1NETWORK WORKING GROUP L. Zhu
2Internet-Draft Microsoft Corporation
3Expires: August 11, 2006 B. Tung
4 USC Information Sciences Institute
5 February 7, 2006
6
7
8 Public Key Cryptography for Initial Authentication in Kerberos
9 draft-ietf-cat-kerberos-pk-init-34
10
11Status of this Memo
12
13 By submitting this Internet-Draft, each author represents that any
14 applicable patent or other IPR claims of which he or she is aware
15 have been or will be disclosed, and any of which he or she becomes
16 aware will be disclosed, in accordance with Section 6 of BCP 79.
17
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as Internet-
21 Drafts.
22
23 Internet-Drafts are draft documents valid for a maximum of six months
24 and may be updated, replaced, or obsoleted by other documents at any
25 time. It is inappropriate to use Internet-Drafts as reference
26 material or to cite them other than as "work in progress."
27
28 The list of current Internet-Drafts can be accessed at
29 http://www.ietf.org/ietf/1id-abstracts.txt.
30
31 The list of Internet-Draft Shadow Directories can be accessed at
32 http://www.ietf.org/shadow.html.
33
34 This Internet-Draft will expire on August 11, 2006.
35
36Copyright Notice
37
38 Copyright (C) The Internet Society (2006).
39
40Abstract
41
42 This document describes protocol extensions (hereafter called PKINIT)
43 to the Kerberos protocol specification. These extensions provide a
44 method for integrating public key cryptography into the initial
45 authentication exchange, by using asymmetric-key signature and/or
46 encryption algorithms in pre-authentication data fields.
47
48
49
50
51
52Zhu & Tung Expires August 11, 2006 [Page 1]
53�
54Internet-Draft PKINIT February 2006
55
56
57Table of Contents
58
59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
60 2. Conventions Used in This Document . . . . . . . . . . . . . . 5
61 3. Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
62 3.1. Definitions, Requirements, and Constants . . . . . . . . . 6
63 3.1.1. Required Algorithms . . . . . . . . . . . . . . . . . 6
64 3.1.2. Recommended Algorithms . . . . . . . . . . . . . . . . 6
65 3.1.3. Defined Message and Encryption Types . . . . . . . . . 7
66 3.1.4. Kerberos Encryption Types Defined for CMS
67 Algorithm Identifiers . . . . . . . . . . . . . . . . 8
68 3.2. PKINIT Pre-authentication Syntax and Use . . . . . . . . . 9
69 3.2.1. Generation of Client Request . . . . . . . . . . . . . 9
70 3.2.2. Receipt of Client Request . . . . . . . . . . . . . . 14
71 3.2.3. Generation of KDC Reply . . . . . . . . . . . . . . . 18
72 3.2.4. Receipt of KDC Reply . . . . . . . . . . . . . . . . . 25
73 3.3. Interoperability Requirements . . . . . . . . . . . . . . 26
74 3.4. KDC Indication of PKINIT Support . . . . . . . . . . . . . 27
75 4. Security Considerations . . . . . . . . . . . . . . . . . . . 27
76 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30
77 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
78 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
79 7.1. Normative References . . . . . . . . . . . . . . . . . . . 30
80 7.2. Informative References . . . . . . . . . . . . . . . . . . 32
81 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . . 32
82 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 38
83 Appendix C. Miscellaneous Information about Microsoft Windows
84 PKINIT Implementations . . . . . . . . . . . . . . . 40
85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41
86 Intellectual Property and Copyright Statements . . . . . . . . . . 42
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108Zhu & Tung Expires August 11, 2006 [Page 2]
109�
110Internet-Draft PKINIT February 2006
111
112
1131. Introduction
114
115 The Kerberos V5 protocol [RFC4120] involves use of a trusted third
116 party known as the Key Distribution Center (KDC) to negotiate shared
117 session keys between clients and services and provide mutual
118 authentication between them.
119
120 The corner-stone of Kerberos V5 is the Ticket and the Authenticator.
121 A Ticket encapsulates a symmetric key (the ticket session key) in an
122 envelope (a public message) intended for a specific service. The
123 contents of the Ticket are encrypted with a symmetric key shared
124 between the service principal and the issuing KDC. The encrypted
125 part of the Ticket contains the client principal name, amongst other
126 items. An Authenticator is a record that can be shown to have been
127 recently generated using the ticket session key in the associated
128 Ticket. The ticket session key is known by the client who requested
129 the ticket. The contents of the Authenticator are encrypted with the
130 associated ticket session key. The encrypted part of an
131 Authenticator contains a timestamp and the client principal name,
132 amongst other items.
133
134 As shown in Figure 1 below, the Kerberos V5 protocol consists of the
135 following message exchanges between the client and the KDC, and the
136 client and the application service:
137
138 - The Authentication Service (AS) Exchange
139
140 The client obtains an "initial" ticket from the Kerberos
141 authentication server (AS), typically a Ticket Granting Ticket
142 (TGT). The AS-REQ message and the AS-REP message are the request
143 and the reply message respectively between the client and the AS.
144
145 - The Ticket Granting Service (TGS) Exchange
146
147 The client subsequently uses the TGT to authenticate and request a
148 service ticket for a particular service, from the Kerberos ticket-
149 granting server (TGS). The TGS-REQ message and the TGS-REP
150 message are the request and the reply message respectively between
151 the client and the TGS.
152
153 - The Client/Server Authentication Protocol (AP) Exchange
154
155 The client then makes a request with an AP-REQ message, consisting
156 of a service ticket and an authenticator that certifies the
157 client's possession of the ticket session key. The server may
158 optionally reply with an AP-REP message. AP exchanges typically
159 negotiate session specific symmetric keys.
160
161
162
163
164Zhu & Tung Expires August 11, 2006 [Page 3]
165�
166Internet-Draft PKINIT February 2006
167
168
169 Usually, the AS and TGS are integrated in a single device also known
170 as the KDC.
171
172 Figure 1: The Message Exchanges in the Kerberos V5 Protocol
173
174 +--------------+
175 +--------->| KDC |
176 AS-REQ / +-------| |
177 / / +--------------+
178 / / ^ |
179 / |AS-REP / |
180 | | / TGS-REQ + TGS-REP
181 | | / /
182 | | / /
183 | | / +---------+
184 | | / /
185 | | / /
186 | | / /
187 | v / v
188 ++-------+------+ +-----------------+
189 | Client +------------>| Application |
190 | | AP-REQ | Server |
191 | |<------------| |
192 +---------------+ AP-REP +-----------------+
193
194 In the AS exchange, the KDC reply contains the ticket session key,
195 amongst other items, that is encrypted using a key (the AS reply key)
196 shared between the client and the KDC. The AS reply key is typically
197 derived from the client's password for human users. Therefore for
198 human users the attack resistance strength of the Kerberos protocol
199 is no stronger than the strength of their passwords.
200
201 The use of asymmetric cryptography in the form of X.509 certificates
202 [RFC3280] is popular for facilitating data origin authentication and
203 perfect secrecy. An established Public Key Infrastructure (PKI)
204 provides key management and key distribution mechanisms that can be
205 used to establish authentication and secure communication. Adding
206 public-key cryptography to Kerberos provides a nice congruence to
207 public-key protocols, obviates the human users' burden to manage
208 strong passwords, and allows Kerberized applications to take
209 advantage of existing key services and identity management.
210
211 The advantage afforded by the Kerberos TGT is that the client exposes
212 his long-term secrets only once. The TGT and its associated session
213 key can then be used for any subsequent service ticket requests. One
214 result of this is that all further authentication is independent of
215 the method by which the initial authentication was performed.
216 Consequently, initial authentication provides a convenient place to
217
218
219
220Zhu & Tung Expires August 11, 2006 [Page 4]
221�
222Internet-Draft PKINIT February 2006
223
224
225 integrate public-key cryptography into Kerberos authentication. In
226 addition, the use of symmetric cryptography after the initial
227 exchange is preferred for performance.
228
229 This document describes the methods and data formats using which the
230 client and the KDC can use public and private key pairs to mutually
231 authenticate in the AS exchange and negotiate the AS reply key, known
232 only by the client and the KDC, to encrypt the AS-REP sent by the
233 KDC.
234
235
2362. Conventions Used in This Document
237
238 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
239 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
240 document are to be interpreted as described in [RFC2119].
241
242 In this protocol, both the client and the KDC have a public-private
243 key pair in order to prove their identities to each other over the
244 open network. The term "signature key" is used to refer to the
245 private key of the key pair being used.
246
247 The encryption key used to encrypt the enc-part field of the KDC-REP
248 in the AS-REP [RFC4120] is referred to as the AS reply key.
249
250 An empty sequence in an optional field can be either included or
251 omitted: both encodings are permitted and considered equivalent.
252
253 The term "Modular Exponential Diffie-Hellman" is used to refer to the
254 Diffie-Hellman key exchange as described in [RFC2631], in order to
255 differentiate it from other equivalent representations of the same
256 key agreement algorithm.
257
258
2593. Extensions
260
261 This section describes extensions to [RFC4120] for supporting the use
262 of public-key cryptography in the initial request for a ticket.
263
264 Briefly, this document defines the following extensions to [RFC4120]:
265
266 1. The client indicates the use of public-key authentication by
267 including a special preauthenticator in the initial request. This
268 preauthenticator contains the client's public-key data and a
269 signature.
270
271
272
273
274
275
276Zhu & Tung Expires August 11, 2006 [Page 5]
277�
278Internet-Draft PKINIT February 2006
279
280
281 2. The KDC tests the client's request against its authentication
282 policy and trusted Certification Authorities (CAs).
283
284 3. If the request passes the verification tests, the KDC replies as
285 usual, but the reply is encrypted using either:
286
287 a. a key generated through a Diffie-Hellman (DH) key exchange
288 [RFC2631] [IEEE1363] with the client, signed using the KDC's
289 signature key; or
290
291 b. a symmetric encryption key, signed using the KDC's signature
292 key and encrypted using the client's public key.
293
294 Any keying material required by the client to obtain the
295 encryption key for decrypting the KDC reply is returned in a pre-
296 authentication field accompanying the usual reply.
297
298 4. The client validates the KDC's signature, obtains the encryption
299 key, decrypts the reply, and then proceeds as usual.
300
301 Section 3.1 of this document enumerates the required algorithms and
302 necessary extension message types. Section 3.2 describes the
303 extension messages in greater detail.
304
3053.1. Definitions, Requirements, and Constants
306
3073.1.1. Required Algorithms
308
309 All PKINIT implementations MUST support the following algorithms:
310
311 o AS reply key enctype(s): aes128-cts-hmac-sha1-96 and aes256-cts-
312 hmac-sha1-96 [RFC3962].
313
314 o Signature algorithm(s): sha-1WithRSAEncryption [RFC3370].
315
316 o AS reply key delivery method(s): the Diffie-Hellman key delivery
317 method as described in Section 3.2.3.1.
318
319 In addition, implementations of this specification MUST be capable of
320 processing the Extended Key Usage (EKU) extension and the id-pkinit-
321 san (as defined in Section 3.2.2) otherName of the Subject
322 Alternative Name (SAN) extension in X.509 certificates [RFC3280].
323
3243.1.2. Recommended Algorithms
325
326 All PKINIT implementations SHOULD support the following algorithms:
327
328
329
330
331
332Zhu & Tung Expires August 11, 2006 [Page 6]
333�
334Internet-Draft PKINIT February 2006
335
336
337 o AS reply key delivery method(s): the public key encryption key
338 delivery method as described in Section 3.2.3.2.
339
340 For implementations that support the public key encryption key
341 delivery method, the following algorithms MUST be supported:
342
343 a) Key transport algorithm(s) identified in the
344 keyEncryptionAlgorithm field of the type KeyTransRecipientInfo
345 [RFC3852] for encrypting the temporary key in the encryptedKey
346 field [RFC3852] with a public key, as described in
347 Section 3.2.3.2: rsaEncryption (this is the RSAES-PKCS1-v1_5
348 encryption scheme) [RFC3370] [RFC3447].
349
350 b) Content encryption algorithm(s) identified in the
351 contentEncryptionAlgorithm field of the type EncryptedContentInfo
352 [RFC3852] for encrypting the AS reply key with the temporary key
353 contained in the encryptedKey field of the type
354 KeyTransRecipientInfo [RFC3852], as described in Section 3.2.3.2:
355 des-ede3-cbc (three-key 3DES, CBC mode) [RFC3370].
356
3573.1.3. Defined Message and Encryption Types
358
359 PKINIT makes use of the following new pre-authentication types:
360
361 PA_PK_AS_REQ 16
362 PA_PK_AS_REP 17
363
364 PKINIT also makes use of the following new authorization data type:
365
366 AD_INITIAL_VERIFIED_CAS 9
367
368 PKINIT introduces the following new error codes:
369
370 KDC_ERR_CLIENT_NOT_TRUSTED 62
371 KDC_ERR_INVALID_SIG 64
372 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65
373 KDC_ERR_CANT_VERIFY_CERTIFICATE 70
374 KDC_ERR_INVALID_CERTIFICATE 71
375 KDC_ERR_REVOKED_CERTIFICATE 72
376 KDC_ERR_REVOCATION_STATUS_UNKNOWN 73
377 KDC_ERR_CLIENT_NAME_MISMATCH 75
378 KDC_ERR_INCONSISTENT_KEY_PURPOSE 77
379 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78
380 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79
381 KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80
382 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
383
384 PKINIT uses the following typed data types for errors:
385
386
387
388Zhu & Tung Expires August 11, 2006 [Page 7]
389�
390Internet-Draft PKINIT February 2006
391
392
393 TD_TRUSTED_CERTIFIERS 104
394 TD_INVALID_CERTIFICATES 105
395 TD_DH_PARAMETERS 109
396
397 The ASN.1 module for all structures defined in this document (plus
398 IMPORT statements for all imported structures) is given in
399 Appendix A.
400
401 All structures defined in or imported into this document MUST be
402 encoded using Distinguished Encoding Rules (DER) [X680] [X690]
403 (unless otherwise noted). All data structures carried in OCTET
404 STRINGs must be encoded according to the rules specified in
405 corresponding specifications.
406
407 Interoperability note: Some implementations may not be able to decode
408 wrapped Cryptographic Message Syntax (CMS) [RFC3852] objects encoded
409 with BER; specifically, they may not be able to decode indefinite
410 length encodings. To maximize interoperability, implementers SHOULD
411 encode CMS objects used in PKINIT with DER.
412
4133.1.4. Kerberos Encryption Types Defined for CMS Algorithm Identifiers
414
415 PKINIT defines the following Kerberos encryption type numbers
416 [RFC3961], which can be used in the etype field of the AS-REQ
417 [RFC4120] message to indicate to the KDC the client's acceptance of
418 the corresponding algorithms (including key transport algorithms
419 [RFC3370], content encryption algorithms [RFC3370], and signature
420 algorithms) for use with Cryptographic Message Syntax (CMS) [RFC3852]
421 [RFC3370].
422
423 Per [RFC4120], the encryption types in the etype field are in the
424 decreasing preference order of the client. Note that there is no
425 significance in the relative order between any two of different types
426 of algorithms: key transport algorithms, content encryption
427 algorithms and signature algorithms.
428
429 The presence of each of these encryption types in the etype field is
430 equivalent to the presence of the corresponding algorithm Object
431 Identifier (OID) in the supportedCMSTypes field as described in
432 Section 3.2.1. And the preference order expressed in the
433 supportedCMSTypes field would override the preference order listed in
434 the etype field.
435
436
437
438
439
440
441
442
443
444Zhu & Tung Expires August 11, 2006 [Page 8]
445�
446Internet-Draft PKINIT February 2006
447
448
449 Kerberos Encryption Type Name Num Corresponding Algorithm OID
450 ============================== === ===============================
451 id-dsa-with-sha1-CmsOID 9 id-dsa-with-sha1 [RFC3370]
452 md5WithRSAEncryption-CmsOID 10 md5WithRSAEncryption [RFC3370]
453 sha-1WithRSAEncryption-CmsOID 11 sha-1WithRSAEncryption [RFC3370]
454 rc2-cbc-EnvOID 12 rc2-cbc [RFC3370]
455 rsaEncryption-EnvOID 13 rsaEncryption [RFC3447][RFC3370]
456 id-RSAES-OAEP-EnvOID 14 id-RSAES-OAEP [RFC3447][RFC3560]
457 des-ede3-cbc-EnvOID 15 des-ede3-cbc [RFC3370]
458
459 The above encryption type numbers are used only to indicate support
460 for the use of the corresponding algorithms in PKINIT; they do not
461 correspond to actual Kerberos encryption types [RFC3961] and MUST NOT
462 be used in the etype field of the Kerberos EncryptedData type
463 [RFC4120]. The practice of assigning Kerberos encryption type
464 numbers to indicate support for CMS algorithms is considered
465 deprecated, and new numbers should not be assigned for this purpose.
466 Instead, the supportedCMSTypes field should be used to identify the
467 algorithms supported by the client and the preference order of the
468 client.
469
470 For maximum interoperability, however, PKINIT clients wishing to
471 indicate to the KDC the support for one or more of the algorithms
472 listed above SHOULD include the corresponding encryption type
473 number(s) in the etype field of the AS-REQ.
474
4753.2. PKINIT Pre-authentication Syntax and Use
476
477 This section defines the syntax and use of the various pre-
478 authentication fields employed by PKINIT.
479
4803.2.1. Generation of Client Request
481
482 The initial authentication request (AS-REQ) is sent as per [RFC4120];
483 in addition, a pre-authentication data element, whose padata-type is
484 PA_PK_AS_REQ and whose padata-value contains the DER encoding of the
485 type PA-PK-AS-REQ, is included.
486
487 PA-PK-AS-REQ ::= SEQUENCE {
488 signedAuthPack [0] IMPLICIT OCTET STRING,
489 -- Contains a CMS type ContentInfo encoded
490 -- according to [RFC3852].
491 -- The contentType field of the type ContentInfo
492 -- is id-signedData (1.2.840.113549.1.7.2),
493 -- and the content field is a SignedData.
494 -- The eContentType field for the type SignedData is
495 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
496 -- eContent field contains the DER encoding of the
497
498
499
500Zhu & Tung Expires August 11, 2006 [Page 9]
501�
502Internet-Draft PKINIT February 2006
503
504
505 -- type AuthPack.
506 -- AuthPack is defined below.
507 trustedCertifiers [1] SEQUENCE OF
508 ExternalPrincipalIdentifier OPTIONAL,
509 -- Contains a list of CAs, trusted by the client,
510 -- that can be used to certify the KDC.
511 -- Each ExternalPrincipalIdentifier identifies a CA
512 -- or a CA certificate (thereby its public key).
513 -- The information contained in the
514 -- trustedCertifiers SHOULD be used by the KDC as
515 -- hints to guide its selection of an appropriate
516 -- certificate chain to return to the client.
517 kdcPkId [2] IMPLICIT OCTET STRING
518 OPTIONAL,
519 -- Contains a CMS type SignerIdentifier encoded
520 -- according to [RFC3852].
521 -- Identifies, if present, a particular KDC
522 -- public key that the client already has.
523 ...
524 }
525
526 DHNonce ::= OCTET STRING
527
528 ExternalPrincipalIdentifier ::= SEQUENCE {
529 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
530 -- Contains a PKIX type Name encoded according to
531 -- [RFC3280].
532 -- Identifies the certificate subject by the
533 -- distinguished subject name.
534 -- REQUIRED when there is a distinguished subject
535 -- name present in the certificate.
536 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
537 -- Contains a CMS type IssuerAndSerialNumber encoded
538 -- according to [RFC3852].
539 -- Identifies a certificate of the subject.
540 -- REQUIRED for TD-INVALID-CERTIFICATES and
541 -- TD-TRUSTED-CERTIFIERS.
542 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
543 -- Identifies the subject's public key by a key
544 -- identifier. When an X.509 certificate is
545 -- referenced, this key identifier matches the X.509
546 -- subjectKeyIdentifier extension value. When other
547 -- certificate formats are referenced, the documents
548 -- that specify the certificate format and their use
549 -- with the CMS must include details on matching the
550 -- key identifier to the appropriate certificate
551 -- field.
552 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
553
554
555
556Zhu & Tung Expires August 11, 2006 [Page 10]
557�
558Internet-Draft PKINIT February 2006
559
560
561 ...
562 }
563
564 AuthPack ::= SEQUENCE {
565 pkAuthenticator [0] PKAuthenticator,
566 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
567 -- Type SubjectPublicKeyInfo is defined in
568 -- [RFC3280].
569 -- Specifies Diffie-Hellman domain parameters
570 -- and the client's public key value [IEEE1363].
571 -- The DH public key value is encoded as a BIT
572 -- STRING according to [RFC3279].
573 -- This field is present only if the client wishes
574 -- to use the Diffie-Hellman key agreement method.
575 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
576 OPTIONAL,
577 -- Type AlgorithmIdentifier is defined in
578 -- [RFC3280].
579 -- List of CMS algorithm [RFC3370] identifiers
580 -- that identify key transport algorithms, or
581 -- content encryption algorithms, or signature
582 -- algorithms supported by the client in order of
583 -- (decreasing) preference.
584 clientDHNonce [3] DHNonce OPTIONAL,
585 -- Present only if the client indicates that it
586 -- wishes to reuse DH keys or to allow the KDC to
587 -- do so (see Section 3.2.3.1).
588 ...
589 }
590
591 PKAuthenticator ::= SEQUENCE {
592 cusec [0] INTEGER (0..999999),
593 ctime [1] KerberosTime,
594 -- cusec and ctime are used as in [RFC4120], for
595 -- replay prevention.
596 nonce [2] INTEGER (0..4294967295),
597 -- Chosen randomly; This nonce does not need to
598 -- match with the nonce in the KDC-REQ-BODY.
599 paChecksum [3] OCTET STRING OPTIONAL,
600 -- MUST be present.
601 -- Contains the SHA1 checksum, performed over
602 -- KDC-REQ-BODY.
603 ...
604 }
605
606 The ContentInfo [RFC3852] structure contained in the signedAuthPack
607 field of the type PA-PK-AS-REQ is encoded according to [RFC3852] and
608 is filled out as follows:
609
610
611
612Zhu & Tung Expires August 11, 2006 [Page 11]
613�
614Internet-Draft PKINIT February 2006
615
616
617 1. The contentType field of the type ContentInfo is id-signedData
618 (as defined in [RFC3852]), and the content field is a SignedData
619 (as defined in [RFC3852]).
620
621 2. The eContentType field for the type SignedData is id-pkinit-
622 authData: { iso(1) org(3) dod(6) internet(1) security(5)
623 kerberosv5(2) pkinit(3) authData(1) }. Notes to CMS
624 implementers: the signed attribute content-type MUST be present
625 in this SignedData instance and its value is id-pkinit-authData
626 according to [RFC3852].
627
628 3. The eContent field for the type SignedData contains the DER
629 encoding of the type AuthPack.
630
631 4. The signerInfos field of the type SignedData contains a single
632 signerInfo, which contains the signature over the type AuthPack.
633
634 5. The AuthPack structure contains a PKAuthenticator, the client
635 public key information, the CMS encryption types supported by the
636 client and a DHNonce. The pkAuthenticator field certifies to the
637 KDC that the client has recent knowledge of the signing key that
638 authenticates the client. The clientPublicValue field specifies
639 Diffie-Hellman domain parameters and the client's public key
640 value. The DH public key value is encoded as a BIT STRING
641 according to [RFC3279]. The clientPublicValue field is present
642 only if the client wishes to use the Diffie-Hellman key agreement
643 method. The supportedCMSTypes field specifies the list of CMS
644 algorithm identifiers that are supported by the client in order
645 of (decreasing) preference, and can be used to identify a
646 signature algorithm or a key transport algorithm [RFC3370] in the
647 keyEncryptionAlgorithm field of the type KeyTransRecipientInfo or
648 a content encryption algorithm [RFC3370] in the
649 contentEncryptionAlgorithm field of the type EncryptedContentInfo
650 [RFC3852] when encrypting the AS reply key as described in
651 Section 3.2.3.2. However, there is no significance in the
652 relative order between any two of different types of algorithms:
653 key transport algorithms, content encryption algorithms, and
654 signature algorithms. The clientDHNonce field is described later
655 in this section.
656
657 6. The ctime field in the PKAuthenticator structure contains the
658 current time on the client's host, and the cusec field contains
659 the microsecond part of the client's timestamp. The ctime and
660 cusec fields are used together to specify a reasonably accurate
661 timestamp [RFC4120]. The nonce field is chosen randomly. The
662 paChecksum field MUST be present and it contains a SHA1 checksum
663 that is performed over the KDC-REQ-BODY [RFC4120]. In order to
664 ease future migration from the use of SHA1, the paChecksum field
665
666
667
668Zhu & Tung Expires August 11, 2006 [Page 12]
669�
670Internet-Draft PKINIT February 2006
671
672
673 is made optional syntactically: when the request is extended to
674 negotiate hash algorithms, the new client wishing not to use SHA1
675 will send the request in the extended message syntax without the
676 paChecksum field. The KDC conforming to this specification MUST
677 return a KRB-ERROR [RFC4120] message with the code
678 KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (see Section 3.2.3). That
679 will allow a new client to retry with SHA1 if allowed by the
680 local policy.
681
682 7. The certificates field of the type SignedData contains
683 certificates intended to facilitate certification path
684 construction, so that the KDC can verify the signature over the
685 type AuthPack. For path validation, these certificates SHOULD be
686 sufficient to construct at least one certification path from the
687 client certificate to one trust anchor acceptable by the KDC
688 [RFC4158]. The client MUST be capable of including such a set of
689 certificates if configured to do so. The certificates field MUST
690 NOT contain "root" CA certificates.
691
692 8. The client's Diffie-Hellman public value (clientPublicValue) is
693 included if and only if the client wishes to use the Diffie-
694 Hellman key agreement method. The Diffie-Hellman domain
695 parameters [IEEE1363] for the client's public key are specified
696 in the algorithm field of the type SubjectPublicKeyInfo [RFC3279]
697 and the client's Diffie-Hellman public key value is mapped to a
698 subjectPublicKey (a BIT STRING) according to [RFC3279]. When
699 using the Diffie-Hellman key agreement method, implementations
700 MUST support Oakley 1024-bit Modular Exponential (MODP) well-
701 known group 2 [RFC2412] and Oakley 2048-bit MODP well-known group
702 14 [RFC3526], and SHOULD support Oakley 4096-bit MODP well-known
703 group 16 [RFC3526].
704
705 The Diffie-Hellman field size should be chosen so as to provide
706 sufficient cryptographic security [RFC3766].
707
708 When MODP Diffie-Hellman is used, the exponents should have at
709 least twice as many bits as the symmetric keys that will be
710 derived from them [ODL99].
711
712 9. The client may wish to reuse DH keys or to allow the KDC to do so
713 (see Section 3.2.3.1). If so, then the client includes the
714 clientDHNonce field. This nonce string MUST be as long as the
715 longest key length of the symmetric key types that the client
716 supports. This nonce MUST be chosen randomly.
717
718 The ExternalPrincipalIdentifier structure is used in this document to
719 identify the subject's public key thereby the subject principal.
720 This structure is filled out as follows:
721
722
723
724Zhu & Tung Expires August 11, 2006 [Page 13]
725�
726Internet-Draft PKINIT February 2006
727
728
729 1. The subjectName field contains a PKIX type Name encoded according
730 to [RFC3280]. This field identifies the certificate subject by
731 the distinguished subject name. This field is REQUIRED when
732 there is a distinguished subject name present in the certificate
733 being used.
734
735 2. The issuerAndSerialNumber field contains a CMS type
736 IssuerAndSerialNumber encoded according to [RFC3852]. This field
737 identifies a certificate of the subject. This field is REQUIRED
738 for TD-INVALID-CERTIFICATES and TD-TRUSTED-CERTIFIERS (both
739 structures are defined in Section 3.2.2).
740
741 3. The subjectKeyIdentifier [RFC3852] field identifies the subject's
742 public key by a key identifier. When an X.509 certificate is
743 referenced, this key identifier matches the X.509
744 subjectKeyIdentifier extension value. When other certificate
745 formats are referenced, the documents that specify the
746 certificate format and their use with the CMS must include
747 details on matching the key identifier to the appropriate
748 certificate field. This field is RECOMMENDED for TD-TRUSTED-
749 CERTIFIERS (as defined in Section 3.2.2).
750
751 The trustedCertifiers field of the type PA-PK-AS-REQ contains a list
752 of CAs, trusted by the client, that can be used to certify the KDC.
753 Each ExternalPrincipalIdentifier identifies a CA or a CA certificate
754 (thereby its public key).
755
756 The kdcPkId field of the type PA-PK-AS-REQ contains a CMS type
757 SignerIdentifier encoded according to [RFC3852]. This field
758 identifies, if present, a particular KDC public key that the client
759 already has.
760
7613.2.2. Receipt of Client Request
762
763 Upon receiving the client's request, the KDC validates it. This
764 section describes the steps that the KDC MUST (unless otherwise
765 noted) take in validating the request.
766
767 The KDC verifies the client's signature in the signedAuthPack field
768 according to [RFC3852].
769
770 If, while validating the client's X.509 certificate [RFC3280], the
771 KDC cannot build a certification path to validate the client's
772 certificate, it sends back a KRB-ERROR [RFC4120] message with the
773 code KDC_ERR_CANT_VERIFY_CERTIFICATE. The accompanying e-data for
774 this error message is a TYPED-DATA (as defined in [RFC4120]) that
775 contains an element whose data-type is TD_TRUSTED_CERTIFIERS, and
776 whose data-value contains the DER encoding of the type TD-TRUSTED-
777
778
779
780Zhu & Tung Expires August 11, 2006 [Page 14]
781�
782Internet-Draft PKINIT February 2006
783
784
785 CERTIFIERS:
786
787 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
788 ExternalPrincipalIdentifier
789 -- Identifies a list of CAs trusted by the KDC.
790 -- Each ExternalPrincipalIdentifier identifies a CA
791 -- or a CA certificate (thereby its public key).
792
793 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
794 TD-TRUSTED-CERTIFIERS structure identifies a CA or a CA certificate
795 (thereby its public key) trusted by the KDC.
796
797 Upon receiving this error message, the client SHOULD retry only if it
798 has a different set of certificates (from those of the previous
799 requests) that form a certification path (or a partial path) from one
800 of the trust anchors acceptable by the KDC to its own certificate.
801
802 If, while processing the certification path, the KDC determines that
803 the signature on one of the certificates in the signedAuthPack field
804 is invalid, it returns a KRB-ERROR [RFC4120] message with the code
805 KDC_ERR_INVALID_CERTIFICATE. The accompanying e-data for this error
806 message is a TYPED-DATA that contains an element whose data-type is
807 TD_INVALID_CERTIFICATES, and whose data-value contains the DER
808 encoding of the type TD-INVALID-CERTIFICATES:
809
810 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
811 ExternalPrincipalIdentifier
812 -- Each ExternalPrincipalIdentifier identifies a
813 -- certificate (sent by the client) with an invalid
814 -- signature.
815
816 Each ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the
817 TD-INVALID-CERTIFICATES structure identifies a certificate (that was
818 sent by the client) with an invalid signature.
819
820 If more than one X.509 certificate signature is invalid, the KDC MAY
821 include one IssuerAndSerialNumber per invalid signature within the
822 TD-INVALID-CERTIFICATES.
823
824 The client's X.509 certificate is validated according to [RFC3280].
825
826 Based on local policy, the KDC may also check whether any X.509
827 certificates in the certification path validating the client's
828 certificate have been revoked. If any of them have been revoked, the
829 KDC MUST return an error message with the code
830 KDC_ERR_REVOKED_CERTIFICATE; if the KDC attempts to determine the
831 revocation status but is unable to do so, it SHOULD return an error
832 message with the code KDC_ERR_REVOCATION_STATUS_UNKNOWN. The
833
834
835
836Zhu & Tung Expires August 11, 2006 [Page 15]
837�
838Internet-Draft PKINIT February 2006
839
840
841 certificate or certificates affected are identified exactly as for
842 the error code KDC_ERR_INVALID_CERTIFICATE (see above).
843
844 Note that the TD_INVALID_CERTIFICATES error data is only used to
845 identify invalid certificates sent by the client in the request.
846
847 The client's public key is then used to verify the signature. If the
848 signature fails to verify, the KDC MUST return an error message with
849 the code KDC_ERR_INVALID_SIG. There is no accompanying e-data for
850 this error message.
851
852 In addition to validating the client's signature, the KDC MUST also
853 check that the client's public key used to verify the client's
854 signature is bound to the client's principal name as specified in the
855 AS-REQ as follows:
856
857 1. If the KDC has its own binding between either the client's
858 signature-verification public key or the client's certificate and
859 the client's Kerberos principal name, it uses that binding.
860
861 2. Otherwise, if the client's X.509 certificate contains a Subject
862 Alternative Name (SAN) extension carrying a KRB5PrincipalName
863 (defined below) in the otherName field of the type GeneralName
864 [RFC3280], it binds the client's X.509 certificate to that name.
865
866 The type of the otherName field is AnotherName. The type-id field
867 of the type AnotherName is id-pkinit-san:
868
869 id-pkinit-san OBJECT IDENTIFIER ::=
870 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
871 x509SanAN (2) }
872
873 And the value field of the type AnotherName is a
874 KRB5PrincipalName.
875
876 KRB5PrincipalName ::= SEQUENCE {
877 realm [0] Realm,
878 principalName [1] PrincipalName
879 }
880
881 If the Kerberos client name in the AS-REQ does not match a name bound
882 by the KDC (the binding can be in the certificate, for example as
883 described above), or if there is no binding found by the KDC, the KDC
884 MUST return an error message with the code
885 KDC_ERR_CLIENT_NAME_MISMATCH. There is no accompanying e-data for
886 this error message.
887
888 Even if the certification path is validated and the certificate is
889
890
891
892Zhu & Tung Expires August 11, 2006 [Page 16]
893�
894Internet-Draft PKINIT February 2006
895
896
897 mapped to the client's principal name, the KDC may decide not to
898 accept the client's certificate, depending on local policy.
899
900 The KDC MAY require the presence of an Extended Key Usage (EKU)
901 KeyPurposeId [RFC3280] id-pkinit-KPClientAuth in the extensions field
902 of the client's X.509 certificate:
903
904 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::=
905 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
906 pkinit(3) keyPurposeClientAuth(4) }
907 -- PKINIT client authentication.
908 -- Key usage bits that MUST be consistent:
909 -- digitalSignature.
910
911 The digitalSignature key usage bit [RFC3280] MUST be asserted when
912 the intended purpose of the client's X.509 certificate is restricted
913 with the id-pkinit-KPClientAuth EKU.
914
915 If this EKU KeyPurposeId is required but it is not present or if the
916 client certificate is restricted not to be used for PKINIT client
917 authentication per Section 4.2.1.13 of [RFC3280], the KDC MUST return
918 an error message of the code KDC_ERR_INCONSISTENT_KEY_PURPOSE. There
919 is no accompanying e-data for this error message. KDCs implementing
920 this requirement SHOULD also accept the EKU KeyPurposeId id-ms-kp-sc-
921 logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as there
922 are a large number of X.509 client certificates deployed for use with
923 PKINIT which have this EKU.
924
925 As a matter of local policy, the KDC MAY decide to reject requests on
926 the basis of the absence or presence of other specific EKU OID's.
927
928 If the digest algorithm used in generating the CA signature for the
929 public key in any certificate of the request is not acceptable by the
930 KDC, the KDC MUST return a KRB-ERROR [RFC4120] message with the code
931 KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED. The accompanying e-data MUST be
932 encoded in TYPED-DATA although none is defined at this point.
933
934 If the client's public key is not accepted with reasons other than
935 what were specified above, the KDC returns a KRB-ERROR [RFC4120]
936 message with the code KDC_ERR_CLIENT_NOT_TRUSTED. There is no
937 accompanying e-data currently defined for this error message.
938
939 The KDC MUST check the timestamp to ensure that the request is not a
940 replay, and that the time skew falls within acceptable limits. The
941 recommendations for clock skew times in [RFC4120] apply here. If the
942 check fails, the KDC MUST return error code KRB_AP_ERR_REPEAT or
943 KRB_AP_ERR_SKEW, respectively.
944
945
946
947
948Zhu & Tung Expires August 11, 2006 [Page 17]
949�
950Internet-Draft PKINIT February 2006
951
952
953 If the clientPublicValue is filled in, indicating that the client
954 wishes to use the Diffie-Hellman key agreement method, the KDC SHOULD
955 check to see if the key parameters satisfy its policy. If they do
956 not, it MUST return an error message with the code
957 KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. The accompanying e-data is a
958 TYPED-DATA that contains an element whose data-type is
959 TD_DH_PARAMETERS, and whose data-value contains the DER encoding of
960 the type TD-DH-PARAMETERS:
961
962 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
963 -- Each AlgorithmIdentifier specifies a set of
964 -- Diffie-Hellman domain parameters [IEEE1363].
965 -- This list is in decreasing preference order.
966
967 TD-DH-PARAMETERS contains a list of Diffie-Hellman domain parameters
968 that the KDC supports in decreasing preference order, from which the
969 client SHOULD pick one to retry the request.
970
971 The AlgorithmIdentifier structure is defined in [RFC3280] and is
972 filled in according to [RFC3279]. More specifically Section 2.3.3 of
973 [RFC3279] describes how to fill in the AlgorithmIdentifier structure
974 in the case where MODP Diffie-Hellman key exchange is used.
975
976 If the client included a kdcPkId field in the PA-PK-AS-REQ and the
977 KDC does not possess the corresponding key, the KDC MUST ignore the
978 kdcPkId field as if the client did not include one.
979
980 If the digest algorithm used by the id-pkinit-authData is not
981 acceptable by the KDC, the KDC MUST return a KRB-ERROR [RFC4120]
982 message with the code KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED.
983 The accompanying e-data MUST be encoded in TYPED-DATA although none
984 is defined at this point.
985
9863.2.3. Generation of KDC Reply
987
988 If the paChecksum filed in the request is not present, the KDC
989 conforming to this specification MUST return a KRB-ERROR [RFC4120]
990 message with the code KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED. The
991 accompanying e-data MUST be encoded in TYPED-DATA (no error data is
992 defined by this specification).
993
994 Assuming that the client's request has been properly validated, the
995 KDC proceeds as per [RFC4120], except as follows.
996
997 The KDC MUST set the initial flag and include an authorization data
998 element of ad-type [RFC4120] AD_INITIAL_VERIFIED_CAS in the issued
999 ticket. The ad-data [RFC4120] field contains the DER encoding of the
1000 type AD-INITIAL-VERIFIED-CAS:
1001
1002
1003
1004Zhu & Tung Expires August 11, 2006 [Page 18]
1005�
1006Internet-Draft PKINIT February 2006
1007
1008
1009 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
1010 ExternalPrincipalIdentifier
1011 -- Identifies the certification path based on which
1012 -- the client certificate was validated.
1013 -- Each ExternalPrincipalIdentifier identifies a CA
1014 -- or a CA certificate (thereby its public key).
1015
1016 The AD-INITIAL-VERIFIED-CAS structure identifies the certification
1017 path based on which the client certificate was validated. Each
1018 ExternalPrincipalIdentifier (as defined in Section 3.2.1) in the AD-
1019 INITIAL-VERIFIED-CAS structure identifies a CA or a CA certificate
1020 (thereby its public key).
1021
1022 Note that the syntax for the AD-INITIAL-VERIFIED-CAS authorization
1023 data does permit empty SEQUENCEs to be encoded. Such empty sequences
1024 may only be used if the KDC itself vouches for the user's
1025 certificate.
1026
1027 The AS wraps any AD-INITIAL-VERIFIED-CAS data in AD-IF-RELEVANT
1028 containers if the list of CAs satisfies the AS' realm's local policy
1029 (this corresponds to the TRANSITED-POLICY-CHECKED ticket flag
1030 [RFC4120]). Furthermore, any TGS MUST copy such authorization data
1031 from tickets used within a PA-TGS-REQ of the TGS-REQ into the
1032 resulting ticket. If the list of CAs satisfies the local KDC's
1033 realm's policy, the TGS MAY wrap the data into the AD-IF-RELEVANT
1034 container, otherwise it MAY unwrap the authorization data out of the
1035 AD-IF-RELEVANT container.
1036
1037 Application servers that understand this authorization data type
1038 SHOULD apply local policy to determine whether a given ticket bearing
1039 such a type *not* contained within an AD-IF-RELEVANT container is
1040 acceptable. (This corresponds to the AP server checking the
1041 transited field when the TRANSITED-POLICY-CHECKED flag has not been
1042 set [RFC4120].) If such a data type is contained within an AD-IF-
1043 RELEVANT container, AP servers MAY apply local policy to determine
1044 whether the authorization data is acceptable.
1045
1046 A pre-authentication data element, whose padata-type is PA_PK_AS_REP
1047 and whose padata-value contains the DER encoding of the type PA-PK-
1048 AS-REP (defined below), is included in the AS-REP [RFC4120].
1049
1050 PA-PK-AS-REP ::= CHOICE {
1051 dhInfo [0] DHRepInfo,
1052 -- Selected when Diffie-Hellman key exchange is
1053 -- used.
1054 encKeyPack [1] IMPLICIT OCTET STRING,
1055 -- Selected when public key encryption is used.
1056 -- Contains a CMS type ContentInfo encoded
1057
1058
1059
1060Zhu & Tung Expires August 11, 2006 [Page 19]
1061�
1062Internet-Draft PKINIT February 2006
1063
1064
1065 -- according to [RFC3852].
1066 -- The contentType field of the type ContentInfo is
1067 -- id-envelopedData (1.2.840.113549.1.7.3).
1068 -- The content field is an EnvelopedData.
1069 -- The contentType field for the type EnvelopedData
1070 -- is id-signedData (1.2.840.113549.1.7.2).
1071 -- The eContentType field for the inner type
1072 -- SignedData (when unencrypted) is
1073 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1074 -- eContent field contains the DER encoding of the
1075 -- type ReplyKeyPack.
1076 -- ReplyKeyPack is defined in Section 3.2.3.2.
1077 ...
1078 }
1079
1080 DHRepInfo ::= SEQUENCE {
1081 dhSignedData [0] IMPLICIT OCTET STRING,
1082 -- Contains a CMS type ContentInfo encoded according
1083 -- to [RFC3852].
1084 -- The contentType field of the type ContentInfo is
1085 -- id-signedData (1.2.840.113549.1.7.2), and the
1086 -- content field is a SignedData.
1087 -- The eContentType field for the type SignedData is
1088 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
1089 -- eContent field contains the DER encoding of the
1090 -- type KDCDHKeyInfo.
1091 -- KDCDHKeyInfo is defined below.
1092 serverDHNonce [1] DHNonce OPTIONAL,
1093 -- Present if and only if dhKeyExpiration is
1094 -- present in the KDCDHKeyInfo.
1095 ...
1096 }
1097
1098 KDCDHKeyInfo ::= SEQUENCE {
1099 subjectPublicKey [0] BIT STRING,
1100 -- The KDC's DH public key.
1101 -- The DH public key value is encoded as a BIT
1102 -- STRING according to [RFC3279].
1103 nonce [1] INTEGER (0..4294967295),
1104 -- Contains the nonce in the pkAuthenticator field
1105 -- in the request if the DH keys are NOT reused,
1106 -- 0 otherwise.
1107 dhKeyExpiration [2] KerberosTime OPTIONAL,
1108 -- Expiration time for KDC's key pair,
1109 -- present if and only if the DH keys are reused.
1110 -- If present, the KDC's DH public key MUST not be
1111 -- used past the point of this expiration time.
1112 -- If this field is omitted then the serverDHNonce
1113
1114
1115
1116Zhu & Tung Expires August 11, 2006 [Page 20]
1117�
1118Internet-Draft PKINIT February 2006
1119
1120
1121 -- field MUST also be omitted.
1122 ...
1123 }
1124
1125 The content of the AS-REP is otherwise unchanged from [RFC4120]. The
1126 KDC encrypts the reply as usual, but not with the client's long-term
1127 key. Instead, it encrypts it with either a shared key derived from a
1128 Diffie-Hellman exchange, or a generated encryption key. The contents
1129 of the PA-PK-AS-REP indicate which key delivery method is used.
1130
1131 If the client does not wish to use the Diffie-Hellman key delivery
1132 method (the clientPublicValue field is not present in the request)
1133 and the KDC does not support the public key encryption key delivery
1134 method, the KDC MUST return an error message with the code
1135 KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED. There is no
1136 accompanying e-data for this error message.
1137
1138 In addition, the lifetime of the ticket returned by the KDC MUST NOT
1139 exceed that of the client's public-private key pair. The ticket
1140 lifetime, however, can be shorter than that of the client's public-
1141 private key pair. For the implementations of this specification, the
1142 lifetime of the client's public-private key pair is the validity
1143 period in X.509 certificates [RFC3280], unless configured otherwise.
1144
11453.2.3.1. Using Diffie-Hellman Key Exchange
1146
1147 In this case, the PA-PK-AS-REP contains a DHRepInfo structure.
1148
1149 The ContentInfo [RFC3852] structure for the dhSignedData field is
1150 filled in as follows:
1151
1152 1. The contentType field of the type ContentInfo is id-signedData
1153 (as defined in [RFC3852]), and the content field is a SignedData
1154 (as defined in [RFC3852]).
1155
1156 2. The eContentType field for the type SignedData is the OID value
1157 for id-pkinit-DHKeyData: { iso(1) org(3) dod(6) internet(1)
1158 security(5) kerberosv5(2) pkinit(3) DHKeyData(2) }. Notes to CMS
1159 implementers: the signed attribute content-type MUST be present
1160 in this SignedData instance and its value is id-pkinit-DHKeyData
1161 according to [RFC3852].
1162
1163 3. The eContent field for the type SignedData contains the DER
1164 encoding of the type KDCDHKeyInfo.
1165
1166 4. The KDCDHKeyInfo structure contains the KDC's public key, a nonce
1167 and optionally the expiration time of the KDC's DH key being
1168 reused. The subjectPublicKey field of the type KDCDHKeyInfo
1169
1170
1171
1172Zhu & Tung Expires August 11, 2006 [Page 21]
1173�
1174Internet-Draft PKINIT February 2006
1175
1176
1177 field identifies KDC's DH public key. This DH public key value
1178 is encoded as a BIT STRING according to [RFC3279]. The nonce
1179 field contains the nonce in the pkAuthenticator field in the
1180 request if the DH keys are NOT reused. The value of this nonce
1181 field is 0 if the DH keys are reused. The dhKeyExpiration field
1182 is present if and only if the DH keys are reused. If the
1183 dhKeyExpiration field is present, the KDC's public key in this
1184 KDCDHKeyInfo structure MUST NOT be used past the point of this
1185 expiration time. If this field is omitted then the serverDHNonce
1186 field MUST also be omitted.
1187
1188 5. The signerInfos field of the type SignedData contains a single
1189 signerInfo, which contains the signature over the type
1190 KDCDHKeyInfo.
1191
1192 6. The certificates field of the type SignedData contains
1193 certificates intended to facilitate certification path
1194 construction, so that the client can verify the KDC's signature
1195 over the type KDCDHKeyInfo. The information contained in the
1196 trustedCertifiers in the request SHOULD be used by the KDC as
1197 hints to guide its selection of an appropriate certificate chain
1198 to return to the client. This field may be left empty if the KDC
1199 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1200 used for signing. Otherwise, for path validation, these
1201 certificates SHOULD be sufficient to construct at least one
1202 certification path from the KDC certificate to one trust anchor
1203 acceptable by the client [RFC4158]. The KDC MUST be capable of
1204 including such a set of certificates if configured to do so. The
1205 certificates field MUST NOT contain "root" CA certificates.
1206
1207 7. If the client included the clientDHNonce field, then the KDC may
1208 choose to reuse its DH keys. If the server reuses DH keys then
1209 it MUST include an expiration time in the dhKeyExpiration field.
1210 Past the point of the expiration time, the signature over the
1211 type DHRepInfo is considered expired/invalid. When the server
1212 reuses DH keys then it MUST include a serverDHNonce at least as
1213 long as the length of keys for the symmetric encryption system
1214 used to encrypt the AS reply. Note that including the
1215 serverDHNonce changes how the client and server calculate the key
1216 to use to encrypt the reply; see below for details. The KDC
1217 SHOULD NOT reuse DH keys unless the clientDHNonce field is
1218 present in the request.
1219
1220 The AS reply key is derived as follows:
1221
1222
1223
1224
1225
1226
1227
1228Zhu & Tung Expires August 11, 2006 [Page 22]
1229�
1230Internet-Draft PKINIT February 2006
1231
1232
1233 1. Both the KDC and the client calculate the shared secret value as
1234 follows:
1235
1236 a) When MODP Diffie-Hellman is used, let DHSharedSecret be the
1237 shared secret value. DHSharedSecret is the value ZZ as
1238 described in Section 2.1.1 of [RFC2631].
1239
1240 DHSharedSecret is first padded with leading zeros such that the
1241 size of DHSharedSecret in octets is the same as that of the
1242 modulus, then represented as a string of octets in big-endian
1243 order.
1244
1245 Implementation note: Both the client and the KDC can cache the
1246 triple (ya, yb, DHSharedSecret), where ya is the client's public
1247 key and yb is the KDC's public key. If both ya and yb are the
1248 same in a later exchange, the cached DHSharedSecret can be used.
1249
1250 2. Let K be the key-generation seed length [RFC3961] of the AS reply
1251 key whose enctype is selected according to [RFC4120].
1252
1253 3. Define the function octetstring2key() as follows:
1254
1255 octetstring2key(x) == random-to-key(K-truncate(
1256 SHA1(0x00 | x) |
1257 SHA1(0x01 | x) |
1258 SHA1(0x02 | x) |
1259 ...
1260 ))
1261
1262 where x is an octet string; | is the concatenation operator; 0x00,
1263 0x01, 0x02, etc., are each represented as a single octet; random-
1264 to-key() is an operation that generates a protocol key from a
1265 bitstring of length K; and K-truncate truncates its input to the
1266 first K bits. Both K and random-to-key() are as defined in the
1267 kcrypto profile [RFC3961] for the enctype of the AS reply key.
1268
1269 4. When DH keys are reused, let n_c be the clientDHNonce, and n_k be
1270 the serverDHNonce; otherwise, let both n_c and n_k be empty octet
1271 strings.
1272
1273 5. The AS reply key k is:
1274
1275 k = octetstring2key(DHSharedSecret | n_c | n_k)
1276
12773.2.3.2. Using Public Key Encryption
1278
1279 In this case, the PA-PK-AS-REP contains the encKeyPack field where
1280 the AS reply key is encrypted.
1281
1282
1283
1284Zhu & Tung Expires August 11, 2006 [Page 23]
1285�
1286Internet-Draft PKINIT February 2006
1287
1288
1289 The ContentInfo [RFC3852] structure for the encKeyPack field is
1290 filled in as follows:
1291
1292 1. The contentType field of the type ContentInfo is id-envelopedData
1293 (as defined in [RFC3852]), and the content field is an
1294 EnvelopedData (as defined in [RFC3852]).
1295
1296 2. The contentType field for the type EnvelopedData is id-
1297 signedData: { iso (1) member-body (2) us (840) rsadsi (113549)
1298 pkcs (1) pkcs7 (7) signedData (2) }.
1299
1300 3. The eContentType field for the inner type SignedData (when
1301 decrypted from the encryptedContent field for the type
1302 EnvelopedData) is id-pkinit-rkeyData: { iso(1) org(3) dod(6)
1303 internet(1) security(5) kerberosv5(2) pkinit(3) rkeyData(3) }.
1304 Notes to CMS implementers: the signed attribute content-type MUST
1305 be present in this SignedData instance and its value is id-
1306 pkinit-rkeyData according to [RFC3852].
1307
1308 4. The eContent field for the inner type SignedData contains the DER
1309 encoding of the type ReplyKeyPack (as described below).
1310
1311 5. The signerInfos field of the inner type SignedData contains a
1312 single signerInfo, which contains the signature for the type
1313 ReplyKeyPack.
1314
1315 6. The certificates field of the inner type SignedData contains
1316 certificates intended to facilitate certification path
1317 construction, so that the client can verify the KDC's signature
1318 for the type ReplyKeyPack. The information contained in the
1319 trustedCertifiers in the request SHOULD be used by the KDC as
1320 hints to guide its selection of an appropriate certificate chain
1321 to return to the client. This field may be left empty if the KDC
1322 public key specified by the kdcPkId field in the PA-PK-AS-REQ was
1323 used for signing. Otherwise, for path validation, these
1324 certificates SHOULD be sufficient to construct at least one
1325 certification path from the KDC certificate to one trust anchor
1326 acceptable by the client [RFC4158]. The KDC MUST be capable of
1327 including such a set of certificates if configured to do so. The
1328 certificates field MUST NOT contain "root" CA certificates.
1329
1330 7. The recipientInfos field of the type EnvelopedData is a SET which
1331 MUST contain exactly one member of type KeyTransRecipientInfo.
1332 The encryptedKey of this member contains the temporary key which
1333 is encrypted using the client's public key.
1334
1335
1336
1337
1338
1339
1340Zhu & Tung Expires August 11, 2006 [Page 24]
1341�
1342Internet-Draft PKINIT February 2006
1343
1344
1345 8. The unprotectedAttrs or originatorInfo fields of the type
1346 EnvelopedData MAY be present.
1347
1348 If there is a supportedCMSTypes field in the AuthPack, the KDC must
1349 check to see if it supports any of the listed types. If it supports
1350 more than one of the types, the KDC SHOULD use the one listed first.
1351 If it does not support any of them, it MUST return an error message
1352 with the code KDC_ERR_ETYPE_NOSUPP [RFC4120].
1353
1354 Furthermore the KDC computes the checksum of the AS-REQ in the client
1355 request. This checksum is performed over the type AS-REQ and the
1356 protocol key [RFC3961] of the checksum operation is the replyKey and
1357 the key usage number is 6. If the replyKey's enctype is "newer"
1358 [RFC4120] [RFC4121], the checksum operation is the required checksum
1359 operation [RFC3961] of that enctype.
1360
1361 ReplyKeyPack ::= SEQUENCE {
1362 replyKey [0] EncryptionKey,
1363 -- Contains the session key used to encrypt the
1364 -- enc-part field in the AS-REP, i.e. the
1365 -- AS reply key.
1366 asChecksum [1] Checksum,
1367 -- Contains the checksum of the AS-REQ
1368 -- corresponding to the containing AS-REP.
1369 -- The checksum is performed over the type AS-REQ.
1370 -- The protocol key [RFC3961] of the checksum is the
1371 -- replyKey and the key usage number is 6.
1372 -- If the replyKey's enctype is "newer" [RFC4120]
1373 -- [RFC4121], the checksum is the required
1374 -- checksum operation [RFC3961] for that enctype.
1375 -- The client MUST verify this checksum upon receipt
1376 -- of the AS-REP.
1377 ...
1378 }
1379
1380 Implementations of this RSA encryption key delivery method are
1381 RECOMMENDED to support RSA keys at least 2048 bits in size.
1382
13833.2.4. Receipt of KDC Reply
1384
1385 Upon receipt of the KDC's reply, the client proceeds as follows. If
1386 the PA-PK-AS-REP contains the dhSignedData field, the client derives
1387 the AS reply key using the same procedure used by the KDC as defined
1388 in Section 3.2.3.1. Otherwise, the message contains the encKeyPack
1389 field, and the client decrypts and extracts the temporary key in the
1390 encryptedKey field of the member KeyTransRecipientInfo, and then uses
1391 that as the AS reply key.
1392
1393
1394
1395
1396Zhu & Tung Expires August 11, 2006 [Page 25]
1397�
1398Internet-Draft PKINIT February 2006
1399
1400
1401 If the public key encryption method is used, the client MUST verify
1402 the asChecksum contained in the ReplyKeyPack.
1403
1404 In either case, the client MUST verify the signature in the
1405 SignedData according to [RFC3852]. The KDC's X.509 certificate MUST
1406 be validated according to [RFC3280]. In addition, unless the client
1407 can otherwise verify that the public key used to verify the KDC's
1408 signature is bound to the KDC of the target realm, the KDC's X.509
1409 certificate MUST contain a Subject Alternative Name extension
1410 [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as
1411 defined in Section 3.2.2) and whose value is a KRB5PrincipalName that
1412 matches the name of the TGS of the target realm (as defined in
1413 Section 7.3 of [RFC4120]).
1414
1415 Unless the client knows by some other means that the KDC certificate
1416 is intended for a Kerberos KDC, the client MUST require that the KDC
1417 certificate contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc:
1418
1419 id-pkinit-KPKdc OBJECT IDENTIFIER ::=
1420 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1421 pkinit(3) keyPurposeKdc(5) }
1422 -- Signing KDC responses.
1423 -- Key usage bits that MUST be consistent:
1424 -- digitalSignature.
1425
1426 The digitalSignature key usage bit [RFC3280] MUST be asserted when
1427 the intended purpose of the KDC's X.509 certificate is restricted
1428 with the id-pkinit-KPKdc EKU.
1429
1430 If the KDC certificate contains the Kerberos TGS name encoded as an
1431 id-pkinit-san SAN, this certificate is certified by the issuing CA as
1432 a KDC certificate, therefore the id-pkinit-KPKdc EKU is not required.
1433
1434 If all applicable checks are satisfied, the client then decrypts the
1435 enc-part field of the KDC-REP in the AS-REP using the AS reply key,
1436 and then proceeds as described in [RFC4120].
1437
14383.3. Interoperability Requirements
1439
1440 The client MUST be capable of sending a set of certificates
1441 sufficient to allow the KDC to construct a certification path for the
1442 client's certificate, if the correct set of certificates is provided
1443 through configuration or policy.
1444
1445 If the client sends all the X.509 certificates on a certification
1446 path to a trust anchor acceptable by the KDC, and the KDC can not
1447 verify the client's public key otherwise, the KDC MUST be able to
1448 process path validation for the client's certificate based on the
1449
1450
1451
1452Zhu & Tung Expires August 11, 2006 [Page 26]
1453�
1454Internet-Draft PKINIT February 2006
1455
1456
1457 certificates in the request.
1458
1459 The KDC MUST be capable of sending a set of certificates sufficient
1460 to allow the client to construct a certification path for the KDC's
1461 certificate, if the correct set of certificates is provided through
1462 configuration or policy.
1463
1464 If the KDC sends all the X.509 certificates on a certification path
1465 to a trust anchor acceptable by the client, and the client can not
1466 verify the KDC's public key otherwise, the client MUST be able to
1467 process path validation for the KDC's certificate based on the
1468 certificates in the reply.
1469
14703.4. KDC Indication of PKINIT Support
1471
1472 If pre-authentication is required, but was not present in the
1473 request, per [RFC4120] an error message with the code
1474 KDC_ERR_PREAUTH_FAILED is returned and a METHOD-DATA object will be
1475 stored in the e-data field of the KRB-ERROR message to specify which
1476 pre-authentication mechanisms are acceptable. The KDC can then
1477 indicate the support of PKINIT by including an empty element whose
1478 padata-type is PA_PK_AS_REQ in that METHOD-DATA object.
1479
1480 Otherwise if it is required by the KDC's local policy that the client
1481 must be pre-authenticated using the pre-authentication mechanism
1482 specified in this document, but no PKINIT pre-authentication was
1483 present in the request, an error message with the code
1484 KDC_ERR_PREAUTH_FAILED SHOULD be returned.
1485
1486 KDCs MUST leave the padata-value field of the PA_PK_AS_REQ element in
1487 the KRB-ERROR's METHOD-DATA empty (i.e., send a zero-length OCTET
1488 STRING), and clients MUST ignore this and any other value. Future
1489 extensions to this protocol may specify other data to send instead of
1490 an empty OCTET STRING.
1491
1492
14934. Security Considerations
1494
1495 The security of cryptographic algorithms is dependent on generating
1496 secret quantities [RFC4086]. The number of truly random bits is
1497 extremely important to determining the attack resistance strength of
1498 the cryptosystem, for example, the secret Diffie-Hellman exponents
1499 must be chosen based on n truly random bits (where n is the system
1500 security requirement). The security of the overall system is
1501 significantly weakened by using insufficient random inputs: a
1502 sophisticated attacker may find it easier to reproduce the
1503 environment that produced the secret quantities and to search the
1504 resulting small set of possibilities than to locate the quantities in
1505
1506
1507
1508Zhu & Tung Expires August 11, 2006 [Page 27]
1509�
1510Internet-Draft PKINIT February 2006
1511
1512
1513 the whole of the potential number space.
1514
1515 Kerberos error messages are not integrity protected, as a result, the
1516 domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered
1517 with by an attacker so that the set of domain parameters selected
1518 could be either weaker or not mutually preferred. Local policy can
1519 configure sets of domain parameters acceptable locally, or disallow
1520 the negotiation of DH domain parameters.
1521
1522 The symmetric reply key size and Diffie-Hellman field size or RSA
1523 modulus size should be chosen so as to provide sufficient
1524 cryptographic security [RFC3766].
1525
1526 When MODP Diffie-Hellman is used, the exponents should have at least
1527 twice as many bits as the symmetric keys that will be derived from
1528 them [ODL99].
1529
1530 PKINIT raises certain security considerations beyond those that can
1531 be regulated strictly in protocol definitions. We will address them
1532 in this section.
1533
1534 PKINIT extends the cross-realm model to the public-key
1535 infrastructure. Users of PKINIT must understand security policies
1536 and procedures appropriate to the use of Public Key Infrastructures
1537 [RFC3280].
1538
1539 In order to trust a KDC certificate that is certified by a CA as a
1540 KDC certificate for a target realm (for example, by asserting the TGS
1541 name of that Kerberos realm as an id-pkinit-san SAN and/or
1542 restricting the certificate usage by using the id-pkinit-KPKdc EKU,
1543 as described in Section 3.2.4), the client MUST verify that the KDC
1544 certificate's issuing CA is authorized to issue KDC certificates for
1545 that target realm. Otherwise, the binding between the KDC
1546 certificate and the KDC of the target realm is not established.
1547
1548 How to validate this authorization is a matter of local policy. A
1549 way to achieve this is the configuration of specific sets of
1550 intermediary CAs and trust anchors, one of which must be on the KDC
1551 certificate's certification path [RFC3280]; and for each CA or trust
1552 anchor the realms for which it is allowed to issue certificates.
1553
1554 In addition, if any CA is trusted to issue KDC certificates can also
1555 issue other kinds of certificates, then local policy must be able to
1556 distinguish between them: for example, it could require that KDC
1557 certificates contain the id-pkinit-KPKdc EKU or that the realm be
1558 specified with the id-pkinit-san SAN.
1559
1560 It is the responsibility of the PKI administrators for an
1561
1562
1563
1564Zhu & Tung Expires August 11, 2006 [Page 28]
1565�
1566Internet-Draft PKINIT February 2006
1567
1568
1569 organization to ensure that KDC certificates are only issued to KDCs,
1570 and that clients can ascertain this using their local policy.
1571
1572 Standard Kerberos allows the possibility of interactions between
1573 cryptosystems of varying strengths; this document adds interactions
1574 with public-key cryptosystems to Kerberos. Some administrative
1575 policies may allow the use of relatively weak public keys. When
1576 using such weak asymmetric keys to protect/exchange stronger
1577 symmetric Keys, the attack resistant strength of the overall system
1578 is no better than that of these weak keys [RFC3766].
1579
1580 PKINIT requires keys for symmetric cryptosystems to be generated.
1581 Some such systems contain "weak" keys. For recommendations regarding
1582 these weak keys, see [RFC4120].
1583
1584 PKINIT allows the use of the same RSA key pair for encryption and
1585 signing when doing RSA encryption based key delivery. This is not
1586 recommended usage of RSA keys [RFC3447], by using DH based key
1587 delivery this is avoided.
1588
1589 Care should be taken in how certificates are chosen for the purposes
1590 of authentication using PKINIT. Some local policies may require that
1591 key escrow be used for certain certificate types. Deployers of
1592 PKINIT should be aware of the implications of using certificates that
1593 have escrowed keys for the purposes of authentication. Because
1594 signing only certificates are normally not escrowed, by using DH
1595 based key delivery this is avoided.
1596
1597 PKINIT does not provide for a "return routability" test to prevent
1598 attackers from mounting a denial-of-service attack on the KDC by
1599 causing it to perform unnecessary and expensive public-key
1600 operations. Strictly speaking, this is also true of standard
1601 Kerberos, although the potential cost is not as great, because
1602 standard Kerberos does not make use of public-key cryptography. By
1603 using DH based key delivery and reusing DH keys, the necessary crypto
1604 processing cost per request can be minimized.
1605
1606 When the Diffie-Hellman key exchange method is used, additional pre-
1607 authentication data [RFC4120] (in addition to the PA_PK_AS_REQ as
1608 defined in this specification) is not bound to the AS_REQ by the
1609 mechanisms discussed in this specification (meaning it may be dropped
1610 or added by attackers without being detected by either the client or
1611 the KDC). Designers of additional pre-authentication data should
1612 take that into consideration if such additional pre-authentication
1613 data can be used in conjunction with the PA_PK_AS_REQ. The future
1614 work of the Kerberos working group is expected to update the hash
1615 algorithms specified in this document and provide a generic mechanism
1616 to bind additional pre-authentication data with the accompanying
1617
1618
1619
1620Zhu & Tung Expires August 11, 2006 [Page 29]
1621�
1622Internet-Draft PKINIT February 2006
1623
1624
1625 AS_REQ.
1626
1627
16285. Acknowledgements
1629
1630 The following people have made significant contributions to this
1631 draft: Paul Leach, Stefan Santesson, Sam Hartman, Love Hornquist
1632 Astrand, Ken Raeburn, Nicolas Williams, John Wray, Tom Yu, Jeffrey
1633 Hutzelman, David Cross, Dan Simon, Karthik Jaganathan, Chaskiel M
1634 Grundman and Jeffrey Altman.
1635
1636 Andre Scedrov, Aaron D. Jaggard, Iliano Cervesato, Joe-Kai Tsay and
1637 Chris Walstad discovered a binding issue between the AS-REQ and AS-
1638 REP in draft -26, the asChecksum field was added as the result.
1639
1640 Special thanks to Clifford Neuman, Matthew Hur, Sasha Medvinsky and
1641 Jonathan Trostle who wrote earlier versions of this document.
1642
1643 The authors are indebted to the Kerberos working group chair Jeffrey
1644 Hutzelman who kept track of various issues and was enormously helpful
1645 during the creation of this document.
1646
1647 Some of the ideas on which this document is based arose during
1648 discussions over several years between members of the SAAG, the IETF
1649 CAT working group, and the PSRG, regarding integration of Kerberos
1650 and SPX. Some ideas have also been drawn from the DASS system.
1651 These changes are by no means endorsed by these groups. This is an
1652 attempt to revive some of the goals of those groups, and this
1653 document approaches those goals primarily from the Kerberos
1654 perspective.
1655
1656 Lastly, comments from groups working on similar ideas in DCE have
1657 been invaluable.
1658
1659
16606. IANA Considerations
1661
1662 This document has no actions for IANA.
1663
1664
16657. References
1666
16677.1. Normative References
1668
1669 [IEEE1363]
1670 IEEE, "Standard Specifications for Public Key
1671 Cryptography", IEEE 1363, 2000.
1672
1673
1674
1675
1676Zhu & Tung Expires August 11, 2006 [Page 30]
1677�
1678Internet-Draft PKINIT February 2006
1679
1680
1681 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1682 Requirement Levels", BCP 14, RFC 2119, March 1997.
1683
1684 [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol",
1685 RFC 2412, November 1998.
1686
1687 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
1688 RFC 2631, June 1999.
1689
1690 [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and
1691 Identifiers for the Internet X.509 Public Key
1692 Infrastructure Certificate and Certificate Revocation List
1693 (CRL) Profile", RFC 3279, April 2002.
1694
1695 [RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
1696 X.509 Public Key Infrastructure Certificate and
1697 Certificate Revocation List (CRL) Profile", RFC 3280,
1698 April 2002.
1699
1700 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
1701 Algorithms", RFC 3370, August 2002.
1702
1703 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
1704 Standards (PKCS) #1: RSA Cryptography Specifications
1705 Version 2.1", RFC 3447, February 2003.
1706
1707 [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP)
1708 Diffie-Hellman groups for Internet Key Exchange (IKE)",
1709 RFC 3526, May 2003.
1710
1711 [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport
1712 Algorithm in Cryptographic Message Syntax (CMS)",
1713 RFC 3560, July 2003.
1714
1715 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
1716 Encryption Algorithm in Cryptographic Message Syntax
1717 (CMS)", RFC 3565, July 2003.
1718
1719 [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
1720 Public Keys Used For Exchanging Symmetric Keys", BCP 86,
1721 RFC 3766, April 2004.
1722
1723 [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
1724 RFC 3852, July 2004.
1725
1726 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
1727 Kerberos 5", RFC 3961, February 2005.
1728
1729
1730
1731
1732Zhu & Tung Expires August 11, 2006 [Page 31]
1733�
1734Internet-Draft PKINIT February 2006
1735
1736
1737 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
1738 Encryption for Kerberos 5", RFC 3962, February 2005.
1739
1740 [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1741 Requirements for Security", BCP 106, RFC 4086, June 2005.
1742
1743 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
1744 Kerberos Network Authentication Service (V5)", RFC 4120,
1745 July 2005.
1746
1747 [X680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
1748 Information technology - Abstract Syntax Notation One
1749 (ASN.1): Specification of basic notation.
1750
1751 [X690] ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
1752 Information technology - ASN.1 encoding Rules: Specification
1753 of Basic Encoding Rules (BER), Canonical Encoding Rules
1754 (CER) and Distinguished Encoding Rules (DER).
1755
17567.2. Informative References
1757
1758 [LENSTRA] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
1759 Sizes", Journal of Cryptology 14 (2001) 255-293.
1760
1761 [ODL99] Odlyzko, A., "Discrete logarithms: The past and the
1762 future, Designs, Codes, and Cryptography (1999)".
1763 April 1999.
1764
1765 [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
1766 Version 5 Generic Security Service Application Program
1767 Interface (GSS-API) Mechanism: Version 2", RFC 4121,
1768 July 2005.
1769
1770 [RFC4158] Cooper, M., Dzambasow, Y., Hesse, P., Joseph, S., and R.
1771 Nicholas, "Internet X.509 Public Key Infrastructure:
1772 Certification Path Building", RFC 4158, September 2005.
1773
1774
1775Appendix A. PKINIT ASN.1 Module
1776
1777 KerberosV5-PK-INIT-SPEC {
1778 iso(1) identified-organization(3) dod(6) internet(1)
1779 security(5) kerberosV5(2) modules(4) pkinit(5)
1780 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
1781
1782 IMPORTS
1783
1784
1785
1786Zhu & Tung Expires August 11, 2006 [Page 32]
1787�
1788Internet-Draft PKINIT February 2006
1789
1790
1791 SubjectPublicKeyInfo, AlgorithmIdentifier
1792 FROM PKIX1Explicit88 { iso (1)
1793 identified-organization (3) dod (6) internet (1)
1794 security (5) mechanisms (5) pkix (7) id-mod (0)
1795 id-pkix1-explicit (18) }
1796 -- As defined in RFC 3280.
1797
1798 KerberosTime, PrincipalName, Realm, EncryptionKey
1799 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
1800 dod(6) internet(1) security(5) kerberosV5(2)
1801 modules(4) krb5spec2(2) } ;
1802
1803 id-pkinit OBJECT IDENTIFIER ::=
1804 { iso (1) org (3) dod (6) internet (1) security (5)
1805 kerberosv5 (2) pkinit (3) }
1806
1807 id-pkinit-authData OBJECT IDENTIFIER ::= { id-pkinit 1 }
1808 id-pkinit-DHKeyData OBJECT IDENTIFIER ::= { id-pkinit 2 }
1809 id-pkinit-rkeyData OBJECT IDENTIFIER ::= { id-pkinit 3 }
1810 id-pkinit-KPClientAuth OBJECT IDENTIFIER ::= { id-pkinit 4 }
1811 id-pkinit-KPKdc OBJECT IDENTIFIER ::= { id-pkinit 5 }
1812
1813 id-pkinit-san OBJECT IDENTIFIER ::=
1814 { iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
1815 x509SanAN (2) }
1816
1817 pa-pk-as-req INTEGER ::= 16
1818 pa-pk-as-rep INTEGER ::= 17
1819
1820 ad-initial-verified-cas INTEGER ::= 9
1821
1822 td-trusted-certifiers INTEGER ::= 104
1823 td-invalid-certificates INTEGER ::= 105
1824 td-dh-parameters INTEGER ::= 109
1825
1826 PA-PK-AS-REQ ::= SEQUENCE {
1827 signedAuthPack [0] IMPLICIT OCTET STRING,
1828 -- Contains a CMS type ContentInfo encoded
1829 -- according to [RFC3852].
1830 -- The contentType field of the type ContentInfo
1831 -- is id-signedData (1.2.840.113549.1.7.2),
1832 -- and the content field is a SignedData.
1833 -- The eContentType field for the type SignedData is
1834 -- id-pkinit-authData (1.3.6.1.5.2.3.1), and the
1835 -- eContent field contains the DER encoding of the
1836 -- type AuthPack.
1837 -- AuthPack is defined below.
1838 trustedCertifiers [1] SEQUENCE OF
1839
1840
1841
1842Zhu & Tung Expires August 11, 2006 [Page 33]
1843�
1844Internet-Draft PKINIT February 2006
1845
1846
1847 ExternalPrincipalIdentifier OPTIONAL,
1848 -- Contains a list of CAs, trusted by the client,
1849 -- that can be used to certify the KDC.
1850 -- Each ExternalPrincipalIdentifier identifies a CA
1851 -- or a CA certificate (thereby its public key).
1852 -- The information contained in the
1853 -- trustedCertifiers SHOULD be used by the KDC as
1854 -- hints to guide its selection of an appropriate
1855 -- certificate chain to return to the client.
1856 kdcPkId [2] IMPLICIT OCTET STRING
1857 OPTIONAL,
1858 -- Contains a CMS type SignerIdentifier encoded
1859 -- according to [RFC3852].
1860 -- Identifies, if present, a particular KDC
1861 -- public key that the client already has.
1862 ...
1863 }
1864
1865 DHNonce ::= OCTET STRING
1866
1867 ExternalPrincipalIdentifier ::= SEQUENCE {
1868 subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
1869 -- Contains a PKIX type Name encoded according to
1870 -- [RFC3280].
1871 -- Identifies the certificate subject by the
1872 -- distinguished subject name.
1873 -- REQUIRED when there is a distinguished subject
1874 -- name present in the certificate.
1875 issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
1876 -- Contains a CMS type IssuerAndSerialNumber encoded
1877 -- according to [RFC3852].
1878 -- Identifies a certificate of the subject.
1879 -- REQUIRED for TD-INVALID-CERTIFICATES and
1880 -- TD-TRUSTED-CERTIFIERS.
1881 subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
1882 -- Identifies the subject's public key by a key
1883 -- identifier. When an X.509 certificate is
1884 -- referenced, this key identifier matches the X.509
1885 -- subjectKeyIdentifier extension value. When other
1886 -- certificate formats are referenced, the documents
1887 -- that specify the certificate format and their use
1888 -- with the CMS must include details on matching the
1889 -- key identifier to the appropriate certificate
1890 -- field.
1891 -- RECOMMENDED for TD-TRUSTED-CERTIFIERS.
1892 ...
1893 }
1894
1895
1896
1897
1898Zhu & Tung Expires August 11, 2006 [Page 34]
1899�
1900Internet-Draft PKINIT February 2006
1901
1902
1903 AuthPack ::= SEQUENCE {
1904 pkAuthenticator [0] PKAuthenticator,
1905 clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
1906 -- Type SubjectPublicKeyInfo is defined in
1907 -- [RFC3280].
1908 -- Specifies Diffie-Hellman domain parameters
1909 -- and the client's public key value [IEEE1363].
1910 -- The DH public key value is encoded as a BIT
1911 -- STRING according to [RFC3279].
1912 -- This field is present only if the client wishes
1913 -- to use the Diffie-Hellman key agreement method.
1914 supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier
1915 OPTIONAL,
1916 -- Type AlgorithmIdentifier is defined in
1917 -- [RFC3280].
1918 -- List of CMS algorithm [RFC3370] identifiers
1919 -- that identify key transport algorithms, or
1920 -- content encryption algorithms, or signature
1921 -- algorithms supported by the client in order of
1922 -- (decreasing) preference.
1923 clientDHNonce [3] DHNonce OPTIONAL,
1924 -- Present only if the client indicates that it
1925 -- wishes to reuse DH keys or to allow the KDC to
1926 -- do so.
1927 ...
1928 }
1929
1930 PKAuthenticator ::= SEQUENCE {
1931 cusec [0] INTEGER (0..999999),
1932 ctime [1] KerberosTime,
1933 -- cusec and ctime are used as in [RFC4120], for
1934 -- replay prevention.
1935 nonce [2] INTEGER (0..4294967295),
1936 -- Chosen randomly; This nonce does not need to
1937 -- match with the nonce in the KDC-REQ-BODY.
1938 paChecksum [3] OCTET STRING OPTIONAL,
1939 -- MUST be present.
1940 -- Contains the SHA1 checksum, performed over
1941 -- KDC-REQ-BODY.
1942 ...
1943 }
1944
1945 TD-TRUSTED-CERTIFIERS ::= SEQUENCE OF
1946 ExternalPrincipalIdentifier
1947 -- Identifies a list of CAs trusted by the KDC.
1948 -- Each ExternalPrincipalIdentifier identifies a CA
1949 -- or a CA certificate (thereby its public key).
1950
1951
1952
1953
1954Zhu & Tung Expires August 11, 2006 [Page 35]
1955�
1956Internet-Draft PKINIT February 2006
1957
1958
1959 TD-INVALID-CERTIFICATES ::= SEQUENCE OF
1960 ExternalPrincipalIdentifier
1961 -- Each ExternalPrincipalIdentifier identifies a
1962 -- certificate (sent by the client) with an invalid
1963 -- signature.
1964
1965 KRB5PrincipalName ::= SEQUENCE {
1966 realm [0] Realm,
1967 principalName [1] PrincipalName
1968 }
1969
1970 AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF
1971 ExternalPrincipalIdentifier
1972 -- Identifies the certification path based on which
1973 -- the client certificate was validated.
1974 -- Each ExternalPrincipalIdentifier identifies a CA
1975 -- or a CA certificate (thereby its public key).
1976
1977 PA-PK-AS-REP ::= CHOICE {
1978 dhInfo [0] DHRepInfo,
1979 -- Selected when Diffie-Hellman key exchange is
1980 -- used.
1981 encKeyPack [1] IMPLICIT OCTET STRING,
1982 -- Selected when public key encryption is used.
1983 -- Contains a CMS type ContentInfo encoded
1984 -- according to [RFC3852].
1985 -- The contentType field of the type ContentInfo is
1986 -- id-envelopedData (1.2.840.113549.1.7.3).
1987 -- The content field is an EnvelopedData.
1988 -- The contentType field for the type EnvelopedData
1989 -- is id-signedData (1.2.840.113549.1.7.2).
1990 -- The eContentType field for the inner type
1991 -- SignedData (when unencrypted) is
1992 -- id-pkinit-rkeyData (1.3.6.1.5.2.3.3) and the
1993 -- eContent field contains the DER encoding of the
1994 -- type ReplyKeyPack.
1995 -- ReplyKeyPack is defined below.
1996 ...
1997 }
1998
1999 DHRepInfo ::= SEQUENCE {
2000 dhSignedData [0] IMPLICIT OCTET STRING,
2001 -- Contains a CMS type ContentInfo encoded according
2002 -- to [RFC3852].
2003 -- The contentType field of the type ContentInfo is
2004 -- id-signedData (1.2.840.113549.1.7.2), and the
2005 -- content field is a SignedData.
2006 -- The eContentType field for the type SignedData is
2007
2008
2009
2010Zhu & Tung Expires August 11, 2006 [Page 36]
2011�
2012Internet-Draft PKINIT February 2006
2013
2014
2015 -- id-pkinit-DHKeyData (1.3.6.1.5.2.3.2), and the
2016 -- eContent field contains the DER encoding of the
2017 -- type KDCDHKeyInfo.
2018 -- KDCDHKeyInfo is defined below.
2019 serverDHNonce [1] DHNonce OPTIONAL,
2020 -- Present if and only if dhKeyExpiration is
2021 -- present.
2022 ...
2023 }
2024
2025 KDCDHKeyInfo ::= SEQUENCE {
2026 subjectPublicKey [0] BIT STRING,
2027 -- The KDC's DH public key.
2028 -- The DH public key value is encoded as a BIT
2029 -- STRING according to [RFC3279].
2030 nonce [1] INTEGER (0..4294967295),
2031 -- Contains the nonce in the pkAuthenticator field
2032 -- in the request if the DH keys are NOT reused,
2033 -- 0 otherwise.
2034 dhKeyExpiration [2] KerberosTime OPTIONAL,
2035 -- Expiration time for KDC's key pair,
2036 -- present if and only if the DH keys are reused.
2037 -- If present, the KDC's DH public key MUST not be
2038 -- used past the point of this expiration time.
2039 -- If this field is omitted then the serverDHNonce
2040 -- field MUST also be omitted.
2041 ...
2042 }
2043
2044 ReplyKeyPack ::= SEQUENCE {
2045 replyKey [0] EncryptionKey,
2046 -- Contains the session key used to encrypt the
2047 -- enc-part field in the AS-REP, i.e. the
2048 -- AS reply key.
2049 asChecksum [1] Checksum,
2050 -- Contains the checksum of the AS-REQ
2051 -- corresponding to the containing AS-REP.
2052 -- The checksum is performed over the type AS-REQ.
2053 -- The protocol key [RFC3961] of the checksum is the
2054 -- replyKey and the key usage number is 6.
2055 -- If the replyKey's enctype is "newer" [RFC4120]
2056 -- [RFC4121], the checksum is the required
2057 -- checksum operation [RFC3961] for that enctype.
2058 -- The client MUST verify this checksum upon receipt
2059 -- of the AS-REP.
2060 ...
2061 }
2062
2063
2064
2065
2066Zhu & Tung Expires August 11, 2006 [Page 37]
2067�
2068Internet-Draft PKINIT February 2006
2069
2070
2071 TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier
2072 -- Each AlgorithmIdentifier specifies a set of
2073 -- Diffie-Hellman domain parameters [IEEE1363].
2074 -- This list is in decreasing preference order.
2075 END
2076
2077
2078Appendix B. Test Vectors
2079
2080 Function octetstring2key() is defined in Section 3.2.3.1. This
2081 section describes a few sets of test vectors that would be useful for
2082 implementers of octetstring2key().
2083
2084
2085 Set 1
2086 =====
2087 Input octet string x is:
2088
2089 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2091 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2092 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2093 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2094 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2095 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2096 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2097 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2098 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2099 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2101 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2102 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2103 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2104 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2105
2106 Output of K-truncate() when the key size is 32 octets:
2107
2108 5e e5 0d 67 5c 80 9f e5 9e 4a 77 62 c5 4b 65 83
2109 75 47 ea fb 15 9b d8 cd c7 5f fc a5 91 1e 4c 41
2110
2111
2112 Set 2:
2113 =====
2114 Input octet string x is:
2115
2116 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2117 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2118 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2119
2120
2121
2122Zhu & Tung Expires August 11, 2006 [Page 38]
2123�
2124Internet-Draft PKINIT February 2006
2125
2126
2127 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2128 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2129 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2131 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2132
2133 Output of K-truncate() when the key size is 32 octets:
2134
2135 ac f7 70 7c 08 97 3d df db 27 cd 36 14 42 cc fb
2136 a3 55 c8 88 4c b4 72 f3 7d a6 36 d0 7d 56 78 7e
2137
2138
2139 Set 3:
2140 ======
2141 Input octet string x is:
2142
2143 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2144 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2145 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2146 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2147 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b
2148 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a
2149 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08 09
2150 0a 0b 0c 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2151
2152 Output of K-truncate() when the key size is 32 octets:
2153
2154 c4 42 da 58 5f cb 80 e4 3b 47 94 6f 25 40 93 e3
2155 73 29 d9 90 01 38 0d b7 83 71 db 3a cf 5c 79 7e
2156
2157
2158 Set 4:
2159 =====
2160 Input octet string x is:
2161
2162 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
2163 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
2164 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d
2165 0e 0f 10 00 01 02 03 04 05 06 07 08 09 0a 0b 0c
2166 0d 0e 0f 10 00 01 02 03 04 05 06 07 08
2167
2168 Output of K-truncate() when the key size is 32 octets:
2169
2170 00 53 95 3b 84 c8 96 f4 eb 38 5c 3f 2e 75 1c 4a
2171 59 0e d6 ff ad ca 6f f6 4f 47 eb eb 8d 78 0f fc
2172
2173
2174
2175
2176
2177
2178Zhu & Tung Expires August 11, 2006 [Page 39]
2179�
2180Internet-Draft PKINIT February 2006
2181
2182
2183Appendix C. Miscellaneous Information about Microsoft Windows PKINIT
2184 Implementations
2185
2186 Earlier revisions of the PKINIT I-D were implemented in various
2187 releases of Microsoft Windows and deployed in fairly large numbers.
2188 To enable the community to better interoperate with systems running
2189 those releases, the following information may be useful.
2190
2191 KDC certificates issued by Windows 2000 Enterprise CAs contain a
2192 dNSName SAN with the DNS name of the host running the KDC, and the
2193 id-kp-serverAuth EKU [RFC3280].
2194
2195 KDC certificates issued by Windows 2003 Enterprise CAs contain a
2196 dNSName SAN with the DNS name of the host running the KDC, the id-kp-
2197 serverAuth EKU and the id-ms-kp-sc-logon EKU.
2198
2199 It is anticipated that the next release of Windows is already too far
2200 along to allow it to support the issuing KDC certificates with id-
2201 pkinit-san SAN as specified in this RFC. Instead, they will have a
2202 dNSName SAN containing the domain name of the KDC and the intended
2203 purpose of these KDC certificates be restricted by the presence of
2204 the id-pkinit-KPKdc EKU and id-kp-serverAuth EKU.
2205
2206 In addition to checking that the above are present in a KDC
2207 certificate, Windows clients verify that the issuer of the KDC
2208 certificate is one of a set of allowed issuers of such certificates,
2209 so those wishing to issue KDC certificates need to configure their
2210 Windows clients appropriately.
2211
2212 Client certificates accepted by Windows 2000 and Windows 2003 Server
2213 KDCs must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3)
2214 SAN and the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN
2215 contains a UTF8 encoded string whose value is that of the Directory
2216 Service attribute UserPrincipalName of the client account object, and
2217 the purpose of including the id-ms-san-sc-logon-upn SAN in the client
2218 certificate is to validate the client mapping (in other words, the
2219 client's public key is bound to the account that has this
2220 UserPrincipalName value).
2221
2222 It should be noted that all Microsoft Kerberos realm names are domain
2223 style realm names and strictly in upper case. In addition, the
2224 UserPrincipalName attribute is globally unique in Windows 2000 and
2225 Windows 2003.
2226
2227
2228
2229
2230
2231
2232
2233
2234Zhu & Tung Expires August 11, 2006 [Page 40]
2235�
2236Internet-Draft PKINIT February 2006
2237
2238
2239Authors' Addresses
2240
2241 Larry Zhu
2242 Microsoft Corporation
2243 One Microsoft Way
2244 Redmond, WA 98052
2245 US
2246
2247 Email: lzhu@microsoft.com
2248
2249
2250 Brian Tung
2251 USC Information Sciences Institute
2252 4676 Admiralty Way Suite 1001
2253 Marina del Rey, CA 90292
2254 US
2255
2256 Email: brian@isi.edu
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290Zhu & Tung Expires August 11, 2006 [Page 41]
2291�
2292Internet-Draft PKINIT February 2006
2293
2294
2295Intellectual Property Statement
2296
2297 The IETF takes no position regarding the validity or scope of any
2298 Intellectual Property Rights or other rights that might be claimed to
2299 pertain to the implementation or use of the technology described in
2300 this document or the extent to which any license under such rights
2301 might or might not be available; nor does it represent that it has
2302 made any independent effort to identify any such rights. Information
2303 on the procedures with respect to rights in RFC documents can be
2304 found in BCP 78 and BCP 79.
2305
2306 Copies of IPR disclosures made to the IETF Secretariat and any
2307 assurances of licenses to be made available, or the result of an
2308 attempt made to obtain a general license or permission for the use of
2309 such proprietary rights by implementers or users of this
2310 specification can be obtained from the IETF on-line IPR repository at
2311 http://www.ietf.org/ipr.
2312
2313 The IETF invites any interested party to bring to its attention any
2314 copyrights, patents or patent applications, or other proprietary
2315 rights that may cover technology that may be required to implement
2316 this standard. Please address the information to the IETF at
2317 ietf-ipr@ietf.org.
2318
2319
2320Disclaimer of Validity
2321
2322 This document and the information contained herein are provided on an
2323 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2324 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2325 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2326 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2327 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2328 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2329
2330
2331Copyright Statement
2332
2333 Copyright (C) The Internet Society (2006). This document is subject
2334 to the rights, licenses and restrictions contained in BCP 78, and
2335 except as set forth therein, the authors retain all their rights.
2336
2337
2338Acknowledgment
2339
2340 Funding for the RFC Editor function is currently provided by the
2341 Internet Society.
2342
2343
2344
2345
2346Zhu & Tung Expires August 11, 2006 [Page 42]
2347