draft-josefsson-kerberos5-starttls-02.txt | draft-josefsson-kerberos5-starttls-03.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Internet-Draft SJD | Internet-Draft SJD | |||
Intended status: Standards Track October 21, 2006 | Intended status: Standards Track December 3, 2007 | |||
Expires: April 24, 2007 | Expires: June 5, 2008 | |||
Using Kerberos V5 over the Transport Layer Security (TLS) protocol | Using Kerberos V5 over the Transport Layer Security (TLS) protocol | |||
draft-josefsson-kerberos5-starttls-02 | draft-josefsson-kerberos5-starttls-03 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on April 24, 2007. | This Internet-Draft will expire on June 5, 2008. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The IETF Trust (2007). | |||
Abstract | Abstract | |||
This document specify how the Kerberos V5 protocol can be transported | This document specify how the Kerberos V5 protocol can be transported | |||
over the Transport Layer Security (TLS) protocol, to provide | over the Transport Layer Security (TLS) protocol, to provide | |||
additional security features. | additional security features. | |||
Table of Contents | Table of Contents | |||
1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | |||
2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | 2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | |||
3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Channel Binding Pre-Authentication Data . . . . . . . . . . . 6 | |||
4. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 7 | 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 5. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 8 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
7.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 12 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 13 | ||||
1. Introduction and Background | 1. Introduction and Background | |||
This document describe how a Kerberos V5 [2] implementation may | This document describe how a Kerberos V5 [3] implementation may | |||
upgrade communication between clients and Key Distribution Centers | upgrade communication between clients and Key Distribution Centers | |||
(KDCs) to use the Transport Layer Security (TLS) [4] protocol. | (KDCs) to use the Transport Layer Security (TLS) [4] protocol. | |||
The TLS protocol offer integrity and privacy protected exchanges that | The TLS protocol offer integrity and privacy protected exchanges that | |||
can be authentication using X.509 certificates, OpenPGP keys [7], and | can be authentication using X.509 certificates, OpenPGP keys [8], and | |||
user name and passwords via SRP [6]. | user name and passwords via SRP [7]. | |||
There are several reasons to use Kerberos V5 over TLS. | There are several reasons to use Kerberos V5 over TLS. | |||
o Prevents downgrade attacks affecting, e.g., encryption types and | o Prevents downgrade attacks affecting, e.g., encryption types and | |||
pre-auth data negotiation. The encryption type field in KDC-REQ, | pre-auth data negotiation. The encryption type field in KDC-REQ, | |||
and the METHOD-DATA field with the requested pre-auth types from | and the METHOD-DATA field with the requested pre-auth types from | |||
the server in KDC_ERR_PREAUTH_REQUIRED errors in KDC-REP, are sent | the server in KDC_ERR_PREAUTH_REQUIRED errors in KDC-REP, are sent | |||
without integrity or privacy protection in Kerberos 5. This | without integrity or privacy protection in Kerberos 5. This | |||
allows an attacker to replace the encryption type with a | allows an attacker to replace the encryption type with a | |||
compromised encryption type, e.g., 56-bit DES, or request that | compromised encryption type, e.g., 56-bit DES, or request that | |||
skipping to change at page 5, line 8 | skipping to change at page 5, line 8 | |||
side effect that the KDC knows your encryption key (i.e., your | side effect that the KDC knows your encryption key (i.e., your | |||
password). | password). | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [1]. | document are to be interpreted as described in RFC 2119 [1]. | |||
2. Kerberos V5 STARTTLS Extension | 2. Kerberos V5 STARTTLS Extension | |||
The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | |||
[3]. The extension uses bit #TBD in the extension bitmask. | [5]. The extension uses bit #TBD in the extension bitmask. | |||
The protocol is as follows. After the server has sent the 4-octet | The protocol is as follows. After the server has sent the 4-octet | |||
value 0x00000000 to indicate support of this extension, the stream | value 0x00000000 to indicate support of this extension, the stream | |||
will be controlled by the TLS protocol and its framing. The TLS | will be controlled by the TLS protocol and its framing. The TLS | |||
protocol is initiated by the client. | protocol is initiated by the client. | |||
Typically, the client initiate the TLS handshake protocol by sending | Typically, the client initiate the TLS handshake protocol by sending | |||
a client hello, and the server responds, and the handshake continues | a client hello, and the server responds, and the handshake continues | |||
until it either succeed or fails. | until it either succeed or fails. | |||
If for any reason the handshake fails, the STARTTLS protocol will | If for any reason the handshake fails, the STARTTLS protocol will | |||
also fail, and the TLS error is used as the error indication. | also fail, and the TLS error is used as the error indication. | |||
If the handshake succeeds, the Kerberos V5 authentication protocol is | If the handshake succeeds, the Kerberos V5 authentication protocol is | |||
performed within the protected TLS channel, like a normal TCP | performed within the protected TLS channel, like a normal TCP | |||
Kerberos V5 exchange. In particular, this means that every Kerberos | Kerberos V5 exchange. In particular, this means that every Kerberos | |||
V5 packet will be prefixed by a 4-octet length field, that indicate | V5 packet will be prefixed by a 4-octet length field, that indicate | |||
the length of the Kerberos V5 packet. | the length of the Kerberos V5 packet. However, to conform with this | |||
specification, any KDC-REQ (AS-REQ or TGS-REQ) message MUST contain | ||||
the "pa-channel-binding" pre-authentication data. | ||||
3. Examples | 3. Channel Binding Pre-Authentication Data | |||
The pre-authentication structure is defined in RFC 4120 as: | ||||
PA-DATA ::= SEQUENCE { | ||||
-- NOTE: first tag is [1], not [0] | ||||
padata-type [1] Int32, | ||||
padata-value [2] OCTET STRING -- might be encoded AP-REQ | ||||
} | ||||
Here we define a new pre-authentication data, called "pa-channel- | ||||
binding". It has a padata-type integer value of #TBD. The contents | ||||
of the padata-value field is the channel binding data, as discussed | ||||
in [6]. | ||||
4. Examples | ||||
A complete packet flow for a successful AS-REQ/REP exchange protected | A complete packet flow for a successful AS-REQ/REP exchange protected | |||
by this mechanism will be as follows. The "STARTTLS-bit" is a | by this mechanism will be as follows. The "STARTTLS-bit" is a | |||
4-octet value with only the bit allocated for this extension set. | 4-octet value with only the bit allocated for this extension set. | |||
Client Server | Client Server | |||
[ Kerberos V5 TCP extension mechanism negotiation starts ] | [ Kerberos V5 TCP extension mechanism negotiation starts ] | |||
[0x70000000 & STARTTLS-bit] --------> | [0x70000000 & STARTTLS-bit] --------> | |||
skipping to change at page 7, line 5 | skipping to change at page 8, line 5 | |||
4 octet length field | 4 octet length field | |||
Kerberos V5 AS-REQ --------> | Kerberos V5 AS-REQ --------> | |||
4 octet length field | 4 octet length field | |||
Kerberos V5 AS-REP | Kerberos V5 AS-REP | |||
<-------- | <-------- | |||
* Indicates optional or situation-dependent messages that are not | * Indicates optional or situation-dependent messages that are not | |||
always sent. | always sent. | |||
4. STARTTLS aware KDC Discovery | 5. STARTTLS aware KDC Discovery | |||
Section 7.2.3 of Kerberos V5 [2] describe how Domain Name System | Section 7.2.3 of Kerberos V5 [3] describe how Domain Name System | |||
(DNS) SRV records [5] can be used to find the address of an KDC. | (DNS) SRV records [2] can be used to find the address of an KDC. | |||
Using the terminology of Section 7.2.3 of RFC 4120, we define a new | Using the terminology of Section 7.2.3 of RFC 4120, we define a new | |||
Proto of "tls" to indicate that the particular KDC is intended to | Proto of "tls" to indicate that the particular KDC is intended to | |||
support this STARTTLS extension. The Service, Realm, TTL, Class, | support this STARTTLS extension. The Service, Realm, TTL, Class, | |||
SRV, Priority, Weight, Port and Target have the same meaning as in | SRV, Priority, Weight, Port and Target have the same meaning as in | |||
RFC 4120. | RFC 4120. | |||
For example: | For example: | |||
_kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | |||
_kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | |||
5. IANA Considerations | 6. IANA Considerations | |||
The IANA is requested to allocate a bit in the "Kerberos TCP | The IANA is requested to allocate a bit in the "Kerberos TCP | |||
Extensions" registry for the extension described in this document, as | Extensions" registry for the extension described in this document, as | |||
per [3]. | per [5]. | |||
6. Security Considerations | 7. Security Considerations | |||
The security considerations in Kerberos V5, TLS, and the extension | The security considerations in Kerberos V5, TLS, and the extension | |||
mechanism framework are inherited. | mechanism framework are inherited. | |||
To protect against the inherent downgrade attack in the extension | To protect against the inherent downgrade attack in the extension | |||
framework, it is suggested that implementations offer a policy to | framework, it is suggested that implementations offer a policy to | |||
require that this extension is successfully negotiated. For | require that this extension is successfully negotiated. For | |||
interoperability with implementations that do not support this | interoperability with implementations that do not support this | |||
extension, it is suggested that the policy is disabled by default. | extension, it is suggested that the policy is disabled by default. | |||
7. References | 8. References | |||
7.1. Normative References | 8.1. Normative References | |||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
Levels", BCP 14, RFC 2119, March 1997. | Levels", BCP 14, RFC 2119, March 1997. | |||
[2] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos | [2] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
Network Authentication Service (V5)", RFC 4120, July 2005. | specifying the location of services (DNS SRV)", RFC 2782, | |||
February 2000. | ||||
[3] Josefsson, S., "Extended Kerberos Version 5 Key Distribution | [3] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos | |||
Center (KDC) Exchanges Over TCP", | Network Authentication Service (V5)", RFC 4120, July 2005. | |||
draft-ietf-krb-wg-tcp-expansion-01 (work in progress), | ||||
September 2006. | ||||
[4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) | [4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) | |||
Protocol Version 1.1", RFC 4346, April 2006. | Protocol Version 1.1", RFC 4346, April 2006. | |||
[5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | [5] Josefsson, S., "Extended Kerberos Version 5 Key Distribution | |||
specifying the location of services (DNS SRV)", RFC 2782, | Center (KDC) Exchanges over TCP", RFC 5021, August 2007. | |||
February 2000. | ||||
7.2. Informative References | [6] Williams, N., "On the Use of Channel Bindings to Secure | |||
Channels", RFC 5056, November 2007. | ||||
[6] Taylor, D., "Using SRP for TLS Authentication", | 8.2. Informative References | |||
draft-ietf-tls-srp-12 (work in progress), June 2006. | ||||
[7] Mavroyanopoulos, N., "Using OpenPGP keys for TLS | [7] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, "Using | |||
authentication", draft-ietf-tls-openpgp-keys-10 (work in | the Secure Remote Password (SRP) Protocol for TLS | |||
progress), June 2006. | Authentication", RFC 5054, November 2007. | |||
[8] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport Layer | ||||
Security (TLS) Authentication", RFC 5081, November 2007. | ||||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
SJD | SJD | |||
Email: [email protected] | Email: [email protected] | |||
Full Copyright Statement | Full Copyright Statement | |||
Copyright (C) The Internet Society (2006). | Copyright (C) The IETF Trust (2007). | |||
This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
retain all their rights. | retain all their rights. | |||
This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | |||
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | |||
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
Intellectual Property | Intellectual Property | |||
The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
End of changes. 25 change blocks. | ||||
48 lines changed or deleted | 67 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |