7 INTERNET-DRAFT S.Sakane
8 Expires: April 16, 2007 N.Okabe
10 Yokogawa Electric Corp.
18 Problem statement on the cross-realm operation
19 of Kerberos in a specific system
20 draft-sakane-krb-cross-problem-statement-00.txt
27 By submitting this Internet-Draft, each author represents that any
28 applicable patent or other IPR claims of which he or she is aware
29 have been or will be disclosed, and any of which he or she becomes
30 aware will be disclosed, in accordance with Section 6 of BCP 79.
32 Internet-Drafts are working documents of the Internet Engineering
33 Task Force (IETF), its areas, and its working groups. Note that
34 other groups may also distribute working documents as Internet-
37 Internet-Drafts are draft documents valid for a maximum of six months
38 and may be updated, replaced, or obsoleted by other documents at any
39 time. It is inappropriate to use Internet-Drafts as reference
40 material or to cite them other than as "work in progress".
42 The list of current Internet-Drafts can be accessed at
43 http://www.ietf.org/ietf/1id-abstracts.txt
45 The list of Internet-Draft Shadow Directories can be accessed at
46 http://www.ietf.org/shadow.html
48 This Internet-Draft expires in April 16, 2007.
53 Copyright (C) The Internet Society (2006).
58 S.Sakane, et al. [Page 1]
60 Internet-Draft October 2006
65 There are some issues when the cross-realm operation of the Kerberos
66 Version 5 [RFC4120] is employed into the specific systems. This
67 document describes some manners of the real example, and lists
68 requirements of the operation in such real system. Then it clarifies
69 issues when we apply the cross-realm operation to such specific
74 Conventions used in this document
76 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
77 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
78 document are to be interpreted as described in RFC 2119 [RFC2119].
80 It is assumed that the readers are familiar with the terms and
81 concepts described in the Kerberos Version 5 [RFC4120].
114 S.Sakane, et al. [Page 2]
116 Internet-Draft October 2006
121 1. Introduction ................................................. 4
122 2. Kerberos system .............................................. 4
123 2.1. Kerberos basic operation ................................ 4
124 2.2. Cross-realm operation ................................... 5
125 3. Manner of operations in the real environment ................. 6
126 4. Requirement .................................................. 7
127 5. Issues ....................................................... 8
128 5.1. Scalability of the direct trust model ................... 8
129 5.2. Exposure to DoS Attacks ................................. 8
130 5.3. No PFS in case of the indirect trust model .............. 9
131 5.4. Unreliability of authentication chain ................... 9
132 5.5. Client's performance .................................... 10
133 5.6. Pre-authentication problem in roaming scenarios ......... 10
134 6. Implementation consideration ................................. 10
135 7. IANA Considerations .......................................... 11
136 8. Security Considerations ...................................... 11
137 9. Acknowledgments .............................................. 11
138 10. References ................................................... 11
139 10.1. Normative References ................................... 11
140 10.2. Informative References ................................. 11
141 Authors' Addresses ............................................... 12
142 Full Copyright Statement ......................................... 13
143 Intellectual Property Statement .................................. 13
170 S.Sakane, et al. [Page 3]
172 Internet-Draft October 2006
177 The Kerberos Version 5 is a widely deployed mechanism that a server
178 can authenticate a client access. Each client belongs to a managed
179 domain called realm. Kerberos supports the authentication in case of
180 situation that a client and a server belong to different realms.
181 This is called the cross-realm operation.
183 Meanwhile, there are lots of manners of operation in the real system,
184 where Kerberos could be applied. Sometimes, there are several
185 managed domain in such system. and it requires the authentication
186 mechanism over the different managed domains. When the cross-realm
187 operation of Kerberos is applied to such specific systems, some
190 This document briefly describes the Kerberos Version 5 system and the
191 cross-realm operation. Then, it describes some manners of the real
192 system, and describes its requirements in term of management and
193 operation in order to understand issues. Finally, it lists the
194 issues of the cross-realm operation.
196 This document is assumed that the readers are familiar with the terms
197 and concepts described in the Kerberos Version 5 [RFC4120].
205 2.1. Kerberos basic operation
207 Kerberos [RFC4120] is a widely deployed authentication system. The
208 authentication process in Kerberos involves principals and a Key
209 Distribution Center (KDC). The principals can be users or services.
210 Each KDC maintains a principals database and shares a secret key with
211 each registered principal.
213 The authentication process allows a user to acquire the needed
214 credentials from the KDC. These credentials allow services to
215 authenticate the users before granting them access to the resources.
216 An important part of the credentials are called Tickets. There are
217 two kind of tickets: Ticket Granting Ticket (TGT) and Service Ticket.
218 The TGT is obtained periodically from the KDC and has a limited limit
219 after which it expires and the user must renew it. The TGT is used
220 to obtain the other kind of tickets, Service Tickets. The user
221 obtains a TGT from the Authentication Service (AS), a logical
222 component of the KDC. The process of obtaining a TGT is referred to
226 S.Sakane, et al. [Page 4]
228 Internet-Draft October 2006
231 as 'AS exchange'. When a TGT request is issued by an user, the AS
232 responds by sending a reply packet containing the credentials which
233 consists of the TGT along with a random key called 'TGS Session Key'.
234 The TGT contains a set of information encrypted using a secret key
235 associated with a special service referred to as TGS (Ticket Granting
236 Service). The TGS session key is encrypted using the user's key so
237 that the user can obtain the TGS session key only if she knows the
238 secret key shared with the KDC. The TGT then is used to obtain
239 Service Tickets from the Ticket Granting Service (TGS)- the second
240 component of the KDC. The process of obtaining service tickets is
241 referred to as 'TGS exchange'. The request for a service ticket
242 consists on a packet containing a TGT and an 'Authenticator'. The
243 Authenticator is encrypted using the TGS session key and contains the
244 identity of the user as well as time stamps (for protection against
245 replay attacks). After decrypting the TGT (which was encrypted by
246 the AS using the TGS's secret key), the TGS extracts the TGS session
247 key. Using that session key, it decrypts the Authenticator and
248 authenticates the user. Then, the TGS issues credentials requested
249 by the user. These credentials consist on a service ticket and a
250 session key that will be used to authenticate the user with the
251 desired application service.
255 2.2. Cross-realm operation
257 The Kerberos protocol provides the cross-realm authentication
258 capabilities. This allows users to obtain service tickets to access
259 services in foreign realms. In order to access such services, the
260 users first contact their home KDC asking for a TGT that will be used
261 with the TGS of the foreign realm. If the home realm and the foreign
262 realm share keys and have an established trust relationship, the home
263 KDC delivers the requested TGT.
265 However, if the home realm does not share cross-realm keys with the
266 foreign realm, the home KDC will provide a TGT that can be used with
267 an intermediary foreign realm that is likely to be sharing cross-
268 realm keys with the target realm. The client can use this
269 'intermediary TGT' to communicate with the intermediary KDC which
270 will iterate the actions taken by the home KDC: If the intermediary
271 KDC does not share cross-realm keys with the target foreign realm it
272 will point the user to another intermediary KDC (just as in the first
273 exchange between the user and its home KDC). However, in the other
274 case (when it shares cross- realm keys with the target realm), the
275 intermediary KDC will issue a TGT that can be used with the KDC of
276 the target realm. After obtaining a TGT for the desired foreign
277 realm, the client uses it to obtain service tickets from the TGS of
278 the foreign realm. Finally, the user access the service using the
282 S.Sakane, et al. [Page 5]
284 Internet-Draft October 2006
289 When the realms belong to the same institution, a chain of trust can
290 be determined by the client or the KDC by following the DNS domain
291 hierarchy and supposing that the parent domains share keys with all
292 its child sub-domains. However, because the inter-realm trust model
293 is not necessarily constructing the hierarchic approach anytime, the
294 trust path must be specified manually. When intermediary realms are
295 involved, the success of the cross-realm operation completely depends
296 on the realms that are part of the authentication path.
300 3. Manner of operations in the real environment
302 This section describes examples of operation in the real environment.
303 And it also describes its requirement in term of both management and
304 operation. These requirements make the issues easier understanding.
305 We refers to the world's largest petrochemical company [SHELLCHEM].
306 It produces bulk petrochemicals and their delivery to large
307 industrial customers. There are 43 typical plants of the company all
308 over the world. They are managed by the operation sites placed in 35
309 countries. This section shows two examples of them.
311 One is the CSPC (CNOOC and Shell Petrochemical Company Limited)
312 [CSPC], an example of the centralized plant. The CSPC is a joint
313 enterprise of CNOOC and SHELL. Its plant is one of the hugest
314 systems of a petrochemical industry placed in the area of 3.4 square
315 meters in the north coast of Daya Bay, Guangdong, which is at the
316 southeast of China. 3,000 network segments are established in the
317 system. 16,000 control devices are connected to the local area
318 network. These devices belong to different 9 sub systems, A control
319 device has some control points, which are controlled and monitored by
320 other devices remotely. There are 200,000 control points in all.
321 They are controlled by 3 different control center.
323 Another is the NAM (Nederlandse Aardolie Maatschappij), an example of
324 the distributed plant system. The NAM is a partnership enterprise of
325 Shell and Exxon. It is a plant system group that geographically
326 distributes to scatter in the area of 863 square meters of
327 Netherlands. 26 plants, each is named "cluster", are scattered in
328 the area. They are connected each other by a private ATM WAN. Each
329 cluster has approximately 500-1,000 control devices. These devices
330 are managed by each local control center in each cluster. In the
331 entire system of the NAM, there are one million control points.
333 The end control devices in the both of the systems are basically
334 connected to a local network by a twisted pair cable, which is a low
338 S.Sakane, et al. [Page 6]
340 Internet-Draft October 2006
343 band-width of 32 kbps. Every system supposes that no ad-hoc device
344 is never connected to the system since they are well designed before
345 they are implemented. Low clock CPU, for example H8 [RNSS-H8] and
346 M16C [RNSS-M16C], are employed by many control devices. Furthermore,
347 to suppress power consumption, these CPU may be lowered the number of
348 clocks. A part of the operation, like control of these system,
349 maintenance, and the environmental monitoring, is consigned to an
350 external organization. Agants who are consigned walk around the
351 plant to get their information, or watch the plant from a remote
352 site. Currently, each plant is independently operated. However, it
353 is not impossible to monitor and control all of plants distributed in
360 This section listed requirements derived from the previous section.
361 There are seven requirements in term of management domain separation.
365 It is necessary to allow different independent management domains
366 to coexist because two or more organizations enter to the system.
369 It is necessary to allow a management domain to delegate its
370 management authority to its subdomains or another management
371 domain because the plants are distributed to the wide area.
374 It is necessary to observe and to control the device from
375 remoteness because the plants are distributed to the wide area.
376 Each realm may connect with a private WAN, or with the Internet.
379 The device must be observed, and be controlled from another
383 Agents who are consigned must observe and control the device from
387 Agents who are consigned must also observe and control the device
388 at the plant, which is different domain from the agents' one.
394 S.Sakane, et al. [Page 7]
396 Internet-Draft October 2006
399 Because of above requirements, the cross-realm operation of Kerberos
400 seems suitable for this system. The requirements derived from other
401 viewpoints is listed as follows.
405 It is demanded to reduce the management cost as much as possible.
408 The communication for observing and controlling devices must have
409 confidentiality and integrity. And, it is necessary to think
410 about the threat of other security like the DoS attack.
413 It is necessary to consider the processing performance of the
414 device. And, it is necessary to suppress the power consumption of
418 It is necessary to consider bandwidth of the communication.
424 This section lists the issues when we consider the above
428 5.1. Scalability of the direct trust model
430 In the direct relationship of trust between each realm, the realms
431 involved in the cross-realm operation share keys and their respective
432 TGS principals are registered in each other's KDC. When direct trust
433 relationships are used, the KDC of each realm must maintain keys with
434 all foreign realms. This can become a cumbersome task when the
435 number of realms increase. This also increases maintenance cost.
437 This issue will happen as a by-product of a result meeting the
438 requirements A-1 and A-2, and is related to B-1.
442 5.2. Exposure to DoS Attacks
444 One of the assumption made when allowing the cross-realm operation in
445 Kerberos is that users can communicate with KDCs located in remote
446 realms. This practice introduces security threats because KDCs are
450 S.Sakane, et al. [Page 8]
452 Internet-Draft October 2006
455 open to the public network. Administrators may think of restricting
456 the access to the KDC to the trusted realms only. However, this
457 approach is not scalable and does not really protect the KDC.
458 Indeed, when the remote realms have several IP prefixes (e.g. control
459 centers or outsourcing companies, located world wide), then the
460 administrator of the local KDC must collect the list of prefixes that
461 belong to these organization. The filtering rules must then
462 explicitly allow the incoming traffic from any host that belongs to
463 one of these prefixes. This makes the administrator's tasks more
464 complicated and prone to human errors. And also, the maintenance
465 cost increases. On the other hand, when ranges of external IP
466 addresses are allowed to communicate with the KDC, the risk of
467 becoming target to attacks from remote malicious users increases.
469 This issue will happen as a result meeting the requirements A-3, A-4
470 and A-5. And it is related to B-1 and B-2.
474 5.3. No PFS in case of the indirect trust model
476 In [SPECCROSS], any KDC in the authentication path can learn the
477 session key that will be used between the client and the desired
478 service. This means that any intermediary realm is able to spoof the
479 identity either of the service or the client as well as to eavesdrop
480 on the communication between the client and the server.
482 This issue will happen as a by-product of a result meeting the
483 requirements A-1 and A-2, and is related to B-2.
487 5.4. Unreliability of authentication chain
489 When the relationship of trust is constructed like a chain or
490 hierarchical, the authentication path is not dependable since it
491 strongly depends on intermediary realms that might not be under the
492 same authority. If any of the realms in the authentication path is
493 not available, then the principals of the end-realms can not perform
494 the cross-realm operation.
496 The end-point realms do not have full control and responsibility of
497 the success of the operations even if their respective KDCs are fully
498 functional. Dependability of a system decreases if the system relies
499 on uncontrolled components. We can not be sure at 100% about the
500 result of the authentication since we do not know how is it going in
506 S.Sakane, et al. [Page 9]
508 Internet-Draft October 2006
511 This issue will happen as a by-product of a result meeting the
512 requirements A-1 and A-2, and is related to B-2.
516 5.5. Client's performance
518 In the cross-realm operation, Kerberos clients have to perform TGS
519 exchanges with all the KDCs in the trust path, including the home KDC
522 In some cases where the client has limited computational
523 capabilities, which is used in the above process automation system,
524 the overhead of these cross-realm exchanges may grow into
525 unacceptable delays. TGS exchange requires cryptographic operations,
526 and it demands important processing time especially when small
529 This issue will happen as a by-product of a result meeting the
530 requirements A-1 and A-2, and is related to B-3.
534 5.6. Pre-authentication problem in roaming scenarios
536 In roaming scenarios, the client needs to contact her home KDC to
537 obtain a cross-realm TGT for the local (or visited) realm. However,
538 the policy of the network access providers or the gateway in the
539 local network usually does not allow clients to communicate with
540 hosts in the Internet unless they provide valid authentication
541 credentials. In this manner, the client encounters a chicken-and-egg
542 problem where two resources are interdependent; the Internet
543 connection is needed to contact the home KDC and for obtaining
544 credentials, and on the other hand, the Internet connection is only
545 granted for clients who have valid credentials. As a result, the
546 Kerberos protocol can not be used as it is for authenticating roaming
547 clients requesting network access.
549 This issue will happen as a result meeting the requirements A-6.
553 6. Implementation consideration
555 This document just describes issues of the cross-realm operation in
556 the specific systems. However, there are important matters to be
557 considered, when we solve these issues and implement solution.
558 Solution must not introduce new problem. Solution should use
562 S.Sakane, et al. [Page 10]
564 Internet-Draft October 2006
567 existing components or protocols as much as possible, should not
568 introduce any definition of new component. Solution must not require
569 a KDC to have any additional process. You must not forget that there
570 would be a trade-off matter anytime. So an implementation may not
571 solve all of the problems stated in this document.
575 7. IANA Considerations
577 This document makes no request of IANA.
581 8. Security Considerations
583 This document just clarifies some issues of the cross-realm operation
584 of the Kerberos V system. There is especially not describing
585 security. Some troubles might be caused to your system by malicious
586 user who misuses the description of this document if it dares to say.
597 10.1. Normative References
599 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
600 Kerberos Network Authentication Service (V5)", RFC
605 10.2. Informative References
607 [CSPC] http://www.shellchemicals.com/news/1,1098,72-news_id=
611 [RNSS-H8] http://www.renesas.com/fmwk.jsp?cnt=h8_family_landing.
612 jsp&fp=/products/mpumcu/h8_family/
618 S.Sakane, et al. [Page 11]
620 Internet-Draft October 2006
623 [RNSS-M16C] http://www.renesas.com/fmwk.jsp?cnt=m16c_family_landi
624 ng.jsp&fp=/products/mpumcu/m16c_family/
627 [RFC2119] S.Bradner, "Key words for use in RFCs to Indicate
628 Requirement Levels", RFC 2119, March 1997.
631 [SHELLCHEM] http://www.shellchemicals.com/home/1,1098,-1,00.html
634 [SPECCROSS] I. Cervesato and A. Jaggard and A. Scedrov and C.
635 Walstad, "Specifying Kerberos 5 Cross-Realm
636 Authentication", Fifth Workshop on Issues in the Theory
637 of Security, Jan 2005.
645 Yokogawa Electric Corporation
647 Musashino-shi, Tokyo 180-8750
649 E-mail: Shouichi.Sakane@jp.yokogawa.com,
650 Nobuo.Okabe@jp.yokogawa.com,
651 Kazunori.Miyazawa@jp.yokogawa.com
655 Japan Advanced Institute of Science and Technology
657 Nomi, Ishikawa 923-1292
659 E-mail: zrelli@jaist.ac.jp
664 1, komukai-toshiba-cho
665 Saiwai-ku, Kawasaki 212-8582
667 E-mail: masahiro@isl.rdc.toshiba.co.jp
674 S.Sakane, et al. [Page 12]
676 Internet-Draft October 2006
679 Full Copyright Statement
681 Copyright (C) The Internet Society (2006).
683 This document is subject to the rights, licenses and restrictions
684 contained in BCP 78, and except as set forth therein, the authors
685 retain all their rights.
687 This document and the information contained herein are provided on an
688 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
689 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
690 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
691 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
692 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
693 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
695 Intellectual Property Statement
697 The IETF takes no position regarding the validity or scope of any
698 Intellectual Property Rights or other rights that might be claimed to
699 pertain to the implementation or use of the technology described in
700 this document or the extent to which any license under such rights
701 might or might not be available; nor does it represent that it has
702 made any independent effort to identify any such rights. Information
703 on the procedures with respect to rights in RFC documents can be
704 found in BCP 78 and BCP 79.
706 Copies of IPR disclosures made to the IETF Secretariat and any
707 assurances of licenses to be made available, or the result of an
708 attempt made to obtain a general license or permission for the use of
709 such proprietary rights by implementers or users of this
710 specification can be obtained from the IETF on-line IPR repository at
711 http://www.ietf.org/ipr.
713 The IETF invites any interested party to bring to its attention any
714 copyrights, patents or patent applications, or other proprietary
715 rights that may cover technology that may be required to implement
716 this standard. Please address the information to the IETF at ietf-
730 S.Sakane, et al. [Page 13]