doc/standardisation/draft-ietf-kitten-gssapi-channel-bindings-01.txt

KITTEN WG                                                    N. Williams
Internet-Draft                                                       Sun
Expires: April 19, 2006                                 October 16, 2005


  Clarifications and Extensions to the GSS-API for the Use of Channel
                                Bindings
            draft-ietf-kitten-gssapi-channel-bindings-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 19, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document clarifies and generalizes the GSS-API "channel
   bindings" facility.  This document also specifies the format of the
   various types of channel bindings.


Williams                 Expires April 19, 2006                 [Page 1]

Internet-Draft          GSS-API Channel Bindings            October 2005


Table of Contents

   1.  Conventions used in this document  . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Generic Structure for GSS-API Channel Bindings . . . . . . . .  5
     3.1.  Proper Mechanism Use of Channel Bindings . . . . . . . . .  5
   4.  Channel Bindings for SSHv2 . . . . . . . . . . . . . . . . . .  6
     4.1.  GSS_Make_sshv2_channel_bindings()  . . . . . . . . . . . .  6
       4.1.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . .  7
   5.  Channel Bindings for TLS . . . . . . . . . . . . . . . . . . .  8
     5.1.  GSS_Make_tls_channel_bindings()  . . . . . . . . . . . . .  8
       5.1.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . .  9
   6.  Channel Bindings for IPsec . . . . . . . . . . . . . . . . . . 10
     6.1.  GSS_Make_ipsec_channel_bindings()  . . . . . . . . . . . . 10
       6.1.1.  C-Bindings . . . . . . . . . . . . . . . . . . . . . . 11
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     8.1.  Normative  . . . . . . . . . . . . . . . . . . . . . . . . 13
     8.2.  Informative  . . . . . . . . . . . . . . . . . . . . . . . 13
   Appendix A.  Acknowledgments . . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
   Intellectual Property and Copyright Statements . . . . . . . . . . 16


Williams                 Expires April 19, 2006                 [Page 2]

Internet-Draft          GSS-API Channel Bindings            October 2005


1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


Williams                 Expires April 19, 2006                 [Page 3]

Internet-Draft          GSS-API Channel Bindings            October 2005


2.  Introduction

   The concept of "channel bindings" and the abstract construction of
   channel bindings for several types of channels are described in
   [CHANNEL-BINDINGS]

   To actually use channel bindings in GSS-API aplications additional
   details are required that are given below.

   First the structure given to channel bindings data in [RFC2744] is
   generalized to all of the GSS-API, not just its C-Bindings.

   Then the actual construction of channel bindings to SSHv2, TLS and
   IPsec channels is given.


Williams                 Expires April 19, 2006                 [Page 4]

Internet-Draft          GSS-API Channel Bindings            October 2005


3.  Generic Structure for GSS-API Channel Bindings

   The base GSS-API v2, update 1 specification [RFC2743]describes
   channel bindings as an OCTET STRING and leaves it to the GSS-API v2,
   update 1 C-Bindings specification to specify the structure of the
   contents of the channel bindings OCTET STRINGs.  The C-Bindings
   specification [RFC2744]then defines, in terms of C, what should be
   generic structure for channel bindings.  The Kerberos V GSS mechanism
   [RFC1964]then defines a method for encoding GSS channel bindings in a
   way that is independent of the C-Bindings!

   In other words, the structure of GSS channel bindings given in
   [RFC2744] is actually generic, rather than specific to the C
   programming language.

   Here, then, is a generic re-statement of this structure, in pseudo-
   ASN.1:

                   GSS-CHANNEL-BINDINGS := SEQUENCE {
                           initiator-address-type  INTEGER,
                           initiator-address       OCTET STRING,
                           acceptor-address-type   INTEGER,
                           acceptor-address        OCTET STRING,
                           application-data        OCTET STRING,
                   }

   The values for the address fields are described in [RFC2744].

   Language-specific bindings of the GSS-API should specify a language-
   specific formulation of this structure.

3.1.  Proper Mechanism Use of Channel Bindings

   As described in [CHANNEL-BINDINGS], GSS mechanisms should exchange
   integrity protected proofs of channel bindings, where the proof is
   obtained by running a strong hash of the channel bindings data
   (encoded as per some mechanism-specific, such as in [RFC1964]) and a
   binary value to represent the initiator->acceptor, and opposite,
   direction.

   The encoding of channel bindings used in [RFC1964], with the addition
   of a binary value as described above, and the substitution of SHA-1
   for MD5 is a reasonable, generic encoding of GSS-CHANNEL-BINDINGS
   that any future GSS mechanisms can use.


Williams                 Expires April 19, 2006                 [Page 5]

Internet-Draft          GSS-API Channel Bindings            October 2005


4.  Channel Bindings for SSHv2

   The SSHv2 channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:

   1.  The ASCII string "GSS SSHv2 CB:"

   2.  The SSHv2 session ID

   3.  Any additional application-provided data, encoded as the DER
       encoding of an ASN.1 OCTET STRING

4.1.  GSS_Make_sshv2_channel_bindings()

   Inputs:


   o  session_id OCTET STRING,

   o  additional_app_data OCTET STRING

   Outputs:


   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  channel_bindings_app_data OCTET STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_FAILURE indicates failure to construct the channel bindings
      as a result, perhaps, of a memory management, or similar failure.

   This function constructs an OCTET STRING for use as the value of the
   application-data field of the GSS-CHANNEL-BINDINGS structure
   described above.


Williams                 Expires April 19, 2006                 [Page 6]

Internet-Draft          GSS-API Channel Bindings            October 2005


4.1.1.  C-Bindings

   OM_uint32 gss_make_sshv2_channel_bindings(
     OM_uint32                     *minor_status,
     const gss_buffer_t            session_id,
     const gss_buffer_t            additional_app_data,
     gss_buffer_t       channel_bindings_app_data
   );


Williams                 Expires April 19, 2006                 [Page 7]

Internet-Draft          GSS-API Channel Bindings            October 2005


5.  Channel Bindings for TLS

   The TLS channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:

   1.  The ASCII string "GSS TLSv1.0 CB:"

   2.  The TLS finished message sent by the client

   3.  The TLS finished message sent by the server

   4.  Any additional application-provided data, encoded as the DER
       encoding of an ASN.1 OCTET STRING

5.1.  GSS_Make_tls_channel_bindings()

   Inputs:


   o  client_finished_msg OCTET STRING,

   o  server_finished_msg OCTET STRING,

   o  additional_app_data OCTET STRING

   Outputs:


   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  channel_bindings_app_data OCTET STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_FAILURE indicates failure to construct the channel bindings
      as a result, perhaps, of a memory management, or similar failure.

   This function constructs an OCTET STRING for use as the value of the
   application-data field of the GSS-CHANNEL-BINDINGS structure
   described above.


Williams                 Expires April 19, 2006                 [Page 8]

Internet-Draft          GSS-API Channel Bindings            October 2005


5.1.1.  C-Bindings

   OM_uint32 gss_make_tls_channel_bindings(
     OM_uint32                     *minor_status,
     const gss_buffer_t            client_finished_msg,
     const gss_buffer_t            server_finished_msg,
     const gss_buffer_t            additional_app_data,
     gss_buffer_t          channel_bindings_app_data
   );


Williams                 Expires April 19, 2006                 [Page 9]

Internet-Draft          GSS-API Channel Bindings            October 2005


6.  Channel Bindings for IPsec

   The IPsec channel bindings are constructed as an octet string for the
   'application-data' field of the channel bindings by concatenating the
   following values and in this order:


   1.  The ASCII string "GSS IPsec CB:"

   2.  The transform ID for encryption, as a 16-bit big-endian word

   3.  The transform ID for integrity protection, as 16-bit in big-
       endian word

   4.  NOTE: The following needs to be updated to take into account
       progress of BTNS.

   5.  The initiator ID payload as used in the key exchange protocol
       used for setting up the channel's SAs

   6.  The responder ID payload as used in the key exchange protocol
       used for setting up the channel's SAs

   7.  Any additional application-provided data, encoded as the DER
       encoding of an ASN.1 OCTET STRING

   Note that traffic selectors are not included.  Inclusion of
   confidentiality/integrity algorithms protects against MITMs that can
   compromise weaker algorithms that policy might permit, for the same
   peers, for other traffic.

6.1.  GSS_Make_ipsec_channel_bindings()

   Inputs:


   o  encr_alg INTEGER,

   o  integ_alg INTEGER,

   o  initiator_id OCTET_STRING,

   o  acceptor_id OCTET_STRING,

   o  additional_app_data OCTET STRING

   Outputs:


Williams                 Expires April 19, 2006                [Page 10]

Internet-Draft          GSS-API Channel Bindings            October 2005


   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  channel_bindings_app_data OCTET STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_FAILURE indicates failure to construct the channel bindings
      as a result, perhaps, of a memory management, or similar failure.

   This function constructs an OCTET STRING for use as the value of the
   application-data field of the GSS-CHANNEL-BINDINGS structure
   described above.

6.1.1.  C-Bindings

   OM_uint32 gss_make_ipsec_channel_bindings(
     OM_uint32                     *minor_status,
     OM_uint32                     encr_alg,
     OM_uint32                     integ_alg,
     const gss_buffer_t            initiator_id,
     const gss_buffer_t            acceptor_id,
     const gss_buffer_t            additional_app_data,
     gss_buffer_t          channel_bindings_app_data
   );


Williams                 Expires April 19, 2006                [Page 11]

Internet-Draft          GSS-API Channel Bindings            October 2005


7.  Security Considerations

   For general security considerations relating to channel bindings see
   [CHANNEL-BINDINGS]


Williams                 Expires April 19, 2006                [Page 12]

Internet-Draft          GSS-API Channel Bindings            October 2005


8.  References

8.1.  Normative

   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
              RFC 1964, June 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

8.2.  Informative

   [RFC0854]  Postel, J. and J. Reynolds, "Telnet Protocol
              Specification", STD 8, RFC 854, May 1983.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2025]  Adams, C., "The Simple Public-Key GSS-API Mechanism
              (SPKM)", RFC 2025, October 1996.

   [RFC2203]  Eisler, M., Chiu, A., and L. Ling, "RPCSEC_GSS Protocol
              Specification", RFC 2203, September 1997.

   [RFC2478]  Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
              Negotiation Mechanism", RFC 2478, December 1998.

   [RFC2623]  Eisler, M., "NFS Version 2 and Version 3 Security Issues
              and the NFS Protocol's Use of RPCSEC_GSS and Kerberos V5",
              RFC 2623, June 1999.

   [RFC3530]  Shepler, S., Callaghan, B., Robinson, D., Thurlow, R.,
              Beame, C., Eisler, M., and D. Noveck, "Network File System
              (NFS) version 4 Protocol", RFC 3530, April 2003.


Williams                 Expires April 19, 2006                [Page 13]

Internet-Draft          GSS-API Channel Bindings            October 2005


Appendix A.  Acknowledgments

   The author would like to thank Mike Eisler for his work on the
   Channel Conjunction Mechanism I-D and for bringing the problem to a
   head, Sam Hartman for pointing out that channel bindings provide a
   general solution to the channel binding problem, Jeff Altman for his
   suggestion of using the TLS finished messages as the TLS channel
   bindings, Bill Sommerfeld, for his help in developing channel
   bindings for IPsec, and Radia Perlman for her most helpful comments.


Williams                 Expires April 19, 2006                [Page 14]

Internet-Draft          GSS-API Channel Bindings            October 2005


Author's Address

   Nicolas Williams
   Sun Microsystems
   5300 Riata Trace Ct
   Austin, TX  78727
   US

   Email: Nicolas.Williams@sun.com


Williams                 Expires April 19, 2006                [Page 15]

Internet-Draft          GSS-API Channel Bindings            October 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.


Williams                 Expires April 19, 2006                [Page 16]