6 Expires: April 19, 2006 October 16, 2005
9 Clarifications and Extensions to the GSS-API for the Use of Channel
11 draft-ietf-kitten-gssapi-channel-bindings-01.txt
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on April 19, 2006.
40 Copyright (C) The Internet Society (2005).
44 This document clarifies and generalizes the GSS-API "channel
45 bindings" facility. This document also specifies the format of the
46 various types of channel bindings.
55 Williams Expires April 19, 2006 [Page 1]
57 Internet-Draft GSS-API Channel Bindings October 2005
62 1. Conventions used in this document . . . . . . . . . . . . . . 3
63 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
64 3. Generic Structure for GSS-API Channel Bindings . . . . . . . . 5
65 3.1. Proper Mechanism Use of Channel Bindings . . . . . . . . . 5
66 4. Channel Bindings for SSHv2 . . . . . . . . . . . . . . . . . . 6
67 4.1. GSS_Make_sshv2_channel_bindings() . . . . . . . . . . . . 6
68 4.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 7
69 5. Channel Bindings for TLS . . . . . . . . . . . . . . . . . . . 8
70 5.1. GSS_Make_tls_channel_bindings() . . . . . . . . . . . . . 8
71 5.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 9
72 6. Channel Bindings for IPsec . . . . . . . . . . . . . . . . . . 10
73 6.1. GSS_Make_ipsec_channel_bindings() . . . . . . . . . . . . 10
74 6.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 11
75 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
76 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
77 8.1. Normative . . . . . . . . . . . . . . . . . . . . . . . . 13
78 8.2. Informative . . . . . . . . . . . . . . . . . . . . . . . 13
79 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 14
80 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
81 Intellectual Property and Copyright Statements . . . . . . . . . . 16
111 Williams Expires April 19, 2006 [Page 2]
113 Internet-Draft GSS-API Channel Bindings October 2005
116 1. Conventions used in this document
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
167 Williams Expires April 19, 2006 [Page 3]
169 Internet-Draft GSS-API Channel Bindings October 2005
174 The concept of "channel bindings" and the abstract construction of
175 channel bindings for several types of channels are described in
178 To actually use channel bindings in GSS-API aplications additional
179 details are required that are given below.
181 First the structure given to channel bindings data in [RFC2744] is
182 generalized to all of the GSS-API, not just its C-Bindings.
184 Then the actual construction of channel bindings to SSHv2, TLS and
185 IPsec channels is given.
223 Williams Expires April 19, 2006 [Page 4]
225 Internet-Draft GSS-API Channel Bindings October 2005
228 3. Generic Structure for GSS-API Channel Bindings
230 The base GSS-API v2, update 1 specification [RFC2743]describes
231 channel bindings as an OCTET STRING and leaves it to the GSS-API v2,
232 update 1 C-Bindings specification to specify the structure of the
233 contents of the channel bindings OCTET STRINGs. The C-Bindings
234 specification [RFC2744]then defines, in terms of C, what should be
235 generic structure for channel bindings. The Kerberos V GSS mechanism
236 [RFC1964]then defines a method for encoding GSS channel bindings in a
237 way that is independent of the C-Bindings!
239 In other words, the structure of GSS channel bindings given in
240 [RFC2744] is actually generic, rather than specific to the C
241 programming language.
243 Here, then, is a generic re-statement of this structure, in pseudo-
246 GSS-CHANNEL-BINDINGS := SEQUENCE {
247 initiator-address-type INTEGER,
248 initiator-address OCTET STRING,
249 acceptor-address-type INTEGER,
250 acceptor-address OCTET STRING,
251 application-data OCTET STRING,
254 The values for the address fields are described in [RFC2744].
256 Language-specific bindings of the GSS-API should specify a language-
257 specific formulation of this structure.
259 3.1. Proper Mechanism Use of Channel Bindings
261 As described in [CHANNEL-BINDINGS], GSS mechanisms should exchange
262 integrity protected proofs of channel bindings, where the proof is
263 obtained by running a strong hash of the channel bindings data
264 (encoded as per some mechanism-specific, such as in [RFC1964]) and a
265 binary value to represent the initiator->acceptor, and opposite,
268 The encoding of channel bindings used in [RFC1964], with the addition
269 of a binary value as described above, and the substitution of SHA-1
270 for MD5 is a reasonable, generic encoding of GSS-CHANNEL-BINDINGS
271 that any future GSS mechanisms can use.
279 Williams Expires April 19, 2006 [Page 5]
281 Internet-Draft GSS-API Channel Bindings October 2005
284 4. Channel Bindings for SSHv2
286 The SSHv2 channel bindings are constructed as an octet string for the
287 'application-data' field of the channel bindings by concatenating the
288 following values and in this order:
290 1. The ASCII string "GSS SSHv2 CB:"
292 2. The SSHv2 session ID
294 3. Any additional application-provided data, encoded as the DER
295 encoding of an ASN.1 OCTET STRING
297 4.1. GSS_Make_sshv2_channel_bindings()
302 o session_id OCTET STRING,
304 o additional_app_data OCTET STRING
309 o major_status INTEGER,
311 o minor_status INTEGER,
313 o channel_bindings_app_data OCTET STRING
315 Return major_status codes:
317 o GSS_S_COMPLETE indicates no error.
319 o GSS_S_FAILURE indicates failure to construct the channel bindings
320 as a result, perhaps, of a memory management, or similar failure.
322 This function constructs an OCTET STRING for use as the value of the
323 application-data field of the GSS-CHANNEL-BINDINGS structure
335 Williams Expires April 19, 2006 [Page 6]
337 Internet-Draft GSS-API Channel Bindings October 2005
342 OM_uint32 gss_make_sshv2_channel_bindings(
343 OM_uint32 *minor_status,
344 const gss_buffer_t session_id,
345 const gss_buffer_t additional_app_data,
346 gss_buffer_t channel_bindings_app_data
391 Williams Expires April 19, 2006 [Page 7]
393 Internet-Draft GSS-API Channel Bindings October 2005
396 5. Channel Bindings for TLS
398 The TLS channel bindings are constructed as an octet string for the
399 'application-data' field of the channel bindings by concatenating the
400 following values and in this order:
402 1. The ASCII string "GSS TLSv1.0 CB:"
404 2. The TLS finished message sent by the client
406 3. The TLS finished message sent by the server
408 4. Any additional application-provided data, encoded as the DER
409 encoding of an ASN.1 OCTET STRING
411 5.1. GSS_Make_tls_channel_bindings()
416 o client_finished_msg OCTET STRING,
418 o server_finished_msg OCTET STRING,
420 o additional_app_data OCTET STRING
425 o major_status INTEGER,
427 o minor_status INTEGER,
429 o channel_bindings_app_data OCTET STRING
431 Return major_status codes:
433 o GSS_S_COMPLETE indicates no error.
435 o GSS_S_FAILURE indicates failure to construct the channel bindings
436 as a result, perhaps, of a memory management, or similar failure.
438 This function constructs an OCTET STRING for use as the value of the
439 application-data field of the GSS-CHANNEL-BINDINGS structure
447 Williams Expires April 19, 2006 [Page 8]
449 Internet-Draft GSS-API Channel Bindings October 2005
454 OM_uint32 gss_make_tls_channel_bindings(
455 OM_uint32 *minor_status,
456 const gss_buffer_t client_finished_msg,
457 const gss_buffer_t server_finished_msg,
458 const gss_buffer_t additional_app_data,
459 gss_buffer_t channel_bindings_app_data
503 Williams Expires April 19, 2006 [Page 9]
505 Internet-Draft GSS-API Channel Bindings October 2005
508 6. Channel Bindings for IPsec
510 The IPsec channel bindings are constructed as an octet string for the
511 'application-data' field of the channel bindings by concatenating the
512 following values and in this order:
515 1. The ASCII string "GSS IPsec CB:"
517 2. The transform ID for encryption, as a 16-bit big-endian word
519 3. The transform ID for integrity protection, as 16-bit in big-
522 4. NOTE: The following needs to be updated to take into account
525 5. The initiator ID payload as used in the key exchange protocol
526 used for setting up the channel's SAs
528 6. The responder ID payload as used in the key exchange protocol
529 used for setting up the channel's SAs
531 7. Any additional application-provided data, encoded as the DER
532 encoding of an ASN.1 OCTET STRING
534 Note that traffic selectors are not included. Inclusion of
535 confidentiality/integrity algorithms protects against MITMs that can
536 compromise weaker algorithms that policy might permit, for the same
537 peers, for other traffic.
539 6.1. GSS_Make_ipsec_channel_bindings()
548 o initiator_id OCTET_STRING,
550 o acceptor_id OCTET_STRING,
552 o additional_app_data OCTET STRING
559 Williams Expires April 19, 2006 [Page 10]
561 Internet-Draft GSS-API Channel Bindings October 2005
564 o major_status INTEGER,
566 o minor_status INTEGER,
568 o channel_bindings_app_data OCTET STRING
570 Return major_status codes:
572 o GSS_S_COMPLETE indicates no error.
574 o GSS_S_FAILURE indicates failure to construct the channel bindings
575 as a result, perhaps, of a memory management, or similar failure.
577 This function constructs an OCTET STRING for use as the value of the
578 application-data field of the GSS-CHANNEL-BINDINGS structure
583 OM_uint32 gss_make_ipsec_channel_bindings(
584 OM_uint32 *minor_status,
587 const gss_buffer_t initiator_id,
588 const gss_buffer_t acceptor_id,
589 const gss_buffer_t additional_app_data,
590 gss_buffer_t channel_bindings_app_data
615 Williams Expires April 19, 2006 [Page 11]
617 Internet-Draft GSS-API Channel Bindings October 2005
620 7. Security Considerations
622 For general security considerations relating to channel bindings see
671 Williams Expires April 19, 2006 [Page 12]
673 Internet-Draft GSS-API Channel Bindings October 2005
680 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
683 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
684 Requirement Levels", BCP 14, RFC 2119, March 1997.
686 [RFC2743] Linn, J., "Generic Security Service Application Program
687 Interface Version 2, Update 1", RFC 2743, January 2000.
689 [RFC2744] Wray, J., "Generic Security Service API Version 2 :
690 C-bindings", RFC 2744, January 2000.
694 [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol
695 Specification", STD 8, RFC 854, May 1983.
697 [RFC1035] Mockapetris, P., "Domain names - implementation and
698 specification", STD 13, RFC 1035, November 1987.
700 [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
701 (SPKM)", RFC 2025, October 1996.
703 [RFC2203] Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol
704 Specification", RFC 2203, September 1997.
706 [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
707 Negotiation Mechanism", RFC 2478, December 1998.
709 [RFC2623] Eisler, M., "NFS Version 2 and Version 3 Security Issues
710 and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5",
713 [RFC3530] Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
714 Beame, C., Eisler, M., and D. Noveck, "Network File System
715 (NFS) version 4 Protocol", RFC 3530, April 2003.
727 Williams Expires April 19, 2006 [Page 13]
729 Internet-Draft GSS-API Channel Bindings October 2005
732 Appendix A. Acknowledgments
734 The author would like to thank Mike Eisler for his work on the
735 Channel Conjunction Mechanism I-D and for bringing the problem to a
736 head, Sam Hartman for pointing out that channel bindings provide a
737 general solution to the channel binding problem, Jeff Altman for his
738 suggestion of using the TLS finished messages as the TLS channel
739 bindings, Bill Sommerfeld, for his help in developing channel
740 bindings for IPsec, and Radia Perlman for her most helpful comments.
783 Williams Expires April 19, 2006 [Page 14]
785 Internet-Draft GSS-API Channel Bindings October 2005
796 Email: Nicolas.Williams@sun.com
839 Williams Expires April 19, 2006 [Page 15]
841 Internet-Draft GSS-API Channel Bindings October 2005
844 Intellectual Property Statement
846 The IETF takes no position regarding the validity or scope of any
847 Intellectual Property Rights or other rights that might be claimed to
848 pertain to the implementation or use of the technology described in
849 this document or the extent to which any license under such rights
850 might or might not be available; nor does it represent that it has
851 made any independent effort to identify any such rights. Information
852 on the procedures with respect to rights in RFC documents can be
853 found in BCP 78 and BCP 79.
855 Copies of IPR disclosures made to the IETF Secretariat and any
856 assurances of licenses to be made available, or the result of an
857 attempt made to obtain a general license or permission for the use of
858 such proprietary rights by implementers or users of this
859 specification can be obtained from the IETF on-line IPR repository at
860 http://www.ietf.org/ipr.
862 The IETF invites any interested party to bring to its attention any
863 copyrights, patents or patent applications, or other proprietary
864 rights that may cover technology that may be required to implement
865 this standard. Please address the information to the IETF at
869 Disclaimer of Validity
871 This document and the information contained herein are provided on an
872 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
873 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
874 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
875 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
876 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
877 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
882 Copyright (C) The Internet Society (2005). This document is subject
883 to the rights, licenses and restrictions contained in BCP 78, and
884 except as set forth therein, the authors retain all their rights.
889 Funding for the RFC Editor function is currently provided by the
895 Williams Expires April 19, 2006 [Page 16]