| blob | 35d2f070961d5f9b464f38518dd2bff8e84de846 |
3 NETWORK WORKING GROUP L. Zhu
4 Internet-Draft P. Leach
5 Expires: June 4, 2005 K. Jaganathan
6 Microsoft Corporation
7 December 2004
10 Kerberos Cryptosystem Negotiation Extension
11 draft-zhu-kerb-enctype-nego-00
13 Status of this Memo
15 This document is an Internet-Draft and is subject to all provisions
16 of Section 3 of RFC 3667. By submitting this Internet-Draft, each
17 author represents that any applicable patent or other IPR claims of
18 which he or she is aware have been or will be disclosed, and any of
19 which he or she become aware will be disclosed, in accordance with
20 RFC 3668.
22 Internet-Drafts are working documents of the Internet Engineering
23 Task Force (IETF), its areas, and its working groups. Note that
24 other groups may also distribute working documents as
25 Internet-Drafts.
27 Internet-Drafts are draft documents valid for a maximum of six months
28 and may be updated, replaced, or obsoleted by other documents at any
29 time. It is inappropriate to use Internet-Drafts as reference
30 material or to cite them other than as "work in progress."
32 The list of current Internet-Drafts can be accessed at
33 http://www.ietf.org/ietf/1id-abstracts.txt.
35 The list of Internet-Draft Shadow Directories can be accessed at
36 http://www.ietf.org/shadow.html.
38 This Internet-Draft will expire on June 4, 2005.
40 Copyright Notice
42 Copyright (C) The Internet Society (2004).
44 Abstract
46 This document specifies an extension by Kerberos to negotiate new
47 encryption types between the client-server peers.
54 Zhu, et al. Expires June 4, 2005 [Page 1]
55 \f
56 Internet-Draft Enctype Negotiation December 2004
59 Table of Contents
61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
62 2. Conventions Used in This Document . . . . . . . . . . . . . 4
63 3. Negotiation Protocol . . . . . . . . . . . . . . . . . . . . 5
64 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
65 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
66 6. Normative References . . . . . . . . . . . . . . . . . . . . 7
67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 7
68 A. Leveraging this Enctype Negotiation in Windows SPNEGO
69 Implementations . . . . . . . . . . . . . . . . . . . . . . 9
70 Intellectual Property and Copyright Statements . . . . . . . 10
110 Zhu, et al. Expires June 4, 2005 [Page 2]
111 \f
112 Internet-Draft Enctype Negotiation December 2004
115 1. Introduction
117 Under the current mechanism [CLAR], the KDC must limit the ticket
118 session key enctype chosen for a given service to one it believes is
119 supported by both the client and the server. If both the client and
120 server understand a stronger enctype than is selected by the KDC,
121 they can not negotiate it. As the result, the protection of
122 application traffic is often weaker than necessary when different
123 application software that support different set of enctypes can be
124 used by the same server principal.
126 This document specifies an extension to Kerberos to allow clients and
127 servers to negotiate a different and possible stronger cryptosystem
128 to be used in subsequent communication.
130 This extension utilizes an authorization data element in the
131 authenticator of the KRB_AP_REQ message [CLAR]. The client sends the
132 list of enctypes that it supports to the server, the server then
133 informs the client its choice. The negotiated subkey is sent in the
134 KRB_AP_REP.
166 Zhu, et al. Expires June 4, 2005 [Page 3]
167 \f
168 Internet-Draft Enctype Negotiation December 2004
171 2. Conventions Used in This Document
173 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
174 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
175 document are to be interpreted as described in [RFC2119].
222 Zhu, et al. Expires June 4, 2005 [Page 4]
223 \f
224 Internet-Draft Enctype Negotiation December 2004
227 3. Negotiation Protocol
229 If the client prefers an enctype over that of the service ticket
230 session key, then it MUST send the list of enctypes it supports
231 (including the one selected by the KDC), in decreasing preference
232 order.
234 The client sends the enctype list via the authorization-data of the
235 authenticator in the KRB_AP_REQ [CLAR]. A new authorization data
236 element type AD-ETYPE-NEGOTIATION (129) is defined. This
237 authorization data element itself is enclosed in the AD-IF-RELEVANT
238 container, thus a correctly implemented server that does not
239 understand this element should ignore it [CLAR]. The value of this
240 authorization element contains the DER [X60] encoding of the
241 following ASN.1 type:
243 EtypeList ::= SEQUENCE OF Int32
244 -- the client's proposed enctype list in decreasing
245 -- preference order, favorite choice first
247 If the EtypeList is present and the server prefers an enctype from
248 the client's enctype list over that of the KRB_AP_REQ authenticator
249 subkey (if that is present) or the service ticket session key, the
250 server MUST create a subkey using that enctype. This negotiated
251 subkey is sent in the subkey field of KRB_AP_REP message and it MUST
252 be used for subsequent communication.
254 Note that to preserve the quality of randomness provided by the KDC,
255 implementations of this protocol SHOULD consider using the service
256 ticket session key value as a source of additional entropy when
257 generating the negotiated subkey. If the KRB_AP_REQ authenticator
258 subkey is present, it MAY also be used as a source of entropy.
260 The policy by which the client or the server chooses an enctype
261 (i.e., how the preference order for the supported enctypes is
262 selected) is an implementation-specific local matter.
278 Zhu, et al. Expires June 4, 2005 [Page 5]
279 \f
280 Internet-Draft Enctype Negotiation December 2004
283 4. Security Considerations
285 The client's enctype list and the server's reply enctype are part of
286 encrypted data, thus the security considerations are the same as
287 those of the Kerberos encrypted data.
289 In all cases, the communicating peers are exposed to the denial of
290 service threat.
334 Zhu, et al. Expires June 4, 2005 [Page 6]
335 \f
336 Internet-Draft Enctype Negotiation December 2004
339 5. IANA Considerations
341 No IANA actions are required for this document.
343 6. Normative References
345 [CLAR] Neuman, B., Yu, Y., Hartman, S. and K. Raeburn, "The
346 Kerberos Network Authentication Service (V5)", August
347 2004.
349 [GSS-CFX] Zhu, L., Jaganathan, K. and S. Hartman, "The Kerberos
350 Version 5 GSS-API Mechanism: Version 2", November 2004.
352 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
353 Requirement Levels", BCP 14, RFC 2119, March 1997.
355 [RFC2743] Linn, J., "Generic Security Service Application Program
356 Interface Version 2, Update 1", RFC 2743, January 2000.
358 [SPNEGOBIS]
359 Zhu, L., Leach, P., Jaganathan, K., Hartman, S. and W.
360 Ingersoll, "The Simple and Protected GSS-API Negotiation
361 Mechanism", November 2004.
364 Authors' Addresses
366 Larry Zhu
367 Microsoft Corporation
368 One Microsoft Way
369 Redmond, WA 98052
370 US
372 Email: lzhu@microsoft.com
375 Paul Leach
376 Microsoft Corporation
377 One Microsoft Way
378 Redmond, WA 98052
379 US
381 Email: paulle@microsoft.com
390 Zhu, et al. Expires June 4, 2005 [Page 7]
391 \f
392 Internet-Draft Enctype Negotiation December 2004
395 Karthik Jaganathan
396 Microsoft Corporation
397 One Microsoft Way
398 Redmond, WA 98052
399 US
401 Email: karthikj@microsoft.com
446 Zhu, et al. Expires June 4, 2005 [Page 8]
447 \f
448 Internet-Draft Enctype Negotiation December 2004
451 Appendix A. Leveraging this Enctype Negotiation in Windows SPNEGO
452 Implementations
454 The SPNEGO implementations in Windows 2000, Windows XP and Windows
455 2003 do not generate or verify the mechlistMIC field when it is
456 required [SPNEGOBIS].
458 When the SPNEGO implementations that are updated according to
459 [SPNEGOBIS], an SSPI initiator or acceptor needs to determine if the
460 peer is updated, so that it can generate the mechlistMIC token when
461 the peer can process it. With the bidirectional negotiation, the
462 updated SPNEGO implementation can achieve the following two goals:
464 o It can remain backward compatible with legacy implementations, if
465 local policy allows unsafe and unprotected negotiation with
466 downlevel implementations when the mechlistMIC token exchange
467 would otherwise be required by [SPNEGOBIS].
468 o The mechanism negotiation is protected according to [SPNEGOBIS]
469 when both peers are updated.
471 However, the updated SPNEGO implementation itself can not securely
472 inform the peer whether the local implementation is updated, thus it
473 has to obtain such information from the negotiated mechanism.
475 For Windows SPNEGO implementations, both the initiator and the
476 acceptor are assumed to have been updated if a "newer" [CLAR] or
477 different enctype is negotiated for use by the Kerberos GSS-API
478 mechanism.
502 Zhu, et al. Expires June 4, 2005 [Page 9]
503 \f
504 Internet-Draft Enctype Negotiation December 2004
507 Intellectual Property Statement
509 The IETF takes no position regarding the validity or scope of any
510 Intellectual Property Rights or other rights that might be claimed to
511 pertain to the implementation or use of the technology described in
512 this document or the extent to which any license under such rights
513 might or might not be available; nor does it represent that it has
514 made any independent effort to identify any such rights. Information
515 on the procedures with respect to rights in RFC documents can be
516 found in BCP 78 and BCP 79.
518 Copies of IPR disclosures made to the IETF Secretariat and any
519 assurances of licenses to be made available, or the result of an
520 attempt made to obtain a general license or permission for the use of
521 such proprietary rights by implementers or users of this
522 specification can be obtained from the IETF on-line IPR repository at
523 http://www.ietf.org/ipr.
525 The IETF invites any interested party to bring to its attention any
526 copyrights, patents or patent applications, or other proprietary
527 rights that may cover technology that may be required to implement
528 this standard. Please address the information to the IETF at
529 ietf-ipr@ietf.org.
532 Disclaimer of Validity
534 This document and the information contained herein are provided on an
535 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
536 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
537 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
538 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
539 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
540 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
543 Copyright Statement
545 Copyright (C) The Internet Society (2004). This document is subject
546 to the rights, licenses and restrictions contained in BCP 78, and
547 except as set forth therein, the authors retain all their rights.
550 Acknowledgment
552 Funding for the RFC Editor function is currently provided by the
553 Internet Society.
558 Zhu, et al. Expires June 4, 2005 [Page 10]
559 \f