7 Network Working Group Ken'ichi Kamada
8 INTERNET-DRAFT Shoichi Sakane
9 Expires: September 6, 2007 Yokogawa Electric Corporation
13 Client-Friendly Cross-Realm Model for Kerberos 5
14 draft-kamada-krb-client-friendly-cross-01.txt
21 By submitting this Internet-Draft, each author represents that any
22 applicable patent or other IPR claims of which he or she is aware
23 have been or will be disclosed, and any of which he or she becomes
24 aware will be disclosed, in accordance with Section 6 of BCP 79.
26 Internet-Drafts are working documents of the Internet Engineering
27 Task Force (IETF), its areas, and its working groups. Note that
28 other groups may also distribute working documents as Internet-
31 Internet-Drafts are draft documents valid for a maximum of six months
32 and may be updated, replaced, or obsoleted by other documents at any
33 time. It is inappropriate to use Internet-Drafts as reference
34 material or to cite them other than as "work in progress."
36 The list of current Internet-Drafts can be accessed at
37 http://www.ietf.org/1id-abstracts.html
39 The list of Internet-Draft Shadow Directories can be accessed at
40 http://www.ietf.org/shadow.html
42 This Internet-Draft expires on September 6, 2007.
47 Copyright (C) The IETF Trust (2007).
58 Kamada and Sakane [Page 1]
60 Internet-Draft Client-Friendly Cross-Realm March 2007
65 This document proposes a cross-realm transition model, which is
66 friendly to resource-limited clients, for Kerberos Version 5. This
67 model provides a way to move the cost of consecutive Ticket-Granting
68 Service (TGS) exchanges from the clients to the Key Distribution
69 Center (KDC) and a way to reduce the transition cost by generating a
70 direct inter-realm relationship between two realms. The document
71 itself does not specify any protocols, which need to be specified
77 1. Introduction ................................................. 3
78 2. Problems on Client Performance ............................... 3
79 2.1. Long Authentication Path ................................ 4
80 2.2. Client-Centric Ticketing ................................ 4
81 3. Proposal of Client-Friendly Cross-Realm Model ................ 4
82 3.1. Temporary Inter-Realm Relationship Generation Mode ...... 5
83 3.2. Attorney Ticketing Mode ................................. 6
84 3.3. Combination of the Two Modes ............................ 7
85 4. Generality and Orthogonality of These Modes .................. 8
86 5. Related Protocols Currently Proposed ......................... 9
87 5.1. PKCROSS ................................................. 9
88 5.2. XTGS .................................................... 9
89 6. Interoperability Considerations .............................. 9
90 7. Security Considerations ...................................... 10
91 7.1. Denial of Service (DoS) ................................. 10
92 7.2. Ticketing Policy ........................................ 10
93 8. IANA Considerations .......................................... 11
94 9. Acknowledgments .............................................. 11
95 10. References ................................................... 11
96 Authors' Addresses ............................................... 12
97 Full Copyright Statement ......................................... 12
98 Intellectual Property Statement .................................. 12
114 Kamada and Sakane [Page 2]
116 Internet-Draft Client-Friendly Cross-Realm March 2007
121 Kerberos Version 5 [RFC4120] has a concept of cross-realm
122 authentication so that principals in different realms can
123 authenticate each other. However in the current cross-realm model,
124 each client has to traverse the authentication path, and the burden
125 of the traversal is not negligible for clients with limited
126 resources, e.g., computational speed or power supply [CRPS].
128 In the current cross-realm operation, a client obtains a service
129 ticket for a remote principal in the following steps:
131 1) N TGSes to get cross-realm TGTs in order to traverse the
132 intermediate realms, where N is the number of transits, and
134 2) One TGS to get the final service ticket.
136 That is, a client needs to perform N + 1 transactions to obtain a
137 ticket for a remote service.
139 This document proposes a new cross-realm model, which consists of
140 "temporary inter-realm relationship generation mode" and "attorney
141 ticketing mode". The former is intended to reduce the transition
142 cost itself, and the latter is to move the cost from clients to KDCs.
143 The document does not specify any protocols, which need to be
144 specified separately.
146 Terms defined in section 1.7 of RFC 4120 are used throughout this
150 2. Problems on Client Performance
152 In the current model of cross-realm operation, a client has to
153 transit all realms on the path to the destination realm. When the
154 source realm and the destination realm have a direct inter-realm
155 relationship, a client is able to obtain a service ticket with two
156 TGS transactions (one for a cross-realm TGT and another for the
157 service ticket). When the realms have a multi-hop relationship, a
158 client must transit the intermediate realm before it obtains the
159 service ticket. That is, the client's task increases in proportion
160 to the distance of the relationship.
162 Two issues can be observed here behind the client load, which are
163 described in the following subsections.
170 Kamada and Sakane [Page 3]
172 Internet-Draft Client-Friendly Cross-Realm March 2007
175 2.1. Long Authentication Path
177 When a client wants to get a service ticket for a remote realm, it
178 must transit to the remote realm by traversing the intermediate
179 realms on the authentication path to the remote realm. The result of
180 a transition is cached as a cross-realm TGT, but it is nothing more
181 than a per-client optimization. Thus all clients accessing a remote
182 realm must pay the cost separately, even if their resources are
183 limited. For a long authentication path, the cost of the whole
184 system becomes large.
187 2.2. Client-Centric Ticketing
189 In Kerberos, any service tickets or cross-realm TGTs are issued via
190 TGS, where a client present a ticket for the TGS and obtains a next
191 ticket. Currently, all TGS transactions are initiated by the client
192 and it needs to get all necessary cross-realm TGTs iteratively before
193 the final service ticket. This process is a burden to a resource-
197 3. Proposal of Client-Friendly Cross-Realm Model
199 In this section, two modes of operation are introduced, "Temporary
200 Inter-Realm Relationship Generation Mode" and "Attorney Ticketing
201 Mode", to solve the issues described in the previous section.
203 Temporary Inter-Realm Relationship Generation Mode
204 This is introduced to solve the issue of the long authentication
205 path. In this mode, if the source realm and the destination realm
206 do not have a direct inter-realm relationship, the source KDC
207 traverses the authentication path by itself, contacts with the
208 remote KDC, and generates a direct inter-realm relationship
209 between them. After that, the source KDC can issue direct inter-
210 realm TGTs for the destination realm. The purpose of this mode is
211 to reduce the transition cost itself.
213 Attorney Ticketing Mode
214 This is introduced to solve the issue of the client-centric
215 ticketing. Consecutive TGS transactions to get cross-realm TGTs
216 and/or a final service ticket are initiated by a client in the
217 traditional Kerberos, whereas a KDC undertake that process in this
218 mode. The purpose of this mode is to shift the cost of TGSes from
219 a client to a KDC. This does not reduce the cost itself.
221 These two modes are designed to be independent, that is, can be used
222 separately or in combination.
226 Kamada and Sakane [Page 4]
228 Internet-Draft Client-Friendly Cross-Realm March 2007
231 3.1. Temporary Inter-Realm Relationship Generation Mode
233 Temporary inter-realm relationship generation mode enables a KDC to
234 issue an inter-realm TGT directly to a remote KDC with which the KDC
235 doesn't preshare an inter-realm key. To issue an inter-realm TGT
236 directly, a temporary inter-realm key needs to be provided somehow.
237 To achieve that, the local KDC obtains a special ticket for the
238 remote KDC and uses its session key as an inter-realm key. This
239 methodology was introduced by PKCROSS [PKCROSS]. In this document,
240 that special ticket is called as an "inter-KDC ticket", and an inter-
241 realm TGT generated using an inter-KDC ticket as a "direct inter-
244 How does the local KDC reach the remote KDC is out of scope of this
245 model, but we can easily come up with 1) traversing a long
246 authentication path if available or 2) using PKINIT. That is,
247 PKCROSS is interpreted as a combination of this model and PKINIT.
249 This document does not standardize a specific protocol, but an inter-
250 KDC ticket will have the following form:
252 - its sname has a special form (PKCROSS proposes
253 "pkcross/realm@REALM", but it would be better to use a more
254 general name than "pkcross"),
256 and a direct inter-realm TGT will have the following form:
258 - its TicketExtensions field [KRBEXT] contains the inter-KDC ticket,
261 - it is protected by the session key (or the sub-session key) of the
282 Kamada and Sakane [Page 5]
284 Internet-Draft Client-Friendly Cross-Realm March 2007
287 client C KDC-L KDC-I KDC-R
288 -------- ----- ----- -----
290 1. --------TGS-REQ-------->
291 2. [Reach to KDC-R in any way.]
292 [Below is an example of PKCROSS.]
293 ------------PKINIT------------>
294 <----------XTKT(L,R)-----------
295 3. <--TKT(C,R)w/XTKT(L,R)--
296 4. ----------------------TGS-REQ------------------------>
297 5. <---------------------TKT(C,S)------------------------
299 [Note: TKT(x,y) means a ticket whose cname is x and sname is y. ]
300 [ XTKT is an inter-KDC ticket. See PKCROSS. ]
301 [ The client C and KDC-L belong to the local realm L. ]
302 [ The KDC-I is a KDC of an intermediate realm I. ]
303 [ The KDC-R is a KDC of the remote realm R. ]
305 1. The client C sends a normal TGS-REQ to KDC-L, requesting
306 a cross-realm TGT to KDC-R.
307 2. KDC-L reaches KDC-R in any way and obtains a XTKT.
308 There is no standardized way to achieve this step yet.
309 PKCROSS is one candidate. We could also standardize a way
310 in which KDC-L normally transits to KDC-R and obtains an XTKT.
311 3. KDC-L generates a cross-realm TGT that is from C to KDC-R
312 and returns to it to C.
313 4. The same with the traditional cross-realm TGS.
314 5. The same with the traditional cross-realm TGS.
316 Figure 1: Message Flow of Temporary Inter-Realm Relationship
320 3.2. Attorney Ticketing Mode
322 Traditionally, a Kerberos client repeats TGS transactions until it
323 gets the final ticket. For example, it has a TGT for its own realm
324 and wants to get a ticket for a service in 3-hop neighbor realm, then
327 1) Present the TGT and get a cross-realm TGT for the next realm,
329 2) Present the 1st cross-realm TGT and get a cross-realm TGT for the
332 3) Present the 2nd cross-realm TGT and get a cross-realm TGT for the
338 Kamada and Sakane [Page 6]
340 Internet-Draft Client-Friendly Cross-Realm March 2007
343 4) Present the final cross-realm TGT and get a service ticket.
345 Attorney ticketing mode enables the client to delegate the KDC to
346 perform all transactions listed above on behalf of the client. An
347 example message flow is shown in Figure 2. The client entrust the
348 KDC with its TGT (step 1). The KDC "impersonates" the client and
349 performs all necessary TGS transactions (steps 2 to 4), and returns
350 the final ticket to the client (step 5).
352 client C KDC-L KDC-I KDC-R
353 -------- ----- ----- -----
355 1. --------TGS-REQ-------->
359 4. ------------TGS-REQ----------->
360 <-----------TKT(C,S)-----------
361 5. <-------TKT(C,S)--------
363 1. The client C sends a special TGS-REQ, which indicates attorney
364 ticketing mode requesting a service ticket for S instead of a
365 cross-realm TGT, to KDC-L.
366 2. KDC-L internally generates a cross-realm TGT that is from C
367 to KDC-I, but does not return it to C.
368 3. KDC-L uses the generated cross-realm TGT by itself, and sends
369 a TGS-REQ to KDC-I, which requests a cross-realm TGT from C
371 4. KDC-L use the obtained cross-realm TGT by itself, and sends
372 a TGS-REQ to KDC-R, which requests a service ticket from C
374 5. KDC-L returns the final service ticket to C.
376 Figure 2: Message Flow of Attorney Ticketing Mode
379 3.3. Combination of the Two Modes
381 Figure 3 shows a typical message flow when the temporary inter-realm
382 relationship generation mode and the attorney ticketing mode are used
383 in combination. The figure shows the case of the initial contact, so
384 a transaction to obtain an inter-KDC ticket is shown (step 2), but it
385 is infrequently used because the XTKT is cached. Usually, only two
386 round-trips do all the work.
394 Kamada and Sakane [Page 7]
396 Internet-Draft Client-Friendly Cross-Realm March 2007
399 client C KDC-L KDC-I KDC-R
400 -------- ----- ----- -----
402 1. --------TGS-REQ-------->
403 2. [Temporary inter-realm relationship
404 generation mode runs here.]
405 ------------PKINIT------------>
406 <----------XTKT(L,R)-----------
407 3. [Attorney ticketing mode runs here.]
409 4. ------------TGS-REQ----------->
410 <-----------TKT(C,S)-----------
411 5. <-------TKT(C,S)--------
413 Figure 3: Message Flow When Temporary Inter-Realm
414 Relationship Generation Mode and Attorney Ticketing
418 4. Generality and Orthogonality of These Modes
420 Compatibility with Traditional Kerberos Deployment
422 Temporary inter-realm relationship generation involves only KDCs.
423 From the viewpoint of a client (and a server), it seems that there
424 is a direct inter-realm relationship between two realms.
426 In short, temporary inter-realm relationship generation mode needs
427 to be deployed only in KDCs. The merit of this property is large,
428 because it does not affect large installed base of clients.
430 Attorney ticketing mode involves only a client and the local KDC.
431 From the viewpoint of the remote KDC, TGS-REQs from a KDC as an
432 attorney cannot be distinguished from those from a "genuine"
433 client (except caddr; see the Interoperability Considerations
434 section). Resulting service ticket is identical to the
435 traditional one, so the remote server has nothing to do this mode.
437 In short, attorney ticketing mode can be deployed in local realm,
438 independently of the remote deployment. The merit of this
439 property is large, because remote realms are often in different
442 Orthogonality of Temporary Inter-Realm Relationship Generation Mode
443 and Attorney Ticketing Mode
445 Temporary inter-realm relationship generation mode and attorney
446 ticketing mode are independent concepts. Both can be implemented
450 Kamada and Sakane [Page 8]
452 Internet-Draft Client-Friendly Cross-Realm March 2007
455 separately or can be used in combination. When they are combined,
456 the load of clients are shifted to KDCs and additional load of
457 KDCs are minimized, thus efficient cross-realm environment is
461 5. Related Protocols Currently Proposed
466 PKCROSS will be usable as a protocol for temporary inter-realm
467 relationship generation mode.
472 The purpose of XTGS protocol is similar to that of this model, but
473 the behavior is somewhat different [XTGS]. If XTGS is viewed from
474 the perspective of this model, it blends the two modes indivisibly to
475 reduce the number of messages between KDCs as far as possible at the
476 price of the abstraction of cross-realm TGTs and inter-KDC tickets.
478 Once a front-end (i.e., between a client and a KDC) protocol to
479 request attorney ticketing mode is standardized, XTGS can be used as
483 6. Interoperability Considerations
486 The protocol for the attorney mode should be able to indicate
487 user-to-user authentication.
489 The addresses field in TGS-REQ
490 This field is copied into the caddr field in EncTicketPart, so if
491 this field is used in a TGS-REQ, the resulting ticket can be used
492 only from the specified addresses. When the local KDC receives a
493 TGS-REQ requesting attorney mode, it should copy the addresses
494 field only into the final TGS-REQ in the attorney process. It
495 must not copy the field into TGS-REQs to intermediate KDCs,
496 because resulting tickets are to be used by the local KDC instead
499 [[negotiation of various parameters]]
501 [[If there are multiple authentication paths and a client has enough
502 knowledge, it could choose which path to take. With attorney
506 Kamada and Sakane [Page 9]
508 Internet-Draft Client-Friendly Cross-Realm March 2007
511 ticketing mode, it cannot because it is up to the KDC to select the
512 path. Is this a problem? With temporary inter-realm relationship
513 generation mode, it can as before.]]
515 [[co-existence with the plain Kerberos; attorney ticketing mode
516 client vs. non-attorney KDC; inter-realm generating local KDC vs.
517 non-generating remote KDC]]
519 [[anything to do with referral?]]
521 [[when a KDC in attorney mode receives a KRB-ERROR?]]
524 7. Security Considerations
527 7.1. Denial of Service (DoS)
529 A KDC that implements attorney ticketing mode needs to initiate
530 multiple TGS-REQ upon a request from a client. This means that the
531 KDC will have some states in it and may suffer from DoS attacks.
533 Fortunately, attorney ticketing mode can be requested in TGS-REQ,
534 which is only available to authenticated clients, thus, any untrusted
535 party cannot exploit this statefulness.
538 7.2. Ticketing Policy
540 Attorney ticketing mode changes nothing about the messages sent to
541 the intermediate and remote KDCs. Those KDCs will not notice the
542 difference and their ticketing process have nothing to be changed.
544 Temporary inter-realm relationship generation mode dynamically
545 generates new authentication paths. This means that KDCs that will
546 be involved in the transition of a client will be different ones.
548 - Parameters of cross-realm TGTs (lifetime and flags) for a new
549 relationship need to be dynamically negotiated (a la PKCROSS).
551 - How to handle the transited fields in inter-KDC tickets, direct
552 inter-realm tickets, and service tickets?
554 - Where the remote KDC adds AuthorizationData and the end-server
555 checks it: there is no problem because it is a local matter of the
562 Kamada and Sakane [Page 10]
564 Internet-Draft Client-Friendly Cross-Realm March 2007
567 - Where an intermediate KDC adds AuthorizationData: traditionally it
568 is added in a cross-realm TGT and propagated to the service
569 ticket; now it will be propagated to the inter-KDC ticket. Should
570 AuthorizationData in an inter-KDC ticket be copied into a cross-
571 realm TGT or not? Even if it is copied, AuthorizationData on
572 inter-KDC ticket cannot represent per-client information, so if it
573 is necessary, temporary inter-realm relationship generation mode
577 8. IANA Considerations
579 This document has no actions for IANA.
584 The authors would like to acknowledge Saber Zrelli, Masahiro
585 Ishiyama, Atsushi Inoue, Kazunori Miyazawa, and Nobuo Okabe for
586 contributions to this document.
591 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
592 Kerberos Network Authentication Service (V5)", RFC
595 [CRPS] Sakane, S., Zrelli, S., M. Ishiyama, "Problem statement
596 on the cross-realm operation of Kerberos in a specific
597 system", draft-sakane-krb-cross-problem-statement-01,
598 Work in Progress, October 2006.
600 [KRBEXT] Yu, T., "The Kerberos Network Authentication Service
601 (Version 5)", draft-ietf-krb-wg-rfc1510ter-03, Work in
602 Progress, October 2006.
604 [PKCROSS] Hur, M. et al., "Public Key Cryptography for Cross-
605 Realm Authentication in Kerberos", draft-ietf-cat-
606 kerberos-pk-cross-08 (expired), Work in Progress,
609 [XTGS] Zrelli, S. et al., "XTGSP, the Inter-TGS protocol for
610 cross-realm operations in Kerberos", draft-zrelli-krb-
611 xtgsp-00, Work in Progress, November 2006.
618 Kamada and Sakane [Page 11]
620 Internet-Draft Client-Friendly Cross-Realm March 2007
627 Yokogawa Electric Corporation
628 2-9-32 Nakacho, Musashino-shi,
630 E-mail: Ken-ichi.Kamada@jp.yokogawa.com,
631 Shouichi.Sakane@jp.yokogawa.com
634 Full Copyright Statement
636 Copyright (C) The IETF Trust (2007).
638 This document is subject to the rights, licenses and restrictions
639 contained in BCP 78, and except as set forth therein, the authors
640 retain all their rights.
642 This document and the information contained herein are provided on an
643 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
644 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
645 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
646 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
647 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
648 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
650 Intellectual Property Statement
652 The IETF takes no position regarding the validity or scope of any
653 Intellectual Property Rights or other rights that might be claimed to
654 pertain to the implementation or use of the technology described in
655 this document or the extent to which any license under such rights
656 might or might not be available; nor does it represent that it has
657 made any independent effort to identify any such rights. Information
658 on the procedures with respect to rights in RFC documents can be
659 found in BCP 78 and BCP 79.
661 Copies of IPR disclosures made to the IETF Secretariat and any
662 assurances of licenses to be made available, or the result of an
663 attempt made to obtain a general license or permission for the use of
664 such proprietary rights by implementers or users of this
665 specification can be obtained from the IETF on-line IPR repository at
666 http://www.ietf.org/ipr.
668 The IETF invites any interested party to bring to its attention any
669 copyrights, patents or patent applications, or other proprietary
670 rights that may cover technology that may be required to implement
674 Kamada and Sakane [Page 12]
676 Internet-Draft Client-Friendly Cross-Realm March 2007
679 this standard. Please address the information to the IETF at ietf-
730 Kamada and Sakane [Page 13]