B. Clifford Neuman and Theodore Y. Ts'o, "An Authentication
+ Service for Computer Networks," IEEE Communications Magazine, Vol.
+ 32(9), pp. 33-38 (September 1994).
+
+ [Pat92].
+ J. Pato, Using Pre-Authentication to Avoid Password Guessing
+ Attacks, Open Software Foundation DCE Request for Comments 26
+ (December 1992).
+
+ [RFC1510]
+ J. Kohl and B. C. Neuman, RFC1510: "The Kerberos Network
+ Authentication Service (v5)," September 1993, Status: Proposed
+ Standard.
+
+ [RFC1750]
+ D. Eastlake, S. Crocker, and J. Schiller "Randomness
+ Recommendation for Security" December 1994, Status: Informational.
+
+ [RFC2026]
+ S. Bradner, RFC2026: "The Internet Standard Process - Revision
+ 3," October 1996, Obsoletes - RFC 1602, Status: Best Current
+ Practice.
+
+ [SNS88]
+ J. G. Steiner, B. C. Neuman, and J. I. Schiller, "Kerberos: An
+ Authentication Service for Open Network Systems," pp. 191-202 in
+ Usenix Conference Proceedings, Dallas, Texas (February, 1988).
+
+
+14. Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is
+ subject to the rights, licenses and restrictions contained in BCP
+ 78 and except as set forth therein, the authors retain all their
+ rights.
+
+ This document and the information contained herein are provided on
+ an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
+ REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
+ THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
+ ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
+
+
+
+February 2004 [Page 124]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ PARTICULAR PURPOSE.
+
+15. Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed
+ to pertain to the implementation or use of the technology
+ described in this document or the extent to which any license
+ under such rights might or might not be available; nor does it
+ represent that it has made any independent effort to identify any
+ such rights. Information on the procedures with respect to rights
+ in RFC documents can be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use
+ of such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository
+ at http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention
+ any copyrights, patents or patent applications, or other
+ proprietary rights that may cover technology that may be required
+ to implement this standard. Please address the information to the
+ IETF at ietf-ipr@ietf.org.
+
+A. ASN.1 module
+
+ KerberosV5Spec2 {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) krb5spec2(2)
+ } DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ -- OID arc for KerberosV5
+ --
+ -- This OID may be used to identify Kerberos protocol messages
+ -- encapsulated in other protocols.
+ --
+ -- This OID also designates the OID arc for KerberosV5-related OIDs.
+ --
+ -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID.
+ id-krb5 OBJECT IDENTIFIER ::= {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2)
+ }
+
+ Int32 ::= INTEGER (-2147483648..2147483647)
+ -- signed values representable in 32 bits
+
+
+
+February 2004 [Page 125]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ UInt32 ::= INTEGER (0..4294967295)
+ -- unsigned 32 bit values
+
+ Microseconds ::= INTEGER (0..999999)
+ -- microseconds
+
+ KerberosString ::= GeneralString (IA5String)
+
+ Realm ::= KerberosString
+
+ PrincipalName ::= SEQUENCE {
+ name-type [0] Int32,
+ name-string [1] SEQUENCE OF KerberosString
+ }
+
+ KerberosTime ::= GeneralizedTime -- with no fractional seconds
+
+ HostAddress ::= SEQUENCE {
+ addr-type [0] Int32,
+ address [1] OCTET STRING
+ }
+
+ -- NOTE: HostAddresses is always used as an OPTIONAL field and
+ -- should not be empty.
+ HostAddresses -- NOTE: subtly different from rfc1510,
+ -- but has a value mapping and encodes the same
+ ::= SEQUENCE OF HostAddress
+
+ -- NOTE: AuthorizationData is always used as an OPTIONAL field and
+ -- should not be empty.
+ AuthorizationData ::= SEQUENCE OF SEQUENCE {
+ ad-type [0] Int32,
+ ad-data [1] OCTET STRING
+ }
+
+ PA-DATA ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ padata-type [1] Int32,
+ padata-value [2] OCTET STRING -- might be encoded AP-REQ
+ }
+
+ KerberosFlags ::= BIT STRING (SIZE (32..MAX)) -- minimum number of bits
+ -- shall be sent, but no fewer than 32
+
+ EncryptedData ::= SEQUENCE {
+ etype [0] Int32 -- EncryptionType --,
+ kvno [1] UInt32 OPTIONAL,
+ cipher [2] OCTET STRING -- ciphertext
+
+
+
+February 2004 [Page 126]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ }
+
+ EncryptionKey ::= SEQUENCE {
+ keytype [0] Int32 -- actually encryption type --,
+ keyvalue [1] OCTET STRING
+ }
+
+ Checksum ::= SEQUENCE {
+ cksumtype [0] Int32,
+ checksum [1] OCTET STRING
+ }
+
+ Ticket ::= [APPLICATION 1] SEQUENCE {
+ tkt-vno [0] INTEGER (5),
+ realm [1] Realm,
+ sname [2] PrincipalName,
+ enc-part [3] EncryptedData -- EncTicketPart
+ }
+
+ -- Encrypted part of ticket
+ EncTicketPart ::= [APPLICATION 3] SEQUENCE {
+ flags [0] TicketFlags,
+ key [1] EncryptionKey,
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ transited [4] TransitedEncoding,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ caddr [9] HostAddresses OPTIONAL,
+ authorization-data [10] AuthorizationData OPTIONAL
+ }
+
+ -- encoded Transited field
+ TransitedEncoding ::= SEQUENCE {
+ tr-type [0] Int32 -- must be registered --,
+ contents [1] OCTET STRING
+ }
+
+ TicketFlags ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+ -- may-postdate(5),
+ -- postdated(6),
+
+
+
+February 2004 [Page 127]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ -- invalid(7),
+ -- renewable(8),
+ -- initial(9),
+ -- pre-authent(10),
+ -- hw-authent(11),
+ -- the following are new since 1510
+ -- transited-policy-checked(12),
+ -- ok-as-delegate(13)
+
+ AS-REQ ::= [APPLICATION 10] KDC-REQ
+
+ TGS-REQ ::= [APPLICATION 12] KDC-REQ
+
+ KDC-REQ ::= SEQUENCE {
+ -- NOTE: first tag is [1], not [0]
+ pvno [1] INTEGER (5) ,
+ msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --),
+ padata [3] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ req-body [4] KDC-REQ-BODY
+ }
+
+ KDC-REQ-BODY ::= SEQUENCE {
+ kdc-options [0] KDCOptions,
+ cname [1] PrincipalName OPTIONAL
+ -- Used only in AS-REQ --,
+ realm [2] Realm
+ -- Server's realm
+ -- Also client's in AS-REQ --,
+ sname [3] PrincipalName OPTIONAL,
+ from [4] KerberosTime OPTIONAL,
+ till [5] KerberosTime,
+ rtime [6] KerberosTime OPTIONAL,
+ nonce [7] UInt32,
+ etype [8] SEQUENCE OF Int32 -- EncryptionType
+ -- in preference order --,
+ addresses [9] HostAddresses OPTIONAL,
+ enc-authorization-data [10] EncryptedData -- AuthorizationData --,
+ additional-tickets [11] SEQUENCE OF Ticket OPTIONAL
+ -- NOTE: not empty
+ }
+
+ KDCOptions ::= KerberosFlags
+ -- reserved(0),
+ -- forwardable(1),
+ -- forwarded(2),
+ -- proxiable(3),
+ -- proxy(4),
+
+
+
+February 2004 [Page 128]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ -- allow-postdate(5),
+ -- postdated(6),
+ -- unused7(7),
+ -- renewable(8),
+ -- unused9(9),
+ -- unused10(10),
+ -- opt-hardware-auth(11),
+ -- unused12(12),
+ -- unused13(13),
+ -- 15 is reserved for canonicalize
+ -- unused15(15),
+ -- 26 was unused in 1510
+ -- disable-transited-check(26),
+ --
+ -- renewable-ok(27),
+ -- enc-tkt-in-skey(28),
+ -- renew(30),
+ -- validate(31)
+
+ AS-REP ::= [APPLICATION 11] KDC-REP
+
+ TGS-REP ::= [APPLICATION 13] KDC-REP
+
+ KDC-REP ::= SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --),
+ padata [2] SEQUENCE OF PA-DATA OPTIONAL
+ -- NOTE: not empty --,
+ crealm [3] Realm,
+ cname [4] PrincipalName,
+ ticket [5] Ticket,
+ enc-part [6] EncryptedData
+ -- EncASRepPart or EncTGSRepPart,
+ -- as appropriate
+ }
+
+ EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
+
+ EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart
+
+ EncKDCRepPart ::= SEQUENCE {
+ key [0] EncryptionKey,
+ last-req [1] LastReq,
+ nonce [2] UInt32,
+ key-expiration [3] KerberosTime OPTIONAL,
+ flags [4] TicketFlags,
+ authtime [5] KerberosTime,
+ starttime [6] KerberosTime OPTIONAL,
+
+
+
+February 2004 [Page 129]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ endtime [7] KerberosTime,
+ renew-till [8] KerberosTime OPTIONAL,
+ srealm [9] Realm,
+ sname [10] PrincipalName,
+ caddr [11] HostAddresses OPTIONAL
+ }
+
+ LastReq ::= SEQUENCE OF SEQUENCE {
+ lr-type [0] Int32,
+ lr-value [1] KerberosTime
+ }
+
+ AP-REQ ::= [APPLICATION 14] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (14),
+ ap-options [2] APOptions,
+ ticket [3] Ticket,
+ authenticator [4] EncryptedData -- Authenticator
+ }
+
+ APOptions ::= KerberosFlags
+ -- reserved(0),
+ -- use-session-key(1),
+ -- mutual-required(2)
+
+ -- Unencrypted authenticator
+ Authenticator ::= [APPLICATION 2] SEQUENCE {
+ authenticator-vno [0] INTEGER (5),
+ crealm [1] Realm,
+ cname [2] PrincipalName,
+ cksum [3] Checksum OPTIONAL,
+ cusec [4] Microseconds,
+ ctime [5] KerberosTime,
+ subkey [6] EncryptionKey OPTIONAL,
+ seq-number [7] UInt32 OPTIONAL,
+ authorization-data [8] AuthorizationData OPTIONAL
+ }
+
+ AP-REP ::= [APPLICATION 15] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (15),
+ enc-part [2] EncryptedData -- EncAPRepPart
+ }
+
+ EncAPRepPart ::= [APPLICATION 27] SEQUENCE {
+ ctime [0] KerberosTime,
+ cusec [1] Microseconds,
+ subkey [2] EncryptionKey OPTIONAL,
+
+
+
+February 2004 [Page 130]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ seq-number [3] UInt32 OPTIONAL
+ }
+
+ KRB-SAFE ::= [APPLICATION 20] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (20),
+ safe-body [2] KRB-SAFE-BODY,
+ cksum [3] Checksum
+ }
+
+ KRB-SAFE-BODY ::= SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress,
+ r-address [5] HostAddress OPTIONAL
+ }
+
+ KRB-PRIV ::= [APPLICATION 21] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (21),
+ -- NOTE: there is no [2] tag
+ enc-part [3] EncryptedData -- EncKrbPrivPart
+ }
+
+ EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE {
+ user-data [0] OCTET STRING,
+ timestamp [1] KerberosTime OPTIONAL,
+ usec [2] Microseconds OPTIONAL,
+ seq-number [3] UInt32 OPTIONAL,
+ s-address [4] HostAddress -- sender's addr --,
+ r-address [5] HostAddress OPTIONAL -- recip's addr
+ }
+
+ KRB-CRED ::= [APPLICATION 22] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (22),
+ tickets [2] SEQUENCE OF Ticket,
+ enc-part [3] EncryptedData -- EncKrbCredPart
+ }
+
+ EncKrbCredPart ::= [APPLICATION 29] SEQUENCE {
+ ticket-info [0] SEQUENCE OF KrbCredInfo,
+ nonce [1] UInt32 OPTIONAL,
+ timestamp [2] KerberosTime OPTIONAL,
+ usec [3] Microseconds OPTIONAL,
+ s-address [4] HostAddress OPTIONAL,
+
+
+
+February 2004 [Page 131]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ r-address [5] HostAddress OPTIONAL
+ }
+
+ KrbCredInfo ::= SEQUENCE {
+ key [0] EncryptionKey,
+ prealm [1] Realm OPTIONAL,
+ pname [2] PrincipalName OPTIONAL,
+ flags [3] TicketFlags OPTIONAL,
+ authtime [4] KerberosTime OPTIONAL,
+ starttime [5] KerberosTime OPTIONAL,
+ endtime [6] KerberosTime OPTIONAL,
+ renew-till [7] KerberosTime OPTIONAL,
+ srealm [8] Realm OPTIONAL,
+ sname [9] PrincipalName OPTIONAL,
+ caddr [10] HostAddresses OPTIONAL
+ }
+
+ KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
+ pvno [0] INTEGER (5),
+ msg-type [1] INTEGER (30),
+ ctime [2] KerberosTime OPTIONAL,
+ cusec [3] Microseconds OPTIONAL,
+ stime [4] KerberosTime,
+ susec [5] Microseconds,
+ error-code [6] Int32,
+ crealm [7] Realm OPTIONAL,
+ cname [8] PrincipalName OPTIONAL,
+ realm [9] Realm -- service realm --,
+ sname [10] PrincipalName -- service name --,
+ e-text [11] KerberosString OPTIONAL,
+ e-data [12] OCTET STRING OPTIONAL
+ }
+
+ METHOD-DATA ::= SEQUENCE OF PA-DATA
+
+ TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
+ data-type [0] INTEGER,
+ data-value [1] OCTET STRING OPTIONAL
+ }
+
+ -- preauth stuff follows
+
+ PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC
+
+ PA-ENC-TS-ENC ::= SEQUENCE {
+ patimestamp [0] KerberosTime -- client's time --,
+ pausec [1] Microseconds OPTIONAL
+ }
+
+
+
+February 2004 [Page 132]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ ETYPE-INFO-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] OCTET STRING OPTIONAL
+ }
+
+ ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY
+
+ ETYPE-INFO2-ENTRY ::= SEQUENCE {
+ etype [0] Int32,
+ salt [1] KerberosString OPTIONAL,
+ s2kparams [2] OCTET STRING OPTIONAL
+ }
+
+ ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
+
+ AD-IF-RELEVANT ::= AuthorizationData
+
+ AD-KDCIssued ::= SEQUENCE {
+ ad-checksum [0] Checksum,
+ i-realm [1] Realm OPTIONAL,
+ i-sname [2] PrincipalName OPTIONAL,
+ elements [3] AuthorizationData
+ }
+
+ AD-AND-OR ::= SEQUENCE {
+ condition-count [0] INTEGER,
+ elements [1] AuthorizationData
+ }
+
+ AD-MANDATORY-FOR-KDC ::= AuthorizationData
+
+ END
+
+B. Changes since RFC-1510
+
+ This document replaces RFC-1510 and clarifies specification of
+ items that were not completely specified. Where changes to
+ recommended implementation choices were made, or where new options
+ were added, those changes are described within the document and
+ listed in this section. More significantly, "Specification 2" in
+ section 8 changes the required encryption and checksum methods to
+ bring them in line with the best current practices and to
+ deprecate methods that are no longer considered sufficiently
+ strong.
+
+ Discussion was added to section 1 regarding the ability to rely on
+ the KDC to check the transited field, and on the inclusion of a
+ flag in a ticket indicating that this check has occurred. This is
+
+
+
+February 2004 [Page 133]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ a new capability not present in RFC1510. Pre-existing
+ implementations may ignore or not set this flag without negative
+ security implications.
+
+ The definition of the secret key says that in the case of a user
+ the key may be derived from a password. In 1510, it said that the
+ key was derived from the password. This change was made to
+ accommodate situations where the user key might be stored on a
+ smart-card, or otherwise obtained independent of a password.
+
+ The introduction mentions the use of public key cryptography for
+ initial authentication in Kerberos by reference. RFC1510 did not
+ include such a reference.
+
+ Section 1.2 was added to explain that while Kerberos provides
+ authentication of a named principal, it is still the
+ responsibility of the application to ensure that the authenticated
+ name is the entity with which the application wishes to
+ communicate.
+
+ Discussion of extensibility has been added to the introduction.
+
+ Discussion of how extensibility affects ticket flags and KDC
+ options was added to the introduction of section 2. No changes
+ were made to existing options and flags specified in RFC1510,
+ though some of the sections in the specification were renumbered,
+ and text was revised to make the description and intent of
+ existing options clearer, especially with respect to the ENC-TKT-
+ IN-SKEY option (now section 2.9.2) which is used for user-to-user
+ authentication. The new option and ticket flag transited policy
+ checking (section 2.7) was added.
+
+ A warning regarding generation of session keys for application use
+ was added to section 3, urging the inclusion of key entropy from
+ the KDC generated session key in the ticket. An example regarding
+ use of the sub-session key was added to section 3.2.6.
+ Descriptions of the pa-etype-info, pa-etype-info2, and pa-pw-salt
+ pre-authentication data items were added. The recommendation for
+ use of pre-authentication was changed from "may" to "should" and a
+ note was added regarding known plaintext attacks.
+
+ In RFC 1510, section 4 described the database in the KDC. This
+ discussion was not necessary for interoperability and
+ unnecessarily constrained implementation. The old section 4 was
+ removed.
+
+ The current section 4 was formerly section 6 on encryption and
+ checksum specifications. The major part of this section was
+
+
+
+February 2004 [Page 134]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ brought up to date to support new encryption methods, and move to
+ a separate document. Those few remaining aspects of the encryption
+ and checksum specification specific to Kerberos are now specified
+ in section 4.
+
+ Significant changes were made to the layout of section 5 to
+ clarify the correct behavior for optional fields. Many of these
+ changes were made necessary because of improper ASN.1 description
+ in the original Kerberos specification which left the correct
+ behavior underspecified. Additionally, the wording in this section
+ was tightened wherever possible to ensure that implementations
+ conforming to this specification will be extensible with the
+ addition of new fields in future specifications.
+
+ Text was added describing time_t=0 issues in the ASN.1. Text was
+ also added, clarifying issues with implementations treating
+ omitted optional integers as zero. Text was added clarifying
+ behavior for optional SEQUENCE or SEQUENCE OF that may be empty.
+ Discussion was added regarding sequence numbers and behavior of
+ some implementations, including "zero" behavior and negative
+ numbers. A compatibility note was added regarding the
+ unconditional sending of EncTGSRepPart regardless of the enclosing
+ reply type. Minor changes were made to the description of the
+ HostAddresses type. Integer types were constrained. KerberosString
+ was defined as a (significantly) constrained GeneralString.
+ KerberosFlags was defined to reflect existing implementation
+ behavior that departs from the definition in RFC 1510. The
+ transited-policy-checked(12) and the ok-as-delegate(13) ticket
+ flags were added. The disable-transited-check(26) KDC option was
+ added.
+
+ Descriptions of commonly implemented PA-DATA were added to section
+ 5. The description of KRB-SAFE has been updated to note the
+ existing implementation behavior of double-encoding.
+
+ There were two definitions of METHOD-DATA in RFC 1510. The second
+ one, intended for use with KRB_AP_ERR_METHOD was removed leaving
+ the SEQUENCE OF PA-DATA definition.
+
+ Section 7, naming constraints, from RFC1510 was moved to section
+ 6.
+
+ Words were added describing the convention that domain based realm
+ names for newly created realms should be specified as upper case.
+ This recommendation does not make lower case realm names illegal.
+ Words were added highlighting that the slash separated components
+ in the X500 style of realm names is consistent with existing
+ RFC1510 based implementations, but that it conflicts with the
+
+
+
+February 2004 [Page 135]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ general recommendation of X.500 name representation specified in
+ RFC2253.
+
+ Section 8, network transport, constants and defined values, from
+ RFC1510 was moved to section 7. Since RFC1510, the definition of
+ the TCP transport for Kerberos messages was added, and the
+ encryption and checksum number assignments have been moved into a
+ separate document.
+
+ "Specification 2" in section 8 of the current document changes the
+ required encryption and checksum methods to bring them in line
+ with the best current practices and to deprecate methods that are
+ no longer considered sufficiently strong.
+
+ Two new sections, on IANA considerations and security
+ considerations were added.
+
+ The pseudo-code has been removed from the appendix. The pseudo-
+ code was sometimes misinterpreted to limit implementation choices
+ and in RFC 1510, it was not always consistent with the words in
+ the specification. Effort was made to clear up any ambiguities in
+ the specification, rather than to rely on the pseudo-code.
+
+ An appendix was added containing the complete ASN.1 module drawn
+ from the discussion in section 5 of the current document.
+
+END NOTES
+
+ [TM] Project Athena, Athena, and Kerberos are trademarks of the
+ Massachusetts Institute of Technology (MIT). No commercial use of
+ these trademarks may be made without prior written permission of
+ MIT.
+
+ [1] Note, however, that many applications use Kerberos' functions
+ only upon the initiation of a stream-based network connection.
+ Unless an application subsequently provides integrity protection
+ for the data stream, the identity verification applies only to the
+ initiation of the connection, and does not guarantee that
+ subsequent messages on the connection originate from the same
+ principal.
+
+ [2] Secret and private are often used interchangeably in the
+ literature. In our usage, it takes two (or more) to share a
+ secret, thus a shared DES key is a secret key. Something is only
+ private when no one but its owner knows it. Thus, in public key
+ cryptosystems, one has a public and a private key.
+
+ [3] Of course, with appropriate permission the client could
+
+
+
+February 2004 [Page 136]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ arrange registration of a separately-named principal in a remote
+ realm, and engage in normal exchanges with that realm's services.
+ However, for even small numbers of clients this becomes
+ cumbersome, and more automatic methods as described here are
+ necessary.
+
+ [4] Though it is permissible to request or issue tickets with no
+ network addresses specified.
+
+ [5] The password-changing request must not be honored unless the
+ requester can provide the old password (the user's current secret
+ key). Otherwise, it would be possible for someone to walk up to an
+ unattended session and change another user's password.
+
+ [6] To authenticate a user logging on to a local system, the
+ credentials obtained in the AS exchange may first be used in a TGS
+ exchange to obtain credentials for a local server. Those
+ credentials must then be verified by a local server through
+ successful completion of the Client/Server exchange.
+
+ [7] "Random" means that, among other things, it should be
+ impossible to guess the next session key based on knowledge of
+ past session keys. This can only be achieved in a pseudo-random
+ number generator if it is based on cryptographic principles. It is
+ more desirable to use a truly random number generator, such as one
+ based on measurements of random physical phenomena. See [RFC1750]
+ for an in depth discussion of randomness.
+
+ [8] Tickets contain both an encrypted and unencrypted portion, so
+ cleartext here refers to the entire unit, which can be copied from
+ one message and replayed in another without any cryptographic
+ skill.
+
+ [9] Note that this can make applications based on unreliable
+ transports difficult to code correctly. If the transport might
+ deliver duplicated messages, either a new authenticator must be
+ generated for each retry, or the application server must match
+ requests and replies and replay the first reply in response to a
+ detected duplicate.
+
+ [10] Note also that the rejection here is restricted to
+ authenticators from the same principal to the same server. Other
+ client principals communicating with the same server principal
+ should not be have their authenticators rejected if the time and
+ microsecond fields happen to match some other client's
+ authenticator.
+
+ [11] If this is not done, an attacker could subvert the
+
+
+
+February 2004 [Page 137]
+
+
+
+
+
+Neuman, et al. draft-ietf-krb-wg-kerberos-clarifications-05.txt DRAFT
+
+
+ authentication by recording the ticket and authenticator sent over
+ the network to a server and replaying them following an event that
+ caused the server to lose track of recently seen authenticators.
+
+ [12] In the Kerberos version 4 protocol, the timestamp in the
+ reply was the client's timestamp plus one. This is not necessary
+ in version 5 because version 5 messages are formatted in such a
+ way that it is not possible to create the reply by judicious
+ message surgery (even in encrypted form) without knowledge of the
+ appropriate encryption keys.
+
+ [13] Note that for encrypting the KRB_AP_REP message, the sub-
+ session key is not used, even if present in the Authenticator.
+
+ [14] Implementations of the protocol may provide routines to
+ choose subkeys based on session keys and random numbers and to
+ generate a negotiated key to be returned in the KRB_AP_REP
+ message.
+
+ [15]This can be accomplished in several ways. It might be known
+ beforehand (since the realm is part of the principal identifier),
+ it might be stored in a nameserver, or it might be obtained from a
+ configuration file. If the realm to be used is obtained from a
+ nameserver, there is a danger of being spoofed if the nameservice
+ providing the realm name is not authenticated. This might result
+ in the use of a realm which has been compromised, and would result
+ in an attacker's ability to compromise the authentication of the
+ application server to the client.
+
+ [16] If the client selects a sub-session key, care must be taken
+ to ensure the randomness of the selected sub-session key. One
+ approach would be to generate a random number and XOR it with the
+ session key from the ticket-granting ticket.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+February 2004 [Page 138]
View Lorry Controller Status