1NETWORK WORKING GROUP L. Zhu
2Internet-Draft Microsoft Corporation
3Expires: July 15, 2006 B. Tung
4 USC Information Sciences Institute
5 January 11, 2006
6
7
8 Public Key Cryptography for Initial Authentication in Kerberos
9 draft-ietf-cat-kerberos-pk-init-32
10
11Status of this Memo
12
13 By submitting this Internet-Draft, each author represents that any
14 applicable patent or other IPR claims of which he or she is aware
15 have been or will be disclosed, and any of which he or she becomes
16 aware will be disclosed, in accordance with Section 6 of BCP 79.
17
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as Internet-
21 Drafts.
22
23 Internet-Drafts are draft documents valid for a maximum of six months
24 and may be updated, replaced, or obsoleted by other documents at any
25 time. It is inappropriate to use Internet-Drafts as reference
26 material or to cite them other than as "work in progress."
27
28 The list of current Internet-Drafts can be accessed at
29 http://www.ietf.org/ietf/1id-abstracts.txt.
30
31 The list of Internet-Draft Shadow Directories can be accessed at
32 http://www.ietf.org/shadow.html.
33
34 This Internet-Draft will expire on July 15, 2006.
35
36Copyright Notice
37
38 Copyright (C) The Internet Society (2006).
39
40Abstract
41
42 This document describes protocol extensions (hereafter called PKINIT)
43 to the Kerberos protocol specification. These extensions provide a
44 method for integrating public key cryptography into the initial
45 authentication exchange, by using asymmetric-key signature and/or
46 encryption algorithms in pre-authentication data fields.
47
48
49
50
51
52Zhu & Tung Expires July 15, 2006 [Page 1]
53�
54Internet-Draft PKINIT January 2006
55
56
57Table of Contents
58
59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
60 2. Conventions Used in This Document . . . . . . . . . . . . . . 5
61 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
62 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6
63 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6
64 3.1.2. Defined Message and Encryption Types . . . . . . . . . 6
65 3.1.3. Algorithm Identifiers . . . . . . . . . . . . . . . . 7
66 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9
67 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9
68 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 13
69 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 17
70 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 24
71 3.3. Interoperability Requirements . . . . . . . . . . . . . . 25
72 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 26
73 4. Security Considerations . . . . . . . . . . . . . . . . . . . 26
74 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
75 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
76 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
77 7.1. Normative References . . . . . . . . . . . . . . . . . . . 29
78 7.2. Informative References . . . . . . . . . . . . . . . . . . 31
79 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 31
80 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 36
81 Appendix C. Miscellaneous Information about Microsoft Windows
82 PKINIT Implementations . . . . . . . . . . . . . . . 38
83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
84 Intellectual Property and Copyright Statements . . . . . . . . . . 41
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108Zhu & Tung Expires July 15, 2006 [Page 2]
109�
110Internet-Draft PKINIT January 2006
111
112
1131. Introduction
114
115 The Kerberos V5 protocol [RFC4120] involves use of a trusted third
116 party known as the Key Distribution Center (KDC) to negotiate shared
117 session keys between clients and services and provide mutual
118 authentication between them.
119
120 The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
121 A Ticket encapsulates a symmetric key (the ticket session key) in an
122 envelope (a public message) intended for a specific service. The
123 contents of the Ticket are encrypted with a symmetric key shared
124 between the service principal and the issuing KDC. The encrypted
125 part of the Ticket contains the client principal name, amongst other
126 items. An Authenticator is a record that can be shown to have been
127 recently generated using the ticket session key in the associated
128 Ticket. The ticket session key is known by the client who requested
129 the ticket. The contents of the Authenticator are encrypted with the
130 associated ticket session key. The encrypted part of an
131 Authenticator contains a timestamp and the client principal name,
132 amongst other items.
133
134 As shown in Figure 1 below, the Kerberos V5 protocol consists of the
135 following message exchanges between the client and the KDC, and the
136 client and the application service:
137
138 - The Authentication Service (AS) Exchange
139
140 The client obtains an "initial" ticket from the Kerberos
141 authentication server (AS), typically a Ticket Granting Ticket
142 (TGT). The AS-REQ message and the AS-REP message are the request
143 and the reply message respectively between the client and the AS.
144
145 - The Ticket Granting Service (TGS) Exchange
146
147 The client subsequently uses the TGT to authenticate and request a
148 service ticket for a particular service, from the Kerberos ticket-
149 granting server (TGS). The TGS-REQ message and the TGS-REP
150 message are the request and the reply message respectively between
151 the client and the TGS.
152
153 - The Client/Server Authentication Protocol (AP) Exchange
154
155 The client then makes a request with an AP-REQ message, consisting
156 of a service ticket and an authenticator that certifies the
157 client's possession of the ticket session key. The server may
158 optionally reply with an AP-REP message. AP exchanges typically
159 negotiate session specific symmetric keys.
160
161
162
163
164Zhu & Tung Expires July 15, 2006 [Page 3]
165�
166Internet-Draft PKINIT January 2006
167
168
169 Usually, the AS and TGS are integrated in a single device also known
170 as the KDC.
171
172 Figure 1: The Message Exchanges in the Kerberos V5 Protocol
173
174 +--------------+
175 +--------->| KDC |
176 AS-REQ / +-------| |
177 / / +--------------+
178 / / ^ |
179 / |AS-REP / |
180 | | / TGS-REQ + TGS-REP
181 | | / /
182 | | / /
183 | | / +---------+
184 | | / /
185 | | / /
186 | | / /
187 | v / v
188 ++-------+------+ +-----------------+
189 | Client +------------>| Application |
190 | | AP-REQ | Server |
191 | |<------------| |
192 +---------------+ AP-REP +-----------------+
193
194 In the AS exchange, the KDC reply contains the ticket session key,
195 amongst other items, that is encrypted using a key (the AS reply key)
196 shared between the client and the KDC. The AS reply key is typically
197 derived from the client's password for human users. Therefore for
198 human users the attack resistance strength of the Kerberos protocol
199 is no stronger than the strength of their passwords.
200
201 The use of asymmetric cryptography in the form of X.509 certificates
202 [RFC3280] is popular for facilitating non-repudiation and perfect
203 secrecy. An established Public Key Infrastructure (PKI) provides key
204 management and key distribution mechanisms that can be used to
205 establish authentication and secure communication. Adding public-key
206 cryptography to Kerberos provides a nice congruence to public-key
207 protocols, obviates the human users' burden to manage strong
208 passwords, and allows Kerberized applications to take advantage of
209 existing key services and identity management.
210
211 The advantage afforded by the Kerberos TGT is that the client exposes
212 his long-term secrets only once. The TGT and its associated session
213 key can then be used for any subsequent service ticket requests. One
214 result of this is that all further authentication is independent of
215 the method by which the initial authentication was performed.
216 Consequently, initial authentication provides a convenient place to
217
218
219
220Zhu & Tung Expires July 15, 2006 [Page 4]
221�
222Internet-Draft PKINIT January 2006
223
224
225 integrate public-key cryptography into Kerberos authentication. In
226 addition, the use of symmetric cryptography after the initial
227 exchange is preferred for performance.
228
229 This document describes the methods and data formats using which the
230 client and the KDC can use public and private key pairs to mutually
231 authenticate in the AS exchange and negotiate the AS reply key, known
232 only by the client and the KDC, to encrypt the AS-REP sent by the
233 KDC.
234
235
2362. Conventions Used in This Document
237
238 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
239 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
240 document are to be interpreted as described in [RFC2119].
241
242 In this protocol, both the client and the KDC have a public-private
243 key pair in order to prove their identities to each other over the
244 open network. The term "signature key" is used to refer to the
245 private key of the key pair being used.
246
247 The encryption key used to encrypt the enc-part field of the KDC-REP
248 in the AS-REP [RFC4120] is referred to as the AS reply key.
249
250 An empty sequence in an optional field can be either included or
251 omitted: both encodings are permitted and considered equivalent.
252
253 The term "Modular Exponential Diffie-Hellman" is used to refer to the
254 Diffie-Hellman key exchange as described in [RFC2631], in order to
255 differentiate it from other equivalent representations of the same
256 key agreement algorithm.
257
258
2593. Extensions
260
261 This section describes extensions to [RFC4120] for supporting the use
262 of public-key cryptography in the initial request for a ticket.
263
264 Briefly, this document defines the following extensions to [RFC4120]:
265
266 1. The client indicates the use of public-key authentication by
267 including a special preauthenticator in the initial request. This
268 preauthenticator contains the client's public-key data and a
269 signature.
270
271
272
273
274
275
276Zhu & Tung Expires July 15, 2006 [Page 5]
277�
278Internet-Draft PKINIT January 2006
279
280
281 2. The KDC tests the client's request against its authentication
282 policy and trusted Certification Authorities (CAs).
283
284 3. If the request passes the verification tests, the KDC replies as
285 usual, but the reply is encrypted using either:
286
287 a. a key generated through a Diffie-Hellman (DH) key exchange
288 [RFC2631] [IEEE1363] with the client, signed using the KDC's
289 signature key; or
290
291 b. a symmetric encryption key, signed using the KDC's signature
292 key and encrypted using the client's public key.
293
294 Any keying material required by the client to obtain the
295 encryption key for decrypting the KDC reply is returned in a pre-
296 authentication field accompanying the usual reply.
297
298 4. The client validates the KDC's signature, obtains the encryption
299 key, decrypts the reply, and then proceeds as usual.
300
301 Section 3.1 of this document enumerates the required algorithms and
302 necessary extension message types. Section 3.2 describes the
303 extension messages in greater detail.
304
3053.1. Definitions, Requirements, and Constants
306
3073.1.1. Required Algorithms
308
309 All PKINIT implementations MUST support the following algorithms:
310
311 o AS reply key enctype: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-
312 sha1-96 [RFC3962].
313
314 o Signature algorithm: sha-1WithRSAEncryption [RFC3279].
315
316 o AS reply key delivery method: Diffie-Hellman key exchange
317 [RFC2631].
318
319 In addition, implementations of this specification MUST be capable of
320 processing the Extended Key Usage (EKU) extension and the id-pkinit-
321 san (as defined in Section 3.2.2) otherName of the Subject
322 Alternative Name (SAN) extension in X.509 certificates [RFC3280], if
323 present.
324
3253.1.2. Defined Message and Encryption Types
326
327 PKINIT makes use of the following new pre-authentication types:
328
329
330
331
332Zhu & Tung Expires July 15, 2006 [Page 6]
333�
334Internet-Draft PKINIT January 2006
335
336
337 PA_PK_AS_REQ 16
338 PA_PK_AS_REP 17
339
340 PKINIT also makes use of the following new authorization data type:
341
342 AD_INITIAL_VERIFIED_CAS 9
343
344 PKINIT introduces the following new error codes:
345
346 KDC_ERR_CLIENT_NOT_TRUSTED 62
347 KDC_ERR_INVALID_SIG 64
348 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
349 KDC_ERR_CANT_VERIFY_CERTIFICATE 70
350 KDC_ERR_INVALID_CERTIFICATE 71
351 KDC_ERR_REVOKED_CERTIFICATE 72
352 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
353 KDC_ERR_CLIENT_NAME_MISMATCH 75
354 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77
355 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78
356 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79
357 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80
358
359 PKINIT uses the following typed data types for errors:
360
361 TD_TRUSTED_CERTIFIERS 104
362 TD_INVALID_CERTIFICATES 105
363 TD_DH_PARAMETERS 109
364
365 The ASN.1 module for all structures defined in this document (plus
366 IMPORT statements for all imported structures) is given in
367 Appendix A.
368
369 All structures defined in or imported into this document MUST be
370 encoded using Distinguished Encoding Rules (DER) [X680] [X690]
371 (unless otherwise noted). All data structures carried in OCTET
372 STRINGs must be encoded according to the rules specified in
373 corresponding specifications.
374
375 Interoperability note: Some implementations may not be able to decode
376 wrapped CMS objects encoded with BER; specifically, they may not be
377 able to decode indefinite length encodings. To maximize
378 interoperability, implementers SHOULD encode CMS objects used in
379 PKINIT with DER.
380
3813.1.3. Algorithm Identifiers
382
383 PKINIT does not define, but does make use of, the following algorithm
384 identifiers.
385
386
387
388Zhu & Tung Expires July 15, 2006 [Page 7]
389�
390Internet-Draft PKINIT January 2006
391
392
393 PKINIT uses the following algorithm identifier(s) for Modular
394 Exponential Diffie-Hellman key agreement [RFC2631] [RFC3279]:
395
396 dhpublicnumber (as described in [RFC3279])
397
398 PKINIT uses the following signature algorithm identifiers as defined
399 in [RFC3279]:
400
401 sha-1WithRSAEncryption (RSA with SHA1)
402 md5WithRSAEncryption (RSA with MD5)
403 id-dsa-with-sha1 (DSA with SHA1)
404
405 PKINIT uses the following encryption algorithm identifiers as defined
406 in [RFC3447] for encrypting the temporary key with a public key:
407
408 rsaEncryption
409 id-RSAES-OAEP
410
411 PKINIT uses the following algorithm identifiers [RFC3370] [RFC3565]
412 for encrypting the AS reply key with the temporary key:
413
414 des-ede3-cbc (three-key 3DES, CBC mode, as defined in [RFC3370])
415 rc2-cbc (RC2, CBC mode, as defined in [RFC3370])
416 id-aes256-CBC (AES-256, CBC mode, as defined in [RFC3565])
417
418 PKINIT defines the following encryption types, for use in the etype
419 field of the AS-REQ [RFC4120] message to indicate acceptance of the
420 corresponding algorithms that can used by Cryptographic Message
421 Syntax (CMS) [RFC3852] messages in the reply:
422
423 id-dsa-with-sha1-CmsOID 9
424 -- Indicates that the client supports id-dsa-with-sha1.
425 md5WithRSAEncryption-CmsOID 10
426 -- Indicates that the client supports md5WithRSAEncryption.
427 sha-1WithRSAEncryption-CmsOID 11
428 -- Indicates that the client supports sha-1WithRSAEncryption.
429 rc2-cbc-EnvOID 12
430 -- Indicates that the client supports rc2-cbc.
431 rsaEncryption-EnvOID 13
432 -- Indicates that the client supports rsaEncryption.
433 id-RSAES-OAEP-EnvOID 14
434 -- Indicates that the client supports id-RSAES-OAEP.
435 des-ede3-cbc-EnvOID 15
436 -- Indicates that the client supports des-ede3-cbc.
437
438
439
440
441
442
443
444Zhu & Tung Expires July 15, 2006 [Page 8]
445�
446Internet-Draft PKINIT January 2006
447
448
4493.2. PKINIT Pre-authentication Syntax and Use
450
451 This section defines the syntax and use of the various pre-
452 authentication fields employed by PKINIT.
453
4543.2.1. Generation of Client Request
455
456 The initial authentication request (AS-REQ) is sent as per [RFC4120];
457 in addition, a pre-authentication data element, whose padata-type is
458 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
459 type PA-PK-AS-REQ, is included.
460
461 PA-PK-AS-REQ ::= SEQUENCE {
462 signedAuthPack [0] IMPLICIT OCTET STRING,
463 -- Contains a CMS type ContentInfo encoded
464 -- according to [RFC3852].
465 -- The contentType field of the type ContentInfo
466 -- is id-signedData (1.2.840.113549.1.7.2),
467 -- and the content field is a SignedData.
468 -- The eContentType field for the type SignedData is
469 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
470 -- eContent field contains the DER encoding of the
471 -- type AuthPack.
472 -- AuthPack is defined below.
473 trustedCertifiers [1] SEQUENCE OF
474 ExternalPrincipalIdentifier OPTIONAL,
475 -- Contains a list of CAs, trusted by the client,
476 -- that can be used to certify the KDC.
477 -- Each ExternalPrincipalIdentifier identifies a CA
478 -- or a CA certificate (thereby its public key).
479 -- The information contained in the
480 -- trustedCertifiers SHOULD be used by the KDC as
481 -- hints to guide its selection of an appropriate
482 -- certificate chain to return to the client.
483 kdcPkId [2] IMPLICIT OCTET STRING
484 OPTIONAL,
485 -- Contains a CMS type SignerIdentifier encoded
486 -- according to [RFC3852].
487 -- Identifies, if present, a particular KDC
488 -- public key that the client already has.
489 ...
490 }
491
492 DHNonce ::= OCTET STRING
493
494 ExternalPrincipalIdentifier ::= SEQUENCE {
495 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
496 -- Contains a PKIX type Name encoded according to
497
498
499
500Zhu & Tung Expires July 15, 2006 [Page 9]
501�
502Internet-Draft PKINIT January 2006
503
504
505 -- [RFC3280].
506 -- Identifies the certificate subject by the
507 -- distinguished subject name.
508 -- REQUIRED when there is a distinguished subject
509 -- name present in the certificate.
510 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
511 -- Contains a CMS type IssuerAndSerialNumber encoded
512 -- according to [RFC3852].
513 -- Identifies a certificate of the subject.
514 -- REQUIRED for TD-INVALID-CERTIFICATES and
515 -- TD-TRUSTED-CERTIFIERS.
516 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
517 -- Identifies the subject's public key by a key
518 -- identifier. When an X.509 certificate is
519 -- referenced, this key identifier matches the X.509
520 -- subjectKeyIdentifier extension value. When other
521 -- certificate formats are referenced, the documents
522 -- that specify the certificate format and their use
523 -- with the CMS must include details on matching the
524 -- key identifier to the appropriate certificate
525 -- field.
526 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
527 ...
528 }
529
530 AuthPack ::= SEQUENCE {
531 pkAuthenticator [0] PKAuthenticator,
532 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
533 -- Type SubjectPublicKeyInfo is defined in
534 -- [RFC3280].
535 -- Specifies Diffie-Hellman domain parameters
536 -- and the client's public key value [IEEE1363].
537 -- The DH public key value is encoded as a BIT
538 -- STRING according to [RFC3279].
539 -- This field is present only if the client wishes
540 -- to use the Diffie-Hellman key agreement method.
541 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
542 OPTIONAL,
543 -- Type AlgorithmIdentifier is defined in
544 -- [RFC3280].
545 -- List of CMS encryption types supported by the
546 -- client in order of (decreasing) preference.
547 clientDHNonce [3] DHNonce OPTIONAL,
548 -- Present only if the client indicates that it
549 -- wishes to reuse DH keys or to allow the KDC to
550 -- do so (see Section 3.2.3.1).
551 ...
552 }
553
554
555
556Zhu & Tung Expires July 15, 2006 [Page 10]
557�
558Internet-Draft PKINIT January 2006
559
560
561 PKAuthenticator ::= SEQUENCE {
562 cusec [0] INTEGER (0..999999),
563 ctime [1] KerberosTime,
564 -- cusec and ctime are used as in [RFC4120], for
565 -- replay prevention.
566 nonce [2] INTEGER (0..4294967295),
567 -- Chosen randomly; This nonce does not need to
568 -- match with the nonce in the KDC-REQ-BODY.
569 paChecksum [3] OCTET STRING OPTIONAL,
570 -- MUST be present.
571 -- Contains the SHA1 checksum, performed over
572 -- KDC-REQ-BODY.
573 ...
574 }
575
576 The ContentInfo [RFC3852] structure contained in the signedAuthPack
577 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and
578 is filled out as follows:
579
580 1. The contentType field of the type ContentInfo is id-signedData
581 (as defined in [RFC3852]), and the content field is a SignedData
582 (as defined in [RFC3852]).
583
584 2. The eContentType field for the type SignedData is id-pkinit-
585 authData: { iso(1) org(3) dod(6) internet(1) security(5)
586 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS
587 implementers: the signed attribute content-type MUST be present
588 in this SignedData instance and its value is id-pkinit-authData
589 according to [RFC3852].
590
591 3. The eContent field for the type SignedData contains the DER
592 encoding of the type AuthPack.
593
594 4. The signerInfos field of the type SignedData contains a single
595 signerInfo, which contains the signature over the type AuthPack.
596
597 5. The AuthPack structure contains a PKAuthenticator, the client
598 public key information, the CMS encryption types supported by the
599 client and a DHNonce. The pkAuthenticator field certifies to the
600 KDC that the client has recent knowledge of the signing key that
601 authenticates the client. The clientPublicValue field specifies
602 Diffie-Hellman domain parameters and the client's public key
603 value. The DH public key value is encoded as a BIT STRING
604 according to [RFC3279]. The clientPublicValue field is present
605 only if the client wishes to use the Diffie-Hellman key agreement
606 method. The supportedCMSTypes field specifies the list of CMS
607 encryption types supported by the client in order of (decreasing)
608 preference. The clientDHNonce field is described later in this
609
610
611
612Zhu & Tung Expires July 15, 2006 [Page 11]
613�
614Internet-Draft PKINIT January 2006
615
616
617 section.
618
619 6. The ctime field in the PKAuthenticator structure contains the
620 current time on the client's host, and the cusec field contains
621 the microsecond part of the client's timestamp. The ctime and
622 cusec fields are used together to specify a reasonably accurate
623 timestamp [RFC4120]. The nonce field is chosen randomly. The
624 paChecksum field MUST be present and it contains a SHA1 checksum
625 that is performed over the KDC-REQ-BODY [RFC4120]. In order to
626 ease future migration from the use of SHA1, the paChecksum field
627 is made optional syntactically: when the request is extended to
628 negotiate hash algorithms, the new client wishing not to use SHA1
629 will send the request in the extended message syntax without the
630 paChecksum field. The KDC conforming to this specification MUST
631 return a KRB-ERROR [RFC4120] message with the code
632 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (see Section 3.2.3). That
633 will allow a new client to retry with SHA1 if allowed by the
634 local policy.
635
636 7. The certificates field of the type SignedData contains
637 certificates intended to facilitate certification path
638 construction, so that the KDC can verify the signature over the
639 type AuthPack. For path validation, these certificates SHOULD be
640 sufficient to construct at least one certification path from the
641 client certificate to one trust anchor acceptable by the KDC
642 [RFC4158]. The client MUST be capable of including such a set of
643 certificates if configured to do so. The certificates field MUST
644 NOT contain "root" CA certificates.
645
646 8. The client's Diffie-Hellman public value (clientPublicValue) is
647 included if and only if the client wishes to use the Diffie-
648 Hellman key agreement method. The Diffie-Hellman domain
649 parameters [IEEE1363] for the client's public key are specified
650 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279]
651 and the client's Diffie-Hellman public key value is mapped to a
652 subjectPublicKey (a BIT STRING) according to [RFC3279]. When
653 using the Diffie-Hellman key agreement method, implementations
654 MUST support Oakley 1024-bit Modular Exponential (MODP) well-
655 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group
656 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known
657 group 16 [RFC3526].
658
659 The Diffie-Hellman field size should be chosen so as to provide
660 sufficient cryptographic security [RFC3766].
661
662 When MODP Diffie-Hellman is used, the exponents should have at
663 least twice as many bits as the symmetric keys that will be
664 derived from them [ODL99].
665
666
667
668Zhu & Tung Expires July 15, 2006 [Page 12]
669�
670Internet-Draft PKINIT January 2006
671
672
673 9. The client may wish to reuse DH keys or to allow the KDC to do so
674 (see Section 3.2.3.1). If so, then the client includes the
675 clientDHNonce field. This nonce string MUST be as long as the
676 longest key length of the symmetric key types that the client
677 supports. This nonce MUST be chosen randomly.
678
679 The ExternalPrincipalIdentifier structure is used in this document to
680 identify the subject's public key thereby the subject principal.
681 This structure is filled out as follows:
682
683 1. The subjectName field contains a PKIX type Name encoded according
684 to [RFC3280]. This field identifies the certificate subject by
685 the distinguished subject name. This field is REQUIRED when
686 there is a distinguished subject name present in the certificate
687 being used.
688
689 2. The issuerAndSerialNumber field contains a CMS type
690 IssuerAndSerialNumber encoded according to [RFC3852]. This field
691 identifies a certificate of the subject. This field is REQUIRED
692 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both
693 structures are defined in Section 3.2.2).
694
695 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's
696 public key by a key identifier. When an X.509 certificate is
697 referenced, this key identifier matches the X.509
698 subjectKeyIdentifier extension value. When other certificate
699 formats are referenced, the documents that specify the
700 certificate format and their use with the CMS must include
701 details on matching the key identifier to the appropriate
702 certificate field. This field is RECOMMENDED for TD-TRUSTED-
703 CERTIFIERS (as defined in Section 3.2.2).
704
705 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
706 of CAs, trusted by the client, that can be used to certify the KDC.
707 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
708 (thereby its public key).
709
710 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
711 SignerIdentifier encoded according to [RFC3852]. This field
712 identifies, if present, a particular KDC public key that the client
713 already has.
714
7153.2.2. Receipt of Client Request
716
717 Upon receiving the client's request, the KDC validates it. This
718 section describes the steps that the KDC MUST (unless otherwise
719 noted) take in validating the request.
720
721
722
723
724Zhu & Tung Expires July 15, 2006 [Page 13]
725�
726Internet-Draft PKINIT January 2006
727
728
729 The KDC verifies the client's signature in the signedAuthPack field
730 according to [RFC3852].
731
732 If, while validating the client's X.509 certificate [RFC3280], the
733 KDC cannot build a certification path to validate the client's
734 certificate, it sends back a KRB-ERROR [RFC4120] message with the
735 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for
736 this error message is a TYPED-DATA (as defined in [RFC4120]) that
737 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and
738 whose data-value contains the DER encoding of the type TD-TRUSTED-
739 CERTIFIERS:
740
741 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
742 ExternalPrincipalIdentifier
743 -- Identifies a list of CAs trusted by the KDC.
744 -- Each ExternalPrincipalIdentifier identifies a CA
745 -- or a CA certificate (thereby its public key).
746
747 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
748 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
749 (thereby its public key) trusted by the KDC.
750
751 Upon receiving this error message, the client SHOULD retry only if it
752 has a different set of certificates (from those of the previous
753 requests) that form a certification path (or a partial path) from one
754 of the trust anchors acceptable by the KDC to its own certificate.
755
756 If, while processing the certification path, the KDC determines that
757 the signature on one of the certificates in the signedAuthPack field
758 is invalid, it returns a KRB-ERROR [RFC4120] message with the code
759 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error
760 message is a TYPED-DATA that contains an element whose data-type is
761 TD_INVALID_CERTIFICATES, and whose data-value contains the DER
762 encoding of the type TD-INVALID-CERTIFICATES:
763
764 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
765 ExternalPrincipalIdentifier
766 -- Each ExternalPrincipalIdentifier identifies a
767 -- certificate (sent by the client) with an invalid
768 -- signature.
769
770 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
771 TD-INVALID-CERTIFICATES structure identifies a certificate (that was
772 sent by the client) with an invalid signature.
773
774 If more than one X.509 certificate signature is invalid, the KDC MAY
775 include one IssuerAndSerialNumber per invalid signature within the
776 TD-INVALID-CERTIFICATES.
777
778
779
780Zhu & Tung Expires July 15, 2006 [Page 14]
781�
782Internet-Draft PKINIT January 2006
783
784
785 The client's X.509 certificate is validated according to [RFC3280].
786
787 Based on local policy, the KDC may also check whether any X.509
788 certificates in the certification path validating the client's
789 certificate have been revoked. If any of them have been revoked, the
790 KDC MUST return an error message with the code
791 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the
792 revocation status but is unable to do so, it SHOULD return an error
793 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The
794 certificate or certificates affected are identified exactly as for
795 the error code KDC_ERR_INVALID_CERTIFICATE (see above).
796
797 Note that the TD_INVALID_CERTIFICATES error data is only used to
798 identify invalid certificates sent by the client in the request.
799
800 The client's public key is then used to verify the signature. If the
801 signature fails to verify, the KDC MUST return an error message with
802 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for
803 this error message.
804
805 In addition to validating the client's signature, the KDC MUST also
806 check that the client's public key used to verify the client's
807 signature is bound to the client's principal name as specified in the
808 AS-REQ as follows:
809
810 1. If the KDC has its own binding between either the client's
811 signature-verification public key or the client's certificate and
812 the client's Kerberos principal name, it uses that binding.
813
814 2. Otherwise, if the client's X.509 certificate contains a Subject
815 Alternative Name (SAN) extension carrying a KRB5PrincipalName
816 (defined below) in the otherName field of the type GeneralName
817 [RFC3280], it binds the client's X.509 certificate to that name.
818
819 The type of the otherName field is AnotherName. The type-id field
820 of the type AnotherName is id-pkinit-san:
821
822 id-pkinit-san OBJECT IDENTIFIER ::=
823 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
824 x509SanAN (2) }
825
826 And the value field of the type AnotherName is a
827 KRB5PrincipalName.
828
829 KRB5PrincipalName ::= SEQUENCE {
830 realm [0] Realm,
831 principalName [1] PrincipalName
832 }
833
834
835
836Zhu & Tung Expires July 15, 2006 [Page 15]
837�
838Internet-Draft PKINIT January 2006
839
840
841 If the KDC does not have its own binding and there is no
842 KRB5PrincipalName name present in the client's X.509 certificate, or
843 if the Kerberos name in the request does not match the
844 KRB5PrincipalName in the client's X.509 certificate (including the
845 realm name), the KDC MUST return an error message with the code
846 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for
847 this error message.
848
849 Even if the certification path is validated and the certificate is
850 mapped to the client's principal name, the KDC may decide not to
851 accept the client's certificate, depending on local policy.
852
853 The KDC MAY require the presence of an Extended Key Usage (EKU)
854 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field
855 of the client's X.509 certificate:
856
857 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::=
858 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
859 pkinit(3) keyPurposeClientAuth(4) }
860 -- PKINIT client authentication.
861 -- Key usage bits that MUST be consistent:
862 -- digitalSignature.
863
864 The digitalSignature key usage bit [RFC3280] MUST be asserted when
865 the intended purpose of the client's X.509 certificate is restricted
866 with the id-pkinit-KPClientAuth EKU.
867
868 If this EKU KeyPurposeId is required but it is not present or if the
869 client certificate is restricted not to be used for PKINIT client
870 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return
871 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There
872 is no accompanying e-data for this error message. KDCs implementing
873 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc-
874 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there
875 are a large number of X.509 client certificates deployed for use with
876 PKINIT which have this EKU.
877
878 As a matter of local policy, the KDC MAY decide to reject requests on
879 the basis of the absence or presence of other specific EKU OID's.
880
881 If the digest algorithm used in generating the CA signature for the
882 public key in any certificate of the request is not acceptable by the
883 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code
884 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be
885 encoded in TYPED-DATA although none is defined at this point.
886
887 If the client's public key is not accepted with reasons other than
888 what were specified above, the KDC returns a KRB-ERROR [RFC4120]
889
890
891
892Zhu & Tung Expires July 15, 2006 [Page 16]
893�
894Internet-Draft PKINIT January 2006
895
896
897 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no
898 accompanying e-data currently defined for this error message.
899
900 The KDC MUST check the timestamp to ensure that the request is not a
901 replay, and that the time skew falls within acceptable limits. The
902 recommendations for clock skew times in [RFC4120] apply here. If the
903 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or
904 KRB_AP_ERR_SKEW, respectively.
905
906 If the clientPublicValue is filled in, indicating that the client
907 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD
908 check to see if the key parameters satisfy its policy. If they do
909 not, it MUST return an error message with the code
910 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a
911 TYPED-DATA that contains an element whose data-type is
912 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of
913 the type TD-DH-PARAMETERS:
914
915 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
916 -- Each AlgorithmIdentifier specifies a set of
917 -- Diffie-Hellman domain parameters [IEEE1363].
918 -- This list is in decreasing preference order.
919
920 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters
921 that the KDC supports in decreasing preference order, from which the
922 client SHOULD pick one to retry the request.
923
924 The AlgorithmIdentifier structure is defined in [RFC3280] and is
925 filled in according to [RFC3279]. More specifically Section 2.3.3 of
926 [RFC3279] describes how to fill in the AlgorithmIdentifier structure
927 in the case where MODP Diffie-Hellman key exchange is used.
928
929 If the client included a kdcPkId field in the PA-PK-AS-REQ and the
930 KDC does not possess the corresponding key, the KDC MUST ignore the
931 kdcPkId field as if the client did not include one.
932
933 If the digest algorithm used by the id-pkinit-authData is not
934 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120]
935 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
936 The accompanying e-data MUST be encoded in TYPED-DATA although none
937 is defined at this point.
938
9393.2.3. Generation of KDC Reply
940
941 If the paChecksum filed in the request is not present, the KDC
942 conforming to this specification MUST return a KRB-ERROR [RFC4120]
943 message with the code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. The
944 accompanying e-data MUST be encoded in TYPED-DATA (no error data is
945
946
947
948Zhu & Tung Expires July 15, 2006 [Page 17]
949�
950Internet-Draft PKINIT January 2006
951
952
953 defined by this specification).
954
955 Assuming that the client's request has been properly validated, the
956 KDC proceeds as per [RFC4120], except as follows.
957
958 The KDC MUST set the initial flag and include an authorization data
959 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued
960 ticket. The ad-data [RFC4120] field contains the DER encoding of the
961 type AD-INITIAL-VERIFIED-CAS:
962
963 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
964 ExternalPrincipalIdentifier
965 -- Identifies the certification path based on which
966 -- the client certificate was validated.
967 -- Each ExternalPrincipalIdentifier identifies a CA
968 -- or a CA certificate (thereby its public key).
969
970 The AD-INITIAL-VERIFIED-CAS structure identifies the certification
971 path based on which the client certificate was validated. Each
972 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
973 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
974 (thereby its public key).
975
976 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
977 containers if the list of CAs satisfies the AS' realm's local policy
978 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag
979 [RFC4120]). Furthermore, any TGS MUST copy such authorization data
980 from tickets used within a PA-TGS-REQ of the TGS-REQ into the
981 resulting ticket. If the list of CAs satisfies the local KDC's
982 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT
983 container, otherwise it MAY unwrap the authorization data out of the
984 AD-IF-RELEVANT container.
985
986 Application servers that understand this authorization data type
987 SHOULD apply local policy to determine whether a given ticket bearing
988 such a type *not* contained within an AD-IF-RELEVANT container is
989 acceptable. (This corresponds to the AP server checking the
990 transited field when the TRANSITED-POLICY-CHECKED flag has not been
991 set [RFC4120].) If such a data type is contained within an AD-IF-
992 RELEVANT container, AP servers MAY apply local policy to determine
993 whether the authorization data is acceptable.
994
995 A pre-authentication data element, whose padata-type is PA_PK_AS_REP
996 and whose padata-value contains the DER encoding of the type PA-PK-
997 AS-REP (defined below), is included in the AS-REP [RFC4120].
998
999 PA-PK-AS-REP ::= CHOICE {
1000 dhInfo [0] DHRepInfo,
1001
1002
1003
1004Zhu & Tung Expires July 15, 2006 [Page 18]
1005�
1006Internet-Draft PKINIT January 2006
1007
1008
1009 -- Selected when Diffie-Hellman key exchange is
1010 -- used.
1011 encKeyPack [1] IMPLICIT OCTET STRING,
1012 -- Selected when public key encryption is used.
1013 -- Contains a CMS type ContentInfo encoded
1014 -- according to [RFC3852].
1015 -- The contentType field of the type ContentInfo is
1016 -- id-envelopedData (1.2.840.113549.1.7.3).
1017 -- The content field is an EnvelopedData.
1018 -- The contentType field for the type EnvelopedData
1019 -- is id-signedData (1.2.840.113549.1.7.2).
1020 -- The eContentType field for the inner type
1021 -- SignedData (when unencrypted) is
1022 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1023 -- eContent field contains the DER encoding of the
1024 -- type ReplyKeyPack.
1025 -- ReplyKeyPack is defined in Section 3.2.3.2.
1026 ...
1027 }
1028
1029 DHRepInfo ::= SEQUENCE {
1030 dhSignedData [0] IMPLICIT OCTET STRING,
1031 -- Contains a CMS type ContentInfo encoded according
1032 -- to [RFC3852].
1033 -- The contentType field of the type ContentInfo is
1034 -- id-signedData (1.2.840.113549.1.7.2), and the
1035 -- content field is a SignedData.
1036 -- The eContentType field for the type SignedData is
1037 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
1038 -- eContent field contains the DER encoding of the
1039 -- type KDCDHKeyInfo.
1040 -- KDCDHKeyInfo is defined below.
1041 serverDHNonce [1] DHNonce OPTIONAL,
1042 -- Present if and only if dhKeyExpiration is
1043 -- present in the KDCDHKeyInfo.
1044 ...
1045 }
1046
1047 KDCDHKeyInfo ::= SEQUENCE {
1048 subjectPublicKey [0] BIT STRING,
1049 -- The KDC's DH public key.
1050 -- The DH public key value is encoded as a BIT
1051 -- STRING according to [RFC3279].
1052 nonce [1] INTEGER (0..4294967295),
1053 -- Contains the nonce in the pkAuthenticator field
1054 -- in the request if the DH keys are NOT reused,
1055 -- 0 otherwise.
1056 dhKeyExpiration [2] KerberosTime OPTIONAL,
1057
1058
1059
1060Zhu & Tung Expires July 15, 2006 [Page 19]
1061�
1062Internet-Draft PKINIT January 2006
1063
1064
1065 -- Expiration time for KDC's key pair,
1066 -- present if and only if the DH keys are reused.
1067 -- If present, the KDC's DH public key MUST not be
1068 -- used past the point of this expiration time.
1069 -- If this field is omitted then the serverDHNonce
1070 -- field MUST also be omitted.
1071 ...
1072 }
1073
1074 The content of the AS-REP is otherwise unchanged from [RFC4120]. The
1075 KDC encrypts the reply as usual, but not with the client's long-term
1076 key. Instead, it encrypts it with either a shared key derived from a
1077 Diffie-Hellman exchange, or a generated encryption key. The contents
1078 of the PA-PK-AS-REP indicate which key delivery method is used.
1079
1080 In addition, the lifetime of the ticket returned by the KDC MUST NOT
1081 exceed that of the client's public-private key pair. The ticket
1082 lifetime, however, can be shorter than that of the client's public-
1083 private key pair. For the implementations of this specification, the
1084 lifetime of the client's public-private key pair is the validity
1085 period in X.509 certificates [RFC3280], unless configured otherwise.
1086
10873.2.3.1. Using Diffie-Hellman Key Exchange
1088
1089 In this case, the PA-PK-AS-REP contains a DHRepInfo structure.
1090
1091 The ContentInfo [RFC3852] structure for the dhSignedData field is
1092 filled in as follows:
1093
1094 1. The contentType field of the type ContentInfo is id-signedData
1095 (as defined in [RFC3852]), and the content field is a SignedData
1096 (as defined in [RFC3852]).
1097
1098 2. The eContentType field for the type SignedData is the OID value
1099 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1)
1100 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS
1101 implementers: the signed attribute content-type MUST be present
1102 in this SignedData instance and its value is id-pkinit-DHKeyData
1103 according to [RFC3852].
1104
1105 3. The eContent field for the type SignedData contains the DER
1106 encoding of the type KDCDHKeyInfo.
1107
1108 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce
1109 and optionally the expiration time of the KDC's DH key being
1110 reused. The subjectPublicKey field of the type KDCDHKeyInfo
1111 field identifies KDC's DH public key. This DH public key value
1112 is encoded as a BIT STRING according to [RFC3279]. The nonce
1113
1114
1115
1116Zhu & Tung Expires July 15, 2006 [Page 20]
1117�
1118Internet-Draft PKINIT January 2006
1119
1120
1121 field contains the nonce in the pkAuthenticator field in the
1122 request if the DH keys are NOT reused. The value of this nonce
1123 field is 0 if the DH keys are reused. The dhKeyExpiration field
1124 is present if and only if the DH keys are reused. If the
1125 dhKeyExpiration field is present, the KDC's public key in this
1126 KDCDHKeyInfo structure MUST NOT be used past the point of this
1127 expiration time. If this field is omitted then the serverDHNonce
1128 field MUST also be omitted.
1129
1130 5. The signerInfos field of the type SignedData contains a single
1131 signerInfo, which contains the signature over the type
1132 KDCDHKeyInfo.
1133
1134 6. The certificates field of the type SignedData contains
1135 certificates intended to facilitate certification path
1136 construction, so that the client can verify the KDC's signature
1137 over the type KDCDHKeyInfo. The information contained in the
1138 trustedCertifiers in the request SHOULD be used by the KDC as
1139 hints to guide its selection of an appropriate certificate chain
1140 to return to the client. This field may be left empty if the KDC
1141 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1142 used for signing. Otherwise, for path validation, these
1143 certificates SHOULD be sufficient to construct at least one
1144 certification path from the KDC certificate to one trust anchor
1145 acceptable by the client [RFC4158]. The KDC MUST be capable of
1146 including such a set of certificates if configured to do so. The
1147 certificates field MUST NOT contain "root" CA certificates.
1148
1149 7. If the client included the clientDHNonce field, then the KDC may
1150 choose to reuse its DH keys. If the server reuses DH keys then
1151 it MUST include an expiration time in the dhKeyExpiration field.
1152 Past the point of the expiration time, the signature over the
1153 type DHRepInfo is considered expired/invalid. When the server
1154 reuses DH keys then it MUST include a serverDHNonce at least as
1155 long as the length of keys for the symmetric encryption system
1156 used to encrypt the AS reply. Note that including the
1157 serverDHNonce changes how the client and server calculate the key
1158 to use to encrypt the reply; see below for details. The KDC
1159 SHOULD NOT reuse DH keys unless the clientDHNonce field is
1160 present in the request.
1161
1162 The AS reply key is derived as follows:
1163
1164 1. Both the KDC and the client calculate the shared secret value as
1165 follows:
1166
1167
1168
1169
1170
1171
1172Zhu & Tung Expires July 15, 2006 [Page 21]
1173�
1174Internet-Draft PKINIT January 2006
1175
1176
1177
1178 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the
1179 shared secret value. DHSharedSecret is the value ZZ as
1180 described in Section 2.1.1 of [RFC2631].
1181
1182 DHSharedSecret is first padded with leading zeros such that the
1183 size of DHSharedSecret in octets is the same as that of the
1184 modulus, then represented as a string of octets in big-endian
1185 order.
1186
1187 Implementation note: Both the client and the KDC can cache the
1188 triple (ya, yb, DHSharedSecret), where ya is the client's public
1189 key and yb is the KDC's public key. If both ya and yb are the
1190 same in a later exchange, the cached DHSharedSecret can be used.
1191
1192 2. Let K be the key-generation seed length [RFC3961] of the AS reply
1193 key whose enctype is selected according to [RFC4120].
1194
1195 3. Define the function octetstring2key() as follows:
1196
1197 octetstring2key(x) == random-to-key(K-truncate(
1198 SHA1(0x00 | x) |
1199 SHA1(0x01 | x) |
1200 SHA1(0x02 | x) |
1201 ...
1202 ))
1203
1204 where x is an octet string; | is the concatenation operator; 0x00,
1205 0x01, 0x02, etc., are each represented as a single octet; random-
1206 to-key() is an operation that generates a protocol key from a
1207 bitstring of length K; and K-truncate truncates its input to the
1208 first K bits. Both K and random-to-key() are as defined in the
1209 kcrypto profile [RFC3961] for the enctype of the AS reply key.
1210
1211 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be
1212 the serverDHNonce; otherwise, let both n_c and n_k be empty octet
1213 strings.
1214
1215 5. The AS reply key k is:
1216
1217 k = octetstring2key(DHSharedSecret | n_c | n_k)
1218
12193.2.3.2. Using Public Key Encryption
1220
1221 In this case, the PA-PK-AS-REP contains the encKeyPack field where
1222 the AS reply key is encrypted.
1223
1224 The ContentInfo [RFC3852] structure for the encKeyPack field is
1225
1226
1227
1228Zhu & Tung Expires July 15, 2006 [Page 22]
1229�
1230Internet-Draft PKINIT January 2006
1231
1232
1233 filled in as follows:
1234
1235 1. The contentType field of the type ContentInfo is id-envelopedData
1236 (as defined in [RFC3852]), and the content field is an
1237 EnvelopedData (as defined in [RFC3852]).
1238
1239 2. The contentType field for the type EnvelopedData is id-
1240 signedData: { iso (1) member-body (2) us (840) rsadsi (113549)
1241 pkcs (1) pkcs7 (7) signedData (2) }.
1242
1243 3. The eContentType field for the inner type SignedData (when
1244 decrypted from the encryptedContent field for the type
1245 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6)
1246 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }.
1247 Notes to CMS implementers: the signed attribute content-type MUST
1248 be present in this SignedData instance and its value is id-
1249 pkinit-rkeyData according to [RFC3852].
1250
1251 4. The eContent field for the inner type SignedData contains the DER
1252 encoding of the type ReplyKeyPack (as described below).
1253
1254 5. The signerInfos field of the inner type SignedData contains a
1255 single signerInfo, which contains the signature for the type
1256 ReplyKeyPack.
1257
1258 6. The certificates field of the inner type SignedData contains
1259 certificates intended to facilitate certification path
1260 construction, so that the client can verify the KDC's signature
1261 for the type ReplyKeyPack. The information contained in the
1262 trustedCertifiers in the request SHOULD be used by the KDC as
1263 hints to guide its selection of an appropriate certificate chain
1264 to return to the client. This field may be left empty if the KDC
1265 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1266 used for signing. Otherwise, for path validation, these
1267 certificates SHOULD be sufficient to construct at least one
1268 certification path from the KDC certificate to one trust anchor
1269 acceptable by the client [RFC4158]. The KDC MUST be capable of
1270 including such a set of certificates if configured to do so. The
1271 certificates field MUST NOT contain "root" CA certificates.
1272
1273 7. The recipientInfos field of the type EnvelopedData is a SET which
1274 MUST contain exactly one member of type KeyTransRecipientInfo.
1275 The encryptedKey of this member contains the temporary key which
1276 is encrypted using the client's public key.
1277
1278 8. The unprotectedAttrs or originatorInfo fields of the type
1279 EnvelopedData MAY be present.
1280
1281
1282
1283
1284Zhu & Tung Expires July 15, 2006 [Page 23]
1285�
1286Internet-Draft PKINIT January 2006
1287
1288
1289 If there is a supportedCMSTypes field in the AuthPack, the KDC must
1290 check to see if it supports any of the listed types. If it supports
1291 more than one of the types, the KDC SHOULD use the one listed first.
1292 If it does not support any of them, it MUST return an error message
1293 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120].
1294
1295 Furthermore the KDC computes the checksum of the AS-REQ in the client
1296 request. This checksum is performed over the type AS-REQ and the
1297 protocol key [RFC3961] of the checksum operation is the replyKey and
1298 the key usage number is 6. If the replyKey's enctype is "newer"
1299 [RFC4120] [RFC4121], the checksum operation is the required checksum
1300 operation [RFC3961] of that enctype.
1301
1302 ReplyKeyPack ::= SEQUENCE {
1303 replyKey [0] EncryptionKey,
1304 -- Contains the session key used to encrypt the
1305 -- enc-part field in the AS-REP, i.e. the
1306 -- AS reply key.
1307 asChecksum [1] Checksum,
1308 -- Contains the checksum of the AS-REQ
1309 -- corresponding to the containing AS-REP.
1310 -- The checksum is performed over the type AS-REQ.
1311 -- The protocol key [RFC3961] of the checksum is the
1312 -- replyKey and the key usage number is 6.
1313 -- If the replyKey's enctype is "newer" [RFC4120]
1314 -- [RFC4121], the checksum is the required
1315 -- checksum operation [RFC3961] for that enctype.
1316 -- The client MUST verify this checksum upon receipt
1317 -- of the AS-REP.
1318 ...
1319 }
1320
1321 Implementations of this RSA encryption key delivery method are
1322 RECOMMENDED to support RSA keys at least 2048 bits in size.
1323
13243.2.4. Receipt of KDC Reply
1325
1326 Upon receipt of the KDC's reply, the client proceeds as follows. If
1327 the PA-PK-AS-REP contains the dhSignedData field, the client derives
1328 the AS reply key using the same procedure used by the KDC as defined
1329 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack
1330 field, and the client decrypts and extracts the temporary key in the
1331 encryptedKey field of the member KeyTransRecipientInfo, and then uses
1332 that as the AS reply key.
1333
1334 If the public key encryption method is used, the client MUST verify
1335 the asChecksum contained in the ReplyKeyPack.
1336
1337
1338
1339
1340Zhu & Tung Expires July 15, 2006 [Page 24]
1341�
1342Internet-Draft PKINIT January 2006
1343
1344
1345 In either case, the client MUST verify the signature in the
1346 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST
1347 be validated according to [RFC3280]. In addition, unless the client
1348 can otherwise verify that the public key used to verify the KDC's
1349 signature is bound to the KDC of the target realm, the KDC's X.509
1350 certificate MUST contain a Subject Alternative Name extension
1351 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as
1352 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that
1353 matches the name of the TGS of the target realm (as defined in
1354 Section 7.3 of [RFC4120]).
1355
1356 Unless the client knows by some other means that the KDC certificate
1357 is intended for a Kerberos KDC, the client MUST require that the KDC
1358 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc:
1359
1360 id-pkinit-KPKdc OBJECT IDENTIFIER ::=
1361 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1362 pkinit(3) keyPurposeKdc(5) }
1363 -- Signing KDC responses.
1364 -- Key usage bits that MUST be consistent:
1365 -- digitalSignature.
1366
1367 The digitalSignature key usage bit [RFC3280] MUST be asserted when
1368 the intended purpose of the KDC's X.509 certificate is restricted
1369 with the id-pkinit-KPKdc EKU.
1370
1371 If the KDC certificate contains the Kerberos TGS name encoded as an
1372 id-pkinit-san SAN, this certificate is certified by the issuing CA as
1373 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required.
1374
1375 If all applicable checks are satisfied, the client then decrypts the
1376 enc-part field of the KDC-REP in the AS-REP using the AS reply key,
1377 and then proceeds as described in [RFC4120].
1378
1379 Implementation note: CAs issuing KDC certificates SHOULD place all
1380 "short" and "fully-qualified" Kerberos realm names of the KDC (one
1381 per GeneralName [RFC3280]) into the KDC certificate to allow maximum
1382 flexibility.
1383
13843.3. Interoperability Requirements
1385
1386 The client MUST be capable of sending a set of certificates
1387 sufficient to allow the KDC to construct a certification path for the
1388 client's certificate, if the correct set of certificates is provided
1389 through configuration or policy.
1390
1391 If the client sends all the X.509 certificates on a certification
1392 path to a trust anchor acceptable by the KDC, and the KDC can not
1393
1394
1395
1396Zhu & Tung Expires July 15, 2006 [Page 25]
1397�
1398Internet-Draft PKINIT January 2006
1399
1400
1401 verify the client's public key otherwise, the KDC MUST be able to
1402 process path validation for the client's certificate based on the
1403 certificates in the request.
1404
1405 The KDC MUST be capable of sending a set of certificates sufficient
1406 to allow the client to construct a certification path for the KDC's
1407 certificate, if the correct set of certificates is provided through
1408 configuration or policy.
1409
1410 If the KDC sends all the X.509 certificates on a certification path
1411 to a trust anchor acceptable by the client, and the client can not
1412 verify the KDC's public key otherwise, the client MUST be able to
1413 process path validation for the KDC's certificate based on the
1414 certificates in the reply.
1415
14163.4. KDC Indication of PKINIT Support
1417
1418 If pre-authentication is required, but was not present in the
1419 request, per [RFC4120] an error message with the code
1420 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be
1421 stored in the e-data field of the KRB-ERROR message to specify which
1422 pre-authentication mechanisms are acceptable. The KDC can then
1423 indicate the support of PKINIT by including an empty element whose
1424 padata-type is PA_PK_AS_REQ in that METHOD-DATA object.
1425
1426 Otherwise if it is required by the KDC's local policy that the client
1427 must be pre-authenticated using the pre-authentication mechanism
1428 specified in this document, but no PKINIT pre-authentication was
1429 present in the request, an error message with the code
1430 KDC_ERR_PREAUTH_FAILED SHOULD be returned.
1431
1432 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in
1433 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET
1434 STRING), and clients MUST ignore this and any other value. Future
1435 extensions to this protocol may specify other data to send instead of
1436 an empty OCTET STRING.
1437
1438
14394. Security Considerations
1440
1441 Kerberos error messages are not integrity protected, as a result, the
1442 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered
1443 with by an attacker so that the set of domain parameters selected
1444 could be either weaker or not mutually preferred. Local policy can
1445 configure sets of domain parameters acceptable locally, or disallow
1446 the negotiation of DH domain parameters.
1447
1448 The symmetric reply key size and Diffie-Hellman field size or RSA
1449
1450
1451
1452Zhu & Tung Expires July 15, 2006 [Page 26]
1453�
1454Internet-Draft PKINIT January 2006
1455
1456
1457 modulus size should be chosen so as to provide sufficient
1458 cryptographic security [RFC3766].
1459
1460 When MODP Diffie-Hellman is used, the exponents should have at least
1461 twice as many bits as the symmetric keys that will be derived from
1462 them [ODL99].
1463
1464 PKINIT raises certain security considerations beyond those that can
1465 be regulated strictly in protocol definitions. We will address them
1466 in this section.
1467
1468 PKINIT extends the cross-realm model to the public-key
1469 infrastructure. Users of PKINIT must understand security policies
1470 and procedures appropriate to the use of Public Key Infrastructures
1471 [RFC3280].
1472
1473 In order to trust a KDC certificate that is certified by a CA as a
1474 KDC certificate for a target realm (for example, by asserting the TGS
1475 name of that Kerberos realm as an id-pkinit-san SAN and/or
1476 restricting the certificate usage by using the id-pkinit-KPKdc EKU,
1477 as described in Section 3.2.4), the client MUST verify that the KDC
1478 certificate's issuing CA is authorized to issue KDC certificates for
1479 that target realm. Otherwise, the binding between the KDC
1480 certificate and the KDC of the target realm is not established.
1481
1482 How to validate this authorization is a matter of local policy. A
1483 way to achieve this is the configuration of specific sets of
1484 intermediary CAs and trust anchors, one of which must be on the KDC
1485 certificate's certification path [RFC3280]; and for each CA or trust
1486 anchor the realms for which it is allowed to issue certificates.
1487
1488 In addition, if any CA is trusted to issue KDC certificates can also
1489 issue other kinds of certificates, then local policy must be able to
1490 distinguish between them: for example, it could require that KDC
1491 certificates contain the id-pkinit-KPKdc EKU or that the realm be
1492 specified with the id-pkinit-san SAN.
1493
1494 It is the responsibility of the PKI administrators for an
1495 organization to ensure that KDC certificates are only issued to KDCs,
1496 and that clients can ascertain this using their local policy.
1497
1498 Standard Kerberos allows the possibility of interactions between
1499 cryptosystems of varying strengths; this document adds interactions
1500 with public-key cryptosystems to Kerberos. Some administrative
1501 policies may allow the use of relatively weak public keys. Using
1502 such keys to wrap data encrypted under stronger conventional
1503 cryptosystems may be inappropriate.
1504
1505
1506
1507
1508Zhu & Tung Expires July 15, 2006 [Page 27]
1509�
1510Internet-Draft PKINIT January 2006
1511
1512
1513 PKINIT requires keys for symmetric cryptosystems to be generated.
1514 Some such systems contain "weak" keys. For recommendations regarding
1515 these weak keys, see [RFC4120].
1516
1517 PKINIT allows the use of the same RSA key pair for encryption and
1518 signing when doing RSA encryption based key delivery. This is not
1519 recommended usage of RSA keys [RFC3447], by using DH based key
1520 delivery this is avoided.
1521
1522 Care should be taken in how certificates are chosen for the purposes
1523 of authentication using PKINIT. Some local policies may require that
1524 key escrow be used for certain certificate types. Deployers of
1525 PKINIT should be aware of the implications of using certificates that
1526 have escrowed keys for the purposes of authentication. Because
1527 signing only certificates are normally not escrowed, by using DH
1528 based key delivery this is avoided.
1529
1530 PKINIT does not provide for a "return routability" test to prevent
1531 attackers from mounting a denial-of-service attack on the KDC by
1532 causing it to perform unnecessary and expensive public-key
1533 operations. Strictly speaking, this is also true of standard
1534 Kerberos, although the potential cost is not as great, because
1535 standard Kerberos does not make use of public-key cryptography. By
1536 using DH based key delivery and reusing DH keys, the necessary crypto
1537 processing cost per request can be minimized.
1538
1539 The syntax for the AD-INITIAL-VERIFIED-CAS authorization data does
1540 permit empty SEQUENCEs to be encoded. Such empty sequences may only
1541 be used if the KDC itself vouches for the user's certificate.
1542
1543 When the Diffie-Hellman key exchange method is used, additional pre-
1544 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as
1545 defined in this specification) is not bound to the AS_REQ by the
1546 mechanisms discussed in this specification (meaning it may be dropped
1547 or added by attackers without being detected by either the client or
1548 the KDC). Designers of additional pre-authentication data should
1549 take that into consideration if such additional pre-authentication
1550 data can be used in conjunction with the PA_PK_AS_REQ. The future
1551 work of the Kerberos working group is expected to update the hash
1552 algorithms specified in this document and provide a generic mechanism
1553 to bind additional pre-authentication data with the accompanying
1554 AS_REQ.
1555
1556
15575. Acknowledgements
1558
1559 The following people have made significant contributions to this
1560 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist
1561
1562
1563
1564Zhu & Tung Expires July 15, 2006 [Page 28]
1565�
1566Internet-Draft PKINIT January 2006
1567
1568
1569 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey
1570 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M
1571 Grundman and Jeffrey Altman.
1572
1573 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and
1574 Chris Walstad discovered a binding issue between the AS-REQ and AS-
1575 REP in draft -26, the asChecksum field was added as the result.
1576
1577 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and
1578 Jonathan Trostle who wrote earlier versions of this document.
1579
1580 The authors are indebted to the Kerberos working group chair Jeffrey
1581 Hutzelman who kept track of various issues and was enormously helpful
1582 during the creation of this document.
1583
1584 Some of the ideas on which this document is based arose during
1585 discussions over several years between members of the SAAG, the IETF
1586 CAT working group, and the PSRG, regarding integration of Kerberos
1587 and SPX. Some ideas have also been drawn from the DASS system.
1588 These changes are by no means endorsed by these groups. This is an
1589 attempt to revive some of the goals of those groups, and this
1590 document approaches those goals primarily from the Kerberos
1591 perspective.
1592
1593 Lastly, comments from groups working on similar ideas in DCE have
1594 been invaluable.
1595
1596
15976. IANA Considerations
1598
1599 This document has no actions for IANA.
1600
1601
16027. References
1603
16047.1. Normative References
1605
1606 [IEEE1363]
1607 IEEE, "Standard Specifications for Public Key
1608 Cryptography", IEEE 1363, 2000.
1609
1610 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1611 Requirement Levels", BCP 14, RFC 2119, March 1997.
1612
1613 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol",
1614 RFC 2412, November 1998.
1615
1616 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
1617
1618
1619
1620Zhu & Tung Expires July 15, 2006 [Page 29]
1621�
1622Internet-Draft PKINIT January 2006
1623
1624
1625 RFC 2631, June 1999.
1626
1627 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
1628 Identifiers for the Internet X.509 Public Key
1629 Infrastructure Certificate and Certificate Revocation List
1630 (CRL) Profile", RFC 3279, April 2002.
1631
1632 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
1633 X.509 Public Key Infrastructure Certificate and
1634 Certificate Revocation List (CRL) Profile", RFC 3280,
1635 April 2002.
1636
1637 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
1638 Algorithms", RFC 3370, August 2002.
1639
1640 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
1641 Standards (PKCS) #1: RSA Cryptography Specifications
1642 Version 2.1", RFC 3447, February 2003.
1643
1644 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
1645 Diffie-Hellman groups for Internet Key Exchange (IKE)",
1646 RFC 3526, May 2003.
1647
1648 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
1649 Encryption Algorithm in Cryptographic Message Syntax
1650 (CMS)", RFC 3565, July 2003.
1651
1652 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
1653 Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1654 RFC 3766, April 2004.
1655
1656 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
1657 RFC 3852, July 2004.
1658
1659 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
1660 Kerberos 5", RFC 3961, February 2005.
1661
1662 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
1663 Encryption for Kerberos 5", RFC 3962, February 2005.
1664
1665 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
1666 Kerberos Network Authentication Service (V5)", RFC 4120,
1667 July 2005.
1668
1669 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
1670 Version 5 Generic Security Service Application Program
1671 Interface (GSS-API) Mechanism: Version 2", RFC 4121,
1672 July 2005.
1673
1674
1675
1676Zhu & Tung Expires July 15, 2006 [Page 30]
1677�
1678Internet-Draft PKINIT January 2006
1679
1680 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
1681 Information technology - Abstract Syntax Notation One
1682 (ASN.1): Specification of basic notation.
1683
1684 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
1685 Information technology - ASN.1 encoding Rules: Specification
1686 of Basic Encoding Rules (BER), Canonical Encoding Rules
1687 (CER) and Distinguished Encoding Rules (DER).
1688
16897.2. Informative References
1690
1691 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
1692 Sizes", Journal of Cryptology 14 (2001) 255-293.
1693
1694 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the
1695 future, Designs, Codes, and Cryptography (1999)".
1696
1697 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
1698 Nicholas, "Internet X.509 Public Key Infrastructure:
1699 Certification Path Building", RFC 4158, September 2005.
1700
1701
1702Appendix A. PKINIT ASN.1 Module
1703
1704 KerberosV5-PK-INIT-SPEC {
1705 iso(1) identified-organization(3) dod(6) internet(1)
1706 security(5) kerberosV5(2) modules(4) pkinit(5)
1707 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
1708
1709 IMPORTS
1710 SubjectPublicKeyInfo, AlgorithmIdentifier
1711 FROM PKIX1Explicit88 { iso (1)
1712 identified-organization (3) dod (6) internet (1)
1713 security (5) mechanisms (5) pkix (7) id-mod (0)
1714 id-pkix1-explicit (18) }
1715 -- As defined in RFC 3280.
1716
1717 KerberosTime, PrincipalName, Realm, EncryptionKey
1718 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
1719 dod(6) internet(1) security(5) kerberosV5(2)
1720 modules(4) krb5spec2(2) } ;
1721
1722 id-pkinit OBJECT IDENTIFIER ::=
1723 { iso (1) org (3) dod (6) internet (1) security (5)
1724 kerberosv5 (2) pkinit (3) }
1725
1726
1727
1728Zhu & Tung Expires July 15, 2006 [Page 31]
1729�
1730Internet-Draft PKINIT January 2006
1731
1732
1733 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
1734 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
1735 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
1736 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 }
1737 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 }
1738
1739 id-pkinit-san OBJECT IDENTIFIER ::=
1740 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1741 x509SanAN (2) }
1742
1743 pa-pk-as-req INTEGER ::= 16
1744 pa-pk-as-rep INTEGER ::= 17
1745
1746 ad-initial-verified-cas INTEGER ::= 9
1747
1748 td-trusted-certifiers INTEGER ::= 104
1749 td-invalid-certificates INTEGER ::= 105
1750 td-dh-parameters INTEGER ::= 109
1751
1752 PA-PK-AS-REQ ::= SEQUENCE {
1753 signedAuthPack [0] IMPLICIT OCTET STRING,
1754 -- Contains a CMS type ContentInfo encoded
1755 -- according to [RFC3852].
1756 -- The contentType field of the type ContentInfo
1757 -- is id-signedData (1.2.840.113549.1.7.2),
1758 -- and the content field is a SignedData.
1759 -- The eContentType field for the type SignedData is
1760 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
1761 -- eContent field contains the DER encoding of the
1762 -- type AuthPack.
1763 -- AuthPack is defined below.
1764 trustedCertifiers [1] SEQUENCE OF
1765 ExternalPrincipalIdentifier OPTIONAL,
1766 -- Contains a list of CAs, trusted by the client,
1767 -- that can be used to certify the KDC.
1768 -- Each ExternalPrincipalIdentifier identifies a CA
1769 -- or a CA certificate (thereby its public key).
1770 -- The information contained in the
1771 -- trustedCertifiers SHOULD be used by the KDC as
1772 -- hints to guide its selection of an appropriate
1773 -- certificate chain to return to the client.
1774 kdcPkId [2] IMPLICIT OCTET STRING
1775 OPTIONAL,
1776 -- Contains a CMS type SignerIdentifier encoded
1777 -- according to [RFC3852].
1778 -- Identifies, if present, a particular KDC
1779 -- public key that the client already has.
1780 ...
1781
1782
1783
1784Zhu & Tung Expires July 15, 2006 [Page 32]
1785�
1786Internet-Draft PKINIT January 2006
1787
1788
1789 }
1790
1791 DHNonce ::= OCTET STRING
1792
1793 ExternalPrincipalIdentifier ::= SEQUENCE {
1794 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
1795 -- Contains a PKIX type Name encoded according to
1796 -- [RFC3280].
1797 -- Identifies the certificate subject by the
1798 -- distinguished subject name.
1799 -- REQUIRED when there is a distinguished subject
1800 -- name present in the certificate.
1801 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
1802 -- Contains a CMS type IssuerAndSerialNumber encoded
1803 -- according to [RFC3852].
1804 -- Identifies a certificate of the subject.
1805 -- REQUIRED for TD-INVALID-CERTIFICATES and
1806 -- TD-TRUSTED-CERTIFIERS.
1807 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
1808 -- Identifies the subject's public key by a key
1809 -- identifier. When an X.509 certificate is
1810 -- referenced, this key identifier matches the X.509
1811 -- subjectKeyIdentifier extension value. When other
1812 -- certificate formats are referenced, the documents
1813 -- that specify the certificate format and their use
1814 -- with the CMS must include details on matching the
1815 -- key identifier to the appropriate certificate
1816 -- field.
1817 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
1818 ...
1819 }
1820
1821 AuthPack ::= SEQUENCE {
1822 pkAuthenticator [0] PKAuthenticator,
1823 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
1824 -- Type SubjectPublicKeyInfo is defined in
1825 -- [RFC3280].
1826 -- Specifies Diffie-Hellman domain parameters
1827 -- and the client's public key value [IEEE1363].
1828 -- The DH public key value is encoded as a BIT
1829 -- STRING according to [RFC3279].
1830 -- This field is present only if the client wishes
1831 -- to use the Diffie-Hellman key agreement method.
1832 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
1833 OPTIONAL,
1834 -- Type AlgorithmIdentifier is defined in
1835 -- [RFC3280].
1836 -- List of CMS encryption types supported by the
1837
1838
1839
1840Zhu & Tung Expires July 15, 2006 [Page 33]
1841�
1842Internet-Draft PKINIT January 2006
1843
1844
1845 -- client in order of (decreasing) preference.
1846 clientDHNonce [3] DHNonce OPTIONAL,
1847 -- Present only if the client indicates that it
1848 -- wishes to reuse DH keys or to allow the KDC to
1849 -- do so.
1850 ...
1851 }
1852
1853 PKAuthenticator ::= SEQUENCE {
1854 cusec [0] INTEGER (0..999999),
1855 ctime [1] KerberosTime,
1856 -- cusec and ctime are used as in [RFC4120], for
1857 -- replay prevention.
1858 nonce [2] INTEGER (0..4294967295),
1859 -- Chosen randomly; This nonce does not need to
1860 -- match with the nonce in the KDC-REQ-BODY.
1861 paChecksum [3] OCTET STRING OPTIONAL,
1862 -- MUST be present.
1863 -- Contains the SHA1 checksum, performed over
1864 -- KDC-REQ-BODY.
1865 ...
1866 }
1867
1868 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
1869 ExternalPrincipalIdentifier
1870 -- Identifies a list of CAs trusted by the KDC.
1871 -- Each ExternalPrincipalIdentifier identifies a CA
1872 -- or a CA certificate (thereby its public key).
1873
1874 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
1875 ExternalPrincipalIdentifier
1876 -- Each ExternalPrincipalIdentifier identifies a
1877 -- certificate (sent by the client) with an invalid
1878 -- signature.
1879
1880 KRB5PrincipalName ::= SEQUENCE {
1881 realm [0] Realm,
1882 principalName [1] PrincipalName
1883 }
1884
1885 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
1886 ExternalPrincipalIdentifier
1887 -- Identifies the certification path based on which
1888 -- the client certificate was validated.
1889 -- Each ExternalPrincipalIdentifier identifies a CA
1890 -- or a CA certificate (thereby its public key).
1891
1892 PA-PK-AS-REP ::= CHOICE {
1893
1894
1895
1896Zhu & Tung Expires July 15, 2006 [Page 34]
1897�
1898Internet-Draft PKINIT January 2006
1899
1900
1901 dhInfo [0] DHRepInfo,
1902 -- Selected when Diffie-Hellman key exchange is
1903 -- used.
1904 encKeyPack [1] IMPLICIT OCTET STRING,
1905 -- Selected when public key encryption is used.
1906 -- Contains a CMS type ContentInfo encoded
1907 -- according to [RFC3852].
1908 -- The contentType field of the type ContentInfo is
1909 -- id-envelopedData (1.2.840.113549.1.7.3).
1910 -- The content field is an EnvelopedData.
1911 -- The contentType field for the type EnvelopedData
1912 -- is id-signedData (1.2.840.113549.1.7.2).
1913 -- The eContentType field for the inner type
1914 -- SignedData (when unencrypted) is
1915 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1916 -- eContent field contains the DER encoding of the
1917 -- type ReplyKeyPack.
1918 -- ReplyKeyPack is defined below.
1919 ...
1920 }
1921
1922 DHRepInfo ::= SEQUENCE {
1923 dhSignedData [0] IMPLICIT OCTET STRING,
1924 -- Contains a CMS type ContentInfo encoded according
1925 -- to [RFC3852].
1926 -- The contentType field of the type ContentInfo is
1927 -- id-signedData (1.2.840.113549.1.7.2), and the
1928 -- content field is a SignedData.
1929 -- The eContentType field for the type SignedData is
1930 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
1931 -- eContent field contains the DER encoding of the
1932 -- type KDCDHKeyInfo.
1933 -- KDCDHKeyInfo is defined below.
1934 serverDHNonce [1] DHNonce OPTIONAL,
1935 -- Present if and only if dhKeyExpiration is
1936 -- present.
1937 ...
1938 }
1939
1940 KDCDHKeyInfo ::= SEQUENCE {
1941 subjectPublicKey [0] BIT STRING,
1942 -- The KDC's DH public key.
1943 -- The DH public key value is encoded as a BIT
1944 -- STRING according to [RFC3279].
1945 nonce [1] INTEGER (0..4294967295),
1946 -- Contains the nonce in the pkAuthenticator field
1947 -- in the request if the DH keys are NOT reused,
1948 -- 0 otherwise.
1949
1950
1951
1952Zhu & Tung Expires July 15, 2006 [Page 35]
1953�
1954Internet-Draft PKINIT January 2006
1955
1956
1957 dhKeyExpiration [2] KerberosTime OPTIONAL,
1958 -- Expiration time for KDC's key pair,
1959 -- present if and only if the DH keys are reused.
1960 -- If present, the KDC's DH public key MUST not be
1961 -- used past the point of this expiration time.
1962 -- If this field is omitted then the serverDHNonce
1963 -- field MUST also be omitted.
1964 ...
1965 }
1966
1967 ReplyKeyPack ::= SEQUENCE {
1968 replyKey [0] EncryptionKey,
1969 -- Contains the session key used to encrypt the
1970 -- enc-part field in the AS-REP, i.e. the
1971 -- AS reply key.
1972 asChecksum [1] Checksum,
1973 -- Contains the checksum of the AS-REQ
1974 -- corresponding to the containing AS-REP.
1975 -- The checksum is performed over the type AS-REQ.
1976 -- The protocol key [RFC3961] of the checksum is the
1977 -- replyKey and the key usage number is 6.
1978 -- If the replyKey's enctype is "newer" [RFC4120]
1979 -- [RFC4121], the checksum is the required
1980 -- checksum operation [RFC3961] for that enctype.
1981 -- The client MUST verify this checksum upon receipt
1982 -- of the AS-REP.
1983 ...
1984 }
1985
1986 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
1987 -- Each AlgorithmIdentifier specifies a set of
1988 -- Diffie-Hellman domain parameters [IEEE1363].
1989 -- This list is in decreasing preference order.
1990 END
1991
1992
1993Appendix B. Test Vectors
1994
1995 Function octetstring2key() is defined in Section 3.2.3.1. This
1996 section describes a few sets of test vectors that would be useful for
1997 implementers of octetstring2key().
1998
1999
2000 Set 1
2001 =====
2002 Input octet string x is:
2003
2004 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2005
2006
2007
2008Zhu & Tung Expires July 15, 2006 [Page 36]
2009�
2010Internet-Draft PKINIT January 2006
2011
2012
2013 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2014 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2015 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2016 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2017 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2018 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2019 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2021 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2022 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2023 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2024 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2025 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2026 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2027 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2028
2029 Output of K-truncate() when the key size is 32 octets:
2030
2031 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83
2032 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41
2033
2034
2035 Set 2:
2036 =====
2037 Input octet string x is:
2038
2039 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2041 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2042 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2043 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2044 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2045 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2046 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2047
2048 Output of K-truncate() when the key size is 32 octets:
2049
2050 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb
2051 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e
2052
2053
2054 Set 3:
2055 ======
2056 Input octet string x is:
2057
2058 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2059 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2060 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2061
2062
2063
2064Zhu & Tung Expires July 15, 2006 [Page 37]
2065�
2066Internet-Draft PKINIT January 2006
2067
2068
2069 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2070 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b
2071 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a
2072 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09
2073 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2074
2075 Output of K-truncate() when the key size is 32 octets:
2076
2077 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3
2078 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e
2079
2080
2081 Set 4:
2082 =====
2083 Input octet string x is:
2084
2085 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2086 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2087 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2088 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2089 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2090
2091 Output of K-truncate() when the key size is 32 octets:
2092
2093 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a
2094 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc
2095
2096
2097Appendix C. Miscellaneous Information about Microsoft Windows PKINIT
2098 Implementations
2099
2100 Earlier revisions of the PKINIT I-D were implemented in various
2101 releases of Microsoft Windows and deployed in fairly large numbers.
2102 To enable the community to better interoperate with systems running
2103 those releases, the following information may be useful.
2104
2105 KDC certificates issued by Windows 2000 Enterprise CAs contain a
2106 dNSName SAN with the DNS name of the host running the KDC, and the
2107 id-kp-serverAuth EKU [RFC3280].
2108
2109 KDC certificates issued by Windows 2003 Enterprise CAs contain a
2110 dNSName SAN with the DNS name of the host running the KDC, the id-kp-
2111 serverAuth EKU and the id-ms-kp-sc-logon EKU.
2112
2113 It is anticipated that the next release of Windows is already too far
2114 along to allow it to support the issuing KDC certificates with id-
2115 pkinit-san SAN as specified in this RFC. Instead, they will have a
2116 dNSName SAN containing the domain name of the KDC and the intended
2117
2118
2119
2120Zhu & Tung Expires July 15, 2006 [Page 38]
2121�
2122Internet-Draft PKINIT January 2006
2123
2124
2125 purpose of these KDC certificates be restricted by the presence of
2126 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU.
2127
2128 In addition to checking that the above are present in a KDC
2129 certificate, Windows clients verify that the issuer of the KDC
2130 certificate is one of a set of allowed issuers of such certificates,
2131 so those wishing to issue KDC certificates need to configure their
2132 Windows clients appropriately.
2133
2134 Client certificates accepted by Windows 2000 and Windows 2003 Server
2135 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3)
2136 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN
2137 contains a UTF8 encoded string whose value is that of the Directory
2138 Service attribute UserPrincipalName of the client account object, and
2139 the purpose of including the id-ms-san-sc-logon-upn SAN in the client
2140 certificate is to validate the client mapping (in other words, the
2141 client's public key is bound to the account that has this
2142 UserPrincipalName value).
2143
2144 It should be noted that all Microsoft Kerberos realm names are domain
2145 style realm names and strictly in upper case. In addition, the
2146 UserPrincipalName attribute is globally unique in Windows 2000 and
2147 Windows 2003.
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176Zhu & Tung Expires July 15, 2006 [Page 39]
2177�
2178Internet-Draft PKINIT January 2006
2179
2180
2181Authors' Addresses
2182
2183 Larry Zhu
2184 Microsoft Corporation
2185 One Microsoft Way
2186 Redmond, WA 98052
2187 US
2188
2189 Email: lzhu@microsoft.com
2190
2191
2192 Brian Tung
2193 USC Information Sciences Institute
2194 4676 Admiralty Way Suite 1001
2195 Marina del Rey, CA 90292
2196 US
2197
2198 Email: brian@isi.edu
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232Zhu & Tung Expires July 15, 2006 [Page 40]
2233�
2234Internet-Draft PKINIT January 2006
2235
2236
2237Intellectual Property Statement
2238
2239 The IETF takes no position regarding the validity or scope of any
2240 Intellectual Property Rights or other rights that might be claimed to
2241 pertain to the implementation or use of the technology described in
2242 this document or the extent to which any license under such rights
2243 might or might not be available; nor does it represent that it has
2244 made any independent effort to identify any such rights. Information
2245 on the procedures with respect to rights in RFC documents can be
2246 found in BCP 78 and BCP 79.
2247
2248 Copies of IPR disclosures made to the IETF Secretariat and any
2249 assurances of licenses to be made available, or the result of an
2250 attempt made to obtain a general license or permission for the use of
2251 such proprietary rights by implementers or users of this
2252 specification can be obtained from the IETF on-line IPR repository at
2253 http://www.ietf.org/ipr.
2254
2255 The IETF invites any interested party to bring to its attention any
2256 copyrights, patents or patent applications, or other proprietary
2257 rights that may cover technology that may be required to implement
2258 this standard. Please address the information to the IETF at
2259 ietf-ipr@ietf.org.
2260
2261
2262Disclaimer of Validity
2263
2264 This document and the information contained herein are provided on an
2265 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2266 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2267 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2268 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2269 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2270 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2271
2272
2273Copyright Statement
2274
2275 Copyright (C) The Internet Society (2006). This document is subject
2276 to the rights, licenses and restrictions contained in BCP 78, and
2277 except as set forth therein, the authors retain all their rights.
2278
2279
2280Acknowledgment
2281
2282 Funding for the RFC Editor function is currently provided by the
2283 Internet Society.
2284
2285
2286
2287
2288Zhu & Tung Expires July 15, 2006 [Page 41]
2289