diff options
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-02.txt')
-rw-r--r-- | third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-02.txt | 616 |
1 files changed, 616 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-02.txt b/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-02.txt new file mode 100644 index 00000000000..dd88349314e --- /dev/null +++ b/third_party/heimdal/doc/standardisation/draft-perez-krb-wg-gss-preauth-02.txt @@ -0,0 +1,616 @@ + + + +Kerberos Working Group A. Perez-Mendez +Internet-Draft R. Marin-Lopez +Intended status: Experimental F. Pereniguez-Garcia +Expires: March 5, 2013 G. Lopez-Millan + University of Murcia + Sep 2012 + + + GSS-API pre-authentication for Kerberos + draft-perez-krb-wg-gss-preauth-02 + +Abstract + + This document describes a pre-authentication mechanism for Kerberos + based on the Generic Security Service Application Program Interface + (GSS-API), which allows a Key Distribution Center (KDC) to + authenticate clients by using a GSS mechanism. + +Status of this Memo + + This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + This Internet-Draft will expire on March 5, 2013. + +Copyright Notice + + Copyright (c) 2012 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 1] + +Internet-Draft GSS preauth Sep 2012 + + + described in the Simplified BSD License. + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 + 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Definition of the Kerberos GSS padata . . . . . . . . . . . . 4 + 4. GSS Pre-authentication Operation . . . . . . . . . . . . . . . 5 + 4.1. Generation of GSS preauth requests . . . . . . . . . . . . 5 + 4.2. Processing of GSS preauth requests . . . . . . . . . . . . 6 + 4.3. Generation of GSS preauth responses . . . . . . . . . . . 6 + 4.4. Processing of GSS preauth responses . . . . . . . . . . . 7 + 5. Data in the KDC_ERR_PREAUTH_REQUIRED . . . . . . . . . . . . . 7 + 6. Derivation of the reply key from the GSS context . . . . . . . 7 + 7. KDC state management . . . . . . . . . . . . . . . . . . . . . 8 + 8. Support for federated users . . . . . . . . . . . . . . . . . 8 + 9. GSS channel bindings . . . . . . . . . . . . . . . . . . . . . 9 + 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 + 11. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 + 13. Normative References . . . . . . . . . . . . . . . . . . . . . 9 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 + + + + + + + + + + + + + + + + + + + + + + + + + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 2] + +Internet-Draft GSS preauth Sep 2012 + + +1. Introduction + + The GSS-API (Generic Security Service Application Programming + Interface) [RFC2743] provides a generic toolset of functions that + allow applications to establish security contexts in order to protect + their communications through security services such as + authentication, confidentiality and integrity protection. Thanks to + the GSS-API, applications remain independent from the specific + underlying mechanism used to establish the context and provide + security. + + On the other hand, Kerberos [RFC4120] defines a process called pre- + authentication. This feature is intended to avoid the security risk + of providing tickets encrypted with the user's long-term key to + attackers, by requiring clients to proof their knowledge over these + credentials. The execution of a pre-authentication mechanism may + require the exchange of several KRB_AS_REQ/KRB_ERROR messages before + the KDC delivers the TGT requested by the client within a KRB_AS_REP. + These messages transport authentication information by means of pre- + authentication elements. + + There exists a variety of pre-authentication mechanisms, like PKINIT + [RFC4556] and encrypted time-stamp [RFC4120]. Furthermore, + [I-D.ietf-krb-wg-preauth-framework] provides a generic framework for + Kerberos pre-authentication, which aims to describe the features that + a pre-authentication mechanism may provide (e.g. mutual + authentication, replace reply key, etc.). Additionally, in order to + simplify the definition of new pre-authentication mechanisms, it + defines a mechanism called FAST (Flexible Authentication Secure + Tunneling), which provides a generic and secure transport for pre- + authentication elements. More specifically, FAST establishes a + secure tunnel providing confidentiality and integrity protection + between the client and the KDC prior to the exchange of any specific + pre-authentication data. Within this tunnel, different pre- + authentication methods can be executed. This inner mechanism is + called a FAST factor. It is important to note that FAST factors + cannot usually be used outside the FAST pre-authentication method + since they assume the underlying security layer provided by FAST. + + The aim of this draft is to define a new pre-authentication + mechanism, following the recommendations of + [I-D.ietf-krb-wg-preauth-framework], that relies on the GSS-API + security services to pre-authenticate clients. This pre- + authentication mechanism will allow the KDC to authenticate clients + making use of any current or future GSS mechanism, as long as they + satisfy the minimum security requirements described in this + specification. The Kerberos client will play the role of the GSS + initiator, while the Authentication Server (AS) in the KDC will play + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 3] + +Internet-Draft GSS preauth Sep 2012 + + + the role of the GSS acceptor. + +1.1. Requirements Language + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + +2. Motivation + + This work is mainly motivated by the necessity of a way to allow the + KDC to make use of the technologies defined in the ABFAB WG to + perform the access control of federated users. Specifically, the + ABFAB architecture requires relying parties to make use of the GSS- + EAP mechanism to perform authentication. + [I-D.perez-abfab-eap-gss-preauth] defines how GSS-EAP is transported + on top of the GSS pre-authentication mechanism defined in this + document. + + +3. Definition of the Kerberos GSS padata + + To establish the security context, the GSS-API defines the exchange + of GSS tokens between the initiator and the acceptor. These tokens, + which contain mechanism-specific information, are completely opaque + to the application. However, how these tokens are transported + between the initiator and the responder depends on the specific + application. Since GSS-API is defined as independent of the + underlying communications service, its use does not require to + implement any specific security feature for the transport. For + instance, tokens could just be sent by means of plain UDP datagrams. + For this reason, security and ordered delivery of information must be + implemented by each specific GSS mechanism (if required). + + Therefore, GSS tokens are the atomic piece of information from the + application point of view when using GSS-API, which require a proper + transport between the initiator (Kerberos client) and the acceptor + (AS). In particular, the proposed GSS-based pre-authentication + mechanism defines a new pre-authentication element (hereafter padata) + called PA-GSS, to transport a generic GSS token from the Kerberos + client to the AS and vice-versa. This padata also transport state + information required to maintain the KDC stateless (see section + Section 7. + + PA-GSS To be defined (TBD) + + A PA-GSS padata element contains the ASN.1 DER encoding of the PA-GSS + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 4] + +Internet-Draft GSS preauth Sep 2012 + + + structure: + + PA-GSS ::= SEQUENCE { + sec-ctx-token [0] OCTET STRING, + state [1] EncryptedData OPTIONAL -- contains PA-GSS-STATE + } + + PA-GSS-STATE ::= SEQUENCE { + timestamp [0] KerberosTime, + exported-sec-ctx-token [1] OCTET STRING, + ... + } + + The sec-ctx-token element of the PA-GSS structure contains the + output_token token returned by either, the GSS_Init_sec_context and + the GSS_Accept_sec_context calls. The state element of the PA-GSS + structure is optional, and will be absent in the first AS_REQ message + from the client to the KDC and in the last AS_REP message from the + KDC to the client. It contains a PA-GSS-STATE structure encrypted + with the first krbtgt key and a key usage in the 512-1023 range (to + be defined TBD). The state element is generated by the KDC, while + the client just copy it from the previously received PA-GSS structure + (if present). + + The PA-GSS-STATE contains a timestamp element, meant to detect + possible replay situations, and a exported-sec-ctx-token element, + representing the whole GSS security context state corresponding to + the current authentication process. This value is generated by the + KDC by calling to the GSS_Export_sec_context, when the + GSS_Accept_sec_context returns GSS_S_CONTINUE_NEEDED. + + +4. GSS Pre-authentication Operation + +4.1. Generation of GSS preauth requests + + The Kerberos client (initiator) starts by calling to the + GSS_Init_sec_context function. In the first call to this function, + the client provides GSS_C_NO_CTX as the value of the context_handle + and NULL as the input_token, given that no context has been initiated + yet. When using multi round-trip GSS mechanisms, in subsequent calls + to this routine the client will use both, the context_handle value + obtained after the first call, and the input_token received from the + KDC. The mutual_req_flag, replay_det_req_flag and sequence_req_flag + MUST be set, as the GSS token is meant to be tranported over + cleartext channels. + + The GSS_Init_sec_context returns a context_handle, an output_token + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 5] + +Internet-Draft GSS preauth Sep 2012 + + + and a status value. In this first call, the only acceptable status + value is GSS_S_CONTINUE_NEEDED, as the KDC is expected to provide a + token in order to continue with the context establishment process. + The Kerberos client creates a new PA-GSS padata, with the obtained + output_token as the sec-ctx-token element, and with the state element + absent. The PA-GSS padata is sent to the KDC through a KRB_AS_REQ + message. + +4.2. Processing of GSS preauth requests + + When the KDC (GSS acceptor) receives a KRB_AS_REQ message containing + a PA-GSS padata, but a state element (see Section 7) is not included, + the KDC assumes that this is the first message of a context + establishment, and thus GSS_C_NO_CTX is used as context_handle to + invoke the GSS_Accept_sec_context routine. Conversely, if a state + element is included, the KDC assumes that this message is part an + ongoing authentication and the value of the state element is + decrypted and used to recover the state of the authentication (see + Section 7). In both cases, after receiving the message, the KDC + calls to the GSS_Accept_sec_context function, using the adequate + context_handle value and using the received token in the PA-GSS + padata as input_token. + + Once the execution of the GSS_Accept_sec_context function is + completed, the KDC obtains a context_handle, an output_token that + MUST be sent to the initiator in order to continue with the + authentication process, and a status value. If the obtained status + is GSS_S_COMPLETE, the client is considered authenticated. If the + status is GSS_S_CONTINUE_NEEDED, further information is required to + complete the process. + +4.3. Generation of GSS preauth responses + + Once the KDC has processed the input_token provided by the client (as + described in Section 4.2), two main different situations may occur + depending on the status value. If the client is successfully + authenticated (GSS_S_COMPLETE), the KDC will reply to the client with + a KRB_AS_REP message. This message will transport the final + output_token in a PA-GSS padata type. This PA-GSS padata will not + contain the state element. The reply key used to encrypt the enc- + part field of the KRB_AS_REP message is derived from the GSS security + context cryptographic material. Section 6 provides further details + regarding this derivation. At this moment, the KDC also verifies + that the cname provided in the AS_REQ matches the src_name obtained + through the final GSS_Accept_sec_ctx call (except when WELLKNOWN/ + FEDERATED is used as cname Section 8). + + On the contrary, if further data is required to complete the + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 6] + +Internet-Draft GSS preauth Sep 2012 + + + establishment process (GSS_S_CONTINUE_NEEDED), the KDC will reply to + the client with a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error message + [I-D.ietf-krb-wg-preauth-framework]. In the e-data field of the + message, the KDC will include the PA-GSS padata, containing both, the + GSS token (sec-ctx-token) and the exported GSS security context + (state) (see Section 7). + +4.4. Processing of GSS preauth responses + + When the client receives a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, + it extracts the token from the PA-GSS element and invokes the + GSS_Init_sec_context function, as described in section Section 4.1. + If present, the state element of the PA-GSS padata is treated as an + opaque element, and it is simply copied and included into the + generated PA-GSS element without further processing. + + On the other hand, when the client receives a KRB_AS_REP, it knows + the context establishment has finalized successfully. The client + invokes the GSS_Init_sec_context function using the transported GSS + token. Note that, to be consistent, this call MUST return + GSS_S_COMPLETE and not generate any output_token, since the KDC does + not expect further data from the client. + + If the context establishment is completed correctly, the client MUST + use the same key derivation process followed by the KDC (Section 4.3) + to obtain the reply key to decrypt the enc-part of the KRB_AS_REP. + + +5. Data in the KDC_ERR_PREAUTH_REQUIRED + + When the KDC sends a KDC_ERR_PREAUTH_REQUIRED error to the client, it + includes a sequence of padata, each corresponding to an acceptable + pre-authentication method. Optionally, these padata elements contain + data valuable for the client to configure the selected mechanism. + The data to be included in the padata for this message is described + in this section. + + TBD. (For example, list of the OIDs of the GSS mechanisms supported + by the KDC) + + +6. Derivation of the reply key from the GSS context + + The GSS pre-authentication mechanism proposed in this draft provides + the "Replacing-reply-key" facility + [I-D.ietf-krb-wg-preauth-framework]. + + After a successful authentication, client and KDC may decide to + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 7] + +Internet-Draft GSS preauth Sep 2012 + + + completely replace the reply key used to encrypt the KRB_AS_REP by a + new one that is cryptographically independent from the client's + password stored in client password on the Kerberos users database. + This additional keying material can be obtained by means of calls to + the GSS_Pseudo_random [RFC4401] function, using "KRB-GSS" as the + prf_in parameter. + + +7. KDC state management + + The Kerberos standard [RFC4120] defines the KDC as a stateless + entity. This means that, if the GSS mechanism requires more than one + round-trip, the client MUST provide enough data to the KDC in the + following interactions to allow recovering the complete state of the + ongoing authentication. This is specially relevant when the client + switches from one KDC to different one (within the same realm) during + a pre-authentication process. This second KDC must be able to + continue with the process in a seamless way. + + The GSS-API manages the so-called security contexts. They represent + the whole context of an authentication, including all the state and + relevant data of the ongoing security context. Thus, this + information MUST be serialized and sent to the client in order to + ensure that the KDC receiving it will be able to reconstruct the + associated state. In order to prevent attacks, this information must + be confidentiality and integrity protected using a key shared amongst + all the KDCs deployed in the realm, and must be sent along with a + timestamp to prevent replay attacks. How this information is encoded + is described in section Section 3. + + To generate the serialized security context information, the + GSS_Export_sec_ctx() call is used. The main drawback of this + approach is that the current GSS-API specifications does not allow + the exportation of a security context which has not been completely + established. Nevertheless, some GSS mechanisms do allow the + exportation of partially established context (e.g. + [I-D.ietf-abfab-gss-eap]), and we expect that other GSS mechanisms + will do the same in the future. + + +8. Support for federated users + + This draft supports the authentication of users belonging to a + different domain than the authenticating KDC. This is achieved by + letting the GSS-API to provide both, the client name and the reply + key to be used. That means that the requested username may not be + present in the KDC's database. To avoid the generation of an error + of type KDC_ERR_C_PRINCIPAL_UNKNOWN, when the Kerberos client knows + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 8] + +Internet-Draft GSS preauth Sep 2012 + + + it is operating in a federated environment, it MUST set the value of + the cname field of the KRB_AS_REQ message to a new wellknown value, + WELLKNOWN/FEDERATED, following the model proposed in [RFC6111]. In + this way, the KDC will be completely authenticated by the GSS-API + calls, and thus no local verification of credentials should be done. + + +9. GSS channel bindings + + In order to link the GSS authentication with the actual Kerberos + exchange transporting GSS tokens, the DER-encoded KDC-REQ-BODY from + the AS-REQ is used as channel bindings. + + +10. Acknowledgements + + This work is supported by the project MULTIGIGABIT EUROPEAN ACADEMIC + NETWORK (FP7-INFRASTRUCTURES-2009-1). It is also funded by a Seneca + Foundation grant from the Human Resources Researching Training + Program 2007. Authors finally thank the Funding Program for Research + Groups of Excellence with code 04552/GERM/06 granted by the Fundacion + Seneca. + + +11. Security Considerations + + Protection of Request/Responses with FAST, restriction on GSS + mechanism, etc. TBD. + + +12. IANA Considerations + + This document has no actions for IANA. + + +13. Normative References + + [I-D.ietf-abfab-gss-eap] + Hartman, S. and J. Howlett, "A GSS-API Mechanism for the + Extensible Authentication Protocol", + draft-ietf-abfab-gss-eap-09 (work in progress), + August 2012. + + [I-D.ietf-krb-wg-preauth-framework] + Hartman, S. and L. Zhu, "A Generalized Framework for + Kerberos Pre-Authentication", + draft-ietf-krb-wg-preauth-framework-17 (work in progress), + June 2010. + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 9] + +Internet-Draft GSS preauth Sep 2012 + + + [I-D.perez-abfab-eap-gss-preauth] + Perez-Mendez, A., Lopez, R., Pereniguez-Garcia, F., and G. + Lopez-Millan, "GSS-EAP pre-authentication for Kerberos", + draft-perez-abfab-eap-gss-preauth-01 (work in progress), + March 2012. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2743] Linn, J., "Generic Security Service Application Program + Interface Version 2, Update 1", RFC 2743, January 2000. + + [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The + Kerberos Network Authentication Service (V5)", RFC 4120, + July 2005. + + [RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API + Extension for the Generic Security Service Application + Program Interface (GSS-API)", RFC 4401, February 2006. + + [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial + Authentication in Kerberos (PKINIT)", RFC 4556, June 2006. + + [RFC6111] Zhu, L., "Additional Kerberos Naming Constraints", + RFC 6111, April 2011. + + +Authors' Addresses + + Alejandro Perez-Mendez (Ed.) + University of Murcia + Campus de Espinardo S/N, Faculty of Computer Science + Murcia, 30100 + Spain + + Phone: +34 868 88 46 44 + Email: alex@um.es + + + Rafa Marin-Lopez + University of Murcia + Campus de Espinardo S/N, Faculty of Computer Science + Murcia, 30100 + Spain + + Phone: +34 868 88 85 01 + Email: rafa@um.es + + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 10] + +Internet-Draft GSS preauth Sep 2012 + + + Fernando Pereniguez-Garcia + University of Murcia + Campus de Espinardo S/N, Faculty of Computer Science + Murcia, 30100 + Spain + + Phone: +34 868 88 78 82 + Email: pereniguez@um.es + + + Gabriel Lopez-Millan + University of Murcia + Campus de Espinardo S/N, Faculty of Computer Science + Murcia, 30100 + Spain + + Phone: +34 868 88 85 04 + Email: gabilm@um.es + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Perez-Mendez, et al. Expires March 5, 2013 [Page 11] + |