| draft-josefsson-kerberos5-starttls-08.txt | draft-josefsson-kerberos5-starttls.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
| Internet-Draft SJD AB | Internet-Draft SJD AB | |||
| Intended status: Informational January 22, 2010 | Intended status: Informational August 14, 2010 | |||
| Expires: July 26, 2010 | Expires: February 15, 2011 | |||
| Using Kerberos V5 over the Transport Layer Security (TLS) protocol | Using Kerberos V5 over the Transport Layer Security (TLS) protocol | |||
| draft-josefsson-kerberos5-starttls-08 | draft-josefsson-kerberos5-starttls-09 | |||
| Abstract | Abstract | |||
| This document specify how the Kerberos V5 protocol can be transported | This document specify how the Kerberos V5 protocol can be transported | |||
| over the Transport Layer Security (TLS) protocol, to provide | over the Transport Layer Security (TLS) protocol, to provide | |||
| additional security features. | additional security features. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF). Note that other groups may also distribute | |||
| other groups may also distribute working documents as Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | This Internet-Draft will expire on February 15, 2011. | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | ||||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on July 26, 2010. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the BSD License. | described in the Simplified BSD License. | |||
| This document may contain material from IETF Documents or IETF | This document may contain material from IETF Documents or IETF | |||
| Contributions published or made publicly available before November | Contributions published or made publicly available before November | |||
| 10, 2008. The person(s) controlling the copyright in some of this | 10, 2008. The person(s) controlling the copyright in some of this | |||
| material may not have granted the IETF Trust the right to allow | material may not have granted the IETF Trust the right to allow | |||
| modifications of such material outside the IETF Standards Process. | modifications of such material outside the IETF Standards Process. | |||
| Without obtaining an adequate license from the person(s) controlling | Without obtaining an adequate license from the person(s) controlling | |||
| the copyright in such materials, this document may not be modified | the copyright in such materials, this document may not be modified | |||
| outside the IETF Standards Process, and derivative works of it may | outside the IETF Standards Process, and derivative works of it may | |||
| not be created outside the IETF Standards Process, except to format | not be created outside the IETF Standards Process, except to format | |||
| skipping to change at page 7, line 9 | skipping to change at page 6, line 9 | |||
| Kerberos V5 AS-REP | Kerberos V5 AS-REP | |||
| <-------- | <-------- | |||
| * Indicates optional or situation-dependent messages that are not | * Indicates optional or situation-dependent messages that are not | |||
| always sent. | always sent. | |||
| 4. STARTTLS aware KDC Discovery | 4. STARTTLS aware KDC Discovery | |||
| Section 7.2.3 of Kerberos V5 [RFC4120] describe how Domain Name | Section 7.2.3 of Kerberos V5 [RFC4120] describe how Domain Name | |||
| System (DNS) SRV records [RFC2782] can be used to find the address of | System (DNS) SRV records [RFC2782] can be used to find the address of | |||
| an KDC. We define a new Proto of "tls" to indicate that the | an KDC. We define a new Service of "kerberos-tls" to indicate that | |||
| particular KDC is intended to support this STARTTLS extension. The | the particular KDC is intended to support this STARTTLS extension. | |||
| Service, Realm, TTL, Class, SRV, Priority, Weight, Port and Target | The Proto (tcp), Realm, TTL, Class, SRV, Priority, Weight, Port and | |||
| have the same meaning as in RFC 4120. | Target have the same meaning as in RFC 4120. | |||
| For example: | For example: | |||
| _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | _kerberos-tls._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. | |||
| _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | _kerberos-tls._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. | |||
| 5. Server Certificates | 5. Server Certificates | |||
| The TLS protocol may be used in a mode that provides server | The TLS protocol may be used in a mode that provides server | |||
| authentication using, for example, X.509 and OpenPGP. | authentication using, for example, X.509 and OpenPGP. | |||
| The Kerberos V5 STARTTLS protocol do not require clients to verify | A goal for the protocol described in this memo is that it should be | |||
| the server certificate. The goal is that support for TLS in Kerberos | as easy to implement and deploy on clients as support for UDP/TCP. | |||
| V5 clients should be as easy to implement and deploy as support for | Since many client environments do not have access to long-term | |||
| UDP/TCP. Use of TLS, even without server certificate validation, | storage, or to long-term storage that is sufficiently secure to | |||
| protects against some attacks that Kerberos V5 over UDP/TCP do not. | enable validation of server certificates, the Kerberos V5 STARTTLS | |||
| (For example, passive network sniffing between the user and the KDC | protocol does not require clients to verify server certificates. If | |||
| to track which Kerberos services are used by the user.) To require | server certification had been required, then environments with | |||
| server certificates to be validated at all times would lead to | constrained clients such as those mentioned would be forced to | |||
| disabling of TLS when clients are unable to validate server | disable TLS; this would arguably be worse than TLS without server | |||
| certificates, and this may have worse security properties than using | certificate validation as use of TLS, even without server certificate | |||
| TLS and not validate the server certificate would have. | validation, protects against some attacks that Kerberos V5 over UDP/ | |||
| TCP do not. For example, even without server certificate validation, | ||||
| TLS does protect against passive network sniffing aimed at tracking | ||||
| Kerberos service usage by a given client. | ||||
| Many client environments do not have secure long-term storage, which | Note however that use of TLS without server certificate verification | |||
| is required to validate certificates. This makes it impossible to | opens up for a range of active attacks such as man-in-the-middle. | |||
| use server certificate validation on a large number of client | ||||
| systems. | ||||
| When clients have the ability, they MUST validate the server | When clients have the ability, they MUST validate the server | |||
| certificate. For this reason, if a KDC presents a X.509 server | certificate. For this reason, if a KDC presents a X.509 server | |||
| certificate over TLS, it MUST contain an otherName Subject | certificate over TLS, it MUST contain an otherName Subject | |||
| Alternative Name (SAN) identified using a type-id of id-krb5starttls- | Alternative Name (SAN) identified using a type-id of id-krb5starttls- | |||
| san. The intention is to bind the server certificate to the Kerberos | san. The intention is to bind the server certificate to the Kerberos | |||
| realm for the purpose of using Kerberos V5 STARTTLS. The value field | realm for the purpose of using Kerberos V5 STARTTLS. The value field | |||
| of the otherName should contain the realm as the "Realm" ASN.1 type. | of the otherName should contain the realm as the "Realm" ASN.1 type. | |||
| id-krb5starttls-san OBJECT IDENTIFIER ::= | id-krb5starttls-san OBJECT IDENTIFIER ::= | |||
| skipping to change at page 11, line 7 | skipping to change at page 10, line 7 | |||
| to the intended Kerberos realm. | to the intended Kerberos realm. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| The IANA is requested to allocate a bit in the "Kerberos TCP | The IANA is requested to allocate a bit in the "Kerberos TCP | |||
| Extensions" registry for the extension described in this document, as | Extensions" registry for the extension described in this document, as | |||
| per [RFC5021]. | per [RFC5021]. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| Miguel A. Garcia, Jeffrey Hutzelman, Sam Hartman, and Magnus Nystroem | Miguel A. Garcia, Jeffrey Hutzelman, Sam Hartman, Magnus Nystroem, | |||
| (in alphabetical order) provided comments that improved the protocol | and Peter Saint-Andre (in alphabetical order) provided comments that | |||
| and document. | improved the protocol and document. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The security considerations in Kerberos V5, TLS, and the Kerberos V5 | The security considerations in Kerberos V5, TLS, and the Kerberos V5 | |||
| TCP extension mechanism are inherited. | TCP extension mechanism are inherited. | |||
| Note that TLS does not protect against Man-In-The-Middle (MITM) | Note that TLS does not protect against Man-In-The-Middle (MITM) | |||
| attacks unless clients verify the KDC's credentials (X.509 | attacks unless clients verify the KDC's credentials (X.509 | |||
| certificate, OpenPGP key, etc) correctly. | certificate, OpenPGP key, etc) correctly. Although certificate | |||
| validation adds an extra layer of protection, that is not considered | ||||
| strictly necessary to improve the security profile of Kerberos V5 as | ||||
| outlined in this document. | ||||
| If server authentication is used, some information about the server | If server authentication is used, some information about the server | |||
| (such as its name) is visible to passive attackers. | (such as its name) is visible to passive attackers. | |||
| To protect against the inherent downgrade attack in the extension | To protect against the inherent downgrade attack in the extension | |||
| framework, implementations SHOULD offer a policy mode that requires | framework, implementations SHOULD offer a policy mode that requires | |||
| this extension to always be successfully negotiated, for a particular | this extension to always be successfully negotiated, for a particular | |||
| realm, or generally. For interoperability with implementations that | realm, or generally. For interoperability with implementations that | |||
| do not support this extension, the policy mode SHOULD be disabled by | do not support this extension, the policy mode SHOULD be disabled by | |||
| default. | default. | |||
| End of changes. 12 change blocks. | ||||
| 40 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||