summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt672
1 files changed, 672 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt
new file mode 100644
index 00000000000..bf2dd5f2d2f
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-pkinit-alg-agility-00.txt
@@ -0,0 +1,672 @@
+
+
+
+Network Working Group L. Hornquist Astrand
+Internet-Draft Stockholm University
+Expires: September 2, 2006 L. Zhu
+ Microsoft Corporation
+ March 2006
+
+
+ PK-INIT algorithm agility
+ draft-ietf-krb-wg-pkinit-alg-agility-00
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on September 2, 2006.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2006).
+
+Abstract
+
+ The PK-INIT protocol have in several places hard coded crypto
+ algorithms. The protocol specification needs to be updated so it can
+ support negotiation to upgrading to newer versions of crypto
+ algorithms. This document addresses this issue.
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 1]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Requirements notation . . . . . . . . . . . . . . . . . . . . 4
+ 3. paChecksum agility . . . . . . . . . . . . . . . . . . . . . . 5
+ 4. CMS Digest Algorithm agility . . . . . . . . . . . . . . . . . 6
+ 5. Certificate Signer Algorithm Identifier agility . . . . . . . 7
+ 6. octetstring2key function agility . . . . . . . . . . . . . . . 8
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
+ 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
+ 9. Normative References . . . . . . . . . . . . . . . . . . . . . 10
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
+ Intellectual Property and Copyright Statements . . . . . . . . . . 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 2]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+1. Introduction
+
+ The Kerberos PK-INIT document contains several hardcoded algorithms
+ that was know designed at design time that they had to be replaced by
+ something else at a later time, this document described how to use
+ other algorithms other then those that are hard-coded.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 3]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+2. Requirements notation
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 4]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+3. paChecksum agility
+
+ The paChecksum binds the PK-INIT part of the request to main body of
+ the Kerberos request (KDC-REQ-BODY). This is to makes sure an
+ attacker can not change the request from the client to the server.
+ The problem is that paChecksum is hardcoded to use SHA1-1, however,
+ there is a mechaism to provide algorithm agility for the paChecksum
+ within the PK-INIT prototcol. Newer clients can choose not send the
+ paChecksum field, but rather add some new fields after the existing
+ fields, older KDC will send back know failure-code so that newer
+ clients can fall back to the old protocol if local policy allows
+ that.
+
+ If the attacker can preserve the checksum in paChecksum, an attacker
+ can, for example, change the KDC-REQ-BODY is to downgrade the
+ encryption types used, expend the expiration time, etc, and then try
+ to brute-force the request.
+
+ In the Public Key Encryption case of PK-INIT the reply contains a
+ checksum over the whole request in the asChecksum field, in this case
+ the client will detect any modifications to the request. Since the
+ asChecksum is using the associated checksum of the session key
+ encryption type, asChecksum field is algorithm agile.
+
+ One way to solve this problem is to add the asChecksum to the Diffie-
+ Hellman case reply too, and just ignore the paCheckSum field. The
+ KDC should still not issue tickets that are too weak, since that
+ exposes the problem. This is regardless of the using PK-INIT or not.
+
+ Questions for wg: Wait for Kerberos Extensions that will solve this
+ problem (ignore the problem for how), or use add asChecksum to DH
+ case.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 5]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+4. CMS Digest Algorithm agility
+
+ The client can tell KDC what the supported CMS types are in the
+ requset packet, but there are no equivalent for KDC to the the client
+ what the digest algorithm are support in an reply.
+
+ Have KDC send the CMS list of supported encryption types in the
+ e-data field of KRB-ERROR when returning the
+ KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error.
+
+ DER encoded TS-SD-PARAMETERS specifies supported digest algorithms.
+ The list is in decreasing preference order.
+
+
+
+ TD-SD-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 6]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+5. Certificate Signer Algorithm Identifier agility
+
+ The KDC can reject a certificate based on the signers hash algorithm
+ with the error KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED, but doesn't tell
+ the client what algorithm are supported.
+
+ DER encoded TS-DC-PARAMETERS specifies supported certificate digest
+ algorithms. The AllowedAlgorithms is in decreasing preference order.
+ RejectedAlgorithm may be include my the KDC to tell what algorithm
+ was rejected in case the rejected certificate was part of a computed
+ chain.
+
+
+
+ TD-DC-PARAMETERS ::= SEQUENCE {
+ AllowedAlgorithms [0] SEQUENCE OF AlgorithmIdentifier,
+ RejectedAlgorithm [1] AlgorithmIdentifier OPTIONAL
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 7]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+6. octetstring2key function agility
+
+ The PK-INIT standard uses a home-grown string 2 key function in the
+ DH case. The function uses SHA-1 to mix and stretch the DH shared
+ key.
+
+ Describe how the client announces that is supports the new String to
+ key function. Probably by stuffing it into the supportCMSTypes field
+ in the request.
+
+ Use NIST SP 800 56B when its published.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 8]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+7. Security Considerations
+
+ This document describes negotiation of checksum types and other
+ cryptographic functions. Most of this negotiation is done
+ unauthenticated with no way to very
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 9]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+8. IANA Considerations
+
+ No IANA considerations.
+
+9. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 10]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+Authors' Addresses
+
+ Love Hornquist Astrand
+ Stockholm University
+ SE-106 91 STOCKHOLM
+ SWEDEN
+
+ Email: lha@it.su.se
+
+
+ Larry Zhu
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ Email: lzhu@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 11]
+
+Internet-Draft PK-INIT algorithm agility March 2006
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2006). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Hornquist Astrand & Zhu Expires September 2, 2006 [Page 12]
+
View Lorry Controller Status