3 Kerberos Working Group M. Swift
4 Internet Draft University of WA
5 Document: draft-swift-win2k-krb-user2user-03.txt J. Brezak
6 Category: Informational Microsoft
12 User to User Kerberos Authentication using GSS-API
17 This document is an Internet-Draft and is in full conformance with
18 all provisions of Section 10 of RFC2026 [1].
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts. Internet-Drafts are draft documents valid for a maximum of
24 six months and may be updated, replaced, or obsoleted by other
25 documents at any time. It is inappropriate to use Internet-Drafts as
26 reference material or to cite them other than as "work in progress."
28 The list of current Internet-Drafts can be accessed at
29 http://www.ietf.org/ietf/1id-abstracts.txt
30 The list of Internet-Draft Shadow Directories can be accessed at
31 http://www.ietf.org/shadow.html.
35 This draft documents a simple extension to the Kerberos GSS-API
36 mechanism to support user to user authentication both in the case
37 where the client application explicitly requests user to user
38 authentication and when it does not know whether the server supports
39 user to user authentication.
41 2. Conventions used in this document
43 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
44 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
45 this document are to be interpreted as described in RFC-2119 [2].
50 The Kerberos user to user authentication mechanism allows for a
51 client application to connect to a service that is not in possession
52 of a long term secret key. Instead, the session ticket from the
53 KERB-AP-REQ is encrypted using the session key from the service's
54 ticket granting ticket. According to RFC 1510 [3]:
58 Swift Category - Informational 1
67 User to User Kerberos Authentication October 1999
70 If the ENC-TKT-IN-SKEY option has been specified and an
71 additional ticket has been included in the request, the KDC
72 will decrypt the additional ticket using the key for the server
73 to which the additional ticket was issued and verify that it is
74 a ticket-granting ticket. If the request succeeds, the session
75 key from the additional ticket will be used to encrypt the new
76 ticket that is issued instead of using the key of the server
77 for which the new ticket will be used (This allows easy
78 implementation of user-to-user authentication, which uses
79 ticket-granting ticket session keys in lieu of secret server
80 keys in situations where such secret keys could be easily
83 RFC2078 [5], in section 5.2, discusses a "Double-TGT K-5" mechanism
84 and scenario, but not in the detail required in order to implement
85 the mechanism. The RFC for the Kerberos V5 GSS-API mechanism at the
86 time this draft was prepared, RFC 1964 [4] does not support user-to-
89 This draft provides details as to mechanism type, token identifiers,
90 messages and message types sufficient to document an implementation
91 of user-to-user authentication in Kerberos GSS-API. It follows the
92 scenario described in RFC2078.
94 The approach documented in this draft has been used to support user-
95 to-user authentication in the Microsoft Windows 2000 SSPI with the
96 Kerberos V5 protocol, and in a patched Kerberos V5 implementation
97 being used to support a computing grid at Sandia, Lawrence
98 Livermore, and Los Alamos National Laboratories.
100 4. User to User as a New Mechanism
102 A new mechanism OID may be used to establish a user-to-user session:
104 {iso(1) member-body(2) United States(840) mit(113554)
105 infosys(1) gssapi(2) krb5(2) usertouser(3)}
107 In the case that the client application knows that the server
108 requires user-to-user authentication, then the initial call to
109 GSS_Init_Sec_Context will request this mechanism. This new mechanism
110 is used with a token exchange that extends the conventional Kerberos
111 GSS-API protocol by adding an additional round trip to request the
112 TGT from the service. As with all Kerberos GSS-API messages, the
113 following tokens are encapsulated in the GSS-API framing. The first
114 token of the exchange will have an innerContextToken with a 2-octet
115 TOK_ID field containing 04 00 (KERB-TGT-REQUEST) followed by a
116 Kerberos V5 message as follows:
118 KERB-TGT-REQUEST ::= SEQUENCE {
121 server-name[2] PrincipalName OPTIONAL,
122 realm[3] Realm OPTIONAL
124 Swift Category - Informational 2
133 User to User Kerberos Authentication October 1999
138 The TGT request consists of four fields:
140 pvno and msg-type are as defined in RFC1510 section 5.4.1. msg-
141 type is KRB_TGT_REQ (16).
143 server-name : this field optionally contains the name of the
144 server. If the client application doesn't know the
145 server name this can be left blank and the server
146 application will pick the appropriate server
147 credentials which may be the default credential.
149 realm : this field optionally contains the realm of the server.
150 If the client application doesn't know the server realm
151 this field can be left blank and the server application
152 will pick the appropriate server credentials which may
153 be the server's default realm.
155 The server name and realm are included to allow a server application
156 to act for multiple principles in different realms and to choose
157 which credentials to use.
159 The response to the KERB-TGT-REQUEST message will be a
160 KERB_TGT_REPLY token which will have an innerContextToken with a 2-
161 octet TOK_ID field containing 04 01 (KERB-TGT-REPLY) followed by a
162 Kerberos V5 message as follows:
164 KERB-TGT-REPLY ::= SEQUENCE {
170 The TGT reply contains the following fields:
172 pvno and msg-type are as defined in RFC1510 section 5.4.1. msg-
173 type is KRB_TGT_REP (17)
175 ticket : contains the TGT for the service specified by the
176 server name and realm passed by the client or the
179 If the service does not possess a ticket granting ticket, it should
180 return the error KRB_AP_ERR_NO_TGT (0x43).
182 If the server name and realm in the KERB-TGT-REQUEST message do not
183 match the name of the service, then the service should return the
184 error KRB_AP_ERR_NOT_US.
186 Following the exchange of the TGT request messages, the initiator
187 requests a ticket to the service from the KDC using a KERB-TGS-REQ
188 with the KDCoption ENC-TKT-IN_SKEY and the second ticket in the
190 Swift Category - Informational 3
199 User to User Kerberos Authentication October 1999
202 additional-tickets of the KDC-REQ-BODY. Upon receipt of the TGS-REP
203 the rest of the authentication identical to the Kerberos GSS-API
204 mechanism defined in RFC 1964 [4].
206 5. User-to-User when applied via KDC policy
208 Implementations MAY support the ability apply a policy on a user
209 account such that the KDC will not allow conventional service ticket
210 requests, and when presented with a KERB_TGS_REQ that does not
211 contain a second ticket with an ENC_TKT_IN_SKEY KDCoption will
212 respond with a KRB-ERROR with the msg-type
213 KDC_ERR_MUST_USE_USER2USER (or KRB5PLACEHOLD_27).
215 In this case, the client need not explicitly request user-to-user in
216 order to get a user-to-user connection. Implementations may use this
217 error code to set a flag and return a GSS_C_CONTINUE_NEEDED so that
218 the next round uses the mechanism described in section 4.
220 6. User to User when applied by server policy
222 In the case that the client application doesn't know that a service
223 requires user-to-user authentication, and requests and receives a
224 conventional KRB_AP_REP, the client will send the KRB_AP_REP
225 request, and the server will respond with a KRB_ERROR token as
226 described in RFC1964, with a msg-type of
227 KRB_AP_ERR_USER_TO_USER_REQUIRED (0x45). The server may optionally
228 pass the TGT in the data field of this error message. In response to
229 this error, the initiator sets flags and returns a
230 GSS_C_CONTINUE_NEEDED so that the next round uses the mechanism
231 described in section 4.
233 7. Security Considerations
235 These extensions simply enable an existing Kerberos 5 authentication
236 protocol so that it may be used from GSSAPI.
238 There is some risk in a server handing out its ticket-granting-
239 ticket to any client that requests it, in that it gives an attacker
240 a piece of encrypted material to decrypt. However, the same material
241 may be obtained from listening to any legitimate client connection.
243 It should be noted here that the exchange described in section 6
244 requires that the KDC provide tickets for user accounts, which will
245 contain known plaintext encrypted in the usersÆ private key. The
246 risk associated with this is entirely mitigated where a KDC supports
247 the KDC_MUST_USE_USER2USER feature, which allows a restriction on
248 user accounts to ensure that all tickets for that account are
249 encrypted in the TGT session key, and not the long term key of the
256 Swift Category - Informational 4
265 User to User Kerberos Authentication October 1999
269 1 Bradner, S., "The Internet Standards Process -- Revision 3", BCP
270 9, RFC 2026, October 1996.
272 2 Bradner, S., "Key words for use in RFCs to Indicate Requirement
273 Levels", BCP 14, RFC 2119, March 1997
275 3 J. Kohl, C. Neuman, "The Kerberos Network Authentication
276 Service(V5)", RFC 1510.
278 4 J. Linn, "The Kerberos Version 5 GSS-API Mechanism", RFC 1964
280 5 J. Linn, "Generic Security Service Application Program Interface,
283 9. Author's Addresses
286 University of Washington
288 Email: mikesw@cs.washington.edu
294 Email: jbrezak@microsoft.com
297 Sandia National Laboratories
298 PO Box 5800 Mail Stop
299 Albuquerque, New Mexico
300 Email: pcmoore@sandia.gov
322 Swift Category - Informational 5
331 User to User Kerberos Authentication October 1999
335 Full Copyright Statement
337 Copyright (C) The Internet Society (1999). All Rights Reserved.
339 This document and translations of it may be copied and furnished to
340 others, and derivative works that comment on or otherwise explain it
341 or assist in its implementation may be prepared, copied, published
342 and distributed, in whole or in part, without restriction of any
343 kind, provided that the above copyright notice and this paragraph
344 are included on all such copies and derivative works. However, this
345 document itself may not be modified in any way, such as by removing
346 the copyright notice or references to the Internet Society or other
347 Internet organizations, except as needed for the purpose of
348 developing Internet standards in which case the procedures for
349 copyrights defined in the Internet Standards process must be
350 followed, or as required to translate it into languages other than
353 The limited permissions granted above are perpetual and will not be
354 revoked by the Internet Society or its successors or assigns.
356 This document and the information contained herein is provided on an
357 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
358 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
359 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
360 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
361 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
388 Swift Category - Informational 6