draft-josefsson-kerberos5-starttls-03.txt | draft-josefsson-kerberos5-starttls-04.txt | |||
---|---|---|---|---|
Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
Internet-Draft SJD | Internet-Draft SJD | |||
Intended status: Standards Track December 3, 2007 | Intended status: Informational December 5, 2008 | |||
Expires: June 5, 2008 | Expires: June 8, 2009 | |||
Using Kerberos V5 over the Transport Layer Security (TLS) protocol | Using Kerberos V5 over the Transport Layer Security (TLS) protocol | |||
draft-josefsson-kerberos5-starttls-03 | draft-josefsson-kerberos5-starttls-04 | |||
Status of this Memo | Status of this Memo | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on June 5, 2008. | This Internet-Draft will expire on June 8, 2009. | |||
Copyright Notice | ||||
Copyright (C) The IETF Trust (2007). | ||||
Abstract | Abstract | |||
This document specify how the Kerberos V5 protocol can be transported | This document specify how the Kerberos V5 protocol can be transported | |||
over the Transport Layer Security (TLS) protocol, to provide | over the Transport Layer Security (TLS) protocol, to provide | |||
additional security features. | additional security features. This document updates RFC 4120. | |||
Table of Contents | Table of Contents | |||
1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | 1. Introduction and Background . . . . . . . . . . . . . . . . . 3 | |||
2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | 2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5 | |||
3. Channel Binding Pre-Authentication Data . . . . . . . . . . . 6 | 3. Channel Binding Pre-Authentication Data . . . . . . . . . . . 6 | |||
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
5. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 8 | 5. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 8 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 9.1. Normative References . . . . . . . . . . . . . . . . . . . 12 | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 9.2. Informative References . . . . . . . . . . . . . . . . . . 12 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 13 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
Intellectual Property and Copyright Statements . . . . . . . . . . 14 | ||||
1. Introduction and Background | 1. Introduction and Background | |||
This document describe how a Kerberos V5 [3] implementation may | This document describe how a Kerberos V5 [RFC4120] implementation may | |||
upgrade communication between clients and Key Distribution Centers | upgrade communication between clients and Key Distribution Centers | |||
(KDCs) to use the Transport Layer Security (TLS) [4] protocol. | (KDCs) to use the Transport Layer Security (TLS) [RFC5246] protocol. | |||
The TLS protocol offer integrity and privacy protected exchanges that | The TLS protocol offer integrity and privacy protected exchanges that | |||
can be authentication using X.509 certificates, OpenPGP keys [8], and | can be authentication using X.509 certificates, OpenPGP keys | |||
user name and passwords via SRP [7]. | [RFC5081], and user name and passwords via SRP [RFC5054]. | |||
There are several reasons to use Kerberos V5 over TLS. | There are several reasons to use Kerberos V5 over TLS. | |||
o Prevents downgrade attacks affecting, e.g., encryption types and | o Prevents downgrade attacks affecting, e.g., encryption types and | |||
pre-auth data negotiation. The encryption type field in KDC-REQ, | pre-auth data negotiation. The encryption type field in KDC-REQ, | |||
and the METHOD-DATA field with the requested pre-auth types from | and the METHOD-DATA field with the requested pre-auth types from | |||
the server in KDC_ERR_PREAUTH_REQUIRED errors in KDC-REP, are sent | the server in KDC_ERR_PREAUTH_REQUIRED errors in KDC-REP, are sent | |||
without integrity or privacy protection in Kerberos 5. This | without integrity or privacy protection in Kerberos 5. This | |||
allows an attacker to replace the encryption type with a | allows an attacker to replace the encryption type with a | |||
compromised encryption type, e.g., 56-bit DES, or request that | compromised encryption type, e.g., 56-bit DES, or request that | |||
skipping to change at page 4, line 8 | skipping to change at page 4, line 5 | |||
models, the designer prefer to reduce the number of protocols that | models, the designer prefer to reduce the number of protocols that | |||
can hurt the overall system security if they are compromised. | can hurt the overall system security if they are compromised. | |||
o Explicit server authentication of the KDC to the client. In | o Explicit server authentication of the KDC to the client. In | |||
traditional Kerberos 5, authentication of the KDC is proved as a | traditional Kerberos 5, authentication of the KDC is proved as a | |||
side effect that the KDC knows your encryption key (i.e., your | side effect that the KDC knows your encryption key (i.e., your | |||
password). | password). | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
document are to be interpreted as described in RFC 2119 [1]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
2. Kerberos V5 STARTTLS Extension | 2. Kerberos V5 STARTTLS Extension | |||
The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | The STARTTLS extension uses the Kerberos V5 TCP extension mechanism | |||
[5]. The extension uses bit #TBD in the extension bitmask. | [RFC5021]. The extension uses bit #TBD in the extension bitmask. | |||
The protocol is as follows. After the server has sent the 4-octet | The protocol is as follows. After the server has sent the 4-octet | |||
value 0x00000000 to indicate support of this extension, the stream | value 0x00000000 to indicate support of this extension, the stream | |||
will be controlled by the TLS protocol and its framing. The TLS | will be controlled by the TLS protocol and its framing. The TLS | |||
protocol is initiated by the client. | protocol is initiated by the client. | |||
Typically, the client initiate the TLS handshake protocol by sending | Typically, the client initiate the TLS handshake protocol by sending | |||
a client hello, and the server responds, and the handshake continues | a client hello, and the server responds, and the handshake continues | |||
until it either succeed or fails. | until it either succeed or fails. | |||
If for any reason the handshake fails, the STARTTLS protocol will | If for any reason the handshake fails, the STARTTLS protocol will | |||
also fail, and the TLS error is used as the error indication. | also fail, and the TLS error is used as the error indication. In | |||
this case, no further messages can be exchanged over the same TCP | ||||
session. | ||||
If the handshake succeeds, the Kerberos V5 authentication protocol is | If the handshake succeeds, the Kerberos V5 authentication protocol is | |||
performed within the protected TLS channel, like a normal TCP | performed within the protected TLS channel, like a normal TCP | |||
Kerberos V5 exchange. In particular, this means that every Kerberos | Kerberos V5 exchange. In particular, this means that every Kerberos | |||
V5 packet will be prefixed by a 4-octet length field, that indicate | V5 packet will be prefixed by a 4-octet length field, that indicate | |||
the length of the Kerberos V5 packet. However, to conform with this | the length of the Kerberos V5 packet. However, to conform with this | |||
specification, any KDC-REQ (AS-REQ or TGS-REQ) message MUST contain | specification, any KDC-REQ (AS-REQ or TGS-REQ) message MUST contain | |||
the "pa-channel-binding" pre-authentication data. | the "pa-channel-binding" pre-authentication data. | |||
When no further Kerberos V5 messages needs to be transferred in the | ||||
TLS session, the TLS session MUST be shut down properly using the | ||||
close_notify alert. When the TLS session is shut down, the TCP | ||||
connection cannot be re-used to send any furhter data and MUST be | ||||
closed. | ||||
3. Channel Binding Pre-Authentication Data | 3. Channel Binding Pre-Authentication Data | |||
The pre-authentication structure is defined in RFC 4120 as: | The pre-authentication structure is defined in RFC 4120 as: | |||
PA-DATA ::= SEQUENCE { | PA-DATA ::= SEQUENCE { | |||
-- NOTE: first tag is [1], not [0] | -- NOTE: first tag is [1], not [0] | |||
padata-type [1] Int32, | padata-type [1] Int32, | |||
padata-value [2] OCTET STRING -- might be encoded AP-REQ | padata-value [2] OCTET STRING -- might be encoded AP-REQ | |||
} | } | |||
Here we define a new pre-authentication data, called "pa-channel- | Here we define a new pre-authentication data, called "pa-channel- | |||
binding". It has a padata-type integer value of #TBD. The contents | binding". It has a padata-type integer value of #TBD. The contents | |||
of the padata-value field is the channel binding data, as discussed | of the padata-value field is the channel binding data, as discussed | |||
in [6]. | in [RFC5056]. | |||
4. Examples | 4. Examples | |||
A complete packet flow for a successful AS-REQ/REP exchange protected | A complete packet flow for a successful AS-REQ/REP exchange protected | |||
by this mechanism will be as follows. The "STARTTLS-bit" is a | by this mechanism will be as follows. The "STARTTLS-bit" is a | |||
4-octet value with only the bit allocated for this extension set. | 4-octet value with only the bit allocated for this extension set. | |||
Client Server | Client Server | |||
[ Kerberos V5 TCP extension mechanism negotiation starts ] | [ Kerberos V5 TCP extension mechanism negotiation starts ] | |||
skipping to change at page 8, line 7 | skipping to change at page 8, line 7 | |||
Kerberos V5 AS-REQ --------> | Kerberos V5 AS-REQ --------> | |||
4 octet length field | 4 octet length field | |||
Kerberos V5 AS-REP | Kerberos V5 AS-REP | |||
<-------- | <-------- | |||
* Indicates optional or situation-dependent messages that are not | * Indicates optional or situation-dependent messages that are not | |||
always sent. | always sent. | |||
5. STARTTLS aware KDC Discovery | 5. STARTTLS aware KDC Discovery | |||
Section 7.2.3 of Kerberos V5 [3] describe how Domain Name System | Section 7.2.3 of Kerberos V5 [RFC4120] describe how Domain Name | |||
(DNS) SRV records [2] can be used to find the address of an KDC. | System (DNS) SRV records [RFC2782] can be used to find the address of | |||
Using the terminology of Section 7.2.3 of RFC 4120, we define a new | an KDC. We define a new Proto of "tls" to indicate that the | |||
Proto of "tls" to indicate that the particular KDC is intended to | particular KDC is intended to support this STARTTLS extension. The | |||
support this STARTTLS extension. The Service, Realm, TTL, Class, | Service, Realm, TTL, Class, SRV, Priority, Weight, Port and Target | |||
SRV, Priority, Weight, Port and Target have the same meaning as in | have the same meaning as in RFC 4120. | |||
RFC 4120. | ||||
For example: | For example: | |||
_kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | |||
_kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | |||
6. IANA Considerations | 6. IANA Considerations | |||
The IANA is requested to allocate a bit in the "Kerberos TCP | The IANA is requested to allocate a bit in the "Kerberos TCP | |||
Extensions" registry for the extension described in this document, as | Extensions" registry for the extension described in this document, as | |||
per [5]. | per [RFC5021]. | |||
7. Security Considerations | 7. Acknowledgements | |||
Jeffrey Hutzelman provided comments that improved the protocol and | ||||
document. | ||||
8. Security Considerations | ||||
The security considerations in Kerberos V5, TLS, and the extension | The security considerations in Kerberos V5, TLS, and the extension | |||
mechanism framework are inherited. | mechanism framework are inherited. | |||
Note that TLS does not protect against Man-In-The-Middle (MITM) | ||||
attacks unless clients verify the KDC's credentials (X.509 | ||||
certificate, OpenPGP key, etc) correctly. | ||||
To protect against the inherent downgrade attack in the extension | To protect against the inherent downgrade attack in the extension | |||
framework, it is suggested that implementations offer a policy to | framework, implementations SHOULD offer a policy mode that requires | |||
require that this extension is successfully negotiated. For | this extension to always be successfully negotiated, for a particular | |||
interoperability with implementations that do not support this | realm, or generally. For interoperability with implementations that | |||
extension, it is suggested that the policy is disabled by default. | do not support this extension, the policy mode SHOULD be disabled by | |||
default. | ||||
8. References | 9. References | |||
8.1. Normative References | 9.1. Normative References | |||
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
[2] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for | |||
specifying the location of services (DNS SRV)", RFC 2782, | specifying the location of services (DNS SRV)", RFC 2782, | |||
February 2000. | February 2000. | |||
[3] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos | [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The | |||
Network Authentication Service (V5)", RFC 4120, July 2005. | Kerberos Network Authentication Service (V5)", RFC 4120, | |||
July 2005. | ||||
[4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
Protocol Version 1.1", RFC 4346, April 2006. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
[5] Josefsson, S., "Extended Kerberos Version 5 Key Distribution | [RFC5021] Josefsson, S., "Extended Kerberos Version 5 Key | |||
Center (KDC) Exchanges over TCP", RFC 5021, August 2007. | Distribution Center (KDC) Exchanges over TCP", RFC 5021, | |||
August 2007. | ||||
[6] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
Channels", RFC 5056, November 2007. | Channels", RFC 5056, November 2007. | |||
8.2. Informative References | 9.2. Informative References | |||
[7] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, "Using | [RFC5054] Taylor, D., Wu, T., Mavrogiannopoulos, N., and T. Perrin, | |||
the Secure Remote Password (SRP) Protocol for TLS | "Using the Secure Remote Password (SRP) Protocol for TLS | |||
Authentication", RFC 5054, November 2007. | Authentication", RFC 5054, November 2007. | |||
[8] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport Layer | [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport | |||
Security (TLS) Authentication", RFC 5081, November 2007. | Layer Security (TLS) Authentication", RFC 5081, | |||
November 2007. | ||||
Author's Address | Author's Address | |||
Simon Josefsson | Simon Josefsson | |||
SJD | Simon Josefsson Datakonsult AB | |||
Hagagatan 24 | ||||
Stockholm 113 47 | ||||
Sweden | ||||
Email: [email protected] | Email: [email protected] | |||
URI: http://josefsson.org/ | ||||
Full Copyright Statement | Full Copyright Statement | |||
Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2008). | |||
This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
retain all their rights. | retain all their rights. | |||
This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND | |||
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS | |||
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF | |||
skipping to change at page 13, line 44 | skipping to change at line 323 | |||
attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at | |||
[email protected]. | [email protected]. | |||
Acknowledgment | ||||
Funding for the RFC Editor function is provided by the IETF | ||||
Administrative Support Activity (IASA). | ||||
End of changes. 33 change blocks. | ||||
55 lines changed or deleted | 76 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |