4 NETWORK WORKING GROUP L. Zhu
5 Internet-Draft Microsoft Corporation
6 Expires: June 24, 2006 B. Tung
7 USC Information Sciences Institute
11 Public Key Cryptography for Initial Authentication in Kerberos
12 draft-ietf-cat-kerberos-pk-init-31
16 By submitting this Internet-Draft, each author represents that any
17 applicable patent or other IPR claims of which he or she is aware
18 have been or will be disclosed, and any of which he or she becomes
19 aware will be disclosed, in accordance with Section 6 of BCP 79.
21 Internet-Drafts are working documents of the Internet Engineering
22 Task Force (IETF), its areas, and its working groups. Note that
23 other groups may also distribute working documents as Internet-
26 Internet-Drafts are draft documents valid for a maximum of six months
27 and may be updated, replaced, or obsoleted by other documents at any
28 time. It is inappropriate to use Internet-Drafts as reference
29 material or to cite them other than as "work in progress."
31 The list of current Internet-Drafts can be accessed at
32 http://www.ietf.org/ietf/1id-abstracts.txt.
34 The list of Internet-Draft Shadow Directories can be accessed at
35 http://www.ietf.org/shadow.html.
37 This Internet-Draft will expire on June 24, 2006.
41 Copyright (C) The Internet Society (2005).
45 This document describes protocol extensions (hereafter called PKINIT)
46 to the Kerberos protocol specification. These extensions provide a
47 method for integrating public key cryptography into the initial
48 authentication exchange, by using asymmetric-key signature and/or
49 encryption algorithms in pre-authentication data fields.
55 Zhu & Tung Expires June 24, 2006 [Page 1]
57 Internet-Draft PKINIT December 2005
62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
63 2. Conventions Used in This Document . . . . . . . . . . . . . . 5
64 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
65 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6
66 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6
67 3.1.2. Defined Message and Encryption Types . . . . . . . . . 6
68 3.1.3. Algorithm Identifiers . . . . . . . . . . . . . . . . 7
69 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9
70 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9
71 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 13
72 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 17
73 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 24
74 3.3. Interoperability Requirements . . . . . . . . . . . . . . 25
75 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 26
76 4. Security Considerations . . . . . . . . . . . . . . . . . . . 26
77 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
78 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
79 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
80 7.1. Normative References . . . . . . . . . . . . . . . . . . . 29
81 7.2. Informative References . . . . . . . . . . . . . . . . . . 31
82 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 31
83 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 36
84 Appendix C. Miscellaneous Information about Microsoft Windows
85 PKINIT Implementations . . . . . . . . . . . . . . . 38
86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
87 Intellectual Property and Copyright Statements . . . . . . . . . . 41
111 Zhu & Tung Expires June 24, 2006 [Page 2]
113 Internet-Draft PKINIT December 2005
118 The Kerberos V5 protocol [RFC4120] involves use of a trusted third
119 party known as the Key Distribution Center (KDC) to negotiate shared
120 session keys between clients and services and provide mutual
121 authentication between them.
123 The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
124 A Ticket encapsulates a symmetric key (the ticket session key) in an
125 envelope (a public message) intended for a specific service. The
126 contents of the Ticket are encrypted with a symmetric key shared
127 between the service principal and the issuing KDC. The encrypted
128 part of the Ticket contains the client principal name, amongst other
129 items. An Authenticator is a record that can be shown to have been
130 recently generated using the ticket session key in the associated
131 Ticket. The ticket session key is known by the client who requested
132 the ticket. The contents of the Authenticator are encrypted with the
133 associated ticket session key. The encrypted part of an
134 Authenticator contains a timestamp and the client principal name,
137 As shown in Figure 1 below, the Kerberos V5 protocol consists of the
138 following message exchanges between the client and the KDC, and the
139 client and the application service:
141 - The Authentication Service (AS) Exchange
143 The client obtains an "initial" ticket from the Kerberos
144 authentication server (AS), typically a Ticket Granting Ticket
145 (TGT). The AS-REQ message and the AS-REP message are the request
146 and the reply message respectively between the client and the AS.
148 - The Ticket Granting Service (TGS) Exchange
150 The client subsequently uses the TGT to authenticate and request a
151 service ticket for a particular service, from the Kerberos ticket-
152 granting server (TGS). The TGS-REQ message and the TGS-REP
153 message are the request and the reply message respectively between
154 the client and the TGS.
156 - The Client/Server Authentication Protocol (AP) Exchange
158 The client then makes a request with an AP-REQ message, consisting
159 of a service ticket and an authenticator that certifies the
160 client's possession of the ticket session key. The server may
161 optionally reply with an AP-REP message. AP exchanges typically
162 negotiate session specific symmetric keys.
167 Zhu & Tung Expires June 24, 2006 [Page 3]
169 Internet-Draft PKINIT December 2005
172 Usually, the AS and TGS are integrated in a single device also known
175 Figure 1: The Message Exchanges in the Kerberos V5 Protocol
183 | | / TGS-REQ + TGS-REP
191 ++-------+------+ +-----------------+
192 | Client +------------>| Application |
193 | | AP-REQ | Server |
195 +---------------+ AP-REP +-----------------+
197 In the AS exchange, the KDC reply contains the ticket session key,
198 amongst other items, that is encrypted using a key (the AS reply key)
199 shared between the client and the KDC. The AS reply key is typically
200 derived from the client's password for human users. Therefore for
201 human users the attack resistance strength of the Kerberos protocol
202 is no stronger than the strength of their passwords.
204 The use of asymmetric cryptography in the form of X.509 certificates
205 [RFC3280] is popular for facilitating non-repudiation and perfect
206 secrecy. An established Public Key Infrastructure (PKI) provides key
207 management and key distribution mechanisms that can be used to
208 establish authentication and secure communication. Adding public-key
209 cryptography to Kerberos provides a nice congruence to public-key
210 protocols, obviates the human users' burden to manage strong
211 passwords, and allows Kerberized applications to take advantage of
212 existing key services and identity management.
214 The advantage afforded by the Kerberos TGT is that the client exposes
215 his long-term secrets only once. The TGT and its associated session
216 key can then be used for any subsequent service ticket requests. One
217 result of this is that all further authentication is independent of
218 the method by which the initial authentication was performed.
219 Consequently, initial authentication provides a convenient place to
223 Zhu & Tung Expires June 24, 2006 [Page 4]
225 Internet-Draft PKINIT December 2005
228 integrate public-key cryptography into Kerberos authentication. In
229 addition, the use of symmetric cryptography after the initial
230 exchange is preferred for performance.
232 This document describes the methods and data formats using which the
233 client and the KDC can use public and private key pairs to mutually
234 authenticate in the AS exchange and negotiate the AS reply key, known
235 only by the client and the KDC, to encrypt the AS-REP sent by the
239 2. Conventions Used in This Document
241 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
242 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
243 document are to be interpreted as described in [RFC2119].
245 In this protocol, both the client and the KDC have a public-private
246 key pair in order to prove their identities to each other over the
247 open network. The term "signature key" is used to refer to the
248 private key of the key pair being used.
250 The encryption key used to encrypt the enc-part field of the KDC-REP
251 in the AS-REP [RFC4120] is referred to as the AS reply key.
253 An empty sequence in an optional field can be either included or
254 omitted: both encodings are permitted and considered equivalent.
256 The term "Modular Exponential Diffie-Hellman" is used to refer to the
257 Diffie-Hellman key exchange as described in [RFC2631], in order to
258 differentiate it from other equivalent representations of the same
259 key agreement algorithm.
264 This section describes extensions to [RFC4120] for supporting the use
265 of public-key cryptography in the initial request for a ticket.
267 Briefly, this document defines the following extensions to [RFC4120]:
269 1. The client indicates the use of public-key authentication by
270 including a special preauthenticator in the initial request. This
271 preauthenticator contains the client's public-key data and a
279 Zhu & Tung Expires June 24, 2006 [Page 5]
281 Internet-Draft PKINIT December 2005
284 2. The KDC tests the client's request against its authentication
285 policy and trusted Certification Authorities (CAs).
287 3. If the request passes the verification tests, the KDC replies as
288 usual, but the reply is encrypted using either:
290 a. a key generated through a Diffie-Hellman (DH) key exchange
291 [RFC2631] [IEEE1363] with the client, signed using the KDC's
294 b. a symmetric encryption key, signed using the KDC's signature
295 key and encrypted using the client's public key.
297 Any keying material required by the client to obtain the
298 encryption key for decrypting the KDC reply is returned in a pre-
299 authentication field accompanying the usual reply.
301 4. The client validates the KDC's signature, obtains the encryption
302 key, decrypts the reply, and then proceeds as usual.
304 Section 3.1 of this document enumerates the required algorithms and
305 necessary extension message types. Section 3.2 describes the
306 extension messages in greater detail.
308 3.1. Definitions, Requirements, and Constants
310 3.1.1. Required Algorithms
312 All PKINIT implementations MUST support the following algorithms:
314 o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-
317 o Signature algorithm: sha-1WithRSAEncryption [RFC3279].
319 o AS reply key delivery method: Diffie-Hellman key exchange
322 In addition, implementations of this specification MUST be capable of
323 processing the Extended Key Usage (EKU) extension and the id-pkinit-
324 san (as defined in Section 3.2.2) otherName of the Subject
325 Alternative Name (SAN) extension in X.509 certificates [RFC3280], if
328 3.1.2. Defined Message and Encryption Types
330 PKINIT makes use of the following new pre-authentication types:
335 Zhu & Tung Expires June 24, 2006 [Page 6]
337 Internet-Draft PKINIT December 2005
343 PKINIT also makes use of the following new authorization data type:
345 AD_INITIAL_VERIFIED_CAS 9
347 PKINIT introduces the following new error codes:
349 KDC_ERR_CLIENT_NOT_TRUSTED 62
350 KDC_ERR_INVALID_SIG 64
351 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
352 KDC_ERR_CANT_VERIFY_CERTIFICATE 70
353 KDC_ERR_INVALID_CERTIFICATE 71
354 KDC_ERR_REVOKED_CERTIFICATE 72
355 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
356 KDC_ERR_CLIENT_NAME_MISMATCH 75
357 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77
358 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78
359 KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED 79
360 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80
362 PKINIT uses the following typed data types for errors:
364 TD_TRUSTED_CERTIFIERS 104
365 TD_INVALID_CERTIFICATES 105
368 The ASN.1 module for all structures defined in this document (plus
369 IMPORT statements for all imported structures) is given in
372 All structures defined in or imported into this document MUST be
373 encoded using Distinguished Encoding Rules (DER) [X680] [X690]
374 (unless otherwise noted). All data structures carried in OCTET
375 STRINGs must be encoded according to the rules specified in
376 corresponding specifications.
378 Interoperability note: Some implementations may not be able to decode
379 wrapped CMS objects encoded with BER; specifically, they may not be
380 able to decode indefinite length encodings. To maximize
381 interoperability, implementers SHOULD encode CMS objects used in
384 3.1.3. Algorithm Identifiers
386 PKINIT does not define, but does make use of, the following algorithm
391 Zhu & Tung Expires June 24, 2006 [Page 7]
393 Internet-Draft PKINIT December 2005
396 PKINIT uses the following algorithm identifier(s) for Modular
397 Exponential Diffie-Hellman key agreement [RFC2631] [RFC3279]:
399 dhpublicnumber (as described in [RFC3279])
401 PKINIT uses the following signature algorithm identifiers as defined
404 sha-1WithRSAEncryption (RSA with SHA1)
405 md5WithRSAEncryption (RSA with MD5)
406 id-dsa-with-sha1 (DSA with SHA1)
408 PKINIT uses the following encryption algorithm identifiers as defined
409 in [RFC3447] for encrypting the temporary key with a public key:
414 PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565]
415 for encrypting the AS reply key with the temporary key:
417 des-ede3-cbc (three-key 3DES, CBC mode, as defined in [RFC3370])
418 rc2-cbc (RC2, CBC mode, as defined in [RFC3370])
419 id-aes256-CBC (AES-256, CBC mode, as defined in [RFC3565])
421 PKINIT defines the following encryption types, for use in the etype
422 field of the AS-REQ [RFC4120] message to indicate acceptance of the
423 corresponding algorithms that can used by Cryptographic Message
424 Syntax (CMS) [RFC3852] messages in the reply:
426 id-dsa-with-sha1-CmsOID 9
427 -- Indicates that the client supports id-dsa-with-sha1.
428 md5WithRSAEncryption-CmsOID 10
429 -- Indicates that the client supports md5WithRSAEncryption.
430 sha-1WithRSAEncryption-CmsOID 11
431 -- Indicates that the client supports sha-1WithRSAEncryption.
433 -- Indicates that the client supports rc2-cbc.
434 rsaEncryption-EnvOID 13
435 -- Indicates that the client supports rsaEncryption.
436 id-RSAES-OAEP-EnvOID 14
437 -- Indicates that the client supports id-RSAES-OAEP.
438 des-ede3-cbc-EnvOID 15
439 -- Indicates that the client supports des-ede3-cbc.
447 Zhu & Tung Expires June 24, 2006 [Page 8]
449 Internet-Draft PKINIT December 2005
452 3.2. PKINIT Pre-authentication Syntax and Use
454 This section defines the syntax and use of the various pre-
455 authentication fields employed by PKINIT.
457 3.2.1. Generation of Client Request
459 The initial authentication request (AS-REQ) is sent as per [RFC4120];
460 in addition, a pre-authentication data element, whose padata-type is
461 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
462 type PA-PK-AS-REQ, is included.
464 PA-PK-AS-REQ ::= SEQUENCE {
465 signedAuthPack [0] IMPLICIT OCTET STRING,
466 -- Contains a CMS type ContentInfo encoded
467 -- according to [RFC3852].
468 -- The contentType field of the type ContentInfo
469 -- is id-signedData (1.2.840.113549.1.7.2),
470 -- and the content field is a SignedData.
471 -- The eContentType field for the type SignedData is
472 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
473 -- eContent field contains the DER encoding of the
475 -- AuthPack is defined below.
476 trustedCertifiers [1] SEQUENCE OF
477 ExternalPrincipalIdentifier OPTIONAL,
478 -- Contains a list of CAs, trusted by the client,
479 -- that can be used to certify the KDC.
480 -- Each ExternalPrincipalIdentifier identifies a CA
481 -- or a CA certificate (thereby its public key).
482 -- The information contained in the
483 -- trustedCertifiers SHOULD be used by the KDC as
484 -- hints to guide its selection of an appropriate
485 -- certificate chain to return to the client.
486 kdcPkId [2] IMPLICIT OCTET STRING
488 -- Contains a CMS type SignerIdentifier encoded
489 -- according to [RFC3852].
490 -- Identifies, if present, a particular KDC
491 -- public key that the client already has.
495 DHNonce ::= OCTET STRING
497 ExternalPrincipalIdentifier ::= SEQUENCE {
498 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
499 -- Contains a PKIX type Name encoded according to
503 Zhu & Tung Expires June 24, 2006 [Page 9]
505 Internet-Draft PKINIT December 2005
509 -- Identifies the certificate subject by the
510 -- distinguished subject name.
511 -- REQUIRED when there is a distinguished subject
512 -- name present in the certificate.
513 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
514 -- Contains a CMS type IssuerAndSerialNumber encoded
515 -- according to [RFC3852].
516 -- Identifies a certificate of the subject.
517 -- REQUIRED for TD-INVALID-CERTIFICATES and
518 -- TD-TRUSTED-CERTIFIERS.
519 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
520 -- Identifies the subject's public key by a key
521 -- identifier. When an X.509 certificate is
522 -- referenced, this key identifier matches the X.509
523 -- subjectKeyIdentifier extension value. When other
524 -- certificate formats are referenced, the documents
525 -- that specify the certificate format and their use
526 -- with the CMS must include details on matching the
527 -- key identifier to the appropriate certificate
529 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
533 AuthPack ::= SEQUENCE {
534 pkAuthenticator [0] PKAuthenticator,
535 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
536 -- Type SubjectPublicKeyInfo is defined in
538 -- Specifies Diffie-Hellman domain parameters
539 -- and the client's public key value [IEEE1363].
540 -- The DH public key value is encoded as a BIT
541 -- STRING according to [RFC3279].
542 -- This field is present only if the client wishes
543 -- to use the Diffie-Hellman key agreement method.
544 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
546 -- Type AlgorithmIdentifier is defined in
548 -- List of CMS encryption types supported by the
549 -- client in order of (decreasing) preference.
550 clientDHNonce [3] DHNonce OPTIONAL,
551 -- Present only if the client indicates that it
552 -- wishes to reuse DH keys or to allow the KDC to
553 -- do so (see Section 3.2.3.1).
559 Zhu & Tung Expires June 24, 2006 [Page 10]
561 Internet-Draft PKINIT December 2005
564 PKAuthenticator ::= SEQUENCE {
565 cusec [0] INTEGER (0..999999),
566 ctime [1] KerberosTime,
567 -- cusec and ctime are used as in [RFC4120], for
568 -- replay prevention.
569 nonce [2] INTEGER (0..4294967295),
570 -- Chosen randomly; This nonce does not need to
571 -- match with the nonce in the KDC-REQ-BODY.
572 paChecksum [3] OCTET STRING,
573 -- Contains the SHA1 checksum, performed over
578 The ContentInfo [RFC3852] structure contained in the signedAuthPack
579 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and
580 is filled out as follows:
582 1. The contentType field of the type ContentInfo is id-signedData
583 (as defined in [RFC3852]), and the content field is a SignedData
584 (as defined in [RFC3852]).
586 2. The eContentType field for the type SignedData is id-pkinit-
587 authData: { iso(1) org(3) dod(6) internet(1) security(5)
588 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS
589 implementers: the signed attribute content-type MUST be present
590 in this SignedData instance and its value is id-pkinit-authData
591 according to [RFC3852].
593 3. The eContent field for the type SignedData contains the DER
594 encoding of the type AuthPack.
596 4. The signerInfos field of the type SignedData contains a single
597 signerInfo, which contains the signature over the type AuthPack.
599 5. The AuthPack structure contains a PKAuthenticator, the client
600 public key information, the CMS encryption types supported by the
601 client and a DHNonce. The pkAuthenticator field certifies to the
602 KDC that the client has recent knowledge of the signing key that
603 authenticates the client. The clientPublicValue field specifies
604 Diffie-Hellman domain parameters and the client's public key
605 value. The DH public key value is encoded as a BIT STRING
606 according to [RFC3279]. The clientPublicValue field is present
607 only if the client wishes to use the Diffie-Hellman key agreement
608 method. The supportedCMSTypes field specifies the list of CMS
609 encryption types supported by the client in order of (decreasing)
610 preference. The clientDHNonce field is described later in this
615 Zhu & Tung Expires June 24, 2006 [Page 11]
617 Internet-Draft PKINIT December 2005
620 6. The ctime field in the PKAuthenticator structure contains the
621 current time on the client's host, and the cusec field contains
622 the microsecond part of the client's timestamp. The ctime and
623 cusec fields are used together to specify a reasonably accurate
624 timestamp [RFC4120]. The nonce field is chosen randomly. The
625 paChecksum field contains a SHA1 checksum that is performed over
626 the KDC-REQ-BODY [RFC4120].
628 7. The certificates field of the type SignedData contains
629 certificates intended to facilitate certification path
630 construction, so that the KDC can verify the signature over the
631 type AuthPack. For path validation, these certificates SHOULD be
632 sufficient to construct at least one certification path from the
633 client certificate to one trust anchor acceptable by the KDC
634 [RFC4158]. The client MUST be capable of including such a set of
635 certificates if configured to do so. The certificates field MUST
636 NOT contain "root" CA certificates.
638 8. The client's Diffie-Hellman public value (clientPublicValue) is
639 included if and only if the client wishes to use the Diffie-
640 Hellman key agreement method. The Diffie-Hellman domain
641 parameters [IEEE1363] for the client's public key are specified
642 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279]
643 and the client's Diffie-Hellman public key value is mapped to a
644 subjectPublicKey (a BIT STRING) according to [RFC3279]. When
645 using the Diffie-Hellman key agreement method, implementations
646 MUST support Oakley 1024-bit Modular Exponential (MODP) well-
647 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group
648 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known
651 The Diffie-Hellman field size should be chosen so as to provide
652 sufficient cryptographic security [RFC3766].
654 When MODP Diffie-Hellman is used, the exponents should have at
655 least twice as many bits as the symmetric keys that will be
656 derived from them [ODL99].
658 9. The client may wish to reuse DH keys or to allow the KDC to do so
659 (see Section 3.2.3.1). If so, then the client includes the
660 clientDHNonce field. This nonce string MUST be as long as the
661 longest key length of the symmetric key types that the client
662 supports. This nonce MUST be chosen randomly.
664 The ExternalPrincipalIdentifier structure is used in this document to
665 identify the subject's public key thereby the subject principal.
666 This structure is filled out as follows:
671 Zhu & Tung Expires June 24, 2006 [Page 12]
673 Internet-Draft PKINIT December 2005
676 1. The subjectName field contains a PKIX type Name encoded according
677 to [RFC3280]. This field identifies the certificate subject by
678 the distinguished subject name. This field is REQUIRED when
679 there is a distinguished subject name present in the certificate
682 2. The issuerAndSerialNumber field contains a CMS type
683 IssuerAndSerialNumber encoded according to [RFC3852]. This field
684 identifies a certificate of the subject. This field is REQUIRED
685 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both
686 structures are defined in Section 3.2.2).
688 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's
689 public key by a key identifier. When an X.509 certificate is
690 referenced, this key identifier matches the X.509
691 subjectKeyIdentifier extension value. When other certificate
692 formats are referenced, the documents that specify the
693 certificate format and their use with the CMS must include
694 details on matching the key identifier to the appropriate
695 certificate field. This field is RECOMMENDED for TD-TRUSTED-
696 CERTIFIERS (as defined in Section 3.2.2).
698 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
699 of CAs, trusted by the client, that can be used to certify the KDC.
700 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
701 (thereby its public key).
703 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
704 SignerIdentifier encoded according to [RFC3852]. This field
705 identifies, if present, a particular KDC public key that the client
708 3.2.2. Receipt of Client Request
710 Upon receiving the client's request, the KDC validates it. This
711 section describes the steps that the KDC MUST (unless otherwise
712 noted) take in validating the request.
714 The KDC verifies the client's signature in the signedAuthPack field
715 according to [RFC3852].
717 If, while validating the client's X.509 certificate [RFC3280], the
718 KDC cannot build a certification path to validate the client's
719 certificate, it sends back a KRB-ERROR [RFC4120] message with the
720 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for
721 this error message is a TYPED-DATA (as defined in [RFC4120]) that
722 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and
723 whose data-value contains the DER encoding of the type TD-TRUSTED-
727 Zhu & Tung Expires June 24, 2006 [Page 13]
729 Internet-Draft PKINIT December 2005
734 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
735 ExternalPrincipalIdentifier
736 -- Identifies a list of CAs trusted by the KDC.
737 -- Each ExternalPrincipalIdentifier identifies a CA
738 -- or a CA certificate (thereby its public key).
740 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
741 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
742 (thereby its public key) trusted by the KDC.
744 Upon receiving this error message, the client SHOULD retry only if it
745 has a different set of certificates (from those of the previous
746 requests) that form a certification path (or a partial path) from one
747 of the trust anchors acceptable by the KDC to its own certificate.
749 If, while processing the certification path, the KDC determines that
750 the signature on one of the certificates in the signedAuthPack field
751 is invalid, it returns a KRB-ERROR [RFC4120] message with the code
752 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error
753 message is a TYPED-DATA that contains an element whose data-type is
754 TD_INVALID_CERTIFICATES, and whose data-value contains the DER
755 encoding of the type TD-INVALID-CERTIFICATES:
757 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
758 ExternalPrincipalIdentifier
759 -- Each ExternalPrincipalIdentifier identifies a
760 -- certificate (sent by the client) with an invalid
763 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
764 TD-INVALID-CERTIFICATES structure identifies a certificate (that was
765 sent by the client) with an invalid signature.
767 If more than one X.509 certificate signature is invalid, the KDC MAY
768 include one IssuerAndSerialNumber per invalid signature within the
769 TD-INVALID-CERTIFICATES.
771 The client's X.509 certificate is validated according to [RFC3280].
773 Based on local policy, the KDC may also check whether any X.509
774 certificates in the certification path validating the client's
775 certificate have been revoked. If any of them have been revoked, the
776 KDC MUST return an error message with the code
777 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the
778 revocation status but is unable to do so, it SHOULD return an error
779 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The
783 Zhu & Tung Expires June 24, 2006 [Page 14]
785 Internet-Draft PKINIT December 2005
788 certificate or certificates affected are identified exactly as for
789 the error code KDC_ERR_INVALID_CERTIFICATE (see above).
791 Note that the TD_INVALID_CERTIFICATES error data is only used to
792 identify invalid certificates sent by the client in the request.
794 The client's public key is then used to verify the signature. If the
795 signature fails to verify, the KDC MUST return an error message with
796 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for
799 In addition to validating the client's signature, the KDC MUST also
800 check that the client's public key used to verify the client's
801 signature is bound to the client's principal name as specified in the
804 1. If the KDC has its own binding between either the client's
805 signature-verification public key or the client's certificate and
806 the client's Kerberos principal name, it uses that binding.
808 2. Otherwise, if the client's X.509 certificate contains a Subject
809 Alternative Name (SAN) extension carrying a KRB5PrincipalName
810 (defined below) in the otherName field of the type GeneralName
811 [RFC3280], it binds the client's X.509 certificate to that name.
813 The type of the otherName field is AnotherName. The type-id field
814 of the type AnotherName is id-pkinit-san:
816 id-pkinit-san OBJECT IDENTIFIER ::=
817 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
820 And the value field of the type AnotherName is a
823 KRB5PrincipalName ::= SEQUENCE {
825 principalName [1] PrincipalName
828 If the KDC does not have its own binding and there is no
829 KRB5PrincipalName name present in the client's X.509 certificate, or
830 if the Kerberos name in the request does not match the
831 KRB5PrincipalName in the client's X.509 certificate (including the
832 realm name), the KDC MUST return an error message with the code
833 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for
839 Zhu & Tung Expires June 24, 2006 [Page 15]
841 Internet-Draft PKINIT December 2005
844 Even if the certification path is validated and the certificate is
845 mapped to the client's principal name, the KDC may decide not to
846 accept the client's certificate, depending on local policy.
848 The KDC MAY require the presence of an Extended Key Usage (EKU)
849 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field
850 of the client's X.509 certificate:
852 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::=
853 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
854 pkinit(3) keyPurposeClientAuth(4) }
855 -- PKINIT client authentication.
856 -- Key usage bits that MUST be consistent:
859 The digitalSignature key usage bit [RFC3280] MUST be asserted when
860 the intended purpose of the client's X.509 certificate is restricted
861 with the id-pkinit-KPClientAuth EKU.
863 If this EKU KeyPurposeId is required but it is not present or if the
864 client certificate is restricted not to be used for PKINIT client
865 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return
866 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There
867 is no accompanying e-data for this error message. KDCs implementing
868 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc-
869 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there
870 are a large number of X.509 client certificates deployed for use with
871 PKINIT which have this EKU.
873 As a matter of local policy, the KDC MAY decide to reject requests on
874 the basis of the absence or presence of other specific EKU OID's.
876 If the digest algorithm used in generating the CA signature for the
877 public key in any certificate of the request is not acceptable by the
878 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code
879 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be
880 encoded in TYPED-DATA although none is defined at this point.
882 If the client's public key is not accepted with reasons other than
883 what were specified above, the KDC returns a KRB-ERROR [RFC4120]
884 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no
885 accompanying e-data currently defined for this error message.
887 The KDC MUST check the timestamp to ensure that the request is not a
888 replay, and that the time skew falls within acceptable limits. The
889 recommendations for clock skew times in [RFC4120] apply here. If the
890 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or
891 KRB_AP_ERR_SKEW, respectively.
895 Zhu & Tung Expires June 24, 2006 [Page 16]
897 Internet-Draft PKINIT December 2005
900 If the clientPublicValue is filled in, indicating that the client
901 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD
902 check to see if the key parameters satisfy its policy. If they do
903 not, it MUST return an error message with the code
904 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a
905 TYPED-DATA that contains an element whose data-type is
906 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of
907 the type TD-DH-PARAMETERS:
909 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
910 -- Each AlgorithmIdentifier specifies a set of
911 -- Diffie-Hellman domain parameters [IEEE1363].
912 -- This list is in decreasing preference order.
914 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters
915 that the KDC supports in decreasing preference order, from which the
916 client SHOULD pick one to retry the request.
918 The AlgorithmIdentifier structure is defined in [RFC3280] and is
919 filled in according to [RFC3279]. More specifically Section 2.3.3 of
920 [RFC3279] describes how to fill in the AlgorithmIdentifier structure
921 in the case where MODP Diffie-Hellman key exchange is used.
923 If the client included a kdcPkId field in the PA-PK-AS-REQ and the
924 KDC does not possess the corresponding key, the KDC MUST ignore the
925 kdcPkId field as if the client did not include one.
927 If the digest algorithm used by the id-pkinit-authData is not
928 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120]
929 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
930 The accompanying e-data MUST be encoded in TYPED-DATA although none
931 is defined at this point.
933 3.2.3. Generation of KDC Reply
935 Assuming that the client's request has been properly validated, the
936 KDC proceeds as per [RFC4120], except as follows.
938 The KDC MUST set the initial flag and include an authorization data
939 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued
940 ticket. The ad-data [RFC4120] field contains the DER encoding of the
941 type AD-INITIAL-VERIFIED-CAS:
943 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
944 ExternalPrincipalIdentifier
945 -- Identifies the certification path based on which
946 -- the client certificate was validated.
947 -- Each ExternalPrincipalIdentifier identifies a CA
951 Zhu & Tung Expires June 24, 2006 [Page 17]
953 Internet-Draft PKINIT December 2005
956 -- or a CA certificate (thereby its public key).
958 The AD-INITIAL-VERIFIED-CAS structure identifies the certification
959 path based on which the client certificate was validated. Each
960 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
961 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
962 (thereby its public key).
964 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
965 containers if the list of CAs satisfies the AS' realm's local policy
966 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag
967 [RFC4120]). Furthermore, any TGS MUST copy such authorization data
968 from tickets used within a PA-TGS-REQ of the TGS-REQ into the
969 resulting ticket. If the list of CAs satisfies the local KDC's
970 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT
971 container, otherwise it MAY unwrap the authorization data out of the
972 AD-IF-RELEVANT container.
974 Application servers that understand this authorization data type
975 SHOULD apply local policy to determine whether a given ticket bearing
976 such a type *not* contained within an AD-IF-RELEVANT container is
977 acceptable. (This corresponds to the AP server checking the
978 transited field when the TRANSITED-POLICY-CHECKED flag has not been
979 set [RFC4120].) If such a data type is contained within an AD-IF-
980 RELEVANT container, AP servers MAY apply local policy to determine
981 whether the authorization data is acceptable.
983 A pre-authentication data element, whose padata-type is PA_PK_AS_REP
984 and whose padata-value contains the DER encoding of the type PA-PK-
985 AS-REP (defined below), is included in the AS-REP [RFC4120].
987 PA-PK-AS-REP ::= CHOICE {
988 dhInfo [0] DHRepInfo,
989 -- Selected when Diffie-Hellman key exchange is
991 encKeyPack [1] IMPLICIT OCTET STRING,
992 -- Selected when public key encryption is used.
993 -- Contains a CMS type ContentInfo encoded
994 -- according to [RFC3852].
995 -- The contentType field of the type ContentInfo is
996 -- id-envelopedData (1.2.840.113549.1.7.3).
997 -- The content field is an EnvelopedData.
998 -- The contentType field for the type EnvelopedData
999 -- is id-signedData (1.2.840.113549.1.7.2).
1000 -- The eContentType field for the inner type
1001 -- SignedData (when unencrypted) is
1002 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1003 -- eContent field contains the DER encoding of the
1007 Zhu & Tung Expires June 24, 2006 [Page 18]
1009 Internet-Draft PKINIT December 2005
1012 -- type ReplyKeyPack.
1013 -- ReplyKeyPack is defined in Section 3.2.3.2.
1017 DHRepInfo ::= SEQUENCE {
1018 dhSignedData [0] IMPLICIT OCTET STRING,
1019 -- Contains a CMS type ContentInfo encoded according
1021 -- The contentType field of the type ContentInfo is
1022 -- id-signedData (1.2.840.113549.1.7.2), and the
1023 -- content field is a SignedData.
1024 -- The eContentType field for the type SignedData is
1025 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
1026 -- eContent field contains the DER encoding of the
1027 -- type KDCDHKeyInfo.
1028 -- KDCDHKeyInfo is defined below.
1029 serverDHNonce [1] DHNonce OPTIONAL,
1030 -- Present if and only if dhKeyExpiration is
1031 -- present in the KDCDHKeyInfo.
1035 KDCDHKeyInfo ::= SEQUENCE {
1036 subjectPublicKey [0] BIT STRING,
1037 -- The KDC's DH public key.
1038 -- The DH public key value is encoded as a BIT
1039 -- STRING according to [RFC3279].
1040 nonce [1] INTEGER (0..4294967295),
1041 -- Contains the nonce in the pkAuthenticator field
1042 -- in the request if the DH keys are NOT reused,
1044 dhKeyExpiration [2] KerberosTime OPTIONAL,
1045 -- Expiration time for KDC's key pair,
1046 -- present if and only if the DH keys are reused.
1047 -- If present, the KDC's DH public key MUST not be
1048 -- used past the point of this expiration time.
1049 -- If this field is omitted then the serverDHNonce
1050 -- field MUST also be omitted.
1054 The content of the AS-REP is otherwise unchanged from [RFC4120]. The
1055 KDC encrypts the reply as usual, but not with the client's long-term
1056 key. Instead, it encrypts it with either a shared key derived from a
1057 Diffie-Hellman exchange, or a generated encryption key. The contents
1058 of the PA-PK-AS-REP indicate which key delivery method is used.
1063 Zhu & Tung Expires June 24, 2006 [Page 19]
1065 Internet-Draft PKINIT December 2005
1068 In addition, the lifetime of the ticket returned by the KDC MUST NOT
1069 exceed that of the client's public-private key pair. The ticket
1070 lifetime, however, can be shorter than that of the client's public-
1071 private key pair. For the implementations of this specification, the
1072 lifetime of the client's public-private key pair is the validity
1073 period in X.509 certificates [RFC3280], unless configured otherwise.
1075 3.2.3.1. Using Diffie-Hellman Key Exchange
1077 In this case, the PA-PK-AS-REP contains a DHRepInfo structure.
1079 The ContentInfo [RFC3852] structure for the dhSignedData field is
1080 filled in as follows:
1082 1. The contentType field of the type ContentInfo is id-signedData
1083 (as defined in [RFC3852]), and the content field is a SignedData
1084 (as defined in [RFC3852]).
1086 2. The eContentType field for the type SignedData is the OID value
1087 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1)
1088 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS
1089 implementers: the signed attribute content-type MUST be present
1090 in this SignedData instance and its value is id-pkinit-DHKeyData
1091 according to [RFC3852].
1093 3. The eContent field for the type SignedData contains the DER
1094 encoding of the type KDCDHKeyInfo.
1096 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce
1097 and optionally the expiration time of the KDC's DH key being
1098 reused. The subjectPublicKey field of the type KDCDHKeyInfo
1099 field identifies KDC's DH public key. This DH public key value
1100 is encoded as a BIT STRING according to [RFC3279]. The nonce
1101 field contains the nonce in the pkAuthenticator field in the
1102 request if the DH keys are NOT reused. The value of this nonce
1103 field is 0 if the DH keys are reused. The dhKeyExpiration field
1104 is present if and only if the DH keys are reused. If the
1105 dhKeyExpiration field is present, the KDC's public key in this
1106 KDCDHKeyInfo structure MUST NOT be used past the point of this
1107 expiration time. If this field is omitted then the serverDHNonce
1108 field MUST also be omitted.
1110 5. The signerInfos field of the type SignedData contains a single
1111 signerInfo, which contains the signature over the type
1119 Zhu & Tung Expires June 24, 2006 [Page 20]
1121 Internet-Draft PKINIT December 2005
1124 6. The certificates field of the type SignedData contains
1125 certificates intended to facilitate certification path
1126 construction, so that the client can verify the KDC's signature
1127 over the type KDCDHKeyInfo. The information contained in the
1128 trustedCertifiers in the request SHOULD be used by the KDC as
1129 hints to guide its selection of an appropriate certificate chain
1130 to return to the client. This field may be left empty if the KDC
1131 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1132 used for signing. Otherwise, for path validation, these
1133 certificates SHOULD be sufficient to construct at least one
1134 certification path from the KDC certificate to one trust anchor
1135 acceptable by the client [RFC4158]. The KDC MUST be capable of
1136 including such a set of certificates if configured to do so. The
1137 certificates field MUST NOT contain "root" CA certificates.
1139 7. If the client included the clientDHNonce field, then the KDC may
1140 choose to reuse its DH keys. If the server reuses DH keys then
1141 it MUST include an expiration time in the dhKeyExpiration field.
1142 Past the point of the expiration time, the signature over the
1143 type DHRepInfo is considered expired/invalid. When the server
1144 reuses DH keys then it MUST include a serverDHNonce at least as
1145 long as the length of keys for the symmetric encryption system
1146 used to encrypt the AS reply. Note that including the
1147 serverDHNonce changes how the client and server calculate the key
1148 to use to encrypt the reply; see below for details. The KDC
1149 SHOULD NOT reuse DH keys unless the clientDHNonce field is
1150 present in the request.
1152 The AS reply key is derived as follows:
1154 1. Both the KDC and the client calculate the shared secret value as
1157 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the
1158 shared secret value. DHSharedSecret is the value ZZ as
1159 described in Section 2.1.1 of [RFC2631].
1161 DHSharedSecret is first padded with leading zeros such that the
1162 size of DHSharedSecret in octets is the same as that of the
1163 modulus, then represented as a string of octets in big-endian
1166 Implementation note: Both the client and the KDC can cache the
1167 triple (ya, yb, DHSharedSecret), where ya is the client's public
1168 key and yb is the KDC's public key. If both ya and yb are the
1169 same in a later exchange, the cached DHSharedSecret can be used.
1175 Zhu & Tung Expires June 24, 2006 [Page 21]
1177 Internet-Draft PKINIT December 2005
1180 2. Let K be the key-generation seed length [RFC3961] of the AS reply
1181 key whose enctype is selected according to [RFC4120].
1183 3. Define the function octetstring2key() as follows:
1185 octetstring2key(x) == random-to-key(K-truncate(
1192 where x is an octet string; | is the concatenation operator; 0x00,
1193 0x01, 0x02, etc., are each represented as a single octet; random-
1194 to-key() is an operation that generates a protocol key from a
1195 bitstring of length K; and K-truncate truncates its input to the
1196 first K bits. Both K and random-to-key() are as defined in the
1197 kcrypto profile [RFC3961] for the enctype of the AS reply key.
1199 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be
1200 the serverDHNonce; otherwise, let both n_c and n_k be empty octet
1203 5. The AS reply key k is:
1205 k = octetstring2key(DHSharedSecret | n_c | n_k)
1207 If the hash algorithm used in the key derivation function (currently
1208 only octetstring2key() is defined) is not acceptable by the KDC, the
1209 KDC MUST return a KRB-ERROR [RFC4120] message with the code
1210 KDC_ERR_HASH_IN_KDF_NOT_ACCEPTED. The accompanying e-data MUST be
1211 encoded in TYPED-DATA although none is defined at this point.
1213 3.2.3.2. Using Public Key Encryption
1215 In this case, the PA-PK-AS-REP contains the encKeyPack field where
1216 the AS reply key is encrypted.
1218 The ContentInfo [RFC3852] structure for the encKeyPack field is
1219 filled in as follows:
1221 1. The contentType field of the type ContentInfo is id-envelopedData
1222 (as defined in [RFC3852]), and the content field is an
1223 EnvelopedData (as defined in [RFC3852]).
1225 2. The contentType field for the type EnvelopedData is id-
1226 signedData: { iso (1) member-body (2) us (840) rsadsi (113549)
1227 pkcs (1) pkcs7 (7) signedData (2) }.
1231 Zhu & Tung Expires June 24, 2006 [Page 22]
1233 Internet-Draft PKINIT December 2005
1236 3. The eContentType field for the inner type SignedData (when
1237 decrypted from the encryptedContent field for the type
1238 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6)
1239 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }.
1240 Notes to CMS implementers: the signed attribute content-type MUST
1241 be present in this SignedData instance and its value is id-
1242 pkinit-rkeyData according to [RFC3852].
1244 4. The eContent field for the inner type SignedData contains the DER
1245 encoding of the type ReplyKeyPack (as described below).
1247 5. The signerInfos field of the inner type SignedData contains a
1248 single signerInfo, which contains the signature for the type
1251 6. The certificates field of the inner type SignedData contains
1252 certificates intended to facilitate certification path
1253 construction, so that the client can verify the KDC's signature
1254 for the type ReplyKeyPack. The information contained in the
1255 trustedCertifiers in the request SHOULD be used by the KDC as
1256 hints to guide its selection of an appropriate certificate chain
1257 to return to the client. This field may be left empty if the KDC
1258 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1259 used for signing. Otherwise, for path validation, these
1260 certificates SHOULD be sufficient to construct at least one
1261 certification path from the KDC certificate to one trust anchor
1262 acceptable by the client [RFC4158]. The KDC MUST be capable of
1263 including such a set of certificates if configured to do so. The
1264 certificates field MUST NOT contain "root" CA certificates.
1266 7. The recipientInfos field of the type EnvelopedData is a SET which
1267 MUST contain exactly one member of type KeyTransRecipientInfo.
1268 The encryptedKey of this member contains the temporary key which
1269 is encrypted using the client's public key.
1271 8. The unprotectedAttrs or originatorInfo fields of the type
1272 EnvelopedData MAY be present.
1274 If there is a supportedCMSTypes field in the AuthPack, the KDC must
1275 check to see if it supports any of the listed types. If it supports
1276 more than one of the types, the KDC SHOULD use the one listed first.
1277 If it does not support any of them, it MUST return an error message
1278 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120].
1280 Furthermore the KDC computes the checksum of the AS-REQ in the client
1281 request. This checksum is performed over the type AS-REQ and the
1282 protocol key [RFC3961] of the checksum operation is the replyKey and
1283 the key usage number is 6. If the replyKey's enctype is "newer"
1287 Zhu & Tung Expires June 24, 2006 [Page 23]
1289 Internet-Draft PKINIT December 2005
1292 [RFC4120] [RFC4121], the checksum operation is the required checksum
1293 operation [RFC3961] of that enctype.
1295 ReplyKeyPack ::= SEQUENCE {
1296 replyKey [0] EncryptionKey,
1297 -- Contains the session key used to encrypt the
1298 -- enc-part field in the AS-REP, i.e. the
1300 asChecksum [1] Checksum,
1301 -- Contains the checksum of the AS-REQ
1302 -- corresponding to the containing AS-REP.
1303 -- The checksum is performed over the type AS-REQ.
1304 -- The protocol key [RFC3961] of the checksum is the
1305 -- replyKey and the key usage number is 6.
1306 -- If the replyKey's enctype is "newer" [RFC4120]
1307 -- [RFC4121], the checksum is the required
1308 -- checksum operation [RFC3961] for that enctype.
1309 -- The client MUST verify this checksum upon receipt
1314 Implementations of this RSA encryption key delivery method are
1315 RECOMMENDED to support RSA keys at least 2048 bits in size.
1317 3.2.4. Receipt of KDC Reply
1319 Upon receipt of the KDC's reply, the client proceeds as follows. If
1320 the PA-PK-AS-REP contains the dhSignedData field, the client derives
1321 the AS reply key using the same procedure used by the KDC as defined
1322 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack
1323 field, and the client decrypts and extracts the temporary key in the
1324 encryptedKey field of the member KeyTransRecipientInfo, and then uses
1325 that as the AS reply key.
1327 If the public key encryption method is used, the client MUST verify
1328 the asChecksum contained in the ReplyKeyPack.
1330 In either case, the client MUST verify the signature in the
1331 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST
1332 be validated according to [RFC3280]. In addition, unless the client
1333 can otherwise verify that the public key used to verify the KDC's
1334 signature is bound to the KDC of the target realm, the KDC's X.509
1335 certificate MUST contain a Subject Alternative Name extension
1336 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as
1337 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that
1338 matches the name of the TGS of the target realm (as defined in
1339 Section 7.3 of [RFC4120]).
1343 Zhu & Tung Expires June 24, 2006 [Page 24]
1345 Internet-Draft PKINIT December 2005
1348 Unless the client knows by some other means that the KDC certificate
1349 is intended for a Kerberos KDC, the client MUST require that the KDC
1350 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc:
1352 id-pkinit-KPKdc OBJECT IDENTIFIER ::=
1353 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1354 pkinit(3) keyPurposeKdc(5) }
1355 -- Signing KDC responses.
1356 -- Key usage bits that MUST be consistent:
1357 -- digitalSignature.
1359 The digitalSignature key usage bit [RFC3280] MUST be asserted when
1360 the intended purpose of the KDC's X.509 certificate is restricted
1361 with the id-pkinit-KPKdc EKU.
1363 If the KDC certificate contains the Kerberos TGS name encoded as an
1364 id-pkinit-san SAN, this certificate is certified by the issuing CA as
1365 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required.
1367 If all applicable checks are satisfied, the client then decrypts the
1368 enc-part field of the KDC-REP in the AS-REP using the AS reply key,
1369 and then proceeds as described in [RFC4120].
1371 Implementation note: CAs issuing KDC certificates SHOULD place all
1372 "short" and "fully-qualified" Kerberos realm names of the KDC (one
1373 per GeneralName [RFC3280]) into the KDC certificate to allow maximum
1376 3.3. Interoperability Requirements
1378 The client MUST be capable of sending a set of certificates
1379 sufficient to allow the KDC to construct a certification path for the
1380 client's certificate, if the correct set of certificates is provided
1381 through configuration or policy.
1383 If the client sends all the X.509 certificates on a certification
1384 path to a trust anchor acceptable by the KDC, and the KDC can not
1385 verify the client's public key otherwise, the KDC MUST be able to
1386 process path validation for the client's certificate based on the
1387 certificates in the request.
1389 The KDC MUST be capable of sending a set of certificates sufficient
1390 to allow the client to construct a certification path for the KDC's
1391 certificate, if the correct set of certificates is provided through
1392 configuration or policy.
1394 If the KDC sends all the X.509 certificates on a certification path
1395 to a trust anchor acceptable by the client, and the client can not
1399 Zhu & Tung Expires June 24, 2006 [Page 25]
1401 Internet-Draft PKINIT December 2005
1404 verify the KDC's public key otherwise, the client MUST be able to
1405 process path validation for the KDC's certificate based on the
1406 certificates in the reply.
1408 3.4. KDC Indication of PKINIT Support
1410 If pre-authentication is required, but was not present in the
1411 request, per [RFC4120] an error message with the code
1412 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be
1413 stored in the e-data field of the KRB-ERROR message to specify which
1414 pre-authentication mechanisms are acceptable. The KDC can then
1415 indicate the support of PKINIT by including an empty element whose
1416 padata-type is PA_PK_AS_REQ in that METHOD-DATA object.
1418 Otherwise if it is required by the KDC's local policy that the client
1419 must be pre-authenticated using the pre-authentication mechanism
1420 specified in this document, but no PKINIT pre-authentication was
1421 present in the request, an error message with the code
1422 KDC_ERR_PREAUTH_FAILED SHOULD be returned.
1424 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in
1425 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET
1426 STRING), and clients MUST ignore this and any other value. Future
1427 extensions to this protocol may specify other data to send instead of
1428 an empty OCTET STRING.
1431 4. Security Considerations
1433 Kerberos error messages are not integrity protected, as a result, the
1434 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered
1435 with by an attacker so that the set of domain parameters selected
1436 could be either weaker or not mutually preferred. Local policy can
1437 configure sets of domain parameters acceptable locally, or disallow
1438 the negotiation of DH domain parameters.
1440 The symmetric reply key size and Diffie-Hellman field size or RSA
1441 modulus size should be chosen so as to provide sufficient
1442 cryptographic security [RFC3766].
1444 When MODP Diffie-Hellman is used, the exponents should have at least
1445 twice as many bits as the symmetric keys that will be derived from
1448 PKINIT raises certain security considerations beyond those that can
1449 be regulated strictly in protocol definitions. We will address them
1455 Zhu & Tung Expires June 24, 2006 [Page 26]
1457 Internet-Draft PKINIT December 2005
1460 PKINIT extends the cross-realm model to the public-key
1461 infrastructure. Users of PKINIT must understand security policies
1462 and procedures appropriate to the use of Public Key Infrastructures
1465 In order to trust a KDC certificate that is certified by a CA as a
1466 KDC certificate for a target realm (for example, by asserting the TGS
1467 name of that Kerberos realm as an id-pkinit-san SAN and/or
1468 restricting the certificate usage by using the id-pkinit-KPKdc EKU,
1469 as described in Section 3.2.4), the client MUST verify that the KDC
1470 certificate's issuing CA is authorized to issue KDC certificates for
1471 that target realm. Otherwise, the binding between the KDC
1472 certificate and the KDC of the target realm is not established.
1474 How to validate this authorization is a matter of local policy. A
1475 way to achieve this is the configuration of specific sets of
1476 intermediary CAs and trust anchors, one of which must be on the KDC
1477 certificate's certification path [RFC3280]; and for each CA or trust
1478 anchor the realms for which it is allowed to issue certificates.
1480 In addition, if any CA is trusted to issue KDC certificates can also
1481 issue other kinds of certificates, then local policy must be able to
1482 distinguish between them: for example, it could require that KDC
1483 certificates contain the id-pkinit-KPKdc EKU or that the realm be
1484 specified with the id-pkinit-san SAN.
1486 It is the responsibility of the PKI administrators for an
1487 organization to ensure that KDC certificates are only issued to KDCs,
1488 and that clients can ascertain this using their local policy.
1490 Standard Kerberos allows the possibility of interactions between
1491 cryptosystems of varying strengths; this document adds interactions
1492 with public-key cryptosystems to Kerberos. Some administrative
1493 policies may allow the use of relatively weak public keys. Using
1494 such keys to wrap data encrypted under stronger conventional
1495 cryptosystems may be inappropriate.
1497 PKINIT requires keys for symmetric cryptosystems to be generated.
1498 Some such systems contain "weak" keys. For recommendations regarding
1499 these weak keys, see [RFC4120].
1501 PKINIT allows the use of the same RSA key pair for encryption and
1502 signing when doing RSA encryption based key delivery. This is not
1503 recommended usage of RSA keys [RFC3447], by using DH based key
1504 delivery this is avoided.
1506 Care should be taken in how certificates are chosen for the purposes
1507 of authentication using PKINIT. Some local policies may require that
1511 Zhu & Tung Expires June 24, 2006 [Page 27]
1513 Internet-Draft PKINIT December 2005
1516 key escrow be used for certain certificate types. Deployers of
1517 PKINIT should be aware of the implications of using certificates that
1518 have escrowed keys for the purposes of authentication. Because
1519 signing only certificates are normally not escrowed, by using DH
1520 based key delivery this is avoided.
1522 PKINIT does not provide for a "return routability" test to prevent
1523 attackers from mounting a denial-of-service attack on the KDC by
1524 causing it to perform unnecessary and expensive public-key
1525 operations. Strictly speaking, this is also true of standard
1526 Kerberos, although the potential cost is not as great, because
1527 standard Kerberos does not make use of public-key cryptography. By
1528 using DH based key delivery and reusing DH keys, the necessary crypto
1529 processing cost per request can be minimized.
1531 The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does
1532 permit empty SEQUENCEs to be encoded. Such empty sequences may only
1533 be used if the KDC itself vouches for the user's certificate.
1535 When the Diffie-Hellman key exchange method is used, additional pre-
1536 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as
1537 defined in this specification) is not bound to the AS_REQ by the
1538 mechanisms discussed in this specification (meaning it may be dropped
1539 or added by attackers without being detected by either the client or
1540 the KDC). Designers of additional pre-authentication data should
1541 take that into consideration if such additional pre-authentication
1542 data can be used in conjunction with the PA_PK_AS_REQ. The future
1543 work of the Kerberos working group is expected to update the hash
1544 algorithms specified in this document and provide a generic mechanism
1545 to bind additional pre-authentication data with the accompanying
1551 The following people have made significant contributions to this
1552 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist
1553 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey
1554 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M
1555 Grundman and Jeffrey Altman.
1557 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and
1558 Chris Walstad discovered a binding issue between the AS-REQ and AS-
1559 REP in draft -26, the asChecksum field was added as the result.
1561 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and
1562 Jonathan Trostle who wrote earlier versions of this document.
1567 Zhu & Tung Expires June 24, 2006 [Page 28]
1569 Internet-Draft PKINIT December 2005
1572 The authors are indebted to the Kerberos working group chair Jeffrey
1573 Hutzelman who kept track of various issues and was enormously helpful
1574 during the creation of this document.
1576 Some of the ideas on which this document is based arose during
1577 discussions over several years between members of the SAAG, the IETF
1578 CAT working group, and the PSRG, regarding integration of Kerberos
1579 and SPX. Some ideas have also been drawn from the DASS system.
1580 These changes are by no means endorsed by these groups. This is an
1581 attempt to revive some of the goals of those groups, and this
1582 document approaches those goals primarily from the Kerberos
1585 Lastly, comments from groups working on similar ideas in DCE have
1589 6. IANA Considerations
1591 This document has no actions for IANA.
1596 7.1. Normative References
1599 IEEE, "Standard Specifications for Public Key
1600 Cryptography", IEEE 1363, 2000.
1602 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1603 Requirement Levels", BCP 14, RFC 2119, March 1997.
1605 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol",
1606 RFC 2412, November 1998.
1608 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
1609 RFC 2631, June 1999.
1611 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
1612 Identifiers for the Internet X.509 Public Key
1613 Infrastructure Certificate and Certificate Revocation List
1614 (CRL) Profile", RFC 3279, April 2002.
1616 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
1617 X.509 Public Key Infrastructure Certificate and
1618 Certificate Revocation List (CRL) Profile", RFC 3280,
1623 Zhu & Tung Expires June 24, 2006 [Page 29]
1625 Internet-Draft PKINIT December 2005
1628 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
1629 Algorithms", RFC 3370, August 2002.
1631 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
1632 Standards (PKCS) #1: RSA Cryptography Specifications
1633 Version 2.1", RFC 3447, February 2003.
1635 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
1636 Diffie-Hellman groups for Internet Key Exchange (IKE)",
1639 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
1640 Encryption Algorithm in Cryptographic Message Syntax
1641 (CMS)", RFC 3565, July 2003.
1643 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
1644 Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1645 RFC 3766, April 2004.
1647 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
1648 RFC 3852, July 2004.
1650 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
1651 Kerberos 5", RFC 3961, February 2005.
1653 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
1654 Encryption for Kerberos 5", RFC 3962, February 2005.
1656 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
1657 Kerberos Network Authentication Service (V5)", RFC 4120,
1660 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
1661 Version 5 Generic Security Service Application Program
1662 Interface (GSS-API) Mechanism: Version 2", RFC 4121,
1665 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
1666 Information technology - Abstract Syntax Notation One
1667 (ASN.1): Specification of basic notation.
1669 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
1670 Information technology - ASN.1 encoding Rules: Specification
1671 of Basic Encoding Rules (BER), Canonical Encoding Rules
1672 (CER) and Distinguished Encoding Rules (DER).
1679 Zhu & Tung Expires June 24, 2006 [Page 30]
1681 Internet-Draft PKINIT December 2005
1684 7.2. Informative References
1686 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
1687 Sizes", Journal of Cryptology 14 (2001) 255-293.
1689 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the
1690 future, Designs, Codes, and Cryptography (1999)".
1692 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
1693 Nicholas, "Internet X.509 Public Key Infrastructure:
1694 Certification Path Building", RFC 4158, September 2005.
1697 Appendix A. PKINIT ASN.1 Module
1699 KerberosV5-PK-INIT-SPEC {
1700 iso(1) identified-organization(3) dod(6) internet(1)
1701 security(5) kerberosV5(2) modules(4) pkinit(5)
1702 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
1705 SubjectPublicKeyInfo, AlgorithmIdentifier
1706 FROM PKIX1Explicit88 { iso (1)
1707 identified-organization (3) dod (6) internet (1)
1708 security (5) mechanisms (5) pkix (7) id-mod (0)
1709 id-pkix1-explicit (18) }
1710 -- As defined in RFC 3280.
1712 KerberosTime, PrincipalName, Realm, EncryptionKey
1713 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
1714 dod(6) internet(1) security(5) kerberosV5(2)
1715 modules(4) krb5spec2(2) } ;
1717 id-pkinit OBJECT IDENTIFIER ::=
1718 { iso (1) org (3) dod (6) internet (1) security (5)
1719 kerberosv5 (2) pkinit (3) }
1721 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
1722 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
1723 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
1724 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 }
1725 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 }
1727 id-pkinit-san OBJECT IDENTIFIER ::=
1728 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1733 Zhu & Tung Expires June 24, 2006 [Page 31]
1735 Internet-Draft PKINIT December 2005
1738 pa-pk-as-req INTEGER ::= 16
1739 pa-pk-as-rep INTEGER ::= 17
1741 ad-initial-verified-cas INTEGER ::= 9
1743 td-trusted-certifiers INTEGER ::= 104
1744 td-invalid-certificates INTEGER ::= 105
1745 td-dh-parameters INTEGER ::= 109
1747 PA-PK-AS-REQ ::= SEQUENCE {
1748 signedAuthPack [0] IMPLICIT OCTET STRING,
1749 -- Contains a CMS type ContentInfo encoded
1750 -- according to [RFC3852].
1751 -- The contentType field of the type ContentInfo
1752 -- is id-signedData (1.2.840.113549.1.7.2),
1753 -- and the content field is a SignedData.
1754 -- The eContentType field for the type SignedData is
1755 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
1756 -- eContent field contains the DER encoding of the
1758 -- AuthPack is defined below.
1759 trustedCertifiers [1] SEQUENCE OF
1760 ExternalPrincipalIdentifier OPTIONAL,
1761 -- Contains a list of CAs, trusted by the client,
1762 -- that can be used to certify the KDC.
1763 -- Each ExternalPrincipalIdentifier identifies a CA
1764 -- or a CA certificate (thereby its public key).
1765 -- The information contained in the
1766 -- trustedCertifiers SHOULD be used by the KDC as
1767 -- hints to guide its selection of an appropriate
1768 -- certificate chain to return to the client.
1769 kdcPkId [2] IMPLICIT OCTET STRING
1771 -- Contains a CMS type SignerIdentifier encoded
1772 -- according to [RFC3852].
1773 -- Identifies, if present, a particular KDC
1774 -- public key that the client already has.
1778 DHNonce ::= OCTET STRING
1780 ExternalPrincipalIdentifier ::= SEQUENCE {
1781 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
1782 -- Contains a PKIX type Name encoded according to
1784 -- Identifies the certificate subject by the
1785 -- distinguished subject name.
1789 Zhu & Tung Expires June 24, 2006 [Page 32]
1791 Internet-Draft PKINIT December 2005
1794 -- REQUIRED when there is a distinguished subject
1795 -- name present in the certificate.
1796 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
1797 -- Contains a CMS type IssuerAndSerialNumber encoded
1798 -- according to [RFC3852].
1799 -- Identifies a certificate of the subject.
1800 -- REQUIRED for TD-INVALID-CERTIFICATES and
1801 -- TD-TRUSTED-CERTIFIERS.
1802 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
1803 -- Identifies the subject's public key by a key
1804 -- identifier. When an X.509 certificate is
1805 -- referenced, this key identifier matches the X.509
1806 -- subjectKeyIdentifier extension value. When other
1807 -- certificate formats are referenced, the documents
1808 -- that specify the certificate format and their use
1809 -- with the CMS must include details on matching the
1810 -- key identifier to the appropriate certificate
1812 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
1816 AuthPack ::= SEQUENCE {
1817 pkAuthenticator [0] PKAuthenticator,
1818 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
1819 -- Type SubjectPublicKeyInfo is defined in
1821 -- Specifies Diffie-Hellman domain parameters
1822 -- and the client's public key value [IEEE1363].
1823 -- The DH public key value is encoded as a BIT
1824 -- STRING according to [RFC3279].
1825 -- This field is present only if the client wishes
1826 -- to use the Diffie-Hellman key agreement method.
1827 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
1829 -- Type AlgorithmIdentifier is defined in
1831 -- List of CMS encryption types supported by the
1832 -- client in order of (decreasing) preference.
1833 clientDHNonce [3] DHNonce OPTIONAL,
1834 -- Present only if the client indicates that it
1835 -- wishes to reuse DH keys or to allow the KDC to
1840 PKAuthenticator ::= SEQUENCE {
1841 cusec [0] INTEGER (0..999999),
1845 Zhu & Tung Expires June 24, 2006 [Page 33]
1847 Internet-Draft PKINIT December 2005
1850 ctime [1] KerberosTime,
1851 -- cusec and ctime are used as in [RFC4120], for
1852 -- replay prevention.
1853 nonce [2] INTEGER (0..4294967295),
1854 -- Chosen randomly; This nonce does not need to
1855 -- match with the nonce in the KDC-REQ-BODY.
1856 paChecksum [3] OCTET STRING,
1857 -- Contains the SHA1 checksum, performed over
1862 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
1863 ExternalPrincipalIdentifier
1864 -- Identifies a list of CAs trusted by the KDC.
1865 -- Each ExternalPrincipalIdentifier identifies a CA
1866 -- or a CA certificate (thereby its public key).
1868 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
1869 ExternalPrincipalIdentifier
1870 -- Each ExternalPrincipalIdentifier identifies a
1871 -- certificate (sent by the client) with an invalid
1874 KRB5PrincipalName ::= SEQUENCE {
1876 principalName [1] PrincipalName
1879 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
1880 ExternalPrincipalIdentifier
1881 -- Identifies the certification path based on which
1882 -- the client certificate was validated.
1883 -- Each ExternalPrincipalIdentifier identifies a CA
1884 -- or a CA certificate (thereby its public key).
1886 PA-PK-AS-REP ::= CHOICE {
1887 dhInfo [0] DHRepInfo,
1888 -- Selected when Diffie-Hellman key exchange is
1890 encKeyPack [1] IMPLICIT OCTET STRING,
1891 -- Selected when public key encryption is used.
1892 -- Contains a CMS type ContentInfo encoded
1893 -- according to [RFC3852].
1894 -- The contentType field of the type ContentInfo is
1895 -- id-envelopedData (1.2.840.113549.1.7.3).
1896 -- The content field is an EnvelopedData.
1897 -- The contentType field for the type EnvelopedData
1901 Zhu & Tung Expires June 24, 2006 [Page 34]
1903 Internet-Draft PKINIT December 2005
1906 -- is id-signedData (1.2.840.113549.1.7.2).
1907 -- The eContentType field for the inner type
1908 -- SignedData (when unencrypted) is
1909 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1910 -- eContent field contains the DER encoding of the
1911 -- type ReplyKeyPack.
1912 -- ReplyKeyPack is defined below.
1916 DHRepInfo ::= SEQUENCE {
1917 dhSignedData [0] IMPLICIT OCTET STRING,
1918 -- Contains a CMS type ContentInfo encoded according
1920 -- The contentType field of the type ContentInfo is
1921 -- id-signedData (1.2.840.113549.1.7.2), and the
1922 -- content field is a SignedData.
1923 -- The eContentType field for the type SignedData is
1924 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
1925 -- eContent field contains the DER encoding of the
1926 -- type KDCDHKeyInfo.
1927 -- KDCDHKeyInfo is defined below.
1928 serverDHNonce [1] DHNonce OPTIONAL,
1929 -- Present if and only if dhKeyExpiration is
1934 KDCDHKeyInfo ::= SEQUENCE {
1935 subjectPublicKey [0] BIT STRING,
1936 -- The KDC's DH public key.
1937 -- The DH public key value is encoded as a BIT
1938 -- STRING according to [RFC3279].
1939 nonce [1] INTEGER (0..4294967295),
1940 -- Contains the nonce in the pkAuthenticator field
1941 -- in the request if the DH keys are NOT reused,
1943 dhKeyExpiration [2] KerberosTime OPTIONAL,
1944 -- Expiration time for KDC's key pair,
1945 -- present if and only if the DH keys are reused.
1946 -- If present, the KDC's DH public key MUST not be
1947 -- used past the point of this expiration time.
1948 -- If this field is omitted then the serverDHNonce
1949 -- field MUST also be omitted.
1953 ReplyKeyPack ::= SEQUENCE {
1957 Zhu & Tung Expires June 24, 2006 [Page 35]
1959 Internet-Draft PKINIT December 2005
1962 replyKey [0] EncryptionKey,
1963 -- Contains the session key used to encrypt the
1964 -- enc-part field in the AS-REP, i.e. the
1966 asChecksum [1] Checksum,
1967 -- Contains the checksum of the AS-REQ
1968 -- corresponding to the containing AS-REP.
1969 -- The checksum is performed over the type AS-REQ.
1970 -- The protocol key [RFC3961] of the checksum is the
1971 -- replyKey and the key usage number is 6.
1972 -- If the replyKey's enctype is "newer" [RFC4120]
1973 -- [RFC4121], the checksum is the required
1974 -- checksum operation [RFC3961] for that enctype.
1975 -- The client MUST verify this checksum upon receipt
1980 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
1981 -- Each AlgorithmIdentifier specifies a set of
1982 -- Diffie-Hellman domain parameters [IEEE1363].
1983 -- This list is in decreasing preference order.
1987 Appendix B. Test Vectors
1989 Function octetstring2key() is defined in Section 3.2.3.1. This
1990 section describes a few sets of test vectors that would be useful for
1991 implementers of octetstring2key().
1996 Input octet string x is:
1998 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1999 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2001 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2002 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2003 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2004 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2005 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2006 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2007 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2008 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2009 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2013 Zhu & Tung Expires June 24, 2006 [Page 36]
2015 Internet-Draft PKINIT December 2005
2018 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2019 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2021 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2023 Output of K-truncate() when the key size is 32 octets:
2025 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83
2026 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41
2031 Input octet string x is:
2033 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2034 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2035 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2036 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2037 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2038 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2039 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2042 Output of K-truncate() when the key size is 32 octets:
2044 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb
2045 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e
2050 Input octet string x is:
2052 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2053 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2054 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2055 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2056 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b
2057 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a
2058 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09
2059 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2061 Output of K-truncate() when the key size is 32 octets:
2063 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3
2064 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e
2069 Zhu & Tung Expires June 24, 2006 [Page 37]
2071 Internet-Draft PKINIT December 2005
2076 Input octet string x is:
2078 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2079 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2080 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2081 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2082 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2084 Output of K-truncate() when the key size is 32 octets:
2086 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a
2087 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc
2090 Appendix C. Miscellaneous Information about Microsoft Windows PKINIT
2093 Earlier revisions of the PKINIT I-D were implemented in various
2094 releases of Microsoft Windows and deployed in fairly large numbers.
2095 To enable the community to better interoperate with systems running
2096 those releases, the following information may be useful.
2098 KDC certificates issued by Windows 2000 Enterprise CAs contain a
2099 dNSName SAN with the DNS name of the host running the KDC, and the
2100 id-kp-serverAuth EKU [RFC3280].
2102 KDC certificates issued by Windows 2003 Enterprise CAs contain a
2103 dNSName SAN with the DNS name of the host running the KDC, the id-kp-
2104 serverAuth EKU and the id-ms-kp-sc-logon EKU.
2106 It is anticipated that the next release of Windows is already too far
2107 along to allow it to support the issuing KDC certificates with id-
2108 pkinit-san SAN as specified in this RFC. Instead, they will have a
2109 dNSName SAN containing the domain name of the KDC and the intended
2110 purpose of these KDC certificates be restricted by the presence of
2111 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU.
2113 In addition to checking that the above are present in a KDC
2114 certificate, Windows clients verify that the issuer of the KDC
2115 certificate is one of a set of allowed issuers of such certificates,
2116 so those wishing to issue KDC certificates need to configure their
2117 Windows clients appropriately.
2119 Client certificates accepted by Windows 2000 and Windows 2003 Server
2120 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3)
2121 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN
2125 Zhu & Tung Expires June 24, 2006 [Page 38]
2127 Internet-Draft PKINIT December 2005
2130 contains a UTF8 encoded string whose value is that of the Directory
2131 Service attribute UserPrincipalName of the client account object, and
2132 the purpose of including the id-ms-san-sc-logon-upn SAN in the client
2133 certificate is to validate the client mapping (in other words, the
2134 client's public key is bound to the account that has this
2135 UserPrincipalName value).
2137 It should be noted that all Microsoft Kerberos realm names are domain
2138 style realm names and strictly in upper case. In addition, the
2139 UserPrincipalName attribute is globally unique in Windows 2000 and
2181 Zhu & Tung Expires June 24, 2006 [Page 39]
2183 Internet-Draft PKINIT December 2005
2189 Microsoft Corporation
2194 Email: lzhu@microsoft.com
2198 USC Information Sciences Institute
2199 4676 Admiralty Way Suite 1001
2200 Marina del Rey, CA 90292
2203 Email: brian@isi.edu
2237 Zhu & Tung Expires June 24, 2006 [Page 40]
2239 Internet-Draft PKINIT December 2005
2242 Intellectual Property Statement
2244 The IETF takes no position regarding the validity or scope of any
2245 Intellectual Property Rights or other rights that might be claimed to
2246 pertain to the implementation or use of the technology described in
2247 this document or the extent to which any license under such rights
2248 might or might not be available; nor does it represent that it has
2249 made any independent effort to identify any such rights. Information
2250 on the procedures with respect to rights in RFC documents can be
2251 found in BCP 78 and BCP 79.
2253 Copies of IPR disclosures made to the IETF Secretariat and any
2254 assurances of licenses to be made available, or the result of an
2255 attempt made to obtain a general license or permission for the use of
2256 such proprietary rights by implementers or users of this
2257 specification can be obtained from the IETF on-line IPR repository at
2258 http://www.ietf.org/ipr.
2260 The IETF invites any interested party to bring to its attention any
2261 copyrights, patents or patent applications, or other proprietary
2262 rights that may cover technology that may be required to implement
2263 this standard. Please address the information to the IETF at
2267 Disclaimer of Validity
2269 This document and the information contained herein are provided on an
2270 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2271 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2272 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2273 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2274 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2275 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2280 Copyright (C) The Internet Society (2005). This document is subject
2281 to the rights, licenses and restrictions contained in BCP 78, and
2282 except as set forth therein, the authors retain all their rights.
2287 Funding for the RFC Editor function is currently provided by the
2293 Zhu & Tung Expires June 24, 2006 [Page 41]