| blob | b407759662ca902247ece01dbc58d660d54ea614 |
7 Internet Engineering Task Force (IETF) L. Zhu
8 Request for Comments: 6112 P. Leach
9 Updates: 4120, 4121, 4556 Microsoft Corporation
10 Category: Standards Track S. Hartman
11 ISSN: 2070-1721 Painless Security
12 April 2011
15 Anonymity Support for Kerberos
17 Abstract
19 This document defines extensions to the Kerberos protocol to allow a
20 Kerberos client to securely communicate with a Kerberos application
21 service without revealing its identity, or without revealing more
22 than its Kerberos realm. It also defines extensions that allow a
23 Kerberos client to obtain anonymous credentials without revealing its
24 identity to the Kerberos Key Distribution Center (KDC). This
25 document updates RFCs 4120, 4121, and 4556.
27 Status of This Memo
29 This is an Internet Standards Track document.
31 This document is a product of the Internet Engineering Task Force
32 (IETF). It represents the consensus of the IETF community. It has
33 received public review and has been approved for publication by the
34 Internet Engineering Steering Group (IESG). Further information on
35 Internet Standards is available in Section 2 of RFC 5741.
37 Information about the current status of this document, any errata,
38 and how to provide feedback on it may be obtained at
39 http://www.rfc-editor.org/info/rfc6112.
41 Copyright Notice
43 Copyright (c) 2011 IETF Trust and the persons identified as the
44 document authors. All rights reserved.
46 This document is subject to BCP 78 and the IETF Trust's Legal
47 Provisions Relating to IETF Documents
48 (http://trustee.ietf.org/license-info) in effect on the date of
49 publication of this document. Please review these documents
50 carefully, as they describe your rights and restrictions with respect
51 to this document. Code Components extracted from this document must
52 include Simplified BSD License text as described in Section 4.e of
53 the Trust Legal Provisions and are provided without warranty as
54 described in the Simplified BSD License.
58 Zhu, et al. Standards Track [Page 1]
59 \f
60 RFC 6112 Kerberos Anonymity Support April 2011
63 This document may contain material from IETF Documents or IETF
64 Contributions published or made publicly available before November
65 10, 2008. The person(s) controlling the copyright in some of this
66 material may not have granted the IETF Trust the right to allow
67 modifications of such material outside the IETF Standards Process.
68 Without obtaining an adequate license from the person(s) controlling
69 the copyright in such materials, this document may not be modified
70 outside the IETF Standards Process, and derivative works of it may
71 not be created outside the IETF Standards Process, except to format
72 it for publication as an RFC or to translate it into languages other
73 than English.
75 Table of Contents
77 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
78 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
79 3. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3
80 4. Protocol Description . . . . . . . . . . . . . . . . . . . . . 5
81 4.1. Anonymity Support in AS Exchange . . . . . . . . . . . . . 5
82 4.1.1. Anonymous PKINIT . . . . . . . . . . . . . . . . . . . 6
83 4.2. Anonymity Support in TGS Exchange . . . . . . . . . . . . 7
84 4.3. Subsequent Exchanges and Protocol Actions Common to AS
85 and TGS for Anonymity Support . . . . . . . . . . . . . . 9
86 5. Interoperability Requirements . . . . . . . . . . . . . . . . 10
87 6. GSS-API Implementation Notes . . . . . . . . . . . . . . . . . 10
88 7. PKINIT Client Contribution to the Ticket Session Key . . . . . 11
89 7.1. Combining Two Protocol Keys . . . . . . . . . . . . . . . 12
90 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13
91 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
92 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
93 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
94 11.1. Normative References . . . . . . . . . . . . . . . . . . . 15
95 11.2. Informative References . . . . . . . . . . . . . . . . . . 16
114 Zhu, et al. Standards Track [Page 2]
115 \f
116 RFC 6112 Kerberos Anonymity Support April 2011
119 1. Introduction
121 In certain situations, the Kerberos [RFC4120] client may wish to
122 authenticate a server and/or protect communications without revealing
123 the client's own identity. For example, consider an application that
124 provides read access to a research database and that permits queries
125 by arbitrary requesters. A client of such a service might wish to
126 authenticate the service, to establish trust in the information
127 received from it, but might not wish to disclose the client's
128 identity to the service for privacy reasons.
130 Extensions to Kerberos are specified in this document by which a
131 client can authenticate the Key Distribution Center (KDC) and request
132 an anonymous ticket. The client can use the anonymous ticket to
133 authenticate the server and protect subsequent client-server
134 communications.
136 By using the extensions defined in this specification, the client can
137 request an anonymous ticket where the client may reveal the client's
138 identity to the client's own KDC, or the client can hide the client's
139 identity completely by using anonymous Public Key Cryptography for
140 Initial Authentication in Kerberos (PKINIT) as defined in
141 Section 4.1. Using the returned anonymous ticket, the client remains
142 anonymous in subsequent Kerberos exchanges thereafter to KDCs on the
143 cross-realm authentication path and to the server with which it
144 communicates.
146 In this specification, the client realm in the anonymous ticket is
147 the anonymous realm name when anonymous PKINIT is used to obtain the
148 ticket. The client realm is the client's real realm name if the
149 client is authenticated using the client's long-term keys. Note that
150 the membership of a realm can imply a member of the community
151 represented by the realm.
153 The interaction with Generic Security Service Application Program
154 Interface (GSS-API) is described after the protocol description.
156 2. Conventions Used in This Document
158 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
159 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
160 document are to be interpreted as described in [RFC2119].
162 3. Definitions
164 The anonymous Kerberos realm name is defined as a well-known realm
165 name based on [RFC6111], and the value of this well-known realm name
166 is the literal "WELLKNOWN:ANONYMOUS".
170 Zhu, et al. Standards Track [Page 3]
171 \f
172 RFC 6112 Kerberos Anonymity Support April 2011
175 The anonymous Kerberos principal name is defined as a well-known
176 Kerberos principal name based on [RFC6111]. The value of the name-
177 type field is KRB_NT_WELLKNOWN [RFC6111], and the value of the name-
178 string field is a sequence of two KerberosString components:
179 "WELLKNOWN", "ANONYMOUS".
181 The anonymous ticket flag is defined as bit 16 (with the first bit
182 being bit 0) in the TicketFlags:
184 TicketFlags ::= KerberosFlags
185 -- anonymous(16)
186 -- TicketFlags and KerberosFlags are defined in [RFC4120]
188 This is a new ticket flag that is used to indicate that a ticket is
189 an anonymous one.
191 An anonymous ticket is a ticket that has all of the following
192 properties:
194 o The cname field contains the anonymous Kerberos principal name.
196 o The crealm field contains the client's realm name or the anonymous
197 realm name.
199 o The anonymous ticket contains no information that can reveal the
200 client's identity. However, the ticket may contain the client
201 realm, intermediate realms on the client's authentication path,
202 and authorization data that may provide information related to the
203 client's identity. For example, an anonymous principal that is
204 identifiable only within a particular group of users can be
205 implemented using authorization data and such authorization data,
206 if included in the anonymous ticket, would disclose the client's
207 membership of that group.
209 o The anonymous ticket flag is set.
211 The anonymous KDC option is defined as bit 16 (with the first bit
212 being bit 0) in the KDCOptions:
214 KDCOptions ::= KerberosFlags
215 -- anonymous(16)
216 -- KDCOptions and KerberosFlags are defined in [RFC4120]
226 Zhu, et al. Standards Track [Page 4]
227 \f
228 RFC 6112 Kerberos Anonymity Support April 2011
231 As described in Section 4, the anonymous KDC option is set to request
232 an anonymous ticket in an Authentication Service (AS) request or a
233 Ticket Granting Service (TGS) request.
235 4. Protocol Description
237 In order to request an anonymous ticket, the client sets the
238 anonymous KDC option in an AS request or a TGS request.
240 The rest of this section is organized as follows: it first describes
241 protocol actions specific to AS exchanges, then it describes those of
242 TGS exchanges. These are then followed by the description of
243 protocol actions common to both AS and TGS and those in subsequent
244 exchanges.
246 4.1. Anonymity Support in AS Exchange
248 The client requests an anonymous ticket by setting the anonymous KDC
249 option in an AS exchange.
251 The Kerberos client can use the client's long-term keys, the client's
252 X.509 certificates [RFC4556], or any other pre-authentication data,
253 to authenticate to the KDC and requests an anonymous ticket in an AS
254 exchange where the client's identity is known to the KDC.
256 If the client in the AS request is anonymous, the anonymous KDC
257 option MUST be set in the request. Otherwise, the KDC MUST return a
258 KRB-ERROR message with the code KDC_ERR_BADOPTION.
260 If the client is anonymous and the KDC does not have a key to encrypt
261 the reply (this can happen when, for example, the KDC does not
262 support PKINIT [RFC4556]), the KDC MUST return an error message with
263 the code KDC_ERR_NULL_KEY [RFC4120].
265 When policy allows, the KDC issues an anonymous ticket. If the
266 client name in the request is the anonymous principal, the client
267 realm (crealm) in the reply is the anonymous realm, otherwise, the
268 client realm is the realm of the AS. According to [RFC4120], the
269 client name and the client realm in the EncTicketPart of the reply
270 MUST match with the corresponding client name and the client realm of
271 the KDC reply; the client MUST use the client name and the client
272 realm returned in the KDC-REP in subsequent message exchanges when
273 using the obtained anonymous ticket.
275 Care MUST be taken by the KDC not to reveal the client's identity in
276 the authorization data of the returned ticket when populating the
277 authorization data in a returned anonymous ticket.
282 Zhu, et al. Standards Track [Page 5]
283 \f
284 RFC 6112 Kerberos Anonymity Support April 2011
287 The AD-INITIAL-VERIFIED-CAS authorization data, as defined in
288 [RFC4556], contains the issuer name of the client certificate. This
289 authorization is not applicable and MUST NOT be present in the
290 returned anonymous ticket when anonymous PKINIT is used. When the
291 client is authenticated (i.e., anonymous PKINIT is not used), if it
292 is undesirable to disclose such information about the client's
293 identity, the AD-INITIAL-VERIFIED-CAS authorization data SHOULD be
294 removed from the returned anonymous ticket.
296 The client can use the client keys to mutually authenticate with the
297 KDC and request an anonymous Ticket Granting Ticket (TGT) in the AS
298 request. In that case, the reply key is selected as normal,
299 according to Section 3.1.3 of [RFC4120].
301 4.1.1. Anonymous PKINIT
303 This sub-section defines anonymous PKINIT.
305 As described earlier in this section, the client can request an
306 anonymous ticket by authenticating to the KDC using the client's
307 identity; alternatively, without revealing the client's identity to
308 the KDC, the Kerberos client can request an anonymous ticket as
309 follows: the client sets the client name as the anonymous principal
310 in the AS exchange and provides PA_PK_AS_REQ pre-authentication data
311 [RFC4556] where the signerInfos field of the SignedData [RFC5652] of
312 the PA_PK_AS_REQ is empty, and the certificates field is absent.
313 Because the anonymous client does not have an associated asymmetric
314 key pair, the client MUST choose the Diffie-Hellman key agreement
315 method by filling in the Diffie-Hellman domain parameters in the
316 clientPublicValue [RFC4556]. This use of the anonymous client name
317 in conjunction with PKINIT is referred to as anonymous PKINIT. If
318 anonymous PKINIT is used, the realm name in the returned anonymous
319 ticket MUST be the anonymous realm.
321 Upon receiving the anonymous PKINIT request from the client, the KDC
322 processes the request, according to Section 3.1.2 of [RFC4120]. The
323 KDC skips the checks for the client's signature and the client's
324 public key (such as the verification of the binding between the
325 client's public key and the client name), but performs otherwise
326 applicable checks, and proceeds as normal, according to [RFC4556].
327 For example, the AS MUST check if the client's Diffie-Hellman domain
328 parameters are acceptable. The Diffie-Hellman key agreement method
329 MUST be used and the reply key is derived according to Section
330 3.2.3.1 of [RFC4556]. If the clientPublicValue is not present in the
331 request, the KDC MUST return a KRB-ERROR with the code
332 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED [RFC4556]. If all goes
333 well, an anonymous ticket is generated, according to Section 3.1.3 of
334 [RFC4120], and PA_PK_AS_REP [RFC4556] pre-authentication data is
338 Zhu, et al. Standards Track [Page 6]
339 \f
340 RFC 6112 Kerberos Anonymity Support April 2011
343 included in the KDC reply, according to [RFC4556]. If the KDC does
344 not have an asymmetric key pair, it MAY reply anonymously or reject
345 the authentication attempt. If the KDC replies anonymously, the
346 signerInfos field of the SignedData [RFC5652] of PA_PK_AS_REP in the
347 reply is empty, and the certificates field is absent. The server
348 name in the anonymous KDC reply contains the name of the TGS.
350 Upon receipt of the KDC reply that contains an anonymous ticket and
351 PA_PK_AS_REP [RFC4556] pre-authentication data, the client can then
352 authenticate the KDC based on the KDC's signature in the
353 PA_PK_AS_REP. If the KDC's signature is missing in the KDC reply
354 (the reply is anonymous), the client MUST reject the returned ticket
355 if it cannot authenticate the KDC otherwise.
357 A KDC that supports anonymous PKINIT MUST indicate the support of
358 PKINIT, according to Section 3.4 of [RFC4556]. In addition, such a
359 KDC MUST indicate support for anonymous PKINIT by including a padata
360 element of padata-type PA_PKINIT_KX and empty padata-value when
361 including PA-PK-AS-REQ in an error reply.
363 When included in a KDC error, PA_PKINIT_KX indicates support for
364 anonymous PKINIT. As discussed in Section 7, when included in an AS-
365 REP, PA_PKINIT_KX proves that the KDC and client both contributed to
366 the session key for any use of Diffie-Hellman key agreement with
367 PKINIT.
369 Note that in order to obtain an anonymous ticket with the anonymous
370 realm name, the client MUST set the client name as the anonymous
371 principal in the request when requesting an anonymous ticket in an AS
372 exchange. Anonymity PKINIT is the only way via which an anonymous
373 ticket with the anonymous realm as the client realm can be generated
374 in this specification.
376 4.2. Anonymity Support in TGS Exchange
378 The client requests an anonymous ticket by setting the anonymous KDC
379 option in a TGS exchange, and in that request the client can use a
380 normal Ticket Granting Ticket (TGT) with the client's identity, or an
381 anonymous TGT, or an anonymous cross-realm TGT. If the client uses a
382 normal TGT, the client's identity is known to the TGS.
384 Note that the client can completely hide the client's identity in an
385 AS exchange using anonymous PKINIT, as described in the previous
386 section.
394 Zhu, et al. Standards Track [Page 7]
395 \f
396 RFC 6112 Kerberos Anonymity Support April 2011
399 If the ticket in the PA-TGS-REQ of the TGS request is an anonymous
400 one, the anonymous KDC option MUST be set in the request. Otherwise,
401 the KDC MUST return a KRB-ERROR message with the code
402 KDC_ERR_BADOPTION.
404 When policy allows, the KDC issues an anonymous ticket. If the
405 ticket in the TGS request is an anonymous one, the client name and
406 the client realm are copied from that ticket; otherwise, the ticket
407 in the TGS request is a normal ticket, the returned anonymous ticket
408 contains the client name as the anonymous principal and the client
409 realm as the true realm of the client. In all cases, according to
410 [RFC4120] the client name and the client realm in the EncTicketPart
411 of the reply MUST match with the corresponding client name and the
412 client realm of the anonymous ticket in the reply; the client MUST
413 use the client name and the client realm returned in the KDC-REP in
414 subsequent message exchanges when using the obtained anonymous
415 ticket.
417 Care MUST be taken by the TGS not to reveal the client's identity in
418 the authorization data of the returned ticket. When propagating
419 authorization data in the ticket or in the enc-authorization-data
420 field of the request, the TGS MUST ensure that the client
421 confidentiality is not violated in the returned anonymous ticket.
422 The TGS MUST process the authorization data recursively, according to
423 Section 5.2.6 of [RFC4120], beyond the container levels such that all
424 embedded authorization elements are interpreted. The TGS SHOULD NOT
425 populate identity-based authorization data into an anonymous ticket
426 in that such authorization data typically reveals the client's
427 identity. The specification of a new authorization data type MUST
428 specify the processing rules of the authorization data when an
429 anonymous ticket is returned. If there is no processing rule defined
430 for an authorization data element or the authorization data element
431 is unknown, the TGS MUST process it when an anonymous ticket is
432 returned as follows:
434 o If the authorization data element may reveal the client's
435 identity, it MUST be removed unless otherwise specified.
437 o If the authorization data element, that could reveal the client's
438 identity, is intended to restrict the use of the ticket or limit
439 the rights otherwise conveyed in the ticket, it cannot be removed
440 in order to hide the client's identity. In this case, the
441 authentication attempt MUST be rejected, and the TGS MUST return
442 an error message with the code KDC_ERR_POLICY. Note this is
443 applicable to both critical and optional authorization data.
450 Zhu, et al. Standards Track [Page 8]
451 \f
452 RFC 6112 Kerberos Anonymity Support April 2011
455 o If the authorization data element is unknown, the TGS MAY remove
456 it, or transfer it into the returned anonymous ticket, or reject
457 the authentication attempt, based on local policy for that
458 authorization data type unless otherwise specified. If there is
459 no policy defined for a given unknown authorization data type, the
460 authentication MUST be rejected. The error code is KDC_ERR_POLICY
461 when the authentication is rejected.
463 The AD-INITIAL-VERIFIED-CAS authorization data, as defined in
464 [RFC4556], contains the issuer name of the client certificate. If it
465 is undesirable to disclose such information about the client's
466 identity, the AD-INITIAL-VERIFIED-CAS authorization data SHOULD be
467 removed from an anonymous ticket.
469 The TGS encodes the name of the previous realm into the transited
470 field, according to Section 3.3.3.2 of [RFC4120]. Based on local
471 policy, the TGS MAY omit the previous realm, if the cross realm TGT
472 is an anonymous one, in order to hide the authentication path of the
473 client. The unordered set of realms in the transited field, if
474 present, can reveal which realm may potentially be the realm of the
475 client or the realm that issued the anonymous TGT. The anonymous
476 Kerberos realm name MUST NOT be present in the transited field of a
477 ticket. The true name of the realm that issued the anonymous ticket
478 MAY be present in the transited field of a ticket.
480 4.3. Subsequent Exchanges and Protocol Actions Common to AS and TGS for
481 Anonymity Support
483 In both AS and TGS exchanges, the realm field in the KDC request is
484 always the realm of the target KDC, not the anonymous realm when the
485 client requests an anonymous ticket.
487 Absent other information, the KDC MUST NOT include any identifier in
488 the returned anonymous ticket that could reveal the client's identity
489 to the server.
491 Unless anonymous PKINIT is used, if a client requires anonymous
492 communication, then the client MUST check to make sure that the
493 ticket in the reply is actually anonymous by checking the presence of
494 the anonymous ticket flag in the flags field of the EncKDCRepPart.
495 This is because KDCs ignore unknown KDC options. A KDC that does not
496 understand the anonymous KDC option will not return an error, but
497 will instead return a normal ticket.
499 The subsequent client and server communications then proceed as
500 described in [RFC4120].
506 Zhu, et al. Standards Track [Page 9]
507 \f
508 RFC 6112 Kerberos Anonymity Support April 2011
511 Note that the anonymous principal name and realm are only applicable
512 to the client in Kerberos messages, the server cannot be anonymous in
513 any Kerberos message per this specification.
515 A server accepting an anonymous service ticket may assume that
516 subsequent requests using the same ticket originate from the same
517 client. Requests with different tickets are likely to originate from
518 different clients.
520 Upon receipt of an anonymous ticket, the transited policy check is
521 performed in the same way as that of a normal ticket if the client's
522 realm is not the anonymous realm; if the client realm is the
523 anonymous realm, absent other information any realm in the
524 authentication path is allowed by the cross-realm policy check.
526 5. Interoperability Requirements
528 Conforming implementations MUST support the anonymous principal with
529 a non-anonymous realm, and they MAY support the anonymous principal
530 with the anonymous realm using anonymous PKINIT.
532 6. GSS-API Implementation Notes
534 GSS-API defines the name_type GSS_C_NT_ANONYMOUS [RFC2743] to
535 represent the anonymous identity. In addition, Section 2.1.1 of
536 [RFC1964] defines the single string representation of a Kerberos
537 principal name with the name_type GSS_KRB5_NT_PRINCIPAL_NAME. The
538 anonymous principal with the anonymous realm corresponds to the GSS-
539 API anonymous principal. A principal with the anonymous principal
540 name and a non-anonymous realm is an authenticated principal; hence,
541 such a principal does not correspond to the anonymous principal in
542 GSS-API with the GSS_C_NT_ANONYMOUS name type. The [RFC1964] name
543 syntax for GSS_KRB5_NT_PRINCIPAL_NAME MUST be used for importing the
544 anonymous principal name with a non-anonymous realm name and for
545 displaying and exporting these names. In addition, this syntax must
546 be used along with the name type GSS_C_NT_ANONYMOUS for displaying
547 and exporting the anonymous principal with the anonymous realm.
549 At the GSS-API [RFC2743] level, an initiator/client requests the use
550 of an anonymous principal with the anonymous realm by asserting the
551 "anonymous" flag when calling GSS_Init_Sec_Context(). The GSS-API
552 implementation MAY provide implementation-specific means for
553 requesting the use of an anonymous principal with a non-anonymous
554 realm.
556 GSS-API does not know or define "anonymous credentials", so the
557 (printable) name of the anonymous principal will rarely be used by or
558 relevant for the initiator/client. The printable name is relevant
562 Zhu, et al. Standards Track [Page 10]
563 \f
564 RFC 6112 Kerberos Anonymity Support April 2011
567 for the acceptor/server when performing an authorization decision
568 based on the initiator name that is returned from the acceptor side
569 upon the successful security context establishment.
571 A GSS-API initiator MUST carefully check the resulting context
572 attributes from the initial call to GSS_Init_Sec_Context() when
573 requesting anonymity, because (as in the GSS-API tradition and for
574 backwards compatibility) anonymity is just another optional context
575 attribute. It could be that the mechanism doesn't recognize the
576 attribute at all or that anonymity is not available for some other
577 reasons -- and in that case the initiator MUST NOT send the initial
578 security context token to the acceptor, because it will likely reveal
579 the initiators identity to the acceptor, something that can rarely be
580 "un-done".
582 Portable initiators are RECOMMENDED to use default credentials
583 whenever possible, and request anonymity only through the input
584 anon_req_flag [RFC2743] to GSS_Init_Sec_Context().
586 7. PKINIT Client Contribution to the Ticket Session Key
588 The definition in this section was motivated by protocol analysis of
589 anonymous PKINIT (defined in this document) in building tunneling
590 channels [RFC6113] and subsequent channel bindings. In order to
591 enable applications of anonymous PKINIT to form channels, all
592 implementations of anonymous PKINIT need to meet the requirements of
593 this section. There is otherwise no connection to the rest of this
594 document.
596 PKINIT is useful for constructing tunneling channels. To ensure that
597 an attacker cannot create a channel with a given name, it is
598 desirable that neither the KDC nor the client unilaterally determine
599 the ticket session key. To achieve that end, a KDC conforming to
600 this definition MUST encrypt a randomly generated key, called the KDC
601 contribution key, in the PA_PKINIT_KX padata (defined next in this
602 section). The KDC contribution key is then combined with the reply
603 key to form the ticket session key of the returned ticket. These two
604 keys are then combined using the KRB-FX-CF2 operation defined in
605 Section 7.1, where K1 is the KDC contribution key, K2 is the reply
606 key, the input pepper1 is American Standard Code for Information
607 Interchange (ASCII) [ASAX34] string "PKINIT", and the input pepper2
608 is ASCII string "KeyExchange".
618 Zhu, et al. Standards Track [Page 11]
619 \f
620 RFC 6112 Kerberos Anonymity Support April 2011
623 PA_PKINIT_KX 147
624 -- padata for PKINIT that contains an encrypted
625 -- KDC contribution key.
627 PA-PKINIT-KX ::= EncryptedData -- EncryptionKey
628 -- Contains an encrypted key randomly
629 -- generated by the KDC (known as the KDC contribution key).
630 -- Both EncryptedData and EncryptionKey are defined in [RFC4120]
632 The PA_PKINIT_KX padata MUST be included in the KDC reply when
633 anonymous PKINIT is used; it SHOULD be included if PKINIT is used
634 with the Diffie-Hellman key exchange but the client is not anonymous;
635 it MUST NOT be included otherwise (e.g., when PKINIT is used with the
636 public key encryption as the key exchange).
638 The padata-value field of the PA-PKINIT-KX type padata contains the
639 DER [X.680] [X.690] encoding of the Abstract Syntax Notation One
640 (ASN.1) type PA-PKINIT-KX. The PA-PKINIT-KX structure is an
641 EncryptedData. The cleartext data being encrypted is the DER-encoded
642 KDC contribution key randomly generated by the KDC. The encryption
643 key is the reply key and the key usage number is
644 KEY_USAGE_PA_PKINIT_KX (44).
646 The client then decrypts the KDC contribution key and verifies the
647 ticket session key in the returned ticket is the combined key of the
648 KDC contribution key and the reply key as described above. A
649 conforming client MUST reject anonymous PKINIT authentication if the
650 PA_PKINIT_KX padata is not present in the KDC reply or if the ticket
651 session key of the returned ticket is not the combined key of the KDC
652 contribution key and the reply key when PA-PKINIT-KX is present in
653 the KDC reply.
655 7.1. Combining Two Protocol Keys
657 KRB-FX-CF2() combines two protocol keys based on the pseudo-random()
658 function defined in [RFC3961].
660 Given two input keys, K1 and K2, where K1 and K2 can be of two
661 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as
662 follows:
664 KRB-FX-CF2(protocol key, protocol key, octet string,
665 octet string) -> (protocol key)
667 PRF+(K1, pepper1) -> octet-string-1
668 PRF+(K2, pepper2) -> octet-string-2
669 KRB-FX-CF2(K1, K2, pepper1, pepper2) ->
670 random-to-key(octet-string-1 ^ octet-string-2)
674 Zhu, et al. Standards Track [Page 12]
675 \f
676 RFC 6112 Kerberos Anonymity Support April 2011
679 Where ^ denotes the exclusive-OR operation. PRF+() is defined as
680 follows:
682 PRF+(protocol key, octet string) -> (octet string)
684 PRF+(key, shared-info) -> pseudo-random( key, 1 || shared-info ) ||
685 pseudo-random( key, 2 || shared-info ) ||
686 pseudo-random( key, 3 || shared-info ) || ...
688 Here the counter value 1, 2, 3, and so on are encoded as a one-octet
689 integer. The pseudo-random() operation is specified by the enctype
690 of the protocol key. PRF+() uses the counter to generate enough bits
691 as needed by the random-to-key() [RFC3961] function for the
692 encryption type specified for the resulting key; unneeded bits are
693 removed from the tail.
695 8. Security Considerations
697 Since KDCs ignore unknown options, a client requiring anonymous
698 communication needs to make sure that the returned ticket is actually
699 anonymous. This is because a KDC that does not understand the
700 anonymous option would not return an anonymous ticket.
702 By using the mechanism defined in this specification, the client does
703 not reveal the client's identity to the server but the client
704 identity may be revealed to the KDC of the server principal (when the
705 server principal is in a different realm than that of the client),
706 and any KDC on the cross-realm authentication path. The Kerberos
707 client MUST verify the ticket being used is indeed anonymous before
708 communicating with the server, otherwise, the client's identity may
709 be revealed unintentionally.
711 In cases where specific server principals must not have access to the
712 client's identity (for example, an anonymous poll service), the KDC
713 can define server-principal-specific policy that ensures any normal
714 service ticket can NEVER be issued to any of these server principals.
716 If the KDC that issued an anonymous ticket were to maintain records
717 of the association of identities to an anonymous ticket, then someone
718 obtaining such records could breach the anonymity. Additionally, the
719 implementations of most (for now all) KDC's respond to requests at
720 the time that they are received. Traffic analysis on the connection
721 to the KDC will allow an attacker to match client identities to
722 anonymous tickets issued. Because there are plaintext parts of the
723 tickets that are exposed on the wire, such matching by a third-party
724 observer is relatively straightforward. A service that is
725 authenticated by the anonymous principals may be able to infer the
730 Zhu, et al. Standards Track [Page 13]
731 \f
732 RFC 6112 Kerberos Anonymity Support April 2011
735 identity of the client by examining and linking quasi-static protocol
736 information such as the IP address from which a request is received,
737 or by linking multiple uses of the same anonymous ticket.
739 Two mechanisms, the FAST facility with the hide-client-names option
740 in [RFC6113] and the Kerberos5 starttls option [STARTTLS], protect
741 the client identity so that an attacker would never be able to
742 observe the client identity sent to the KDC. Transport or network
743 layer security between the client and the server will help prevent
744 tracking of a particular ticket to link a ticket to a user. In
745 addition, clients can limit how often a ticket is reused to minimize
746 ticket linking.
748 The client's real identity is not revealed when the client is
749 authenticated as the anonymous principal. Application servers MAY
750 reject the authentication in order to, for example, prevent
751 information disclosure or as part of Denial of Service (DoS)
752 prevention. Application servers MUST avoid accepting anonymous
753 credentials in situations where they must record the client's
754 identity; for example, when there must be an audit trail.
756 9. Acknowledgements
758 JK Jaganathan helped editing early revisions of this document.
760 Clifford Neuman contributed the core notions of this document.
762 Ken Raeburn reviewed the document and provided suggestions for
763 improvements.
765 Martin Rex wrote the text for GSS-API considerations.
767 Nicolas Williams reviewed the GSS-API considerations section and
768 suggested ideas for improvements.
770 Sam Hartman and Nicolas Williams were great champions of this work.
772 Miguel Garcia and Phillip Hallam-Baker reviewed the document and
773 provided helpful suggestions.
775 In addition, the following individuals made significant
776 contributions: Jeffrey Altman, Tom Yu, Chaskiel M Grundman, Love
777 Hornquist Astrand, Jeffrey Hutzelman, and Olga Kornievskaia.
786 Zhu, et al. Standards Track [Page 14]
787 \f
788 RFC 6112 Kerberos Anonymity Support April 2011
791 10. IANA Considerations
793 This document defines a new 'anonymous' Kerberos well-known name and
794 a new 'anonymous' Kerberos well-known realm based on [RFC6111]. IANA
795 has added these two values to the Kerberos naming registries that are
796 created in [RFC6111].
798 11. References
800 11.1. Normative References
802 [ASAX34] American Standards Institute, "American Standard Code for
803 Information Interchange", ASA X3.4-1963, June 1963.
805 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
806 RFC 1964, June 1996.
808 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
809 Requirement Levels", BCP 14, RFC 2119, March 1997.
811 [RFC2743] Linn, J., "Generic Security Service Application Program
812 Interface Version 2, Update 1", RFC 2743, January 2000.
814 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
815 Kerberos 5", RFC 3961, February 2005.
817 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
818 Kerberos Network Authentication Service (V5)", RFC 4120,
819 July 2005.
821 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
822 Authentication in Kerberos (PKINIT)", RFC 4556,
823 June 2006.
825 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)",
826 STD 70, RFC 5652, September 2009.
828 [RFC6111] Zhu, L., "Additional Kerberos Naming Constraints",
829 RFC 6111, April 2011.
831 [X.680] "Abstract Syntax Notation One (ASN.1): Specification of
832 Basic Notation", ITU-T Recommendation X.680: ISO/IEC
833 International Standard 8824-1:1998, 1997.
835 [X.690] "ASN.1 encoding rules: Specification of Basic Encoding
836 Rules (BER), Canonical Encoding Rules (CER) and
837 Distinguished Encoding Rules (DER)", ITU-T Recommendation
838 X.690 ISO/IEC International Standard 8825-1:1998, 1997.
842 Zhu, et al. Standards Track [Page 15]
843 \f
844 RFC 6112 Kerberos Anonymity Support April 2011
847 11.2. Informative References
849 [RFC6113] Hartman, S. and L. Zhu, "A Generalized Framework for
850 Kerberos Pre-Authentication", RFC 6113, April 2011.
852 [STARTTLS] Josefsson, S., "Using Kerberos V5 over the Transport
853 Layer Security (TLS) protocol", Work in Progress,
854 August 2010.
856 Authors' Addresses
858 Larry Zhu
859 Microsoft Corporation
860 One Microsoft Way
861 Redmond, WA 98052
862 US
864 EMail: larry.zhu@microsoft.com
867 Paul Leach
868 Microsoft Corporation
869 One Microsoft Way
870 Redmond, WA 98052
871 US
873 EMail: paulle@microsoft.com
876 Sam Hartman
877 Painless Security
879 EMail: hartmans-ietf@mit.edu
898 Zhu, et al. Standards Track [Page 16]
899 \f