draft-ietf-krb-wg-gssapi-cfx-07.txt   [plain text]



<Network Working Group>                                       Larry Zhu 
Internet Draft                                       Karthik Jaganathan 
Updates: 1964                                                 Microsoft 
Category: Standards Track                                   Sam Hartman 
draft-ietf-krb-wg-gssapi-cfx-07.txt                                 MIT 
                                                          March 9, 2004 
                                             Expires: September 9, 2004 
 
          The Kerberos Version 5 GSS-API Mechanism: Version 2 
 
Status of this Memo 
 
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of [RFC-2026].  
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups.  Note that 
   other groups may also distribute working documents as Internet-
   Drafts.  Internet-Drafts are draft documents valid for a maximum of 
   six months and may be updated, replaced, or obsoleted by other 
   documents at any time.  It is inappropriate to use Internet-Drafts 
   as reference material or to cite them other than as "work in 
   progress."  
    
   The list of current Internet-Drafts can be accessed at 
   http://www.ietf.org/ietf/1id-abstracts.txt.   
    
   The list of Internet-Draft Shadow Directories can be accessed at 
   http://www.ietf.org/shadow.html. 
    
   To learn the current status of any Internet-Draft, please check the 
   "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow 
   Directories on ftp.ietf.org (US East Coast), nic.nordu.net (Europe), 
   ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). 
 
   The distribution of this memo is unlimited.  It is filed as  
   draft-ietf-krb-wg-gssapi-cfx-07.txt, and expires on September 9 
   2004.  Please send comments to: ietf-krb-wg@anl.gov. 
    
Abstract 
    
   This document defines protocols, procedures, and conventions to be 
   employed by peers implementing the Generic Security Service 
   Application Program Interface (GSS-API) when using the Kerberos 
   Version 5 mechanism. 
    
   RFC-1964 is updated and incremental changes are proposed in response 
   to recent developments such as the introduction of Kerberos 
   cryptosystem framework.  These changes support the inclusion of new 
   cryptosystems, by defining new per-message tokens along with their 
   encryption and checksum algorithms based on the cryptosystem 
   profiles.   
    
Conventions used in this document 
  
Zhu                                                                   1 
DRAFT             Kerberos Version 5 GSS-API     Expires September 2004 
 
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
   document are to be interpreted as described in [RFC-2119]. 
    
   The term "little endian order" is used for brevity to refer to the 
   least-significant-octet-first encoding, while the term "big endian 
   order" is for the most-significant-octet-first encoding. 
    
Table of Contents 

   1. Introduction ...............................................  2 
   2. Key Derivation for Per-Message Tokens ......................  3 
   3. Quality of Protection ......................................  4 
   4. Definitions and Token Formats ..............................  4 
   4.1. Context Establishment Tokens .............................  4 
   4.1.1. Authenticator Checksum .................................  5 
   4.2. Per-Message Tokens .......................................  8 
   4.2.1. Sequence Number ........................................  8 
   4.2.2. Flags Field ............................................  8 
   4.2.3. EC Field ...............................................  9 
   4.2.4. Encryption and Checksum Operations .....................  9 
   4.2.5. RRC Field .............................................. 10 
   4.2.6. Message Layouts ........................................ 10 
   4.3. Context Deletion Tokens .................................. 11 
   4.4. Token Identifier Assignment Considerations ............... 11 
   5. Parameter Definitions ...................................... 12 
   5.1. Minor Status Codes ....................................... 12 
   5.1.1. Non-Kerberos-specific codes ............................ 12 
   5.1.2. Kerberos-specific-codes ................................ 12 
   5.2. Buffer Sizes ............................................. 13 
   6. Backwards Compatibility Considerations ..................... 13 
   7. Security Considerations .................................... 13 
   8. Acknowledgments ............................................ 14 
   9. Intellectual Property Statement ............................ 15
   10. References ................................................ 15 
   10.1. Normative References .................................... 15 
   10.2. Informative References .................................. 15 
   11. Author's Address .......................................... 15
   Full Copyright Statement ...................................... 17  
   
1. Introduction 
    
   [KCRYPTO] defines a generic framework for describing encryption and 
   checksum types to be used with the Kerberos protocol and associated 
   protocols. 
    
   [RFC-1964] describes the GSS-API mechanism for Kerberos Version 5.  
   It defines the format of context establishment, per-message and 
   context deletion tokens and uses algorithm identifiers for each 
   cryptosystem in per message and context deletion tokens.   
    
   The approach taken in this document obviates the need for algorithm 
   identifiers.  This is accomplished by using the same encryption 
   algorithm, specified by the crypto profile [KCRYPTO] for the session 
   key or subkey that is created during context negotiation, and its 
   required checksum algorithm.  Message layouts of the per-message 
Zhu                                                                  2 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   tokens are therefore revised to remove algorithm indicators and also 
   to add extra information to support the generic crypto framework 
   [KCRYPTO].  
    
   Tokens transferred between GSS-API peers for security context 
   establishment are also described in this document.  The data 
   elements exchanged between a GSS-API endpoint implementation and the 
   Kerberos Key Distribution Center (KDC) [KRBCLAR] are not specific to 
   GSS-API usage and are therefore defined within [KRBCLAR] rather than 
   within this specification. 
    
   The new token formats specified in this document MUST be used with 
   all "newer" encryption types [KRBCLAR] and MAY be used with "older" 
   encryption types, provided that the initiator and acceptor know, 
   from the context establishment, that they can both process these new 
   token formats. 
    
   "Newer" encryption types are those which have been specified along 
   with or since the new Kerberos cryptosystem specification [KCRYPTO], 
   as defined in section 3.1.3 of [KRBCLAR].  The list of not-newer 
   encryption types is as follows [KCRYPTO]: 
    
             Encryption Type             Assigned Number     
           ---------------------------------------------- 
            des-cbc-crc                        1              
            des-cbc-md4                        2              
            des-cbc-md5                        3              
            des3-cbc-md5                       5 
            des3-cbc-sha1                      7 
            dsaWithSHA1-CmsOID                 9            
            md5WithRSAEncryption-CmsOID       10            
            sha1WithRSAEncryption-CmsOID      11           
            rc2CBC-EnvOID                     12            
            rsaEncryption-EnvOID              13    
            rsaES-OAEP-ENV-OID                14    
            des-ede3-cbc-Env-OID              15            
            des3-cbc-sha1-kd                  16                       
            rc4-hmac                          23          
    
2. Key Derivation for Per-Message Tokens 
    
   To limit the exposure of a given key, [KCRYPTO] adopted "one-way" 
   "entropy-preserving" derived keys, for different purposes or key 
   usages, from a base key or protocol key.   
    
   This document defines four key usage values below that are used to 
   derive a specific key for signing and sealing messages, from the 
   session key or subkey [KRBCLAR] created during the context 
   establishment. 
    
        Name                         Value 
      ------------------------------------- 
       KG-USAGE-ACCEPTOR-SEAL         22 
       KG-USAGE-ACCEPTOR-SIGN         23 
       KG-USAGE-INITIATOR-SEAL        24 

Zhu                                                                  3 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
       KG-USAGE-INITIATOR-SIGN        25 
          
   When the sender is the context acceptor, KG-USAGE-ACCEPTOR-SIGN is 
   used as the usage number in the key derivation function for deriving 
   keys to be used in MIC tokens (as defined in section 4.2.6.1), and 
   KG-USAGE-ACCEPTOR-SEAL is used for Wrap tokens(as defined in section 
   4.2.6.2); similarly when the sender is the context initiator, KG-
   USAGE-INITIATOR-SIGN is used as the usage number in the key 
   derivation function for MIC tokens, KG-USAGE-INITIATOR-SEAL is used 
   for Wrap Tokens.  Even if the Wrap token does not provide for 
   confidentiality the same usage values specified above are used. 
    
   During the context initiation and acceptance sequence, the acceptor 
   MAY assert a subkey, and if so, subsequent messages MUST use this 
   subkey as the protocol key and these messages MUST be flagged as 
   "AcceptorSubkey" as described in section 4.2.2. 
 
3. Quality of Protection 
 
   The GSS-API specification [RFC-2743] provides for Quality of 
   Protection (QOP) values that can be used by applications to request 
   a certain type of encryption or signing.  A zero QOP value is used 
   to indicate the "default" protection; applications which do not use 
   the default QOP are not guaranteed to be portable across 
   implementations or even inter-operate with different deployment 
   configurations of the same implementation.  Using an algorithm that 
   is different from the one for which the key is defined may not be 
   appropriate.  Therefore, when the new method in this document is 
   used, the QOP value is ignored. 
    
   The encryption and checksum algorithms in per-message tokens are now 
   implicitly defined by the algorithms associated with the session key 
   or subkey.  Algorithms identifiers as described in [RFC-1964] are 
   therefore no longer needed and removed from the new token headers. 
 
4. Definitions and Token Formats 
    
   This section provides terms and definitions, as well as descriptions 
   for tokens specific to the Kerberos Version 5 GSS-API mechanism. 
                                    
4.1. Context Establishment Tokens 
    
   All context establishment tokens emitted by the Kerberos Version 5 
   GSS-API mechanism SHALL have the framing described in section 3.1 of 
   [RFC-2743], as illustrated by the following pseudo-ASN.1 structures: 
    
         GSS-API DEFINITIONS ::= 
    
         BEGIN 
    
         MechType ::= OBJECT IDENTIFIER 
         -- representing Kerberos V5 mechanism 
    
         GSSAPI-Token ::= 
         -- option indication (delegation, etc.) indicated within 
Zhu                                                                  4 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
         -- mechanism-specific token 
         [APPLICATION 0] IMPLICIT SEQUENCE { 
                 thisMech MechType, 
                 innerToken ANY DEFINED BY thisMech 
                    -- contents mechanism-specific 
                    -- ASN.1 structure not required 
                 } 
    
         END 
    
   Where the innerToken field starts with a two-octet token-identifier 
   (TOK_ID) expressed in big endian order, followed by a Kerberos 
   message.   
    
   Here are the TOK_ID values used in the context establishment tokens: 
    
         Token               TOK_ID Value in Hex  
        ----------------------------------------- 
         KRB_AP_REQ            01 00 
         KRB_AP_REP            02 00 
         KRB_ERROR             03 00 
             
   Where Kerberos message KRB_AP_REQUEST, KRB_AP_REPLY, and KRB_ERROR 
   are defined in [KRBCLAR].   
    
   If an unknown token identifier (TOK_ID) is received in the initial 
   context establishment token, the receiver MUST return 
   GSS_S_CONTINUE_NEEDED major status, and the returned output token 
   MUST contain a KRB_ERROR message with the error code 
   KRB_AP_ERR_MSG_TYPE [KRBCLAR]. 
    
4.1.1. Authenticator Checksum 
 
   The authenticator in the KRB_AP_REQ message MUST include the 
   optional sequence number and the checksum field.  The checksum field 
   is used to convey service flags, channel bindings, and optional 
   delegation information.   
    
   The checksum type MUST be 0x8003. When delegation is used, a ticket-
   granting ticket will be transferred in a KRB_CRED message.  This 
   ticket SHOULD have its forwardable flag set.  The EncryptedData 
   field of the KRB_CRED message [KRBCLAR] MUST be encrypted in the 
   session key of the ticket used to authenticate the context. 
    
   The authenticator checksum field SHALL have the following format: 
       
      Octet        Name      Description 
     ----------------------------------------------------------------- 
      0..3         Lgth    Number of octets in Bnd field;  Represented  
                           in little-endian order;  Currently contains   
                           hex value 10 00 00 00 (16). 
      4..19        Bnd     Channel binding information, as described in  
                           section 4.1.1.2. 
      20..23       Flags   Four-octet context-establishment flags in 
                           little-endian order as described in section  
Zhu                                                                  5 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
                           4.1.1.1.  
      24..25       DlgOpt  The delegation option identifier (=1) in  
                           little-endian order [optional].  This field  
                           and the next two fields are present if and  
                           only if GSS_C_DELEG_FLAG is set as described  
                           in section 4.1.1.1.   
      26..27       Dlgth   The length of the Deleg field in little- 
                           endian order [optional]. 
      28..(n-1)    Deleg   A KRB_CRED message (n = Dlgth + 28)  
                           [optional].  
      n..last      Exts    Extensions [optional]. 
    
   The length of the checksum field MUST be at least 24 octets when 
   GSS_C_DELEG_FLAG is not set (as described in section 4.1.1.1), and 
   at least 28 octets plus Dlgth octets when GSS_C_DELEG_FLAG is set.  
   When GSS_C_DELEG_FLAG is set, the DlgOpt, Dlgth and Deleg fields 
   of the checksum data MUST immediately follow the Flags field.  The 
   optional trailing octets (namely the "Exts" field) facilitate 
   future extensions to this mechanism.  When delegation is not used 
   but the Exts field is present, the Exts field starts at octet 24 
   (DlgOpt, Dlgth and Deleg are absent). 
    
   Initiators that do not support the extensions MUST NOT include more 
   than 24 octets in the checksum field, when GSS_C_DELEG_FLAG is not 
   set, or more than 28 octets plus the KRB_CRED in the Deleg field, 
   when GSS_C_DELEG_FLAG is set.  Acceptors that do not understand the 
   extensions MUST ignore any octets past the Deleg field of the 
   checksum data, when GSS_C_DELEG_FLAG is set, or past the Flags field 
   of the checksum data, when GSS_C_DELEG_FLAG is not set. 
 
4.1.1.1. Checksum Flags Field 
    
   The checksum "Flags" field is used to convey service options or 
   extension negotiation information. 
    
   The following context establishment flags are defined in [RFC-2744].   
    
        Flag Name              Value     
      --------------------------------- 
       GSS_C_DELEG_FLAG           1        
       GSS_C_MUTUAL_FLAG          2       
       GSS_C_REPLAY_FLAG          4       
       GSS_C_SEQUENCE_FLAG        8        
       GSS_C_CONF_FLAG           16      
       GSS_C_INTEG_FLAG          32     
        
   Context establishment flags are exposed to the calling application.  
   If the calling application desires a particular service option then 
   it requests that option via GSS_Init_sec_context() [RFC-2743].  If 
   the corresponding return state values [RFC-2743] indicate that any 
   of above optional context level services will be active on the 
   context, the corresponding flag values in the table above MUST be 
   set in the checksum Flags field. 
    

Zhu                                                                  6 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   Flag values 4096..524288 (2^12, 2^13, ..., 2^19) are reserved for 
   use with legacy vendor-specific extensions to this mechanism. 
    
   All other flag values not specified herein are reserved for future 
   use.  Future revisions of this mechanism may use these reserved 
   flags and may rely on implementations of this version to not use 
   such flags in order to properly negotiate mechanism versions.  
   Undefined flag values MUST be cleared by the sender, and unknown 
   flags MUST be ignored by the receiver.   
    
4.1.1.2. Channel Binding Information 
    
   These tags are intended to be used to identify the particular 
   communications channel for which the GSS-API security context 
   establishment tokens are intended, thus limiting the scope within 
   which an intercepted context establishment token can be reused by an 
   attacker (see [RFC-2743], section 1.1.6). 
    
   When using C language bindings, channel bindings are communicated 
   to the GSS-API using the following structure [RFC-2744]: 
 
      typedef struct gss_channel_bindings_struct { 
         OM_uint32       initiator_addrtype; 
         gss_buffer_desc initiator_address; 
         OM_uint32       acceptor_addrtype; 
         gss_buffer_desc acceptor_address; 
         gss_buffer_desc application_data; 
      } *gss_channel_bindings_t; 
    
   The member fields and constants used for different address types 
   are defined in [RFC-2744]. 
    
   The "Bnd" field contains the MD5 hash of channel bindings, taken 
   over all non-null components of bindings, in order of declaration.  
   Integer fields within channel bindings are represented in little-
   endian order for the purposes of the MD5 calculation. 
    
   In computing the contents of the Bnd field, the following detailed 
   points apply:  
    
   (1) For purposes of MD5 hash computation, each integer field and 
   input length field SHALL be formatted into four octets, using 
   little endian octet ordering.  
    
   (2) All input length fields within gss_buffer_desc elements of a 
   gss_channel_bindings_struct even those which are zero-valued, SHALL 
   be included in the hash calculation; the value elements of 
   gss_buffer_desc elements SHALL be dereferenced, and the resulting 
   data SHALL be included within the hash computation, only for the 
   case of gss_buffer_desc elements having non-zero length specifiers.  
    
   (3) If the caller passes the value GSS_C_NO_BINDINGS instead of a 
   valid channel binding structure, the Bnd field SHALL be set to 16 
   zero-valued octets.  
 
Zhu                                                                  7 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   If the caller to GSS_Accept_sec_context [RFC-2743] passes in 
   GSS_C_NO_CHANNEL_BINDINGS [RFC-2744] as the channel bindings then 
   the acceptor MAY ignore any channel bindings supplied by the 
   initiator, returning success even if the initiator did pass in 
   channel bindings. 
    
   If the application supply, in the channel bindings, a buffer with a 
   length field larger than 4294967295 (2^32 - 1), the implementation 
   of this mechanism MAY chose to reject the channel bindings 
   altogether, using major status GSS_S_BAD_BINDINGS [RFC-2743].  In 
   any case, the size of channel binding data buffers that can be used 
   (interoperable, without extensions) with this specification is 
   limited to 4294967295 octets. 
    
4.2. Per-Message Tokens 
    
   Two classes of tokens are defined in this section:  "MIC" tokens, 
   emitted by calls to GSS_GetMIC() and consumed by calls to 
   GSS_VerifyMIC(), "Wrap" tokens, emitted by calls to GSS_Wrap() and 
   consumed by calls to GSS_Unwrap(). 
    
   The new per-message tokens introduced here do not include the 
   generic GSS-API token framing used by the context establishment 
   tokens.  These new tokens are designed to be used with newer crypto 
   systems that can, for example, have variable-size checksums.   
    
4.2.1. Sequence Number 
 
   To distinguish intentionally-repeated messages from maliciously-
   replayed ones, per-message tokens contain a sequence number field, 
   which is a 64 bit integer expressed in big endian order.  After 
   sending a GSS_GetMIC() or GSS_Wrap() token, the sender's sequence 
   numbers SHALL be incremented by one. 
 
4.2.2. Flags Field 
 
   The "Flags" field is a one-octet integer used to indicate a set of 
   attributes for the protected message.  For example, one flag is 
   allocated as the direction-indicator, thus preventing an adversary 
   from sending back the same message in the reverse direction and 
   having it accepted.   
    
   The meanings of bits in this field (the least significant bit is 
   bit 0) are as follows: 
    
        Bit    Name             Description 
       --------------------------------------------------------------- 
        0   SentByAcceptor    When set, this flag indicates the sender  
                              is the context acceptor.  When not set, 
                              it indicates the sender is the context  
                              initiator. 
        1   Sealed            When set in Wrap tokens, this flag  
                              indicates confidentiality is provided  
                              for.  It SHALL NOT be set in MIC tokens. 
        2   AcceptorSubkey    A subkey asserted by the context acceptor 
Zhu                                                                  8 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
                              is used to protect the message. 
    
   The rest of available bits are reserved for future use and MUST be 
   cleared.  The receiver MUST ignore unknown flags. 
    
4.2.3. EC Field 
 
   The "EC" (Extra Count) field is a two-octet integer field expressed 
   in big endian order.   
    
   In Wrap tokens with confidentiality, the EC field SHALL be used to 
   encode the number of octets in the filler, as described in section 
   4.2.4. 
    
   In Wrap tokens without confidentiality, the EC field SHALL be used 
   to encode the number of octets in the trailing checksum, as 
   described in section 4.2.4.   
 
4.2.4. Encryption and Checksum Operations 
    
   The encryption algorithms defined by the crypto profiles provide for 
   integrity protection [KCRYPTO].  Therefore no separate checksum is 
   needed.  
    
   The result of decryption can be longer than the original plaintext 
   [KCRYPTO] and the extra trailing octets are called "crypto-system 
   residue" in this document.  However, given the size of any plaintext 
   data, one can always find a (possibly larger) size so that, when 
   padding the to-be-encrypted text to that size, there will be no 
   crypto-system residue added [KCRYPTO].  
 
   In Wrap tokens that provide for confidentiality, the first 16 octets 
   of the Wrap token (the "header", as defined in section 4.2.6), SHALL 
   be appended to the plaintext data before encryption.  Filler octets 
   MAY be inserted between the plaintext data and the "header", and the 
   values and size of the filler octets are chosen by implementations, 
   such that there SHALL be no crypto-system residue present after the 
   decryption.  The resulting Wrap token is {"header" | 
   encrypt(plaintext-data | filler | "header")}, where encrypt() is the 
   encryption operation (which provides for integrity protection) 
   defined in the crypto profile [KCRYPTO], and the RRC field (as 
   defined in section 4.2.5) in the to-be-encrypted header contain the 
   hex value 00 00.   
           
   In Wrap tokens that do not provide for confidentiality, the checksum 
   SHALL be calculated first over the to-be-signed plaintext data, and 
   then the first 16 octets of the Wrap token (the "header", as defined 
   in section 4.2.6).  Both the EC field and the RRC field in the token 
   header SHALL be filled with zeroes for the purpose of calculating 
   the checksum.  The resulting Wrap token is {"header" | plaintext-
   data | get_mic(plaintext-data | "header")},  where get_mic() is the 
   checksum operation for the required checksum mechanism of the chosen 
   encryption mechanism defined in the crypto profile [KCRYPTO].  
    

Zhu                                                                  9 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   The parameters for the key and the cipher-state in the encrypt() and 
   get_mic() operations have been omitted for brevity.   
        
   For MIC tokens, the checksum SHALL be calculated as follows: the 
   checksum operation is calculated first over the to-be-signed 
   plaintext data, and then the first 16 octets of the MIC token, where 
   the checksum mechanism is the required checksum mechanism of the 
   chosen encryption mechanism defined in the crypto profile [KCRYPTO]. 
   
   The resulting Wrap and MIC tokens bind the data to the token header, 
   including the sequence number and the direction indicator.  
   
4.2.5. RRC Field 
 
   The "RRC" (Right Rotation Count) field in Wrap tokens is added to 
   allow the data to be encrypted in-place by existing SSPI (Security 
   Service Provider Interface) [SSPI] applications that do not provide 
   an additional buffer for the trailer (the cipher text after the in-
   place-encrypted data) in addition to the buffer for the header (the 
   cipher text before the in-place-encrypted data).  The resulting Wrap 
   token in the previous section, excluding the first 16 octets of the 
   token header, is rotated to the right by "RRC" octets.  The net 
   result is that "RRC" octets of trailing octets are moved toward the 
   header.  Consider the following as an example of this rotation 
   operation:  Assume that the RRC value is 3 and the token before the 
   rotation is {"header" | aa | bb | cc | dd | ee | ff | gg | hh}, the 
   token after rotation would be {"header" | ff | gg | hh | aa | bb | 
   cc | dd | ee }, where {aa | bb | cc |...| hh} is used to indicate 
   the octet sequence. 
  
   The RRC field is expressed as a two-octet integer in big endian 
   order. 
    
   The rotation count value is chosen by the sender based on 
   implementation details, and the receiver MUST be able to interpret 
   all possible rotation count values, including rotation counts 
   greater than the length of the token. 
 
4.2.6. Message Layouts 
    
   Per-message tokens start with a two-octet token identifier (TOK_ID) 
   field, expressed in big endian order.  These tokens are defined 
   separately in subsequent sub-sections. 
    
4.2.6.1. MIC Tokens 
    
   Use of the GSS_GetMIC() call yields a token (referred as the MIC 
   token in this document), separate from the user  
   data being protected, which can be used to verify the integrity of  
   that data as received.  The token has the following format: 
    
      Octet no   Name        Description 
      ----------------------------------------------------------------- 
       0..1     TOK_ID     Identification field.  Tokens emitted by  
                           GSS_GetMIC() contain the hex value 04 04  
Zhu                                                                 10 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
                           expressed in big endian order in this field. 
       2        Flags      Attributes field, as described in section  
                           4.2.2. 
       3..7     Filler     Contains five octets of hex value FF. 
       8..15    SND_SEQ    Sequence number field in clear text,  
                           expressed in big endian order.  
       16..last SGN_CKSUM  Checksum of the "to-be-signed" data and  
                           octet 0..15, as described in section 4.2.4. 
    
   The Filler field is included in the checksum calculation for 
   simplicity.   
    
4.2.6.2. Wrap Tokens 
    
   Use of the GSS_Wrap() call yields a token (referred as the Wrap 
   token in this document), which consists of a descriptive header, 
   followed by a body portion that contains either the input user data 
   in plaintext concatenated with the checksum, or the input user data 
   encrypted.  The GSS_Wrap() token SHALL have the following format: 
    
      Octet no   Name        Description 
      --------------------------------------------------------------- 
       0..1     TOK_ID     Identification field.  Tokens emitted by  
                           GSS_Wrap() contain the the hex value 05 04                 
                           expressed in big endian order in this field. 
       2        Flags      Attributes field, as described in section  
                           4.2.2. 
       3        Filler     Contains the hex value FF. 
       4..5     EC         Contains the "extra count" field, in big  
                           endian order as described in section 4.2.3. 
       6..7     RRC        Contains the "right rotation count" in big  
                           endian order, as described in section 4.2.5. 
       8..15    SND_SEQ    Sequence number field in clear text, 
                           expressed in big endian order. 
       16..last Data       Encrypted data for Wrap tokens with  
                           confidentiality, or plaintext data followed  
                           by the checksum for Wrap tokens without  
                           confidentiality, as described in section  
                           4.2.4.         
             
4.3. Context Deletion Tokens 
 
   Context deletion tokens are empty in this mechanism.  Both peers to 
   a security context invoke GSS_Delete_sec_context() [RFC-2743] 
   independently, passing a null output_context_token buffer to 
   indicate that no context_token is required.  Implementations of 
   GSS_Delete_sec_context() should delete relevant locally-stored 
   context information. 
        
4.4. Token Identifier Assignment Considerations 
    
   Token identifiers (TOK_ID) from 0x60 0x00 through 0x60 0xFF 
   inclusive are reserved and SHALL NOT be assigned.  Thus by examining 
   the first two octets of a token, one can tell unambiguously if it is 
   wrapped with the generic GSS-API token framing.   
Zhu                                                                 11 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
    
5. Parameter Definitions 
    
   This section defines parameter values used by the Kerberos V5 GSS-
   API mechanism.  It defines interface elements in support of 
   portability, and assumes use of C language bindings per [RFC-2744]. 
    
5.1. Minor Status Codes 
 
   This section recommends common symbolic names for minor_status 
   values to be returned by the Kerberos V5 GSS-API mechanism.  Use of 
   these definitions will enable independent implementers to enhance 
   application portability across different implementations of the 
   mechanism defined in this specification.  (In all cases, 
   implementations of GSS_Display_status() will enable callers to 
   convert minor_status indicators to text representations.)  Each 
   implementation should make available, through include files or other 
   means, a facility to translate these symbolic names into the 
   concrete values which a particular GSS-API implementation uses to 
   represent the minor_status values specified in this section.  
    
   It is recognized that this list may grow over time, and that the 
   need for additional minor_status codes specific to particular 
   implementations may arise.  It is recommended, however, that 
   implementations should return a minor_status value as defined on a 
   mechanism-wide basis within this section when that code is 
   accurately representative of reportable status rather than using a 
   separate, implementation-defined code.  
    
5.1.1. Non-Kerberos-specific codes 
 
      GSS_KRB5_S_G_BAD_SERVICE_NAME  
              /* "No @ in SERVICE-NAME name string" */ 
      GSS_KRB5_S_G_BAD_STRING_UID 
              /* "STRING-UID-NAME contains nondigits" */ 
      GSS_KRB5_S_G_NOUSER 
              /* "UID does not resolve to username" */ 
      GSS_KRB5_S_G_VALIDATE_FAILED 
              /* "Validation error" */ 
      GSS_KRB5_S_G_BUFFER_ALLOC 
              /* "Couldn't allocate gss_buffer_t data" */ 
      GSS_KRB5_S_G_BAD_MSG_CTX 
              /* "Message context invalid" */ 
      GSS_KRB5_S_G_WRONG_SIZE 
              /* "Buffer is the wrong size" */ 
      GSS_KRB5_S_G_BAD_USAGE 
              /* "Credential usage type is unknown" */ 
      GSS_KRB5_S_G_UNKNOWN_QOP 
              /* "Unknown quality of protection specified" */ 
    
5.1.2. Kerberos-specific-codes 
    
      GSS_KRB5_S_KG_CCACHE_NOMATCH  
              /* "Client principal in credentials does not match   
                 specified name" */ 
Zhu                                                                 12 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
      GSS_KRB5_S_KG_KEYTAB_NOMATCH 
              /* "No key available for specified service principal" */ 
      GSS_KRB5_S_KG_TGT_MISSING 
              /* "No Kerberos ticket-granting ticket available" */ 
      GSS_KRB5_S_KG_NO_SUBKEY 
              /* "Authenticator has no subkey" */ 
      GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 
              /* "Context is already fully established" */ 
      GSS_KRB5_S_KG_BAD_SIGN_TYPE 
              /* "Unknown signature type in token" */ 
      GSS_KRB5_S_KG_BAD_LENGTH 
              /* "Invalid field length in token" */ 
      GSS_KRB5_S_KG_CTX_INCOMPLETE 
              /* "Attempt to use incomplete security context" */ 
 
5.2. Buffer Sizes 
 
   All implementations of this specification MUST be capable of 
   accepting buffers of at least 16K octets as input to GSS_GetMIC(), 
   GSS_VerifyMIC(), and GSS_Wrap(), and MUST be capable of accepting 
   the output_token generated by GSS_Wrap() for a 16K octet input 
   buffer as input to GSS_Unwrap().  Implementations SHOULD support 64K 
   octet input buffers, and MAY support even larger input buffer sizes. 
 
6. Backwards Compatibility Considerations 
 
   The new token formats defined in this document will only be 
   recognized by new implementations.  To address this, implementations 
   can always use the explicit sign or seal algorithm in [RFC-1964] 
   when the key type corresponds to "older" enctypes.  An alternative 
   approach might be to retry sending the message with the sign or seal 
   algorithm explicitly defined as in [RFC-1964].  However this would 
   require either the use of a mechanism such as [RFC-2478] to securely 
   negotiate the method or the use out of band mechanism to choose 
   appropriate mechanism.  For this reason, it is RECOMMENDED that the 
   new token formats defined in this document SHOULD be used only if 
   both peers are known to support the new mechanism during context 
   negotiation because of, for example, the use of "new" enctypes. 
 
   GSS_Unwrap() or GSS_VerifyMIC() can process a message token as 
   follows: it can look at the first octet of the token header, if it 
   is 0x60 then the token must carry the generic GSS-API pseudo ASN.1 
   framing, otherwise the first two octets of the token contain the 
   TOK_ID that uniquely identify the token message format. 
    
7. Security Considerations 
    
   Channel bindings are validated by the acceptor.  The acceptor can 
   ignore the channel bindings restriction supplied by the initiator 
   and carried in the authenticator checksum, if channel bindings are 
   not used by GSS_Accept_sec_context [RFC-2743], and the acceptor does 
   not prove to the initiator that it has the same channel bindings as 
   the initiator, even if the client requested mutual authentication.  
   This limitation should be taken into consideration by designers of 
   applications that would use channel bindings, whether to limit the 
Zhu                                                                 13 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   use of GSS-API contexts to nodes with specific network addresses, to 
   authenticate other established, secure channels using Kerberos 
   Version 5, or for any other purpose. 
    
   Session key types are selected by the KDC.  Under the current 
   mechanism, no negotiation of algorithm types occurs, so server-side 
   (acceptor) implementations cannot request that clients not use 
   algorithm types not understood by the server.  However, 
   administrators can control what enctypes can be used for session 
   keys for this mechanism by controlling the set of the ticket session 
   key enctypes which the KDC is willing to use in tickets for a given 
   acceptor principal.  The KDC could therefore be given the task of 
   limiting session keys for a given service to types actually 
   supported by the Kerberos and GSSAPI software on the server.  This 
   does have a drawback for cases where a service principal name is 
   used both for GSSAPI-based and non-GSSAPI-based communication (most 
   notably the "host" service key), if the GSSAPI implementation does 
   not understand (for example) AES [AES-KRB5] but the Kerberos 
   implementation does.  It means that AES session keys cannot be 
   issued for that service principal, which keeps the protection of 
   non-GSSAPI services weaker than necessary.  KDC administrators 
   desiring to limit the session key types to support interoperability 
   with such GSSAPI implementations should carefully weigh the 
   reduction in protection offered by such mechanisms against the 
   benefits of interoperability. 
    
8. Acknowledgments 
 
  Ken Raeburn and Nicolas Williams corrected many of our errors in the 
  use of generic profiles and were instrumental in the creation of 
  this document.  
   
  The text for security considerations was contributed by Nicolas 
  Williams and Ken Raeburn. 
   
  Sam Hartman and Ken Raeburn suggested the "floating trailer" idea, 
  namely the encoding of the RRC field.   
   
  Sam Hartman and Nicolas Williams recommended the replacing our 
  earlier key derivation function for directional keys with different 
  key usage numbers for each direction as well as retaining the 
  directional bit for maximum compatibility.   
   
  Paul Leach provided numerous suggestions and comments.  
   
  Scott Field, Richard Ward, Dan Simon, Kevin Damour, and Simon 
  Josefsson also provided valuable inputs on this document. 
   
  Jeffrey Hutzelman provided comments and clarifications for the text 
  related to the channel bindings.  
   
  Jeffrey Hutzelman and Russ Housley suggested many editorial changes. 
 


Zhu                                                                 14 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
  Luke Howard provided implementations of this document for the 
  Heimdal code base, and helped inter-operability testing with the 
  Microsoft code base, together with Love Hornquist Astrand.  These 
  experiments formed the basis of this document. 
   
  Martin Rex provided suggestions of TOK_ID assignment recommendations 
  thus the token tagging in this document is unambiguous if the token 
  is wrapped with the pseudo ASN.1 header.  
   
  John Linn wrote the original Kerberos Version 5 mechanism 
  specification [RFC-1964], of which some of the text has been retained
  in this document. 
   
9. Intellectual Property Statement 
 
   The IETF takes no position regarding the validity or scope of any 
   intellectual property or other rights that might be claimed to 
   pertain to the implementation or use of the technology described in 
   this document or the extent to which any license under such rights 
   might or might not be available; neither does it represent that it 
   has made any effort to identify any such rights.  Information on the 
   IETF's procedures with respect to rights in standards-track and 
   standards-related documentation can be found in BCP-11.  Copies of 
   claims of rights made available for publication and any assurances 
   of licenses to be made available, or the result of an attempt made 
   to obtain a general license or permission for the use of such 
   proprietary rights by implementers or users of this specification 
   can be obtained from the IETF Secretariat. 
    
   The IETF invites any interested party to bring to its attention any 
   copyrights, patents or patent applications, or other proprietary 
   rights which may cover technology that may be required to practice 
   this standard.  Please address the information to the IETF Executive 
   Director. 
   
10. References 
    
10.1. Normative References 
    
   [RFC-2026] Bradner, S., "The Internet Standards Process -- Revision 
   3", BCP 9, RFC 2026, October 1996.  
        
   [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate 
   Requirement Levels", BCP 14, RFC 2119, March 1997. 
    
   [RFC-2743] Linn, J., "Generic Security Service Application Program    
   Interface Version 2, Update 1", RFC 2743, January 2000. 
    
   [RFC-2744] Wray, J., "Generic Security Service API Version 2: C-
   bindings", RFC 2744, January 2000. 
    
   [RFC-1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",    
   RFC 1964, June 1996. 
    
Zhu                                                                 15 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
   [KCRYPTO] RFC-Editor: To be replaced by RFC number for draft-ietf-
   krb-wg-crypto.  Work in Progress. 
    
   [KRBCLAR] RFC-Editor: To be replaced by RFC number for draft-ietf-
   krb-wg-kerberos-clarifications.  Work in Progress. 
 
10.2. Informative References 
 
   [SSPI] Leach, P., "Security Service Provider Interface", Microsoft 
   Developer Network (MSDN), April 2003. 
    
   [AES-KRB5] RFC-Editor: To be replaced by RFC number for draft-
   raeburn-krb-rijndael-krb.  Work in Progress. 
    
   [RFC-2478] Baize, E., Pinkas D., "The Simple and Protected GSS-API 
   Negotiation Mechanism", RFC 2478, December 1998. 
    
11. Author's Address 
    
   Larry Zhu 
   One Microsoft Way 
   Redmond, WA 98052 - USA 
   EMail: LZhu@microsoft.com 
 
   Karthik Jaganathan 
   One Microsoft Way 
   Redmond, WA 98052 - USA 
   EMail: karthikj@microsoft.com 
 
   Sam Hartman 
   Massachusetts Institute of Technology 
   77 Massachusetts Avenue 
   Cambridge, MA 02139 - USA 
   Email: hartmans@MIT.EDU 



















Zhu                                                                 16 
DRAFT            Kerberos Version 5 GSS-API     Expires September 2004 
 
    
Full Copyright Statement 
    
   Copyright (C) The Internet Society (date). All Rights Reserved. 
    
   This document and translations of it may be copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph 
   are included on all such copies and derivative works.  However, this 
   document itself may not be modified in any way, such as by removing 
   the copyright notice or references to the Internet Society or other 
   Internet organizations, except as needed for the purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into languages other than 
   English. 
    
   The limited permissions granted above are perpetual and will not be 
   revoked by the Internet Society or its successors or assigns. 
    
   This document and the information contained herein is provided on an 
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
    


























Zhu                                                                 17