summaryrefslogtreecommitdiff
path: root/doc/standardisation/draft-zhu-ws-kerb-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/standardisation/draft-zhu-ws-kerb-01.txt')
-rw-r--r--doc/standardisation/draft-zhu-ws-kerb-01.txt505
1 files changed, 0 insertions, 505 deletions
diff --git a/doc/standardisation/draft-zhu-ws-kerb-01.txt b/doc/standardisation/draft-zhu-ws-kerb-01.txt
deleted file mode 100644
index 7fa7075d3..000000000
--- a/doc/standardisation/draft-zhu-ws-kerb-01.txt
+++ /dev/null
@@ -1,505 +0,0 @@
-
-
-NETWORK WORKING GROUP L. Zhu
-Internet-Draft Microsoft Corporation
-Updates: 4120 (if approved) October 2006
-Intended status: Standards Track
-Expires: April 4, 2007
-
-
- Kerberos for Web Services
- draft-zhu-ws-kerb-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on April 4, 2007.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006).
-
-Abstract
-
- This document defines extensions to the Kerberos protocol and the
- GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
- exchange messages with the KDC using the GSS-API acceptor as the
- proxy, by encapsulating the Kerberos messages inside GSS-API tokens.
- With these extensions, Kerberos is suitable for securing
- communication between the client and web services over the Internet.
-
-
-
-
-Zhu Expires April 4, 2007 [Page 1]
-
-Internet-Draft WS-KERB October 2006
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Conventions Used in This Document . . . . . . . . . . . . . . . 3
- 3. GSS-API Encapsulation . . . . . . . . . . . . . . . . . . . . . 3
- 4. Addresses in Tickets . . . . . . . . . . . . . . . . . . . . . 6
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
- 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
- 8. Normative References . . . . . . . . . . . . . . . . . . . . . 7
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
- Intellectual Property and Copyright Statements . . . . . . . . . . 9
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu Expires April 4, 2007 [Page 2]
-
-Internet-Draft WS-KERB October 2006
-
-
-1. Introduction
-
- The Kerberos [RFC4120] pre-authentication framework [KRB-PAFW]
- promises minimal or no exposure of weak client keys and strong client
- authentication. The Kerberos support of anonymity [KRB-ANON]
- provides for privacy. These advancements make Kerberos suitable over
- the Internet.
-
- The traditional client-push Kerberos protocol does not work well in
- the Web services environments where the KDC is not accessible to the
- client, but is accessible to the web server. For example, the KDC is
- commonly placed behind a firewall together with the application
- server. The lack of accessibility to the KDC by the client could
- also occur are when the client does not have an IP address prior to
- authenticating to an access point.
-
- Generic Security Service Application Program Interface (GSS-API)
- [RFC2743] allows security mechanisms exchange arbitrary messages
- between the initiator and the acceptor via the application traffic,
- independent of the underlying transports. A protocol based on
- [RFC4121] is thus defined to allow the GSS-API initiator to exchange
- Kerberos messages with the KDC by using the GSS-API acceptor as the
- proxy. The acceptor-pull model defined in this specification is
- benefical for initiators with limited processing power such as mobile
- devices, or when the transport layer between the initiator and the
- acceptor has high network latency.
-
- Client --------- WS-KERB proxy ---------- KDC
-
- The Kerberos client MUST avoid exposure of long term client keys to
- the GSS-API acceptor, before and after the Kerberos server is
- authenticated. This can be accomplished by using Kerberos-FAST [KRB-
- PAFW]. Furthermore, the initiator can use the anonymous option as
- defined in Section 6.5.2 of [KRB-PAFW], to hide the client identity
- from adversary who can eavesdrop the application traffic.
-
-
-2. Conventions Used in This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-3. GSS-API Encapsulation
-
- The mechanism Objection Identifier (OID) for GSS-API WS-KERB, in
- accordance with the mechanism proposed by [RFC4178] for negotiating
-
-
-
-Zhu Expires April 4, 2007 [Page 3]
-
-Internet-Draft WS-KERB October 2006
-
-
- protocol variations, is id-kerberos-ws.
-
- id-kerberos-ws ::=
- { iso(1) org(3) dod(6) internet(1) security(5) kerberosV5(2)
- webService(6) }
-
- The first token of the GSS-API WS-KERB mechanism MUST have the
- generic token framing described in section 3.1 of [RFC2743] with the
- mechanism OID being id-kerberos-ws, and any subsequent GSS-API WS-
- KERB token MUST NOT have this framing.
-
- The GSS-API WS-KERB mechanism MUST always provide mutual
- authentication, even if the initiator does not ask for it. When
- mutual-authentication is performed, the GSS-API acceptor will always
- send back an AP-REP, and as described later in this section this
- mechanism provides integrity protection for all initiator-acceptor
- proxy message exchanges.
-
- The innerToken described in section 3.1 of [RFC2743] and subsequent
- GSS-API tokens have the following formats: it starts with a two-octet
- token-identifier (TOK_ID), followed by a WS-KERB message or a
- Kerberos message.
-
-
- Token/Message TOK_ID Value in Hex
- -----------------------------------------
- WS_KRB_PROXY 05 01
-
- Only one WS-KERB specific message, namely the WS_KRB_PROXY message,
- is defined in this document. The TOK_ID values for [RFC4120]
- Kerberos messages are the same as those defined for the GSS-API
- Kerberos mechanism [RFC4121].
-
- The message of the WS_KRB_PROXY type is defined as a WS-KRB-HEADER
- structure immediately followed by a Kerberos message. The Kerberos
- message can be an AS-REQ, an AS-REP, a TGS-REQ, a TGS-REP, or a KRB-
- ERROR as defined in [RFC4120].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Zhu Expires April 4, 2007 [Page 4]
-
-Internet-Draft WS-KERB October 2006
-
-
- WS-KRB-HEADER ::= SEQUENCE {
- proxy-data [1] ProxyData,
- ...
- }
-
- ProxyData :: = SEQUENCE {
- realm [1] Realm,
- cookie [3] OCTET STRING OPTIONAL,
- -- opaque data, if sent by the acceptor,
- -- MUST be copied by the client unchanged into
- -- the next WS-KERB message.
- ...
- }
-
-
- The WS-KRB-HEADER structure and all the Kerberos messages MUST be
- encoded using Abstract Syntax Notation One (ASN.1) Distinguished
- Encoding Rules (DER) [X680] [X690].
-
- The GSS-API initiator fills out the realm field in the ProxyData of
- the first request with the client realm. If the client does not know
- the client realm [REFERALS], it MUST fill it out using the client's
- default realm name such as the realm of the client host. Typically
- the Kerberos message in the first WS_KRB_PROXY message from the
- client is an AS-REQ message.
-
- Upon receipt of the WS_KRB_PROXY message, the GSS-API WS-KERB
- acceptor MUST use the proxy-data in the message from the client to
- locate the KDC and sends the encapsulated Kerberos message to that
- KDC. Unless otherwise specified, the acceptor can locate the KDC per
- Section 7.2.3.2 of [RFC4120].
-
- In order to reduce the number of roundtrips between the initiator and
- the acceptor, the acceptor SHOULD process any message exchange with
- the KDC if the exchange is unauthenticated, such as client-referral
- message exchange [REFERALS]. If the acceptor can not process the KDC
- response by itself, for example when the knowledge of the client keys
- is required, it sends back to the client the KDC reply message
- encapsulated in a WS_KRB_PROXY message. The acceptor MUST fill out
- the realm name whose KDC produced the response. The acceptor SHOULD
- use the kdc-referrals option described in Section 6.5.2 of [KRB-PAFW]
- to allow the KDC of the client's realm to obtain a service ticket
- addressed to the acceptor, thus further reduce the number of
- roundtrips between the GSS-API initiator and the GSS-API acceptor.
- The GSS-API acceptor can send opaque data in the cookie field of the
- WS-KRB-HEADER structure in the reply from the acceptor to the
- initiator, in order to, for example, to facilitate state managements
- on the GSS-API acceptor. The content and the encoding of the cookie
-
-
-
-Zhu Expires April 4, 2007 [Page 5]
-
-Internet-Draft WS-KERB October 2006
-
-
- field is a local matter of the acceptor. The initiator MUST copy the
- verbatim cookie from the previous acceptor response, when the cookie
- is present, whenever it sends an additional WS-KRB-PROXY message to
- the acceptor. The client processes the KDC response, and fills out
- the realm name it believes to whom the acceptor should send the
- encapsulated Kerberos message.
-
- When the client obtains a service ticket, the initiator then sends a
- KRB_AP_REQ message to the acceptor, and proceed as defined in
- [RFC4121]. A GSS-API authenticator extension [GSS-EXTS] MUST be sent
- by the initiator. The extension type is 2 and the content is the
- ASN.1 DER encoding of the type Checksum. The checksum is performed
- over all GSS-API messages as exchanged between the initiator and the
- acceptor before the KRB_AP_REQ message, and in the order of the
- exchange. The checksum type is the required checksum type for the
- enctype of the subkey in the authenticator, the protocol key is the
- authenticator subkey, and the key usage number is TBA-1. The
- acceptor MUST verify this checksum in the GSS-API authenticator
- extension, then respond with an AP-REP extension [GSS-EXTS]. The AP-
- REP extension type is 2 and the the content is the ASN.1 DER encoding
- of the type Checksum. This checksum is performed over all GSS-API
- messages as exchanged between the initiator and the acceptor before
- the KRB_AP_REQ message, and in the order of the exchange. The
- checksum type is the required checksum type for the enctype of the
- authenticator subkey in the request, and the protocol key is the
- authenticator subkey, and the key usage number is TBA-2. The
- initiator MUST then verify this checksum.
-
-
-4. Addresses in Tickets
-
- In WS-KERB, the machine sending requests to the KDC is the GSS-API
- acceptor and not the initiator. As a result, the initiator should
- not include its addresses in any KDC requests for two reasons.
- First, the KDC may reject the forwarded request as being from the
- wrong client. Second, in the case of initial authentication for a
- dial-up client, the client machine may not yet possess a network
- address. Hence, as allowed by [RFC4120], the addresses field of the
- AS-REQ and TGS-REQ requests SHOULD be blank and the caddr field of
- the ticket SHOULD similarly be left blank.
-
-
-5. Security Considerations
-
- Similar to other network access protocols, WS-KERB allows an
- unauthenticated client (possibly outside the security perimeter of an
- organization) to send messages that are proxied to interior servers.
-
-
-
-
-Zhu Expires April 4, 2007 [Page 6]
-
-Internet-Draft WS-KERB October 2006
-
-
- In a scenario where DNS SRV RR's are being used to locate the KDC,
- WS-KERB is being used, and an external attacker can modify DNS
- responses to the WS-KERB proxy, there are several countermeasures to
- prevent arbitrary messages from being sent to internal servers:
-
- 1. KDC port numbers can be statically configured on the WS-KERB
- proxy. In this case, the messages will always be sent to KDC's.
- For an organization that runs KDC's on a static port (usually
- port 88) and does not run any other servers on the same port,
- this countermeasure would be easy to administer and should be
- effective.
-
- 2. The proxy can do application level sanity checking and filtering.
- This countermeasure should eliminate many of the above attacks.
-
- 3. DNS security can be deployed. This countermeasure is probably
- overkill for this particular problem, but if an organization has
- already deployed DNS security for other reasons, then it might
- make sense to leverage it here. Note that Kerberos could be used
- to protect the DNS exchanges. The initial DNS SRV KDC lookup by
- the proxy will be unprotected, but an attack here is at most a
- denial of service (the initial lookup will be for the proxy's KDC
- to facilitate Kerberos protection of subsequent DNS exchanges
- between itself and the DNS server).
-
-
-6. Acknowledgements
-
- The acceptor-proxy idea is based on the early revisions of this
- document written by Jonathan Trostle, Michael Swift, Bernard Aboba
- and Glen Zorn.
-
- The rest of the ideas mostly came from hallway conversations between
- the author and Nicolas Williams.
-
-
-7. IANA Considerations
-
- There is no IANA action required for this document.
-
-
-8. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2743] Linn, J., "Generic Security Service Application Program
- Interface Version 2, Update 1", RFC 2743, January 2000.
-
-
-
-Zhu Expires April 4, 2007 [Page 7]
-
-Internet-Draft WS-KERB October 2006
-
-
- [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
- Kerberos Network Authentication Service (V5)", RFC 4120,
- July 2005.
-
- [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
- Version 5 Generic Security Service Application Program
- Interface (GSS-API) Mechanism: Version 2", RFC 4121,
- July 2005.
-
- [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
- Simple and Protected Generic Security Service Application
- Program Interface (GSS-API) Negotiation Mechanism",
- RFC 4178, October 2005.
-
- [KRB-ANON] Zhu, L., Leach, P. and Jaganathan, K., "Kerberos Anonymity
- Support", draft-ietf-krb-wg-anon, work in progress.
-
- [KRB-PAFW] Zhu, etl, "Kerberos Pre-Authentication framework",
- draft-ietf-krb-wg-preauth-framework, work in progress.
-
- [GSS-EXTS] Emery, S., draft-ietf-krb-wg-gss-cb-hash-agility, work in
- progess.
-
- [REFERALS] Raeburn, K., "Generating KDC Referrals to Locate Kerberos
- Realms", draft-ietf-krb-wg-kerberos-referrals, work in
- progress.
-
- [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
- Information technology - Abstract Syntax Notation One
- (ASN.1): Specification of basic notation.
-
- [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
- Information technology - ASN.1 encoding Rules:
- Specification of Basic Encoding Rules (BER), Canonical
- Encoding Rules (CER) and Distinguished Encoding Rules
- (DER).
-
-
-Author's Address
-
- Larry Zhu
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- US
-
- Email: lzhu@microsoft.com
-
-
-
-
-
-Zhu Expires April 4, 2007 [Page 8]
-
-Internet-Draft WS-KERB October 2006
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-Zhu Expires April 4, 2007 [Page 9]
-
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 18:29:27 +0000