view Side-By-Side changes
INTERNET-DRAFT Clifford Neumandraft-ietf-cat-kerberos-pk-init-02.txtdraft-ietf-cat-kerberos-pk-init-03.txt Brian Tung Updates: RFC 1510 ISI expiresApril 19,September 30, 1997 John Wray Digital Equipment CorporationJonathan TrostleAri Medvinsky Matthew Hur CyberSafe Corporation Jonathan Trostle Novell Public Key Cryptography for Initial Authentication in Kerberos 0. Status Of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by otherdocu- mentsdocuments at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as``work"work inpro- gress.''progress." To learn the current status of any Internet-Draft, please check the``1id-abstracts.txt''"1id-abstracts.txt" listing contained in the Internet-DraftsSha- dowShadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). The distribution of this memo is unlimited. It is filed asdraft-ietf-cat-kerberos-pk-init-02.txt,draft-ietf-cat-kerberos-pk-init-03.txt, and expiresApril 19,September 30, 1997. Please send comments to the authors. 1. Abstract This document defines extensions (PKINIT) to the Kerberos protocol specification (RFC1510, "The Kerberos Network Authentication Service (V5)", September 1993)1510 [1]) to provide a method for using public key cryptography during initial authentication. Themethodmethods definedspecifiesspecify thewayways in which preauthentication data fields and error data fields in Kerberos messages are to be used to transport public key data. 2.Motivation PublicIntroduction The popularity of public key cryptographypresentshas produced ameansdesire for its support in Kerberos [2]. The advantages provided bywhich a principal may demonstrate possession of a key, without ever having divulged thispublic keyto anyone else. In conventional cryptography, the encryptioncryptography include simplified key management (from the Kerberos perspective) anddecryption key are either identical or can easily be derived from one another. In public key cryptography, however, neitherthe ability to leverage existing and developing public keynor the privatecertification infrastructures. Public key cryptography can bederived from the other (although the privateintegrated into Kerberos in a number of ways. One is to to associate a keyRECORD may includepair with each realm, which can then be used to facilitate cross-realm authentication; this is theinformation requiredtopic of another draft proposal. Another way is togenerate BOTH keys). Hence, a message encryptedallow users withapublic key certificates to use them in initial authentication. This isprivate, since onlytheperson possessingconcern of theprivate key can decrypt it; similarly, someone possessingcurrent document. One of theprivate key can also encrypt a message, thus providing a digital signature. Furthermore, conventional keys are often derived from passwords, so messages encrypted with these keys are susceptible to dictionary attacks, whereas public key pairs are generated from a pseudo-random number sequence. While itguiding principles in the design of PKINIT istruethatmessages encrypted using public key cryptography are actually encrypted withchanges should be as minimal as possible. As aconventional secret key, which is in turn encrypted using the public key pair,result, thesecret keybasic mechanism of PKINIT isalso randomly generated andas follows: The user sends a request to the KDC as before, except that if that user ishence not vulnerabletoa dictionary attack. The advantages provided byuse public key cryptographyhave produced a demand for its integration intoin theKerberosinitial authenticationprotocol. The public key integration into Kerberos described in this document has three goals. First, by allowing users to register public keys with the KDC, the KDC can be recovered much more easilystep, his certificate accompanies the initial request, in theevent it is compromised. With Kerberos as it currently stands, compromisepreauthentication fields. Upon receipt of this request, the KDCis disastrous. All keys become known byverifies theattackercertificate andall keys must be changed. Second, we allow users that have public key certificates signed by outside authorities to obtain Kerberos credentials for access to Kerberized services. Third, we obtain the above benefits while maintaining the performance advantages of Kerberos over protocols that use only public key authentication. If users register public keys, compromise of the KDC does not divulge their private key. Compromise of security on the KDC is still a problem, since an attacker can impersonate any user by creatingissues a ticket granting ticketfor the user. When(TGT) as before, except that instead of being encrypted in thecompromiseuser's long-term key (which isdetected, the KDC can be cleaned up and restoredderived frombackup media and loaded with a backup private/public key pair. Keys for application servers are conventional symmetric keys and must be changed. Note: Ifauser stores his private key, in an encrypted form, on the KDC, thenpassword), itmay be desirable to change the key pair, since the private keyis encryptedusingin asymmetricrandomly-generated key. This random keyderived from a password (as described below), and can therefore be vulnerable to dictionary attack if a good password policyisnot used. Alternatively, ifin turn encrypted using theencrypting symmetricpublic keyhas 56 bits, then it may also be desirable to changecertificate that came with thekey pair after a short period due torequest and signed using theshort key length. The KDC does not have access toKDC's signature key, and accompanies theuser's unencrypted private key. There are two important areas where public key cryptography will have immediate use:reply, in theinitial authentication ofpreauthentication fields. PKINIT also allows for usersregisteredwiththe KDC oronly digital signature keys to authenticate usingpublic key certificates from outside authorities,those keys, and for users toestablish inter-realmstore and retrieve private keys on the KDC. The PKINIT specification may also be used forcross-realm authentication. This memo describes a method by which the first of these can be done. The second case will be the topic fordirect peer to peer authentication without contacting aseparate proposal. Somecentral KDC. This application ofthe ideas on which this proposalPKINIT is described in PKTAPP [4] and is basedarose during discussions over several years between members of the SAAG,on concepts introduced in [5, 6]. For direct client-to-server authentication, theIETF-CAT working group, andclient uses PKINIT to authenticate to thePSRG, regarding integrationend server (instead ofKerberos and SPX. Some ideas are drawn from the DASS system, and similar extensions have been discusseda central KDC), which then issues a ticket foruse in DCE. These changes are by no means endorsed by these groups.itself. Thisisapproach has anattempt to revive some of the goals ofadvantage over SSL [7] in thatgroup, and the proposal approaches those goals primarily fromthe server does not need to save state (cache session keys). Furthermore, an additional benefit is that Kerberosperspective.tickets can facilitate delegation (see [8]). 3.Initial authentication of users with public keysProposed Extensions This section describestheextensions toVersion 5 of the Kerberos protocol that will supportRFC 1510 for supporting the use of public key cryptographyby usersin the initial request for a ticket grantingticket. Roughly speaking,ticket (TGT). In summary, the following changes to RFC 1510 are proposed: --> Userscan initiallymay authenticate using either a public key pair orconventional (symmetric key) cryptography. AfteraKDC compromise, the KDC replies with an error message that informs the client of the new KDC public backupconventional (symmetric) key.Users must authenticate usingIf public key cryptographyin response to the error message. If applicable, the client generates the new user secret key at this point as well. Public key initial authenticationisperformed using either the RSA encryption or Diffie Hellmanused, public keyalgorithms. Theredata isalso an option to allow the usertransported in preauthentication data fields to help establish identity. --> Users may storehis/herprivatekey encrypted in the user password inkeys on the KDCdatabase; this option solves the problem of transporting the user private key to different workstations. The combination of this option and the provision for conventional symmetric key authentication allows organizations to smoothly migrate to public key cryptography. This proposal will allow users either to use keys registered directly with the KDC, or to use keys already registered for use with X.509, PEM, or PGP, to obtain Kerberos credentials. These credentials can then be used, as before, with application servers supporting Kerberos. Use of public key cryptography will not be a requirementforKerberos, but if one's organization runs a KDC supporting public key, then users may choose to be registered with a public key pair, instead of or in addition to the current secret key. The application request and response between Kerberos clients and application servers will continue to be based on conventional cryptography, or will be converted to use user-to-user authentication. There are performance issues and other reasons that servers may be better off using conventional cryptography. For this proposal, we feel that 80 percent of the benefits of integrating public key withretrieval during Kerberoscan be attained for 20 percent of the effort, by addressing onlyinitial authentication. This proposaldoes not preclude separate extensions. With these changes, users will be able to register public keys, only in realms that support public key, but they will still be able to perform initial authentication from a client that does not support public key. They will be able to use services registered in any realm. Furthermore, users registered with conventional keys will be able to use any client. This proposaladdressesthreetwo waysin whichthat users may use public key cryptography for initialauthentication with Kerberos, with minimal change to the existing protocol.authentication. Users mayregister keys directly with the KDC,present public key certificates, or they maypresent certificates by outside certification authorities (or certificationsgenerate their own session key, signed byother users) attesting to the association of the public key with the named user.their digital signature key. Inboth cases,either case, the end result is that the user obtainsa conventional ticket granting ticket or conventional server ticketan ordinary TGT that may be used for subsequent authentication, with suchsubsequentauthentication using only conventional cryptography.Additionally, users may also register a digital signature verification key withSection 3.1 provides definitions to help specify message formats. Section 3.2 and 3.3 describe theKDC. We provide this optionextensions for thelicensing benefits, as well as a simpler variant of thetwo initial authenticationexchange. However, this option relies onmethods. Section 3.3 describes a way for theclientuser togenerate random keys. We first consider the case where the user'sstore and retrieve his private keyis registered withon the KDC.3.13.1. DefinitionsBefore we proceed, we will lay some groundwork definitions for encryptionHash andsignatures. Weencryption types will be specified using ENCTYPE tags; we propose thefollowing definitionsaddition ofsignature and encryption modes (and their corresponding values onthewire):following types: #defineENCTYPE_SIGN_MD5_RSAENCTYPE_SIGN_DSA_GENERATE 0x0011 #define ENCTYPE_SIGN_DSA_VERIFY 0x0012 #define ENCTYPE_ENCRYPT_RSA_PRIV 0x0021 #define ENCTYPE_ENCRYPT_RSA_PUB 0x0022 allowing furthermodessignature types to be defined in the range 0x0011 through 0x001f, and further encryption types to be definedaccordingly.in the range 0x0021 through 0x002f. The extensions involve new preauthentication fields. The preauthentication data types are in the range 17 through 21. These values are also specified along with their corresponding ASN.1 definition. #define PA-PK-AS-REQ 17 #define PA-PK-AS-REP 18 #define PA-PK-AS-SIGN 19 #define PA-PK-KEY-REQ 20 #define PA-PK-KEY-REP 21 The extensions also involve new error types. The new error types are in the range 227 through 229. They are: #define KDC_ERROR_CLIENT_NOT_TRUSTED 227 #define KDC_ERROR_KDC_NOT_TRUSTED 228 #define KDC_ERROR_INVALID_SIG 229 In the exposition below, wewilluse thenotation E (T, K) to denote thefollowing terms: encryption key, decryption key, signature key, verification key. It should be understood that encryption and verification keys are essentially public keys, and decryption and signature keys are essentially private keys. The fact that they are logically distinct does not preclude the assignment ofdata T, with key (or parameters) K. If E is ENCTYPE_SIGN_MD5_RSA, then E (T, K) = {T, RSAEncryptPrivate (MD5Hash (T), K)} If E is ENCTYPE_ENCRYPT_RSA_PRIV, then E (T, K) = RSAEncryptPrivate (T, K) Correspondingly, if Ebitwise identical keys. 3.2. Standard Public Key Authentication Implementation of the changes in this section isENCTYPE_ENCRYPT_RSA_PUB, then E (T, K) = RSAEncryptPublic (T, K) 3.2 Initial requestREQUIRED foruser registeredcompliance withpublic key on KDC In this scenario itpk-init. It is assumed thatthe user is registered with aall publickey on the KDC. The user's private key may be heldkeys are signed bythe user, or it may be stored on the KDC, encrypted sosome certification authority (CA). The initial authentication request is sent as per RFC 1510, except thatit cannot be useda preauthentication field containing data signed by theKDC. 3.2.1 User's privateuser's signature keyis stored locally Implementation ofaccompanies thechanges in this section is REQUIRED. In this section, we presentrequest: PA-PK-AS-REQ ::- SEQUENCE { -- PA TYPE 17 signedPKAuth [0] SignedPKAuthenticator, userCert [1] SEQUENCE OF Certificate OPTIONAL, -- thebasic Kerberos V5 pk-init protocoluser's certificate -- optionally followed by that -- certificate's certifier chain trustedCertifiers [2] SEQUENCE OF PrincipalName OPTIONAL -- CAs thatall conforming implementations must support. The key features of the protocol are: (1) easy, automatic (for the clients) recovery after a KDC compromise, (2) the ability for a realm to support a mix of old and new Kerberos V5 clients withthenew clients being a mixclient trusts } SignedPKAuthenticator ::= SEQUENCE { pkAuth [0] PKAuthenticator, pkAuthSig [1] Signature, -- ofboth public key and symmetricpkAuth -- using user's signature keyconfigured clients, and (3) support} PKAuthenticator ::= SEQUENCE { cusec [0] INTEGER, -- for replay prevention ctime [1] KerberosTime, -- for replay prevention nonce [2] INTEGER, -- binds response to this request kdcName [3] PrincipalName, clientPubValue [4] SubjectPublicKeyInfo OPTIONAL, -- for Diffie-Hellman(DH) key exchange as well as RSA public key encryption. The benefitalgorithm } Signature ::= SEQUENCE { signedHash [0] EncryptedData -- ofhaving new clients being able to use either symmetric key or publictype Checksum -- encrypted under signature keyinitial authentication is that it allows an organization to roll out the new clients} Checksum ::= SEQUENCE { cksumtype [0] INTEGER, checksum [1] OCTET STRING } -- asrapidlyspecified by RFC 1510 SubjectPublicKeyInfo ::= SEQUENCE { algorithm [0] algorithmIdentifier, subjectPublicKey [1] BIT STRING } -- aspossible without having to be concerned about the need to purchase additional hardware to support the CPU intensive public key cryptographic operations. In order to give a brief overview of the four protocols in this section, we now give diagrams of the protocols. We denote encryption of message M with key Kspecified by{M}K andthesignatureX.509 recommendation [9] Certificate ::= SEQUENCE { CertType [0] INTEGER, -- type ofmessage M with key K by [M]K. All messages from the KDC to the client are AS_REP messages unless denoted otherwise; similarly, all messages from the client to the KDC are AS_REQ messages unless denoted otherwise. Since only the padata fields are affected by this specification in the AS_REQ and AS_REP messages, we do not show the other fields. We first show the RSA encryption option in normal mode: certifier list, [cksum, time, nonce, kdcRealm, kdcName]User PrivateKey C ------------------------------------------------------> KDC list of cert's, {[encReplyKey, nonce]KDC privkey} EncReplyTmpKey, {EncReplyTmpKey}Userpubkey C <------------------------------------------------------ KDC We now show RSA encryption in recovery mode: certifier list, [cksum, time, nonce, kdcRealm, kdcName]User PrivateKey C ------------------------------------------------------> KDC KRB_ERROR (error code KDC_RECOVERY_NEEDED) error data: [nonce, algID (RSA), KDC PublicKey Kvno and PublicKey, KDC Salt] Signed with KDC PrivateKey C <------------------------------------------------------ KDC certifier list, [cksum, time, nonce, kdcRealm, kdcName, {newUserSymmKey, nonce}KDC public key]User PrivateKey C ------------------------------------------------------> KDC list of cert's, {[encReplyKey, nonce]KDC privkey} EncReplyTmpKey, {EncReplyTmpKey}Userpubkey C <------------------------------------------------------ KDC Next, we show Diffie Hellman in normal mode: certifier list, [cksum, time, nonce, kdcRealm, kdcName, User DH public parameter]User PrivateKey C ------------------------------------------------------> KDC list of cert's, {encReplyKey, nonce}DH shared symmetric key, [KDC DH public parameter]KDC Private Key C <------------------------------------------------------ KDC Finally, we show Diffie Hellman in recovery mode: certifier list, [cksum, time, nonce, kdcRealm, kdcName, User DH public parameter]User PrivateKey C ------------------------------------------------------> KDC KRB_ERROR (error code KDC_RECOVERY_NEEDED) error data: [nonce, algID (DH), KDC DH public parameter, KDC DH ID, KDC PublicKey Kvno and PublicKey, KDC Salt] Signed with KDC PrivateKey C <------------------------------------------------------ KDC certifier list, [cksum, time, nonce, kdcRealm, kdcName, User DH public parameter, {newUserSymmKey, nonce}DH shared key, KDC DH ID]User PrivateKey C ------------------------------------------------------> KDC list of cert's, {encReplyKey, nonce}DH shared symmetric key C <------------------------------------------------------ KDC If the user stores his private key locally, the initial request to the KDC for a ticket granting ticket proceeds according to RFC 1510, except that a preauthentication field containing a nonce signed by the user's private key is included. The preauthentication field may also include a list of the root certifiers trusted by the user. PA-PK-AS-ROOT ::= SEQUENCE { rootCert[0] SEQUENCE OF OCTET STRING, signedAuth[1] SignedPKAuthenticator } SignedPKAuthenticator ::= SEQUENCE { authent[0] PKAuthenticator, authentSig[1] Signature } PKAuthenticator ::= SEQUENCE { cksum[0] Checksum OPTIONAL, cusec[1] INTEGER, ctime[2] KerberosTime, nonce[3] INTEGER, kdcRealm[4] Realm, kdcName[5] PrincipalName, clientPubValue[6] SubjectPublicKeyInfo OPTIONAL, -- DH algorithm recoveryData[7] RecoveryData OPTIONAL -- Recovery Alg. } RecoveryData ::= SEQUENCE { clientRecovData[0] ClientRecovData, kdcPubValueId[1] INTEGER OPTIONAL -- DH algorithm, copied -- from KDC response } ClientRecovData ::= CHOICE { newPrincKey[0] EncryptedData, -- EncPaPkAsRoot -- encrypted with -- either KDC -- public key or -- DH shared key recovDoneFlag[1] INTEGER -- let KDC know that -- recovery is done -- when user uses a -- mix of clients or -- does not want to -- keep a symmetric -- key in the database } EncPaPkAsRoot ::= SEQUENCE { newSymmKey[0] EncryptionKey -- the principal's newcertificate --symmetric key nonce[1] INTEGER1 = X.509v3 (DER encoding) --the same nonce as -- the one in the -- PKAuthenticator } Signature ::= SEQUENCE { sigType[0] INTEGER, kvno[1] INTEGER OPTIONAL, sigHash[2]2 = PGP (per PGP draft) CertData [1] OCTETSTRING } Notationally, sigHash is then sigType (authent, userPrivateKey) where userPrivateKey is the user's private key (corresponding to the public key held in the user's database record). Valid sigTypes are thus far limited to the above-listed ENCTYPE_SIGN_MD5_RSA; we expect that other types may be listed (and given on-the-wire values between 0x0011 and 0x001f). The format of each certificate depends on the particular service used. (Alternatively, the KDC could send, with its reply, a sequence of certifications (see below), but since the KDC is likely to have more certifications than users have trusted root certifiers, we have chosen the first method.) In the event that the client believes it already possesses the current public key of the KDC, a zero-length root-cert field is sent. The fields in the signed authenticator are the same as those in the Kerberos authenticator; in addition, we include a client-generated nonce, and the name of the KDC. The structure is itself signed using the user's private key corresponding to the public key registered with the KDC. We include the newSymmKey field so clients can generate a new symmetric key (for users, this key is based on a password and a salt value generated by the KDC) and confidentially send this key to the KDC during the recovery phase. We now describe the recovery phase of the protocol. There is a bit associated with each principal in the database indicating whether recovery for that principal is necessary. After a KDC compromise, the KDC software is reloaded from backup media and a new backup KDC public/private pair is generated. The public half of this pair is then either made available to the KDC, or given to the appropriate certification authorities for certification. The private half is not made available to the KDC until after the next compromise clean-up. If clients are maintaining a copy of the KDC public key, they also have a copy of the backup public key. After the reload of KDC software, the bits associated with recovery of each principal are all set. The KDC clears the bit for each principal that undergoes the recovery phase. In addition, there is a bit associated with each principal to indicate whether there is a valid symmetric key in the database for the principal. These bits are all cleared after the reload of the KDC software (the old symmetric keys are no longer valid). Finally, there is a bit associated with each principal indicating whether that principal still uses non-public key capable clients. If a user principal falls into this category, a public key capable client cannot transparently re-establish a symmetric key for that user, since the older clients would not be able to compute the new symmetric key that includes hashing the password with a KDC supplied salt value. The re-establishment of the symmetric key in this case is outside the scope of this protocol. One method of re-establishing a symmetric key for public key capable clients is to generate a hash of the user password and a KDC supplied salt value. The KDC salt is changed after every compromise of the KDC. In the recovery protocol, if the principal does not still use old clients, the KDC supplied salt is sent to the client principal in a KRB_ERROR message with error code KDC_RECOVERY_NEEDED. The error data field of the message contains the following structure which is encoded into an octet string. PA-PK-KDC-ERR ::= CHOICE { recoveryDhErr SignedDHError, -- Used during recovery -- when algorithm is DH -- based recoveryPKEncErr SignedPKEncError -- Used during recovery -- for PK encryption -- (RSA,...) } SignedDHError ::= SEQUENCE { dhErr DHError, dhErrSig Signature } SignedPKEncError ::= SEQUENCE { pkEncErr PKEncryptError, pkEncErrSig Signature } DHError ::= SEQUENCE { nonce INTEGER, -- From AS_REQ algorithmId INTEGER, -- DH algorithm kdcPubValue SubjectPublicKeyInfo, -- DH algorithm kdcPubValueId INTEGER, -- DH algorithm kdcPublicKeyKvno INTEGER OPTIONAL, -- New KDC public -- key kvno kdcPublicKey OCTET STRING OPTIONAL, -- New KDC pubkey kdcSalt OCTET STRING OPTIONAL -- If user uses -- only new -- clients } PKEncryptError ::= SEQUENCE { nonce INTEGER, -- From AS_REQ algorithmId INTEGER, -- Public Key -- encryption alg kdcPublicKeyKvno INTEGER OPTIONAL, -- New KDC public -- key kvno kdcPublicKey OCTET STRING OPTIONAL, -- New KDC public -- key kdcSalt OCTET STRING OPTIONAL -- If user uses -- only new -- clients } The KDC_RECOVERY_NEEDED error message is sent in response to a client AS_REQ message if the client principal needs to be recovered, unless the client AS_REQ contains the PKAuthenticator with a nonempty RecoveryData field (in this case the client has already received the KDC_RECOVERY_NEEDED error message. We will also see in section 3.2.2 that a different error response is sent by the KDC if the encrypted user private key is stored in the KDC database.) If the client principal uses only new clients, then the kdcSalt field is returned; otherwise, the kdcSalt field is absent. If the client uses the Diffie Hellman algorithm during the recovery phase then the DHError field contains the public Diffie Hellman parameter (kdcPubValue) for the KDC along with an identifier (kdcPubValueID). The client will then send this identifier to the KDC in an AS_REQ message; the identifier allows the KDC to look up the Diffie Hellman private value corresponding to the identifier. Depending on how often the KDC updates its private Diffie Hellman parameters, it will have to store anywhere between a handful and several dozen of these identifiers and their parameters. The KDC must send its Diffie Hellman public value to the client first so the client can encrypt its new symmetric key. In the case where the user principal does not need to be recovered and the user still uses old clients as well as new clients, the KDC_ERR_NULL_KEY error is sent in response to symmetric AS_REQ messages when there is no valid symmetric key in the KDC database. This situation can occur if the user principal has been recovered but no new symmetric key has been established in the database. In addition, the two error messages with error codes KDC_ERR_PREAUTH_FAILED and KDC_ERR_PREAUTH_REQUIRED are modified so the error data contains the kdcSalt encoded as an OCTET STRING. The reason for the modification is to allow principals that use new clients only to have their symmetric key transparently updated by the client software during the recovery phase. The kdcSalt is used to create the new symmetric key. As a performance optimization, the kdcSalt is stored in the /krb5/salt file along with the realm. Thus the /krb5/salt file consists of realm-salt pairs. If the file is missing, or the salt is not correct, the above error messages allow the client to find out the correct salt. New clients which are configured for symmetric key authentication attempt to preauthenticate with the salt from the /krb5/salt file as an input into their key, and if the file is not present, the new client does not use preauthentication. The error messages above return either the correct salt to use, or no salt at all which indicates that the principal is still using old clients (the client software should use the existing mapping from the user password to the symmetric key). In order to assure interoperability between clients from different vendors and organizations, a standard algorithm is needed for creating the symmetric key from the principal password and kdcSalt. The algorithm for creating the symmetric key is as follows: take the SHA-1 hash of the kdcSalt concatenated with the principal password and use the 20 byte output as the input into the existing key generation process (string to key function). After a compromise, the KDC changes the kdcSalt; thus, the recovery algorithm allows users to obtain a new symmetric key without actually changing their password. The response from the KDC would be identical to the response in RFC 1510, except that instead of being encrypted in the secret key shared by the client and the KDC, it is encrypted in a random key freshly generated by the KDC (of type ENCTYPE_ENC_CBC_CRC). A preauthentication field (specified below) accompanies the response, optionally containing a certificate with the public key for the KDC (since we do not assume that the client knows this public key), and a package containing the secret key in which the rest of the response is encrypted, along with the same nonce used in the rest of the response, in order to prevent replays. This package is itself signed with the private key of the KDC, then encrypted with the symmetric key that is returned encrypted in the public key of the user (or for Diffie Hellman, encrypted in the shared secret Diffie Hellman symmetric key). Pictorially, in the public key encryption case we have: kdcCert, {[encReplyKey, nonce] Sig w/KDC privkey}EncReplyTmpKey, {EncReplyTmpKey}Userpubkey Pictorially, in the Diffie Hellman case we have: kdcCert, {encReplyKey, nonce}DH shared symmetric key, [DH public value]Sig w/KDC privkey PA-PK-AS-REP ::= SEQUENCE { kdcCert[0] SEQUENCE OF Certificate, encryptShell[1] EncryptedData, -- EncPaPkAsRepPartShell -- encrypted by -- encReplyTmpKey or DH -- shared symmetric key pubKeyExchange[2] PubKeyExchange OPTIONAL, -- a choice between -- a KDC signed DH -- value and a public -- key encrypted -- symmetric key. -- Not needed after -- recovery when -- DH is used. } PubKeyExchange ::= CHOICE { signedDHPubVal SignedDHPublicValue, encryptKey EncryptedData -- EncPaPkAsRepTmpKey -- encrypted by -- userPublicKey } SignedDHPublicValue ::= SEQUENCE { dhPublic[0] SubjectPublicKeyInfo, dhPublicSig[1] Signature } EncPaPkAsRepPartShell ::= SEQUENCE { encReplyPart[0] EncPaPkAsRepPart, encReplyPartSig[1] Signature OPTIONAL -- encReplyPart -- signed by kdcPrivateKey -- except not present in -- DH case } EncPaPkAsRepPart ::= SEQUENCE { encReplyKey[0] EncryptionKey, nonce[1] INTEGER, } EncPaPkAsRepTmpKey ::= SEQUENCE { encReplyTmpKey[0] EncryptionKey } The kdc-cert specification is lifted, with slight modifications, from v3 of the X.509 certificate specification: Certificate ::= SEQUENCE { version[0] Version DEFAULT v1 (1), serialNumber[1] CertificateSerialNumber, signature[2] AlgorithmIdentifier, issuer[3] PrincipalName, validity[4] Validity, subjectRealm[5] Realm, subject[6] PrincipalName, subjectPublicKeyInfo[7] SubjectPublicKeyInfo, issuerUniqueID[8] IMPLICIT UniqueIdentifier OPTIONAL, subjectUniqueID[9] IMPLICIT UniqueIdentifier OPTIONAL, authentSig[10] Signature } The kdc-cert must have as its root certification one of the certifiers sent to the KDC with the original request. If the KDC has no such certification, then it will instead reply with a KRB_ERROR of type KDC_ERROR_PREAUTH_FAILED. If a zero-length root-cert was sent by the client as part of the PA-PK-AS-ROOT, then a correspondingly zero-length kdc-cert may be absent, in which case the client uses its copy of the KDC's public key. In the case of recovery, the client uses its copy of the backup KDC public key. Upon receipt of the response from the KDC, the client will verify the public key for the KDC from PA-PK-AS-REP preauthentication data field. The certificate must certify the key as belonging to a principal whose name can be derived from the realm name. If the certificate checks out, the client then decrypts the EncPaPkAsRepPart and verifies the signature of the KDC. It then uses the random key contained therein to decrypt the rest of the response, and continues as per RFC 1510. Because there is direct trust between the user and the KDC, the transited field of the ticket returned by the KDC should remain empty. (Cf. Section 3.3.) Examples We now give several examples illustrating the protocols in this section. Encryption of message M with key K is denoted {M}K and the signature of message M with key K is denoted [M]K. Example 1: The requesting user principal needs to be recovered and uses only new clients. The recovery algorithm is Diffie Hellman (DH). Then the exchange sequence between the user principal and the KDC is: Client --------> AS_REQ (with or without preauth) --------> KDC Client <--- KRB_ERROR (error code KDC_RECOVERY_NEEDED) <--- KDC error data: [nonce, algID (DH), KDC DH public parameter, KDC DH ID, KDC PublicKey Kvno and PublicKey, KDC Salt]Signed with KDC PrivateKey At this point, the client validates the KDC signature, checks to see if the nonce is the same as the one in the AS_REQ, and stores the new KDC public key and public key version number. The client then generates a Diffie Hellman private parameter and computes the corresponding Diffie Hellman public parameter; the client also computes the shared Diffie Hellman symmetric key using the KDC Diffie Hellman public parameter and its own Diffie Hellman private parameter. Next, the client prompts the user for his/her password (if it does not already have the password). The password is concatenated with the KDC Salt and then SHA1 hashed; the result is fed into the string to key function to obtain the new user DES key. The new user DES key will be encrypted (along with the AS_REQ nonce) using the Diffie Hellman symmetric key and sent to the KDC in the new AS_REQ message: Client -> AS_REQ with preauth: rootCert, [PKAuthenticator with user DH public parameter, {newUser DES key, nonce}DH symmetric key, KDC DH ID]Signed with User PrivateKey -> KDC The KDC DH ID is copied by the client from the KDC_ERROR message received above. Upon receipt and validation of this message, the KDC first uses the KDC DH ID as an index to locate its private Diffie Hellman parameter; it uses this parameter in combination with the user public Diffie Hellman parameter to compute the symmetric Diffie Hellman key. The KDC checks if the encrypted nonce is the same as the one in the PKAuthenticator and the AS_REQ part. The KDC then enters the new user DES key into the database, resets the recovery needed bit, and sets the valid symmetric key in database bit. The KDC then creates the AS_REP message: Client <-- AS_REP with preauth: kdcCert, {encReplyKey, nonce}DH symmetric key <-------------------- KDC The AS_REP encrypted part is encrypted with the encReplyKey that is generated on the KDC. The nonces are copied from the client AS_REQ. The kdcCert is a sequence of certificates that have been certified by certifiers listed in the client rootCert field, unless a zero length rootCert field was sent. In the last case, the kdcCert will also have zero length. 3.2.2. Private key held by KDC Implementation of the changes in this section is RECOMMENDED. When the user's private key is not carried with the user, the user may encrypt the private key using conventional cryptography, and register the encrypted private key with the KDC. As described in the previous section, the SHA1 hash of the password concatenated with the kdcSalt is also stored in the KDC database if the user only uses new clients. We restrict users of this protocol to using new clients only. The reason for this restriction is that it is not secure to store both the user private key encrypted in the user's password and the user password on the KDC simultaneously. There are several options for storing private keys.STRING -- actual certificate -- type determined by CertType } Note: If theuser stores their private key on a removable disk,signature uses RSA keys, then it isless convenient since they needtoalways carrybe performed as per PKCS #1. The PKAuthenticator carries information to foil replay attacks, to bind thedisk around with them; in addition,request and response, and to optionally pass theproceduresclient's Diffie-Hellman public value (i.e. forextractingusing DSA in combination with Diffie-Hellman). The PKAuthenticator is signed with the private keymay vary between different operating systems. Alternatively,corresponding to theuser can store a privatepublic keyonin thehard disks of systems that he/she uses; besides limitingcertificate found in userCert (or cached by thesystems thatKDC). In theuser can login from there is also a greater security risk toPKAuthenticator, theprivate key. If smart card readers or slots are deployed in an organization, thenclient may specify theuser can store his/her private key onKDC name in one of two ways: 1) asmart card. Finally,Kerberos principal name, or 2) theuser can store his/her private key encryptedname in the KDC's certificate (e.g., an X.500 name, or apassword onPGP name). Note that case #1 requires that theKDC. This last option is probablycertificate name and themost practical option currently; itKerberos principal name be bound together (e.g., via an X.509v3 extension). The userCert field isimportant thatagood password policysequence of certificates, the first of which must beused. Whenthe user'sprivatepublic keyis stored oncertificate. Any subsequent certificates will be certificates of theKDC, preauthentication is required. There are two cases depending on whethercertifiers of therequesting user principal needs touser's certificate. These cerificates may berecovered. In order to obtain its private key, a user principal includesused by thepadata type PA-PK-AS-REQ inKDC to verify thepreauthentication datauser's public key. This fieldofis empty if theAS_REQ message.KDC already has the user's certifcate. Theaccompanying pa-datatrustedCertifiers fieldis: PA-PK-AS-REQ ::= SEQUENCE { algorithmId[0] INTEGER, -- Public Key Alg. encClientPubVal[1] EncryptedData -- EncPaPkAsReqDH -- (encrypted with key -- K1) } EncPaPkAsReqDH ::= SEQUENCE { clientPubValue[0] SubjectPublicKeyInfo } Pictorially, PA-PK-AS-REQ is algorithmID, {clientPubValue}K1. The user principal sends its Diffie-Hellman public value encryptedcontains a list of certification authorities trusted by the client, in thekey K1. The key K1 is derived by performing string to key oncase that theSHA1 hashclient does not possess the KDC's public key certificate. Upon receipt of theuser password concatenatedAS_REQ with PA-PK-AS-REQ pre-authentication type, thekdcSalt which is stored in the /krb5/salt file. If the file is absent,KDC attempts to verify theconcatenation stepuser's certificate chain (userCert), if one isskippedprovided in theabove algorithm. The Diffie Hellman parameters g and p are impliedrequest. This is done by verifying thealgorithmID field. By choosing g and p correctly, dictionary attackscertification path against thekey K1 canKDC's policy of legitimate certifiers. This may be based on a certification hierarchy, or it may bemade more difficult [Jaspan].simply a list of recognized certifiers in a system like PGP. If therequesting user principal needs recovery,certification path does not match one of theencrypted user private key is stored inKDC's trusted certifiers, the KDCdatabase,sends back an error message of type KDC_ERROR_CLIENT_NOT_TRUSTED, and it includes in theAS_REQ RecoveryDataerror data field a list of its own trusted certifiers, upon which the client resends the request. If trustedCertifiers isnot presentprovided in thePKAuthenticator, thenPA-PK-AS-REQ, the KDCreplies withverifies that it has aKRB_ERROR message, with msg-type set to KDC_ERR_PREAUTH_REQUIRED, and e-data set to: PA-PK-AS-INFO ::= SEQUENCE { signedDHErr SignedDHError, -- signedcertificate issued byKDC encUserKey OCTET STRING OPTIONAL -- encryptedone of the certifiers trusted by-- user password -- key; (recovery -- response) } The user principal should then continue withthesection 3.2.1.1 protocol usingclient. If it does not have a suitable certificate, theDiffie Hellman algorithm. We now assumeKDC returns an error message of type KDC_ERROR_KDC_NOT_TRUSTED to the client. If a trust relationship exists, the KDC then verifies the client's signature on PKAuthenticator. If that fails, therequesting user principal does not need recovery. Upon receiptKDC returns an error message of type KDC_ERROR_INVALID_SIG. Otherwise, theauthentication request withKDC uses thePA-PK-AS-REQ,timestamp in the PKAuthenticator to assure that the request is not a replay. The KDCgeneratesalso verifies that its name is specified in PKAuthenticator. Assuming no errors, theAS responseKDC replies asdefined inper RFC 1510, except that it encrypts the reply not with the user's key, butadditionally includeswith a random key generated only for this particular response. This random key is sealed in the preauthenticationfield of type PA-PK-USER-KEY. PA-PK-USER-KEYfield: PA-PK-AS-REP ::= SEQUENCE { -- PA TYPE 18 kdcCert [0] SEQUENCE OFCertificate, encUserKeyPart EncryptedData,Certificate OPTIONAL, --EncPaPkUserKeyPart kdcPrivKey KDCPrivKey, kdcPrivKeySig Signature } The kdc-cert field is identical tothe KDC's certificate -- optionally followed by thatin-- certificate's certifier chain encPaReply [1] EncryptedData, -- of type PaReply -- using either thePA-PK-AS-REP preauthentication data field returned withclient public -- key or theKDC response, and must be validated as belongingDiffie-Hellman key -- specified by SignedDHPublicValue signedDHPublicValue [2] SignedDHPublicValue OPTIONAL } PaReply ::= SEQUENCE { replyEncKeyPack [0] ReplyEncKeyPack, replyEncKeyPackSig [1] Signature, -- of replyEncKeyPack -- using KDC's signature key } ReplyEncKeyPack ::= SEQUENCE { replyEncKey [0] EncryptionKey, -- used to encrypt main reply nonce [1] INTEGER -- binds response to theKDCrequest -- passed in thesame manner. KDCPrivKeyPKAuthenticator } SignedDHPublicValue ::= SEQUENCE {nonce INTEGER, -- From AS_REQ algorithmId INTEGER, -- DH algorithm kdcPubValuedhPublicValue [0] SubjectPublicKeyInfo, dhPublicValueSig [1] Signature --DH algorithm kdcSalt OCTET STRING -- Since user -- uses only newof dhPublicValue --clientsusing KDC's signature key } TheKDCPrivKeykdcCert field issigned usinga sequence of certificates, theKDC private key. The encrypted partfirst of which must have as its root certifier one of theAS_REP message is encrypted usingcertifiers sent to theDiffie Hellman derived symmetric key, as isKDC in theEncPaPkUserKeyPart. EncPaPkUserKeyPart ::= SEQUENCE { encUserKey OCTET STRING, nonce INTEGER -- From AS_REQ } Notationally, if encryption algorithm A is used, then enc-key-part is A ({encUserKey, nonce}, Diffie-Hellman-symmetric-key). IfPA-PK-AS-REQ. Any subsequent certificates will be certificates of theclient has used an incorrect kdcSalt to computecertifiers of thekey K1, thenKDC's certificate. These cerificates may be used by the clientneedstoresubmit the above AS_REQ message using the correct kdcSalt field fromverify theKDCPrivKey field.KDC's public key. Thismessage containsfield is empty if theencrypted private key that has been registered withclient did not send to the KDCby the user, as encrypted by the user, super-encrypted witha list of trusted certifiers (the trustedCertifiers field was empty). Since each certifier in theDiffie Hellman derived symmetric key. Because therecertification path of a user's certificate isdirect trust between the user andessentially a separate realm, theKDC,name of each certifier shall be added to the transited field of theticket returned by the KDC should remain empty. (Cf. Section 3.3.) Examples We now give several examples illustratingticket. The format of these realm names shall follow theprotocolsnaming constraints set forth in RFC 1510 (sections 7.1 and 3.3.3.1). Note that thissection. Example 1: The requesting user principal needswill require new nametypes to berecovered and stores his/her encrypted private key on the KDC. Then the exchange sequence between the user principaldefined for PGP certifiers and other types of realms as they arise. The KDC's certificate must bind theKDC is: Client --------> AS_REQ (with or without preauth) -----> KDC Client <--- KRB_ERROR (error code KDC_ERR_PREAUTH_REQUIRED) error data: [nonce, algID (DH), KDC DHpublicparameter, KDC DH ID, KDC PublicKey Kvno and PublicKey, KDC Salt]Signed with KDC PrivateKey, {user private key}user password <------------- KDC The protocol now continues withkey to a name derivable from thesecond AS_REQ as in Example 1name ofsection 3.2.1.1. Example 2: The requesting user principal does not need to be recovered and stores his/her encrypted private key onthe realm for that KDC.Then the exchange sequence between the user principal and the KDC whenThe client then extracts theuser principal wantsrandom key used toobtain his/her privateencrypt the main reply. This random keyis: Client -> AS_REQ(in encPaReply) is encrypted withpreauth: algID, {DHeither the client's publicparameter}K1 -> KDC ThekeyK1 is generated by using the string toor with a keyfunction on the SHA1 hash ofderived from thepassword concatenated withDH values exchanged between thekdcSalt fromclient and the/krb5/salt file. IfKDC. 3.3. Digital Signature Implementation of thefile is absent, thenchanges in this section are OPTIONAL for compliance with pk-init. We offer this option with theconcatenation step is skipped, andwarning that it requires the clientwill learnto generate a random key; thecorrect kdcSalt inclient may not be able to guarantee thefollowing AS_REP message fromsame level of randomness as the KDC.The algID should indicate some type of Diffie Hellman algorithm. The KDC replies withIf theAS_REP message withuser registered apreauthentication data field: Client <-- AS_REPdigital signature key withpreauth: kdcCert, {encUserKey, <--the KDCnonce}DH symmetricinstead of an encryption key,[nonce, algID, DH public parameter, kdcSalt]KDC privateKeythen a separate exchange must be used. The clientvalidates the KDC's signature and checkssends a request for a TGT as usual, except thatthe nonce matches the nonce in its AS_REQ message. If the kdcSalt does not match what the client used,itstarts(rather than theprotocol over. The client then usesKDC) generates theKDC Diffie Hellman public parameter along with its own Diffie Hellman private parameterrandom key that will be used tocomputeencrypt theDiffie Hellman symmetric key.KDC response. This key isusedsent todecrypttheencUserKey field;KDC along with theclient checks ifrequest in a preauthentication field: PA-PK-AS-SIGN ::= SEQUENCE { -- PA TYPE 19 encSignedKeyPack [0] EncryptedData -- of SignedKeyPack -- using the KDC's public key } SignedKeyPack ::= SEQUENCE { signedKey [0] KeyPack, signedKeyAuth [1] PKAuthenticator, signedKeySig [2] Signature -- of signedKey.signedKeyAuth -- using user's signature key } KeyPack ::= SEQUENCE { randomKey [0] EncryptionKey, -- will be used to encrypt reply noncematches its AS_REQ nonce. At this point,[1] INTEGER } where theinitial authentication protocolnonce iscomplete. Example 3: The requesting user principal does not need to be recovered and stores his/her encrypted private key oncopied from theKDC. In this example,request. Upon receipt of theuser principal usesPA-PK-AS-SIGN, theconventional symmetric key Kerberos V5 initial authentication protocol exchange. We note thatKDC decrypts then verifies theconventional protocol exposesrandomKey. It then replies as per RFC 1510, except that the reply is encrypted not with a password-derived userpassword to dictionary attacks; therefore,key, but with theuser password must be changed more often. An example of whenrandomKey sent in the request. Since the client already knows thisprotocol would be usedkey, there iswhen new clients have been installed but an organization has not phased in public key authentication for all clients dueno need toperformance concerns. Client ----> AS_REQaccompany the reply withpreauthentication: {time}K1 --> KDC Client <-------------------- AS_REP <------------------ KDCan extra preauthentication field. Thekey K1 is derivedtransited field of the ticket should specify the certification path as described in Section 3.2. 3.4. Retrieving thepreceding two examples. 3.3. Clients with a public key certified by an outside authorityPrivate Key From the KDC Implementation of the changes in this section isOPTIONAL. In the case whereRECOMMENDED for compliance with pk-init. When theclientuser's private key is notregistered with the current KDC,stored local to theclient is responsible for obtaininguser, he may choose to store the private key (normally encrypted using a password-derived key) onits own. The client will request initial tickets fromtheKDC usingKDC. We provide this option to present theTGS exchange, but instead of performing preauthentication using a Kerberos ticket granting ticket, oruser with an alternative to storing thePA-PK-AS-REQ that is used when the publicprivate keyis knownon local disk at each machine where he expects tothe KDC, the client performs preauthenticationauthenticate himself using pk-init. It should be noted that it replaces thepreauthentication data fieldadded risk oftype PA-PK-AS-EXT-CERT: PA-PK-AS-EXT-CERT ::= SEQUENCE { userCert[0] SEQUENCE OF OCTET STRING, signedAuth[1] SignedPKAuthenticator } where the user-cert specification depends on the typelong-term storage ofcertificate that the user possesses. In cases wheretheservice has separateprivate keypairs for digital signature and for encryption, we recommend that the signature keys be used foron possibly many workstations with thepurposesadded risk ofsending the preauthentication (and deciphering the response). The authenticator is the one used from the exchange in section 3.2.1, except that it is signed usingstoring the private keycorresponding to the public key inon theuser-cert. TheKDCwill verifyin a form vulnerable to brute-force attack. In order to obtain a private key, the client includes a preauthenticationauthenticator, and checkfield with thecertification path against its own policy of legitimate certifiers. This may be based on a certification hierarchy, or simplyAS-REQ message: PA-PK-KEY-REQ ::= SEQUENCE { -- PA TYPE 20 patimestamp [0] KerberosTime OPTIONAL, -- used to address replay attacks. pausec [1] INTEGER OPTIONAL, -- used to address replay attacks. nonce [2] INTEGER, -- binds the reply to this request privkeyID [3] SEQUENCE OF KeyID OPTIONAL -- constructed as alisthash ofrecognized certifiers in-- public key corresponding to -- desired private key } KeyID ::= SEQUENCE { KeyIdentifier [0] OCTET STRING } The client may request asystem like PGP.specific private key by sending the corresponding ID. If this field is left empty, then all private keys are returned. If all checks out, the KDCwill issue Kerberos credentials,responds as described in3.2, but with the names of all the certifiers in the certification path added tothetransited field of the ticket, with a principal name taken fromabove sections, except that an additional preauthentication field, containing thecertificate (this might be a long path for X.509, or a string like "John Q. Public <jqpublic@company.com>" ifuser's private key, accompanies thecertificate was a PGP certificate. The realm will identifyreply: PA-PK-KEY-REP ::= SEQUENCE { -- PA TYPE 21 nonce [0] INTEGER, -- binds thekind of certificate andreply to thefinal certifier as follows: cert_type/final_certifier as in PGP/<endorser@company.com>. 3.4. Digital Signature Implementationrequest KeyData [1] SEQUENCE OF KeyPair } KeyPair ::= SEQUENCE { privKeyID [0] OCTET STRING, -- corresponding to encPrivKey encPrivKey [1] OCTET STRING } 3.4.1. Additional Protection ofthe changes in this section is OPTIONAL.Retrieved Private Keys Weoffer this option withsolicit discussion on thewarningfollowing proposal: thatit requiresthe clientprocess to generate a random DES key; this generation may not be able to guarantee the same level of randomness as the KDC. If a user registered a digital signature key pair with the KDC, a separate exchangemaybe used. The client sends a KRB_AS_REQ as describedoptionally include insection 3.2.2. Ifits request additional data to encrypt theuser's database record indicates that a digital signature keyprivate key, which isto be used, thencurrently only protected by theKDC sends back a KRB_ERROR as in section 3.2.2. Ituser's password. One possibility isassumed herethat thesignature key is stored on local disk. Theclientgeneratesmight generate a randomkeystring ofenctype ENCTYPE_DES_CBC_CRC, signs it using the signature key (otherwise the signature is performed as described in section 3.2.1), then encrypts the wholebits, encrypt it with the public key of theKDC. This is returnedKDC (as in the SignedKeyPack, but witha separate KRB_AS_REQan ordinary OCTET STRING ina preauthenticationplace oftype PA-PK-AS-SIGNED ::= SEQUENCE { signedKey[0] EncryptedData -- PaPkAsSignedData } PaPkAsSignedData ::= SEQUENCE { signedKeyPart[0] SignedKeyPart, signedKeyAuth[1] PKAuthenticator, sig[2] Signature } SignedKeyPart ::= SEQUENCE { encSignedKey[0] EncryptionKey, nonce[1] INTEGER } where the nonce is the one froman EncryptionKey), and include this with the request.Upon receipt of the request, theThe KDCdecrypts,thenverifies the random key. It then replies as per RFC 1510, except that instead of being encryptedXORs each returned key with this random bit string. (If thepassword-derived DES key, the replybit string isencrypted usingtoo short, therandomKey sent byKDC could either return an error, or XOR theclient. Sincereturned key with a repetition of theclient already knowsbit string.) In order to make thiskey, there is nowork, additional means of preauthentication need toaccompany the reply with an extra preauthentication field. Because therebe devised in order to prevent attackers from simply inserting their own bit string. One way to do this isdirect trust between the user and the KDC, the transited fieldto store a hash of theticket returned bypassword-derived key (the one used to encrypt theKDC should remain empty. (Cf. Section 3.3.) Inprivate key). This hash is then used in turn to derive a second key (called theevent thathash-key); theKDC database indicates thathash-key is used to encrypt an ASN.1 structure containing theuser principal must be recovered,generated bit string and a nonce value that binds it to thePKAuthenticator does not contain the RecoveryData field,request. Since the KDCwill reply with the KDC_RECOVERY_NEEDED error. The user principal then sends another AS_REQ message that includespossesses theRecoveryData field inhash, it can generate thePKAuthenticator. The AS_REP message ishash-key and verify this (weaker) preauthentication, and yet cannot reproduce thesame as inprivate key itself, since thebasic Kerberos V5 protocol.hash is a one-way function. 4.Preauthentication Data TypesLogistics and Policy Issues Wepropose that the following preauthentication typessolicit discussion on how clients and KDCs should beallocated forconfigured in order to determine which of thepreauthentication data packagesoptions describedin this draft: #define KRB5_PADATA_ROOT_CERT 17 /* PA-PK-AS-ROOT */ #define KRB5_PADATA_PUBLIC_REP 18 /* PA-PK-AS-REP */ #define KRB5_PADATA_PUBLIC_REQ 19 /* PA-PK-AS-REQ */ #define KRB5_PADATA_PRIVATE_REP 20 /* PA-PK-USER-KEY */ #define KRB5_PADATA_PUBLIC_EXT 21 /* PA-PK-AS-EXT-CERT */ #define KRB5_PADATA_PUBLIC_SIGN 22 /* PA-PK-AS-SIGNED */ 5. Encryption Information Forabove (if any) should be used. One possibility is to set the user's database record to indicate that authentication is to use public keycryptography usedcryptography; this will not work, however, indirect registration, we used (in our implementation) the RSAREF library supplied with the PGP 2.6.2 release. Encryption and decryption functions were implemented directly on top oftheprimitives made available therein, rather thanevent that thefully sealing operations inclient needs to know before making theAPI. 6.initial request. 5. Compatibility with One-Time Passcodes We solicit discussion on how theuse of public key cryptography for initial authenticationprotocol changes proposed in this draft will interact with the proposed use ofone time passwordsone-time passcodes discussed inInternet Draft <draft-ietf-cat-kerberos-passwords-00.txt>. 7.draft-ietf-cat-kerberos-passwords-00.txt. 6. Strength ofEncryption and Signature MechanismsCryptographic Schemes In light of recent findings on thestrengthsstrength of MD5 andvarious DES modes,DES, we solicit discussion on whichmodesencryption types to incorporate into the protocol changes. 7. Bibliography [1] J. Kohl, C. Neuman. The Kerberos Network Authentication Service (V5). Request for Comments: 1510 [2] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication Service for Computer Networks, IEEE Communications, 32(9):33-38. September 1994. [3] A. Medvinsky, M. Hur. Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). draft-ietf-tls-kerb-cipher-suites-00.txt [4] A. Medvinsky, M. Hur, B. Clifford Neuman. Public Key Utilizing Tickets for Application Servers (PKTAPP). draft-ietf-cat-pktapp-00.txt [5] M. Sirbu, J. Chuang. Distributed Authentication in Kerberos Using Public Key Cryptography. Symposium On Network and Distributed System Security, 1997. [6] B. Cox, J.D. Tygar, M. Sirbu. NetBill Security and Transaction Protocol. In Proceedings of the USENIX Workshop on Electronic Commerce, July 1995. [7] Alan O. Freier, Philip Karlton and Paul C. Kocher. The SSL Protocol, Version 3.0 - IETF Draft. [8] B.C. Neuman, Proxy-Based Authorization and Accounting for Distributed Systems. In Proceedings of the 13th International Conference on Distributed Computing Systems, May 1993 [9] ITU-T (formerly CCITT) Information technology - Open Systems Interconnection - The Directory: Authentication Framework Recommendation X.509 ISO/IEC 9594-8 8. Acknowledgements Some of the ideas on which this proposal is based arose during discussions over several years between members of the SAAG, the IETF CAT working group, and the PSRG, regarding integration of Kerberos and SPX. Some ideas have also been drawn from the DASS system. These changes are by no means endorsed by these groups. This is an attempt to revive some of the goals of those groups, and this proposal approaches those goals primarily from the Kerberos perspective. Lastly, comments from groups working on similar ideas in DCE have been invaluable. 9. Expiration Date ThisInternet-Draftdraft expireson April 19,September 30, 1997.9. Authors' Addresses B.10. Authors Clifford NeumanUSC/Information Sciences Institute 4676 Admiralty Way Suite 1001 Marina del Rey, CA 90292-6695 Phone: 310-822-1511 EMail: bcn@isi.eduBrian TungUSC/InformationUSC Information Sciences Institute 4676 Admiralty Way Suite 1001 Marina delRey,Rey CA 90292-6695 Phone:310-822-1511 EMail: brian@isi.edu+1 310 822 1511 E-mail: {bcn, brian}@isi.edu John Wray Digital Equipment Corporation 550 King Street, LKG2-2/Z7 Littleton, MA 01460 Phone:508-486-5210 EMail:+1 508 486 5210 E-mail: wray@tuxedo.enet.dec.comJonathan TrostleAri Medvinsky Matthew Hur CyberSafe Corporation 1605 NW SammamishRd.,Road Suite 310Issaquah,Issaquah WA 98027-5378 Phone:206-391-6000 EMail: jonathan.trostle@cybersafe.com+1 206 391 6000 E-mail: {ari.medvinsky, matt.hur}@cybersafe.com Jonathan Trostle Novell E-mail: jonathan.trostle@novell.com ----