mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
7055827b8f
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
1179 lines
39 KiB
Plaintext
1179 lines
39 KiB
Plaintext
|
||
|
||
|
||
Kerberos Working Group S. Hartman
|
||
Internet-Draft MIT
|
||
Expires: April 24, 2005 October 24, 2004
|
||
|
||
|
||
A Generalized Framework for Kerberos Pre-Authentication
|
||
draft-ietf-krb-wg-preauth-framework-02
|
||
|
||
Status of this Memo
|
||
|
||
This document is an Internet-Draft and is subject to all provisions
|
||
of section 3 of RFC 3667. By submitting this Internet-Draft, each
|
||
author represents that any applicable patent or other IPR claims of
|
||
which he or she is aware have been or will be disclosed, and any of
|
||
which he or she become aware will be disclosed, in accordance with
|
||
RFC 3668.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that
|
||
other groups may also distribute working documents as
|
||
Internet-Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
This Internet-Draft will expire on April 24, 2005.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2004).
|
||
|
||
Abstract
|
||
|
||
Kerberos is a protocol for verifying the identity of principals
|
||
(e.g., a workstation user or a network server) on an open network.
|
||
The Kerberos protocol provides a mechanism called pre-authentication
|
||
for proving the identity of a principal and for better protecting
|
||
the long-term secret of the principal.
|
||
|
||
This document describes a model for Kerberos pre-authentication
|
||
mechanisms. The model describes what state in the Kerberos request a
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 1]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
pre-authentication mechanism is likely to change. It also describes
|
||
how multiple pre-authentication mechanisms used in the same request
|
||
will interact.
|
||
|
||
This document also provides common tools needed by multiple
|
||
pre-authentication mechanisms.
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in [1].
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||
2. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 4
|
||
2.1 Information Managed by Model . . . . . . . . . . . . . . . 5
|
||
2.2 The Initial Preauth_Required Error . . . . . . . . . . . . 7
|
||
2.3 Client to KDC . . . . . . . . . . . . . . . . . . . . . . 8
|
||
2.4 KDC to Client . . . . . . . . . . . . . . . . . . . . . . 8
|
||
3. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 10
|
||
3.1 Client Authentication . . . . . . . . . . . . . . . . . . 11
|
||
3.2 Strengthen Reply Key . . . . . . . . . . . . . . . . . . . 11
|
||
3.3 Replace Reply Key . . . . . . . . . . . . . . . . . . . . 12
|
||
3.4 Verify Response . . . . . . . . . . . . . . . . . . . . . 12
|
||
4. Requirements for Pre-Authentication Mechanisms . . . . . . . . 14
|
||
5. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 15
|
||
5.1 Combine Keys . . . . . . . . . . . . . . . . . . . . . . . 15
|
||
5.2 Signing Requests/Responses . . . . . . . . . . . . . . . . 15
|
||
5.3 Managing State for the KDC . . . . . . . . . . . . . . . . 15
|
||
5.4 PA-AUTHENTICATION-SET . . . . . . . . . . . . . . . . . . 15
|
||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
|
||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 17
|
||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
|
||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
|
||
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 19
|
||
9.2 Informative References . . . . . . . . . . . . . . . . . . . 19
|
||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 19
|
||
A. Todo List . . . . . . . . . . . . . . . . . . . . . . . . . . 20
|
||
Intellectual Property and Copyright Statements . . . . . . . . 21
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 2]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
1. Introduction
|
||
|
||
The core Kerberos specification treats pre-authentication data as an
|
||
opaque typed hole in the messages to the KDC that may influence the
|
||
reply key used to encrypt the KDC response. This generality has been
|
||
useful: pre-authentication data is used for a variety of extensions
|
||
to the protocol, many outside the expectations of the initial
|
||
designers. However, this generality makes designing the more common
|
||
types of pre-authentication mechanisms difficult. Each mechanism
|
||
needs to specify how it interacts with other mechanisms. Also,
|
||
problems like combining a key with the long-term secret or proving
|
||
the identity of the user are common to multiple mechanisms. Where
|
||
there are generally well-accepted solutions to these problems, it is
|
||
desirable to standardize one of these solutions so mechanisms can
|
||
avoid duplication of work. In other cases, a modular approach to
|
||
these problems is appropriate. The modular approach will allow new
|
||
and better solutions to common pre-authentication problems to be used
|
||
by existing mechanisms as they are developed.
|
||
|
||
This document specifies a framework for Kerberos pre-authentication
|
||
mechanisms. IT defines the common set of functions
|
||
pre-authentication mechanisms perform as well as how these functions
|
||
affect the state of the request and response. In addition several
|
||
common tools needed by pre-authentication mechanisms are provided.
|
||
Unlike [3], this framework is not complete--it does not describe all
|
||
the inputs and outputs for the pre-authentication mechanisms.
|
||
Mechanism designers should try to be consistent with this framework
|
||
because doing so will make their mechanisms easier to implement.
|
||
Kerberos implementations are likely to have plugin architectures for
|
||
pre-authentication; such architectures are likely to support
|
||
mechanisms that follow this framework plus commonly used extensions.
|
||
|
||
This document should be read only after reading the documents
|
||
describing the Kerberos cryptography framework [3] and the core
|
||
Kerberos protocol [2]. This document freely uses terminology and
|
||
notation from these documents without reference or further
|
||
explanation.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 3]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
2. Model for Pre-Authentication
|
||
|
||
when a Kerberos client wishes to obtain a ticket using the
|
||
authentication server, it sends an initial AS request. If
|
||
pre-authentication is being used, then the KDC will respond with a
|
||
KDC_ERR_PREAUTH_REQUIRED error. Alternatively, if the client knows
|
||
what pre-authentication to use, it MAY optimize a round-trip and send
|
||
an initial request with padata included. If the client includes the
|
||
wrong padata, the server MAY return KDC_ERR_PREAUTH_FAILED with no
|
||
indication of what padata should have been included. For
|
||
interoperability reasons, clients that include optimistic
|
||
pre-authentication MUST retry with no padata and examine the
|
||
KDC_ERR_PREAUTH_REQUIRED if they receive a KDC_ERR_PREAUTH_FAILED in
|
||
response to their initial optimistic request.
|
||
|
||
The KDC maintains no state between two requests; subsequent requests
|
||
may even be processed by a different KDC. On the other hand, the
|
||
client treats a series of exchanges with KDCs as a single
|
||
authentication session. Each exchange accumulates state and
|
||
hopefully brings the client closer to a successful authentication.
|
||
|
||
These models for state management are in apparent conflict. For many
|
||
of the simpler pre-authentication scenarios, the client uses one
|
||
round trip to find out what mechanisms the KDC supports. Then the
|
||
next request contains sufficient pre-authentication for the KDC to be
|
||
able to return a successful response. For these simple scenarios,
|
||
the client only sends one request with pre-authentication data and so
|
||
the authentication session is trivial. For more complex
|
||
authentication sessions, the KDC needs to provide the client with a
|
||
cookie to include in future requests to capture the current state of
|
||
the authentication session. Handling of multiple round-trip
|
||
mechanisms is discussed in Section 5.3.
|
||
|
||
This framework specifies the behavior of Kerberos pre-authentication
|
||
mechanisms used to identify users or to modify the reply key used to
|
||
encrypt the KDC response. The padata typed hole may be used to carry
|
||
extensions to Kerberos that have nothing to do with proving the
|
||
identity of the user or establishing a reply key. These extensions
|
||
are outside the scope of this framework. However mechanisms that do
|
||
accomplish these goals should follow this framework.
|
||
|
||
This framework specifies the minimum state that a Kerberos
|
||
implementation needs to maintain while handling a request in order to
|
||
process pre-authentication. It also specifies how Kerberos
|
||
implementations process the pre-authentication data at each step of
|
||
the AS request process.
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 4]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
2.1 Information Managed by Model
|
||
|
||
The following information is maintained by the client and KDC as each
|
||
request is being processed:
|
||
o The reply key used to encrypt the KDC response
|
||
o How strongly the identity of the client has been authenticated
|
||
o Whether the reply key has been used in this authentication session
|
||
o Whether the reply key has been replaced in this authentication
|
||
session
|
||
o Whether the contents of the KDC response can be verified by the
|
||
client principal
|
||
o Whether the contents of the KDC response can be verified by the
|
||
client machine
|
||
|
||
Conceptually, the reply key is initially the long-term key of the
|
||
principal. However, principals can have multiple long-term keys
|
||
because of support for multiple encryption types, salts and
|
||
string2key parameters. As described in section 5.2.7.5 of the
|
||
Kerberos protocol [2], the KDC sends PA-ETYPe-INFO2 to notify the
|
||
client what types of keys are available. Thus in full generality,
|
||
the reply key in the pre-authentication model is actually a set of
|
||
keys. At the beginning of a request, it is initialized to the set of
|
||
long-term keys advertised in the PA-ETYPE-INFO2 element on the KDC.
|
||
If multiple reply keys are available, the client chooses which one to
|
||
use. Thus the client does not need to treat the reply key as a set.
|
||
At the beginning of a handling a request, the client picks a reply
|
||
key to use.
|
||
|
||
KDC implementations MAY choose to offer only one key in the
|
||
PA-ETYPE-INFO2 element. Since the KDC already knows the client's
|
||
list of supported enctypes from the request, no interoperability
|
||
problems are created by choosing a single possible reply key. This
|
||
way, the KDC implementation avoids the complexity of treating the
|
||
reply key as a set.
|
||
|
||
At the beginning of handling a message on both the client and KDC,
|
||
the client's identity is not authenticated. A mechanism may indicate
|
||
that it has successfully authenticated the client's identity. This
|
||
information is useful to keep track of on the client in order to
|
||
know what pre-authentication mechanisms should be used. The KDC
|
||
needs to keep track of whether the client is authenticated because
|
||
the primary purpose of pre-authentication is to authenticate the
|
||
client identity before issuing a ticket. Implementations that have
|
||
pre-authentication mechanisms offering significantly different
|
||
strengths of client authentication MAY choose to keep track of the
|
||
strength of the authentication used as an input into policy
|
||
decisions. For example, some principals might require strong
|
||
pre-authentication, while less sensitive principals can use
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 5]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
relatively weak forms of pre-authentication like encrypted timestamp.
|
||
|
||
Initially the reply key has not been used. A pre-authentication
|
||
mechanism that uses the reply key either directly to encrypt or
|
||
checksum some data or indirectly in the generation of new keys MUST
|
||
indicate that the reply key is used. This state is maintained by the
|
||
client and KDC to enforce the security requirement stated in Section
|
||
3.3 that the reply key cannot be replaced after it is used.
|
||
|
||
Initially the reply key has not been replaced. If a mechanism
|
||
implements the Replace Reply Key facility discussed in Section 3.3,
|
||
then the state MUST be updated to indicate that the reply key has
|
||
been replaced. Once the reply key has been replaced, knowledge of
|
||
the reply key is insufficient to authenticate the client. The reply
|
||
key is marked replaced in exactly the same situations as the KDC
|
||
reply is marked as not being verified to the client principal.
|
||
However, while mechanisms can verify the KDC request to the client,
|
||
once the reply key is replaced, then the reply key remains replaced
|
||
for the remainder of the authentication session.
|
||
|
||
Without pre-authentication, the client knows that the KDC request is
|
||
authentic and has not been modified because it is encrypted in the
|
||
long-term key of the client. Only the KDC and client know that key.
|
||
So at the start of handling any message the KDC request is presumed
|
||
to be verified to the client principal. Any pre-authentication
|
||
mechanism that sets a new reply key not based on the principal's
|
||
long-term secret MUST either verify the KDC response some other way
|
||
or indicate that the response is not verified. If a mechanism
|
||
indicates that the response is not verified then the client
|
||
implementation MUST return an error unless a subsequent mechanism
|
||
verifies the response. The KDC needs to track this state so it can
|
||
avoid generating a response that is not verified.
|
||
|
||
The typical Kerberos request does not provide a way for the client
|
||
machine to know that it is talking to the correct KDC. Someone who
|
||
can inject packets into the network between the client machine and
|
||
the KDC and who knows the password that the user will give to the
|
||
client machine can generate a KDC response that will decrypt
|
||
properly. So, if the client machine needs to authenticate that the
|
||
user is in fact the named principal, then the client machine needs to
|
||
do a TGS request for itself as a service. Some pre-authentication
|
||
mechanisms may provide a way for the client to authenticate the KDC.
|
||
Examples of this include signing the response with a well-known
|
||
public key or providing a ticket for the client machine as a service
|
||
in addition to the requested ticket.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 6]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
2.2 The Initial Preauth_Required Error
|
||
|
||
Typically a client starts an authentication session by sending an
|
||
initial request with no pre-authentication. If the KDC requires
|
||
pre-authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED
|
||
message. This message MAY also be returned for pre-authentication
|
||
configurations that use multi-round-trip mechanisms; see Section 2.4
|
||
for details of that case. This
|
||
|
||
The KDC needs to choose which mechanisms to offer the client. The
|
||
client needs to be able to choose what mechanisms to use from the
|
||
first message. For example consider the KDC that will accept
|
||
mechanism A followed by mechanism B or alternatively the single
|
||
mechanism C. A client that supports A and C needs to know that it
|
||
should not bother trying A.
|
||
|
||
Mechanisms can either be sufficient on their own or can be part of an
|
||
authentication set--a group of mechanisms that all need to
|
||
successfully complete in order to authenticate a client. Some
|
||
mechanisms may only be useful in authentication sets; others may be
|
||
useful alone or in authentication sets. For the second group of
|
||
mechanisms, KDC policy dictates whether the mechanism will be part of
|
||
an authentication set or offered alone. For each mechanism that is
|
||
offered alone, the KDC includes the pre-authentication type ID of the
|
||
mechanism in the padata sequence returned in the
|
||
KDC_ERR_PREAUTH_REQUIRED error. The KDC MAY include any initial
|
||
data for the mechanisms.
|
||
|
||
The KDC includes a a PA-AUTHENTICATION-SET padata element for each
|
||
authentication set; this element is defined in Section 5.4. This
|
||
element includes the pa-type and pa-value for the first mechanism in
|
||
the authentication set. It also includes the pa-type for each of
|
||
the other mechanisms. Associated with the second and following
|
||
pa-type is a pa-hint, which is an octet-string specified by the
|
||
pre-authentication mechanism. This hint may provide information for
|
||
the client which helps it determine whether the mechanism can be
|
||
used. For example a public-key mechanism might include the
|
||
certificate authorities it trusts in the hint info. Most mechanisms
|
||
today do not specify hint info; if a mechanism does not specify hint
|
||
info the KDC MUST not send a hint for that mechanism. To allow
|
||
future revisions of mechanism specifications to add hint info,
|
||
clients MUST ignore hint info received for mechanisms that the client
|
||
believes do not support hint info.
|
||
|
||
The KDC SHOULD NOT send data that is encrypted in the long-term
|
||
password-based key of the principal. Doing so has the same security
|
||
exposures as the Kerberos protocol without pre-authentication. There
|
||
are few situations where pre-authentication is desirable and where
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 7]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
the KDC needs to expose ciphertext encrypted in a weak key before the
|
||
client has proven knowledge of that key.
|
||
|
||
2.3 Client to KDC
|
||
|
||
This description assumes a client has already received a
|
||
KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs
|
||
optimistic pre-authentication then the client needs to optimisticly
|
||
choose the information it would normally receive from that error
|
||
response.
|
||
|
||
The client starts by initializing the pre-authentication state as
|
||
specified. It then processes the padata in the
|
||
KDC_ERR_PREAUTH_REQUIRED.
|
||
|
||
When processing the response to the first KDC_ERR_PREAUTH_REQUIRED,
|
||
the client MAY ignore any padata it chooses unless doing so violates
|
||
a specification to which the client conforms. Clients MUST NOT
|
||
ignore the padata defined in Section 5.3. Clients SHOULD process
|
||
padata unrelated to this framework or other means of authenticating
|
||
the user. Clients SHOULD choose one authentication set or mechanism
|
||
that could lead to authenticating the user and ignore the rest.
|
||
Since the set of mechanisms offered by the KDC is ordered, clients
|
||
typically choose the first mechanism that the client can usefully
|
||
perform. If a client chooses to ignore a padata it MUST NOT process
|
||
the padata, allow the padata to affect the pre-authentication state,
|
||
nor respond to the padata.
|
||
|
||
For each padata the client chooses to process, the client processes
|
||
the padata and modifies the pre-authentication state as required by
|
||
that mechanism. Padata are processed in the order received from the
|
||
KDC.
|
||
|
||
After processing the padata in the KDC error, the client generates a
|
||
new request. It processes the pre-authentication mechanisms in the
|
||
order in which they will appear in the next request, updating the
|
||
state as appropriate. When the request is complete it is sent.
|
||
|
||
2.4 KDC to Client
|
||
|
||
When a KDC receives an AS request from a client, it needs to
|
||
determine whether it will respond with an error or a AS reply.
|
||
There are many causes for an error to be generated that have nothing
|
||
to do with pre-authentication; they are discussed in the Kerberos
|
||
specification.
|
||
|
||
From the standpoint of evaluating the pre-authentication, the KDC
|
||
first starts by initializing the pre-authentication state. IT then
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 8]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
processes the padata in the request. AS mentioned in Section 2.2,
|
||
the KDC MAY ignore padata that is inappropriate for the configuration
|
||
and MUST ignore padata of an unknown type.
|
||
|
||
At this point the KDC decides whether it will issue a
|
||
pre-authentication required error or a reply. Typically a KDC will
|
||
issue a reply if the client's identity has been authenticated to a
|
||
sufficient degree.
|
||
|
||
In the case of a PREAUTH_REQUIRED error, the KDC first starts by
|
||
initializing the pre-authentication state. Then it processes any
|
||
padata in the client's request in the order provided by the client.
|
||
Mechanisms that are not understood by the KDC are ignored.
|
||
Mechanisms that are inappropriate for the client principal or request
|
||
SHOULD also be ignored. Next, it generates padata for the error
|
||
response, modifying the pre-authentication state appropriately as
|
||
each mechanism is processed. The KDC chooses the order in which it
|
||
will generated padata (and thus the order of padata in the response),
|
||
but it needs to modify the pre-authentication state consistently with
|
||
the choice of order. For example, if some mechanism establishes an
|
||
authenticated client identity, then the mechanisms subsequent in the
|
||
generated response receive this state as input. After the padata is
|
||
generated, the error response is sent. Typically the second and
|
||
following PREAUTH_REQUIRED errors in an authentication session will
|
||
include KDC state as discussed in Section 5.3.
|
||
|
||
To generate a final reply, the KDC generates the padata modifying the
|
||
pre-authentication state as necessary. Then it generates the final
|
||
response, encrypting it in the current pre-authentication reply key.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 9]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
3. Pre-Authentication Facilities
|
||
|
||
Pre-Authentication mechanisms can be thought of as providing various
|
||
conceptual facilities. This serves two useful purposes. First,
|
||
mechanism authors can choose only to solve one specific small
|
||
problem. It is often useful for a mechanism designed to offer key
|
||
management not to directly provide client authentication but instead
|
||
to allow one or more other mechanisms to handle this need. Secondly,
|
||
thinking about the abstract services that a 2mechanism provides
|
||
yields a minimum set of security requirements that all mechanisms
|
||
providing that facility must meet. These security requirements are
|
||
not complete; mechanisms will have additional security requirements
|
||
based on the specific protocol they employ.
|
||
|
||
A mechanism is not constrained to only offering one of these
|
||
facilities. While such mechanisms can be designed and are sometimes
|
||
useful, many pre-authentication mechanisms implement several
|
||
facilities. By combining multiple facilities in a single mechanism,
|
||
it is often easier to construct a secure, simple solution than by
|
||
solving the problem in full generality. Even when mechanisms provide
|
||
multiple facilities, they need to meet the security requirements for
|
||
all the facilities they provide.
|
||
|
||
According to Kerberos extensibility rules (section 1.4.2 of the
|
||
Kerberos specification [2]), an extension MUST NOT change the
|
||
semantics of a message unless a recipient is known to understand that
|
||
extension. Because a client does not know that the KDC supports a
|
||
particular pre-authentication mechanism when it sends an initial
|
||
request, a preauth mechanism MUST NOT change the semantics of the
|
||
request in a way that will break a KDC that does not understand that
|
||
mechanism. Similarly, KDCs MUST not send messages to clients that
|
||
affect the core semantics unless the clients have indicated support
|
||
for the message.
|
||
|
||
The only state in this model that would break the interpretation of a
|
||
message is changing the expected reply key. If one mechanism changed
|
||
the reply key and a later mechanism used that reply key, then a KDC
|
||
that interpreted the second mechanism but not the first would fail to
|
||
interpret the request correctly. In order to avoid this problem,
|
||
extensions that change core semantics are typically divided into two
|
||
parts. The first part proposes a change to the core semantic--for
|
||
example proposes a new reply key. The second part acknowledges that
|
||
the extension is understood and that the change takes effect.
|
||
Section 3.2 discusses how to design mechanisms that modify the reply
|
||
key to be split into a proposal and acceptance without requiring
|
||
additional round trips to use the new reply key in subsequent
|
||
pre-authentication. Other changes in the state described in Section
|
||
2.1 can safely be ignored by a KDC that does not understand a
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 10]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
mechanism. Mechanisms that modify the behavior of the request
|
||
outside the scope of this framework need to carefully consider the
|
||
Kerberos extensibility rules to avoid similar problems.
|
||
|
||
3.1 Client Authentication
|
||
|
||
The client authentication facility proves the identity of a user to
|
||
the KDC before a ticket is issued. Examples of mechanisms
|
||
implementing this facility include the encrypted timestamp facility
|
||
defined in Section 5.2.7.2 of the Kerberos specification [2] and the
|
||
single-use mechanism defined in [5]. Mechanisms that provide this
|
||
facility are expected to mark the client as authenticated.
|
||
|
||
Mechanisms implementing this facility SHOULD require the client to
|
||
prove knowledge of the reply key before transmitting a successful
|
||
KDC reply. Otherwise, an attacker can intercept the
|
||
pre-authentication exchange and get a reply to attack. One way of
|
||
proving the client knows the reply key is to implement the Replace
|
||
Reply Key facility along with this facility. The Pkinit mechanism
|
||
[6] implements Client Authentication along side Replace Reply Key.
|
||
|
||
If the reply key has been replaced, then mechanisms such as encrypted
|
||
timestamp that rely on knowledge of the reply key to authenticate the
|
||
client MUST NOT be used.
|
||
|
||
3.2 Strengthen Reply Key
|
||
|
||
Particularly, when dealing with keys based on passwords, it is
|
||
desirable to increase the strength of the key by adding additional
|
||
secrets to it. Examples of sources of additional secrets include the
|
||
results of a Diffie-Hellman key exchange or key bits from the output
|
||
of a smart card [5]. Typically these additional secrets are
|
||
converted into a Kerberos protocol key. Then they are combined with
|
||
the existing reply key as discussed in Section 5.1.
|
||
|
||
If a mechanism implementing this facility wishes to modify the reply
|
||
key before knowing that the other party in the exchange supports the
|
||
mechanism, it proposes modifying the reply key. The other party then
|
||
includes a message indicating that the proposal is accepted if it is
|
||
understood and meets policy. In many cases it is desirable to use
|
||
the new reply key for client authentication and for other facilities.
|
||
Waiting for the other party to accept the proposal and actually
|
||
modify the reply key state would add an additional round trip to the
|
||
exchange. Instead, mechanism designers are encouraged to include a
|
||
typed hole for additional padata in the message that proposes the
|
||
reply key change. The padata included in the typed hole are
|
||
generated assuming the new reply key. If the other party accepts the
|
||
proposal, then these padata are interpreted as if they were included
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 11]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
immediately following the proposal. The party generating the
|
||
proposal can determine whether the padata were processed based on
|
||
whether the proposal for the reply key is accepted.
|
||
|
||
The specific formats of the proposal message, including where padata
|
||
are are included is a matter for the mechanism specification.
|
||
Similarly, the format of the message accepting the proposal is
|
||
mechanism-specific.
|
||
|
||
Mechanisms implementing this facility and including a typed hole for
|
||
additional padata MUST checksum that padata using a keyed checksum or
|
||
encrypt the padata. Typically the reply key is used to protect the
|
||
padata. XXX If you are only minimally increasing the strength of the
|
||
reply key, this may give the attacker access to something too close
|
||
to the original reply key. However, binding the padata to the new
|
||
reply key seems potentially important from a security standpoint.
|
||
There may also be objections to this from a double encryption
|
||
standpoint because we also recommend client authentication facilities
|
||
be tied to the reply key.
|
||
|
||
3.3 Replace Reply Key
|
||
|
||
The Replace Reply Key facility replaces the key in which a successful
|
||
AS reply will be encrypted. This facility can only be used in cases
|
||
where knowledge of the reply key is not used to authenticate the
|
||
client. The new reply key MUST be communicated to the client and KDC
|
||
in a secure manner. Mechanisms implementing this facility MUST mark
|
||
the reply key as replaced in the pre-authentication state.
|
||
Mechanisms implementing this facility MUST either provide a mechanism
|
||
to verify the KDC reply to the client or mark the reply as unverified
|
||
in the pre-authentication state. Mechanisms implementing this
|
||
facility SHOULD NOT be used if a previous mechanism has used the
|
||
reply key.
|
||
|
||
As with the Strengthen Reply Key facility, Kerberos extensibility
|
||
rules require that the reply key not be changed unless both sides of
|
||
the exchange understand the extension. In the case of this facility
|
||
it will likely be more common for both sides to know that the
|
||
facility is available by the time that the new key is available to be
|
||
used. However, mechanism designers can use a container for padata in
|
||
a proposal message as discussed in Section 3.2 if appropriate.
|
||
|
||
3.4 Verify Response
|
||
|
||
This facility verifies that the response comes from the expected KDC.
|
||
In traditional Kerberos, the KDC and the client share a key, so if
|
||
the ticket can be decrypted then the client knows that a trusted KDC
|
||
responded. Note that the client machine cannot trust the client
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 12]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
unless the machine retrieves a service ticket for itself. However,
|
||
if the reply key is replaced, some mechanism is required to verify
|
||
the KDC. Mechanisms providing this facility provide such a
|
||
mechanism. They mark the pre-authentication state as having been
|
||
verified; they may also mark it as verified to the client host.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 13]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
4. Requirements for Pre-Authentication Mechanisms
|
||
|
||
This section lists requirements for specifications of
|
||
pre-authentication mechanisms.
|
||
|
||
For each message in the pre-authentication mechanism, the
|
||
specification describes the pa-type value to be used and the
|
||
contents of the message. The processing of the message my the
|
||
sender and recipient is also specified. This specification needs to
|
||
include all modifications to the pre-authentication state.
|
||
|
||
Generally mechanisms have a message that can be sent as part of the
|
||
first KDC_ERR_PREAUTH_REQUIRED or as part of an authentication set.
|
||
If the client will need information such as available certificate
|
||
authorities in order to determine if it can use the mechanism, then
|
||
this information should be in that first message. IN addition, such
|
||
mechanisms should also define a pa-hint to be included in
|
||
authentication sets when the mechanism is not the first mechanism in
|
||
the authentication set. Often, the same information included in the
|
||
first pa-value is appropriate to include in the pa-hint.
|
||
|
||
In order to ease in security analysis the mechanism specification
|
||
should describe what facilities from this document are offered by the
|
||
mechanism. For each facility, the security considerations section of
|
||
the mechanism specification should show that the security
|
||
requirements of that facility are met.
|
||
|
||
Significant problems have resulted in the specification of Kerberos
|
||
protocols because much of the KDC exchange is not protected against
|
||
authentication. The security considerations section should discuss
|
||
unauthenticated plaintext attacks. It should either show that
|
||
plaintext is protected or discuss what harm an attacker could do by
|
||
modifying the plaintext. It is generally acceptable for an attacker
|
||
to be able to cause the protocol negotiation to fail by modifying
|
||
plaintext. More significant attacks should be evaluated carefully.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 14]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
5. Tools for Use in Pre-Authentication Mechanisms
|
||
|
||
5.1 Combine Keys
|
||
|
||
5.2 Signing Requests/Responses
|
||
|
||
5.3 Managing State for the KDC
|
||
|
||
5.4 PA-AUTHENTICATION-SET
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 15]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
6. IANA Considerations
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 16]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
7. Security Considerations
|
||
|
||
Very little of the AS request is authenticated. Same for padata
|
||
in the reply or error. Discuss implications
|
||
Table of security requirements stated elsewhere in the document
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 17]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
8. Acknowledgements
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 18]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
9. References
|
||
|
||
9.1 Normative References
|
||
|
||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||
Levels", RFC 2119, BCP 14, March 1997.
|
||
|
||
[2] Neuman, C., Yu, T., Hartman, S. and K. Raeburn, "The Kerberos
|
||
Network Authentication Service (V5)",
|
||
draft-ietf-krb-wg-kerberos-clarifications-06.txt (work in
|
||
progress), June 2004.
|
||
|
||
[3] Raeburn, K., "Encryption and Checksum Specifications for
|
||
Kerberos 5", draft-ietf-krb-wg-crypto-03.txt (work in progress).
|
||
|
||
[4] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
|
||
2279, January 1998.
|
||
|
||
9.2 Informative References
|
||
|
||
[5] Hornstein, K., Renard, K., Neuman, C. and G. Zorn, "Integrating
|
||
Single-use Authentication Mechanisms with Kerberos",
|
||
draft-ietf-krb-wg-kerberos-sam-02.txt (work in progress),
|
||
October 2003.
|
||
|
||
[6] Tung, B., Neuman, C., Hur, M., Medvinsky, A. and S. Medvinsky,
|
||
"Public Key Cryptography for Initial Authentication in
|
||
Kerberos", draft-ietf-cat-kerberos-pk-init-19.txt (work in
|
||
progress), April 2004.
|
||
|
||
|
||
Author's Address
|
||
|
||
Sam hartman
|
||
MIT
|
||
|
||
EMail: hartmans@mit.edu
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 19]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
Appendix A. Todo List
|
||
|
||
Flesh out sections that are still outlines
|
||
Discuss cookies and multiple-round-trip mechanisms.
|
||
Talk about checksum contributions from each mechanism
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 20]
|
||
|
||
Internet-Draft Kerberos Preauth Framework October 2004
|
||
|
||
|
||
Intellectual Property Statement
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
|
||
Disclaimer of Validity
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2004). This document is subject
|
||
to the rights, licenses and restrictions contained in BCP 78, and
|
||
except as set forth therein, the authors retain all their rights.
|
||
|
||
|
||
Acknowledgment
|
||
|
||
Funding for the RFC Editor function is currently provided by the
|
||
Internet Society.
|
||
|
||
|
||
|
||
|
||
Hartman Expires April 24, 2005 [Page 21]
|
||
|
||
|