summaryrefslogtreecommitdiff
path: root/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt')
-rw-r--r--third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt2184
1 files changed, 2184 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt
new file mode 100644
index 00000000000..7df5301bd1d
--- /dev/null
+++ b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-preauth-framework-06.txt
@@ -0,0 +1,2184 @@
+
+
+
+Kerberos Working Group L. Zhu
+Internet-Draft Microsoft Corporation
+Updates: 4120 (if approved) S. Hartman
+Intended status: Standards Track MIT
+Expires: January 9, 2008 July 8, 2007
+
+
+ A Generalized Framework for Kerberos Pre-Authentication
+ draft-ietf-krb-wg-preauth-framework-06
+
+Status of this Memo
+
+ By submitting this Internet-Draft, each author represents that any
+ applicable patent or other IPR claims of which he or she is aware
+ have been or will be disclosed, and any of which he or she becomes
+ aware will be disclosed, in accordance with Section 6 of BCP 79.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 9, 2008.
+
+Copyright Notice
+
+ Copyright (C) The IETF Trust (2007).
+
+Abstract
+
+ Kerberos is a protocol for verifying the identity of principals
+ (e.g., a workstation user or a network server) on an open network.
+ The Kerberos protocol provides a mechanism called pre-authentication
+ for proving the identity of a principal and for better protecting the
+ long-term secret of the principal.
+
+ This document describes a model for Kerberos pre-authentication
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 1]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ mechanisms. The model describes what state in the Kerberos request a
+ pre-authentication mechanism is likely to change. It also describes
+ how multiple pre-authentication mechanisms used in the same request
+ will interact.
+
+ This document also provides common tools needed by multiple pre-
+ authentication mechanisms. One of these tools is a secure channel
+ between the client and the KDC with a reply key delivery mechanism;
+ this secure channel can be used to protect the authentication
+ exchange thus eliminate offline dictionary attacks. With these
+ tools, it is relatively straightforward to chain multiple
+ authentication mechanisms, utilize a different key management system,
+ or support a new key agreement algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 2]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Conventions and Terminology Used in This Document . . . . . . 5
+ 3. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 5
+ 3.1. Information Managed by the Pre-authentication Model . . . 6
+ 3.2. Initial Pre-authentication Required Error . . . . . . . . 8
+ 3.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 10
+ 4. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 10
+ 4.1. Client-authentication Facility . . . . . . . . . . . . . . 12
+ 4.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 12
+ 4.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 13
+ 4.4. KDC-authentication Facility . . . . . . . . . . . . . . . 14
+ 5. Requirements for Pre-Authentication Mechanisms . . . . . . . . 14
+ 6. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 15
+ 6.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 15
+ 6.2. Protecting Requests/Responses . . . . . . . . . . . . . . 16
+ 6.3. Managing States for the KDC . . . . . . . . . . . . . . . 17
+ 6.4. Pre-authentication Set . . . . . . . . . . . . . . . . . . 19
+ 6.5. Definition of Kerberos FAST Padata . . . . . . . . . . . . 21
+ 6.5.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 22
+ 6.5.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 23
+ 6.5.3. FAST Response . . . . . . . . . . . . . . . . . . . . 27
+ 6.5.4. Authenticated Kerberos Error Messages using
+ Kerberos FAST . . . . . . . . . . . . . . . . . . . . 29
+ 6.5.5. The Authenticated Timestamp FAST Factor . . . . . . . 30
+ 6.6. Authentication Strength Indication . . . . . . . . . . . . 32
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 33
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . . 34
+ 10.2. Informative References . . . . . . . . . . . . . . . . . . 34
+ Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 35
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38
+ Intellectual Property and Copyright Statements . . . . . . . . . . 39
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 3]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+1. Introduction
+
+ The core Kerberos specification [RFC4120] treats pre-authentication
+ data as an opaque typed hole in the messages to the KDC that may
+ influence the reply key used to encrypt the KDC reply. This
+ generality has been useful: pre-authentication data is used for a
+ variety of extensions to the protocol, many outside the expectations
+ of the initial designers. However, this generality makes designing
+ more common types of pre-authentication mechanisms difficult. Each
+ mechanism needs to specify how it interacts with other mechanisms.
+ Also, problems like combining a key with the long-term secret or
+ proving the identity of the user are common to multiple mechanisms.
+ Where there are generally well-accepted solutions to these problems,
+ it is desirable to standardize one of these solutions so mechanisms
+ can avoid duplication of work. In other cases, a modular approach to
+ these problems is appropriate. The modular approach will allow new
+ and better solutions to common pre-authentication problems to be used
+ by existing mechanisms as they are developed.
+
+ This document specifies a framework for Kerberos pre-authentication
+ mechanisms. It defines the common set of functions that pre-
+ authentication mechanisms perform as well as how these functions
+ affect the state of the request and reply. In addition several
+ common tools needed by pre-authentication mechanisms are provided.
+ Unlike [RFC3961], this framework is not complete--it does not
+ describe all the inputs and outputs for the pre-authentication
+ mechanisms. Pre-Authentication mechanism designers should try to be
+ consistent with this framework because doing so will make their
+ mechanisms easier to implement. Kerberos implementations are likely
+ to have plugin architectures for pre-authentication; such
+ architectures are likely to support mechanisms that follow this
+ framework plus commonly used extensions.
+
+ One of these common tools is the flexible authentication secure
+ tunneling (FAST) padata type. FAST provides a protected channel
+ between the client and the KDC, and it can optionally deliver a reply
+ key within the protected channel. Based on FAST, pre-authentication
+ mechanisms can extend Kerberos with ease, to support, for example,
+ password authenticated key exchange (PAKE) protocols with zero
+ knowledge password proof (ZKPP) [EKE] [IEEE1363.2]. Any pre-
+ authentication mechanism can be encapsulated in the FAST messages as
+ defined in Section 6.5. A pre-authentication type carried within
+ FAST is called a FAST factor. Creating a FAST factor is the easiest
+ path to create a new pre-authentication mechanism. FAST factors are
+ significantly easier to analyze from a security standpoint than other
+ pre-authentication mechanisms.
+
+ Mechanism designers should design FAST factors, instead of new pre-
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 4]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ authentication mechanisms outside of FAST.
+
+
+2. Conventions and Terminology Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ The word padata is used as a shorthand for pre-authentication data.
+
+ A conversation is the set of all authentication messages exchanged
+ between the client and the KDCs in order to authenticate the client
+ principal. A conversation as defined here consists of all messages
+ that are necessary to complete the authentication between the client
+ and the KDC.
+
+ Lastly, this document should be read only after reading the documents
+ describing the Kerberos cryptography framework [RFC3961] and the core
+ Kerberos protocol [RFC4120]. This document may freely use
+ terminology and notation from these documents without reference or
+ further explanation.
+
+
+3. Model for Pre-Authentication
+
+ When a Kerberos client wishes to obtain a ticket using the
+ authentication server, it sends an initial Authentication Service
+ (AS) request. If pre-authentication is required but not being used,
+ then the KDC will respond with a KDC_ERR_PREAUTH_REQUIRED error.
+ Alternatively, if the client knows what pre-authentication to use, it
+ MAY optimize away a round-trip and send an initial request with
+ padata included in the initial request. If the client includes the
+ padata computed using the wrong pre-authentication mechanism or
+ incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no
+ indication of what padata should have been included. In that case,
+ the client MUST retry with no padata and examine the error data of
+ the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre-
+ authentication information in the accompanying error data of
+ KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and
+ then retry.
+
+ The conventional KDC maintains no state between two requests;
+ subsequent requests may even be processed by a different KDC. On the
+ other hand, the client treats a series of exchanges with KDCs as a
+ single conversation. Each exchange accumulates state and hopefully
+ brings the client closer to a successful authentication.
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 5]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ These models for state management are in apparent conflict. For many
+ of the simpler pre-authentication scenarios, the client uses one
+ round trip to find out what mechanisms the KDC supports. Then the
+ next request contains sufficient pre-authentication for the KDC to be
+ able to return a successful reply. For these simple scenarios, the
+ client only sends one request with pre-authentication data and so the
+ conversation is trivial. For more complex conversations, the KDC
+ needs to provide the client with a cookie to include in future
+ requests to capture the current state of the authentication session.
+ Handling of multiple round-trip mechanisms is discussed in
+ Section 6.3.
+
+ This framework specifies the behavior of Kerberos pre-authentication
+ mechanisms used to identify users or to modify the reply key used to
+ encrypt the KDC reply. The PA-DATA typed hole may be used to carry
+ extensions to Kerberos that have nothing to do with proving the
+ identity of the user or establishing a reply key. Such extensions
+ are outside the scope of this framework. However mechanisms that do
+ accomplish these goals should follow this framework.
+
+ This framework specifies the minimum state that a Kerberos
+ implementation needs to maintain while handling a request in order to
+ process pre-authentication. It also specifies how Kerberos
+ implementations process the padata at each step of the AS request
+ process.
+
+3.1. Information Managed by the Pre-authentication Model
+
+ The following information is maintained by the client and KDC as each
+ request is being processed:
+
+ o The reply key used to encrypt the KDC reply
+
+ o How strongly the identity of the client has been authenticated
+
+ o Whether the reply key has been used in this conversation
+
+ o Whether the reply key has been replaced in this conversation
+
+ o Whether the contents of the KDC reply can be verified by the
+ client principal
+
+
+ Conceptually, the reply key is initially the long-term key of the
+ principal. However, principals can have multiple long-term keys
+ because of support for multiple encryption types, salts and
+ string2key parameters. As described in Section 5.2.7.5 of the
+ Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 6]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ the client what types of keys are available. Thus in full
+ generality, the reply key in the pre-authentication model is actually
+ a set of keys. At the beginning of a request, it is initialized to
+ the set of long-term keys advertised in the PA-ETYPE-INFO2 element on
+ the KDC. If multiple reply keys are available, the client chooses
+ which one to use. Thus the client does not need to treat the reply
+ key as a set. At the beginning of a request, the client picks a
+ reply key to use.
+
+ KDC implementations MAY choose to offer only one key in the PA-ETYPE-
+ INFO2 element. Since the KDC already knows the client's list of
+ supported enctypes from the request, no interoperability problems are
+ created by choosing a single possible reply key. This way, the KDC
+ implementation avoids the complexity of treating the reply key as a
+ set.
+
+ When the padata in the request is verified by the KDC, then the
+ client is known to have that key, therefore the KDC SHOULD pick the
+ same key as the reply key.
+
+ At the beginning of handling a message on both the client and the
+ KDC, the client's identity is not authenticated. A mechanism may
+ indicate that it has successfully authenticated the client's
+ identity. This information is useful to keep track of on the client
+ in order to know what pre-authentication mechanisms should be used.
+ The KDC needs to keep track of whether the client is authenticated
+ because the primary purpose of pre-authentication is to authenticate
+ the client identity before issuing a ticket. The handling of
+ authentication strength using various authentication mechanisms is
+ discussed in Section 6.6.
+
+ Initially the reply key has not been used. A pre-authentication
+ mechanism that uses the reply key to encrypt or checksum some data in
+ the generation of new keys MUST indicate that the reply key is used.
+ This state is maintained by the client and the KDC to enforce the
+ security requirement stated in Section 4.3 that the reply key cannot
+ be replaced after it is used.
+
+ Initially the reply key has not been replaced. If a mechanism
+ implements the Replace Reply Key facility discussed in Section 4.3,
+ then the state MUST be updated to indicate that the reply key has
+ been replaced. Once the reply key has been replaced, knowledge of
+ the reply key is insufficient to authenticate the client. The reply
+ key is marked replaced in exactly the same situations as the KDC
+ reply is marked as not being verified to the client principal.
+ However, while mechanisms can verify the KDC reply to the client,
+ once the reply key is replaced, then the reply key remains replaced
+ for the remainder of the conversation.
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 7]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ Without pre-authentication, the client knows that the KDC reply is
+ authentic and has not been modified because it is encrypted in a
+ long-term key of the client. Only the KDC and the client know that
+ key. So at the start of handling any message the KDC reply is
+ presumed to be verified using the client principal's long-term key.
+ Any pre-authentication mechanism that sets a new reply key not based
+ on the principal's long-term secret MUST either verify the KDC reply
+ some other way or indicate that the reply is not verified. If a
+ mechanism indicates that the reply is not verified then the client
+ implementation MUST return an error unless a subsequent mechanism
+ verifies the reply. The KDC needs to track this state so it can
+ avoid generating a reply that is not verified.
+
+ The typical Kerberos request does not provide a way for the client
+ machine to know that it is talking to the correct KDC. Someone who
+ can inject packets into the network between the client machine and
+ the KDC and who knows the password that the user will give to the
+ client machine can generate a KDC reply that will decrypt properly.
+ So, if the client machine needs to authenticate that the user is in
+ fact the named principal, then the client machine needs to do a TGS
+ request for itself as a service. Some pre-authentication mechanisms
+ may provide a way for the client to authenticate the KDC. Examples
+ of this include signing the reply that can be verified using a well-
+ known public key or providing a ticket for the client machine as a
+ service.
+
+3.2. Initial Pre-authentication Required Error
+
+ Typically a client starts a conversation by sending an initial
+ request with no pre-authentication. If the KDC requires pre-
+ authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message.
+ After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code,
+ the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_NEEDED
+ (defined in Section 6.3) for pre-authentication configurations that
+ use multi-round-trip mechanisms; see Section 3.4 for details of that
+ case.
+
+ The KDC needs to choose which mechanisms to offer the client. The
+ client needs to be able to choose what mechanisms to use from the
+ first message. For example consider the KDC that will accept
+ mechanism A followed by mechanism B or alternatively the single
+ mechanism C. A client that supports A and C needs to know that it
+ should not bother trying A.
+
+ Mechanisms can either be sufficient on their own or can be part of an
+ authentication set--a group of mechanisms that all need to
+ successfully complete in order to authenticate a client. Some
+ mechanisms may only be useful in authentication sets; others may be
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 8]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ useful alone or in authentication sets. For the second group of
+ mechanisms, KDC policy dictates whether the mechanism will be part of
+ an authentication set or offered alone. For each mechanism that is
+ offered alone, the KDC includes the pre-authentication type ID of the
+ mechanism in the padata sequence returned in the
+ KDC_ERR_PREAUTH_REQUIRED error.
+
+ The KDC SHOULD NOT send data that is encrypted in the long-term
+ password-based key of the principal. Doing so has the same security
+ exposures as the Kerberos protocol without pre-authentication. There
+ are few situations where pre-authentication is desirable and where
+ the KDC needs to expose cipher text encrypted in a weak key before
+ the client has proven knowledge of that key.
+
+3.3. Client to KDC
+
+ This description assumes that a client has already received a
+ KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs
+ optimistic pre-authentication then the client needs to optimistically
+ guess values for the information it would normally receive from that
+ error response.
+
+ The client starts by initializing the pre-authentication state as
+ specified. It then processes the padata in the
+ KDC_ERR_PREAUTH_REQUIRED.
+
+ When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the
+ client MAY ignore any padata it chooses unless doing so violates a
+ specification to which the client conforms. Clients conforming to
+ this specification MUST NOT ignore the padata defined in Section 6.3.
+ Clients SHOULD process padata unrelated to this framework or other
+ means of authenticating the user. Clients SHOULD choose one
+ authentication set or mechanism that could lead to authenticating the
+ user and ignore the rest. Since the list of mechanisms offered by
+ the KDC is in the decreasing preference order, clients typically
+ choose the first mechanism or authentication set that the client can
+ usefully perform. If a client chooses to ignore a padata it MUST NOT
+ process the padata, allow the padata to affect the pre-authentication
+ state, nor respond to the padata.
+
+ For each padata the client chooses to process, the client processes
+ the padata and modifies the pre-authentication state as required by
+ that mechanism. Padata are processed in the order received from the
+ KDC.
+
+ After processing the padata in the KDC error, the client generates a
+ new request. It processes the pre-authentication mechanisms in the
+ order in which they will appear in the next request, updating the
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 9]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ state as appropriate. The request is sent when it is complete.
+
+3.4. KDC to Client
+
+ When a KDC receives an AS request from a client, it needs to
+ determine whether it will respond with an error or an AS reply.
+ There are many causes for an error to be generated that have nothing
+ to do with pre-authentication; they are discussed in the core
+ Kerberos specification.
+
+ From the standpoint of evaluating the pre-authentication, the KDC
+ first starts by initializing the pre-authentication state. It then
+ processes the padata in the request. As mentioned in Section 3.3,
+ the KDC MAY ignore padata that is inappropriate for the configuration
+ and MUST ignore padata of an unknown type.
+
+ At this point the KDC decides whether it will issue a pre-
+ authentication required error or a reply. Typically a KDC will issue
+ a reply if the client's identity has been authenticated to a
+ sufficient degree.
+
+ In the case of a KDC_ERR_MORE_PREAUTH_DATA_NEEDED error, the KDC
+ first starts by initializing the pre-authentication state. Then it
+ processes any padata in the client's request in the order provided by
+ the client. Mechanisms that are not understood by the KDC are
+ ignored. Mechanisms that are inappropriate for the client principal
+ or the request SHOULD also be ignored. Next, it generates padata for
+ the error response, modifying the pre-authentication state
+ appropriately as each mechanism is processed. The KDC chooses the
+ order in which it will generate padata (and thus the order of padata
+ in the response), but it needs to modify the pre-authentication state
+ consistently with the choice of order. For example, if some
+ mechanism establishes an authenticated client identity, then the
+ subsequent mechanisms in the generated response receive this state as
+ input. After the padata is generated, the error response is sent.
+ Typically the errors with the code KDC_ERR_MORE_PREAUTH_DATA_NEEDED
+ in a converstation will include KDC state as discussed in
+ Section 6.3.
+
+ To generate a final reply, the KDC generates the padata modifying the
+ pre-authentication state as necessary. Then it generates the final
+ response, encrypting it in the current pre-authentication reply key.
+
+
+4. Pre-Authentication Facilities
+
+ Pre-Authentication mechanisms can be thought of as providing various
+ conceptual facilities. This serves two useful purposes. First,
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 10]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ mechanism authors can choose only to solve one specific small
+ problem. It is often useful for a mechanism designed to offer key
+ management not to directly provide client authentication but instead
+ to allow one or more other mechanisms to handle this need. Secondly,
+ thinking about the abstract services that a mechanism provides yields
+ a minimum set of security requirements that all mechanisms providing
+ that facility must meet. These security requirements are not
+ complete; mechanisms will have additional security requirements based
+ on the specific protocol they employ.
+
+ A mechanism is not constrained to only offering one of these
+ facilities. While such mechanisms can be designed and are sometimes
+ useful, many pre-authentication mechanisms implement several
+ facilities. By combining multiple facilities in a single mechanism,
+ it is often easier to construct a secure, simple solution than by
+ solving the problem in full generality. Even when mechanisms provide
+ multiple facilities, they need to meet the security requirements for
+ all the facilities they provide. If the FAST factor approach is
+ used, it is likely that one or a small number of facilities can be
+ provided by a single mechanism without complicating the security
+ analysis.
+
+ According to Kerberos extensibility rules (Section 1.5 of the
+ Kerberos specification [RFC4120]), an extension MUST NOT change the
+ semantics of a message unless a recipient is known to understand that
+ extension. Because a client does not know that the KDC supports a
+ particular pre-authentication mechanism when it sends an initial
+ request, a pre-authentication mechanism MUST NOT change the semantics
+ of the request in a way that will break a KDC that does not
+ understand that mechanism. Similarly, KDCs MUST NOT send messages to
+ clients that affect the core semantics unless the client has
+ indicated support for the message.
+
+ The only state in this model that would break the interpretation of a
+ message is changing the expected reply key. If one mechanism changed
+ the reply key and a later mechanism used that reply key, then a KDC
+ that interpreted the second mechanism but not the first would fail to
+ interpret the request correctly. In order to avoid this problem,
+ extensions that change core semantics are typically divided into two
+ parts. The first part proposes a change to the core semantic--for
+ example proposes a new reply key. The second part acknowledges that
+ the extension is understood and that the change takes effect.
+ Section 4.2 discusses how to design mechanisms that modify the reply
+ key to be split into a proposal and acceptance without requiring
+ additional round trips to use the new reply key in subsequent pre-
+ authentication. Other changes in the state described in Section 3.1
+ can safely be ignored by a KDC that does not understand a mechanism.
+ Mechanisms that modify the behavior of the request outside the scope
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 11]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ of this framework need to carefully consider the Kerberos
+ extensibility rules to avoid similar problems.
+
+4.1. Client-authentication Facility
+
+ The client authentication facility proves the identity of a user to
+ the KDC before a ticket is issued. Examples of mechanisms
+ implementing this facility include the encrypted timestamp facility
+ defined in Section 5.2.7.2 of the Kerberos specification [RFC4120].
+ Mechanisms that provide this facility are expected to mark the client
+ as authenticated.
+
+ Mechanisms implementing this facility SHOULD require the client to
+ prove knowledge of the reply key before transmitting a successful KDC
+ reply. Otherwise, an attacker can intercept the pre-authentication
+ exchange and get a reply to attack. One way of proving the client
+ knows the reply key is to implement the Replace Reply Key facility
+ along with this facility. The PKINIT mechanism [RFC4556] implements
+ Client Authentication alongside Replace Reply Key.
+
+ If the reply key has been replaced, then mechanisms such as
+ encrypted-timestamp that rely on knowledge of the reply key to
+ authenticate the client MUST NOT be used.
+
+4.2. Strengthening-reply-key Facility
+
+ Particularly, when dealing with keys based on passwords, it is
+ desirable to increase the strength of the key by adding additional
+ secrets to it. Examples of sources of additional secrets include the
+ results of a Diffie-Hellman key exchange or key bits from the output
+ of a smart card [KRB-WG.SAM]. Typically these additional secrets can
+ be first combined with the existing reply key and then converted to a
+ protocol key using tools defined in Section 6.1.
+
+ If a mechanism implementing this facility wishes to modify the reply
+ key before knowing that the other party in the exchange supports the
+ mechanism, it proposes modifying the reply key. The other party then
+ includes a message indicating that the proposal is accepted if it is
+ understood and meets policy. In many cases it is desirable to use
+ the new reply key for client authentication and for other facilities.
+ Waiting for the other party to accept the proposal and actually
+ modify the reply key state would add an additional round trip to the
+ exchange. Instead, mechanism designers are encouraged to include a
+ typed hole for additional padata in the message that proposes the
+ reply key change. The padata included in the typed hole are
+ generated assuming the new reply key. If the other party accepts the
+ proposal, then these padata are considered as an inner level. As
+ with the outer level, one authentication set or mechanism is
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 12]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ typically chosen for client authentication, along with auxiliary
+ mechanisms such as KDC cookies, and other mechanisms are ignored.
+ [[anchor5: Containers like this need more thought. For example if
+ you are constructing an authentication set do you expect to use a
+ strengthen reply key mechanism in conjunction with something else, do
+ you include the something else in the hint of the strengthen
+ mechanism or as its own entry. It's easier to configure and express
+ the authentication set as its own entry. However if you do that' the
+ composition of the mechanisms looks in practice than it appears in
+ the authentication set.]] The party generating the proposal can
+ determine whether the padata were processed based on whether the
+ proposal for the reply key is accepted.
+
+ The specific formats of the proposal message, including where padata
+ are included is a matter for the mechanism specification. Similarly,
+ the format of the message accepting the proposal is mechanism-
+ specific.
+
+ Mechanisms implementing this facility and including a typed hole for
+ additional padata MUST checksum that padata using a keyed checksum or
+ encrypt the padata. This requirement protects against modification
+ of the contents of the typed hole. By modifying these contents an
+ attacker might be able to choose which mechanism is used to
+ authenticate the client, or to convince a party to provide text
+ encrypted in a key that the attacker had manipulated. It is
+ important that mechanisms strengthen the reply key enough that using
+ it to checksum padata is appropriate.
+
+4.3. Replacing-reply-key Facility
+
+ The Replace Reply Key facility replaces the key in which a successful
+ AS reply will be encrypted. This facility can only be used in cases
+ where knowledge of the reply key is not used to authenticate the
+ client. The new reply key MUST be communicated to the client and the
+ KDC in a secure manner. Mechanisms implementing this facility MUST
+ mark the reply key as replaced in the pre-authentication state.
+ Mechanisms implementing this facility MUST either provide a mechanism
+ to verify the KDC reply to the client or mark the reply as unverified
+ in the pre-authentication state. Mechanisms implementing this
+ facility SHOULD NOT be used if a previous mechanism has used the
+ reply key.
+
+ As with the strengthening-reply-key facility, Kerberos extensibility
+ rules require that the reply key not be changed unless both sides of
+ the exchange understand the extension. In the case of this facility
+ it will likely be more common for both sides to know that the
+ facility is available by the time that the new key is available to be
+ used. However, mechanism designers can use a container for padata in
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 13]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ a proposal message as discussed in Section 4.2 if appropriate.
+
+4.4. KDC-authentication Facility
+
+ This facility verifies that the reply comes from the expected KDC.
+ In traditional Kerberos, the KDC and the client share a key, so if
+ the KDC reply can be decrypted then the client knows that a trusted
+ KDC responded. Note that the client machine cannot trust the client
+ unless the machine is presented with a service ticket for it
+ (typically the machine can retrieve this ticket by itself). However,
+ if the reply key is replaced, some mechanism is required to verify
+ the KDC. Pre-authentication mechanisms providing this facility allow
+ a client to determine that the expected KDC has responded even after
+ the reply key is replaced. They mark the pre-authentication state as
+ having been verified.
+
+
+5. Requirements for Pre-Authentication Mechanisms
+
+ This section lists requirements for specifications of pre-
+ authentication mechanisms.
+
+ For each message in the pre-authentication mechanism, the
+ specification describes the pa-type value to be used and the contents
+ of the message. The processing of the message by the sender and
+ recipient is also specified. This specification needs to include all
+ modifications to the pre-authentication state.
+
+ Generally mechanisms have a message that can be sent in the error
+ data of the KDC_ERR_PREAUTH_REQUIRED error message or in an
+ authentication set. If the client needs information such as trusted
+ certificate authorities in order to determine if it can use the
+ mechanism, then this information should be in that message. In
+ addition, such mechanisms should also define a pa-hint to be included
+ in authentication sets. Often, the same information included in the
+ padata-value is appropriate to include in the pa-hint (as defined in
+ Section 6.4).
+
+ In order to ease security analysis the mechanism specification should
+ describe what facilities from this document are offered by the
+ mechanism. For each facility, the security consideration section of
+ the mechanism specification should show that the security
+ requirements of that facility are met. This requirement is
+ applicable to any FAST factor that provides authentication
+ information.
+
+ Significant problems have resulted in the specification of Kerberos
+ protocols because much of the KDC exchange is not protected against
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 14]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ authentication. The security considerations section should discuss
+ unauthenticated plaintext attacks. It should either show that
+ plaintext is protected or discuss what harm an attacker could do by
+ modifying the plaintext. It is generally acceptable for an attacker
+ to be able to cause the protocol negotiation to fail by modifying
+ plaintext. More significant attacks should be evaluated carefully.
+
+ As discussed in Section 6.3, there is no guarantee that a client will
+ use the same KDCs for all messages in a conversation. The mechanism
+ specification needs to show why the mechanism is secure in this
+ situation. The hardest problem to deal with, especially for
+ challenge/response mechanisms is to make sure that the same response
+ cannot be replayed against two KDCs while allowing the client to talk
+ to any KDC.
+
+
+6. Tools for Use in Pre-Authentication Mechanisms
+
+ This section describes common tools needed by multiple pre-
+ authentication mechanisms. By using these tools mechanism designers
+ can use a modular approach to specify mechanism details and ease
+ security analysis.
+
+6.1. Combining Keys
+
+ Frequently a weak key needs to be combined with a stronger key before
+ use. For example, passwords are typically limited in size and
+ insufficiently random, therefore it is desirable to increase the
+ strength of the keys based on passwords by adding additional secrets.
+ Additional source of secrecy may come from hardware tokens.
+
+ This section provides standard ways to combine two keys into one.
+
+ KRB-FX-CF1() is defined to combine two pass-phrases.
+
+ KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string)
+ KRB-FX-CF1(x, y) -> x || y
+
+ Where || denotes concatenation. The strength of the final key is
+ roughly the total strength of the individual keys being combined
+ assuming that the string_to_key() function [RFC3961] uses all its
+ input evenly.
+
+ An example usage of KRB-FX-CF1() is when a device provides random but
+ short passwords, the password is often combined with a personal
+ identification number (PIN). The password and the PIN can be
+ combined using KRB-FX-CF1().
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 15]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ KRB-FX-CF2() combines two protocol keys based on the pseudo-random()
+ function defined in [RFC3961].
+
+ Given two input keys, K1 and K2, where K1 and K2 can be of two
+ different enctypes, the output key of KRB-FX-CF2(), K3, is derived as
+ follows:
+
+ KRB-FX-CF2(protocol key, protocol key, octet string,
+ octet string) -> (protocol key)
+
+ PRF+(K1, pepper1) -> octet-string-1
+ PRF+(K2, pepper2) -> octet-string-2
+ KRB-FX-CF2(K1, K2, pepper1, pepper2) ->
+ random-to-key(octet-string-1 ^ octet-string-2)
+
+ Where ^ denotes the exclusive-OR operation. PRF+() is defined as
+ follows:
+
+ PRF+(protocol key, octet string) -> (octet string)
+
+ PRF+(key, shared-info) -> pseudo-random( key, 1 || shared-info ) ||
+ pseudo-random( key, 2 || shared-info ) ||
+ pseudo-random( key, 3 || shared-info ) || ...
+
+ Here the counter value 1, 2, 3 and so on are encoded as a one-octet
+ integer. The pseudo-random() operation is specified by the enctype
+ of the protocol key. PRF+() uses the counter to generate enough bits
+ as needed by the random-to-key() [RFC3961] function for the
+ encryption type specified for the resulting key; unneeded bits are
+ removed from the tail.
+
+ Mechanism designers MUST specify the values for the input parameter
+ pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The
+ pepper1 and pepper2 MUST be distinct so that if the two keys being
+ combined are the same, the resulting key is not a trivial key.
+
+6.2. Protecting Requests/Responses
+
+ Mechanism designers SHOULD protect clear text portions of pre-
+ authentication data. Various denial of service attacks and downgrade
+ attacks against Kerberos are possible unless plaintexts are somehow
+ protected against modification. An early design goal of Kerberos
+ Version 5 [RFC4120] was to avoid encrypting more of the
+ authentication exchange that was required. (Version 4 doubly-
+ encrypted the encrypted part of a ticket in a KDC reply, for
+ example.) This minimization of encryption reduces the load on the
+ KDC and busy servers. Also, during the initial design of Version 5,
+ the existence of legal restrictions on the export of cryptography
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 16]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ made it desirable to minimize of the number of uses of encryption in
+ the protocol. Unfortunately, performing this minimization created
+ numerous instances of unauthenticated security-relevant plaintext
+ fields.
+
+ If there is more than one roundtrip for an authentication exchange,
+ mechanism designers need to allow either the client or the KDC to
+ provide a checksum of all the messages exchanged on the wire in the
+ conversation, and the checksum is then verified by the receiver.
+
+ New mechanisms MUST NOT be hard-wired to use a specific algorithm.
+
+ Primitives defined in [RFC3961] are RECOMMENDED for integrity
+ protection and confidentiality. Mechanisms based on these primitives
+ are crypto-agile as the result of using [RFC3961] along with
+ [RFC4120]. The advantage afforded by crypto-agility is the ability
+ to avoid a multi-year standardization and deployment cycle to fix a
+ problem that is specific to a particular algorithm, when real attacks
+ do arise against that algorithm.
+
+ Note that data used by FAST factors (defined in Section 6.5) is
+ encrypted in a protected channel, thus they do not share the un-
+ authenticated-text issues with mechanisms designed as full-blown pre-
+ authentication mechanisms.
+
+6.3. Managing States for the KDC
+
+ Kerberos KDCs are stateless. There is no requirement that clients
+ will choose the same KDC for the second request in a conversation.
+ Proxies or other intermediate nodes may also influence KDC selection.
+ So, each request from a client to a KDC must include sufficient
+ information that the KDC can regenerate any needed state. This is
+ accomplished by giving the client a potentially long opaque cookie in
+ responses to include in future requests in the same conversation.
+ The KDC MAY respond that a conversation is too old and needs to
+ restart by responding with a KDC_ERR_PREAUTH_EXPIRED error.
+
+ KDC_ERR_PREAUTH_EXPIRED TBA
+
+ When a client receives this error, the client SHOULD abort the
+ existing conversation, and restart a new one.
+
+ An example, where more than one message from the client is needed, is
+ when the client is authenticated based on a challenge-response
+ scheme. In that case, the KDC needs to keep track of the challenge
+ issued for a client authentication request.
+
+ The PA-FX-COOKIE pdata type is defined in this section to facilitate
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 17]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ state management. This padata is sent by the KDC when the KDC
+ requires state for a future transaction. The client includes this
+ opaque token in the next message in the conversation. The token may
+ be relatively large; clients MUST be prepared for tokens somewhat
+ larger than the size of all messages in a conversation.
+
+ PA_FX_COOKIE TBA
+ -- Stateless cookie that is not tied to a specific KDC.
+
+ The corresponding padata-value field [RFC4120] contains the
+ Distinguished Encoding Rules (DER) [X60] [X690] encoding of the
+ following Abstract Syntax Notation One (ASN.1) type PA-FX-COOKIE:
+
+ PA-FX-COOKIE ::= SEQUENCE {
+ conversationId [0] OCTET STRING,
+ -- Contains the identifier of this conversation. This field
+ -- must contain the same value for all the messages
+ -- within the same conversation.
+ enc-binding-key [1] EncryptedData OPTIONAL,
+ -- EncryptionKey --
+ -- This field is present when and only when a FAST
+ -- padata as defined in Section 6.5 is included.
+ -- The encrypted data, when decrypted, contains an
+ -- EncryptionKey structure.
+ -- This encryption key is encrypted using the armor key
+ -- (defined in Section 6.5.1), and the key usage for the
+ -- encryption is KEY_USAGE_FAST_BINDING_KEY.
+ -- Present only once in a converstation.
+ cookie [2] OCTET STRING OPTIONAL,
+ -- Opaque data, for use to associate all the messages in
+ -- a single conversation between the client and the KDC.
+ -- This is generated by the KDC and the client MUST copy
+ -- the exact cookie encapsulated in a PA_FX_COOKIE data
+ -- element into the next message of the same conversation.
+ ...
+ }
+ KEY_USAGE_FAST_BINDING_KEY TBA
+
+ The conversationId field contains a sufficiently-long rand number
+ that uniquely identifies the conversation. If a PA_FX_COOKIE padata
+ is present in one message, a PA_FX_COOKIE structure MUST be present
+ in all subsequent messages of the same converstation between the
+ client and the KDC, with the same conversationId value.
+
+ The enc-binding-key field is present when and only when a FAST padata
+ (defined in Section 6.5) is included. The enc-binding-key field is
+ present only once in a conversation. It MUST be ignored if it is
+ present in a subsequent message of the same conversation. The
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 18]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ encrypted data, when decrypted, contains an EncryptionKey structure
+ that is called the binding key. The binding key is encrypted using
+ the armor key (defined in Section 6.5.1), and the key usage for the
+ encryption is KEY_USAGE_FAST_BINDING_KEY.
+
+ If a Kerberos FAST padata as defined in Section 6.5 is included in
+ one message, it MUST be included in all subsequent messages of the
+ same conversation.
+
+ When FAST padata as defined Section 6.5 is included, the PA-FX-COOKIE
+ padata MUST be included.
+
+ The cookie token is generated by the KDC and the client MUST copy the
+ exact cookie encapsulated in a PA_FX_COOKIE data element into the
+ next message of the same conversation. The content of the cookie
+ field is a local matter of the KDC. However the KDC MUST construct
+ the cookie token in such a manner that a malicious client cannot
+ subvert the authentication process by manipulating the token. The
+ KDC implementation needs to consider expiration of tokens, key
+ rollover and other security issues in token design. The content of
+ the cookie field is likely specific to the pre-authentication
+ mechanisms used to authenticate the client. If a client
+ authentication response can be replayed to multiple KDCs via the
+ PA_FX_COOKIE mechanism, an expiration in the cookie is RECOMMENDED to
+ prevent the response being presented indefinitely.
+
+ If at least one more message for a mechanism or a mechanism set is
+ expected by the KDC, the KDC returns a
+ KDC_ERR_MORE_PREAUTH_DATA_NEEDED error with a PA_FX_COOKIE to
+ identify the conversation with the client according to Section 6.5.4.
+
+ KDC_ERR_MORE_PREAUTH_DATA_NEEDED TBA
+
+6.4. Pre-authentication Set
+
+ If all mechanisms in a group need to successfully complete in order
+ to authenticate a client, the client and the KDC SHOULD use the
+ PA_AUTHENTICATION_SET padata element.
+
+ A PA_AUTHENTICATION_SET padata element contains the ASN.1 DER
+ encoding of the PA-AUTHENTICATION-SET structure:
+
+
+
+
+
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 19]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
+
+ PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
+ pa-type [0] Int32,
+ -- same as padata-type.
+ pa-hint [1] OCTET STRING,
+ -- hint data.
+ ...
+ }
+
+ The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure
+ contains the corresponding value of padata-type in PA-DATA [RFC4120].
+ Associated with the pa-type is a pa-hint, which is an octet-string
+ specified by the pre-authentication mechanism. This hint may provide
+ information for the client which helps it determine whether the
+ mechanism can be used. For example a public-key mechanism might
+ include the certificate authorities it trusts in the hint info. Most
+ mechanisms today do not specify hint info; if a mechanism does not
+ specify hint info the KDC MUST NOT send a hint for that mechanism.
+ To allow future revisions of mechanism specifications to add hint
+ info, clients MUST ignore hint info received for mechanisms that the
+ client believes do not support hint info. If a member of the pre-
+ authentication mechanism set that requires a challenge, a separate
+ padata that carries the challenge SHOULD be included along with the
+ pre-authentication set padata.
+
+ The PA-AUTHENTICATION-SET appears only in the first message from the
+ KDC to the client. In particular, the client should not be prepared
+ for the future authentication mechanisms to change as the
+ conversation progresses. [[anchor9: I think this is correct; we
+ should discuss and if the WG agrees the text should reflect this.]]
+
+ When indicating which sets of pre-authentication mechanisms are
+ supported, the KDC includes a PA-AUTHENTICATION-SET padata element
+ for each pre-authentication mechanism set.
+
+ The client sends the padata-value for the first mechanism it picks in
+ the pre-authentication set, when the first mechanism completes, the
+ client and the KDC will proceed with the second mechanism, and so on
+ until all mechanisms complete successfully. The PA_FX_COOKIE as
+ defined in Section 6.3 MUST be sent by the KDC along with the first
+ message that contains a PA-AUTHENTICATION-SET, in order to keep track
+ of KDC states.
+
+ Before the authentication succeeds and a ticket is returned, the
+ message that the client sends is an AS_REQ and the message that the
+ KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR
+ message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_NEEDED as defined
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 20]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ in Section 6.3 and the accompanying e-data contains the DER encoding
+ of ASN.1 type METHOD-DATA. The KDC includes the padata elements in
+ the METHOD-DATA. If there is no padata, the e-data field is absent
+ in the KRB-ERROR message.
+
+ If one mechanism completes on the client side, and the client expects
+ the KDC to send the next padata for the next pre-authentication
+ mechanism before the authentication succeeds, the client sends an
+ AS_REQ with a padata of type PA_FX_HEARTBEAT.
+
+ PA_FX_HEARTBEAT TBA
+
+ The padata-value for the PA_FX_HEARTBEAT is empty.
+
+ If one mechanism completes on the KDC side, and the KDC expects the
+ client to send the next padata for the next pre-authentication
+ mechanism before the authentication succeeds, the KDC sends a KRB-
+ ERROR message with the code KDC_ERR_MORE_PREAUTH_DATA_NEEDED and
+ includes a padata of type PA_FX_HEARTBEAT.
+
+ [[anchor10: It's much easier to design UIs if you can determine ahead
+ of time what all the elements of your dialogue will need to be. If
+ we mandate that the pa-hints need to be sufficient that you can
+ determine what information you will require from a user ahead of time
+ we can simplify the UI for login. I propose that we make this
+ requirement. WG agreement required.]]
+
+6.5. Definition of Kerberos FAST Padata
+
+ As described in [RFC4120], Kerberos is vulnerable to offline
+ dictionary attacks. An attacker can request an AS-REP and try
+ various passwords to see if they can decrypt the resulting ticket.
+ RFC 4120 provides the entrypted timestap pre-authentication method
+ that ameliorates the situation somewhat by requiring that an attacker
+ observe a successful authentication. However stronger security is
+ desired in many environments. The Kerberos FAST pre-authentication
+ padata defined in this section provides a tool to significantly
+ reduce vulnerability to offline dictionary attack. When combined
+ with encrypted timestamp, FAST requires an attacker to mount a
+ successful man-in-the-middle attack to observe ciphertext. When
+ combined with host keys, FAST can even protect against active
+ attacks. FAST also provides solutions to common problems for pre-
+ authentication mechanisms such as binding of the request and the
+ reply, freshness guarantee of the authentication. FAST itself,
+ however, does not authenticate the client or the KDC, instead, it
+ provides a typed hole to allow pre-authentication data be tunneled.
+ A pre-authentication data element used within FAST is called a FAST
+ factor. A FAST factor captures the minimal work required for
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 21]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ extending Kerberos to support a new pre-authentication scheme.
+
+ A FAST factor MUST NOT be used outside of FAST unless its
+ specification explicitly allows so. The typed holes in FAST messages
+ can also be used as generic holes for other padata that are not
+ intended to prove the client's identity, or establish the reply key.
+
+ New pre-authentication mechanisms SHOULD be designed as FAST factors,
+ instead of full-blown pre-authentication mechanisms.
+
+ FAST factors that are pre-authentication mechanisms MUST meet the
+ requirements in Section 5.
+
+ FAST employs an armoring scheme. The armor can be a Ticket Granting
+ Ticket (TGT) obtained by the client's machine using the host keys to
+ pre-authenticate with the KDC, or an anonymous TGT obtained based on
+ anonymous PKINIT [KRB-ANON] [RFC4556].
+
+ The rest of this section describes the types of armors and the syntax
+ of the messages used by FAST. Conforming implementations MUST
+ support Kerberos FAST padata.
+
+6.5.1. FAST Armors
+
+ An armor key is used to encrypt pre-authentication data in the FAST
+ request and the response. The KrbFastArmor structure is defined to
+ identify the armor key. This structure contains the following two
+ fields: the armor-type identifies the type of armors, and the armor-
+ value as an OCTET STRING contains the description of the armor scheme
+ and the armor key.
+
+ KrbFastArmor ::= SEQUENCE {
+ armor-type [0] Int32,
+ -- Type of the armor.
+ armor-value [1] OCTET STRING,
+ -- Value of the armor.
+ ...
+ }
+
+ The value of the armor key is a matter of the armor type
+ specification. Only one armor type is defined in this document.
+
+ FX_FAST_ARMOR_AP_REQUEST TBA
+
+ The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets.
+
+ Conforming implementations MUST implement the
+ FX_FAST_ARMOR_AP_REQUEST armor type.
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 22]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+6.5.1.1. Ticket-based Armors
+
+ This is a ticket-based armoring scheme. The armor-type is
+ FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER
+ encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket
+ or an armor TGT. The subkey field in the AP-REQ MUST be present.
+ The armor key is the subkey in the AP-REQ authenticator.
+
+ The server name field of the armor ticket MUST identify the TGS of
+ the target realm. Here are three ways in the decreasing preference
+ order how an armor TGT SHOULD be obtained:
+
+ 1. If the client is authenticating from a host machine whose
+ Kerberos realm has a trust path to the client's realm, the host
+ machine obtains a TGT by pre-authenticating intitialy the realm
+ of the host machine using the host keys. If the client's realm
+ is different than the realm of the local host, the machine then
+ obtains a cross-realm TGT to the client's realm as the armor
+ ticket. Otherwise, the host's primary TGT is the armor ticket.
+
+ 2. If the client's host machine cannot obtain a host ticket strictly
+ based on RFC4120, but the KDC has an asymmetric signing key that
+ the client can verify the binding between the public key of the
+ signing key and the expected KDC, the client can use anonymous
+ PKINIT [KRB-ANON] [RFC4556] to authenticate the KDC and obtain an
+ anonymous TGT as the armor ticket. The armor key can be a cross-
+ team TGT obtained based on the initial primary TGT obtained using
+ anonymous PKINIT with KDC authentication.
+
+ 3. Otherwise, the client uses anonymous PKINIT to get an anonymous
+ TGT without KDC authentication and that TGT is the armor ticket.
+ Note that this mode of operation is vulnerable to man-in-the-
+ middle attacks at the time of obtaining the initial anonymous
+ armor TGT. The armor key can be a cross-team TGT obtained based
+ on the initial primary TGT obtained using anonymous PKINIT
+ without KDC authentication.
+
+ Because the KDC does not know if the client is able to trust the
+ ticket it has, the KDC MUST initialize the pre-authentication state
+ to an unverified KDC.
+
+6.5.2. FAST Request
+
+ A padata type PA_FX_FAST is defined for the Kerberos FAST pre-
+ authentication padata. The corresponding padata-value field
+ [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST-
+ REQUEST.
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 23]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ PA_FX_FAST TBA
+ -- Padata type for Kerberos FAST
+
+ PA-FX-FAST-REQUEST ::= CHOICE {
+ armored-data [0] KrbFastArmoredReq,
+ ...
+ }
+
+ KrbFastArmoredReq ::= SEQUENCE {
+ armor [0] KrbFastArmor OPTIONAL,
+ -- Contains the armor that identifies the armor key.
+ -- MUST be present in AS-REQ.
+ -- MUST be absent in TGS-REQ.
+ req-checksum [1] Checksum,
+ -- Checksum performed over the type KDC-REQ-BODY for
+ -- the req-body field of the KDC-REQ structure defined in
+ -- [RFC4120]
+ -- The checksum key is the armor key, the checksum
+ -- type is the required checksum type for the enctype of
+ -- the armor key, and the key usage number is
+ -- KEY_USAGE_FAST_REA_CHKSUM.
+ enc-fast-req [2] EncryptedData, -- KrbFastReq --
+ -- The encryption key is the armor key, and the key usage
+ -- number is KEY_USAGE_FAST_ENC.
+ ...
+ }
+
+ KEY_USAGE_FAST_REA_CHKSUM TBA
+ KEY_USAGE_FAST_ENC TBA
+
+ The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type.
+ The KrbFastArmoredReq encapsulates the encrypted padata.
+
+ The enc-fast-req field contains an encrypted KrbFastReq structure.
+ The armor key is used to encrypt the KrbFastReq structure, and the
+ key usage number for that encryption is KEY_USAGE_FAST_ARMOR.
+
+ KEY_USAGE_FAST_ARMOR TBA
+
+ The armor key is selected as follows:
+
+ o In an AS request, the armor field in the KrbFastArmoredReq
+ structure MUST be present and the armor key is identified
+ according to the specification of the armor type.
+
+ o In a TGS request, the armor field in the KrbFastArmoredReq
+ structure MUST NOT be present and the subkey in the AP-REQ
+ authenticator in the PA-TGS-REQ PA-DATA MUST be present. In this
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 24]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ case, the armor key is that subkey in the AP-REQ authenticator.
+
+ The req-checksum field contains a checksum that is performed over the
+ type KDC-REQ-BODY for the req-body field of the KDC-REQ [RFC4120]
+ structure of the containing message. The checksum key is the armor
+ key, and the checksum type is the required checksum type for the
+ enctype of the armor key per [RFC3961]. [[anchor12: Is this checksum
+ still needed if we include a full kdc-req-body]]
+
+ The KrbFastReq structure contains the following information:
+
+ KrbFastReq ::= SEQUENCE {
+ fast-options [0] FastOptions,
+ -- Additional options.
+ padata [1] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ req-body [2] KDC-REQ-BODY,
+ -- Contains the KDC request body as defined in Section
+ -- 5.4.1 of [RFC4120]. The req-body field in the KDC-REQ
+ -- structure [RFC4120] MUST be ignored.
+ -- The client name and realm in the KDC-REQ [RFC4120]
+ -- MUST NOT be present for AS-REQ and TGS-REQ when
+ -- Kerberos FAST padata is included in the request.
+ ...
+ }
+
+ [[anchor13: See mailing list discussion about whether client name
+ absent is correct.]]
+
+ The fast-options field indicates various options that are to modify
+ the behavior of the KDC. The following options are defined:
+
+ FastOptions ::= KerberosFlags
+ -- reserved(0),
+ -- anonymous(1),
+ -- kdc-referrals(16)
+
+
+ Bits Name Description
+ -----------------------------------------------------------------
+ 0 RESERVED Reserved for future expansion of this field.
+ 1 anonymous Requesting the KDC to hide client names in
+ the KDC response, as described next in this
+ section.
+ 16 kdc-referrals Requesting the KDC to follow referrals, as
+ described next in this section.
+
+ Bits 1 through 15 (with bit 2 and bit 15 included) are critical
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 25]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ options. If the KDC does not support a critical option, it MUST fail
+ the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS (there is no
+ accompanying e-data defined in this document for this error code).
+ Bit 16 and onward (with bit 16 included) are non-critical options.
+ KDCs conforming to this specification ignores unknown non-critical
+ options.
+
+ KDC_ERR_UNKNOWN_FAST_OPTIONS TBA
+
+ The anonymous Option
+
+ The Kerberos response defined in [RFC4120] contains the client
+ identity in clear text, This makes traffic analysis
+ straightforward. The anonymous option is designed to complicate
+ traffic analysis. If the anonymous option is set, the KDC
+ implementing PA_FX_FAST MUST identify the client as the anonymous
+ principal in the KDC reply and the error response. Hence this
+ option is set by the client if it wishes to conceal the client
+ identity in the KDC response.
+
+ The kdc-referrals Option
+
+ The Kerberos client described in [RFC4120] has to request referral
+ TGTs along the authentication path in order to get a service
+ ticket for the target service. The Kerberos client described in
+ the [REFERRALS] need to contact the AS specified in the error
+ response in order to complete client referrals. The kdc-referrals
+ option is designed to minimize the number of messages that need to
+ be processed by the client. This option is useful when, for
+ example, the client may contact the KDC via a satellite link that
+ has high network latency, or the client has limited computational
+ capabilities. If the kdc-referrals option is set, the KDC that
+ honors this option acts as the client to follow AS referrals and
+ TGS referrals [REFERRALS], and return the service ticket to the
+ named server principal in the client request using the reply key
+ expected by the client. The kdc-referrals option can be
+ implemented when the KDC knows the reply key. The KDC can ignore
+ kdc-referrals option when it does not understand it or it does not
+ allow this option based on local policy. The client SHOULD be
+ able to process the KDC responses when this option is not honored
+ by the KDC.
+
+ The padata field contains a list of PA-DATA structures as described
+ in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain
+ FAST factors. They can also be used as generic typed-holes to
+ contain data not intended for proving the client's identity or
+ establishing a reply key, but for protocol extensibility.
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 26]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ The KDC-REQ-BODY in the FAST structure is used in preference to the
+ KDC-REQ-BODY outside of the FAST pre-authentication. This outer
+ structure SHOULD be filled in for backwards compatibility with KDCs
+ that do not support FAST. The client MAY fill in the cname and
+ crealm fields in the kdc-req-body in the KrbFastReq structure and
+ leave the cname field and the crealm field in KDC-REQ absent, in
+ order to conceal the client's identity in the AS-REQ.[[anchor14:
+ Absent is probably wrong. Presumably we want a name similar to the
+ anonymous principal name.]]
+
+6.5.3. FAST Response
+
+ The KDC that supports the PA_FX_FAST padata MUST include a PA_FX_FAST
+ padata element in the KDC reply. In the case of an error, the
+ PA_FX_FAST padata is included in the KDC responses according to
+ Section 6.5.4.
+
+ The corresponding padata-value field [RFC4120] for the PA_FX_FAST in
+ the KDC response contains the DER encoding of the ASN.1 type PA-FX-
+ FAST-REPLY.
+
+ PA-FX-FAST-REPLY ::= CHOICE {
+ armored-data [0] KrbFastArmoredRep,
+ ...
+ }
+
+ KrbFastArmoredRep ::= SEQUENCE {
+ enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
+ -- The encryption key is the armor key in the request, and
+ -- the key usage number is KEY_USAGE_FAST_REP.
+ ...
+ }
+ KEY_USAGE_FAST_REP TBA
+
+ The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep
+ structure. The KrbFastArmoredRep structure encapsulates the padata
+ in the KDC reply in the encrypted form. The KrbFastResponse is
+ encrypted with the armor key used in the corresponding request, and
+ the key usage number is KEY_USAGE_FAST_REP.
+
+ The Kerberos client who does not receive a PA-FX-FAST-REPLY in the
+ KDC response MUST support a local policy that rejects the response.
+ Clients MAY also support policies that fall back to other mechanisms
+ or that do not use pre-authentication when FAST is unavailable. It
+ is important to consider the potential downgrade attacks when
+ deploying such a policy.
+
+ The KrbFastResponse structure contains the following information:
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 27]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ KrbFastResponse ::= SEQUENCE {
+ padata [0] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ rep-key [1] EncryptionKey OPTIONAL,
+ -- This, if present, replaces the reply key for AS and TGS.
+ -- MUST be absent in KRB-ERROR.
+ finished [2] KrbFastFinished OPTIONAL,
+ -- MUST be present if the client is authenticated,
+ -- absent otherwise.
+ -- Typically this is present if and only if the containing
+ -- message is the last one in a conversation.
+ ...
+ }
+
+ The padata field in the KrbFastResponse structure contains a list of
+ PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These
+ PA-DATA structures are used to carry data advancing the exchange
+ specific for the FAST factors. They can also be used as generic
+ typed-holes for protocol extensibility.
+
+ The rep-key field, if present, contains the reply key that is used to
+ encrypted the KDC reply. The rep-key field MUST be absent in the
+ case where an error occurs. The enctype of the rep-key is the
+ strongest mutually supported by the KDC and the client.
+
+ The finished field contains a KrbFastFinished structure. It is
+ filled by the KDC in the final message in the conversation; it MUST
+ be absent otherwise. In other words, this field can only be present
+ in an AS-REP or a TGS-REP when a ticket is returned.
+
+ The KrbFastFinished structure contains the following information:
+
+ KrbFastFinished ::= SEQUENCE {
+ timestamp [0] KerberosTime,
+ usec [1] Microseconds,
+ -- timestamp and usec represent the time on the KDC when
+ -- the reply was generated.
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ -- Contains the client realm and the client name.
+ checksum [4] Checksum,
+ -- Checksum performed over all the messages in the
+ -- conversation, except the containing message.
+ -- The checksum key is the binding key as defined in
+ -- Section 6.3, and the checksum type is the required
+ -- checksum type of the binding key.
+ ...
+ }
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 28]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ KEY_USAGE_FAST_FINISHED TBA
+
+ The timestamp and usec fields represent the time on the KDC when the
+ reply ticket was generated, these fields have the same semantics as
+ the corresponding-identically-named fields in Section 5.6.1 of
+ [RFC4120]. The client MUST use the KDC's time in these fields
+ thereafter when using the returned ticket. Note that the KDC's time
+ in AS-REP may not match the authtime in the reply ticket if the kdc-
+ referrals option is requested and honored by the KDC.
+
+ The cname and crealm fields identify the authenticated client.
+
+ The checksum field contains a checksum of all the messages in the
+ conversation prior to the containing message (the containing message
+ is excluded). The checksum key is the binding key as defined in
+ Section 6.3, and the checksum type is the required checksum type of
+ the enctype of that key, and the key usage number is
+ KEY_USAGE_FAST_FINISHED. [[anchor15: Examples would be good here;
+ what all goes into the checksum?]]
+
+ When FAST padata is included, the PA-FX-COOKIE padata as defined in
+ Section 6.3 MUST also be included if the KDC expects at least one
+ more message from the client in order to complete the authentication.
+
+6.5.4. Authenticated Kerberos Error Messages using Kerberos FAST
+
+ If the Kerberos FAST padata was included in the request, unless
+ otherwise specified, the e-data field of the KRB-ERROR message
+ [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA
+ [RFC4120] and a PA_FX_FAST is included in the METHOD-DATA. The KDC
+ MUST include all the padata elements such as PA-ETYPE-INFO2 and
+ padata elments that indicate acceptable pre-authentication mechanisms
+ [RFC4120] and in the KrbFastResponse structure.
+
+ If the Kerberos FAST padata is included in the request but not
+ included in the error reply, it is a matter of the local policy on
+ the client to accept the information in the error message without
+ integrity protection. The Kerberos client MAY process an error
+ message without a PA-FX-FAST-REPLY, if that is only intended to
+ return better error information to the application, typically for
+ trouble-shooting purposes.
+
+ In the cases where the e-data field of the KRB-ERROR message is
+ expected to carry a TYPED-DATA [RFC4120] element, the
+ PA_FX_TYPED_DATA padata is included in the KrbFastResponse structure
+ to encapsulate the TYPED-DATA [RFC4120] elements. For example, the
+ TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR
+ message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 29]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ [RFC4556].
+
+ PA_FX_TYPED_DATA TBA
+ -- This is the padata element that encapsulates a TYPED-DATA
+ -- structure.
+
+ The corresponding padata-value for the PA_FX_TYPED_DATA padata type
+ contains the DER encoding of the ASN.1 type TYPED-DATA [RFC4120].
+
+6.5.5. The Authenticated Timestamp FAST Factor
+
+ The encrypted time stamp [RFC4120] padata can be used as a FAST
+ factor to authenticate the client and it does not expose the cipher
+ text derived using the client's long term keys. However this FAST
+ factor is not risk-free from current intellectual property claims as
+ of the time of this writing. To provide a clearn replacement FAST
+ factor that closely matches the encrypted timestamp FAST factor, the
+ authenticated timestamp pre-authentication is introduced in this
+ section.
+
+ The authenticated timestamp FAST factor authenticates a client by
+ means of computing a checksum over a time-stamped structure using the
+ client's long term keys. The padata-type is
+ PA_AUTHENTICATED_TIMESTAMP and the corresponding padata-value
+ contains the DER encoding of ASN.1 type AuthenticatedTimestamp.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 30]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ AuthenticatedTimestampToBeSigned ::= SEQUENCE {
+ timestamp [0] PA-ENC-TS-ENC,
+ -- Contains the timestamp field of the corresponding
+ -- AuthenticatedTimestamp structure.
+ req-body [1] KDC-REQ-BODY OPTIONAL,
+ -- MUST contain the req-body field of the KDC-REQ
+ -- structure in the containing AS-REQ for the client
+ -- request.
+ -- MUST be Absent for the KDC reply.
+ ...
+ }
+
+ AuthenticatedTimestamp ::= SEQUENCE {
+ timestamp [0] PA-ENC-TS-ENC,
+ -- Filled out according to Section 5.2.7.2 of [RFC4120].
+ -- Contains the client's current time for the client,
+ -- and the KDC's current time for the KDC.
+ checksum [1] CheckSum,
+ -- The checksum is performed over the type
+ -- AuthenticatedTimestampToBeSigned and the key usage is
+ -- KEY_USAGE_AUTHENTICATED_TS_CLIENT for the client and
+ _ KEY_USAGE_AUTHENTICATED_TS_KDC for the KDC
+ ...
+ }
+
+ KEY_USAGE_AUTHENTICATED_TS_CLIENT TBA
+ KEY_USAGE_AUTHENTICATED_TS_KDC TBA
+
+ The client fills out the AuthenticatedTimestamp structure as follows:
+
+ o The timestamp field in the AuthenticatedTimestamp structure is
+ filled out with the client's current time according to Section
+ 5.2.7.2 of [RFC4120].
+
+ o The checksum field in the AuthenticatedTimestamp structure is
+ performed over the type AuthenticatedTimestampToBeSigned. The
+ checksum key is one of the client's long term keys. The key usage
+ for the checksum operation is KEY_USAGE_AUTHENTICATED_TS_CLIENT.
+ The checksum type is the required checksum type for the strongest
+ enctype mutually supported by the client and the KDC.
+
+ o Within the AuthenticatedTimestampToBeSigned structure, the
+ timestamp field contains the timestamp field of the corresponding
+ AuthenticatedTimestamp structure, and the req-body field MUST
+ contain the req-body field of the KDC-REQ structure in the
+ containing AS-REQ.
+
+ Upon receipt of the PA_AUTHENTICATED_TIMESTAMP FAST factor, the KDC
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 31]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ MUST process the padata in a way similar to that of the encrypted
+ timestamp padata. The KDC MUST verify the checksum in the
+ AuthenticatedTimestamp structure and the timestamp is within the
+ window of acceptable clock skew for the KDC.
+
+ When the authenticated timestamp FAST factor is accepted by the KDC,
+ the KDC MUST include a PA_AUTHENTICATED_TIMESTAMP as a FAST factor in
+ in a successful KDC reply and it MUST include the rep-key field as
+ defined in Section 6.5.3.
+
+ The KDC fills out the AuthenticatedTimestamp structure as follows:
+
+ o The timestamp field in the AuthenticatedTimestamp structure is
+ filled out with the KDC's current time according to Section
+ 5.2.7.2 of [RFC4120].
+
+ o The checksum field in the AuthenticatedTimestamp structure is
+ performed over the type AuthenticatedTimestampToBeSigned. The
+ checksum key is the reply key picked from the client's long term
+ keys according to [RFC4120]. The key usage for the checksum
+ operation is KEY_USAGE_AUTHENTICATED_TS_KDC. The checksum type is
+ the required checksum type for the checksum key.
+
+ o Within the AuthenticatedTimestampToBeSigned structure, the
+ timestamp field contains the timestamp field of the corresponding
+ AuthenticatedTimestamp structure, and the req-body field MUST be
+ absent.
+
+ Upon receipt of the PA_AUTHENTICATED_TIMESTAMP FAST factor in the KDC
+ reply, the client MUST verify the checksum in the
+ AuthenticatedTimestamp structure and the timestamp is within the
+ window of acceptable clock skew for the client. The successful
+ verificaiton of the PA_AUTHENTICATED_TIMESTAMP padata authenticates
+ the KDC.
+
+ The authenticated timestamp FAST factor provides the following
+ facilities: client-authentication, replacing-reply-key, KDC-
+ authentication. It does not provide the strengthening-reply-key
+ facility. The security considerations section of this document
+ provides an explanation why the security requirements are met.
+
+ Conforming implementations MUST support the authenticated timestamp
+ FAST factor.
+
+6.6. Authentication Strength Indication
+
+ Implementations that have pre-authentication mechanisms offering
+ significantly different strengths of client authentication MAY choose
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 32]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ to keep track of the strength of the authentication used as an input
+ into policy decisions. For example, some principals might require
+ strong pre-authentication, while less sensitive principals can use
+ relatively weak forms of pre-authentication like encrypted timestamp.
+
+ An AuthorizationData data type AD-Authentication-Strength is defined
+ for this purpose.
+
+ AD-authentication-strength TBA
+
+ The corresponding ad-data field contains the DER encoding of the pre-
+ authentication data set as defined in Section 6.4. This set contains
+ all the pre-authentication mechanisms that were used to authenticate
+ the client. If only one pre-authentication mechanism was used to
+ authenticate the client, the pre-authentication set contains one
+ element.
+
+ The AD-authentication-strength element MUST be included in the AD-IF-
+ RELEVANT, thus it can be ignored if it is unknown to the receiver.
+
+
+7. IANA Considerations
+
+ This document defines several new pa-data types, key usages and error
+ codes. In addition it would be good to track which pa-data items are
+ only to be used as FAST factors.
+
+
+8. Security Considerations
+
+ The kdc-referrals option in the Kerberos FAST padata requests the KDC
+ to act as the client to follow referrals. This can overload the KDC.
+ To limit the damages of denied of service using this option, KDCs MAY
+ restrict the number of simultaneous active requests with this option
+ for any given client principal.
+
+ Because the client secrets are known only to the client and the KDC,
+ the verification of the authenticated timestamp proves the client's
+ identity, the verification of the authenticated timestamp in the KDC
+ reply proves that the expected KDC responded. The encrypted reply
+ key is contained in the rep-key in the PA-FX-FAST-REPLY. Therefore,
+ the authenticated timestamp FAST factor as a pre-authentication
+ mechanism offers the following facilities: client-authentication,
+ replacing-reply-key, KDC-authentication. There is no un-
+ authenticated clear text introduced by the authenticated timestamp
+ FAST factor.
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 33]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+9. Acknowledgements
+
+ Several suggestions from Jeffery Hutzman based on early revisions of
+ this documents led to significant improvements of this document.
+
+ The proposal to ask one KDC to chase down the referrals and return
+ the final ticket is based on requirements in [ID.CROSS].
+
+ Joel Webber had a proposal for a mechanism similar to FAST that
+ created a protected tunnel for Kerberos pre-authentication.
+
+
+10. References
+
+10.1. Normative References
+
+ [KRB-ANON]
+ Zhu, L. and P. Leach, "Kerberos Anonymity Support",
+ draft-ietf-krb-wg-anon-04.txt (work in progress), 2007.
+
+ [REFERRALS]
+ Raeburn, K. and L. Zhu, "Generating KDC Referrals to
+ Locate Kerberos Realms",
+ draft-ietf-krb-wg-kerberos-referrals-10.txt (work in
+ progress), 2007.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
+ Kerberos 5", RFC 3961, February 2005.
+
+ [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
+ Kerberos Network Authentication Service (V5)", RFC 4120,
+ July 2005.
+
+ [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
+ Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
+
+10.2. Informative References
+
+ [ID.CROSS]
+ Sakane, S., Zrelli, S., and M. Ishiyama , "Problem
+ Statement on the Operation of Kerberos in a Specific
+ System", draft-sakane-krb-cross-problem-statement-02.txt
+ (work in progress), April 2007.
+
+ [KRB-WG.SAM]
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 34]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ Hornstein, K., Renard, K., Neuman, C., and G. Zorn,
+ "Integrating Single-use Authentication Mechanisms with
+ Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in
+ progress), October 2003.
+
+
+Appendix A. ASN.1 module
+
+ KerberosPreauthFramework {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) kerberosV5(2) modules(4) preauth-framework(3)
+ } DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ IMPORTS
+ KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum,
+ Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY
+ FROM KerberosV5Spec2 { iso(1) identified-organization(3)
+ dod(6) internet(1) security(5) kerberosV5(2)
+ modules(4) krb5spec2(2) };
+ -- as defined in RFC 4120.
+
+ PA-FX-COOKIE ::= SEQUENCE {
+ conversationId [0] OCTET STRING,
+ -- Contains the identifier of this conversation. This field
+ -- must contain the same value for all the messages
+ -- within the same conversation.
+ enc-binding-key [1] EncryptedData OPTIONAL,
+ -- EncryptionKey --
+ -- This field is present when and only when a FAST
+ -- padata as defined in Section 6.5 is included.
+ -- The encrypted data, when decrypted, contains an
+ -- EncryptionKey structure.
+ -- This encryption key is encrypted using the armor key
+ -- (defined in Section 6.5.1), and the key usage for the
+ -- encryption is KEY_USAGE_FAST_BINDING_KEY.
+ cookie [2] OCTET STRING OPTIONAL,
+ -- Opaque data, for use to associate all the messages in
+ -- a single conversation between the client and the KDC.
+ -- This is generated by the KDC and the client MUST copy
+ -- the exact cookie encapsulated in a PA_FX_COOKIE data
+ -- element into the next message of the same conversation.
+ ...
+ }
+
+ PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
+
+ PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
+ pa-type [0] Int32,
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 35]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ -- same as padata-type.
+ pa-hint [1] OCTET STRING,
+ -- hint data.
+ ...
+ }
+
+ KrbFastArmor ::= SEQUENCE {
+ armor-type [0] Int32,
+ -- Type of the armor.
+ armor-value [1] OCTET STRING,
+ -- Value of the armor.
+ ...
+ }
+
+ PA-FX-FAST-REQUEST ::= CHOICE {
+ armored-data [0] KrbFastArmoredReq,
+ ...
+ }
+
+ KrbFastArmoredReq ::= SEQUENCE {
+ armor [0] KrbFastArmor OPTIONAL,
+ -- Contains the armor that identifies the armor key.
+ -- MUST be present in AS-REQ.
+ -- MUST be absent in TGS-REQ.
+ req-checksum [1] Checksum,
+ -- Checksum performed over the type KDC-REQ-BODY for
+ -- the req-body field of the KDC-REQ structure defined in
+ -- [RFC4120]
+ -- The checksum key is the armor key, the checksum
+ -- type is the required checksum type for the enctype of
+ -- the armor key, and the key usage number is
+ -- KEY_USAGE_FAST_REA_CHKSUM.
+ enc-fast-req [2] EncryptedData, -- KrbFastReq --
+ -- The encryption key is the armor key, and the key usage
+ -- number is KEY_USAGE_FAST_ENC.
+ ...
+ }
+
+ KrbFastReq ::= SEQUENCE {
+ fast-options [0] FastOptions,
+ -- Additional options.
+ padata [1] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ req-body [2] KDC-REQ-BODY,
+ -- Contains the KDC request body as defined in Section
+ -- 5.4.1 of [RFC4120]. The req-body field in the KDC-REQ
+ -- structure [RFC4120] MUST be ignored.
+ -- The client name and realm in the KDC-REQ [RFC4120]
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 36]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ -- MUST NOT be present for AS-REQ and TGS-REQ when
+ -- Kerberos FAST padata is included in the request.
+ ...
+ }
+
+ FastOptions ::= KerberosFlags
+ -- reserved(0),
+ -- anonymous(1),
+ -- kdc-referrals(16)
+
+ PA-FX-FAST-REPLY ::= CHOICE {
+ armored-data [0] KrbFastArmoredRep,
+ ...
+ }
+
+ KrbFastArmoredRep ::= SEQUENCE {
+ enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
+ -- The encryption key is the armor key in the request, and
+ -- the key usage number is KEY_USAGE_FAST_REP.
+ ...
+ }
+
+ KrbFastResponse ::= SEQUENCE {
+ padata [0] SEQUENCE OF PA-DATA,
+ -- padata typed holes.
+ rep-key [1] EncryptionKey OPTIONAL,
+ -- This, if present, replaces the reply key for AS and TGS.
+ -- MUST be absent in KRB-ERROR.
+ finished [2] KrbFastFinished OPTIONAL,
+ -- MUST be present if the client is authenticated,
+ -- absent otherwise.
+ -- Typically this is present if and only if the containing
+ -- message is the last one in a conversation.
+ ...
+ }
+
+ KrbFastFinished ::= SEQUENCE {
+ timestamp [0] KerberosTime,
+ usec [1] Microseconds,
+ -- timestamp and usec represent the time on the KDC when
+ -- the reply was generated.
+ crealm [2] Realm,
+ cname [3] PrincipalName,
+ -- Contains the client realm and the client name.
+ checksum [4] Checksum,
+ -- Checksum performed over all the messages in the
+ -- conversation, except the containing message.
+ -- The checksum key is the binding key as defined in
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 37]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+ -- Section 6.3, and the checksum type is the required
+ -- checksum type of the binding key.
+ ...
+ }
+
+ AuthenticatedTimestampToBeSigned ::= SEQUENCE {
+ timestamp [0] PA-ENC-TS-ENC,
+ -- Contains the timestamp field of the corresponding
+ -- AuthenticatedTimestamp structure.
+ req-body [1] KDC-REQ-BODY OPTIONAL,
+ -- MUST contain the req-body field of the KDC-REQ
+ -- structure in the containing AS-REQ for the client
+ -- request.
+ -- MUST be Absent for the KDC reply.
+ ...
+ }
+
+ AuthenticatedTimestamp ::= SEQUENCE {
+ timestamp [0] PA-ENC-TS-ENC,
+ -- Filled out according to Section 5.2.7.2 of [RFC4120].
+ -- Contains the client's current time for the client,
+ -- and the KDC's current time for the KDC.
+ checksum [1] CheckSum,
+ -- The checksum is performed over the type
+ -- AuthenticatedTimestampToBeSigned and the key usage is
+ -- KEY_USAGE_AUTHENTICATED_TS_CLIENT for the client and
+ _ KEY_USAGE_AUTHENTICATED_TS_KDC for the KDC
+ ...
+ }
+ END
+
+
+Authors' Addresses
+
+ Larry Zhu
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ Email: lzhu@microsoft.com
+
+
+ Sam hartman
+ MIT
+
+ Email: hartmans@mit.edu
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 38]
+
+Internet-Draft Kerberos Preauth Framework July 2007
+
+
+Full Copyright Statement
+
+ Copyright (C) The IETF Trust (2007).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is provided by the IETF
+ Administrative Support Activity (IASA).
+
+
+
+
+
+Zhu & Hartman Expires January 9, 2008 [Page 39]
+
View Lorry Controller Status