summaryrefslogtreecommitdiff
path: root/doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt')
-rw-r--r--doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt2346
1 files changed, 0 insertions, 2346 deletions
diff --git a/doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt b/doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt
deleted file mode 100644
index af84a08ff..000000000
--- a/doc/standardisation/draft-ietf-cat-kerberos-pk-init-34.txt
+++ /dev/null
@@ -1,2346 +0,0 @@
-NETWORK WORKING GROUP L. Zhu
-Internet-Draft Microsoft Corporation
-Expires: August 11, 2006 B. Tung
- USC Information Sciences Institute
- February 7, 2006
-
-
- Public Key Cryptography for Initial Authentication in Kerberos
- draft-ietf-cat-kerberos-pk-init-34
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 11, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document describes protocol extensions (hereafter called PKINIT)
- to the Kerberos protocol specification. These extensions provide a
- method for integrating public key cryptography into the initial
- authentication exchange, by using asymmetric-key signature and/or
- encryption algorithms in pre-authentication data fields.
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 1]
-
-Internet-Draft PKINIT February 2006
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Conventions Used in This Document . . . . . . . . . . . . . . 5
- 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6
- 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6
- 3.1.2. Recommended Algorithms . . . . . . . . . . . . . . . . 6
- 3.1.3. Defined Message and Encryption Types . . . . . . . . . 7
- 3.1.4. Kerberos Encryption Types Defined for CMS
- Algorithm Identifiers . . . . . . . . . . . . . . . . 8
- 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9
- 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9
- 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 14
- 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 18
- 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 25
- 3.3. Interoperability Requirements . . . . . . . . . . . . . . 26
- 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 27
- 4. Security Considerations . . . . . . . . . . . . . . . . . . . 27
- 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
- 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
- 7.1. Normative References . . . . . . . . . . . . . . . . . . . 30
- 7.2. Informative References . . . . . . . . . . . . . . . . . . 32
- Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 32
- Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 38
- Appendix C. Miscellaneous Information about Microsoft Windows
- PKINIT Implementations . . . . . . . . . . . . . . . 40
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
- Intellectual Property and Copyright Statements . . . . . . . . . . 42
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 2]
-
-Internet-Draft PKINIT February 2006
-
-
-1. Introduction
-
- The Kerberos V5 protocol [RFC4120] involves use of a trusted third
- party known as the Key Distribution Center (KDC) to negotiate shared
- session keys between clients and services and provide mutual
- authentication between them.
-
- The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
- A Ticket encapsulates a symmetric key (the ticket session key) in an
- envelope (a public message) intended for a specific service. The
- contents of the Ticket are encrypted with a symmetric key shared
- between the service principal and the issuing KDC. The encrypted
- part of the Ticket contains the client principal name, amongst other
- items. An Authenticator is a record that can be shown to have been
- recently generated using the ticket session key in the associated
- Ticket. The ticket session key is known by the client who requested
- the ticket. The contents of the Authenticator are encrypted with the
- associated ticket session key. The encrypted part of an
- Authenticator contains a timestamp and the client principal name,
- amongst other items.
-
- As shown in Figure 1 below, the Kerberos V5 protocol consists of the
- following message exchanges between the client and the KDC, and the
- client and the application service:
-
- - The Authentication Service (AS) Exchange
-
- The client obtains an "initial" ticket from the Kerberos
- authentication server (AS), typically a Ticket Granting Ticket
- (TGT). The AS-REQ message and the AS-REP message are the request
- and the reply message respectively between the client and the AS.
-
- - The Ticket Granting Service (TGS) Exchange
-
- The client subsequently uses the TGT to authenticate and request a
- service ticket for a particular service, from the Kerberos ticket-
- granting server (TGS). The TGS-REQ message and the TGS-REP
- message are the request and the reply message respectively between
- the client and the TGS.
-
- - The Client/Server Authentication Protocol (AP) Exchange
-
- The client then makes a request with an AP-REQ message, consisting
- of a service ticket and an authenticator that certifies the
- client's possession of the ticket session key. The server may
- optionally reply with an AP-REP message. AP exchanges typically
- negotiate session specific symmetric keys.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 3]
-
-Internet-Draft PKINIT February 2006
-
-
- Usually, the AS and TGS are integrated in a single device also known
- as the KDC.
-
- Figure 1: The Message Exchanges in the Kerberos V5 Protocol
-
- +--------------+
- +--------->| KDC |
- AS-REQ / +-------| |
- / / +--------------+
- / / ^ |
- / |AS-REP / |
- | | / TGS-REQ + TGS-REP
- | | / /
- | | / /
- | | / +---------+
- | | / /
- | | / /
- | | / /
- | v / v
- ++-------+------+ +-----------------+
- | Client +------------>| Application |
- | | AP-REQ | Server |
- | |<------------| |
- +---------------+ AP-REP +-----------------+
-
- In the AS exchange, the KDC reply contains the ticket session key,
- amongst other items, that is encrypted using a key (the AS reply key)
- shared between the client and the KDC. The AS reply key is typically
- derived from the client's password for human users. Therefore for
- human users the attack resistance strength of the Kerberos protocol
- is no stronger than the strength of their passwords.
-
- The use of asymmetric cryptography in the form of X.509 certificates
- [RFC3280] is popular for facilitating data origin authentication and
- perfect secrecy. An established Public Key Infrastructure (PKI)
- provides key management and key distribution mechanisms that can be
- used to establish authentication and secure communication. Adding
- public-key cryptography to Kerberos provides a nice congruence to
- public-key protocols, obviates the human users' burden to manage
- strong passwords, and allows Kerberized applications to take
- advantage of existing key services and identity management.
-
- The advantage afforded by the Kerberos TGT is that the client exposes
- his long-term secrets only once. The TGT and its associated session
- key can then be used for any subsequent service ticket requests. One
- result of this is that all further authentication is independent of
- the method by which the initial authentication was performed.
- Consequently, initial authentication provides a convenient place to
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 4]
-
-Internet-Draft PKINIT February 2006
-
-
- integrate public-key cryptography into Kerberos authentication. In
- addition, the use of symmetric cryptography after the initial
- exchange is preferred for performance.
-
- This document describes the methods and data formats using which the
- client and the KDC can use public and private key pairs to mutually
- authenticate in the AS exchange and negotiate the AS reply key, known
- only by the client and the KDC, to encrypt the AS-REP sent by the
- KDC.
-
-
-2. Conventions Used in This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
- In this protocol, both the client and the KDC have a public-private
- key pair in order to prove their identities to each other over the
- open network. The term "signature key" is used to refer to the
- private key of the key pair being used.
-
- The encryption key used to encrypt the enc-part field of the KDC-REP
- in the AS-REP [RFC4120] is referred to as the AS reply key.
-
- An empty sequence in an optional field can be either included or
- omitted: both encodings are permitted and considered equivalent.
-
- The term "Modular Exponential Diffie-Hellman" is used to refer to the
- Diffie-Hellman key exchange as described in [RFC2631], in order to
- differentiate it from other equivalent representations of the same
- key agreement algorithm.
-
-
-3. Extensions
-
- This section describes extensions to [RFC4120] for supporting the use
- of public-key cryptography in the initial request for a ticket.
-
- Briefly, this document defines the following extensions to [RFC4120]:
-
- 1. The client indicates the use of public-key authentication by
- including a special preauthenticator in the initial request. This
- preauthenticator contains the client's public-key data and a
- signature.
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 5]
-
-Internet-Draft PKINIT February 2006
-
-
- 2. The KDC tests the client's request against its authentication
- policy and trusted Certification Authorities (CAs).
-
- 3. If the request passes the verification tests, the KDC replies as
- usual, but the reply is encrypted using either:
-
- a. a key generated through a Diffie-Hellman (DH) key exchange
- [RFC2631] [IEEE1363] with the client, signed using the KDC's
- signature key; or
-
- b. a symmetric encryption key, signed using the KDC's signature
- key and encrypted using the client's public key.
-
- Any keying material required by the client to obtain the
- encryption key for decrypting the KDC reply is returned in a pre-
- authentication field accompanying the usual reply.
-
- 4. The client validates the KDC's signature, obtains the encryption
- key, decrypts the reply, and then proceeds as usual.
-
- Section 3.1 of this document enumerates the required algorithms and
- necessary extension message types. Section 3.2 describes the
- extension messages in greater detail.
-
-3.1. Definitions, Requirements, and Constants
-
-3.1.1. Required Algorithms
-
- All PKINIT implementations MUST support the following algorithms:
-
- o AS reply key enctype(s): aes128-cts-hmac-sha1-96 and aes256-cts-
- hmac-sha1-96 [RFC3962].
-
- o Signature algorithm(s): sha-1WithRSAEncryption [RFC3370].
-
- o AS reply key delivery method(s): the Diffie-Hellman key delivery
- method as described in Section 3.2.3.1.
-
- In addition, implementations of this specification MUST be capable of
- processing the Extended Key Usage (EKU) extension and the id-pkinit-
- san (as defined in Section 3.2.2) otherName of the Subject
- Alternative Name (SAN) extension in X.509 certificates [RFC3280].
-
-3.1.2. Recommended Algorithms
-
- All PKINIT implementations SHOULD support the following algorithms:
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 6]
-
-Internet-Draft PKINIT February 2006
-
-
- o AS reply key delivery method(s): the public key encryption key
- delivery method as described in Section 3.2.3.2.
-
- For implementations that support the public key encryption key
- delivery method, the following algorithms MUST be supported:
-
- a) Key transport algorithm(s) identified in the
- keyEncryptionAlgorithm field of the type KeyTransRecipientInfo
- [RFC3852] for encrypting the temporary key in the encryptedKey
- field [RFC3852] with a public key, as described in
- Section 3.2.3.2: rsaEncryption (this is the RSAES-PKCS1-v1_5
- encryption scheme) [RFC3370] [RFC3447].
-
- b) Content encryption algorithm(s) identified in the
- contentEncryptionAlgorithm field of the type EncryptedContentInfo
- [RFC3852] for encrypting the AS reply key with the temporary key
- contained in the encryptedKey field of the type
- KeyTransRecipientInfo [RFC3852], as described in Section 3.2.3.2:
- des-ede3-cbc (three-key 3DES, CBC mode) [RFC3370].
-
-3.1.3. Defined Message and Encryption Types
-
- PKINIT makes use of the following new pre-authentication types:
-
- PA_PK_AS_REQ 16
- PA_PK_AS_REP 17
-
- PKINIT also makes use of the following new authorization data type:
-
- AD_INITIAL_VERIFIED_CAS 9
-
- PKINIT introduces the following new error codes:
-
- KDC_ERR_CLIENT_NOT_TRUSTED 62
- KDC_ERR_INVALID_SIG 64
- KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
- KDC_ERR_CANT_VERIFY_CERTIFICATE 70
- KDC_ERR_INVALID_CERTIFICATE 71
- KDC_ERR_REVOKED_CERTIFICATE 72
- KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
- KDC_ERR_CLIENT_NAME_MISMATCH 75
- KDC_ERR_INCONSISTENT_KEY_PURPOSE 77
- KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78
- KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79
- KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80
- KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
-
- PKINIT uses the following typed data types for errors:
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 7]
-
-Internet-Draft PKINIT February 2006
-
-
- TD_TRUSTED_CERTIFIERS 104
- TD_INVALID_CERTIFICATES 105
- TD_DH_PARAMETERS 109
-
- The ASN.1 module for all structures defined in this document (plus
- IMPORT statements for all imported structures) is given in
- Appendix A.
-
- All structures defined in or imported into this document MUST be
- encoded using Distinguished Encoding Rules (DER) [X680] [X690]
- (unless otherwise noted). All data structures carried in OCTET
- STRINGs must be encoded according to the rules specified in
- corresponding specifications.
-
- Interoperability note: Some implementations may not be able to decode
- wrapped Cryptographic Message Syntax (CMS) [RFC3852] objects encoded
- with BER; specifically, they may not be able to decode indefinite
- length encodings. To maximize interoperability, implementers SHOULD
- encode CMS objects used in PKINIT with DER.
-
-3.1.4. Kerberos Encryption Types Defined for CMS Algorithm Identifiers
-
- PKINIT defines the following Kerberos encryption type numbers
- [RFC3961], which can be used in the etype field of the AS-REQ
- [RFC4120] message to indicate to the KDC the client's acceptance of
- the corresponding algorithms (including key transport algorithms
- [RFC3370], content encryption algorithms [RFC3370], and signature
- algorithms) for use with Cryptographic Message Syntax (CMS) [RFC3852]
- [RFC3370].
-
- Per [RFC4120], the encryption types in the etype field are in the
- decreasing preference order of the client. Note that there is no
- significance in the relative order between any two of different types
- of algorithms: key transport algorithms, content encryption
- algorithms and signature algorithms.
-
- The presence of each of these encryption types in the etype field is
- equivalent to the presence of the corresponding algorithm Object
- Identifier (OID) in the supportedCMSTypes field as described in
- Section 3.2.1. And the preference order expressed in the
- supportedCMSTypes field would override the preference order listed in
- the etype field.
-
-
-
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 8]
-
-Internet-Draft PKINIT February 2006
-
-
- Kerberos Encryption Type Name Num Corresponding Algorithm OID
- ============================== === ===============================
- id-dsa-with-sha1-CmsOID 9 id-dsa-with-sha1 [RFC3370]
- md5WithRSAEncryption-CmsOID 10 md5WithRSAEncryption [RFC3370]
- sha-1WithRSAEncryption-CmsOID 11 sha-1WithRSAEncryption [RFC3370]
- rc2-cbc-EnvOID 12 rc2-cbc [RFC3370]
- rsaEncryption-EnvOID 13 rsaEncryption [RFC3447][RFC3370]
- id-RSAES-OAEP-EnvOID 14 id-RSAES-OAEP [RFC3447][RFC3560]
- des-ede3-cbc-EnvOID 15 des-ede3-cbc [RFC3370]
-
- The above encryption type numbers are used only to indicate support
- for the use of the corresponding algorithms in PKINIT; they do not
- correspond to actual Kerberos encryption types [RFC3961] and MUST NOT
- be used in the etype field of the Kerberos EncryptedData type
- [RFC4120]. The practice of assigning Kerberos encryption type
- numbers to indicate support for CMS algorithms is considered
- deprecated, and new numbers should not be assigned for this purpose.
- Instead, the supportedCMSTypes field should be used to identify the
- algorithms supported by the client and the preference order of the
- client.
-
- For maximum interoperability, however, PKINIT clients wishing to
- indicate to the KDC the support for one or more of the algorithms
- listed above SHOULD include the corresponding encryption type
- number(s) in the etype field of the AS-REQ.
-
-3.2. PKINIT Pre-authentication Syntax and Use
-
- This section defines the syntax and use of the various pre-
- authentication fields employed by PKINIT.
-
-3.2.1. Generation of Client Request
-
- The initial authentication request (AS-REQ) is sent as per [RFC4120];
- in addition, a pre-authentication data element, whose padata-type is
- PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
- type PA-PK-AS-REQ, is included.
-
- PA-PK-AS-REQ ::= SEQUENCE {
- signedAuthPack [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo
- -- is id-signedData (1.2.840.113549.1.7.2),
- -- and the content field is a SignedData.
- -- The eContentType field for the type SignedData is
- -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
- -- eContent field contains the DER encoding of the
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 9]
-
-Internet-Draft PKINIT February 2006
-
-
- -- type AuthPack.
- -- AuthPack is defined below.
- trustedCertifiers [1] SEQUENCE OF
- ExternalPrincipalIdentifier OPTIONAL,
- -- Contains a list of CAs, trusted by the client,
- -- that can be used to certify the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
- -- The information contained in the
- -- trustedCertifiers SHOULD be used by the KDC as
- -- hints to guide its selection of an appropriate
- -- certificate chain to return to the client.
- kdcPkId [2] IMPLICIT OCTET STRING
- OPTIONAL,
- -- Contains a CMS type SignerIdentifier encoded
- -- according to [RFC3852].
- -- Identifies, if present, a particular KDC
- -- public key that the client already has.
- ...
- }
-
- DHNonce ::= OCTET STRING
-
- ExternalPrincipalIdentifier ::= SEQUENCE {
- subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a PKIX type Name encoded according to
- -- [RFC3280].
- -- Identifies the certificate subject by the
- -- distinguished subject name.
- -- REQUIRED when there is a distinguished subject
- -- name present in the certificate.
- issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a CMS type IssuerAndSerialNumber encoded
- -- according to [RFC3852].
- -- Identifies a certificate of the subject.
- -- REQUIRED for TD-INVALID-CERTIFICATES and
- -- TD-TRUSTED-CERTIFIERS.
- subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
- -- Identifies the subject's public key by a key
- -- identifier. When an X.509 certificate is
- -- referenced, this key identifier matches the X.509
- -- subjectKeyIdentifier extension value. When other
- -- certificate formats are referenced, the documents
- -- that specify the certificate format and their use
- -- with the CMS must include details on matching the
- -- key identifier to the appropriate certificate
- -- field.
- -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 10]
-
-Internet-Draft PKINIT February 2006
-
-
- ...
- }
-
- AuthPack ::= SEQUENCE {
- pkAuthenticator [0] PKAuthenticator,
- clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
- -- Type SubjectPublicKeyInfo is defined in
- -- [RFC3280].
- -- Specifies Diffie-Hellman domain parameters
- -- and the client's public key value [IEEE1363].
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- -- This field is present only if the client wishes
- -- to use the Diffie-Hellman key agreement method.
- supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
- OPTIONAL,
- -- Type AlgorithmIdentifier is defined in
- -- [RFC3280].
- -- List of CMS algorithm [RFC3370] identifiers
- -- that identify key transport algorithms, or
- -- content encryption algorithms, or signature
- -- algorithms supported by the client in order of
- -- (decreasing) preference.
- clientDHNonce [3] DHNonce OPTIONAL,
- -- Present only if the client indicates that it
- -- wishes to reuse DH keys or to allow the KDC to
- -- do so (see Section 3.2.3.1).
- ...
- }
-
- PKAuthenticator ::= SEQUENCE {
- cusec [0] INTEGER (0..999999),
- ctime [1] KerberosTime,
- -- cusec and ctime are used as in [RFC4120], for
- -- replay prevention.
- nonce [2] INTEGER (0..4294967295),
- -- Chosen randomly; This nonce does not need to
- -- match with the nonce in the KDC-REQ-BODY.
- paChecksum [3] OCTET STRING OPTIONAL,
- -- MUST be present.
- -- Contains the SHA1 checksum, performed over
- -- KDC-REQ-BODY.
- ...
- }
-
- The ContentInfo [RFC3852] structure contained in the signedAuthPack
- field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and
- is filled out as follows:
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 11]
-
-Internet-Draft PKINIT February 2006
-
-
- 1. The contentType field of the type ContentInfo is id-signedData
- (as defined in [RFC3852]), and the content field is a SignedData
- (as defined in [RFC3852]).
-
- 2. The eContentType field for the type SignedData is id-pkinit-
- authData: { iso(1) org(3) dod(6) internet(1) security(5)
- kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS
- implementers: the signed attribute content-type MUST be present
- in this SignedData instance and its value is id-pkinit-authData
- according to [RFC3852].
-
- 3. The eContent field for the type SignedData contains the DER
- encoding of the type AuthPack.
-
- 4. The signerInfos field of the type SignedData contains a single
- signerInfo, which contains the signature over the type AuthPack.
-
- 5. The AuthPack structure contains a PKAuthenticator, the client
- public key information, the CMS encryption types supported by the
- client and a DHNonce. The pkAuthenticator field certifies to the
- KDC that the client has recent knowledge of the signing key that
- authenticates the client. The clientPublicValue field specifies
- Diffie-Hellman domain parameters and the client's public key
- value. The DH public key value is encoded as a BIT STRING
- according to [RFC3279]. The clientPublicValue field is present
- only if the client wishes to use the Diffie-Hellman key agreement
- method. The supportedCMSTypes field specifies the list of CMS
- algorithm identifiers that are supported by the client in order
- of (decreasing) preference, and can be used to identify a
- signature algorithm or a key transport algorithm [RFC3370] in the
- keyEncryptionAlgorithm field of the type KeyTransRecipientInfo or
- a content encryption algorithm [RFC3370] in the
- contentEncryptionAlgorithm field of the type EncryptedContentInfo
- [RFC3852] when encrypting the AS reply key as described in
- Section 3.2.3.2. However, there is no significance in the
- relative order between any two of different types of algorithms:
- key transport algorithms, content encryption algorithms, and
- signature algorithms. The clientDHNonce field is described later
- in this section.
-
- 6. The ctime field in the PKAuthenticator structure contains the
- current time on the client's host, and the cusec field contains
- the microsecond part of the client's timestamp. The ctime and
- cusec fields are used together to specify a reasonably accurate
- timestamp [RFC4120]. The nonce field is chosen randomly. The
- paChecksum field MUST be present and it contains a SHA1 checksum
- that is performed over the KDC-REQ-BODY [RFC4120]. In order to
- ease future migration from the use of SHA1, the paChecksum field
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 12]
-
-Internet-Draft PKINIT February 2006
-
-
- is made optional syntactically: when the request is extended to
- negotiate hash algorithms, the new client wishing not to use SHA1
- will send the request in the extended message syntax without the
- paChecksum field. The KDC conforming to this specification MUST
- return a KRB-ERROR [RFC4120] message with the code
- KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (see Section 3.2.3). That
- will allow a new client to retry with SHA1 if allowed by the
- local policy.
-
- 7. The certificates field of the type SignedData contains
- certificates intended to facilitate certification path
- construction, so that the KDC can verify the signature over the
- type AuthPack. For path validation, these certificates SHOULD be
- sufficient to construct at least one certification path from the
- client certificate to one trust anchor acceptable by the KDC
- [RFC4158]. The client MUST be capable of including such a set of
- certificates if configured to do so. The certificates field MUST
- NOT contain "root" CA certificates.
-
- 8. The client's Diffie-Hellman public value (clientPublicValue) is
- included if and only if the client wishes to use the Diffie-
- Hellman key agreement method. The Diffie-Hellman domain
- parameters [IEEE1363] for the client's public key are specified
- in the algorithm field of the type SubjectPublicKeyInfo [RFC3279]
- and the client's Diffie-Hellman public key value is mapped to a
- subjectPublicKey (a BIT STRING) according to [RFC3279]. When
- using the Diffie-Hellman key agreement method, implementations
- MUST support Oakley 1024-bit Modular Exponential (MODP) well-
- known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group
- 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known
- group 16 [RFC3526].
-
- The Diffie-Hellman field size should be chosen so as to provide
- sufficient cryptographic security [RFC3766].
-
- When MODP Diffie-Hellman is used, the exponents should have at
- least twice as many bits as the symmetric keys that will be
- derived from them [ODL99].
-
- 9. The client may wish to reuse DH keys or to allow the KDC to do so
- (see Section 3.2.3.1). If so, then the client includes the
- clientDHNonce field. This nonce string MUST be as long as the
- longest key length of the symmetric key types that the client
- supports. This nonce MUST be chosen randomly.
-
- The ExternalPrincipalIdentifier structure is used in this document to
- identify the subject's public key thereby the subject principal.
- This structure is filled out as follows:
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 13]
-
-Internet-Draft PKINIT February 2006
-
-
- 1. The subjectName field contains a PKIX type Name encoded according
- to [RFC3280]. This field identifies the certificate subject by
- the distinguished subject name. This field is REQUIRED when
- there is a distinguished subject name present in the certificate
- being used.
-
- 2. The issuerAndSerialNumber field contains a CMS type
- IssuerAndSerialNumber encoded according to [RFC3852]. This field
- identifies a certificate of the subject. This field is REQUIRED
- for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both
- structures are defined in Section 3.2.2).
-
- 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's
- public key by a key identifier. When an X.509 certificate is
- referenced, this key identifier matches the X.509
- subjectKeyIdentifier extension value. When other certificate
- formats are referenced, the documents that specify the
- certificate format and their use with the CMS must include
- details on matching the key identifier to the appropriate
- certificate field. This field is RECOMMENDED for TD-TRUSTED-
- CERTIFIERS (as defined in Section 3.2.2).
-
- The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
- of CAs, trusted by the client, that can be used to certify the KDC.
- Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
- (thereby its public key).
-
- The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
- SignerIdentifier encoded according to [RFC3852]. This field
- identifies, if present, a particular KDC public key that the client
- already has.
-
-3.2.2. Receipt of Client Request
-
- Upon receiving the client's request, the KDC validates it. This
- section describes the steps that the KDC MUST (unless otherwise
- noted) take in validating the request.
-
- The KDC verifies the client's signature in the signedAuthPack field
- according to [RFC3852].
-
- If, while validating the client's X.509 certificate [RFC3280], the
- KDC cannot build a certification path to validate the client's
- certificate, it sends back a KRB-ERROR [RFC4120] message with the
- code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for
- this error message is a TYPED-DATA (as defined in [RFC4120]) that
- contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and
- whose data-value contains the DER encoding of the type TD-TRUSTED-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 14]
-
-Internet-Draft PKINIT February 2006
-
-
- CERTIFIERS:
-
- TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies a list of CAs trusted by the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
- Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
- TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
- (thereby its public key) trusted by the KDC.
-
- Upon receiving this error message, the client SHOULD retry only if it
- has a different set of certificates (from those of the previous
- requests) that form a certification path (or a partial path) from one
- of the trust anchors acceptable by the KDC to its own certificate.
-
- If, while processing the certification path, the KDC determines that
- the signature on one of the certificates in the signedAuthPack field
- is invalid, it returns a KRB-ERROR [RFC4120] message with the code
- KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error
- message is a TYPED-DATA that contains an element whose data-type is
- TD_INVALID_CERTIFICATES, and whose data-value contains the DER
- encoding of the type TD-INVALID-CERTIFICATES:
-
- TD-INVALID-CERTIFICATES ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Each ExternalPrincipalIdentifier identifies a
- -- certificate (sent by the client) with an invalid
- -- signature.
-
- Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
- TD-INVALID-CERTIFICATES structure identifies a certificate (that was
- sent by the client) with an invalid signature.
-
- If more than one X.509 certificate signature is invalid, the KDC MAY
- include one IssuerAndSerialNumber per invalid signature within the
- TD-INVALID-CERTIFICATES.
-
- The client's X.509 certificate is validated according to [RFC3280].
-
- Based on local policy, the KDC may also check whether any X.509
- certificates in the certification path validating the client's
- certificate have been revoked. If any of them have been revoked, the
- KDC MUST return an error message with the code
- KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the
- revocation status but is unable to do so, it SHOULD return an error
- message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 15]
-
-Internet-Draft PKINIT February 2006
-
-
- certificate or certificates affected are identified exactly as for
- the error code KDC_ERR_INVALID_CERTIFICATE (see above).
-
- Note that the TD_INVALID_CERTIFICATES error data is only used to
- identify invalid certificates sent by the client in the request.
-
- The client's public key is then used to verify the signature. If the
- signature fails to verify, the KDC MUST return an error message with
- the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for
- this error message.
-
- In addition to validating the client's signature, the KDC MUST also
- check that the client's public key used to verify the client's
- signature is bound to the client's principal name as specified in the
- AS-REQ as follows:
-
- 1. If the KDC has its own binding between either the client's
- signature-verification public key or the client's certificate and
- the client's Kerberos principal name, it uses that binding.
-
- 2. Otherwise, if the client's X.509 certificate contains a Subject
- Alternative Name (SAN) extension carrying a KRB5PrincipalName
- (defined below) in the otherName field of the type GeneralName
- [RFC3280], it binds the client's X.509 certificate to that name.
-
- The type of the otherName field is AnotherName. The type-id field
- of the type AnotherName is id-pkinit-san:
-
- id-pkinit-san OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
- x509SanAN (2) }
-
- And the value field of the type AnotherName is a
- KRB5PrincipalName.
-
- KRB5PrincipalName ::= SEQUENCE {
- realm [0] Realm,
- principalName [1] PrincipalName
- }
-
- If the Kerberos client name in the AS-REQ does not match a name bound
- by the KDC (the binding can be in the certificate, for example as
- described above), or if there is no binding found by the KDC, the KDC
- MUST return an error message with the code
- KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for
- this error message.
-
- Even if the certification path is validated and the certificate is
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 16]
-
-Internet-Draft PKINIT February 2006
-
-
- mapped to the client's principal name, the KDC may decide not to
- accept the client's certificate, depending on local policy.
-
- The KDC MAY require the presence of an Extended Key Usage (EKU)
- KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field
- of the client's X.509 certificate:
-
- id-pkinit-KPClientAuth OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
- pkinit(3) keyPurposeClientAuth(4) }
- -- PKINIT client authentication.
- -- Key usage bits that MUST be consistent:
- -- digitalSignature.
-
- The digitalSignature key usage bit [RFC3280] MUST be asserted when
- the intended purpose of the client's X.509 certificate is restricted
- with the id-pkinit-KPClientAuth EKU.
-
- If this EKU KeyPurposeId is required but it is not present or if the
- client certificate is restricted not to be used for PKINIT client
- authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return
- an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There
- is no accompanying e-data for this error message. KDCs implementing
- this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc-
- logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there
- are a large number of X.509 client certificates deployed for use with
- PKINIT which have this EKU.
-
- As a matter of local policy, the KDC MAY decide to reject requests on
- the basis of the absence or presence of other specific EKU OID's.
-
- If the digest algorithm used in generating the CA signature for the
- public key in any certificate of the request is not acceptable by the
- KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code
- KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be
- encoded in TYPED-DATA although none is defined at this point.
-
- If the client's public key is not accepted with reasons other than
- what were specified above, the KDC returns a KRB-ERROR [RFC4120]
- message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no
- accompanying e-data currently defined for this error message.
-
- The KDC MUST check the timestamp to ensure that the request is not a
- replay, and that the time skew falls within acceptable limits. The
- recommendations for clock skew times in [RFC4120] apply here. If the
- check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or
- KRB_AP_ERR_SKEW, respectively.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 17]
-
-Internet-Draft PKINIT February 2006
-
-
- If the clientPublicValue is filled in, indicating that the client
- wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD
- check to see if the key parameters satisfy its policy. If they do
- not, it MUST return an error message with the code
- KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a
- TYPED-DATA that contains an element whose data-type is
- TD_DH_PARAMETERS, and whose data-value contains the DER encoding of
- the type TD-DH-PARAMETERS:
-
- TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
- -- Each AlgorithmIdentifier specifies a set of
- -- Diffie-Hellman domain parameters [IEEE1363].
- -- This list is in decreasing preference order.
-
- TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters
- that the KDC supports in decreasing preference order, from which the
- client SHOULD pick one to retry the request.
-
- The AlgorithmIdentifier structure is defined in [RFC3280] and is
- filled in according to [RFC3279]. More specifically Section 2.3.3 of
- [RFC3279] describes how to fill in the AlgorithmIdentifier structure
- in the case where MODP Diffie-Hellman key exchange is used.
-
- If the client included a kdcPkId field in the PA-PK-AS-REQ and the
- KDC does not possess the corresponding key, the KDC MUST ignore the
- kdcPkId field as if the client did not include one.
-
- If the digest algorithm used by the id-pkinit-authData is not
- acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120]
- message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
- The accompanying e-data MUST be encoded in TYPED-DATA although none
- is defined at this point.
-
-3.2.3. Generation of KDC Reply
-
- If the paChecksum filed in the request is not present, the KDC
- conforming to this specification MUST return a KRB-ERROR [RFC4120]
- message with the code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. The
- accompanying e-data MUST be encoded in TYPED-DATA (no error data is
- defined by this specification).
-
- Assuming that the client's request has been properly validated, the
- KDC proceeds as per [RFC4120], except as follows.
-
- The KDC MUST set the initial flag and include an authorization data
- element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued
- ticket. The ad-data [RFC4120] field contains the DER encoding of the
- type AD-INITIAL-VERIFIED-CAS:
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 18]
-
-Internet-Draft PKINIT February 2006
-
-
- AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies the certification path based on which
- -- the client certificate was validated.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
- The AD-INITIAL-VERIFIED-CAS structure identifies the certification
- path based on which the client certificate was validated. Each
- ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
- INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
- (thereby its public key).
-
- Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization
- data does permit empty SEQUENCEs to be encoded. Such empty sequences
- may only be used if the KDC itself vouches for the user's
- certificate.
-
- The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
- containers if the list of CAs satisfies the AS' realm's local policy
- (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag
- [RFC4120]). Furthermore, any TGS MUST copy such authorization data
- from tickets used within a PA-TGS-REQ of the TGS-REQ into the
- resulting ticket. If the list of CAs satisfies the local KDC's
- realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT
- container, otherwise it MAY unwrap the authorization data out of the
- AD-IF-RELEVANT container.
-
- Application servers that understand this authorization data type
- SHOULD apply local policy to determine whether a given ticket bearing
- such a type *not* contained within an AD-IF-RELEVANT container is
- acceptable. (This corresponds to the AP server checking the
- transited field when the TRANSITED-POLICY-CHECKED flag has not been
- set [RFC4120].) If such a data type is contained within an AD-IF-
- RELEVANT container, AP servers MAY apply local policy to determine
- whether the authorization data is acceptable.
-
- A pre-authentication data element, whose padata-type is PA_PK_AS_REP
- and whose padata-value contains the DER encoding of the type PA-PK-
- AS-REP (defined below), is included in the AS-REP [RFC4120].
-
- PA-PK-AS-REP ::= CHOICE {
- dhInfo [0] DHRepInfo,
- -- Selected when Diffie-Hellman key exchange is
- -- used.
- encKeyPack [1] IMPLICIT OCTET STRING,
- -- Selected when public key encryption is used.
- -- Contains a CMS type ContentInfo encoded
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 19]
-
-Internet-Draft PKINIT February 2006
-
-
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-envelopedData (1.2.840.113549.1.7.3).
- -- The content field is an EnvelopedData.
- -- The contentType field for the type EnvelopedData
- -- is id-signedData (1.2.840.113549.1.7.2).
- -- The eContentType field for the inner type
- -- SignedData (when unencrypted) is
- -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
- -- eContent field contains the DER encoding of the
- -- type ReplyKeyPack.
- -- ReplyKeyPack is defined in Section 3.2.3.2.
- ...
- }
-
- DHRepInfo ::= SEQUENCE {
- dhSignedData [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded according
- -- to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-signedData (1.2.840.113549.1.7.2), and the
- -- content field is a SignedData.
- -- The eContentType field for the type SignedData is
- -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
- -- eContent field contains the DER encoding of the
- -- type KDCDHKeyInfo.
- -- KDCDHKeyInfo is defined below.
- serverDHNonce [1] DHNonce OPTIONAL,
- -- Present if and only if dhKeyExpiration is
- -- present in the KDCDHKeyInfo.
- ...
- }
-
- KDCDHKeyInfo ::= SEQUENCE {
- subjectPublicKey [0] BIT STRING,
- -- The KDC's DH public key.
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- nonce [1] INTEGER (0..4294967295),
- -- Contains the nonce in the pkAuthenticator field
- -- in the request if the DH keys are NOT reused,
- -- 0 otherwise.
- dhKeyExpiration [2] KerberosTime OPTIONAL,
- -- Expiration time for KDC's key pair,
- -- present if and only if the DH keys are reused.
- -- If present, the KDC's DH public key MUST not be
- -- used past the point of this expiration time.
- -- If this field is omitted then the serverDHNonce
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 20]
-
-Internet-Draft PKINIT February 2006
-
-
- -- field MUST also be omitted.
- ...
- }
-
- The content of the AS-REP is otherwise unchanged from [RFC4120]. The
- KDC encrypts the reply as usual, but not with the client's long-term
- key. Instead, it encrypts it with either a shared key derived from a
- Diffie-Hellman exchange, or a generated encryption key. The contents
- of the PA-PK-AS-REP indicate which key delivery method is used.
-
- If the client does not wish to use the Diffie-Hellman key delivery
- method (the clientPublicValue field is not present in the request)
- and the KDC does not support the public key encryption key delivery
- method, the KDC MUST return an error message with the code
- KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED. There is no
- accompanying e-data for this error message.
-
- In addition, the lifetime of the ticket returned by the KDC MUST NOT
- exceed that of the client's public-private key pair. The ticket
- lifetime, however, can be shorter than that of the client's public-
- private key pair. For the implementations of this specification, the
- lifetime of the client's public-private key pair is the validity
- period in X.509 certificates [RFC3280], unless configured otherwise.
-
-3.2.3.1. Using Diffie-Hellman Key Exchange
-
- In this case, the PA-PK-AS-REP contains a DHRepInfo structure.
-
- The ContentInfo [RFC3852] structure for the dhSignedData field is
- filled in as follows:
-
- 1. The contentType field of the type ContentInfo is id-signedData
- (as defined in [RFC3852]), and the content field is a SignedData
- (as defined in [RFC3852]).
-
- 2. The eContentType field for the type SignedData is the OID value
- for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1)
- security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS
- implementers: the signed attribute content-type MUST be present
- in this SignedData instance and its value is id-pkinit-DHKeyData
- according to [RFC3852].
-
- 3. The eContent field for the type SignedData contains the DER
- encoding of the type KDCDHKeyInfo.
-
- 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce
- and optionally the expiration time of the KDC's DH key being
- reused. The subjectPublicKey field of the type KDCDHKeyInfo
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 21]
-
-Internet-Draft PKINIT February 2006
-
-
- field identifies KDC's DH public key. This DH public key value
- is encoded as a BIT STRING according to [RFC3279]. The nonce
- field contains the nonce in the pkAuthenticator field in the
- request if the DH keys are NOT reused. The value of this nonce
- field is 0 if the DH keys are reused. The dhKeyExpiration field
- is present if and only if the DH keys are reused. If the
- dhKeyExpiration field is present, the KDC's public key in this
- KDCDHKeyInfo structure MUST NOT be used past the point of this
- expiration time. If this field is omitted then the serverDHNonce
- field MUST also be omitted.
-
- 5. The signerInfos field of the type SignedData contains a single
- signerInfo, which contains the signature over the type
- KDCDHKeyInfo.
-
- 6. The certificates field of the type SignedData contains
- certificates intended to facilitate certification path
- construction, so that the client can verify the KDC's signature
- over the type KDCDHKeyInfo. The information contained in the
- trustedCertifiers in the request SHOULD be used by the KDC as
- hints to guide its selection of an appropriate certificate chain
- to return to the client. This field may be left empty if the KDC
- public key specified by the kdcPkId field in the PA-PK-AS-REQ was
- used for signing. Otherwise, for path validation, these
- certificates SHOULD be sufficient to construct at least one
- certification path from the KDC certificate to one trust anchor
- acceptable by the client [RFC4158]. The KDC MUST be capable of
- including such a set of certificates if configured to do so. The
- certificates field MUST NOT contain "root" CA certificates.
-
- 7. If the client included the clientDHNonce field, then the KDC may
- choose to reuse its DH keys. If the server reuses DH keys then
- it MUST include an expiration time in the dhKeyExpiration field.
- Past the point of the expiration time, the signature over the
- type DHRepInfo is considered expired/invalid. When the server
- reuses DH keys then it MUST include a serverDHNonce at least as
- long as the length of keys for the symmetric encryption system
- used to encrypt the AS reply. Note that including the
- serverDHNonce changes how the client and server calculate the key
- to use to encrypt the reply; see below for details. The KDC
- SHOULD NOT reuse DH keys unless the clientDHNonce field is
- present in the request.
-
- The AS reply key is derived as follows:
-
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 22]
-
-Internet-Draft PKINIT February 2006
-
-
- 1. Both the KDC and the client calculate the shared secret value as
- follows:
-
- a) When MODP Diffie-Hellman is used, let DHSharedSecret be the
- shared secret value. DHSharedSecret is the value ZZ as
- described in Section 2.1.1 of [RFC2631].
-
- DHSharedSecret is first padded with leading zeros such that the
- size of DHSharedSecret in octets is the same as that of the
- modulus, then represented as a string of octets in big-endian
- order.
-
- Implementation note: Both the client and the KDC can cache the
- triple (ya, yb, DHSharedSecret), where ya is the client's public
- key and yb is the KDC's public key. If both ya and yb are the
- same in a later exchange, the cached DHSharedSecret can be used.
-
- 2. Let K be the key-generation seed length [RFC3961] of the AS reply
- key whose enctype is selected according to [RFC4120].
-
- 3. Define the function octetstring2key() as follows:
-
- octetstring2key(x) == random-to-key(K-truncate(
- SHA1(0x00 | x) |
- SHA1(0x01 | x) |
- SHA1(0x02 | x) |
- ...
- ))
-
- where x is an octet string; | is the concatenation operator; 0x00,
- 0x01, 0x02, etc., are each represented as a single octet; random-
- to-key() is an operation that generates a protocol key from a
- bitstring of length K; and K-truncate truncates its input to the
- first K bits. Both K and random-to-key() are as defined in the
- kcrypto profile [RFC3961] for the enctype of the AS reply key.
-
- 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be
- the serverDHNonce; otherwise, let both n_c and n_k be empty octet
- strings.
-
- 5. The AS reply key k is:
-
- k = octetstring2key(DHSharedSecret | n_c | n_k)
-
-3.2.3.2. Using Public Key Encryption
-
- In this case, the PA-PK-AS-REP contains the encKeyPack field where
- the AS reply key is encrypted.
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 23]
-
-Internet-Draft PKINIT February 2006
-
-
- The ContentInfo [RFC3852] structure for the encKeyPack field is
- filled in as follows:
-
- 1. The contentType field of the type ContentInfo is id-envelopedData
- (as defined in [RFC3852]), and the content field is an
- EnvelopedData (as defined in [RFC3852]).
-
- 2. The contentType field for the type EnvelopedData is id-
- signedData: { iso (1) member-body (2) us (840) rsadsi (113549)
- pkcs (1) pkcs7 (7) signedData (2) }.
-
- 3. The eContentType field for the inner type SignedData (when
- decrypted from the encryptedContent field for the type
- EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6)
- internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }.
- Notes to CMS implementers: the signed attribute content-type MUST
- be present in this SignedData instance and its value is id-
- pkinit-rkeyData according to [RFC3852].
-
- 4. The eContent field for the inner type SignedData contains the DER
- encoding of the type ReplyKeyPack (as described below).
-
- 5. The signerInfos field of the inner type SignedData contains a
- single signerInfo, which contains the signature for the type
- ReplyKeyPack.
-
- 6. The certificates field of the inner type SignedData contains
- certificates intended to facilitate certification path
- construction, so that the client can verify the KDC's signature
- for the type ReplyKeyPack. The information contained in the
- trustedCertifiers in the request SHOULD be used by the KDC as
- hints to guide its selection of an appropriate certificate chain
- to return to the client. This field may be left empty if the KDC
- public key specified by the kdcPkId field in the PA-PK-AS-REQ was
- used for signing. Otherwise, for path validation, these
- certificates SHOULD be sufficient to construct at least one
- certification path from the KDC certificate to one trust anchor
- acceptable by the client [RFC4158]. The KDC MUST be capable of
- including such a set of certificates if configured to do so. The
- certificates field MUST NOT contain "root" CA certificates.
-
- 7. The recipientInfos field of the type EnvelopedData is a SET which
- MUST contain exactly one member of type KeyTransRecipientInfo.
- The encryptedKey of this member contains the temporary key which
- is encrypted using the client's public key.
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 24]
-
-Internet-Draft PKINIT February 2006
-
-
- 8. The unprotectedAttrs or originatorInfo fields of the type
- EnvelopedData MAY be present.
-
- If there is a supportedCMSTypes field in the AuthPack, the KDC must
- check to see if it supports any of the listed types. If it supports
- more than one of the types, the KDC SHOULD use the one listed first.
- If it does not support any of them, it MUST return an error message
- with the code KDC_ERR_ETYPE_NOSUPP [RFC4120].
-
- Furthermore the KDC computes the checksum of the AS-REQ in the client
- request. This checksum is performed over the type AS-REQ and the
- protocol key [RFC3961] of the checksum operation is the replyKey and
- the key usage number is 6. If the replyKey's enctype is "newer"
- [RFC4120] [RFC4121], the checksum operation is the required checksum
- operation [RFC3961] of that enctype.
-
- ReplyKeyPack ::= SEQUENCE {
- replyKey [0] EncryptionKey,
- -- Contains the session key used to encrypt the
- -- enc-part field in the AS-REP, i.e. the
- -- AS reply key.
- asChecksum [1] Checksum,
- -- Contains the checksum of the AS-REQ
- -- corresponding to the containing AS-REP.
- -- The checksum is performed over the type AS-REQ.
- -- The protocol key [RFC3961] of the checksum is the
- -- replyKey and the key usage number is 6.
- -- If the replyKey's enctype is "newer" [RFC4120]
- -- [RFC4121], the checksum is the required
- -- checksum operation [RFC3961] for that enctype.
- -- The client MUST verify this checksum upon receipt
- -- of the AS-REP.
- ...
- }
-
- Implementations of this RSA encryption key delivery method are
- RECOMMENDED to support RSA keys at least 2048 bits in size.
-
-3.2.4. Receipt of KDC Reply
-
- Upon receipt of the KDC's reply, the client proceeds as follows. If
- the PA-PK-AS-REP contains the dhSignedData field, the client derives
- the AS reply key using the same procedure used by the KDC as defined
- in Section 3.2.3.1. Otherwise, the message contains the encKeyPack
- field, and the client decrypts and extracts the temporary key in the
- encryptedKey field of the member KeyTransRecipientInfo, and then uses
- that as the AS reply key.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 25]
-
-Internet-Draft PKINIT February 2006
-
-
- If the public key encryption method is used, the client MUST verify
- the asChecksum contained in the ReplyKeyPack.
-
- In either case, the client MUST verify the signature in the
- SignedData according to [RFC3852]. The KDC's X.509 certificate MUST
- be validated according to [RFC3280]. In addition, unless the client
- can otherwise verify that the public key used to verify the KDC's
- signature is bound to the KDC of the target realm, the KDC's X.509
- certificate MUST contain a Subject Alternative Name extension
- [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as
- defined in Section 3.2.2) and whose value is a KRB5PrincipalName that
- matches the name of the TGS of the target realm (as defined in
- Section 7.3 of [RFC4120]).
-
- Unless the client knows by some other means that the KDC certificate
- is intended for a Kerberos KDC, the client MUST require that the KDC
- certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc:
-
- id-pkinit-KPKdc OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
- pkinit(3) keyPurposeKdc(5) }
- -- Signing KDC responses.
- -- Key usage bits that MUST be consistent:
- -- digitalSignature.
-
- The digitalSignature key usage bit [RFC3280] MUST be asserted when
- the intended purpose of the KDC's X.509 certificate is restricted
- with the id-pkinit-KPKdc EKU.
-
- If the KDC certificate contains the Kerberos TGS name encoded as an
- id-pkinit-san SAN, this certificate is certified by the issuing CA as
- a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required.
-
- If all applicable checks are satisfied, the client then decrypts the
- enc-part field of the KDC-REP in the AS-REP using the AS reply key,
- and then proceeds as described in [RFC4120].
-
-3.3. Interoperability Requirements
-
- The client MUST be capable of sending a set of certificates
- sufficient to allow the KDC to construct a certification path for the
- client's certificate, if the correct set of certificates is provided
- through configuration or policy.
-
- If the client sends all the X.509 certificates on a certification
- path to a trust anchor acceptable by the KDC, and the KDC can not
- verify the client's public key otherwise, the KDC MUST be able to
- process path validation for the client's certificate based on the
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 26]
-
-Internet-Draft PKINIT February 2006
-
-
- certificates in the request.
-
- The KDC MUST be capable of sending a set of certificates sufficient
- to allow the client to construct a certification path for the KDC's
- certificate, if the correct set of certificates is provided through
- configuration or policy.
-
- If the KDC sends all the X.509 certificates on a certification path
- to a trust anchor acceptable by the client, and the client can not
- verify the KDC's public key otherwise, the client MUST be able to
- process path validation for the KDC's certificate based on the
- certificates in the reply.
-
-3.4. KDC Indication of PKINIT Support
-
- If pre-authentication is required, but was not present in the
- request, per [RFC4120] an error message with the code
- KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be
- stored in the e-data field of the KRB-ERROR message to specify which
- pre-authentication mechanisms are acceptable. The KDC can then
- indicate the support of PKINIT by including an empty element whose
- padata-type is PA_PK_AS_REQ in that METHOD-DATA object.
-
- Otherwise if it is required by the KDC's local policy that the client
- must be pre-authenticated using the pre-authentication mechanism
- specified in this document, but no PKINIT pre-authentication was
- present in the request, an error message with the code
- KDC_ERR_PREAUTH_FAILED SHOULD be returned.
-
- KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in
- the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET
- STRING), and clients MUST ignore this and any other value. Future
- extensions to this protocol may specify other data to send instead of
- an empty OCTET STRING.
-
-
-4. Security Considerations
-
- The security of cryptographic algorithms is dependent on generating
- secret quantities [RFC4086]. The number of truly random bits is
- extremely important to determining the attack resistance strength of
- the cryptosystem, for example, the secret Diffie-Hellman exponents
- must be chosen based on n truly random bits (where n is the system
- security requirement). The security of the overall system is
- significantly weakened by using insufficient random inputs: a
- sophisticated attacker may find it easier to reproduce the
- environment that produced the secret quantities and to search the
- resulting small set of possibilities than to locate the quantities in
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 27]
-
-Internet-Draft PKINIT February 2006
-
-
- the whole of the potential number space.
-
- Kerberos error messages are not integrity protected, as a result, the
- domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered
- with by an attacker so that the set of domain parameters selected
- could be either weaker or not mutually preferred. Local policy can
- configure sets of domain parameters acceptable locally, or disallow
- the negotiation of DH domain parameters.
-
- The symmetric reply key size and Diffie-Hellman field size or RSA
- modulus size should be chosen so as to provide sufficient
- cryptographic security [RFC3766].
-
- When MODP Diffie-Hellman is used, the exponents should have at least
- twice as many bits as the symmetric keys that will be derived from
- them [ODL99].
-
- PKINIT raises certain security considerations beyond those that can
- be regulated strictly in protocol definitions. We will address them
- in this section.
-
- PKINIT extends the cross-realm model to the public-key
- infrastructure. Users of PKINIT must understand security policies
- and procedures appropriate to the use of Public Key Infrastructures
- [RFC3280].
-
- In order to trust a KDC certificate that is certified by a CA as a
- KDC certificate for a target realm (for example, by asserting the TGS
- name of that Kerberos realm as an id-pkinit-san SAN and/or
- restricting the certificate usage by using the id-pkinit-KPKdc EKU,
- as described in Section 3.2.4), the client MUST verify that the KDC
- certificate's issuing CA is authorized to issue KDC certificates for
- that target realm. Otherwise, the binding between the KDC
- certificate and the KDC of the target realm is not established.
-
- How to validate this authorization is a matter of local policy. A
- way to achieve this is the configuration of specific sets of
- intermediary CAs and trust anchors, one of which must be on the KDC
- certificate's certification path [RFC3280]; and for each CA or trust
- anchor the realms for which it is allowed to issue certificates.
-
- In addition, if any CA is trusted to issue KDC certificates can also
- issue other kinds of certificates, then local policy must be able to
- distinguish between them: for example, it could require that KDC
- certificates contain the id-pkinit-KPKdc EKU or that the realm be
- specified with the id-pkinit-san SAN.
-
- It is the responsibility of the PKI administrators for an
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 28]
-
-Internet-Draft PKINIT February 2006
-
-
- organization to ensure that KDC certificates are only issued to KDCs,
- and that clients can ascertain this using their local policy.
-
- Standard Kerberos allows the possibility of interactions between
- cryptosystems of varying strengths; this document adds interactions
- with public-key cryptosystems to Kerberos. Some administrative
- policies may allow the use of relatively weak public keys. When
- using such weak asymmetric keys to protect/exchange stronger
- symmetric Keys, the attack resistant strength of the overall system
- is no better than that of these weak keys [RFC3766].
-
- PKINIT requires keys for symmetric cryptosystems to be generated.
- Some such systems contain "weak" keys. For recommendations regarding
- these weak keys, see [RFC4120].
-
- PKINIT allows the use of the same RSA key pair for encryption and
- signing when doing RSA encryption based key delivery. This is not
- recommended usage of RSA keys [RFC3447], by using DH based key
- delivery this is avoided.
-
- Care should be taken in how certificates are chosen for the purposes
- of authentication using PKINIT. Some local policies may require that
- key escrow be used for certain certificate types. Deployers of
- PKINIT should be aware of the implications of using certificates that
- have escrowed keys for the purposes of authentication. Because
- signing only certificates are normally not escrowed, by using DH
- based key delivery this is avoided.
-
- PKINIT does not provide for a "return routability" test to prevent
- attackers from mounting a denial-of-service attack on the KDC by
- causing it to perform unnecessary and expensive public-key
- operations. Strictly speaking, this is also true of standard
- Kerberos, although the potential cost is not as great, because
- standard Kerberos does not make use of public-key cryptography. By
- using DH based key delivery and reusing DH keys, the necessary crypto
- processing cost per request can be minimized.
-
- When the Diffie-Hellman key exchange method is used, additional pre-
- authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as
- defined in this specification) is not bound to the AS_REQ by the
- mechanisms discussed in this specification (meaning it may be dropped
- or added by attackers without being detected by either the client or
- the KDC). Designers of additional pre-authentication data should
- take that into consideration if such additional pre-authentication
- data can be used in conjunction with the PA_PK_AS_REQ. The future
- work of the Kerberos working group is expected to update the hash
- algorithms specified in this document and provide a generic mechanism
- to bind additional pre-authentication data with the accompanying
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 29]
-
-Internet-Draft PKINIT February 2006
-
-
- AS_REQ.
-
-
-5. Acknowledgements
-
- The following people have made significant contributions to this
- draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist
- Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey
- Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M
- Grundman and Jeffrey Altman.
-
- Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and
- Chris Walstad discovered a binding issue between the AS-REQ and AS-
- REP in draft -26, the asChecksum field was added as the result.
-
- Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and
- Jonathan Trostle who wrote earlier versions of this document.
-
- The authors are indebted to the Kerberos working group chair Jeffrey
- Hutzelman who kept track of various issues and was enormously helpful
- during the creation of this document.
-
- Some of the ideas on which this document is based arose during
- discussions over several years between members of the SAAG, the IETF
- CAT working group, and the PSRG, regarding integration of Kerberos
- and SPX. Some ideas have also been drawn from the DASS system.
- These changes are by no means endorsed by these groups. This is an
- attempt to revive some of the goals of those groups, and this
- document approaches those goals primarily from the Kerberos
- perspective.
-
- Lastly, comments from groups working on similar ideas in DCE have
- been invaluable.
-
-
-6. IANA Considerations
-
- This document has no actions for IANA.
-
-
-7. References
-
-7.1. Normative References
-
- [IEEE1363]
- IEEE, "Standard Specifications for Public Key
- Cryptography", IEEE 1363, 2000.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 30]
-
-Internet-Draft PKINIT February 2006
-
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol",
- RFC 2412, November 1998.
-
- [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
- RFC 2631, June 1999.
-
- [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
- Identifiers for the Internet X.509 Public Key
- Infrastructure Certificate and Certificate Revocation List
- (CRL) Profile", RFC 3279, April 2002.
-
- [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
- X.509 Public Key Infrastructure Certificate and
- Certificate Revocation List (CRL) Profile", RFC 3280,
- April 2002.
-
- [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
- Algorithms", RFC 3370, August 2002.
-
- [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
- Standards (PKCS) #1: RSA Cryptography Specifications
- Version 2.1", RFC 3447, February 2003.
-
- [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
- Diffie-Hellman groups for Internet Key Exchange (IKE)",
- RFC 3526, May 2003.
-
- [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport
- Algorithm in Cryptographic Message Syntax (CMS)",
- RFC 3560, July 2003.
-
- [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)", RFC 3565, July 2003.
-
- [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
- Public Keys Used For Exchanging Symmetric Keys", BCP 86,
- RFC 3766, April 2004.
-
- [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
- RFC 3852, July 2004.
-
- [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
- Kerberos 5", RFC 3961, February 2005.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 31]
-
-Internet-Draft PKINIT February 2006
-
-
- [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
- Encryption for Kerberos 5", RFC 3962, February 2005.
-
- [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
- Requirements for Security", BCP 106, RFC 4086, June 2005.
-
- [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
- Kerberos Network Authentication Service (V5)", RFC 4120,
- July 2005.
-
- [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
- Information technology - Abstract Syntax Notation One
- (ASN.1): Specification of basic notation.
-
- [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
- Information technology - ASN.1 encoding Rules: Specification
- of Basic Encoding Rules (BER), Canonical Encoding Rules
- (CER) and Distinguished Encoding Rules (DER).
-
-7.2. Informative References
-
- [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
- Sizes", Journal of Cryptology 14 (2001) 255-293.
-
- [ODL99] Odlyzko, A., "Discrete logarithms: The past and the
- future, Designs, Codes, and Cryptography (1999)".
- April 1999.
-
- [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
- Version 5 Generic Security Service Application Program
- Interface (GSS-API) Mechanism: Version 2", RFC 4121,
- July 2005.
-
- [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
- Nicholas, "Internet X.509 Public Key Infrastructure:
- Certification Path Building", RFC 4158, September 2005.
-
-
-Appendix A. PKINIT ASN.1 Module
-
- KerberosV5-PK-INIT-SPEC {
- iso(1) identified-organization(3) dod(6) internet(1)
- security(5) kerberosV5(2) modules(4) pkinit(5)
- } DEFINITIONS EXPLICIT TAGS ::= BEGIN
-
- IMPORTS
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 32]
-
-Internet-Draft PKINIT February 2006
-
-
- SubjectPublicKeyInfo, AlgorithmIdentifier
- FROM PKIX1Explicit88 { iso (1)
- identified-organization (3) dod (6) internet (1)
- security (5) mechanisms (5) pkix (7) id-mod (0)
- id-pkix1-explicit (18) }
- -- As defined in RFC 3280.
-
- KerberosTime, PrincipalName, Realm, EncryptionKey
- FROM KerberosV5Spec2 { iso(1) identified-organization(3)
- dod(6) internet(1) security(5) kerberosV5(2)
- modules(4) krb5spec2(2) } ;
-
- id-pkinit OBJECT IDENTIFIER ::=
- { iso (1) org (3) dod (6) internet (1) security (5)
- kerberosv5 (2) pkinit (3) }
-
- id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
- id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
- id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
- id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 }
- id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 }
-
- id-pkinit-san OBJECT IDENTIFIER ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
- x509SanAN (2) }
-
- pa-pk-as-req INTEGER ::= 16
- pa-pk-as-rep INTEGER ::= 17
-
- ad-initial-verified-cas INTEGER ::= 9
-
- td-trusted-certifiers INTEGER ::= 104
- td-invalid-certificates INTEGER ::= 105
- td-dh-parameters INTEGER ::= 109
-
- PA-PK-AS-REQ ::= SEQUENCE {
- signedAuthPack [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo
- -- is id-signedData (1.2.840.113549.1.7.2),
- -- and the content field is a SignedData.
- -- The eContentType field for the type SignedData is
- -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
- -- eContent field contains the DER encoding of the
- -- type AuthPack.
- -- AuthPack is defined below.
- trustedCertifiers [1] SEQUENCE OF
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 33]
-
-Internet-Draft PKINIT February 2006
-
-
- ExternalPrincipalIdentifier OPTIONAL,
- -- Contains a list of CAs, trusted by the client,
- -- that can be used to certify the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
- -- The information contained in the
- -- trustedCertifiers SHOULD be used by the KDC as
- -- hints to guide its selection of an appropriate
- -- certificate chain to return to the client.
- kdcPkId [2] IMPLICIT OCTET STRING
- OPTIONAL,
- -- Contains a CMS type SignerIdentifier encoded
- -- according to [RFC3852].
- -- Identifies, if present, a particular KDC
- -- public key that the client already has.
- ...
- }
-
- DHNonce ::= OCTET STRING
-
- ExternalPrincipalIdentifier ::= SEQUENCE {
- subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a PKIX type Name encoded according to
- -- [RFC3280].
- -- Identifies the certificate subject by the
- -- distinguished subject name.
- -- REQUIRED when there is a distinguished subject
- -- name present in the certificate.
- issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
- -- Contains a CMS type IssuerAndSerialNumber encoded
- -- according to [RFC3852].
- -- Identifies a certificate of the subject.
- -- REQUIRED for TD-INVALID-CERTIFICATES and
- -- TD-TRUSTED-CERTIFIERS.
- subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
- -- Identifies the subject's public key by a key
- -- identifier. When an X.509 certificate is
- -- referenced, this key identifier matches the X.509
- -- subjectKeyIdentifier extension value. When other
- -- certificate formats are referenced, the documents
- -- that specify the certificate format and their use
- -- with the CMS must include details on matching the
- -- key identifier to the appropriate certificate
- -- field.
- -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
- ...
- }
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 34]
-
-Internet-Draft PKINIT February 2006
-
-
- AuthPack ::= SEQUENCE {
- pkAuthenticator [0] PKAuthenticator,
- clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
- -- Type SubjectPublicKeyInfo is defined in
- -- [RFC3280].
- -- Specifies Diffie-Hellman domain parameters
- -- and the client's public key value [IEEE1363].
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- -- This field is present only if the client wishes
- -- to use the Diffie-Hellman key agreement method.
- supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
- OPTIONAL,
- -- Type AlgorithmIdentifier is defined in
- -- [RFC3280].
- -- List of CMS algorithm [RFC3370] identifiers
- -- that identify key transport algorithms, or
- -- content encryption algorithms, or signature
- -- algorithms supported by the client in order of
- -- (decreasing) preference.
- clientDHNonce [3] DHNonce OPTIONAL,
- -- Present only if the client indicates that it
- -- wishes to reuse DH keys or to allow the KDC to
- -- do so.
- ...
- }
-
- PKAuthenticator ::= SEQUENCE {
- cusec [0] INTEGER (0..999999),
- ctime [1] KerberosTime,
- -- cusec and ctime are used as in [RFC4120], for
- -- replay prevention.
- nonce [2] INTEGER (0..4294967295),
- -- Chosen randomly; This nonce does not need to
- -- match with the nonce in the KDC-REQ-BODY.
- paChecksum [3] OCTET STRING OPTIONAL,
- -- MUST be present.
- -- Contains the SHA1 checksum, performed over
- -- KDC-REQ-BODY.
- ...
- }
-
- TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies a list of CAs trusted by the KDC.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 35]
-
-Internet-Draft PKINIT February 2006
-
-
- TD-INVALID-CERTIFICATES ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Each ExternalPrincipalIdentifier identifies a
- -- certificate (sent by the client) with an invalid
- -- signature.
-
- KRB5PrincipalName ::= SEQUENCE {
- realm [0] Realm,
- principalName [1] PrincipalName
- }
-
- AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
- ExternalPrincipalIdentifier
- -- Identifies the certification path based on which
- -- the client certificate was validated.
- -- Each ExternalPrincipalIdentifier identifies a CA
- -- or a CA certificate (thereby its public key).
-
- PA-PK-AS-REP ::= CHOICE {
- dhInfo [0] DHRepInfo,
- -- Selected when Diffie-Hellman key exchange is
- -- used.
- encKeyPack [1] IMPLICIT OCTET STRING,
- -- Selected when public key encryption is used.
- -- Contains a CMS type ContentInfo encoded
- -- according to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-envelopedData (1.2.840.113549.1.7.3).
- -- The content field is an EnvelopedData.
- -- The contentType field for the type EnvelopedData
- -- is id-signedData (1.2.840.113549.1.7.2).
- -- The eContentType field for the inner type
- -- SignedData (when unencrypted) is
- -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
- -- eContent field contains the DER encoding of the
- -- type ReplyKeyPack.
- -- ReplyKeyPack is defined below.
- ...
- }
-
- DHRepInfo ::= SEQUENCE {
- dhSignedData [0] IMPLICIT OCTET STRING,
- -- Contains a CMS type ContentInfo encoded according
- -- to [RFC3852].
- -- The contentType field of the type ContentInfo is
- -- id-signedData (1.2.840.113549.1.7.2), and the
- -- content field is a SignedData.
- -- The eContentType field for the type SignedData is
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 36]
-
-Internet-Draft PKINIT February 2006
-
-
- -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
- -- eContent field contains the DER encoding of the
- -- type KDCDHKeyInfo.
- -- KDCDHKeyInfo is defined below.
- serverDHNonce [1] DHNonce OPTIONAL,
- -- Present if and only if dhKeyExpiration is
- -- present.
- ...
- }
-
- KDCDHKeyInfo ::= SEQUENCE {
- subjectPublicKey [0] BIT STRING,
- -- The KDC's DH public key.
- -- The DH public key value is encoded as a BIT
- -- STRING according to [RFC3279].
- nonce [1] INTEGER (0..4294967295),
- -- Contains the nonce in the pkAuthenticator field
- -- in the request if the DH keys are NOT reused,
- -- 0 otherwise.
- dhKeyExpiration [2] KerberosTime OPTIONAL,
- -- Expiration time for KDC's key pair,
- -- present if and only if the DH keys are reused.
- -- If present, the KDC's DH public key MUST not be
- -- used past the point of this expiration time.
- -- If this field is omitted then the serverDHNonce
- -- field MUST also be omitted.
- ...
- }
-
- ReplyKeyPack ::= SEQUENCE {
- replyKey [0] EncryptionKey,
- -- Contains the session key used to encrypt the
- -- enc-part field in the AS-REP, i.e. the
- -- AS reply key.
- asChecksum [1] Checksum,
- -- Contains the checksum of the AS-REQ
- -- corresponding to the containing AS-REP.
- -- The checksum is performed over the type AS-REQ.
- -- The protocol key [RFC3961] of the checksum is the
- -- replyKey and the key usage number is 6.
- -- If the replyKey's enctype is "newer" [RFC4120]
- -- [RFC4121], the checksum is the required
- -- checksum operation [RFC3961] for that enctype.
- -- The client MUST verify this checksum upon receipt
- -- of the AS-REP.
- ...
- }
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 37]
-
-Internet-Draft PKINIT February 2006
-
-
- TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
- -- Each AlgorithmIdentifier specifies a set of
- -- Diffie-Hellman domain parameters [IEEE1363].
- -- This list is in decreasing preference order.
- END
-
-
-Appendix B. Test Vectors
-
- Function octetstring2key() is defined in Section 3.2.3.1. This
- section describes a few sets of test vectors that would be useful for
- implementers of octetstring2key().
-
-
- Set 1
- =====
- Input octet string x is:
-
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-
- Output of K-truncate() when the key size is 32 octets:
-
- 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83
- 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41
-
-
- Set 2:
- =====
- Input octet string x is:
-
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 38]
-
-Internet-Draft PKINIT February 2006
-
-
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-
- Output of K-truncate() when the key size is 32 octets:
-
- ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb
- a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e
-
-
- Set 3:
- ======
- Input octet string x is:
-
- 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
- 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
- 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
- 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
- 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b
- 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a
- 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09
- 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
-
- Output of K-truncate() when the key size is 32 octets:
-
- c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3
- 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e
-
-
- Set 4:
- =====
- Input octet string x is:
-
- 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
- 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
- 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
- 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
- 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
-
- Output of K-truncate() when the key size is 32 octets:
-
- 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a
- 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 39]
-
-Internet-Draft PKINIT February 2006
-
-
-Appendix C. Miscellaneous Information about Microsoft Windows PKINIT
- Implementations
-
- Earlier revisions of the PKINIT I-D were implemented in various
- releases of Microsoft Windows and deployed in fairly large numbers.
- To enable the community to better interoperate with systems running
- those releases, the following information may be useful.
-
- KDC certificates issued by Windows 2000 Enterprise CAs contain a
- dNSName SAN with the DNS name of the host running the KDC, and the
- id-kp-serverAuth EKU [RFC3280].
-
- KDC certificates issued by Windows 2003 Enterprise CAs contain a
- dNSName SAN with the DNS name of the host running the KDC, the id-kp-
- serverAuth EKU and the id-ms-kp-sc-logon EKU.
-
- It is anticipated that the next release of Windows is already too far
- along to allow it to support the issuing KDC certificates with id-
- pkinit-san SAN as specified in this RFC. Instead, they will have a
- dNSName SAN containing the domain name of the KDC and the intended
- purpose of these KDC certificates be restricted by the presence of
- the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU.
-
- In addition to checking that the above are present in a KDC
- certificate, Windows clients verify that the issuer of the KDC
- certificate is one of a set of allowed issuers of such certificates,
- so those wishing to issue KDC certificates need to configure their
- Windows clients appropriately.
-
- Client certificates accepted by Windows 2000 and Windows 2003 Server
- KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3)
- SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN
- contains a UTF8 encoded string whose value is that of the Directory
- Service attribute UserPrincipalName of the client account object, and
- the purpose of including the id-ms-san-sc-logon-upn SAN in the client
- certificate is to validate the client mapping (in other words, the
- client's public key is bound to the account that has this
- UserPrincipalName value).
-
- It should be noted that all Microsoft Kerberos realm names are domain
- style realm names and strictly in upper case. In addition, the
- UserPrincipalName attribute is globally unique in Windows 2000 and
- Windows 2003.
-
-
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 40]
-
-Internet-Draft PKINIT February 2006
-
-
-Authors' Addresses
-
- Larry Zhu
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- US
-
- Email: lzhu@microsoft.com
-
-
- Brian Tung
- USC Information Sciences Institute
- 4676 Admiralty Way Suite 1001
- Marina del Rey, CA 90292
- US
-
- Email: brian@isi.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 41]
-
-Internet-Draft PKINIT February 2006
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Zhu & Tung Expires August 11, 2006 [Page 42]
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 18:19:00 +0000