mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
7055827b8f
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
673 lines
14 KiB
Plaintext
673 lines
14 KiB
Plaintext
|
||
|
||
|
||
Network Working Group S. Josefsson
|
||
Internet-Draft SJD
|
||
Intended status: Standards Track October 21, 2006
|
||
Expires: April 24, 2007
|
||
|
||
|
||
Using Kerberos V5 over the Transport Layer Security (TLS) protocol
|
||
draft-josefsson-kerberos5-starttls-02
|
||
|
||
Status of this Memo
|
||
|
||
By submitting this Internet-Draft, each author represents that any
|
||
applicable patent or other IPR claims of which he or she is aware
|
||
have been or will be disclosed, and any of which he or she becomes
|
||
aware will be disclosed, in accordance with Section 6 of BCP 79.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that
|
||
other groups may also distribute working documents as Internet-
|
||
Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as "work in progress."
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt.
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
This Internet-Draft will expire on April 24, 2007.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 1]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
Abstract
|
||
|
||
This document specify how the Kerberos V5 protocol can be transported
|
||
over the Transport Layer Security (TLS) protocol, to provide
|
||
additional security features.
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction and Background . . . . . . . . . . . . . . . . . 3
|
||
2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5
|
||
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
||
4. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 7
|
||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
|
||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
|
||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
|
||
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
|
||
7.2. Informative References . . . . . . . . . . . . . . . . . . 10
|
||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
|
||
Intellectual Property and Copyright Statements . . . . . . . . . . 12
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 2]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
1. Introduction and Background
|
||
|
||
This document describe how a Kerberos V5 [2] implementation may
|
||
upgrade communication between clients and Key Distribution Centers
|
||
(KDCs) to use the Transport Layer Security (TLS) [4] protocol.
|
||
|
||
The TLS protocol offer integrity and privacy protected exchanges that
|
||
can be authentication using X.509 certificates, OpenPGP keys [7], and
|
||
user name and passwords via SRP [6].
|
||
|
||
There are several reasons to use Kerberos V5 over TLS.
|
||
|
||
o Prevents downgrade attacks affecting, e.g., encryption types and
|
||
pre-auth data negotiation. The encryption type field in KDC-REQ,
|
||
and the METHOD-DATA field with the requested pre-auth types from
|
||
the server in KDC_ERR_PREAUTH_REQUIRED errors in KDC-REP, are sent
|
||
without integrity or privacy protection in Kerberos 5. This
|
||
allows an attacker to replace the encryption type with a
|
||
compromised encryption type, e.g., 56-bit DES, or request that
|
||
clients should use a broken pre-auth type. Since clients in
|
||
general cannot know the encryption types other servers support, or
|
||
the pre-auth types servers prefer or require, it is difficult for
|
||
the client to detect if there was a man-in-the-middle or if the
|
||
remote server simply did not support a stronger encryption type or
|
||
preferred another pre-auth type.
|
||
|
||
|
||
o Kerberos exchanges are privacy protected. Part of many Kerberos
|
||
packets are transfered without privacy protection (i.e.,
|
||
encryption). That part contains information, such as the client
|
||
principal name, the server principal name, the encryption types
|
||
supported by the client, the lifetime of tickets, etc. Revealing
|
||
such information is, in some threat models, considered a problem.
|
||
|
||
|
||
o Additional authentication against the KDC. In some situations,
|
||
users are equipped with smart cards with a RSA authentication key.
|
||
In others, users have a OpenPGP client on their desktop, with a
|
||
public OpenPGP key known to the server.
|
||
|
||
o The TLS protocol has been studied by many parties. In some threat
|
||
models, the designer prefer to reduce the number of protocols that
|
||
can hurt the overall system security if they are compromised.
|
||
|
||
|
||
o Explicit server authentication of the KDC to the client. In
|
||
traditional Kerberos 5, authentication of the KDC is proved as a
|
||
side effect that the KDC knows your encryption key (i.e., your
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 3]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
password).
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in RFC 2119 [1].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 4]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
2. Kerberos V5 STARTTLS Extension
|
||
|
||
The STARTTLS extension uses the Kerberos V5 TCP extension mechanism
|
||
[3]. The extension uses bit #TBD in the extension bitmask.
|
||
|
||
The protocol is as follows. After the server has sent the 4-octet
|
||
value 0x00000000 to indicate support of this extension, the stream
|
||
will be controlled by the TLS protocol and its framing. The TLS
|
||
protocol is initiated by the client.
|
||
|
||
Typically, the client initiate the TLS handshake protocol by sending
|
||
a client hello, and the server responds, and the handshake continues
|
||
until it either succeed or fails.
|
||
|
||
If for any reason the handshake fails, the STARTTLS protocol will
|
||
also fail, and the TLS error is used as the error indication.
|
||
|
||
If the handshake succeeds, the Kerberos V5 authentication protocol is
|
||
performed within the protected TLS channel, like a normal TCP
|
||
Kerberos V5 exchange. In particular, this means that every Kerberos
|
||
V5 packet will be prefixed by a 4-octet length field, that indicate
|
||
the length of the Kerberos V5 packet.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 5]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
3. Examples
|
||
|
||
A complete packet flow for a successful AS-REQ/REP exchange protected
|
||
by this mechanism will be as follows. The "STARTTLS-bit" is a
|
||
4-octet value with only the bit allocated for this extension set.
|
||
|
||
Client Server
|
||
|
||
[ Kerberos V5 TCP extension mechanism negotiation starts ]
|
||
|
||
[0x70000000 & STARTTLS-bit] -------->
|
||
[0x00000000]
|
||
<--------
|
||
|
||
[ TLS negotiation starts ]
|
||
|
||
|
||
ClientHello -------->
|
||
ServerHello
|
||
Certificate*
|
||
ServerKeyExchange*
|
||
CertificateRequest*
|
||
<-------- ServerHelloDone
|
||
Certificate*
|
||
ClientKeyExchange
|
||
CertificateVerify*
|
||
[ChangeCipherSpec]
|
||
Finished -------->
|
||
[ChangeCipherSpec]
|
||
<-------- Finished
|
||
|
||
[ Kerberos V5 negotiation starts ]
|
||
|
||
4 octet length field
|
||
Kerberos V5 AS-REQ -------->
|
||
4 octet length field
|
||
Kerberos V5 AS-REP
|
||
<--------
|
||
|
||
* Indicates optional or situation-dependent messages that are not
|
||
always sent.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 6]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
4. STARTTLS aware KDC Discovery
|
||
|
||
Section 7.2.3 of Kerberos V5 [2] describe how Domain Name System
|
||
(DNS) SRV records [5] can be used to find the address of an KDC.
|
||
Using the terminology of Section 7.2.3 of RFC 4120, we define a new
|
||
Proto of "tls" to indicate that the particular KDC is intended to
|
||
support this STARTTLS extension. The Service, Realm, TTL, Class,
|
||
SRV, Priority, Weight, Port and Target have the same meaning as in
|
||
RFC 4120.
|
||
|
||
For example:
|
||
|
||
_kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com.
|
||
_kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 7]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
5. IANA Considerations
|
||
|
||
The IANA is requested to allocate a bit in the "Kerberos TCP
|
||
Extensions" registry for the extension described in this document, as
|
||
per [3].
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 8]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
6. Security Considerations
|
||
|
||
The security considerations in Kerberos V5, TLS, and the extension
|
||
mechanism framework are inherited.
|
||
|
||
To protect against the inherent downgrade attack in the extension
|
||
framework, it is suggested that implementations offer a policy to
|
||
require that this extension is successfully negotiated. For
|
||
interoperability with implementations that do not support this
|
||
extension, it is suggested that the policy is disabled by default.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 9]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
7. References
|
||
|
||
7.1. Normative References
|
||
|
||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
|
||
Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[2] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
|
||
Network Authentication Service (V5)", RFC 4120, July 2005.
|
||
|
||
[3] Josefsson, S., "Extended Kerberos Version 5 Key Distribution
|
||
Center (KDC) Exchanges Over TCP",
|
||
draft-ietf-krb-wg-tcp-expansion-01 (work in progress),
|
||
September 2006.
|
||
|
||
[4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
|
||
Protocol Version 1.1", RFC 4346, April 2006.
|
||
|
||
[5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
|
||
specifying the location of services (DNS SRV)", RFC 2782,
|
||
February 2000.
|
||
|
||
7.2. Informative References
|
||
|
||
[6] Taylor, D., "Using SRP for TLS Authentication",
|
||
draft-ietf-tls-srp-12 (work in progress), June 2006.
|
||
|
||
[7] Mavroyanopoulos, N., "Using OpenPGP keys for TLS
|
||
authentication", draft-ietf-tls-openpgp-keys-10 (work in
|
||
progress), June 2006.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 10]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
Author's Address
|
||
|
||
Simon Josefsson
|
||
SJD
|
||
|
||
Email: simon@josefsson.org
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 11]
|
||
|
||
Internet-Draft Protecting Kerberos V5 with TLS October 2006
|
||
|
||
|
||
Full Copyright Statement
|
||
|
||
Copyright (C) The Internet Society (2006).
|
||
|
||
This document is subject to the rights, licenses and restrictions
|
||
contained in BCP 78, and except as set forth therein, the authors
|
||
retain all their rights.
|
||
|
||
This document and the information contained herein are provided on an
|
||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
|
||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
|
||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
|
||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
|
||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
|
||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
Intellectual Property
|
||
|
||
The IETF takes no position regarding the validity or scope of any
|
||
Intellectual Property Rights or other rights that might be claimed to
|
||
pertain to the implementation or use of the technology described in
|
||
this document or the extent to which any license under such rights
|
||
might or might not be available; nor does it represent that it has
|
||
made any independent effort to identify any such rights. Information
|
||
on the procedures with respect to rights in RFC documents can be
|
||
found in BCP 78 and BCP 79.
|
||
|
||
Copies of IPR disclosures made to the IETF Secretariat and any
|
||
assurances of licenses to be made available, or the result of an
|
||
attempt made to obtain a general license or permission for the use of
|
||
such proprietary rights by implementers or users of this
|
||
specification can be obtained from the IETF on-line IPR repository at
|
||
http://www.ietf.org/ipr.
|
||
|
||
The IETF invites any interested party to bring to its attention any
|
||
copyrights, patents or patent applications, or other proprietary
|
||
rights that may cover technology that may be required to implement
|
||
this standard. Please address the information to the IETF at
|
||
ietf-ipr@ietf.org.
|
||
|
||
|
||
Acknowledgment
|
||
|
||
Funding for the RFC Editor function is provided by the IETF
|
||
Administrative Support Activity (IASA).
|
||
|
||
|
||
|
||
|
||
|
||
Josefsson Expires April 24, 2007 [Page 12]
|
||
|