diff options
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-yu-krb-wg-kerberos-extensions-00.txt')
-rw-r--r-- | third_party/heimdal/doc/standardisation/draft-yu-krb-wg-kerberos-extensions-00.txt | 3585 |
1 files changed, 3585 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-yu-krb-wg-kerberos-extensions-00.txt b/third_party/heimdal/doc/standardisation/draft-yu-krb-wg-kerberos-extensions-00.txt new file mode 100644 index 00000000000..dd902349590 --- /dev/null +++ b/third_party/heimdal/doc/standardisation/draft-yu-krb-wg-kerberos-extensions-00.txt @@ -0,0 +1,3585 @@ + + +INTERNET-DRAFT Tom Yu +draft-yu-krb-wg-kerberos-extensions-00.txt MIT +Expires: 09 August 2004 09 February 2004 + + The Kerberos Network Authentication Service (Version 5) + +Status of This Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC 2026. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + + http://www.ietf.org/ietf/1id-abstracts.txt + + The list of Internet-Draft Shadow Directories can be accessed at + + http://www.ietf.org/shadow.html + + +Copyright Notice + + Copyright (C) The Internet Society (2004). All Rights Reserved. + +Abstract + + This document describes version 5 of the Kerberos network + authentication protocol. It describes changes to the protocol which + allow for extensions to be made to the protocol without creating + interoperability problems. + + [ This document is a VERY rough draft. Many sections are not yet + fully filled out. The main purpose is to illustrate the beginnings + of a new document structure as a starting point. ] + +Key Words for Requirements + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", and "MAY" in this document are + to be interpreted as described in RFC 2119. + + +Yu Expires: Aug 2004 [Page 1] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +Table of Contents + + Status of This Memo ....................................... 1 + Copyright Notice .......................................... 1 + Abstract .................................................. 1 + Key Words for Requirements ................................ 1 + Table of Contents ......................................... 2 + 1. Introduction .......................................... 4 + 1.1. Kerberos Protocol Overview .......................... 4 + 1.2. Overview of Document ................................ 5 + 2. Extensibility ......................................... 5 + 3. Criticality ........................................... 6 + 4. Use of ASN.1 .......................................... 6 + 4.1. Module Header ....................................... 6 + 4.2. Top-Level Type ...................................... 7 + 4.3. Parameterized Types ................................. 7 + 4.4. Constraints ......................................... 8 + 4.5. New Types ........................................... 8 + 5. Basic Types ........................................... 8 + 5.1. Constrained Integer Types ........................... 8 + 5.2. KerberosTime ........................................ 9 + 5.3. KerberosString ...................................... 9 + 6. Principals ............................................ 10 + 6.1. Name Types .......................................... 10 + 6.2. Principal Name Reuse ................................ 11 + 7. Types Relating to Encryption .......................... 11 + 7.1. EncryptedData ....................................... 11 + 7.2. EncryptionKey ....................................... 13 + 7.3. Checksums ........................................... 13 + 7.3.1. ChecksumOf ........................................ 14 + 7.3.2. Signed ............................................ 15 + 8. Tickets ............................................... 15 + 8.1. Timestamps .......................................... 16 + 8.2. Ticket Flags ........................................ 16 + 8.2.1. Flags Relating to Initial Ticket Acquisition ...... 17 + 8.2.2. Invalid Tickets ................................... 17 + 8.2.3. OK as Delegate .................................... 18 + 8.3. Renewable Tickets ................................... 18 + 8.4. Postdated Tickets ................................... 19 + 8.5. Proxiable and Proxy Tickets ......................... 20 + 8.6. Forwardable Tickets ................................. 21 + 8.7. Transited Realms .................................... 21 + 8.8. Authorization Data .................................. 21 + 8.9. Encrypted Part of Ticket ............................ 21 + 8.10. Cleartext Part of Ticket ........................... 22 + 9. Credential Acquisition ................................ 23 + 9.1. KDC-REQ ............................................. 24 + 9.2. PA-DATA ............................................. 26 + 9.3. KDC-REQ Processing .................................. 26 + 9.3.1. Handling Replays .................................. 26 + 9.3.2. Request Validation ................................ 26 + +Yu Expires: Aug 2004 [Page 2] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + 9.3.2.1. AS-REQ Authentication ........................... 27 + 9.3.2.2. TGS-REQ Authentication .......................... 27 + 9.3.2.3. Principal Validation ............................ 27 + 9.3.3. Timestamp Handling ................................ 27 + 9.3.3.1. AS-REQ Timestamp Processing ..................... 28 + 9.3.3.2. TGS-REQ Timestamp Processing .................... 29 + 9.3.4. Key Selection ..................................... 29 + 9.3.5. Checking For Revoked Tickets ...................... 30 + 9.4. Reply Validation .................................... 30 + 10. Application Authentication ........................... 30 + 11. Session Key Use ...................................... 30 + 11.1. KRB-SAFE ........................................... 30 + 11.2. KRB-PRIV ........................................... 30 + 11.3. KRB-CRED ........................................... 30 + 12. Security Considerations .............................. 30 + 12.1. Time Synchronization ............................... 30 + 12.2. Replays ............................................ 30 + 12.3. Principal Name Reuse ............................... 30 + 12.4. Password Guessing .................................. 30 + 12.5. Forward Secrecy .................................... 30 + 12.6. Authorization ...................................... 31 + 12.7. Login Authentication ............................... 31 + Appendices ................................................ 31 + A. ASN.1 Module (Normative) .............................. 31 + B. Kerberos and Character Encodings (Informative) ........ 60 + C. Kerberos History (Informative) ........................ 62 + Normative References ...................................... 62 + Informative References .................................... 63 + Acknowledgments ........................................... 63 + Author's Address .......................................... 63 + Full Copyright Statement .................................. 63 + + + + + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 3] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +1. Introduction + + The Kerberos network authentication protocol is a trusted third-party + protocol utilizing symmetric-key cryptography. It assumes that all + communications between parties in the protocol may be arbitrarily + tampered with or monitored, and that the security of the overall + system depends only on the effectiveness of the cryptographic + techniques and the secrecy of the keys used. The protocol + authenticates an application client's identity to an application + server, and likewise authenticates the application server's identity + to the application client. These assurances are made possible by the + client and the server sharing secrets with the trusted third party: + the Kerberos server, also known as the Key Distribution Center (KDC). + In addition, the protocol establishes an ephemeral shared secret (the + session key) between the client and the server, allowing the + protection of further communications between them. + +1.1. Kerberos Protocol Overview + + Kerberos comprises three main sub-protocols: credentials acquisition, + application authentication, and session key usage. A client acquires + credentials by asking the for KDC a credential for a service; the KDC + issues the credential, consisting of a ticket and a session key. The + ticket, containing the client's identity, timestamps, expiration + time, and a session key, is a encrypted in a key known to the + application server. The KDC encrypts the credential using a key + known to the client, and transmits the credential to the client. + + There are two means of requesting credentials: the Authentication + Service (AS) exchange, and the Ticket-Granting Service (TGS) + exchange. The AS exchange typically involves a client using a + password-derived key to decrypt the response. The TGS exchange + involves the KDC behaving as an application, which the client + authenticates to using a Ticket-Granting Ticket (TGT). The client + usually obtains the TGT by using the AS exchange. + + Application authentication consists of the client establishing the + session key with the application server by transmitting the ticket to + the application server, along with an authenticator. The + authenticator contains a timestamp and additional data encrypted + using the ticket's session key. The application server decrypts the + ticket, extracting the session key. The application server then uses + the session key to decrypt the authenticator. Upon successful + decryption of the authenticator, the application server knows that + the data in the authenticator were sent by the client named in the + associated ticket. Additionally, since authenticators expire more + quickly than tickets, the application server has some assurance that + the transaction is not a replay. The application server may send an + encrypted acknowledgment to the client, verifying its identity to the + client. + + +Yu Expires: Aug 2004 [Page 4] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Once application authentication has occurred, the client and server + may use the established session key to protect further traffic. This + protection may consist of protection of integrity only, or of + protection of confidentiality and integrity. Additional measures + exist for a client to forward credentials to a server. + + The entire scheme depends on loosely synchronized clocks. + Synchronization of the clock on the KDC with the application server + clock allows the application server to accurately determine whether a + credential is expired. Likewise, synchronization of the clock on the + client with the application server clock prevents replay attacks + utilizing the same credential. Careful design of the application + protocol may allow replay prevention without requiring client-server + clock synchronization. + + Following the establishment of a session key between the application + client and the application server, the Kerberos protocol provides + messages that use the session key to protect the integrity or + confidentiality of communications between the client and the server. + Additionally, the client may forward credentials to the application + server. + + The credentials acquisition protocol takes place over specific, + defined transports (UDP and TCP). Application protocols define which + transport to use for the session key establishment protocol and for + messages using the session key; the application may choose to perform + its own encapsulation of the Kerberos messages, for example. + +1.2. Overview of Document + + The remainder of this document begins by describing the general + frameworks for protocol extensibility, including whether to interpret + unknown extensions as critical. It then defines the protocol + messages and exchanges. + + The definition of the Kerberos protocol uses Abstract Syntax Notation + One (ASN.1) [X680], which specifies notation for describing the + abstract content of protocol messages. This document defines a + number of base types using ASN.1; these base types subsequently + appear in multiple types which define actual protocol messages. + Definitions of principal names and of tickets, which are central to + the protocol, also appear preceding the protocol message definitions. + +2. Extensibility + + As originally defined in [RFC1510], the Kerberos protocol does not + readily allow for backwards-compatible extensions to the protocol. + Various proposals to extend the Kerberos protocol have appeared since + RFC 1510, many of them creating problems for backwards compatibility. + This document adopts the technique of creating new extensible types + which encode to messages which are very similar to RFC 1510 messages + +Yu Expires: Aug 2004 [Page 5] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + on the wire. This similarity allows implementors to use shared code + paths for encoding and decoding both new and old messages. + + The protocol defined in RFC 1510 already contains some elements + allowing for limited backwards-compatible extensions to the protocol. + Most of these elements consist of "typed holes"; these are octet + strings whose contents have types defined by an assigned number. + This document adds a number of typed holes to types which have + previously lacked typed holes. This document also describes + procedures for the IETF to use the extensibility model of ASN.1 make + further backwards-compatible extensions of the Kerberos protocol, if + typed holes prove inadequate for some desired extension. + +3. Criticality + + In general, implementations SHOULD treat unknown extension, flags, + etc. as non-critical; i.e., they should ignore them when they do not + understand them. Exceptions are clearly marked. An implementation + SHOULD NOT reject a request merely because it does not understand + some element of the request. As a related consequence, + implementations SHOULD handle talking to other implementations which + do not implement some requested options. This may require designers + of extensions or options to provide means detect whether extensions + or options are rejected, or whether such extensions or options are + merely not understood, or (perhaps maliciously) deleted in transit. + +4. Use of ASN.1 + + Kerberos uses the ASN.1 Distinguished Encoding Rules (DER) [X690]. + Even though ASN.1 theoretically allows the description of protocol + messages to be independent of the encoding rules used to encode the + messages, Kerberos messages MUST be encoded with DER. Subtleties in + the semantics of the notation, such as whether tags carry any + semantic content to the application, may cause the use of other ASN.1 + encoding rules to be problematic. + + Implementors not using existing ASN.1 compilers or support libraries + are cautioned to thoroughly read and understand the actual ASN.1 + specification to ensure correct implementation behavior. There is + more complexity in the notation than is immediately obvious, and some + tutorials and guides to ASN.1 are misleading or erroneous. + +4.1. Module Header + + The type definitions in this section assume an ASN.1 module + definition of the following form: + + + + + + +Yu Expires: Aug 2004 [Page 6] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KerberosV5Spec3 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec3(4) + } DEFINITIONS EXPLICIT TAGS ::= BEGIN + + -- Rest of definitions here + + END + + This specifies that the tagging context for the module will be + explicit and that automatic tagging is not done. + + Some other publications [RFC1510] [RFC1964] erroneously specify an + object identifier (OID) having an incorrect value of "5" for the + "dod" component of the OID. In the case of RFC 1964, use of the + "correct" OID value would result in a change in the wire protocol; + therefore, the RFC 1964 OID remains unchanged for now. + +4.2. Top-Level Type + + The ASN.1 type "KRB-PDU" is a CHOICE over all the types (Protocol + Data Units or PDUs) which an application may directly reference. + Applications SHOULD NOT transmit any types other than those which are + alternatives of the KRB-PDU CHOICE. + + -- top-level type + -- + -- Applications should not directly reference any types + -- other than KRB-PDU and its component types. + -- + KRB-PDU ::= CHOICE { + ticket Ticket, + as-req AS-REQ, + as-rep AS-REP, + tgs-req TGS-REQ, + tgs-rep TGS-REP, + ap-req AP-REQ, + ap-rep AP-REP, + krb-safe KRB-SAFE, + krb-priv KRB-PRIV, + krb-cred KRB-CRED, + tgt-req TGT-REQ, + krb-error KRB-ERROR, + ... + } + + +4.3. Parameterized Types + + This document uses ASN.1 parameterized types [X683] to make + definitions of types more readable. For some types, some or all of + +Yu Expires: Aug 2004 [Page 7] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + the parameters are advisory, i.e., they are not encoded in any form + for transmission in a protocol message. These advisory parameters + can describe implementation behavior associated with the type. + +4.4. Constraints + + This document uses ASN.1 constraints, including the + "UserDefinedConstraint" syntax [X682]. Some constraints can be + handled automatically by tools that can parse them. Uses of the + "UserDefinedConstraint" syntax (the "CONSTRAINED BY" syntax) will + typically need to have behavior manually coded; these uses provide a + formalized way of conveying intended implementation behavior. + +4.5. New Types + + This document defines a number of new ASN.1 types. The names of + these types will typically have a suffix like "Ext", indicating that + the types are intended to support extensibility. Types original to + RFC 1510 have been renamed to have a suffix like "1510". The "Ext" + and "1510" types often contain a number of common elements; these + common elements have a suffix like "Common". The "1510" types have + various ASN.1 constraints applied to them; the constraints limit the + possible values of the "1510" types to those permitted by RFC 1510 or + by [KCLAR]. The "Ext" types may have different constraints, + typically to force string values to be sent as UTF-8. + +5. Basic Types + + Certain ASN.1 types in Kerberos appear in numerous other types. + +5.1. Constrained Integer Types + + In [RFC1510], many types contained references to the unconstrained + INTEGER type. Since an unconstrained INTEGER may contain any + possible abstract integer value, most of the unconstrained references + to INTEGER in [RFC1510] have been constrained to 32 bits or smaller. + + -- signed values representable in 32 bits + -- + -- These are often used as assigned numbers for various things. + Int32 ::= INTEGER (-2147483648..2147483647) + + -- unsigned 32 bit values + UInt32 ::= INTEGER (0..4294967295) + + The "Int32" type often contains an assigned number identifying the + type of a protocol element. Unless otherwise stated, non-negative + values are registered, and negative values are available for local + use. + + + +Yu Expires: Aug 2004 [Page 8] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- microseconds + Microseconds ::= INTEGER (0..999999) + + + -- sequence numbers + -- + -- We may want to increase this to 2**64 and define a UInt64 + -- type. + SeqNum ::= UInt32 + + + -- nonces + -- + -- Likewise, we may want to make this UInt64. + Nonce ::= UInt32 + + While these types have different abstract types from their + equivalents in [RFC1510], their DER encodings remain identical. + +5.2. KerberosTime + + -- must not have fractional seconds + KerberosTime ::= GeneralizedTime + + The timestamps used in Kerberos are encoded as GeneralizedTimes. A + KerberosTime value MUST NOT include any fractional portions of the + seconds. As required by the DER, it further MUST NOT include any + separators, and it specifies the UTC time zone (Z). Example: The only + valid format for UTC time 6 minutes, 27 seconds after 9 pm on 6 + November 1985 is "19851106210627Z". + +5.3. KerberosString + + -- used for names and for error messages + KerberosString ::= CHOICE { + ia5 GeneralString (IA5String), + utf8 UTF8String, + ... -- no extension may be sent + -- to an rfc1510 implementation -- + } + + The KerberosString type is used for strings in various places in the + Kerberos protocol. For compatibility with RFC 1510, GeneralString + values constrained to IA5String (US-ASCII) are permitted in messages + exchanged with RFC 1510 implementations. The new protocol messages + contain strings encoded as UTF-8. KerberosString values are present + in principal names and in error messages. Control characters SHOULD + NOT be used in principal names, and used with caution in error + messages. + + + +Yu Expires: Aug 2004 [Page 9] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + For detailed background regarding the history of character string use + in Kerberos, as well as discussion of some compatibility issues, see + Appendix B. + +6. Principals + + Principals are participants in the Kerberos protocol. A "realm" + consists of principals in one administrative domain, served by one + KDC (or one replicated set of KDCs). Each principal name has an + arbitrary number of components, though typical principal names will + only have one or two components. A principal name is meant to be + readable by and meaningful to humans, especially in a realm lacking a + centrally adminstered authorization infrastructure. + + Realm ::= KerberosString + + PrincipalName ::= SEQUENCE { + name-type [0] NameType, + -- May have zero elements, or individual elements may be + -- zero-length, but this is not recommended. + name-string [1] SEQUENCE OF KerberosString + } + + -- assigned numbers for name types (used in principal names) + NameType ::= Int32 + + + Kerberos realm names are KerberosStrings. Realms MUST NOT contain a + character with the code 0 (the US-ASCII NUL). Most realms will + usually consist of several components separated by periods (.), in + the style of Internet Domain Names, or separated by slashes (/) in + the style of X.500 names. + + name-type + Specifies the type of name that follows. The name-type SHOULD + be treated as a hint. Ignoring the name type, no two names can + be the same (i.e., at least one of the components, or the realm, + must be different). + + name-string + Encodes a sequence of components that form a name, each + component encoded as a KerberosString. Taken together, a + PrincipalName and a Realm form a principal identifier. Most + PrincipalNames will have only a few components (typically one or + two). + +6.1. Name Types + + + + + +Yu Expires: Aug 2004 [Page 10] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- Name type not known + nt-unknown NameType ::= 0 + -- Just the name of the principal as in DCE, or for users + nt-principal NameType ::= 1 + -- Service and other unique instance (krbtgt) + nt-srv-inst NameType ::= 2 + -- Service with host name as instance (telnet, rcommands) + nt-srv-hst NameType ::= 3 + -- Service with host as remaining components + nt-srv-xhst NameType ::= 4 + -- Unique ID + nt-uid NameType ::= 5 + -- Encoded X.509 Distingished name [RFC 2253] + nt-x500-principal NameType ::= 6 + -- Name in form of SMTP email name (e.g. user@foo.com) + nt-smtp-name NameType ::= 7 + -- Enterprise name - may be mapped to principal name + nt-enterprise NameType ::= 10 + + +6.2. Principal Name Reuse + + Realm administrators SHOULD use extreme caution when considering + reusing a principal name. A service administrator might explicitly + enter principal names into a local access control list (ACL) for the + service. If such local ACLs exist independently of a centrally + administered authorization infrastructure, realm administrators + SHOULD NOT reuse principal names until confirming that all extant ACL + entries referencing that principal name have been updated. Failure + to perform this check can result in a security vulnerability, as a + new principal can inadvertently inherit unauthorized privileges upon + receiving a reused principal name. An organization whose Kerberos- + authenticated services all use a centrally-adminstered authorization + infrastructure may not need to take these precautions regarding + principal name reuse. + +7. Types Relating to Encryption + + Many Kerberos protocol messages contain encryptions of various data + types. Kerberos protocol messages also contain checksums + (signatures) of various types. + +7.1. EncryptedData + + The "EncryptedData" type contains the encryption of another data + type. The recipient uses fields within EncryptedData to determine + which key to use for decryption. + + + + + +Yu Expires: Aug 2004 [Page 11] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- "Type" specifies which ASN.1 type is encrypted to the + -- ciphertext in the EncryptedData. "Keys" specifies a set of + -- keys of which one key may be used to encrypt the data. + -- "KeyUsages" specifies a set of key usages, one of which may + -- be used to encrypt. + -- + -- None of the parameters is transmitted over the wire. + EncryptedData { Type, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + SEQUENCE { + etype [0] EType, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING (CONSTRAINED BY { + -- must be encryption of -- + OCTET STRING (CONTAINING Type), + -- with one of the keys -- KeyToUse:Keys, + -- with key usage being one of -- + KeyUsage:KeyUsages + }), + ... + } + + -- Assigned numbers denoting encryption mechanisms. + EType ::= Int32 + + -- Assigned numbers denoting key usages. + KeyUsage ::= UInt32 + + + EType + Integer type for assigned numbers for encryption algorithms. + Defined in [KCRYPTO] + + KeyUsage + Integer type for assigned numbers for key usages. Key usage + values are inputs to the encryption and decryption functions + described in [KCRYPTO]. + + Type + Advisory parameter indicating the ASN.1 type whose DER encoding + is the plaintext encrypted into the EncryptedData. + + Keys + Advisory parameter indicating which key to use to perform the + encryption. If "Keys" indicate multiple "KeyToUse" values, the + detailed description of the containing message will indicate + which key to use under which conditions. + + + + + + +Yu Expires: Aug 2004 [Page 12] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- KeyToUse identifies which key is to be used to encrypt or + -- sign a given value. + -- + -- Values of KeyToUse are never actually transmitted over the + -- wire, or even used directly by the implementation in any + -- way, as key usages are; it exists primarily to identify + -- which key gets used for what purpose. Thus, the specific + -- numeric values associated with this type are irrelevant. + KeyToUse ::= ENUMERATED { + -- unspecified + key-unspecified, + -- server long term key + key-server, + -- client long term key + key-client, + -- key selected by KDC for encryption of a KDC-REP + key-kdc-rep, + -- session key from ticket + key-session, + -- subsession key negotiated via AP-REQ/AP-REP + key-subsession, + ... + } + + + KeyUsages + Advisory parameter indicating which "KeyUsage" value is used to + encrypt. If "KeyUsages" indicates multiple "KeyUsage" values, + the detailed description of the containing message will indicate + which key usage to use under which conditions. + +7.2. EncryptionKey + + The "EncryptionKey" type holds an encryption key. + + EncryptionKey ::= SEQUENCE { + keytype [0] EType, + keyvalue [1] OCTET STRING + } + + + keytype + This "EType" identifies the encryption algorithm, described in + [KCRYPTO]. + + keyvalue + Contains the actual key. + +7.3. Checksums + + + +Yu Expires: Aug 2004 [Page 13] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Several types contain checksums (actually signatures) of data. + + CksumType ::= Int32 + + -- The parameters specify which key to use to produce the + -- signature, as well as which key usage to use. The + -- parameters are not actually sent over the wire. + Checksum { KeyToUse:Keys, KeyUsage:KeyUsages } ::= SEQUENCE { + cksumtype [0] CksumType, + checksum [1] OCTET STRING (CONSTRAINED BY { + -- signed using one of the keys -- + KeyToUse:Keys, + -- with key usage being one of -- + KeyUsage:KeyUsages + }) + } + + + CksumType + Integer type for assigned numbers for signature algorithms. + Defined in [KCRYPTO] + + Keys + As in EncryptedData + + KeyUsages + As in EncryptedData + + cksumtype + Signature algorithm used to produce the signature. + + checksum + The actual checksum. + +7.3.1. ChecksumOf + + ChecksumOf is like "Checksum", but specifies which type is signed. + + -- a Checksum that must contain the checksum of a particular type + ChecksumOf { Type, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + Checksum { Keys, KeyUsages } + (WITH COMPONENTS { + ..., + checksum (CONSTRAINED BY { + -- must be checksum of -- + OCTET STRING (CONTAINING Type) + }) + }) + + + + +Yu Expires: Aug 2004 [Page 14] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Type + Indicates the ASN.1 type whose DER encoding is signed. + +7.3.2. Signed + + Signed is like "ChecksumOf", but contains an actual instance of the + type being signed in addition to the signature. + + -- parameterized type for wrapping authenticated plaintext + Signed { InnerType, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + SEQUENCE { + cksum [0] ChecksumOf + { InnerType, Keys, KeyUsages } OPTIONAL, + inner [1] InnerType, + ... + } + + +8. Tickets + + The important fields of a ticket are in the encrypted part. The + components in common between the RFC 1510 and the extensible versions + are + + EncTicketPartCommon ::= SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL, + ... + } + + + crealm + This field contains the client's realm. + + cname + This field contains the client's name. + + caddr + This field lists the network addresses (if absent, all addresses + are permitted) from which the ticket is valid. + + + +Yu Expires: Aug 2004 [Page 15] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Descriptions of the other fields appear in the following sections. + +8.1. Timestamps + + Three of the ticket timestamps may be requested from the KDC. The + timestamps may differ from those requested, depending on site policy. + + authtime + The time at which the client authenticated, as recorded by the + KDC. + + starttime + The earliest time when the ticket is valid. If not present, the + ticket is valid starting at the authtime. This is requested as + the "from" field of KDC-REQ-BODY-COMMON. + + endtime + This time is requested in the "till" field of KDC-REQ-BODY- + COMMON. Contains the time after which the ticket will not be + honored (its expiration time). Note that individual services + MAY place their own limits on the life of a ticket and MAY + reject tickets which have not yet expired. As such, this is + really an upper bound on the expiration time for the ticket. + + renew-till + This time is requested in the "rtime" field of KDC-REQ-BODY- + COMMON. It is only present in tickets that have the "renewable" + flag set in the flags field. It indicates the maximum endtime + that may be included in a renewal. It can be thought of as the + absolute expiration time for the ticket, including all renewals. + +8.2. Ticket Flags + + A number of flags may be set in the ticket, further defining some of + its capabilities. Some of these flags map to flags in a KDC request. + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 16] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + TicketFlags ::= KerberosFlags { TicketFlagsBits } + + TicketFlagsBits ::= BIT STRING { + reserved (0), + forwardable (1), + forwarded (2), + proxiable (3), + proxy (4), + may-postdate (5), + postdated (6), + invalid (7), + renewable (8), + initial (9), + pre-authent (10), + hw-authent (11), + transited-policy-checked (12), + ok-as-delegate (13), + anonymous (14), + cksummed-ticket (15) + } + + +8.2.1. Flags Relating to Initial Ticket Acquisition + + [ adapted KCLAR 2.1. ] + + Several flags indicate the details of how the initial ticket was + acquired. + + initial + The "initial" flag indicates that a ticket was issued using the + AS protocol, rather than issued based on a ticket-granting + ticket. Application servers (e.g., a password-changing program) + requiring a client's definite knowledge of its secret keycan + insist that this flag be set in any tickets they accept, and + thus be assured that the client's key was recently presented to + the application client. + + pre-authent + The "pre-authent" flag indicates that some sort of pre- + authentication was used during the AS exchange. + + hw-authent + The "hw-authent" flag indicates that some sort of hardware-based + pre-authentication occurred during the AS exchange. + + Both the "pre-authent" and the "hw-authent" flags may be present with + or without the "initial" flag; such tickets with the "initial" flag + clear are ones which are derived from initial tickets with the "pre- + authent" or "hw-authent" flags set. + + +Yu Expires: Aug 2004 [Page 17] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +8.2.2. Invalid Tickets + + [ KCLAR 2.2. ] + + The "invalid" flag indicates that a ticket is invalid. Application + servers MUST reject tickets which have this flag set. A postdated + ticket will be issued in this form. Invalid tickets MUST be + validated by the KDC before use, by presenting them to the KDC in a + TGS request with the "validate" option specified. The KDC will only + validate tickets after their starttime has passed. The validation is + required so that postdated tickets which have been stolen before + their starttime can be rendered permanently invalid (through a hot- + list mechanism -- see Section 9.3.5). + +8.2.3. OK as Delegate + + [ KCLAR 2.8. ] + + For some applications a client may need to delegate authority to a + server to act on its behalf in contacting other services. This + requires that the client forward credentials to an intermediate + server. The ability for a client to obtain a service ticket to a + server conveys no information to the client about whether the server + should be trusted to accept delegated credentials. The "ok-as- + delegate" flag provides a way for a KDC to communicate local realm + policy to a client regarding whether an intermediate server is + trusted to accept such credentials. + + The copy of the ticket flags visible to the client may have the "ok- + as-delegate" flag set to indicate to the client that the server + specified in the ticket has been determined by policy of the realm to + be a suitable recipient of delegation. A client can use the presence + of this flag to help it make a decision whether to delegate + credentials (either grant a proxy or a forwarded ticket-granting + ticket) to this server. It is acceptable to ignore the value of this + flag. When setting this flag, an administrator should consider the + security and placement of the server on which the service will run, + as well as whether the service requires the use of delegated + credentials. + +8.3. Renewable Tickets + + [ adapted KCLAR 2.3. ] + + Renewable tickets can be used to mitigate the consequences of ticket + theft. Applications may desire to hold tickets which can be valid + for long periods of time. However, this can expose their credentials + to potential theft for equally long periods, and those stolen + credentials would be valid until the expiration time of the + ticket(s). Simply using short-lived tickets and obtaining new ones + periodically would require the client to have long-term access to its + +Yu Expires: Aug 2004 [Page 18] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + secret key, an even greater risk. + + Renewable tickets have two "expiration times": the first is when the + current instance of the ticket expires, and the second is the latest + permissible value for an individual expiration time. An application + client must periodically (i.e., before it expires) present a + renewable ticket to the KDC, with the "renew" option set in the KDC + request. The KDC will issue a new ticket with a new session key and + a later expiration time. All other fields of the ticket are left + unmodified by the renewal process. When the latest permissible + expiration time arrives, the ticket expires permanently. At each + renewal, the KDC MAY consult a hot-list to determine if the ticket + had been reported stolen since its last renewal; it will refuse to + renew such stolen tickets, and thus the usable lifetime of stolen + tickets is reduced. + + The "renewable" flag in a ticket is normally only interpreted by the + ticket-granting service. It can usually be ignored by application + servers. However, some particularly careful application servers MAY + disallow renewable tickets. + + If a renewable ticket is not renewed by its expiration time, the KDC + will not renew the ticket. The "renewable" flag is clear by default, + but a client can request it be set by setting the "renewable" option + in the AS-REQ message. If it is set, then the "renew-till" field in + the ticket contains the time after which the ticket may not be + renewed. + +8.4. Postdated Tickets + + [ KCLAR 2.4. ] + + Applications may occasionally need to obtain tickets for use much + later, e.g., a batch submission system would need tickets to be valid + at the time the batch job is serviced. However, it is dangerous to + hold valid tickets in a batch queue, since they will be on-line + longer and more prone to theft. Postdated tickets provide a way to + obtain these tickets from the KDC at job submission time, but to + leave them "dormant" until they are activated and validated by a + further request of the KDC. If a ticket theft were reported in the + interim, the KDC would refuse to validate the ticket, and the thief + would be foiled. + + The "may-postdate" flag in a ticket is normally only interpreted by + the TGS. It can be ignored by application servers. This flag MUST be + set in a ticket-granting ticket in order for the KDC to issue a + postdated ticket based on the presented ticket. It is reset by + default; it MAY be requested by a client by setting the "allow- + postdate" option in the AS-REQ [?also TGS-REQ?] message. This flag + does not allow a client to obtain a postdated ticket-granting ticket; + postdated ticket-granting tickets can only by obtained by requesting + +Yu Expires: Aug 2004 [Page 19] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + the postdating in the AS-REQ message. The life (endtime-starttime) + of a postdated ticket will be the remaining life of the ticket- + granting ticket at the time of the request, unless the "renewable" + option is also set, in which case it can be the full life (endtime- + starttime) of the ticket-granting ticket. The KDC MAY limit how far + in the future a ticket may be postdated. + + The "postdated" flag indicates that a ticket has been postdated. The + application server can check the authtime field in the ticket to see + when the original authentication occurred. Some services MAY choose + to reject postdated tickets, or they may only accept them within a + certain period after the original authentication. When the KDC issues + a "postdated" ticket, it will also be marked as "invalid", so that + the application client MUST present the ticket to the KDC for + validation before use. + +8.5. Proxiable and Proxy Tickets + + [ KCLAR 2.5. ] + + At times it may be necessary for a principal to allow a service to + perform an operation on its behalf. The service must be able to take + on the identity of the client, but only for a particular purpose. A + principal can allow a service to take on the principal's identity for + a particular purpose by granting it a proxy. + + The process of granting a proxy using the "proxy" and "proxiable" + flags is used to provide credentials for use with specific services. + Though conceptually also a proxy, users wishing to delegate their + identity in a form usable for all purposes MUST use the ticket + forwarding mechanism described in the next section to forward a + ticket-granting ticket. + + The "proxiable" flag in a ticket is normally only interpreted by the + ticket-granting service. It can be ignored by application servers. + When set, this flag tells the ticket-granting server that it is OK to + issue a new ticket (but not a ticket-granting ticket) with a + different network address based on this ticket. This flag is set if + requested by the client on initial authentication. By default, the + client will request that it be set when requesting a ticket-granting + ticket, and reset when requesting any other ticket. + + This flag allows a client to pass a proxy to a server to perform a + remote request on its behalf (e.g. a print service client can give + the print server a proxy to access the client's files on a particular + file server in order to satisfy a print request). + + In order to complicate the use of stolen credentials, Kerberos + tickets may contain a set of network addresses from which they are + valid. When granting a proxy, the client MUST specify the new network + address from which the proxy is to be used, or indicate that the + +Yu Expires: Aug 2004 [Page 20] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + proxy is to be issued for use from any address. + + The "proxy" flag is set in a ticket by the TGS when it issues a proxy + ticket. Application servers MAY check this flag and at their option + they MAY require additional authentication from the agent presenting + the proxy in order to provide an audit trail. + +8.6. Forwardable Tickets + + [ KCLAR 2.6. ] + +8.7. Transited Realms + + [ KCLAR 2.7., plus new stuff ] + +8.8. Authorization Data + +8.9. Encrypted Part of Ticket + + The complete definition of the encrypted part is + + -- Encrypted part of ticket + EncTicketPart ::= CHOICE { + rfc1510 [APPLICATION 3] EncTicketPart1510, + ext [APPLICATION 5] EncTicketPartExt + } + + + EncTicketPart1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF EncTicketPartCommon + } (WITH COMPONENTS { + ..., + -- explicitly force IA5 in strings + crealm (WITH COMPONENTS { ia5 PRESENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }) + }) + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 21] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + EncTicketPartExt ::= EncTicketPartCommon + (WITH COMPONENTS { + ..., + -- explicitly force UTF-8 in strings + crealm (WITH COMPONENTS { ia5 ABSENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }), + -- explicitly constrain caddr to be non-empty if present + caddr (SIZE (1..MAX)), + -- explicitly constrain authorization-data to be non-empty + -- if present + authorization-data (SIZE (1..MAX)) + }) + + +8.10. Cleartext Part of Ticket + + Ticket ::= CHOICE { + rfc1510 [APPLICATION 1] Ticket1510, + ext [APPLICATION 4] Signed { + TicketExt, { key-server }, { ku-Ticket-cksum } + } + } + + + -- takes a parameter specifying which type gets encrypted + TicketCommon { EncPart } ::= SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData { + EncPart, { key-server }, { ku-Ticket } + }, + extensions [4] TicketExtensions OPTIONAL, + ... + } + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 22] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Ticket1510 ::= SEQUENCE { + -- "COMPONENTS OF" drops the extension marker from + -- TicketCommon + COMPONENTS OF TicketCommon { EncTicketPart1510 } + } (WITH COMPONENTS { + ..., + -- explicitly force IA5 in strings + realm (WITH COMPONENTS { ia5 PRESENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }), + extensions ABSENT + }) + + + -- APPLICATION tag goes inside Signed{} as well as outside, + -- to prevent possible substitution attacks. + TicketExt ::= [APPLICATION 4] TicketCommon + (WITH COMPONENTS { + ..., + -- explicitly force UTF-8 in strings + realm (WITH COMPONENTS { ia5 ABSENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }) + }) + + + TEType ::= Int32 + + TICKETEXTENSION ::= TYPEDHOLE { TEType } + + -- ticket extensions: for TicketExt only + TicketExtensions ::= SEQUENCE (SIZE (1..MAX)) OF SEQUENCE { + te-type [0] TICKETEXTENSION.&id + ({TicketExtension-Set}), + te-data [1] OCTET STRING (TICKETEXTENSION.&Type) + ({TicketExtension-Set}{@te-type}) + } + + -- no mandatory ticket extensions currently + TicketExtensionSet TICKETEXTENSION ::= { ... } + + +9. Credential Acquisition + + + +Yu Expires: Aug 2004 [Page 23] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + There are two exchanges that can be used for acquiring credentials: + the AS exchange and the TGS exchange. These exchanges have many + similarities, and this document describes them in parallel, noting + which behaviors are specific to one type of exchange. The AS request + (AS-REQ) and TGS request (TGS-REQ) are both forms of KDC requests + (KDC-REQ). Likewise, the AS reply (AS-REP) and TGS reply (TGS-REP) + are forms of KDC replies (KDC-REP). + +9.1. KDC-REQ + + The KDC-REQ has a large number of fields in common between the RFC + 1510 and the extensible versions. + + KDC-REQ-COMMON ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5), + msg-type [2] INTEGER (10 -- AS-REQ.rfc1510 -- + | 12 -- TGS-REQ.rfc1510 -- + | 6 -- AS-REQ.ext -- + | 8 -- TGS-REQ.ext -- ), + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty + } + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 24] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KDC-REQ-BODY-COMMON ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + + realm [2] Realm + -- Server's realm; also client's in AS-REQ --, + + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime OPTIONAL + -- was required in rfc1510; + -- still required for compat versions + -- of messages --, + + rtime [6] KerberosTime OPTIONAL, + nonce [7] Nonce, + etype [8] SEQUENCE OF EType + -- in preference order --, + + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData { + AuthorizationData, { key-session | key-subsession }, + { ku-TGSReqAuthData-subkey | + ku-TGSReqAuthData-sesskey } + } OPTIONAL, + + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty --, + ... + } + + + Many fields of KDC-REQ-BODY-COMMON correspond directly to fields of + an EncTicketPartCommon. The KDC copies most of them unchanged, + provided that their values meet site policy. + + kdc-options + These flags do not correspond directly to "flags" in + EncTicketPartCommon. [ insert mapping table here ] + + cname + This field is copied to the "cname" field in + EncTicketPartCommon. The "cname" field is required in an AS- + REQ; the client places its own name here. In a TGS-REQ, the + "cname" in the ticket in the AP-REQ takes precedence. + + realm + This field is the server's realm, and also holds the client's + realm in an AS-REQ. + + +Yu Expires: Aug 2004 [Page 25] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + The "from", "till", and "rtime" fields correspond to the "starttime", + "endtime", and "renew-till" fields of EncTicketPartCommon. + + addresses + This field corresponds to the "caddr" field of + EncTicketPartCommon. + + enc-authorization-data + For TGS-REQ, this field contains authorization data encrypted + using either the TGT session key or the AP-REQ subsession key; + these may be copied into the "authorization-data" field of + EncTicketPartCommon if policy permits. + +9.2. PA-DATA + + PA-DATA have multiple uses in the Kerberos protocol. They may pre- + authenticate an AS-REQ; they may also modify several of the + encryption keys used in a KDC-REP. PA-DATA may also provide "hints" + to the client about which long-term key (usually password-derived) to + use. PA-DATA may also include "hints" about which pre-authentication + mechanisms to use, or include data for input into a pre- + authentication mechanism. + +9.3. KDC-REQ Processing + + Processing of a KDC-REQ proceeds through several steps. An + implementation need not perform these steps exactly as described, as + long as the resulting behavior is as if the steps were performed as + described. The KDC performs replay handling on receipt of the + request; it then validates the request, adjusts timestamps, and + selects the keys used in the reply. It copies data from the request + into the issued ticket, adjusting for policy. The KDC then transmits + the reply to the client. + +9.3.1. Handling Replays + + Because Kerberos can run over unreliable transports such as UDP, the + KDC MUST be prepared to retransmit responses in case they are lost. + If a KDC receives a request identical to one it has recently + successfully processed, the KDC MUST respond with an KDC-REP message + rather than a replay error. In order to reduce the amount of + ciphertext given to a potential attacker, KDCs MAY send the same + response generated when the request was first handled. KDCs MUST + obey this replay behavior even if the actual transport in use is + reliable. If the AP-REQ which authenticates a TGS-REQ is a replay, + and the entire request is not identical to a recently successfully + processed request, the KDC SHOULD return "krb-ap-err-repeat", as is + appropriate for AP-REQ processing. + + + + +Yu Expires: Aug 2004 [Page 26] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +9.3.2. Request Validation + +9.3.2.1. AS-REQ Authentication + + Site policy determines whether a given client principal is required + to provide some pre-authentication prior to receiving an AS-REP. + Since the default reply key is typically the client's long-term + password-based key, an attacker may easily request known plaintext + (in the form of an AS-REP) upon which to mount a dictionary attack. + Pre-authentication can limit the possibility of such an attack. + + If site policy requires pre-authentication for a client principal, + and no pre-authentication is provided, the KDC returns the error + "kdc-err-preauth-required". Accompanying this error are "e-data" + which include hints telling the client which pre-authentication + mechanisms to use, or data for input to pre-authentication mechanisms + (e.g., input to challenge-response systems). If pre-authentication + fails, the KDC returns the error "kdc-err-preauth-failed". + + [ may need additional changes based on Sam's preauth draft ] + +9.3.2.2. TGS-REQ Authentication + + A TGS-REQ has an accompanying AP-REQ, which is included in the "pa- + tgs-req". The KDC MUST validate the checksum in the Authenticator of + the AP-REQ, which is computed over the KDC-REQ-BODY-1510 or KDC-REQ- + BODY-EXT (for TGS-REQ-1510 or TGS-REQ-EXT, respectively) of the + request. [ padata not signed by authenticator! ] Any error from the + AP-REQ validation process SHOULD be returned in a KRB-ERROR message. + The service principal in the ticket of the AP-REQ may be a ticket- + granting service principal, or a normal application service + principal. An AP-REQ ticket which is not a ticket-granting ticket + MUST NOT be used to issue a ticket for any service other than the one + named in the ticket. In this case, the "renew", "validate", or + "proxy" [?also forwarded?] option must be set in the request. + +9.3.2.3. Principal Validation + + If the client principal in an AS-REQ is unknown, the KDC returns the + error "kdc-err-c-principal-unknown". If the server principal is + unknown, the KDC returns the error "kdc-err-c-principal-unknown". + +9.3.3. Timestamp Handling + + [ some aspects of timestamp handling, especially regarding postdating + and renewal, are difficult to read in KCLAR... needs closer + examination here ] + + For the AS exchange, the "authtime" of a ticket is set to the local + time at the KDC. For the TGS exchange, the KDC sets the "authtime" + to that of the ticket in the AP-REQ authenticating the TGS-REQ. + +Yu Expires: Aug 2004 [Page 27] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + [?application server can spoof the authtime. security issues for + hot-list?] [ MIT implementation may change authtime of renewed + tickets; needs check... ] + + Processing of "starttime" (requested in the "from" field) differs + depending on whether the "postdated" option is set in the request. + If the "postdated" option is not set, and the requested "starttime" + is in the future beyond the window of acceptable clock skew, the KDC + returns the error "kdc-err-cannot-postdate". If the "postdated" + option is not set, and the requested "starttime" is absent or does + not indicate a time in the future beyond the acceptable clock skew, + the KDC sets the "starttime" to the KDC's current time. The + "postdated" option MUST NOT be honored if the ticket is being + requested by TGS-REQ and the "may-postdate" is not set in the TGT. + Otherwise, if the "postdated" option is set, and site policy permits, + the KDC sets the "starttime" as requested, and sets the "invalid" + flag in the new ticket. + +9.3.3.1. AS-REQ Timestamp Processing + + The "endtime" of the ticket will be set to the earlier of the + requested "till" time and a time determined by local policy, possibly + determined using factors specific to the realm or principal. For + example, the expiration time MAY be set to the earliest of the + following: + + * The expiration time (till) requested. + + * The ticket's start time plus the maximum allowable lifetime + associated with the client principal from the authentication + server's database. + + * The ticket's start time plus the maximum allowable lifetime + associated with the server principal. + + * The ticket's start time plus the maximum lifetime set by the + policy of the local realm. + + If the requested expiration time minus the start time (as determined + above) is less than a site-determined minimum lifetime, an error + message with code "kdc-err-never-valid" is returned. If the requested + expiration time for the ticket exceeds what was determined as above, + and if the "renewable-ok" option was requested, then the "renewable" + flag is set in the new ticket, and the "renew-till" value is set as + if the "renewable" option were requested. + + If the "renewable" option has been requested or if the "renewable-ok" + option has been set and a renewable ticket is to be issued, then the + renew-till field MAY be set to the earliest of: + + + +Yu Expires: Aug 2004 [Page 28] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + * Its requested value. + + * The start time of the ticket plus the minimum of the two maximum + renewable lifetimes associated with the principals' database + entries. + + * The start time of the ticket plus the maximum renewable lifetime + set by the policy of the local realm. + +9.3.3.2. TGS-REQ Timestamp Processing + + If the TGS-REQ has the TGT in its AP-REQ, and the TGS-REQ requests an + "endtime" (in the "till" field), then the "endtime" of the new ticket + is set to the minimum of (a) the requested "endtime" value, (b) the + "endtime" in the TGT, and (c) an "endtime" determined by site policy + on ticket lifetimes. If the new ticket is a renewal, the "endtime" + of the new ticket is bounded by (a) the requested "endtime" value, + (b) the value of the "renew-till" value of the old, and (c) the + "starttime" of the new ticket plus the life (endtime - starttime) of + the old ticket. [ the previous sentence is a bit confusing; adapted + from KCLAR 3.3.3. ] + + When handling a TGS-REQ, a KDC MUST NOT issue a postdated ticket with + a "starttime", "endtime", or "renew-till" time later than the "renew- + till" time of the TGT. + +9.3.4. Key Selection + + Three keys are involved in creating a KDC-REP. The reply key is used + to encrypt the encrypted part of the KDC-REP. The session key is + stored in the encrypted part of the ticket, and is also present in + the part of the reply which is visible to the client. The ticket key + is used to encrypt the ticket. These keys all have initial values + for a given exchange; pre-authentication and other extension + mechanisms may change the value used for any of these keys. + + [ again, may need changes based on Sam's preauth draft ] + + The set of encryption types the client will understand appears in the + "etype" field of KDC-REQ-BODY-COMMON. The KDC limits the set of + possible reply keys and the set of session key encryption types based + on the "etype" field. + + For the AS exchange, the reply key is initially a long-term key of + the client, limited to those encryption types specified by the + "etype" field. The KDC SHOULD use the first valid strong "etype" for + which an encryption key is available. For the TGS exchange, the + reply key is initially the subsession key of the Authenticator, or, + if that is not present, the session key of the ticket used to + authenticate the TGS-REQ. + + +Yu Expires: Aug 2004 [Page 29] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + The ticket key is initially the long-term key of the service. User- + to-user authentication sets the ticket key to be the session key of + the additional ticket in the request. + + The session key is initially randomly generated, and has an + encryption type which both the client and the server will understand. + Typically, the KDC has prior knowledge of which encryption types the + server will understand. It selects the first valid strong "etype" + listed the request which the server also will understand. + +9.3.5. Checking For Revoked Tickets + +9.4. Reply Validation + +10. Application Authentication + +11. Session Key Use + +11.1. KRB-SAFE + +11.2. KRB-PRIV + +11.3. KRB-CRED + +12. Security Considerations + +12.1. Time Synchronization + + Time synchronization between the KDC and application servers is + necessary to prevent acceptance of expired tickets. + + Time synchronization is needed between application servers and + clients to prevent replay attacks if a replay cache is being used. + If negotiated subsession keys are used to encrypt application data, + replay caches may not be necessary. + +12.2. Replays + +12.3. Principal Name Reuse + + See Section 6.2. + +12.4. Password Guessing + +12.5. Forward Secrecy + + [from KCLAR 10.; needs some rewriting] + + The Kerberos protocol in its basic form does not provide perfect + forward secrecy for communications. If traffic has been recorded by + an eavesdropper, then messages encrypted using the KRB-PRIV message, + +Yu Expires: Aug 2004 [Page 30] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + or messages encrypted using application-specific encryption under + keys exchanged using Kerberos can be decrypted if any of the user's, + application server's, or KDC's key is subsequently discovered. This + is because the session key used to encrypt such messages is + transmitted over the network encrypted in the key of the application + server, and also encrypted under the session key from the user's + ticket-granting ticket when returned to the user in the TGS-REP + message. The session key from the ticket-granting ticket was sent to + the user in the AS-REP message encrypted in the user's secret key, + and embedded in the ticket-granting ticket, which was encrypted in + the key of the KDC. Application requiring perfect forward secrecy + must exchange keys through mechanisms that provide such assurance, + but may use Kerberos for authentication of the encrypted channel + established through such other means. + +12.6. Authorization + + As an authentication service, Kerberos provides a means of verifying + the identity of principals on a network. Kerberos does not, by + itself, provide authorization. Applications SHOULD NOT accept the + mere issuance of a service ticket by the Kerberos server as granting + authority to use the service. + +12.7. Login Authentication + + Some applications, particularly those which provide login access when + provided with a password, SHOULD NOT treat successful acquisition of + credentials as sufficient proof of the user's identity. An attacker + posing as a user could generate an illegitimate KDC-REP message which + decrypts properly. To authenticate a user logging on to a local + system, the credentials obtained SHOULD be used in a TGS exchange to + obtain credentials for a local service. Successful use of those + credentials to authenticate to the local service assures that the + initially obtained credentials are from a valid KDC. + +Appendices + +A. ASN.1 Module (Normative) + + KerberosV5Spec3 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec3(4) + } DEFINITIONS EXPLICIT TAGS ::= BEGIN + + + + + + + + + +Yu Expires: Aug 2004 [Page 31] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- OID arc for KerberosV5 + -- + -- This OID may be used to identify Kerberos protocol messages + -- encapsulated in other protocols. + -- + -- This OID also designates the OID arc for KerberosV5-related + -- OIDs. + -- + -- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its + -- OID. + id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) + } + + + -- top-level type + -- + -- Applications should not directly reference any types + -- other than KRB-PDU and its component types. + -- + KRB-PDU ::= CHOICE { + ticket Ticket, + as-req AS-REQ, + as-rep AS-REP, + tgs-req TGS-REQ, + tgs-rep TGS-REP, + ap-req AP-REQ, + ap-rep AP-REP, + krb-safe KRB-SAFE, + krb-priv KRB-PRIV, + krb-cred KRB-CRED, + tgt-req TGT-REQ, + krb-error KRB-ERROR, + ... + } + + + -- + -- *** basic types + -- + + + -- signed values representable in 32 bits + -- + -- These are often used as assigned numbers for various things. + Int32 ::= INTEGER (-2147483648..2147483647) + + -- unsigned 32 bit values + UInt32 ::= INTEGER (0..4294967295) + + +Yu Expires: Aug 2004 [Page 32] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- microseconds + Microseconds ::= INTEGER (0..999999) + + + -- sequence numbers + -- + -- We may want to increase this to 2**64 and define a UInt64 + -- type. + SeqNum ::= UInt32 + + + -- nonces + -- + -- Likewise, we may want to make this UInt64. + Nonce ::= UInt32 + + + -- must not have fractional seconds + KerberosTime ::= GeneralizedTime + + + -- used for names and for error messages + KerberosString ::= CHOICE { + ia5 GeneralString (IA5String), + utf8 UTF8String, + ... -- no extension may be sent + -- to an rfc1510 implementation -- + } + + + -- used for language tags + LangTag ::= PrintableString (FROM ("A".."Z" | "a".."z" | "0".."9" | "-")) + + + Realm ::= KerberosString + + PrincipalName ::= SEQUENCE { + name-type [0] NameType, + -- May have zero elements, or individual elements may be + -- zero-length, but this is not recommended. + name-string [1] SEQUENCE OF KerberosString + } + + -- assigned numbers for name types (used in principal names) + NameType ::= Int32 + + + + + + + +Yu Expires: Aug 2004 [Page 33] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- Name type not known + nt-unknown NameType ::= 0 + -- Just the name of the principal as in DCE, or for users + nt-principal NameType ::= 1 + -- Service and other unique instance (krbtgt) + nt-srv-inst NameType ::= 2 + -- Service with host name as instance (telnet, rcommands) + nt-srv-hst NameType ::= 3 + -- Service with host as remaining components + nt-srv-xhst NameType ::= 4 + -- Unique ID + nt-uid NameType ::= 5 + -- Encoded X.509 Distingished name [RFC 2253] + nt-x500-principal NameType ::= 6 + -- Name in form of SMTP email name (e.g. user@foo.com) + nt-smtp-name NameType ::= 7 + -- Enterprise name - may be mapped to principal name + nt-enterprise NameType ::= 10 + + + -- Yet another refinement to kludge around historical + -- implementation bugs... we still send at least 32 bits, but + -- this parameterized type allows us to actually use named bit + -- string syntax to define flags, sort of. + KerberosFlags { NamedBits } + ::= BIT STRING (SIZE (32..MAX)) + (CONSTRAINED BY { + -- must be a valid value of -- NamedBits + -- but if the value to be sent would otherwise be shorter + -- than 32 bits, it must be padded with trailing zero bits + -- to 32 bits. Otherwise, no trailing zero bits may be + -- present. + }) + + + AddrType ::= Int32 + + HostAddress ::= SEQUENCE { + addr-type [0] AddrType, + address [1] OCTET STRING + } + + -- NOTE: HostAddresses is always used as an OPTIONAL field and + -- should not be a zero-length SEQUENCE OF. + -- + -- The extensible messages explicitly constrain this to be + -- non-empty. + HostAddresses ::= SEQUENCE OF HostAddress + + + + +Yu Expires: Aug 2004 [Page 34] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- + -- *** typed hole support + -- + + + -- Object class for generic typed holes, e.g., padata, + -- authorizationdata. + -- + -- Its parameter specifies the name of integer type used as a + -- unique identifier; usually this type is an aliased Int32. + -- + -- Usually, the &Type field will be an OctetstringHole, but if + -- there is a need to use a non-ASN.1 encoded type, it may be + -- simply an OCTET STRING, possibly with some comments + -- describing its contents. + TYPEDHOLE { IntType } ::= CLASS { + &id-int IntType UNIQUE, + &id-oid RELATIVE-OID UNIQUE OPTIONAL, + &Type, + &desc ObjectDescriptor OPTIONAL + } WITH SYNTAX { + SYNTAX &Type + IDENTIFIED BY &id-int + [ OID &id-oid ] + [ DESCRIPTION &desc ] + } + + + -- An octet string wrapping another ASN.1 type. + OctetstringHole { Type } ::= OCTET STRING (CONTAINING Type) + + + -- + -- *** crypto-related types and assignments + -- + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 35] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- + -- Actual identifier names are provisional and subject to + -- change. + -- + ku-pa-enc-ts KeyUsage ::= 1 + ku-Ticket KeyUsage ::= 2 + ku-EncASRepPart KeyUsage ::= 3 + ku-TGSReqAuthData-sesskey KeyUsage ::= 4 + ku-TGSReqAuthData-subkey KeyUsage ::= 5 + ku-pa-TGSReq-cksum KeyUsage ::= 6 + ku-pa-TGSReq-authenticator KeyUsage ::= 7 + ku-EncTGSRepPart-sesskey KeyUsage ::= 8 + ku-EncTGSRepPart-subkey KeyUsage ::= 9 + ku-Authenticator-cksum KeyUsage ::= 10 + ku-APReq-authenticator KeyUsage ::= 11 + ku-EncAPRepPart KeyUsage ::= 12 + ku-EncKrbPrivPart KeyUsage ::= 13 + ku-EncKrbCredPart KeyUsage ::= 14 + ku-KrbSafe-cksum KeyUsage ::= 15 + ku-ad-KDCIssued-cksum KeyUsage ::= 19 + + + -- The following numbers are provisional... conflicts may exist elsewhere. + ku-Ticket-cksum KeyUsage ::= 25 + ku-ASReq-cksum KeyUsage ::= 26 + ku-TGSReq-cksum KeyUsage ::= 27 + ku-ASRep-cksum KeyUsage ::= 28 + ku-TGSRep-cksum KeyUsage ::= 29 + ku-APReq-cksum KeyUsage ::= 30 + ku-APRep-cksum KeyUsage ::= 31 + ku-KrbCred-cksum KeyUsage ::= 32 + ku-KrbError-cksum KeyUsage ::= 33 + ku-KDCRep-cksum KeyUsage ::= 34 + + + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 36] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- assigned numbers for encryption schemes + et-des-cbc-crc EType ::= 1 + et-des-cbc-md4 EType ::= 2 + et-des-cbc-md5 EType ::= 3 + -- [reserved] 4 + et-des3-cbc-md5 EType ::= 5 + -- [reserved] 6 + et-des3-cbc-sha1 EType ::= 7 + et-dsaWithSHA1-CmsOID EType ::= 9 + et-md5WithRSAEncryption-CmsOID EType ::= 10 + et-sha1WithRSAEncryption-CmsOID EType ::= 11 + et-rc2CBC-EnvOID EType ::= 12 + et-rsaEncryption-EnvOID EType ::= 13 + et-rsaES-OAEP-ENV-OID EType ::= 14 + et-des-ede3-cbc-Env-OID EType ::= 15 + et-des3-cbc-sha1-kd EType ::= 16 + et-aes128-cts-hmac-sha1-96 EType ::= 17 -- AES + et-aes256-cts-hmac-sha1-96 EType ::= 18 -- AES + et-rc4-hmac EType ::= 23 -- Microsoft + et-rc4-hmac-exp EType ::= 24 -- Microsoft + et-subkey-keymaterial EType ::= 65 -- opaque; PacketCable + + + -- "Type" specifies which ASN.1 type is encrypted to the + -- ciphertext in the EncryptedData. "Keys" specifies a set of + -- keys of which one key may be used to encrypt the data. + -- "KeyUsages" specifies a set of key usages, one of which may + -- be used to encrypt. + -- + -- None of the parameters is transmitted over the wire. + EncryptedData { Type, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + SEQUENCE { + etype [0] EType, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING (CONSTRAINED BY { + -- must be encryption of -- + OCTET STRING (CONTAINING Type), + -- with one of the keys -- KeyToUse:Keys, + -- with key usage being one of -- + KeyUsage:KeyUsages + }), + ... + } + + -- Assigned numbers denoting encryption mechanisms. + EType ::= Int32 + + -- Assigned numbers denoting key usages. + KeyUsage ::= UInt32 + + + +Yu Expires: Aug 2004 [Page 37] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- KeyToUse identifies which key is to be used to encrypt or + -- sign a given value. + -- + -- Values of KeyToUse are never actually transmitted over the + -- wire, or even used directly by the implementation in any + -- way, as key usages are; it exists primarily to identify + -- which key gets used for what purpose. Thus, the specific + -- numeric values associated with this type are irrelevant. + KeyToUse ::= ENUMERATED { + -- unspecified + key-unspecified, + -- server long term key + key-server, + -- client long term key + key-client, + -- key selected by KDC for encryption of a KDC-REP + key-kdc-rep, + -- session key from ticket + key-session, + -- subsession key negotiated via AP-REQ/AP-REP + key-subsession, + ... + } + + + EncryptionKey ::= SEQUENCE { + keytype [0] EType, + keyvalue [1] OCTET STRING + } + + + CksumType ::= Int32 + + -- The parameters specify which key to use to produce the + -- signature, as well as which key usage to use. The + -- parameters are not actually sent over the wire. + Checksum { KeyToUse:Keys, KeyUsage:KeyUsages } ::= SEQUENCE { + cksumtype [0] CksumType, + checksum [1] OCTET STRING (CONSTRAINED BY { + -- signed using one of the keys -- + KeyToUse:Keys, + -- with key usage being one of -- + KeyUsage:KeyUsages + }) + } + + + + + + + +Yu Expires: Aug 2004 [Page 38] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- a Checksum that must contain the checksum of a particular type + ChecksumOf { Type, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + Checksum { Keys, KeyUsages } + (WITH COMPONENTS { + ..., + checksum (CONSTRAINED BY { + -- must be checksum of -- + OCTET STRING (CONTAINING Type) + }) + }) + + + -- parameterized type for wrapping authenticated plaintext + Signed { InnerType, KeyToUse:Keys, KeyUsage:KeyUsages } ::= + SEQUENCE { + cksum [0] ChecksumOf + { InnerType, Keys, KeyUsages } OPTIONAL, + inner [1] InnerType, + ... + } + + + -- + -- *** Tickets + -- + + + Ticket ::= CHOICE { + rfc1510 [APPLICATION 1] Ticket1510, + ext [APPLICATION 4] Signed { + TicketExt, { key-server }, { ku-Ticket-cksum } + } + } + + + -- takes a parameter specifying which type gets encrypted + TicketCommon { EncPart } ::= SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData { + EncPart, { key-server }, { ku-Ticket } + }, + extensions [4] TicketExtensions OPTIONAL, + ... + } + + + + + + +Yu Expires: Aug 2004 [Page 39] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Ticket1510 ::= SEQUENCE { + -- "COMPONENTS OF" drops the extension marker from + -- TicketCommon + COMPONENTS OF TicketCommon { EncTicketPart1510 } + } (WITH COMPONENTS { + ..., + -- explicitly force IA5 in strings + realm (WITH COMPONENTS { ia5 PRESENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }), + extensions ABSENT + }) + + + -- APPLICATION tag goes inside Signed{} as well as outside, + -- to prevent possible substitution attacks. + TicketExt ::= [APPLICATION 4] TicketCommon + (WITH COMPONENTS { + ..., + -- explicitly force UTF-8 in strings + realm (WITH COMPONENTS { ia5 ABSENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }) + }) + + + -- Encrypted part of ticket + EncTicketPart ::= CHOICE { + rfc1510 [APPLICATION 3] EncTicketPart1510, + ext [APPLICATION 5] EncTicketPartExt + } + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 40] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + EncTicketPartCommon ::= SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL, + ... + } + + + EncTicketPart1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF EncTicketPartCommon + } (WITH COMPONENTS { + ..., + -- explicitly force IA5 in strings + crealm (WITH COMPONENTS { ia5 PRESENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }) + }) + + + EncTicketPartExt ::= EncTicketPartCommon + (WITH COMPONENTS { + ..., + -- explicitly force UTF-8 in strings + crealm (WITH COMPONENTS { ia5 ABSENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }), + -- explicitly constrain caddr to be non-empty if present + caddr (SIZE (1..MAX)), + -- explicitly constrain authorization-data to be non-empty + -- if present + authorization-data (SIZE (1..MAX)) + }) + + + + + +Yu Expires: Aug 2004 [Page 41] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- + -- *** Authorization Data + -- + + + ADType ::= Int32 + + AUTHDATA ::= TYPEDHOLE { ADType } + + -- NOTE: AuthorizationData is always used as an OPTIONAL field and + -- should not be a zero-length SEQUENCE OF. + -- + -- The extensible messages explicitly constrain this to be non-empty. + AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] AUTHDATA.&id-int ({Authdata-Set}), + ad-data [1] OCTET STRING (AUTHDATA.&Type) + ({Authdata-Set}{@ad-type}) + } + + + -- Mandatory AuthorizationData + Authdata-Set AUTHDATA ::= { + ad-if-relevant | + ad-kdcissued | + ad-and-or | + ad-mandatory-for-kdc , + ... + } + + + ad-if-relevant AUTHDATA ::= { + SYNTAX OctetstringHole { AuthorizationData } + IDENTIFIED BY 1 + DESCRIPTION + "Encapsulates another AuthorizationData. + Intended for application servers; receiving application servers + MAY ignore." + } + + + ad-kdcissued AUTHDATA ::= { + SYNTAX OctetstringHole { AD-KDCIssued } + IDENTIFIED BY 4 + DESCRIPTION "KDC-issued privilege attributes" + } + + + + + + + +Yu Expires: Aug 2004 [Page 42] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] ChecksumOf { + AuthorizationData, { key-session }, + { ku-ad-KDCIssued-cksum }}, + i-realm [1] Realm OPTIONAL, + i-sname [2] PrincipalName OPTIONAL, + elements [3] AuthorizationData + } + + + AD-AND-OR ::= SEQUENCE { + condition-count [0] INTEGER, + elements [1] AuthorizationData + } + + + AD-MANDATORY-FOR-KDC ::= AuthorizationData + + + ad-and-or AUTHDATA ::= { + SYNTAX OctetstringHole { AD-AND-OR } + IDENTIFIED BY 5 + DESCRIPTION "And/Or" + } + + AD-AND-OR ::= SEQUENCE { + condition-count [0] INTEGER, + elements [1] AuthorizationData + } + + + ad-mandatory-for-kdc AUTHDATA ::= { + SYNTAX OctetstringHole { AuthorizationData } + IDENTIFIED BY 8 + DESCRIPTION "KDCs MUST interpret any AuthorizationData + wrapped in this." + } + + + TrType ::= Int32 -- must be registered + + -- encoded Transited field + TransitedEncoding ::= SEQUENCE { + tr-type [0] TrType, + contents [1] OCTET STRING + } + + + + + + +Yu Expires: Aug 2004 [Page 43] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + TEType ::= Int32 + + TICKETEXTENSION ::= TYPEDHOLE { TEType } + + -- ticket extensions: for TicketExt only + TicketExtensions ::= SEQUENCE (SIZE (1..MAX)) OF SEQUENCE { + te-type [0] TICKETEXTENSION.&id + ({TicketExtension-Set}), + te-data [1] OCTET STRING (TICKETEXTENSION.&Type) + ({TicketExtension-Set}{@te-type}) + } + + -- no mandatory ticket extensions currently + TicketExtensionSet TICKETEXTENSION ::= { ... } + + + TicketFlags ::= KerberosFlags { TicketFlagsBits } + + TicketFlagsBits ::= BIT STRING { + reserved (0), + forwardable (1), + forwarded (2), + proxiable (3), + proxy (4), + may-postdate (5), + postdated (6), + invalid (7), + renewable (8), + initial (9), + pre-authent (10), + hw-authent (11), + transited-policy-checked (12), + ok-as-delegate (13), + anonymous (14), + cksummed-ticket (15) + } + + + -- + -- *** KDC protocol + -- + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 44] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + AS-REQ ::= CHOICE { + rfc1510 [APPLICATION 10] KDC-REQ-1510 + (WITH COMPONENTS { + ..., + msg-type (10), + -- AS-REQ must include client name + req-body (WITH COMPONENTS { ..., cname PRESENT }) + }), + ext [APPLICATION 6] Signed { + -- APPLICATION tag goes inside Signed{} as well as outside, + -- to prevent possible substitution attacks. + [APPLICATION 6] KDC-REQ-EXT, + -- not sure this is correct key to use; do we even want + -- to sign AS-REQ? + { key-client }, + { ku-ASReq-cksum } + } + (WITH COMPONENTS { + ..., + msg-type (6), + -- AS-REQ must include client name + req-body (WITH COMPONENTS { ..., cname PRESENT }) + }) + } + + + TGS-REQ ::= CHOICE { + rfc1510 [APPLICATION 12] KDC-REQ-1510 + (WITH COMPONENTS { + ..., + msg-type (12), + -- client name optional in TGS-REQ + req-body (WITH COMPONENTS { ..., cname ABSENT }) + }), + ext [APPLICATION 8] Signed { + -- APPLICATION tag goes inside Signed{} as well as outside, + -- to prevent possible substitution attacks. + [APPLICATION 8] KDC-REQ-EXT, + { key-session }, { ku-TGSReq-cksum } + } + (WITH COMPONENTS { + ..., + msg-type (8), + -- client name optional in TGS-REQ + req-body (WITH COMPONENTS { ..., cname ABSENT }) + }) + } + + + + + +Yu Expires: Aug 2004 [Page 45] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KDC-REQ-COMMON ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5), + msg-type [2] INTEGER (10 -- AS-REQ.rfc1510 -- + | 12 -- TGS-REQ.rfc1510 -- + | 6 -- AS-REQ.ext -- + | 8 -- TGS-REQ.ext -- ), + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty + } + + + KDC-REQ-1510 ::= SEQUENCE { + COMPONENTS OF KDC-REQ-COMMON, + req-body [4] KDC-REQ-BODY-1510 + } (WITH COMPONENTS { ..., msg-type (10 | 12) }) + + + -- APPLICATION tag goes inside Signed{} as well as outside, + -- to prevent possible substitution attacks. + KDC-REQ-EXT ::= SEQUENCE { + COMPONENTS OF KDC-REQ-COMMON, + req-body [4] KDC-REQ-BODY-EXT, + lang-tags [5] SEQUENCE (SIZE (1..MAX)) OF LangTag OPTIONAL, + ... + } (WITH COMPONENTS { + ..., + msg-type (6 | 8), + padata (SIZE (1..MAX)) + }) + + + + + + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 46] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KDC-REQ-BODY-COMMON ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + + realm [2] Realm + -- Server's realm; also client's in AS-REQ --, + + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime OPTIONAL + -- was required in rfc1510; + -- still required for compat versions + -- of messages --, + + rtime [6] KerberosTime OPTIONAL, + nonce [7] Nonce, + etype [8] SEQUENCE OF EType + -- in preference order --, + + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData { + AuthorizationData, { key-session | key-subsession }, + { ku-TGSReqAuthData-subkey | + ku-TGSReqAuthData-sesskey } + } OPTIONAL, + + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty --, + ... + } + + + KDC-REQ-BODY-1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF KDC-REQ-BODY-COMMON + } (WITH COMPONENTS { + ..., + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }), + realm (WITH COMPONENTS { ia5 PRESENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }), + till PRESENT + }) + +Yu Expires: Aug 2004 [Page 47] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KDC-REQ-BODY-EXT ::= KDC-REQ-BODY-COMMON + (WITH COMPONENTS { + ..., + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }), + realm (WITH COMPONENTS { ia5 ABSENT }), + sname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }), + addresses (SIZE (1..MAX)), + enc-authorization-data (EncryptedData { + AuthorizationData (SIZE (1..MAX)), + { key-session | key-subsession }, + { ku-TGSReqAuthData-subkey | + ku-TGSReqAuthData-sesskey } + }), + additional-tickets (SIZE (1..MAX)) + }) + + + KDCOptions ::= KerberosFlags { KDCOptionsBits } + KDCOptionsBits ::= BIT STRING { + reserved (0), + forwardable (1), + forwarded (2), + proxiable (3), + proxy (4), + allow-postdate (5), + postdated (6), + unused7 (7), + renewable (8), + unused9 (9), + unused10 (10), + unused11 (11), + unused12 (12), + unused13 (13), + requestanonymous (14), + canonicalize (15), + disable-transited-check (26), + renewable-ok (27), + enc-tkt-in-skey (28), + renew (30), + validate (31) + -- XXX need "need ticket1" flag? + } + + +Yu Expires: Aug 2004 [Page 48] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + AS-REP ::= CHOICE { + rfc1510 [APPLICATION 11] KDC-REP-1510 { EncASRepPart } + (WITH COMPONENTS { ..., msg-type (11) }), + ext [APPLICATION 7] Signed { + [APPLICATION 7] KDC-REP-EXT { EncASRepPart }, + { key-reply }, { ku-ASRep-cksum } + } (WITH COMPONENTS { ..., msg-type (7) }) + } + + + TGS-REP ::= CHOICE { + rfc1510 [APPLICATION 13] KDC-REP-1510 { EncTGSRepPart } + (WITH COMPONENTS { ..., msg-type (13) }), + ext [APPLICATION 9] Signed { + [APPLICATION 9] KDC-REP-EXT { EncTGSRepPart }, + { key-reply }, { ku-TGSRep-cksum } + } (WITH COMPONENTS { ..., msg-type (9) }) + } + + + KDC-REP-COMMON { EncPart } ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (11 -- AS-REP.rfc1510 -- | + 13 -- TGS.rfc1510 -- | + 7 -- AS-REP.ext -- | + 9 -- TGS-REP.ext -- ), + padata [2] SEQUENCE OF PA-DATA OPTIONAL, + crealm [3] Realm, + cname [4] PrincipalName, + ticket [5] Ticket, + enc-part [6] EncryptedData { + EncPart, + { key-reply }, + -- maybe reach into EncryptedData in AS-REP/TGS-REP definitions + -- to apply constraints on key usages? + { ku-EncASRepPart -- if AS-REP -- | + ku-EncTGSRepPart-subkey -- if TGS-REP and using -- + -- Authenticator session key -- | + ku-EncTGSRepPart-sesskey -- if TGS-REP and using -- + -- subsession key -- } + }, + -- In extensible version, KDC signs original request + -- to avoid replay attacks agaginst client. + req-cksum [7] ChecksumOf { CHOICE { + as-req AS-REQ, + tgs-req TGS-REQ + }, { key-reply }, { ku-KDCRep-cksum }} OPTIONAL, + lang-tag [8] LangTag OPTIONAL, + ... + } + + +Yu Expires: Aug 2004 [Page 49] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KDC-REP-1510 { EncPart } ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF KDC-REP-COMMON { EncPart } + } (WITH COMPONENTS { + ..., + msg-type (11 | 13), + crealm (WITH COMPONENTS { ia5 PRESENT}), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 PRESENT })) + }), + req-cksum ABSENT, + lang-tag ABSENT + }) + + + KDC-REP-EXT { EncPart } ::= KDC-REP-COMMON { EncPart } + (WITH COMPONENTS { + ..., + msg-type (7 | 9), + crealm (WITH COMPONENTS { ia5 ABSENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }) + }) + + + EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + + EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] Nonce, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] PrincipalName, + caddr [11] HostAddresses OPTIONAL, + ... -- ASN.1 extensions must be excluded + -- when sending to rfc1510 implementation + } + + + +Yu Expires: Aug 2004 [Page 50] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- convert to use object class? + LRType ::= Int32 + LastReq ::= SEQUENCE OF SEQUENCE { + lr-type [0] LRType, + lr-value [1] KerberosTime + } + + + -- + -- *** preauth + -- + + + PaDataType ::= Int32 + + -- TYPEDHOLE class that uses PaDataType as its unique ID type. + PADATA-OBJ ::= TYPEDHOLE { PaDataType } + + PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + padata-type [1] CHOICE { + -- example of possible use of RELATIVE-OIDs + int PADATA-OBJ.&id-int ({PaDataSet}), + oid PADATA-OBJ.&id-oid ({PaDataSet}{@int}) + }, + padata-value [2] OCTET STRING (PADATA-OBJ.&Type) + ({PaDataSet}{@padata-type.int}) + } + + + PaDataSet PADATA-OBJ ::= { + pa-tgs-req | + pa-enc-timestamp | + pa-etype-info | + pa-etype-info2 | + pa-pw-salt | + pa-as-req , + ... + } + + + pa-tgs-req PADATA-OBJ ::= { + SYNTAX OctetstringHole { AP-REQ } + IDENTIFIED BY 1 + DESCRIPTION + "AP-REQ authenticating a TGS-REQ" + } + + + + + +Yu Expires: Aug 2004 [Page 51] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + pa-enc-timestamp PADATA-OBJ ::= { + SYNTAX OctetstringHole { PA-ENC-TIMESTAMP } + IDENTIFIED BY 2 + DESCRIPTION + "Encrypted timestamp preauth; + Encryption key used is client's long-term key." + } + + PA-ENC-TIMESTAMP ::= EncryptedData { + PA-ENC-TS-ENC, { key-client }, { ku-pa-enc-ts } + } + + PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL + } + + + pa-etype-info PADATA-OBJ ::= { + SYNTAX OctetstringHole { ETYPE-INFO } + IDENTIFIED BY 11 + DESCRIPTION + "Hints returned in AS-REP or KRB-ERROR to help client + choose a password-derived key, either for preauthentication or + for decryption of the reply." + } + + ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + + ETYPE-INFO-ENTRY ::= SEQUENCE { + etype [0] EType, + salt [1] OCTET STRING OPTIONAL + } + + + pa-etype-info2 PADATA-OBJ ::= { + SYNTAX OctetstringHole { ETYPE-INFO2 } + IDENTIFIED BY 19 + DESCRIPTION + "Similar to etype-info, but with parameters provided for + the string-to-key function." + } + + ETYPE-INFO2 ::= SEQUENCE (SIZE (1..MAX)) + OF ETYPE-INFO-ENTRY + + ETYPE-INFO2-ENTRY ::= SEQUENCE { + etype [0] EType, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL + } + +Yu Expires: Aug 2004 [Page 52] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + pa-pw-salt PADATA-OBJ ::= { + SYNTAX OCTET STRING (CONSTRAINED BY { + -- Must consist of the salt string to be used by the + -- client, in an unspecified character encoding. -- }) + IDENTIFIED BY 3 + DESCRIPTION + "Obsolescent. Salt for client's long-term key. + Its character encoding is unspecified." + } + + + pa-as-req PADATA-OBJ ::= { + SYNTAX OctetstringHole { AS-REQ + (WITH COMPONENTS { + ext }) } + IDENTIFIED BY 42 -- provisional + DESCRIPTION + "An extensible AS-REQ may be sent as a padata in a + non-extensible AS-REQ to allow for backwards compatibility." + } + + + -- + -- *** Application session setup + -- + + + AP-REQ ::= CHOICE { + rfc1510 [APPLICATION 14] AP-REQ-1510, + ext [APPLICATION 18] Signed { + AP-REQ-EXT, { key-session }, { ku-APReq-cksum } + } + } + + + AP-REQ-COMMON ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (14 | 18), + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedData { + Authenticator, + { key-session }, + { ku-APReq-authenticator | + ku-pa-TGSReq-authenticator } + }, + extensions [5] ApReqExtensions OPTIONAL, + ... + } + + + +Yu Expires: Aug 2004 [Page 53] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + AP-REQ-1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF AP-REQ-COMMON + } (WITH COMPONENTS { + ..., + msg-type (14), + extensions ABSENT + }) + + + AP-REQ-EXT ::= AP-REQ-COMMON + (WITH COMPONENTS { + ..., + msg-type (18), + -- The following constraints on Authenticator assume that + -- we want to restrict the use of AP-REQ-EXT with TicketExt only, + -- since that is the only way we can enforce UTF-8. + authenticator (EncryptedData { + Authenticator (WITH COMPONENTS { + ..., + crealm (WITH COMPONENTS { ia5 ABSENT }), + cname (WITH COMPONENTS { + ..., + name-string (WITH COMPONENT + (WITH COMPONENTS { ia5 ABSENT })) + }), + authorization-data (SIZE (1..MAX)) + }), { key-session }, { ku-APReq-authenticator }}) + }) + + + ApReqExtType ::= Int32 + + ApReqExtensions ::= SEQUENCE (SIZE (1..MAX)) OF SEQUENCE { + apReqExt-Type [0] ApReqExtType, + apReqExt-Data [1] OCTET STRING + } + + + APOptions ::= KerberosFlags { APOptionsBits } + + APOptionsBits ::= BIT STRING { + reserved (0), + use-session-key (1), + mutual-required (2) + } + + + + + + +Yu Expires: Aug 2004 [Page 54] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- plaintext of authenticator + Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] PrincipalName, + cksum [3] Checksum {{ key-session }, + { ku-Authenticator-cksum | + ku-pa-TGSReq-cksum }} OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] SeqNum OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL + } + + + AP-REP ::= CHOICE { + rfc1510 [APPLICATION 15] AP-REP-1510, + ext [APPLICATION 19] Signed { + AP-REP-EXT, + { key-session | key-subsession }, { ku-APRep-cksum }} + } + + + AP-REP-COMMON { EncPart } ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (15 | 19), + enc-part [2] EncryptedData { + EncPart, + { key-session | key-subsession }, { ku-EncAPRepPart }}, + extensions [3] ApRepExtensions OPTIONAL, + ... + } + + + AP-REP-1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF AP-REP-COMMON { EncAPRepPart1510 } + } (WITH COMPONENTS { + ..., + msg-type (15), + extensions ABSENT + }) + + + AP-REP-EXT ::= [APPLICATION 19] AP-REP-COMMON { + EncAPRepPartExt } + (WITH COMPONENTS { ..., msg-type (19) }) + + + + +Yu Expires: Aug 2004 [Page 55] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + ApRepExtType ::= Int32 + + -- convert to use object class? + ApRepExtensions ::= SEQUENCE (SIZE (1..MAX)) OF SEQUENCE { + apRepExt-Type [0] ApRepExtType, + apRepExt-Data [1] OCTET STRING + } + + + EncAPRepPart ::= CHOICE { + rfc1510 [APPLICATION 27] EncAPRepPart1510, + ext [APPLICATION 31] EncAPRepPartExt + } + + + EncAPRepPart1510 ::= SEQUENCE { + COMPONENTS OF ENCAPRepPartCom + } (WITH COMPONENTS { + ..., + authorization-data ABSENT + }) + + + EncAPRepPartExt ::= EncAPRepPartCom + + + EncAPRepPartCom ::= SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] SeqNum OPTIONAL, + authorization-data [4] AuthorizationData OPTIONAL, + ... + } + + + -- + -- *** Application messages + -- + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 56] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + -- Do we chew up another tag for KRB-SAFE-EXT? That would allow us to + -- make safe-body optional, allowing for a GSS-MIC sort of message. + KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (20), + safe-body [2] KRB-SAFE-BODY, + cksum [3] ChecksumOf { + KRB-SAFE-BODY, + { key-session | key-subsession }, { ku-KrbSafe-cksum }}, + ... -- ASN.1 extensions must be excluded + -- when sending to rfc1510 implementations + } + + + KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] SeqNum OPTIONAL, + s-address [4] HostAddress, + r-address [5] HostAddress OPTIONAL, + ... -- ASN.1 extensions must be excluded + -- when sending to rfc1510 implementations + } + + + KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (21), + enc-part [3] EncryptedData { + EncKrbPrivPart, + { key-session | key-subsession }, { ku-EncKrbPrivPart }}, + ... + } + + + EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] SeqNum OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr --, + ... -- ASN.1 extensions must be excluded + -- when sending to rfc1510 implementations + } + + + + + + +Yu Expires: Aug 2004 [Page 57] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KRB-CRED ::= CHOICE { + rfc1510 [APPLICATION 22] KRB-CRED-1510, + ext [APPLICATION 24] Signed { + KRB-CRED-EXT, + { key-session | key-subsession }, { ku-KrbCred-cksum }} + } + + + KRB-CRED-COMMON ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (22 | 24), + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedData { + EncKrbCredPart, + { key-session | key-subsession }, { ku-EncKrbCredPart }}, + ... + } + + + KRB-CRED-1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF KRB-CRED-COMMON + } (WITH COMPONENTS { ..., msg-type (22) }) + + + KRB-CRED-EXT ::= [APPLICATION 24] KRB-CRED-COMMON + (WITH COMPONENTS { ..., msg-type (24) }) + + + EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] Nonce OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL + } + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 58] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] PrincipalName OPTIONAL, + caddr [10] HostAddresses OPTIONAL + } + + + TGT-REQ ::= [APPLICATION 16] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (16), + sname [2] PrincipalName OPTIONAL, + srealm [3] Realm OPTIONAL, + ... + } + + + -- + -- *** Error messages + -- + + + ErrCode ::= Int32 + + KRB-ERROR ::= CHOICE { + rfc1510 [APPLICATION 30] KRB-ERROR-1510, + ext [APPLICATION 23] Signed { + KRB-ERROR-EXT, { ku-KrbError-cksum } } + } + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 59] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + KRB-ERROR-COMMON ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (30 | 23), + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, + error-code [6] ErrCode, + crealm [7] Realm OPTIONAL, + cname [8] PrincipalName OPTIONAL, + realm [9] Realm -- Correct realm --, + sname [10] PrincipalName -- Correct name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL, + typed-data [13] TYPED-DATA OPTIONAL, + nonce [14] Nonce OPTIONAL, + lang-tag [15] LangTag OPTIONAL, + ... + } + + + KRB-ERROR-1510 ::= SEQUENCE { + -- effectively drops the extension marker + COMPONENTS OF KRB-ERROR-COMMON + } (WITH COMPONENTS { + ..., + msg-type (30), + typed-data ABSENT, + nonce ABSENT, + lang-tag ABSENT + }) + + + KRB-ERROR-EXT ::= [APPLICATION 23] KRB-ERROR-COMMON + (WITH COMPONENTS { ..., msg-type (23) }) + + + TDType ::= Int32 + + -- convert to information object class later + TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] TDType, + data-value [1] OCTET STRING OPTIONAL + } + + + END + + + + + +Yu Expires: Aug 2004 [Page 60] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +B. Kerberos and Character Encodings (Informative) + + [adapted from KCLAR 5.2.1] + + The original specification of the Kerberos protocol in RFC 1510 uses + GeneralString in numerous places for human-readable string data. + Historical implementations of Kerberos cannot utilize the full power + of GeneralString. This ASN.1 type requires the use of designation + and invocation escape sequences as specified in ISO-2022/ECMA-35 + [ISO-2022/ECMA-35] to switch character sets, and the default + character set that is designated as G0 is the ISO-646/ECMA-6 + [ISO-646,ECMA-6] International Reference Version (IRV) (aka U.S. + ASCII), which mostly works. + + ISO-2022/ECMA-35 defines four character-set code elements (G0..G3) + and two Control-function code elements (C0..C1). DER previously + prohibited the designation of character sets as any but the G0 and C0 + sets. This had the side effect of prohibiting the use of ISO-8859 + (ISO Latin) [ISO-8859] character-sets or any other character-sets + that utilize a 96-character set, since it is prohibited by + ISO-2022/ECMA-35 to designate them as the G0 code element. Recent + revisions to the ASN.1 standards resolve this contradiction. + + In practice, many implementations treat RFC 1510 GeneralStrings as if + they were 8-bit strings of whichever character set the implementation + defaults to, without regard for correct usage of character-set + designation escape sequences. The default character set is often + determined by the current user's operating system dependent locale. + At least one major implementation places unescaped UTF-8 encoded + Unicode characters in the GeneralString. This failure to conform to + the GeneralString specifications results in interoperability issues + when conflicting character encodings are utilized by the Kerberos + clients, services, and KDC. + + This unfortunate situation is the result of improper documentation of + the restrictions of the ASN.1 GeneralString type in prior Kerberos + specifications. + + [the following should probably be rewritten and moved into the + principal name section] + + For compatibility, implementations MAY choose to accept GeneralString + values that contain characters other than those permitted by + IA5String, but they should be aware that character set designation + codes will likely be absent, and that the encoding should probably be + treated as locale-specific in almost every way. Implementations MAY + also choose to emit GeneralString values that are beyond those + permitted by IA5String, but should be aware that doing so is + extraordinarily risky from an interoperability perspective. + + + +Yu Expires: Aug 2004 [Page 61] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + Some existing implementations use GeneralString to encode unescaped + locale-specific characters. This is a violation of the ASN.1 + standard. Most of these implementations encode US-ASCII in the left- + hand half, so as long the implementation transmits only US-ASCII, the + ASN.1 standard is not violated in this regard. As soon as such an + implementation encodes unescaped locale-specific characters with the + high bit set, it violates the ASN.1 standard. + + Other implementations have been known to use GeneralString to contain + a UTF-8 encoding. This also violates the ASN.1 standard, since UTF-8 + is a different encoding, not a 94 or 96 character "G" set as defined + by ISO 2022. It is believed that these implementations do not even + use the ISO 2022 escape sequence to change the character encoding. + Even if implementations were to announce the change of encoding by + using that escape sequence, the ASN.1 standard prohibits the use of + any escape sequences other than those used to designate/invoke "G" or + "C" sets allowed by GeneralString. + +C. Kerberos History (Informative) + + [Adapted from KCLAR "BACKGROUND"] + + The Kerberos model is based in part on Needham and Schroeder's + trusted third-party authentication protocol [NS78] and on + modifications suggested by Denning and Sacco [DS81]. The original + design and implementation of Kerberos Versions 1 through 4 was the + work of two former Project Athena staff members, Steve Miller of + Digital Equipment Corporation and Clifford Neuman (now at the + Information Sciences Institute of the University of Southern + California), along with Jerome Saltzer, Technical Director of Project + Athena, and Jeffrey Schiller, MIT Campus Network Manager. Many other + members of Project Athena have also contributed to the work on + Kerberos. + + Version 5 of the Kerberos protocol (described in this document) has + evolved from Version 4 based on new requirements and desires for + features not available in Version 4. The design of Version 5 of the + Kerberos protocol was led by Clifford Neuman and John Kohl with much + input from the community. The development of the MIT reference + implementation was led at MIT by John Kohl and Theodore Ts'o, with + help and contributed code from many others. Since RFC1510 was issued, + extensions and revisions to the protocol have been proposed by many + individuals. Some of these proposals are reflected in this document. + Where such changes involved significant effort, the document cites + the contribution of the proposer. + + Reference implementations of both version 4 and version 5 of Kerberos + are publicly available and commercial implementations have been + developed and are widely used. Details on the differences between + Kerberos Versions 4 and 5 can be found in [KNT94]. + + +Yu Expires: Aug 2004 [Page 62] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + +Normative References + + [KCRYPTO] + + [RFC2119] + + [X680] + + [X681] + + [X682] + + [X683] + + [X690] + +Informative References + + [DS81] + + [KCLAR] + + [KNT94] + + [NS78] + + [RFC1510] + + [RFC1964] + + [ISO8859] + +Acknowledgments + + Some stuff lifted from draft-ietf-krb-wg-kerberos-clarifications-04. + +Author's Address + + Tom Yu + 77 Massachusetts Ave + Cambridge, MA 02139 + USA + tlyu@mit.edu + +Full Copyright Statement + + Copyright (C) The Internet Society (2004). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + +Yu Expires: Aug 2004 [Page 63] + +Internet-Draft yu-krb-extensions-00 09 Feb 2004 + + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Yu Expires: Aug 2004 [Page 64] + + |