INTERNET-DRAFT Tom Yu Common Authentication Technology WG MIT draft-ietf-cat-krb5gss-mech2-03.txt 04 March 2000 The Kerberos Version 5 GSSAPI Mechanism, Version 2 Status of This Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments on this document should be sent to "ietf-cat-wg@lists.stanford.edu", the IETF Common Authentication Technology WG discussion list. Abstract This document defines protocols, procedures, and conventions to be employed by peers implementing the Generic Security Service Application Program Interface (as specified in RFC 2743) when using Kerberos Version 5 technology (as specified in RFC 1510). This obsoletes RFC 1964. Acknowledgements Much of the material in this specification is based on work done for Cygnus Solutions by Marc Horowitz. Table of Contents Status of This Memo ............................................ 1 Abstract ....................................................... 1 Acknowledgements ............................................... 1 Table of Contents .............................................. 1 1. Introduction ............................................... 3 2. Token Formats .............................................. 3 2.1. Packet Notation ....................................... 3 Yu Document Expiration: 04 Sep 2000 [Page 1] Internet-Draft krb5-gss-mech2-03 March 2000 2.2. Mechanism OID ......................................... 4 2.3. Context Establishment ................................. 4 2.3.1. Option Format .................................... 4 2.3.1.1. Delegated Credentials Option ................ 5 2.3.1.2. Null Option ................................. 5 2.3.2. Initial Token .................................... 6 2.3.2.1. Data to be Checksummed in APREQ ............. 8 2.3.3. Response Token ................................... 10 2.4. Per-message Tokens .................................... 12 2.4.1. Sequence Number Usage ............................ 12 2.4.2. MIC Token ........................................ 12 2.4.2.1. Data to be Checksummed in MIC Token ......... 13 2.4.3. Wrap Token ....................................... 14 2.4.3.1. Wrap Token With Integrity Only .............. 14 2.4.3.2. Wrap Token With Integrity and Encryption ............................................. 15 2.4.3.2.1. Data to be Encrypted in Wrap Token ..... 16 3. ASN.1 Encoding of Octet Strings ............................ 17 4. Name Types ................................................. 18 4.1. Mandatory Name Forms .................................. 18 4.1.1. Kerberos Principal Name Form ..................... 18 4.1.2. Exported Name Object Form for Kerberos5 Mechanism ........................................ 19 5. Credentials ................................................ 20 6. Parameter Definitions ...................................... 20 6.1. Minor Status Codes .................................... 20 6.1.1. Non-Kerberos-specific codes ...................... 21 6.1.2. Kerberos-specific-codes .......................... 21 7. Kerberos Protocol Dependencies ............................. 22 8. Security Considerations .................................... 22 9. References ................................................. 22 10. Author's Address .......................................... 23 Yu Document Expiration: 04 Sep 2000 [Page 2] Internet-Draft krb5-gss-mech2-03 March 2000 1. Introduction The original Kerberos 5 GSSAPI mechanism[RFC1964] has a number of shortcomings. This document attempts to remedy them by defining a completely new Kerberos 5 GSSAPI mechanism. The context establishment token format requires that the authenticator of AP-REQ messages contain a cleartext data structure in its checksum field, which is a needless and potentially confusing overloading of that field. This is implemented by a special checksum algorithm whose purpose is to copy the input data directly into the checksum field of the authenticator. The number assignments for checksum algorithms and for encryption types are inconsistent between the Kerberos protocol and the original GSSAPI mechanism. If new encryption or checksum algorithms are added to the Kerberos protocol at some point, the GSSAPI mechanism will need to be separately updated to use these new algorithms. The original mechanism specifies a crude method of key derivation (by using the XOR of the context key with a fixed constant), which is incompatible with newer cryptosystems which specify key derivation procedures themselves. The original mechanism also assumes that both checksums and cryptosystem blocksizes are eight bytes. Defining all GSSAPI tokens for the new Kerberos 5 mechanism in terms of the Kerberos protocol specification ensures that new encryption types and checksum types may be automatically used as they are defined for the Kerberos protocol. 2. Token Formats All tokens, not just the initial token, are framed as the InitialContextToken described in RFC 2743 section 3.1. The innerContextToken element of the token will not itself be encoded in ASN.1, with the exception of caller-provided application data. One rationale for avoiding the use of ASN.1 in the inner token is that some implementors may wish to implement this mechanism in a kernel or other similarly constrained application where handling of full ASN.1 encoding may be cumbersome. Also, due to the poor availability of the relevant standards documents, ASN.1 encoders and decoders are difficult to implement completely correctly, so keeping ASN.1 usage to a minimum decreases the probability of bugs in the implementation of the mechanism. In particular, bit strings need to be transferred at certain points in this mechanism. There are many conflicting common misunderstandings of how to encode and decode ASN.1 bit strings, which have led difficulties in the implementaion of the Kerberos protocol. Yu Document Expiration: 04 Sep 2000 [Page 3] Internet-Draft krb5-gss-mech2-03 March 2000 2.1. Packet Notation The order of transmission of this protocol is described at the octet level. Packet diagrams depict bits in the order of transmission, assuming that individual octets are transmitted with the most significant bit (MSB) first. The diagrams read from left to right and from top to bottom, as in printed English. In each octet, bit number 7 is the MSB and bit number 0 is the LSB. Numbers prefixed by the characters "0x" are in hexadecimal notation, as in the C programming language. Even though packet diagrams are drawn 16 bits wide, no padding should be used to align the ends of variable-length fields to a 32-bit or 16-bit boundary. All integer fields are in network byte order. All other fields have the size shown in the diagrams, with the exception of variable length fields. 2.2. Mechanism OID The Object Identifier (OID) of the new krb5 v2 mechanism is: {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5v2(3)} 2.3. Context Establishment 2.3.1. Option Format Context establishment tokens, i.e., the initial ones that the GSS_Init_sec_context() and the GSS_Accept_sec_context() calls emit while a security context is being set up, may contain options that influence the subsequent behavior of the context. This document describes only a small set of options, but additional types may be added by documents intended to supplement this one. The generic format is as follows: bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | option type | +-------------------------------+-------------------------------+ 2 | | +-- option length (32 bits) --+ 4 | | +-------------------------------+-------------------------------+ 6 | . | / option data (variable length) / | . | +-------------------------------+-------------------------------+ Yu Document Expiration: 04 Sep 2000 [Page 4] Internet-Draft krb5-gss-mech2-03 March 2000 option type (16 bits) The type identifier of the following option. option length (32 bits) The length in bytes of the following option. option data (variable length) The actual option data. Any number of options may appear in an initator or acceptor token. The final option in a token must be the null option, in order to mark the end of the list. Option type 0xffff is reserved. The initiator and acceptor shall ignore any options that they do not understand. 2.3.1.1. Delegated Credentials Option Only the initiator may use this option. The format of the delegated credentials option is as follows: bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | option type = 0x00001 | +-------------------------------+-------------------------------+ 2 | | +-- KRB-CRED length --+ 4 | | +-------------------------------+-------------------------------+ 6 | . | / KRB-CRED message / | . | +-------------------------------+-------------------------------+ option type (16 bits) The option type for this option shall be 0x0001. KRB-CRED length (32 bits) The length in bytes of the following KRB-CRED message. KRB-CRED message (variable length) The option data for this option shall be the KRB-CRED message that contains the credentials being delegated (forwarded) to the context acceptor. Only the initiator may use this option. 2.3.1.2. Null Option The Null option terminates the option list, and must be used by both the initiator and the acceptor. Its format is as follows: Yu Document Expiration: 04 Sep 2000 [Page 5] Internet-Draft krb5-gss-mech2-03 March 2000 bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | option type = 0 | +-------------------------------+-------------------------------+ 2 | | +-- length = 0 --+ 4 | | +-------------------------------+-------------------------------+ option type (16 bits) The option type of this option must be zero. option length (32 bits) The length of this option must be zero. 2.3.2. Initial Token This is the initial token sent by the context initiator, generated by GSS_Init_sec_context(). bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | initial token id = 0x0101 | +-------------------------------+-------------------------------+ 2 | | +-- reserved flag bits +-----------------------+ 4 | | I | C | S | R | M | D | +-------------------------------+-------------------------------+ 6 | checksum type count | +-------------------------------+-------------------------------+ 8 | . | / checksum type list / | . | +-------------------------------+-------------------------------+ n | . | / options / | . | +-------------------------------+-------------------------------+ m | | +-- AP-REQ length --+ m+2 | | +-------------------------------+-------------------------------+ m+4 | . | / AP-REQ data / | . | +-------------------------------+-------------------------------+ initial token ID (16 bits) Contains the integer 0x0101, which identifies this as the initial token in the context setup. Yu Document Expiration: 04 Sep 2000 [Page 6] Internet-Draft krb5-gss-mech2-03 March 2000 reserved flag bits (26 bits) These bits are reserved for future expansion. They must be set to zero by the initiator and be ignored by the acceptor. I flag (1 bit) 0x00000020 -- GSS_C_INTEG_FLAG C flag (1 bit) 0x00000010 -- GSS_C_CONF_FLAG S flag (1 bit) 0x00000008 -- GSS_C_SEQUENCE_FLAG R flag (1 bit) 0x00000004 -- GSS_C_REPLAY_FLAG M flag (1 bit) 0x00000002 -- GSS_C_MUTUAL_FLAG D flag (1 bit) 0x00000001 -- GSS_C_DELEG_FLAG; This flag must be set if the "delegated credentials" option is included. checksum type count (16 bits) The number of checksum types supported by the initiator. checksum type list (variable length) A list of Kerberos checksum types, as defined in RFC 1510 section 6.4. These checksum types must be collision-proof and keyed with the context key; no checksum types that are incompatible with the encryption key shall be used. Each checksum type number shall be 32 bits wide. This list should contain all the checksum types supported by the initiator. If mutual authentication is not used, then this list shall contain only one checksum type. options (variable length) The context initiation options, described in section 2.3.1. AP-REQ length (32 bits) The length of the following KRB_AP_REQ message. AP-REQ data (variable length) The AP-REQ message as described in RFC 1510. The checksum in the authenticator will be computed over the items listed in the next section. The optional sequence number field shall be used in the AP-REQ. The initiator should generate a subkey in the authenticator, and the acceptor should generate a subkey in the AP-REP. The key used for the per-message tokens will be the AP-REP subkey, or if that is not present, the authenticator subkey, or if that is not present, the session key. When subkeys are generated, it is strongly recommended Yu Document Expiration: 04 Sep 2000 [Page 7] Internet-Draft krb5-gss-mech2-03 March 2000 that they be of the same type as the associated session key. XXX The above is not secure. There should be an algorithmic process to arrive at a subsession key which both sides of the authentication exchange can perform based on the ticket sessions key and data known to both parties, and this should probably be part of the revised Kerberos protocol rather than bound to the GSSAPI mechanism. 2.3.2.1. Data to be Checksummed in AP-REQ The checksum in the AP-REQ message is calculated over the following items. Like in the actual tokens, no padding should be added to force integer fields to align on 32 bit boundaries. This particular set of data should not be sent as a part of any token; it merely specifies what is to be checksummed in the AP-REQ. The items in this encoding that precede the initial token ID correspond to the channel bindings passed to GSS_Init_sec_context(). Yu Document Expiration: 04 Sep 2000 [Page 8] Internet-Draft krb5-gss-mech2-03 March 2000 bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | | +-- initiator address type --+ 2 | | +-------------------------------+-------------------------------+ 4 | initiator address length | +-------------------------------+-------------------------------+ 6 | . | / initiator address / | . | +-------------------------------+-------------------------------+ n | | +-- acceptor address type --+ | | +-------------------------------+-------------------------------+ n+4 | acceptor address length | +-------------------------------+-------------------------------+ n+6 | . | / acceptor address / | . | +-------------------------------+-------------------------------+ m | . | / application data / | . | +-------------------------------+-------------------------------+ k | initial token id = 0x0101 | +-------------------------------+-------------------------------+ k+2 | | +-- flags --+ k+4 | | +-------------------------------+-------------------------------+ k+6 | checksum type count | +-------------------------------+-------------------------------+ k+8 | . | / checksum type list / | . | +-------------------------------+-------------------------------+ j | . | / options / | . | +-------------------------------+-------------------------------+ initiator address type (32 bits) The initiator address type, as defined in the Kerberos protocol specification. If no initiator address is provided, this must be zero. initiator address length (16 bits) The length in bytes of the following initiator address. If there is no inititator address provided, this must be zero. Yu Document Expiration: 04 Sep 2000 [Page 9] Internet-Draft krb5-gss-mech2-03 March 2000 initiator address (variable length) The actual initiator address, in network byte order. acceptor address type (32 bits) The acceptor address type, as defined in the Kerberos protocol specification. If no acceptor address is provided, this must be zero. acceptor address length (16 bits) The length in bytes of the following acceptor address. This must be zero is there is no acceptor address provided. initiator address (variable length) The actual acceptor address, in network byte order. applicatation data (variable length) The application data, if provided, encoded as a ASN.1 octet string using DER. If no application data are passed as input channel bindings, this shall be a zero-length ASN.1 octet string. initial token ID (16 bits) The initial token ID from the initial token. flags (32 bits) The context establishment flags from the initial token. checksum type count (16 bits) The number of checksum types supported by the initiator. checksum type list (variable length) The same list of checksum types contained in the initial token. options (variable length) The options list from the initial token. 2.3.3. Response Token This is the reponse token sent by the context acceptor, if mutual authentication is enabled. Yu Document Expiration: 04 Sep 2000 [Page 10] Internet-Draft krb5-gss-mech2-03 March 2000 bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | response token id = 0x0202 | +-------------------------------+-------------------------------+ 2 | | +-- reserved flag bits +-------+ 4 | | D | E | +-------------------------------+-------------------------------+ 6 | | +-- checksum type --+ 8 | | +-------------------------------+-------------------------------+ 10 | . | / options / | . | +-------------------------------+-------------------------------+ n | | +-- AP-REP or KRB-ERROR length --+ n+2 | | +-------------------------------+-------------------------------+ n+4 | . | / AP-REP or KRB-ERROR data / | . | +-------------------------------+-------------------------------+ m | . | / MIC data / | . | +-------------------------------+-------------------------------+ response token id (16 bits) Contains the integer 0x0202, which identifies this as the response token in the context setup. reserved flag bits (30 bits) These bits are reserved for future expansion. They must be set to zero by the acceptor and be ignored by the initiator. D flag -- delegated creds accepted (1 bit) 0x00000002 -- If this flag is set, the acceptor processed the delegated credentials, and GSS_C_DELEG_FLAG should be returned to the caller. E flag -- error (1 bit) 0x00000001 -- If this flag is set, a KRB-ERROR message shall be present, rather than an AP-REP message. If this flag is not set, an AP-REP message shall be present. checksum type count (16 bits) The number of checksum types supported by both the initiator and the acceptor. Yu Document Expiration: 04 Sep 2000 [Page 11] Internet-Draft krb5-gss-mech2-03 March 2000 checksum type (32 bits) A Kerberos checksum type, as defined in RFC 1510 section 6.4. This checksum type must be among the types listed by the initiator, and will be used in for subsequent checksums generated during this security context. options (variable length) The option list, as described earlier. At this time, no options are defined for the acceptor, but an implementation might make use of these options to acknowledge an option from the initial token. After all the options are specified, a null option must be used to terminate the list. AP-REP or KRB-ERROR length (32 bits) Depending on the value of the error flag, length in bytes of the AP-REP or KRB-ERROR message. AP-REP or KRB-ERROR data (variable length) Depending on the value of the error flag, the AP-REP or KRB-ERROR message as described in RFC 1510. If this field contains an AP-REP message, the sequence number field in the AP-REP shall be filled. If this is a KRB-ERROR message, no further fields will be in this message. MIC data (variable length) A MIC token, as described in section 2.4.2, computed over the concatentation of the response token ID, flags, checksum length and type fields, and all option fields. This field and the preceding length field must not be present if the error flag is set. 2.4. Per-message Tokens 2.4.1. Sequence Number Usage Sequence numbers for per-message tokens are 31 bit unsigned integers, which are incremented by 1 after each token. An overflow condition should result in a wraparound of the sequence number to zero. The initiator and acceptor each keep their own sequence numbers per connection. The intial sequence number for tokens sent from the initiator to the acceptor shall be the least significant 31 bits of sequence number in the AP-REQ message. The initial sequence number for tokens sent from the acceptor to the initiator shall be the least significant 31 bits of the sequence number in the AP-REP message if mutual authentication is used; if mutual authentication is not used, the initial sequence number from acceptor to initiator shall be the least significant 31 bits of the sequence number in the AP-REQ message. Yu Document Expiration: 04 Sep 2000 [Page 12] Internet-Draft krb5-gss-mech2-03 March 2000 2.4.2. MIC Token Use of the GSS_GetMIC() call yields a token, separate from the user data being protected, which can be used to verify the integrity of that data when it is received. The MIC token has the following format: bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | MIC token id = 0x0303 | +-------------------------------+-------------------------------+ 2 | D | | +---+ sequence number --+ 4 | | +-------------------------------+-------------------------------+ 6 | checksum length | +-------------------------------+-------------------------------+ 8 | . | / checksum data / | . | +-------------------------------+-------------------------------+ MIC token id (16 bits) Contains the integer 0x0303, which identifies this as a MIC token. D -- direction bit (1 bit) This bit shall be zero if the message is sent from the context initiator. If the message is sent from the context acceptor, this bit shall be one. sequence number (31 bits) The sequence number. checksum length (16 bits) The number of bytes in the following checksum data field. checksum data (variable length) The checksum itself, as defined in RFC 1510 section 6.4. The checksum is calculated over the encoding described in the following section. The key usage GSS_TOK_MIC -- 22 [XXX need to register this] shall be used in cryptosystems that support key derivation. The mechanism implementation shall only use the checksum type returned by the acceptor in the case of mutual authentication. If mutual authentication is not requested, then only the checksum type in the initiator token shall be used. Yu Document Expiration: 04 Sep 2000 [Page 13] Internet-Draft krb5-gss-mech2-03 March 2000 2.4.2.1. Data to be Checksummed in MIC Token The checksum in the MIC token shall be calculated over the following elements. This set of data is not actually included in the token as is; the description only appears for the purpose of specifying the method of calculating the checksum. bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | MIC token id = 0x0303 | +-------------------------------+-------------------------------+ 2 | D | | +---+ sequence number --+ 4 | | +-------------------------------+-------------------------------+ 6 | . | / application data / | . | +-------------------------------+-------------------------------+ MIC token ID (16 bits) The MIC token ID from the MIC message. D -- direction bit (1 bit) This bit shall be zero if the message is sent from the context initiator. If the message is sent from the context acceptor, this bit shall be one. sequence number (31 bits) The sequence number. application data (variable length) The application-supplied data, encoded as an ASN.1 octet string using DER. 2.4.3. Wrap Token Use of the GSS_Wrap() call yields a token which encapsulates the input user data (optionally encrypted) along with associated integrity check quantities. 2.4.3.1. Wrap Token With Integrity Only Yu Document Expiration: 04 Sep 2000 [Page 14] Internet-Draft krb5-gss-mech2-03 March 2000 bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | integrity wrap token id = 0x0404 | +-------------------------------+-------------------------------+ 2 | D | | +---+ sequence number --+ 4 | | +-------------------------------+-------------------------------+ 6 | . | / application data / | . | +-------------------------------+-------------------------------+ n | checksum length | +-------------------------------+-------------------------------+ n+2 | . | / checksum data / | . | +-------------------------------+-------------------------------+ integrity wrap token id (16 bits) Contains the integer 0x0404, which identifies this as a Wrap token with integrity only. D -- direction bit (1 bit) This bit shall be zero if the message is sent from the context initiator. If the message is sent from the context acceptor, this bit shall be one. sequence number (31 bits) The sequence number. application data (variable length) The application-supplied data, encoded as an ASN.1 octet string using DER. checksum length (16 bits) The number of bytes in the following checksum data field. checksum data (variable length) The checksum itself, as defined in RFC 1510 section 6.4, computed over the concatenation of the token ID, sequence number, direction field, application data length, and application data, as in the MIC token checksum in the previous section. The key usage GSS_TOK_WRAP_INTEG -- 23 [XXX need to register this] shall be used in cryptosystems that support key derivation. The mechanism implementation should only use checksum types which it knows to be valid for both peers, as described for MIC tokens. Yu Document Expiration: 04 Sep 2000 [Page 15] Internet-Draft krb5-gss-mech2-03 March 2000 2.4.3.2. Wrap Token With Integrity and Encryption bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ | encrypted wrap token id = 0x0505 | +-------------------------------+-------------------------------+ 2 | . | / encrypted data / | . | +-------------------------------+-------------------------------+ encrypted wrap token id (16 bits) Contains the integer 0x0505, which identifies this as a Wrap token with integrity and encryption. encrypted data (variable length) The encrypted data itself, as defined in RFC 1510 section 6.3, encoded as an ASN.1 octet string using DER. Note that this is not the ASN.1 type EncryptedData as defined in RFC 1510 section 6.1, but rather the ciphertext without encryption type or kvno information. The encryption is performed using the key/enctype exchanged during context setup. The confounder and checksum are as specified in the Kerberos protocol specification. The key usage GSS_TOK_WRAP_PRIV -- 24 [XXX need to register this] shall be used in cryptosystems that support key derivation. The actual data to be encrypted are specified below. 2.4.3.2.1. Data to be Encrypted in Wrap Token bit| 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | byte +-------------------------------+-------------------------------+ 0 | D | | +---+ sequence number --+ 2 | | +-------------------------------+-------------------------------+ 4 | . | / application data / | . | +-------------------------------+-------------------------------+ D -- direction bit (1 bit) This bit shall be zero if the message is sent from the context initiator. If the message is sent from the context acceptor, this bit shall be one. sequence number (31 bits) The sequence number. application data (variable length) The application-supplied data, encoded as an ASN.1 octet string Yu Document Expiration: 04 Sep 2000 [Page 16] Internet-Draft krb5-gss-mech2-03 March 2000 using DER. 3. ASN.1 Encoding of Octet Strings In order to encode arbitirarly-sized application data, ASN.1 octet string encoding is in this protocol. The Distinguished Encoding Rules (DER) shall always be used in such cases. For reference purposes, the DER encoding of an ASN.1 octet string, adapted from ITU-T X.690, follows: +--------+-------//-------+-------//-------+ |00000100| length octets |contents octets | +--------+-------//-------+-------//-------+ | +-- identifier octet = 0x04 = [UNIVERSAL 4] In this section only, the bits in each octet shall be numbered as in the ASN.1 specification, from 8 to 1, with bit 8 being the MSB of the octet, and with bit 1 being the LSB of the octet. identifier octet (8 bits) Contains the constant 0x04, the tag for primitive encoding of an octet string with the default (UNIVERSAL 4) tag. length octets (variable length) Contains the length of the contents octets, in definite form (since this encoding uses DER). contents octets (variable length) The contents of the octet string. The length octets shall consist of either a short form (one byte only), which is to be used only if the number of octets in the contents octets is less than or equal to 127, or a long form, which is to be used in all other cases. The short form shall consist of a single octet with bit 8 (the MSB) equal to zero, and the remaining bits encoding the number of contents octets (which may be zero) as an unsigned binary integer. The long form shall consist of an initial octet and one or more subsequent octets. The first octet shall have bit 8 (the MSB) set to one, and the remaining bits shall encode the number of subsequent octets in the length encoding as an unsigned binary integer. The length must be encoded in the minimum number of octets. An initial octet of 0xFF is reserved by the ASN.1 specification. Bits 8 to 1 of the first subsequent octet, followed by bits 8 to 1 of each subsequent octet in order, shall be the encoding of an unsigned binary integer, with bit 8 of the first octet being the most significant bit. Thus, the length encoding within is in network byte order. Yu Document Expiration: 04 Sep 2000 [Page 17] Internet-Draft krb5-gss-mech2-03 March 2000 An initial length octet of 0x80 shall not be used, as that is reserved by the ASN.1 specification for indefinite lengths in conjunction with constructed contents encodings, which are not to be used with DER. 4. Name Types This section discusses the name types which may be passed as input to the Kerberos 5 GSSAPI mechanism's GSS_Import_name() call, and their associated identifier values. It defines interface elements in support of portability, and assumes use of C language bindings per RFC 2744. In addition to specifying OID values for name type identifiers, symbolic names are included and recommended to GSSAPI implementors in the interests of convenience to callers. It is understood that not all implementations of the Kerberos 5 GSSAPI mechanism need support all name types in this list, and that additional name forms will likely be added to this list over time. Further, the definitions of some or all name types may later migrate to other, mechanism-independent, specifications. The occurrence of a name type in this specification is specifically not intended to suggest that the type may be supported only by an implementation of the Kerberos 5 mechanism. In particular, the occurrence of the string "_KRB5_" in the symbolic name strings constitutes a means to unambiguously register the name strings, avoiding collision with other documents; it is not meant to limit the name types' usage or applicability. For purposes of clarification to GSSAPI implementors, this section's discussion of some name forms describes means through which those forms can be supported with existing Kerberos technology. These discussions are not intended to preclude alternative implementation strategies for support of the name forms within Kerberos mechanisms or mechanisms based on other technologies. To enhance application portability, implementors of mechanisms are encouraged to support name forms as defined in this section, even if their mechanisms are independent of Kerberos 5. 4.1. Mandatory Name Forms This section discusses name forms which are to be supported by all conformant implementations of the Kerberos 5 GSSAPI mechanism. 4.1.1. Kerberos Principal Name Form This name form shall be represented by the Object Identifier {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2) krb5_name(1)}. The recommended symbolic name for this type is "GSS_KRB5_NT_PRINCIPAL_NAME". This name type corresponds to the single-string representation of a Kerberos name. (Within the MIT Kerberos 5 implementation, such names are parseable with the krb5_parse_name() function.) The elements included within this name representation are as follows, proceeding Yu Document Expiration: 04 Sep 2000 [Page 18] Internet-Draft krb5-gss-mech2-03 March 2000 from the beginning of the string: (1) One or more principal name components; if more than one principal name component is included, the components are separated by '/'. Arbitrary octets may be included within principal name components, with the following constraints and special considerations: (1a) Any occurrence of the characters '@' or '/' within a name component must be immediately preceded by the '\' quoting character, to prevent interpretation as a component or realm separator. (1b) The ASCII newline, tab, backspace, and null characters may occur directly within the component or may be represented, respectively, by '\n', '\t', '\b', or '\0'. (1c) If the '\' quoting character occurs outside the contexts described in (1a) and (1b) above, the following character is interpreted literally. As a special case, this allows the doubled representation '\\' to represent a single occurrence of the quoting character. (1d) An occurrence of the '\' quoting character as the last character of a component is illegal. (2) Optionally, a '@' character, signifying that a realm name immediately follows. If no realm name element is included, the local realm name is assumed. The '/' , ':', and null characters may not occur within a realm name; the '@', newline, tab, and backspace characters may be included using the quoting conventions described in (1a), (1b), and (1c) above. 4.1.2. Exported Name Object Form for Kerberos 5 Mechanism When generated by the Kerberos 5 mechanism, the Mechanism OID within the exportable name shall be that of the original Kerberos 5 mechanism[RFC1964]. The Mechanism OID for the original Kerberos 5 mechanism is: {iso(1) member-body(2) us(840) mit(113554) infosys(1) gssapi(2) krb5(2)} The name component within the exportable name shall be a contiguous string with structure as defined for the Kerberos Principal Name Form. In order to achieve a distinguished encoding for comparison purposes, the following additional constraints are imposed on the export operation: (1) all occurrences of the characters '@', '/', and '\' within principal components or realm names shall be quoted with an Yu Document Expiration: 04 Sep 2000 [Page 19] Internet-Draft krb5-gss-mech2-03 March 2000 immediately-preceding '\'. (2) all occurrences of the null, backspace, tab, or newline characters within principal components or realm names will be represented, respectively, with '\0', '\b', '\t', or '\n'. (3) the '\' quoting character shall not be emitted within an exported name except to accomodate cases (1) and (2). 5. Credentials The Kerberos 5 protocol uses different credentials (in the GSSAPI sense) for initiating and accepting security contexts. Normal clients receive a ticket-granting ticket (TGT) and an associated session key at "login" time; the pair of a TGT and its corresponding session key forms a credential which is suitable for initiating security contexts. A ticket-granting ticket, its session key, and any other (ticket, key) pairs obtained through use of the ticket-granting-ticket, are typically stored in a Kerberos 5 credentials cache, sometimes known as a ticket file. The encryption key used by the Kerberos server to seal tickets for a particular application service forms the credentials suitable for accepting security contexts. These service keys are typically stored in a Kerberos 5 key table (keytab), or srvtab file (the Kerberos 4 terminology). In addition to their use as accepting credentials, these service keys may also be used to obtain initiating credentials for their service principal. The Kerberos 5 mechanism's credential handle may contain references to either or both types of credentials. It is a local matter how the Kerberos 5 mechanism implementation finds the appropriate Kerberos 5 credentials cache or key table. However, when the Kerberos 5 mechanism attempts to obtain initiating credentials for a service principal which are not available in a credentials cache, and the key for that service principal is available in a Kerberos 5 key table, the mechanism should use the service key to obtain initiating credentials for that service. This should be accomplished by requesting a ticket-granting-ticket from the Kerberos Key Distribution Center (KDC), and decrypting the KDC's reply using the service key. 6. Parameter Definitions This section defines parameter values used by the Kerberos V5 GSSAPI mechanism. It defines interface elements in support of portability, and assumes use of C language bindings per RFC 2744. 6.1. Minor Status Codes This section recommends common symbolic names for minor_status values to be returned by the Kerberos 5 GSSAPI mechanism. Use of these Yu Document Expiration: 04 Sep 2000 [Page 20] Internet-Draft krb5-gss-mech2-03 March 2000 definitions will enable independent implementors to enhance application portability across different implementations of the mechanism defined in this specification. (In all cases, implementations of GSS_Display_status() will enable callers to convert minor_status indicators to text representations.) Each implementation should make available, through include files or other means, a facility to translate these symbolic names into the concrete values which a particular GSSAPI implementation uses to represent the minor_status values specified in this section. It is recognized that this list may grow over time, and that the need for additional minor_status codes specific to particular implementations may arise. It is recommended, however, that implementations should return a minor_status value as defined on a mechanism-wide basis within this section when that code is accurately representative of reportable status rather than using a separate, implementation-defined code. 6.1.1. Non-Kerberos-specific codes These symbols should likely be incorporated into the generic GSSAPI C-bindings document, since they really are more general. GSS_KRB5_S_G_BAD_SERVICE_NAME /* "No @ in SERVICE-NAME name string" */ GSS_KRB5_S_G_BAD_STRING_UID /* "STRING-UID-NAME contains nondigits" */ GSS_KRB5_S_G_NOUSER /* "UID does not resolve to username" */ GSS_KRB5_S_G_VALIDATE_FAILED /* "Validation error" */ GSS_KRB5_S_G_BUFFER_ALLOC /* "Couldn't allocate gss_buffer_t data" */ GSS_KRB5_S_G_BAD_MSG_CTX /* "Message context invalid" */ GSS_KRB5_S_G_WRONG_SIZE /* "Buffer is the wrong size" */ GSS_KRB5_S_G_BAD_USAGE /* "Credential usage type is unknown" */ GSS_KRB5_S_G_UNKNOWN_QOP /* "Unknown quality of protection specified" */ 6.1.2. Kerberos-specific-codes Yu Document Expiration: 04 Sep 2000 [Page 21] Internet-Draft krb5-gss-mech2-03 March 2000 GSS_KRB5_S_KG_CCACHE_NOMATCH /* "Principal in credential cache does not match desired name" */ GSS_KRB5_S_KG_KEYTAB_NOMATCH /* "No principal in keytab matches desired name" */ GSS_KRB5_S_KG_TGT_MISSING /* "Credential cache has no TGT" */ GSS_KRB5_S_KG_NO_SUBKEY /* "Authenticator has no subkey" */ GSS_KRB5_S_KG_CONTEXT_ESTABLISHED /* "Context is already fully established" */ GSS_KRB5_S_KG_BAD_SIGN_TYPE /* "Unknown signature type in token" */ GSS_KRB5_S_KG_BAD_LENGTH /* "Invalid field length in token" */ GSS_KRB5_S_KG_CTX_INCOMPLETE /* "Attempt to use incomplete security context" */ 7. Kerberos Protocol Dependencies This protocol makes several assumptions about the Kerberos protocol, which may require changes to the successor of RFC 1510. Sequence numbers, checksum types, and address types are assumed to be no wider than 32 bits. The Kerberos protocol specification might need to be modified to accomodate this. This obviously requires some further discussion. Key usages need to be registered within the Kerberos protocol for use with GSSAPI per-message tokens. The current specification of the Kerberos protocol does not include descriptions of key derivations or key usages, but planned revisions to the protocol will include them. This protocol also makes the assumption that any cryptosystem used with the session key will include integrity protection, i.e., it assumes that no "raw" cryptosystems will be used. 8. Security Considerations The GSSAPI is a security protocol; therefore, security considerations are discussed throughout this document. The original Kerberos 5 GSSAPI mechanism's constraints on possible cryptosystems and checksum types do not permit it to be readily extended to accomodate more secure cryptographic technologies with larger checksums or encryption block sizes. Sites are strongly encouraged to adopt the mechanism specified in this document in the light of recent publicity about the deficiencies of DES. 9. References [X.680] ISO/IEC, "Information technology -- Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T X.680 (1997) | ISO/IEC 8824-1:1998 Yu Document Expiration: 04 Sep 2000 [Page 22] Internet-Draft krb5-gss-mech2-03 March 2000 [X.690] ISO/IEC, "Information technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T X.690 (1997) | ISO/IEC 8825-1:1998. [RFC1510] Kohl, J., Neumann, C., "The Kerberos Network Authentication Service (V5)", RFC 1510. [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964. [RFC2743] Linn, J., "Generic Security Service Application Program Interface, Version 2, Update 1", RFC 2743. [RFC2744] Wray, J., "Generic Security Service API Version 2: C-bindings", RFC 2744. 10. Author's Address Tom Yu Massachusetts Institute of Technology Room E40-345 77 Massachusetts Avenue Cambridge, MA 02139 USA email: tlyu@mit.edu phone: +1 617 253 1753 Yu Document Expiration: 04 Sep 2000 [Page 23]