1
2
3
4Kerberos Working Group S. Hartman
5Internet-Draft Painless Security
6Updates: 4120 (if approved) L. Zhu
7Intended status: Standards Track Microsoft Corporation
8Expires: February 13, 2010 August 12, 2009
9
10
11 A Generalized Framework for Kerberos Pre-Authentication
12 draft-ietf-krb-wg-preauth-framework-14
13
14Status of this Memo
15
16 This Internet-Draft is submitted to IETF in full conformance with the
17 provisions of BCP 78 and BCP 79.
18
19 Internet-Drafts are working documents of the Internet Engineering
20 Task Force (IETF), its areas, and its working groups. Note that
21 other groups may also distribute working documents as Internet-
22 Drafts.
23
24 Internet-Drafts are draft documents valid for a maximum of six months
25 and may be updated, replaced, or obsoleted by other documents at any
26 time. It is inappropriate to use Internet-Drafts as reference
27 material or to cite them other than as "work in progress."
28
29 The list of current Internet-Drafts can be accessed at
30 http://www.ietf.org/ietf/1id-abstracts.txt.
31
32 The list of Internet-Draft Shadow Directories can be accessed at
33 http://www.ietf.org/shadow.html.
34
35 This Internet-Draft will expire on February 13, 2010.
36
37Copyright Notice
38
39 Copyright (c) 2009 IETF Trust and the persons identified as the
40 document authors. All rights reserved.
41
42 This document is subject to BCP 78 and the IETF Trust's Legal
43 Provisions Relating to IETF Documents in effect on the date of
44 publication of this document (http://trustee.ietf.org/license-info).
45 Please review these documents carefully, as they describe your rights
46 and restrictions with respect to this document.
47
48Abstract
49
50 Kerberos is a protocol for verifying the identity of principals
51 (e.g., a workstation user or a network server) on an open network.
52
53
54
55Hartman & Zhu Expires February 13, 2010 [Page 1]
56�
57Internet-Draft Kerberos Preauth Framework August 2009
58
59
60 The Kerberos protocol provides a mechanism called pre-authentication
61 for proving the identity of a principal and for better protecting the
62 long-term secrets of the principal.
63
64 This document describes a model for Kerberos pre-authentication
65 mechanisms. The model describes what state in the Kerberos request a
66 pre-authentication mechanism is likely to change. It also describes
67 how multiple pre-authentication mechanisms used in the same request
68 will interact.
69
70 This document also provides common tools needed by multiple pre-
71 authentication mechanisms. One of these tools is a secure channel
72 between the client and the KDC with a reply key strengthening
73 mechanism; this secure channel can be used to protect the
74 authentication exchange thus eliminate offline dictionary attacks.
75 With these tools, it is relatively straightforward to chain multiple
76 authentication mechanisms, utilize a different key management system,
77 or support a new key agreement algorithm.
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111Hartman & Zhu Expires February 13, 2010 [Page 2]
112�
113Internet-Draft Kerberos Preauth Framework August 2009
114
115
116Table of Contents
117
118 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
119 2. Conventions and Terminology Used in This Document . . . . . . 6
120 3. Model for Pre-Authentication . . . . . . . . . . . . . . . . . 6
121 3.1. Information Managed by the Pre-authentication Model . . . 7
122 3.2. Initial Pre-authentication Required Error . . . . . . . . 10
123 3.3. Client to KDC . . . . . . . . . . . . . . . . . . . . . . 10
124 3.4. KDC to Client . . . . . . . . . . . . . . . . . . . . . . 11
125 4. Pre-Authentication Facilities . . . . . . . . . . . . . . . . 12
126 4.1. Client-authentication Facility . . . . . . . . . . . . . . 13
127 4.2. Strengthening-reply-key Facility . . . . . . . . . . . . . 14
128 4.3. Replacing-reply-key Facility . . . . . . . . . . . . . . . 15
129 4.4. KDC-authentication Facility . . . . . . . . . . . . . . . 15
130 5. Requirements for Pre-Authentication Mechanisms . . . . . . . . 16
131 6. Tools for Use in Pre-Authentication Mechanisms . . . . . . . . 17
132 6.1. Combining Keys . . . . . . . . . . . . . . . . . . . . . . 17
133 6.2. Protecting Requests/Responses . . . . . . . . . . . . . . 18
134 6.3. Managing States for the KDC . . . . . . . . . . . . . . . 19
135 6.4. Pre-authentication Set . . . . . . . . . . . . . . . . . . 20
136 6.5. Definition of Kerberos FAST Padata . . . . . . . . . . . . 23
137 6.5.1. FAST Armors . . . . . . . . . . . . . . . . . . . . . 24
138 6.5.2. FAST Request . . . . . . . . . . . . . . . . . . . . . 26
139 6.5.3. FAST Response . . . . . . . . . . . . . . . . . . . . 30
140 6.5.4. Authenticated Kerberos Error Messages using
141 Kerberos FAST . . . . . . . . . . . . . . . . . . . . 33
142 6.5.5. Outer and Inner Requests . . . . . . . . . . . . . . . 34
143 6.5.6. The Encrypted Challenge FAST Factor . . . . . . . . . 34
144 6.6. Authentication Strength Indication . . . . . . . . . . . . 36
145 7. Assigned Constants . . . . . . . . . . . . . . . . . . . . . . 37
146 7.1. New Errors . . . . . . . . . . . . . . . . . . . . . . . . 37
147 7.2. Key Usage Numbers . . . . . . . . . . . . . . . . . . . . 37
148 7.3. Authorization Data Elements . . . . . . . . . . . . . . . 37
149 7.4. New PA-DATA Types . . . . . . . . . . . . . . . . . . . . 38
150 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
151 8.1. Pre-authentication and Typed Data . . . . . . . . . . . . 38
152 8.2. Fast Armor Types . . . . . . . . . . . . . . . . . . . . . 40
153 8.3. FAST Options . . . . . . . . . . . . . . . . . . . . . . . 40
154 9. Security Considerations . . . . . . . . . . . . . . . . . . . 41
155 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 42
156 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43
157 11.1. Normative References . . . . . . . . . . . . . . . . . . . 43
158 11.2. Informative References . . . . . . . . . . . . . . . . . . 43
159 Appendix A. Test Vectors for KRB-FX-CF2 . . . . . . . . . . . . . 44
160 Appendix B. Change History . . . . . . . . . . . . . . . . . . . 45
161 B.1. Changes since 13 . . . . . . . . . . . . . . . . . . . . . 45
162 B.2. Changes since 12 . . . . . . . . . . . . . . . . . . . . . 45
163 B.3. Changes since 11 . . . . . . . . . . . . . . . . . . . . . 45
164
165
166
167Hartman & Zhu Expires February 13, 2010 [Page 3]
168�
169Internet-Draft Kerberos Preauth Framework August 2009
170
171
172 B.4. Changes since 10 . . . . . . . . . . . . . . . . . . . . . 45
173 B.5. Changes since 09 . . . . . . . . . . . . . . . . . . . . . 45
174 B.6. Changes since 08 . . . . . . . . . . . . . . . . . . . . . 46
175 B.7. Changes since 07 . . . . . . . . . . . . . . . . . . . . . 47
176 B.8. Changes since 06 . . . . . . . . . . . . . . . . . . . . . 47
177 Appendix C. ASN.1 module . . . . . . . . . . . . . . . . . . . . 47
178 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 50
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223Hartman & Zhu Expires February 13, 2010 [Page 4]
224�
225Internet-Draft Kerberos Preauth Framework August 2009
226
227
2281. Introduction
229
230 The core Kerberos specification [RFC4120] treats pre-authentication
231 data as an opaque typed hole in the messages to the KDC that may
232 influence the reply key used to encrypt the KDC reply. This
233 generality has been useful: pre-authentication data is used for a
234 variety of extensions to the protocol, many outside the expectations
235 of the initial designers. However, this generality makes designing
236 more common types of pre-authentication mechanisms difficult. Each
237 mechanism needs to specify how it interacts with other mechanisms.
238 Also, problems like combining a key with the long-term secrets or
239 proving the identity of the user are common to multiple mechanisms.
240 Where there are generally well-accepted solutions to these problems,
241 it is desirable to standardize one of these solutions so mechanisms
242 can avoid duplication of work. In other cases, a modular approach to
243 these problems is appropriate. The modular approach will allow new
244 and better solutions to common pre-authentication problems to be used
245 by existing mechanisms as they are developed.
246
247 This document specifies a framework for Kerberos pre-authentication
248 mechanisms. It defines the common set of functions that pre-
249 authentication mechanisms perform as well as how these functions
250 affect the state of the request and reply. In addition several
251 common tools needed by pre-authentication mechanisms are provided.
252 Unlike [RFC3961], this framework is not complete--it does not
253 describe all the inputs and outputs for the pre-authentication
254 mechanisms. Pre-Authentication mechanism designers should try to be
255 consistent with this framework because doing so will make their
256 mechanisms easier to implement. Kerberos implementations are likely
257 to have plugin architectures for pre-authentication; such
258 architectures are likely to support mechanisms that follow this
259 framework plus commonly used extensions. This framework also
260 facilitates combining multiple pre-authentication mechanisms, each of
261 which may represent an authentication factor, into a single multi-
262 factor pre-authentication mechanism.
263
264 One of these common tools is the flexible authentication secure
265 tunneling (FAST) padata type. FAST provides a protected channel
266 between the client and the KDC, and it can optionally deliver key
267 material used to strengthen the reply key within the protected
268 channel. Based on FAST, pre-authentication mechanisms can extend
269 Kerberos with ease, to support, for example, password authenticated
270 key exchange (PAKE) protocols with zero knowledge password proof
271 (ZKPP) [EKE] [IEEE1363.2]. Any pre-authentication mechanism can be
272 encapsulated in the FAST messages as defined in Section 6.5. A pre-
273 authentication type carried within FAST is called a FAST factor.
274 Creating a FAST factor is the easiest path to create a new pre-
275 authentication mechanism. FAST factors are significantly easier to
276
277
278
279Hartman & Zhu Expires February 13, 2010 [Page 5]
280�
281Internet-Draft Kerberos Preauth Framework August 2009
282
283
284 analyze from a security standpoint than other pre-authentication
285 mechanisms.
286
287 Mechanism designers should design FAST factors, instead of new pre-
288 authentication mechanisms outside of FAST.
289
290
2912. Conventions and Terminology Used in This Document
292
293 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
294 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
295 document are to be interpreted as described in [RFC2119].
296
297 This document should be read only after reading the documents
298 describing the Kerberos cryptography framework [RFC3961] and the core
299 Kerberos protocol [RFC4120]. This document may freely use
300 terminology and notation from these documents without reference or
301 further explanation.
302
303 The word padata is used as a shorthand for pre-authentication data.
304
305 A conversation is the set of all authentication messages exchanged
306 between the client and the client's Authentication Service (AS) in
307 order to authenticate the client principal. A conversation as
308 defined here consists of all messages that are necessary to complete
309 the authentication between the client and the client's AS. In the
310 Ticket Exchange Service (TGS) exchange, a conversation consists of
311 the request message and the reply message. The term conversation is
312 defined here for both AS and TGS for convenience of discussion. See
313 Section 6.3 for specific rules on the extent of a conversation in the
314 AS-REQ case. Prior to this framework, implementations needed to use
315 implementation-specific heuristics to determine the extent of a
316 conversation.
317
318 If the KDC reply in an AS exchange is verified, the KDC is
319 authenticated by the client. In this document, verification of the
320 KDC reply is used as a synonym of authentication of the KDC.
321
322
3233. Model for Pre-Authentication
324
325 When a Kerberos client wishes to obtain a ticket using the
326 authentication server, it sends an initial Authentication Service
327 (AS) request. If pre-authentication is required but not being used,
328 then the KDC will respond with a KDC_ERR_PREAUTH_REQUIRED error.
329 Alternatively, if the client knows what pre-authentication to use, it
330 MAY optimize away a round-trip and send an initial request with
331 padata included in the initial request. If the client includes the
332
333
334
335Hartman & Zhu Expires February 13, 2010 [Page 6]
336�
337Internet-Draft Kerberos Preauth Framework August 2009
338
339
340 padata computed using the wrong pre-authentication mechanism or
341 incorrect keys, the KDC MAY return KDC_ERR_PREAUTH_FAILED with no
342 indication of what padata should have been included. In that case,
343 the client MUST retry with no padata and examine the error data of
344 the KDC_ERR_PREAUTH_REQUIRED error. If the KDC includes pre-
345 authentication information in the accompanying error data of
346 KDC_ERR_PREAUTH_FAILED, the client SHOULD process the error data, and
347 then retry.
348
349 The conventional KDC maintains no state between two requests;
350 subsequent requests may even be processed by a different KDC. On the
351 other hand, the client treats a series of exchanges with KDCs as a
352 single conversation. Each exchange accumulates state and hopefully
353 brings the client closer to a successful authentication.
354
355 These models for state management are in apparent conflict. For many
356 of the simpler pre-authentication scenarios, the client uses one
357 round trip to find out what mechanisms the KDC supports. Then the
358 next request contains sufficient pre-authentication for the KDC to be
359 able to return a successful reply. For these simple scenarios, the
360 client only sends one request with pre-authentication data and so the
361 conversation is trivial. For more complex conversations, the KDC
362 needs to provide the client with a cookie to include in future
363 requests to capture the current state of the authentication session.
364 Handling of multiple round-trip mechanisms is discussed in
365 Section 6.3.
366
367 This framework specifies the behavior of Kerberos pre-authentication
368 mechanisms used to identify users or to modify the reply key used to
369 encrypt the KDC reply. The PA-DATA typed hole may be used to carry
370 extensions to Kerberos that have nothing to do with proving the
371 identity of the user or establishing a reply key. Such extensions
372 are outside the scope of this framework. However mechanisms that do
373 accomplish these goals should follow this framework.
374
375 This framework specifies the minimum state that a Kerberos
376 implementation needs to maintain while handling a request in order to
377 process pre-authentication. It also specifies how Kerberos
378 implementations process the padata at each step of the AS request
379 process.
380
3813.1. Information Managed by the Pre-authentication Model
382
383 The following information is maintained by the client and KDC as each
384 request is being processed:
385
386
387
388
389
390
391Hartman & Zhu Expires February 13, 2010 [Page 7]
392�
393Internet-Draft Kerberos Preauth Framework August 2009
394
395
396 o The reply key used to encrypt the KDC reply
397
398 o How strongly the identity of the client has been authenticated
399
400 o Whether the reply key has been used in this conversation
401
402 o Whether the reply key has been replaced in this conversation
403
404 o Whether the origin of the KDC reply can be verified by the client
405 (i.e. whether the KDC is authenticated to the client)
406
407
408 Conceptually, the reply key is initially the long-term key of the
409 principal. However, principals can have multiple long-term keys
410 because of support for multiple encryption types, salts and
411 string2key parameters. As described in Section 5.2.7.5 of the
412 Kerberos protocol [RFC4120], the KDC sends PA-ETYPE-INFO2 to notify
413 the client what types of keys are available. Thus in full
414 generality, the reply key in the pre-authentication model is actually
415 a set of keys. At the beginning of a request, it is initialized to
416 the set of long-term keys advertised in the PA-ETYPE-INFO2 element on
417 the KDC. If multiple reply keys are available, the client chooses
418 which one to use. Thus the client does not need to treat the reply
419 key as a set. At the beginning of a request, the client picks a key
420 to use.
421
422 KDC implementations MAY choose to offer only one key in the PA-ETYPE-
423 INFO2 element. Since the KDC already knows the client's list of
424 supported enctypes from the request, no interoperability problems are
425 created by choosing a single possible reply key. This way, the KDC
426 implementation avoids the complexity of treating the reply key as a
427 set.
428
429 When the padata in the request is verified by the KDC, then the
430 client is known to have that key, therefore the KDC SHOULD pick the
431 same key as the reply key.
432
433 At the beginning of handling a message on both the client and the
434 KDC, the client's identity is not authenticated. A mechanism may
435 indicate that it has successfully authenticated the client's
436 identity. This information is useful to keep track of on the client
437 in order to know what pre-authentication mechanisms should be used.
438 The KDC needs to keep track of whether the client is authenticated
439 because the primary purpose of pre-authentication is to authenticate
440 the client identity before issuing a ticket. The handling of
441 authentication strength using various authentication mechanisms is
442 discussed in Section 6.6.
443
444
445
446
447Hartman & Zhu Expires February 13, 2010 [Page 8]
448�
449Internet-Draft Kerberos Preauth Framework August 2009
450
451
452 Initially the reply key has not been used. A pre-authentication
453 mechanism that uses the reply key to encrypt or checksum some data in
454 the generation of new keys MUST indicate that the reply key is used.
455 This state is maintained by the client and the KDC to enforce the
456 security requirement stated in Section 4.3 that the reply key SHOULD
457 NOT be replaced after it is used.
458
459 Initially the reply key has not been replaced. If a mechanism
460 implements the Replace Reply Key facility discussed in Section 4.3,
461 then the state MUST be updated to indicate that the reply key has
462 been replaced. Once the reply key has been replaced, knowledge of
463 the reply key is insufficient to authenticate the client. The reply
464 key is marked replaced in exactly the same situations as the KDC
465 reply is marked as not being verified to the client principal.
466 However, while mechanisms can verify the KDC reply to the client,
467 once the reply key is replaced, then the reply key remains replaced
468 for the remainder of the conversation.
469
470 Without pre-authentication, the client knows that the KDC reply is
471 authentic and has not been modified because it is encrypted in a
472 long-term key of the client. Only the KDC and the client know that
473 key. So at the start of a conversation, the KDC reply is presumed to
474 be verified using the client's long-term key. It should be noted
475 that in this document, verifying the KDC reply means authenticating
476 the KDC, and these phrases are used interchangeably. Any pre-
477 authentication mechanism that sets a new reply key not based on the
478 principal's long-term secret MUST either verify the KDC reply some
479 other way or indicate that the reply is not verified. If a mechanism
480 indicates that the reply is not verified then the client
481 implementation MUST return an error unless a subsequent mechanism
482 verifies the reply. The KDC needs to track this state so it can
483 avoid generating a reply that is not verified.
484
485 In this specification, KDC verification/authentication refers to the
486 level of authentication of the KDC to the client provided by RFC
487 4120. There is a stronger form of KDC verification that, while
488 sometimes important in Kerberos deployments is not addressed in this
489 specification: the typical Kerberos request does not provide a way
490 for the client machine to know that it is talking to the correct KDC.
491 Someone who can inject packets into the network between the client
492 machine and the KDC and who knows the password that the user will
493 give to the client machine can generate a KDC reply that will decrypt
494 properly. So, if the client machine needs to authenticate that the
495 user is in fact the named principal, then the client machine needs to
496 do a TGS request for itself as a service. Some pre-authentication
497 mechanisms may provide a way for the client machine to authenticate
498 the KDC. Examples of this include signing the reply that can be
499 verified using a well-known public key or providing a ticket for the
500
501
502
503Hartman & Zhu Expires February 13, 2010 [Page 9]
504�
505Internet-Draft Kerberos Preauth Framework August 2009
506
507
508 client machine as a service.
509
5103.2. Initial Pre-authentication Required Error
511
512 Typically a client starts a conversation by sending an initial
513 request with no pre-authentication. If the KDC requires pre-
514 authentication, then it returns a KDC_ERR_PREAUTH_REQUIRED message.
515 After the first reply with the KDC_ERR_PREAUTH_REQUIRED error code,
516 the KDC returns the error code KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
517 (defined in Section 6.3) for pre-authentication configurations that
518 use multi-round-trip mechanisms; see Section 3.4 for details of that
519 case.
520
521 The KDC needs to choose which mechanisms to offer the client. The
522 client needs to be able to choose what mechanisms to use from the
523 first message. For example consider the KDC that will accept
524 mechanism A followed by mechanism B or alternatively the single
525 mechanism C. A client that supports A and C needs to know that it
526 should not bother trying A.
527
528 Mechanisms can either be sufficient on their own or can be part of an
529 authentication set--a group of mechanisms that all need to
530 successfully complete in order to authenticate a client. Some
531 mechanisms may only be useful in authentication sets; others may be
532 useful alone or in authentication sets. For the second group of
533 mechanisms, KDC policy dictates whether the mechanism will be part of
534 an authentication set, offered alone, or both. For each mechanism
535 that is offered alone (even if it is also offered in an
536 authentication set), the KDC includes the pre-authentication type ID
537 of the mechanism in the padata sequence returned in the
538 KDC_ERR_PREAUTH_REQUIRED error. Mechanisms that are only offered as
539 part of an authentication set are not directly represented in the
540 padata sequence returned in the KDC_ERR_PREAUTH_REQUIRED error,
541 although they are represented in the PA-AUTHENTICATION-SET sequence.
542
543 The KDC SHOULD NOT send data that is encrypted in the long-term
544 password-based key of the principal. Doing so has the same security
545 exposures as the Kerberos protocol without pre-authentication. There
546 are few situations where the KDC needs to expose cipher text
547 encrypted in a weak key before the client has proven knowledge of
548 that key, and pre-authentication is desirable.
549
5503.3. Client to KDC
551
552 This description assumes that a client has already received a
553 KDC_ERR_PREAUTH_REQUIRED from the KDC. If the client performs
554 optimistic pre-authentication then the client needs to guess values
555 for the information it would normally receive from that error
556
557
558
559Hartman & Zhu Expires February 13, 2010 [Page 10]
560�
561Internet-Draft Kerberos Preauth Framework August 2009
562
563
564 response or use cached information obtained in prior interactions
565 with the KDC.
566
567 The client starts by initializing the pre-authentication state as
568 specified. It then processes the padata in the
569 KDC_ERR_PREAUTH_REQUIRED.
570
571 When processing the response to the KDC_ERR_PREAUTH_REQUIRED, the
572 client MAY ignore any padata it chooses unless doing so violates a
573 specification to which the client conforms. Clients conforming to
574 this specification MUST NOT ignore the padata defined in Section 6.3.
575 Clients SHOULD process padata unrelated to this framework or other
576 means of authenticating the user. Clients SHOULD choose one
577 authentication set or mechanism that could lead to authenticating the
578 user and ignore the rest. Since the list of mechanisms offered by
579 the KDC is in the decreasing preference order, clients typically
580 choose the first mechanism or authentication set that the client can
581 usefully perform. If a client chooses to ignore a padata it MUST NOT
582 process the padata, allow the padata to affect the pre-authentication
583 state, nor respond to the padata.
584
585 For each padata the client chooses to process, the client processes
586 the padata and modifies the pre-authentication state as required by
587 that mechanism. Padata are processed in the order received from the
588 KDC.
589
590 After processing the padata in the KDC error, the client generates a
591 new request. It processes the pre-authentication mechanisms in the
592 order in which they will appear in the next request, updating the
593 state as appropriate. The request is sent when it is complete.
594
5953.4. KDC to Client
596
597 When a KDC receives an AS request from a client, it needs to
598 determine whether it will respond with an error or an AS reply.
599 There are many causes for an error to be generated that have nothing
600 to do with pre-authentication; they are discussed in the core
601 Kerberos specification.
602
603 From the standpoint of evaluating the pre-authentication, the KDC
604 first starts by initializing the pre-authentication state. If a PA-
605 FX-COOKIE pre-authentication data item is present, it is processed
606 first; see Section 6.3 for a definition. It then processes the
607 padata in the request. As mentioned in Section 3.3, the KDC MAY
608 ignore padata that is inappropriate for the configuration and MUST
609 ignore padata of an unknown type. The KDC MUST NOT ignore padata of
610 types used in previous messages. For example, if a KDC issues a
611 KDC_ERR_PREAUTH_REQUIRED error including padata of type x, then the
612
613
614
615Hartman & Zhu Expires February 13, 2010 [Page 11]
616�
617Internet-Draft Kerberos Preauth Framework August 2009
618
619
620 KDC cannot ignore padata of type x received in an AS-REQ message from
621 the client.
622
623 At this point the KDC decides whether it will issue an error or a
624 reply. Typically a KDC will issue a reply if the client's identity
625 has been authenticated to a sufficient degree.
626
627 In the case of a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error, the KDC
628 first starts by initializing the pre-authentication state. Then it
629 processes any padata in the client's request in the order provided by
630 the client. Mechanisms that are not understood by the KDC are
631 ignored. Next, it generates padata for the error response, modifying
632 the pre-authentication state appropriately as each mechanism is
633 processed. The KDC chooses the order in which it will generate
634 padata (and thus the order of padata in the response), but it needs
635 to modify the pre-authentication state consistently with the choice
636 of order. For example, if some mechanism establishes an
637 authenticated client identity, then the subsequent mechanisms in the
638 generated response receive this state as input. After the padata is
639 generated, the error response is sent. Typically the errors with the
640 code KDC_ERR_MORE_PREAUTH_DATA_REQUIRED in a conversation will
641 include KDC state as discussed in Section 6.3.
642
643 To generate a final reply, the KDC generates the padata modifying the
644 pre-authentication state as necessary. Then it generates the final
645 response, encrypting it in the current pre-authentication reply key.
646
647
6484. Pre-Authentication Facilities
649
650 Pre-Authentication mechanisms can be thought of as providing various
651 conceptual facilities. This serves two useful purposes. First,
652 mechanism authors can choose only to solve one specific small
653 problem. It is often useful for a mechanism designed to offer key
654 management not to directly provide client authentication but instead
655 to allow one or more other mechanisms to handle this need. Secondly,
656 thinking about the abstract services that a mechanism provides yields
657 a minimum set of security requirements that all mechanisms providing
658 that facility must meet. These security requirements are not
659 complete; mechanisms will have additional security requirements based
660 on the specific protocol they employ.
661
662 A mechanism is not constrained to only offering one of these
663 facilities. While such mechanisms can be designed and are sometimes
664 useful, many pre-authentication mechanisms implement several
665 facilities. By combining multiple facilities in a single mechanism,
666 it is often easier to construct a secure, simple solution than by
667 solving the problem in full generality. Even when mechanisms provide
668
669
670
671Hartman & Zhu Expires February 13, 2010 [Page 12]
672�
673Internet-Draft Kerberos Preauth Framework August 2009
674
675
676 multiple facilities, they need to meet the security requirements for
677 all the facilities they provide. If the FAST factor approach is
678 used, it is likely that one or a small number of facilities can be
679 provided by a single mechanism without complicating the security
680 analysis.
681
682 According to Kerberos extensibility rules (Section 1.5 of the
683 Kerberos specification [RFC4120]), an extension MUST NOT change the
684 semantics of a message unless a recipient is known to understand that
685 extension. Because a client does not know that the KDC supports a
686 particular pre-authentication mechanism when it sends an initial
687 request, a pre-authentication mechanism MUST NOT change the semantics
688 of the request in a way that will break a KDC that does not
689 understand that mechanism. Similarly, KDCs MUST NOT send messages to
690 clients that affect the core semantics unless the client has
691 indicated support for the message.
692
693 The only state in this model that would break the interpretation of a
694 message is changing the expected reply key. If one mechanism changed
695 the reply key and a later mechanism used that reply key, then a KDC
696 that interpreted the second mechanism but not the first would fail to
697 interpret the request correctly. In order to avoid this problem,
698 extensions that change core semantics are typically divided into two
699 parts. The first part proposes a change to the core semantic--for
700 example proposes a new reply key. The second part acknowledges that
701 the extension is understood and that the change takes effect.
702 Section 4.2 discusses how to design mechanisms that modify the reply
703 key to be split into a proposal and acceptance without requiring
704 additional round trips to use the new reply key in subsequent pre-
705 authentication. Other changes in the state described in Section 3.1
706 can safely be ignored by a KDC that does not understand a mechanism.
707 Mechanisms that modify the behavior of the request outside the scope
708 of this framework need to carefully consider the Kerberos
709 extensibility rules to avoid similar problems.
710
7114.1. Client-authentication Facility
712
713 The client authentication facility proves the identity of a user to
714 the KDC before a ticket is issued. Examples of mechanisms
715 implementing this facility include the encrypted timestamp facility
716 defined in Section 5.2.7.2 of the Kerberos specification [RFC4120].
717 Mechanisms that provide this facility are expected to mark the client
718 as authenticated.
719
720 Mechanisms implementing this facility SHOULD require the client to
721 prove knowledge of the reply key before transmitting a successful KDC
722 reply. Otherwise, an attacker can intercept the pre-authentication
723 exchange and get a reply to attack. One way of proving the client
724
725
726
727Hartman & Zhu Expires February 13, 2010 [Page 13]
728�
729Internet-Draft Kerberos Preauth Framework August 2009
730
731
732 knows the reply key is to implement the Replace Reply Key facility
733 along with this facility. The PKINIT mechanism [RFC4556] implements
734 Client Authentication alongside Replace Reply Key.
735
736 If the reply key has been replaced, then mechanisms such as
737 encrypted-timestamp that rely on knowledge of the reply key to
738 authenticate the client MUST NOT be used.
739
7404.2. Strengthening-reply-key Facility
741
742 Particularly when dealing with keys based on passwords, it is
743 desirable to increase the strength of the key by adding additional
744 secrets to it. Examples of sources of additional secrets include the
745 results of a Diffie-Hellman key exchange or key bits from the output
746 of a smart card [KRB-WG.SAM]. Typically these additional secrets can
747 be first combined with the existing reply key and then converted to a
748 protocol key using tools defined in Section 6.1.
749
750 Typically a mechanism implementing this facility will know that the
751 other side of the exchange supports the facility before the reply key
752 is changed. For example, a mechanism might need to learn the
753 certificate for a KDC before encrypting a new key in the public key
754 belonging to that certificate. However, if a mechanism implementing
755 this facility wishes to modify the reply key before knowing that the
756 other party in the exchange supports the mechanism, it proposes
757 modifying the reply key. The other party then includes a message
758 indicating that the proposal is accepted if it is understood and
759 meets policy. In many cases it is desirable to use the new reply key
760 for client authentication and for other facilities. Waiting for the
761 other party to accept the proposal and actually modify the reply key
762 state would add an additional round trip to the exchange. Instead,
763 mechanism designers are encouraged to include a typed hole for
764 additional padata in the message that proposes the reply key change.
765 The padata included in the typed hole are generated assuming the new
766 reply key. If the other party accepts the proposal, then these
767 padata are considered as an inner level. As with the outer level,
768 one authentication set or mechanism is typically chosen for client
769 authentication, along with auxiliary mechanisms such as KDC cookies,
770 and other mechanisms are ignored. When mechanisms include such a
771 container, the hint provided for use in authentication sets (as
772 defined in Section 6.4) MUST contain a sequence of inner mechanisms
773 along with hints for those mechanisms. The party generating the
774 proposal can determine whether the padata were processed based on
775 whether the proposal for the reply key is accepted.
776
777 The specific formats of the proposal message, including where padata
778 are included is a matter for the mechanism specification. Similarly,
779 the format of the message accepting the proposal is mechanism-
780
781
782
783Hartman & Zhu Expires February 13, 2010 [Page 14]
784�
785Internet-Draft Kerberos Preauth Framework August 2009
786
787
788 specific.
789
790 Mechanisms implementing this facility and including a typed hole for
791 additional padata MUST checksum that padata using a keyed checksum or
792 encrypt the padata. This requirement protects against modification
793 of the contents of the typed hole. By modifying these contents an
794 attacker might be able to choose which mechanism is used to
795 authenticate the client, or to convince a party to provide text
796 encrypted in a key that the attacker had manipulated. It is
797 important that mechanisms strengthen the reply key enough that using
798 it to checksum padata is appropriate.
799
8004.3. Replacing-reply-key Facility
801
802 The Replace Reply Key facility replaces the key in which a successful
803 AS reply will be encrypted. This facility can only be used in cases
804 where knowledge of the reply key is not used to authenticate the
805 client. The new reply key MUST be communicated to the client and the
806 KDC in a secure manner. This facility MUST NOT be used if there can
807 be a man-in-the-middle between the client and the KDC. Mechanisms
808 implementing this facility MUST mark the reply key as replaced in the
809 pre-authentication state. Mechanisms implementing this facility MUST
810 either provide a mechanism to verify the KDC reply to the client or
811 mark the reply as unverified in the pre-authentication state.
812 Mechanisms implementing this facility SHOULD NOT be used if a
813 previous mechanism has used the reply key.
814
815 As with the strengthening-reply-key facility, Kerberos extensibility
816 rules require that the reply key not be changed unless both sides of
817 the exchange understand the extension. In the case of this facility
818 it will likely be the case for both sides to know that the facility
819 is available by the time that the new key is available to be used.
820 However, mechanism designers can use a container for padata in a
821 proposal message as discussed in Section 4.2 if appropriate.
822
8234.4. KDC-authentication Facility
824
825 This facility verifies that the reply comes from the expected KDC.
826 In traditional Kerberos, the KDC and the client share a key, so if
827 the KDC reply can be decrypted then the client knows that a trusted
828 KDC responded. Note that the client machine cannot trust the client
829 unless the machine is presented with a service ticket for it
830 (typically the machine can retrieve this ticket by itself). However,
831 if the reply key is replaced, some mechanism is required to verify
832 the KDC. Pre-authentication mechanisms providing this facility allow
833 a client to determine that the expected KDC has responded even after
834 the reply key is replaced. They mark the pre-authentication state as
835 having been verified.
836
837
838
839Hartman & Zhu Expires February 13, 2010 [Page 15]
840�
841Internet-Draft Kerberos Preauth Framework August 2009
842
843
8445. Requirements for Pre-Authentication Mechanisms
845
846 This section lists requirements for specifications of pre-
847 authentication mechanisms.
848
849 For each message in the pre-authentication mechanism, the
850 specification describes the pa-type value to be used and the contents
851 of the message. The processing of the message by the sender and
852 recipient is also specified. This specification needs to include all
853 modifications to the pre-authentication state.
854
855 Generally mechanisms have a message that can be sent in the error
856 data of the KDC_ERR_PREAUTH_REQUIRED error message or in an
857 authentication set. If the client needs information such as trusted
858 certificate authorities in order to determine if it can use the
859 mechanism, then this information should be in that message. In
860 addition, such mechanisms should also define a pa-hint to be included
861 in authentication sets. Often, the same information included in the
862 padata-value is appropriate to include in the pa-hint (as defined in
863 Section 6.4).
864
865 In order to ease security analysis the mechanism specification should
866 describe what facilities from this document are offered by the
867 mechanism. For each facility, the security consideration section of
868 the mechanism specification should show that the security
869 requirements of that facility are met. This requirement is
870 applicable to any FAST factor that provides authentication
871 information.
872
873 Significant problems have resulted in the specification of Kerberos
874 protocols because much of the KDC exchange is not protected against
875 alteration. The security considerations section should discuss
876 unauthenticated plaintext attacks. It should either show that
877 plaintext is protected or discuss what harm an attacker could do by
878 modifying the plaintext. It is generally acceptable for an attacker
879 to be able to cause the protocol negotiation to fail by modifying
880 plaintext. More significant attacks should be evaluated carefully.
881
882 As discussed in Section 6.3, there is no guarantee that a client will
883 use the same KDCs for all messages in a conversation. The mechanism
884 specification needs to show why the mechanism is secure in this
885 situation. The hardest problem to deal with, especially for
886 challenge/response mechanisms is to make sure that the same response
887 cannot be replayed against two KDCs while allowing the client to talk
888 to any KDC.
889
890
891
892
893
894
895Hartman & Zhu Expires February 13, 2010 [Page 16]
896�
897Internet-Draft Kerberos Preauth Framework August 2009
898
899
9006. Tools for Use in Pre-Authentication Mechanisms
901
902 This section describes common tools needed by multiple pre-
903 authentication mechanisms. By using these tools mechanism designers
904 can use a modular approach to specify mechanism details and ease
905 security analysis.
906
9076.1. Combining Keys
908
909 Frequently a weak key needs to be combined with a stronger key before
910 use. For example, passwords are typically limited in size and
911 insufficiently random, therefore it is desirable to increase the
912 strength of the keys based on passwords by adding additional secrets.
913 Additional source of secrecy may come from hardware tokens.
914
915 This section provides standard ways to combine two keys into one.
916
917 KRB-FX-CF1() is defined to combine two pass-phrases.
918
919 KRB-FX-CF1(UTF-8 string, UTF-8 string) -> (UTF-8 string)
920 KRB-FX-CF1(x, y) := x || y
921
922 Where || denotes concatenation. The strength of the final key is
923 roughly the total strength of the individual keys being combined
924 assuming that the string_to_key() function [RFC3961] uses all its
925 input evenly.
926
927 An example usage of KRB-FX-CF1() is when a device provides random but
928 short passwords, the password is often combined with a personal
929 identification number (PIN). The password and the PIN can be
930 combined using KRB-FX-CF1().
931
932 KRB-FX-CF2() combines two protocol keys based on the pseudo-random()
933 function defined in [RFC3961].
934
935 Given two input keys, K1 and K2, where K1 and K2 can be of two
936 different enctypes, the output key of KRB-FX-CF2(), K3, is derived as
937 follows:
938
939 KRB-FX-CF2(protocol key, protocol key, octet string,
940 octet string) -> (protocol key)
941
942 PRF+(K1, pepper1) -> octet-string-1
943 PRF+(K2, pepper2) -> octet-string-2
944 KRB-FX-CF2(K1, K2, pepper1, pepper2) :=
945 random-to-key(octet-string-1 ^ octet-string-2)
946
947 Where ^ denotes the exclusive-OR operation. PRF+() is defined as
948
949
950
951Hartman & Zhu Expires February 13, 2010 [Page 17]
952�
953Internet-Draft Kerberos Preauth Framework August 2009
954
955
956 follows:
957
958 PRF+(protocol key, octet string) -> (octet string)
959
960 PRF+(key, shared-info) := pseudo-random( key, 1 || shared-info ) ||
961 pseudo-random( key, 2 || shared-info ) ||
962 pseudo-random( key, 3 || shared-info ) || ...
963
964 Here the counter value 1, 2, 3 and so on are encoded as a one-octet
965 integer. The pseudo-random() operation is specified by the enctype
966 of the protocol key. PRF+() uses the counter to generate enough bits
967 as needed by the random-to-key() [RFC3961] function for the
968 encryption type specified for the resulting key; unneeded bits are
969 removed from the tail. Unless otherwise specified, the resulting
970 enctype of KRB-FX-CF2 is the enctype of k1.
971
972 Mechanism designers MUST specify the values for the input parameter
973 pepper1 and pepper2 when combining two keys using KRB-FX-CF2(). The
974 pepper1 and pepper2 MUST be distinct so that if the two keys being
975 combined are the same, the resulting key is not a trivial key.
976
9776.2. Protecting Requests/Responses
978
979 Mechanism designers SHOULD protect clear text portions of pre-
980 authentication data. Various denial of service attacks and downgrade
981 attacks against Kerberos are possible unless plaintexts are somehow
982 protected against modification. An early design goal of Kerberos
983 Version 5 [RFC4120] was to avoid encrypting more of the
984 authentication exchange that was required. (Version 4 doubly-
985 encrypted the encrypted part of a ticket in a KDC reply, for
986 example.) This minimization of encryption reduces the load on the
987 KDC and busy servers. Also, during the initial design of Version 5,
988 the existence of legal restrictions on the export of cryptography
989 made it desirable to minimize of the number of uses of encryption in
990 the protocol. Unfortunately, performing this minimization created
991 numerous instances of unauthenticated security-relevant plaintext
992 fields.
993
994 If there is more than one round trip for an authentication exchange,
995 mechanism designers need to allow either the client or the KDC to
996 provide a checksum of all the messages exchanged on the wire in the
997 conversation, and the checksum is then verified by the receiver.
998
999 New mechanisms MUST NOT be hard-wired to use a specific algorithm.
1000
1001 Primitives defined in [RFC3961] are RECOMMENDED for integrity
1002 protection and confidentiality. Mechanisms based on these primitives
1003 are crypto-agile as the result of using [RFC3961] along with
1004
1005
1006
1007Hartman & Zhu Expires February 13, 2010 [Page 18]
1008�
1009Internet-Draft Kerberos Preauth Framework August 2009
1010
1011
1012 [RFC4120]. The advantage afforded by crypto-agility is the ability
1013 to incrementally deploy a fix specific to a particular algorithm thus
1014 avoid a multi-year standardization and deployment cycle, when real
1015 attacks do arise against that algorithm.
1016
1017 Note that data used by FAST factors (defined in Section 6.5) is
1018 encrypted in a protected channel, thus they do not share the un-
1019 authenticated-text issues with mechanisms designed as full-blown pre-
1020 authentication mechanisms.
1021
10226.3. Managing States for the KDC
1023
1024 Kerberos KDCs are stateless in that there is no requirement that
1025 clients will choose the same KDC for the second request in a
1026 conversation. Proxies or other intermediate nodes may also influence
1027 KDC selection. So, each request from a client to a KDC must include
1028 sufficient information that the KDC can regenerate any needed state.
1029 This is accomplished by giving the client a potentially long opaque
1030 cookie in responses to include in future requests in the same
1031 conversation. The KDC MAY respond that a conversation is too old and
1032 needs to restart by responding with a KDC_ERR_PREAUTH_EXPIRED error.
1033
1034 KDC_ERR_PREAUTH_EXPIRED 90
1035
1036 When a client receives this error, the client SHOULD abort the
1037 existing conversation, and restart a new one.
1038
1039 An example, where more than one message from the client is needed, is
1040 when the client is authenticated based on a challenge-response
1041 scheme. In that case, the KDC needs to keep track of the challenge
1042 issued for a client authentication request.
1043
1044 The PA-FX-COOKIE padata type is defined in this section to facilitate
1045 state management in the AS exchange. This padata is sent by the KDC
1046 when the KDC requires state for a future transaction. The client
1047 includes this opaque token in the next message in the conversation.
1048 The token may be relatively large; clients MUST be prepared for
1049 tokens somewhat larger than the size of all messages in a
1050 conversation.
1051
1052 PA-FX-COOKIE 133
1053 -- Stateless cookie that is not tied to a specific KDC.
1054
1055 The corresponding padata-value field [RFC4120] contains an opaque
1056 token that will be echoed by the client in its response to an error
1057 from the KDC.
1058
1059 The cookie token is generated by the KDC and transmitted in a PA-FX-
1060
1061
1062
1063Hartman & Zhu Expires February 13, 2010 [Page 19]
1064�
1065Internet-Draft Kerberos Preauth Framework August 2009
1066
1067
1068 COOKIE pre-authentication data item of a KRB-ERROR message. The
1069 client MUST copy the exact cookie encapsulated in a PA-FX-COOKIE data
1070 element into the next message of the same conversation. The content
1071 of the cookie field is a local matter of the KDC. As a result, it is
1072 not generally possible to mix KDC implementations from different
1073 vendors in the same realm. However the KDC MUST construct the cookie
1074 token in such a manner that a malicious client cannot subvert the
1075 authentication process by manipulating the token. The KDC
1076 implementation needs to consider expiration of tokens, key rollover
1077 and other security issues in token design. The content of the cookie
1078 field is likely specific to the pre-authentication mechanisms used to
1079 authenticate the client. If a client authentication response can be
1080 replayed to multiple KDCs via the PA-FX-COOKIE mechanism, an
1081 expiration in the cookie is RECOMMENDED to prevent the response being
1082 presented indefinitely.
1083
1084 If at least one more message for a mechanism or a mechanism set is
1085 expected by the KDC, the KDC returns a
1086 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with a PA-FX-COOKIE to
1087 identify the conversation with the client according to Section 3.2.
1088 The cookie is not expected to stay constant for a conversation: the
1089 KDC is expected to generate a new cookie for each message.
1090
1091 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91
1092
1093 A client MAY throw away the state associated with a conversation and
1094 begin a new conversation by discarding its state and not including a
1095 cookie in the first message of a conversation. KDCs that comply with
1096 this specification MUST include a cookie in a response when the
1097 client can continue the conversation. In particular, a KDC MUST
1098 include a cookie in a KDC_ERR_PREAUTH_REQUIRED or
1099 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. KDCs SHOULD include a cookie in
1100 errors containing additional information allowing a client to retry.
1101 One reasonable strategy for meeting these requirements is to always
1102 include a cookie in KDC errors.
1103
1104 A KDC MAY indicate that it is terminating a conversation by not
1105 including a cookie in a response. When FAST is used, clients can
1106 assume that the absence of a cookie means that the KDC is ending the
1107 conversation. Clients also need to deal with KDCs prior to this
1108 specification that do not include cookies; if cookies nor FAST are
1109 used in a conversation, the absence of a cookie is not a strong
1110 indication that the KDC is terminating the conversation.
1111
11126.4. Pre-authentication Set
1113
1114 If all mechanisms in a group need to successfully complete in order
1115 to authenticate a client, the client and the KDC SHOULD use the PA-
1116
1117
1118
1119Hartman & Zhu Expires February 13, 2010 [Page 20]
1120�
1121Internet-Draft Kerberos Preauth Framework August 2009
1122
1123
1124 AUTHENTICATION-SET padata element.
1125
1126 PA-AUTHENTICATION-SET 134
1127
1128 A PA-AUTHENTICATION-SET padata element contains the ASN.1 DER
1129 encoding of the PA-AUTHENTICATION-SET structure:
1130
1131 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
1132
1133 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
1134 pa-type [0] Int32,
1135 -- same as padata-type.
1136 pa-hint [1] OCTET STRING OPTIONAL,
1137 pa-value [2] OCTET STRING OPTIONAL,
1138 ...
1139 }
1140
1141 The pa-type field of the PA-AUTHENTICATION-SET-ELEM structure
1142 contains the corresponding value of padata-type in PA-DATA [RFC4120].
1143 Associated with the pa-type is a pa-hint, which is an octet-string
1144 specified by the pre-authentication mechanism. This hint may provide
1145 information for the client which helps it determine whether the
1146 mechanism can be used. For example a public-key mechanism might
1147 include the certificate authorities it trusts in the hint info. Most
1148 mechanisms today do not specify hint info; if a mechanism does not
1149 specify hint info the KDC MUST NOT send a hint for that mechanism.
1150 To allow future revisions of mechanism specifications to add hint
1151 info, clients MUST ignore hint info received for mechanisms that the
1152 client believes do not support hint info. The pa-value element of
1153 the PA-AUTHENTICATION-SET-ELEM sequence is included to carry the
1154 first padata-value from the KDC to the client. If the client chooses
1155 this authentication set then the client MUST process this pa-value.
1156 The pa-value element MUST be absent for all but the first entry in
1157 the authentication set. Clients MUST ignore pa-value for the second
1158 and following entries in the authentication set.
1159
1160 If the client chooses an authentication set, then its first AS-REQ
1161 message MUST contain a PA-AUTH-SET-SELECTED padata element. This
1162 element contains the encoding of the PA-AUTHENTICATION-SET sequence
1163 received from the KDC corresponding to the authentication set that is
1164 chosen. The client MUST use the same octet values received from the
1165 KDC; it cannot re-encode the sequence. This allows KDCs to use bit-
1166 wise comparison to identify the selected authentication set. The PA-
1167 AUTH-SET-SELECTED padata element MUST come before any padata elements
1168 from the authentication set in the padata sequence in the AS-REQ
1169 message. The client MAY cache authentication sets from prior
1170 messages and use them to construct an optimistic initial AS-REQ. If
1171 the KDC receives a PA-AUTH-SET-SELECTED padata element that does not
1172
1173
1174
1175Hartman & Zhu Expires February 13, 2010 [Page 21]
1176�
1177Internet-Draft Kerberos Preauth Framework August 2009
1178
1179
1180 correspond to an authentication set that it would offer, then the KDC
1181 returns the KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET error. The e-data
1182 in this error contains a sequence of padata just as for the
1183 KDC_ERR_PREAUTH_REQUIRED error.
1184
1185
1186 PA-AUTH-SET-SELECTED 135
1187 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92
1188
1189 The PA-AUTHENTICATION-SET appears only in the first message from the
1190 KDC to the client. In particular, the client MAY fail if the
1191 authentication mechanism sets change as the conversation progresses.
1192 Clients MAY assume that the hints provided in the authentication set
1193 contain enough information that the client knows what user interface
1194 elements need to be displayed during the entire authentication
1195 conversation. Exceptional circumstances such as expired passwords or
1196 expired accounts may require that additional user interface be
1197 displayed. Mechanism designers needs to carefully consider the
1198 design of their hints so that the client has this information. This
1199 way, clients can construct necessary dialogue boxes or wizards based
1200 on the authentication set and can present a coherent user interface.
1201 Current standards for user interface do not provide an acceptable
1202 experience when the client has to ask additional questions later in
1203 the conversation.
1204
1205 When indicating which sets of pre-authentication mechanisms are
1206 supported, the KDC includes a PA-AUTHENTICATION-SET padata element
1207 for each pre-authentication mechanism set.
1208
1209 The client sends the padata-value for the first mechanism it picks in
1210 the pre-authentication set, when the first mechanism completes, the
1211 client and the KDC will proceed with the second mechanism, and so on
1212 until all mechanisms complete successfully. The PA-FX-COOKIE as
1213 defined in Section 6.3 MUST be sent by the KDC. One reason for this
1214 requirement is so that the conversation can continue if the
1215 conversation involves multiple KDCs. KDCs MUST support clients that
1216 do not include a cookie because they optimistically choose an
1217 authentication set, although they MAY always return
1218 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET and include a cookie in that
1219 message. Clients that support PA-AUTHENTICATION-SET MUST support PA-
1220 FX-COOKIE.
1221
1222 Before the authentication succeeds and a ticket is returned, the
1223 message that the client sends is an AS_REQ and the message that the
1224 KDC sends is a KRB-ERROR message. The error code in the KRB-ERROR
1225 message from the KDC is KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined
1226 in Section 6.3 and the accompanying e-data contains the DER encoding
1227 of ASN.1 type METHOD-DATA. The KDC includes the padata elements in
1228
1229
1230
1231Hartman & Zhu Expires February 13, 2010 [Page 22]
1232�
1233Internet-Draft Kerberos Preauth Framework August 2009
1234
1235
1236 the METHOD-DATA. If there is no padata, the e-data field is absent
1237 in the KRB-ERROR message.
1238
1239 If the client sends the last message for a given mechanism, then the
1240 KDC sends the first message for the next mechanism. If the next
1241 mechanism does not start with a KDC-side challenge, then the KDC
1242 includes a padata item with the appropriate pa-type and an empty pa-
1243 data.
1244
1245 If the KDC sends the last message for a particular mechanism, the KDC
1246 also includes the first padata for the next mechanism.
1247
12486.5. Definition of Kerberos FAST Padata
1249
1250 As described in [RFC4120], Kerberos is vulnerable to offline
1251 dictionary attacks. An attacker can request an AS-REP and try
1252 various passwords to see if they can decrypt the resulting ticket.
1253 RFC 4120 provides the encrypted timestamp pre-authentication method
1254 that ameliorates the situation somewhat by requiring that an attacker
1255 observe a successful authentication. However stronger security is
1256 desired in many environments. The Kerberos FAST pre-authentication
1257 padata defined in this section provides a tool to significantly
1258 reduce vulnerability to offline dictionary attack. When combined
1259 with encrypted challenge, FAST requires an attacker to mount a
1260 successful man-in-the-middle attack to observe ciphertext. When
1261 combined with host keys, FAST can even protect against active
1262 attacks. FAST also provides solutions to common problems for pre-
1263 authentication mechanisms such as binding of the request and the
1264 reply, freshness guarantee of the authentication. FAST itself,
1265 however, does not authenticate the client or the KDC, instead, it
1266 provides a typed hole to allow pre-authentication data be tunneled.
1267 A pre-authentication data element used within FAST is called a FAST
1268 factor. A FAST factor captures the minimal work required for
1269 extending Kerberos to support a new pre-authentication scheme.
1270
1271 A FAST factor MUST NOT be used outside of FAST unless its
1272 specification explicitly allows so. The typed holes in FAST messages
1273 can also be used as generic holes for other padata that are not
1274 intended to prove the client's identity, or establish the reply key.
1275
1276 New pre-authentication mechanisms SHOULD be designed as FAST factors,
1277 instead of full-blown pre-authentication mechanisms.
1278
1279 FAST factors that are pre-authentication mechanisms MUST meet the
1280 requirements in Section 5.
1281
1282 FAST employs an armoring scheme. The armor can be a Ticket Granting
1283 Ticket (TGT) obtained by the client's machine using the host keys to
1284
1285
1286
1287Hartman & Zhu Expires February 13, 2010 [Page 23]
1288�
1289Internet-Draft Kerberos Preauth Framework August 2009
1290
1291
1292 pre-authenticate with the KDC, or an anonymous TGT obtained based on
1293 anonymous PKINIT [KRB-ANON] [RFC4556].
1294
1295 The rest of this section describes the types of armors and the syntax
1296 of the messages used by FAST. Conforming implementations MUST
1297 support Kerberos FAST padata.
1298
1299 Any FAST armor scheme MUST provide a fresh armor key for each
1300 conversation. Clients and KDCs can assume that if a message is
1301 encrypted and integrity protected with a given armor key then it is
1302 part of the conversation using that armor key.
1303
1304 All KDCs in a realm MUST support FAST if FAST is offered by any KDC
1305 as a pre-authentication mechanism.
1306
13076.5.1. FAST Armors
1308
1309 An armor key is used to encrypt pre-authentication data in the FAST
1310 request and the response. The KrbFastArmor structure is defined to
1311 identify the armor key. This structure contains the following two
1312 fields: the armor-type identifies the type of armors, and the armor-
1313 value is an OCTET STRING that contains the description of the armor
1314 scheme and the armor key.
1315
1316 KrbFastArmor ::= SEQUENCE {
1317 armor-type [0] Int32,
1318 -- Type of the armor.
1319 armor-value [1] OCTET STRING,
1320 -- Value of the armor.
1321 ...
1322 }
1323
1324 The value of the armor key is a matter of the armor type
1325 specification. Only one armor type is defined in this document.
1326
1327 FX_FAST_ARMOR_AP_REQUEST 1
1328
1329 The FX_FAST_ARMOR_AP_REQUEST armor is based on Kerberos tickets.
1330
1331 Conforming implementations MUST implement the
1332 FX_FAST_ARMOR_AP_REQUEST armor type. If a FAST KDC receives an
1333 unknown armor type it MUST respond with KDC_ERR_PREAUTH_FAILED.
1334
1335 An armor type may be appropriate for use in armoring AS requests,
1336 armoring TGS requests or both. TGS armor types MUST authenticate the
1337 client to to the KDC, typically by binding the TGT subsession key to
1338 the armor key. As discussed below, it is desirable for AS armor
1339 types to authenticate the KDC to the client, but this is not
1340
1341
1342
1343Hartman & Zhu Expires February 13, 2010 [Page 24]
1344�
1345Internet-Draft Kerberos Preauth Framework August 2009
1346
1347
1348 required.
1349
1350 FAST implementations MUST maintain state about whether the armor
1351 mechanism authenticates the KDC. If it does not, then a fast factor
1352 that authenticates the KDC MUST be used if the reply key is replaced.
1353
13546.5.1.1. Ticket-based Armors
1355
1356 This is a ticket-based armoring scheme. The armor-type is
1357 FX_FAST_ARMOR_AP_REQUEST, the armor-value contains an ASN.1 DER
1358 encoded AP-REQ. The ticket in the AP-REQ is called an armor ticket
1359 or an armor TGT. The subkey field in the AP-REQ MUST be present.
1360 The armor key is defined by the following function:
1361
1362 armor_key = KRB-FX-CF2( subkey, ticket_session_key,
1363 "subkeyarmor", "ticketarmor" )
1364
1365 The `ticket_session_key' is the session key from the ticket in the
1366 ap-req. The `subkey' is the ap-req subkey. This construction
1367 guarantees that both the KDC (through the session key) and the client
1368 (through the subkey) contribute to the armor key.
1369
1370 The server name field of the armor ticket MUST identify the TGS of
1371 the target realm. Here are three common ways in the decreasing
1372 preference order how an armor TGT SHOULD be obtained:
1373
1374 1. If the client is authenticating from a host machine whose
1375 Kerberos realm has an authentication path to the client's realm,
1376 the host machine obtains a TGT by using the host keys. If the
1377 client's realm is different than the realm of the local host, the
1378 machine then obtains a cross-realm TGT to the client's realm as
1379 the armor ticket. Otherwise, the host's primary TGT is the armor
1380 ticket.
1381
1382 2. If the client's host machine cannot obtain a host ticket strictly
1383 based on RFC4120, but the KDC has an asymmetric signing key whose
1384 binding with the expected KDC can be verified by the client, the
1385 client can use anonymous PKINIT [KRB-ANON] [RFC4556] to
1386 authenticate the KDC and obtain an anonymous TGT as the armor
1387 ticket. The armor ticket can also be a cross-realm TGT obtained
1388 based on the initial primary TGT obtained using anonymous PKINIT
1389 with KDC authentication.
1390
1391 3. Otherwise, the client uses anonymous PKINIT to get an anonymous
1392 TGT without KDC authentication and that TGT is the armor ticket.
1393 Note that this mode of operation is vulnerable to man-in-the-
1394 middle attacks at the time of obtaining the initial anonymous
1395 armor TGT.
1396
1397
1398
1399Hartman & Zhu Expires February 13, 2010 [Page 25]
1400�
1401Internet-Draft Kerberos Preauth Framework August 2009
1402
1403
1404 If anonymous PKINIT is used to obtain the armor ticket, the KDC
1405 cannot know whether its signing key can be verified by the client,
1406 hence the KDC MUST be marked as unverified from the KDC's point of
1407 view while the client could be able to authenticate the KDC by
1408 verifying the KDC's signing key is bound with the expected KDC. The
1409 client needs to carefully consider the risk and benefit tradeoffs
1410 associated with active attacks before exposing cipher text encrypted
1411 using the user's long-term secrets when the armor does not
1412 authenticate the KDC.
1413
1414 The TGS MUST reject a request if there is an AD-fx-fast-armor (TBD)
1415 element in the authenticator of the pa-tgs-req padata or if the
1416 ticket in the authenticator of a pa-tgs-req contains the AD-fx-fast-
1417 armor authorization data element. These tickets and authenticators
1418 MAY be used as FAST armor tickets but not to obtain a ticket via the
1419 TGS. This authorization data is used in a system where the
1420 encryption of the user's pre-authentication data is performed in an
1421 unprivileged user process. A privileged process can provide to the
1422 user process a host ticket, an authenticator for use with that
1423 ticket, and the sub session key contained in the authenticator. In
1424 order for the host process to ensure that the host ticket is not
1425 accidentally or intentionally misused, (i.e. the user process might
1426 use the host ticket to authenticate as the host), it MUST include a
1427 critical authorization data element of the type AD-fx-fast-armor when
1428 providing the authenticator or in the enc-authorization-data field of
1429 the TGS request used to obtain the TGT. The corresponding ad-data
1430 field of the AD-fx-fast-armor element is empty.
1431
1432 Only implicit armors are allowed in the TGS at this time.
1433
14346.5.2. FAST Request
1435
1436 A padata type PA-FX-FAST is defined for the Kerberos FAST pre-
1437 authentication padata. The corresponding padata-value field
1438 [RFC4120] contains the DER encoding of the ASN.1 type PA-FX-FAST-
1439 REQUEST. As with all pre-authentication types, the KDC SHOULD
1440 advertise PA-FX-FAST in a PREAUTH_REQUIRED error. KDCs MUST send the
1441 advertisement of pa-fx-fast with an empty pa-value. Clients MUST
1442 ignore the pa-value of PA-FX-FAST in an initial PREAUTH_REQUIRED
1443 error. FAST is not expected to be used in an authentication set:
1444 clients will typically use FAST padata if available and this decision
1445 should not depend on what other pre-authentication methods are
1446 available. As such, no pa-hint is defined for FAST at this time.
1447
1448
1449
1450
1451
1452
1453
1454
1455Hartman & Zhu Expires February 13, 2010 [Page 26]
1456�
1457Internet-Draft Kerberos Preauth Framework August 2009
1458
1459
1460 PA-FX-FAST 136
1461 -- Padata type for Kerberos FAST
1462
1463 PA-FX-FAST-REQUEST ::= CHOICE {
1464 armored-data [0] KrbFastArmoredReq,
1465 ...
1466 }
1467
1468 KrbFastArmoredReq ::= SEQUENCE {
1469 armor [0] KrbFastArmor OPTIONAL,
1470 -- Contains the armor that identifies the armor key.
1471 -- MUST be present in AS-REQ.
1472 req-checksum [1] Checksum,
1473 -- For AS, contains the checksum performed over the type
1474 -- KDC-REQ-BODY for the req-body field of the KDC-REQ
1475 -- structure;
1476 -- For TGS, contains the checksum performed over the type
1477 -- AP-REQ in the PA-TGS-REQ padata.
1478 -- The checksum key is the armor key, the checksum
1479 -- type is the required checksum type for the enctype of
1480 -- the armor key, and the key usage number is
1481 -- KEY_USAGE_FAST_REQ_CHKSUM.
1482 enc-fast-req [2] EncryptedData, -- KrbFastReq --
1483 -- The encryption key is the armor key, and the key usage
1484 -- number is KEY_USAGE_FAST_ENC.
1485 ...
1486 }
1487
1488 KEY_USAGE_FAST_REQ_CHKSUM 50
1489 KEY_USAGE_FAST_ENC 51
1490
1491 The PA-FX-FAST-REQUEST structure contains a KrbFastArmoredReq type.
1492 The KrbFastArmoredReq encapsulates the encrypted padata.
1493
1494 The enc-fast-req field contains an encrypted KrbFastReq structure.
1495 The armor key is used to encrypt the KrbFastReq structure, and the
1496 key usage number for that encryption is KEY_USAGE_FAST_ENC.
1497
1498 The armor key is selected as follows:
1499
1500 o In an AS request, the armor field in the KrbFastArmoredReq
1501 structure MUST be present and the armor key is identified
1502 according to the specification of the armor type.
1503
1504 o There are two possibilities for armor for a TGS request. If the
1505 ticket presented in the PA-TGS-REQ authenticator is a TGT, then
1506 the client SHOULD NOT include the armor field in the Krbfastreq
1507 and a subkey MUST be included in the PA-TGS-REQ authenticator. In
1508
1509
1510
1511Hartman & Zhu Expires February 13, 2010 [Page 27]
1512�
1513Internet-Draft Kerberos Preauth Framework August 2009
1514
1515
1516 this case, the armor key is the same armor key that would be
1517 computed if the TGS-REQ authenticator was used in a
1518 FX_FAST_ARMOR_AP_REQUEST armor. Clients MAY present a non-TGT in
1519 the PA-TGS-REQ authenticator and omit the armor field, in which
1520 case the armor key is the same that would be computed if the
1521 authenticator were used in a FX_FAST_ARMOR_AP_REQUEST armor. This
1522 is the only case where a ticket other than a TGT can be used to
1523 establish an armor key; even though the armor key is computed the
1524 same as a FX_FAST_ARMOR_AP_REQUEST, a non-TGT cannot be used as an
1525 armor ticket in FX_FAST_ARMOR_AP_REQUEST. Alternatively, a client
1526 MAY use an armor type defined in the future for use with the TGS
1527 request.
1528
1529 The req-checksum field contains a checksum computed differently for
1530 AS and TGS. For an AS-REQ, it is performed over the type KDC-REQ-
1531 BODY for the req-body field of the KDC-REQ structure of the
1532 containing message; for an TGS-REQ, it is performed over the type AP-
1533 REQ in the PA-TGS-REQ padata of the TGS request. The checksum key is
1534 the armor key, and the checksum type is the required checksum type
1535 for the enctype of the armor key per [RFC3961]. This checksum MUST
1536 be a keyed checksume and it is included in order to bind the FAST
1537 padata to the outer request. A KDC that implements FAST will ignore
1538 the outer request, but including a checksum is relatively cheap and
1539 may prevent confusing behavior.
1540
1541 The KrbFastReq structure contains the following information:
1542
1543 KrbFastReq ::= SEQUENCE {
1544 fast-options [0] FastOptions,
1545 -- Additional options.
1546 padata [1] SEQUENCE OF PA-DATA,
1547 -- padata typed holes.
1548 req-body [2] KDC-REQ-BODY,
1549 -- Contains the KDC request body as defined in Section
1550 -- 5.4.1 of [RFC4120].
1551 -- This req-body field is preferred over the outer field
1552 -- in the KDC request.
1553 ...
1554 }
1555
1556 The fast-options field indicates various options that are to modify
1557 the behavior of the KDC. The following options are defined:
1558
1559 FastOptions ::= KerberosFlags
1560 -- reserved(0),
1561 -- hide-client-names(1),
1562 -- kdc-follow-referrals(16)
1563
1564
1565
1566
1567Hartman & Zhu Expires February 13, 2010 [Page 28]
1568�
1569Internet-Draft Kerberos Preauth Framework August 2009
1570
1571
1572 Bits Name Description
1573 -----------------------------------------------------------------
1574 0 RESERVED Reserved for future expansion of this
1575 field.
1576 1 hide-client-names Requesting the KDC to hide client
1577 names in the KDC response, as
1578 described next in this section.
1579 16 kdc-follow-referrals Requesting the KDC to follow referrals.
1580
1581 Bits 1 through 15 inclusive (with bit 1 and bit 15 included) are
1582 critical options. If the KDC does not support a critical option, it
1583 MUST fail the request with KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, and
1584 there is no accompanying e-data defined in this document for this
1585 error code. Bit 16 and onward (with bit 16 included) are non-
1586 critical options. KDCs conforming to this specification ignore
1587 unknown non-critical options.
1588
1589 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93
1590
1591 The hide-client-names Option
1592
1593 The Kerberos response defined in [RFC4120] contains the client
1594 identity in clear text, This makes traffic analysis
1595 straightforward. The hide-client-names option is designed to
1596 complicate traffic analysis. If the hide-client-names option is
1597 set, the KDC implementing PA-FX-FAST MUST identify the client as
1598 the anonymous principal [KRB-ANON] in the KDC reply and the error
1599 response. Hence this option is set by the client if it wishes to
1600 conceal the client identity in the KDC response. A conforming KDC
1601 ignores the client principal name in the outer KDC-REQ-BODY field,
1602 and identifies the client using the cname and crealm fields in the
1603 req-body field of the KrbFastReq structure.
1604
1605 The kdc-follow-referrals Option
1606
1607 The Kerberos client described in [RFC4120] has to request referral
1608 TGTs along the authentication path in order to get a service
1609 ticket for the target service. The Kerberos client described in
1610 the [REFERRALS] needs to contact the AS specified in the error
1611 response in order to complete client referrals. The kdc-follow-
1612 referrals option is designed to minimize the number of messages
1613 that need to be processed by the client. This option is useful
1614 when, for example, the client may contact the KDC via a satellite
1615 link that has high network latency, or the client has limited
1616 computational capabilities. If the kdc-follow-referrals option is
1617 set, the KDC MAY act as the client to follow TGS referrals
1618 [REFERRALS], and return the service ticket to the named server
1619 principal in the client request using the reply key expected by
1620
1621
1622
1623Hartman & Zhu Expires February 13, 2010 [Page 29]
1624�
1625Internet-Draft Kerberos Preauth Framework August 2009
1626
1627
1628 the client. That is, rather than returning a referral, the KDC
1629 follows that referral by contacting a remote KDC and processing
1630 the referral. The kdc-referrals option can be implemented when
1631 the KDC knows the reply key. The KDC can ignore kdc-referrals
1632 option when it does not understand it or it does not allow this
1633 option based on local policy. The client SHOULD be capable of
1634 processing the KDC responses when this option is not honored by
1635 the KDC. Clients SHOULD use TCP to contact a KDC if this option
1636 is going to be used to avoid problems when the client's UDP
1637 retransmit algorithm has timeouts insufficient to allow the KDC to
1638 interact with remote KDCs.
1639
1640 The padata field contains a list of PA-DATA structures as described
1641 in Section 5.2.7 of [RFC4120]. These PA-DATA structures can contain
1642 FAST factors. They can also be used as generic typed-holes to
1643 contain data not intended for proving the client's identity or
1644 establishing a reply key, but for protocol extensibility. If the KDC
1645 supports the PA-FX-FAST-REQUEST padata, unless otherwise specified,
1646 the client MUST place any padata that is otherwise in the outer KDC
1647 request body into this field. In a TGS request, PA-TGS-REQ padata is
1648 not included in this field and it is present in the outer KDC request
1649 body.
1650
1651 The KDC-REQ-BODY in the FAST structure is used in preference to the
1652 KDC-REQ-BODY outside of the FAST pre-authentication. The outer KDC-
1653 REQ-BODY structure SHOULD be filled in for backwards compatibility
1654 with KDCs that do not support FAST. A conforming KDC ignores the
1655 outer KDC-REQ-BODY field in the KDC request. Pre-authentication data
1656 methods such as [RFC4556] that include a checksum of the KDC-REQ-BODY
1657 should checksum the KDC-REQ-BODY in the FAST structure.
1658
1659 In a TGS request, a client MAY include the AD-fx-fast-used authdata
1660 either in the pa-tgs-req authenticator or in the authorization data
1661 in the pa-tgs-req ticket. If the KDC receives this authorization
1662 data but does not find a FAST padata then it MUST return
1663 KRB_APP_ERR_MODIFIED.
1664
16656.5.3. FAST Response
1666
1667 The KDC that supports the PA-FX-FAST padata MUST include a PA-FX-FAST
1668 padata element in the KDC reply. In the case of an error, the PA-FX-
1669 FAST padata is included in the KDC responses according to
1670 Section 6.5.4.
1671
1672 The corresponding padata-value field [RFC4120] for the PA-FX-FAST in
1673 the KDC response contains the DER encoding of the ASN.1 type PA-FX-
1674 FAST-REPLY.
1675
1676
1677
1678
1679Hartman & Zhu Expires February 13, 2010 [Page 30]
1680�
1681Internet-Draft Kerberos Preauth Framework August 2009
1682
1683
1684 PA-FX-FAST-REPLY ::= CHOICE {
1685 armored-data [0] KrbFastArmoredRep,
1686 ...
1687 }
1688
1689 KrbFastArmoredRep ::= SEQUENCE {
1690 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
1691 -- The encryption key is the armor key in the request, and
1692 -- the key usage number is KEY_USAGE_FAST_REP.
1693 ...
1694 }
1695 KEY_USAGE_FAST_REP 52
1696
1697 The PA-FX-FAST-REPLY structure contains a KrbFastArmoredRep
1698 structure. The KrbFastArmoredRep structure encapsulates the padata
1699 in the KDC reply in the encrypted form. The KrbFastResponse is
1700 encrypted with the armor key used in the corresponding request, and
1701 the key usage number is KEY_USAGE_FAST_REP.
1702
1703 The Kerberos client who does not receive a PA-FX-FAST-REPLY in the
1704 KDC response MUST support a local policy that rejects the response.
1705 Clients MAY also support policies that fall back to other mechanisms
1706 or that do not use pre-authentication when FAST is unavailable. It
1707 is important to consider the potential downgrade attacks when
1708 deploying such a policy.
1709
1710 The KrbFastResponse structure contains the following information:
1711
1712 KrbFastResponse ::= SEQUENCE {
1713 padata [0] SEQUENCE OF PA-DATA,
1714 -- padata typed holes.
1715 strengthen-key [1] EncryptionKey OPTIONAL,
1716 -- This, if present, strengthens the reply key for AS and
1717 -- TGS. MUST be present for TGS.
1718 -- MUST be absent in KRB-ERROR.
1719 finished [2] KrbFastFinished OPTIONAL,
1720 -- Present in AS or TGS reply; absent otherwise.
1721 nonce [3] UInt32,
1722 -- Nonce from the client request.
1723 ...
1724 }
1725
1726 The padata field in the KrbFastResponse structure contains a list of
1727 PA-DATA structures as described in Section 5.2.7 of [RFC4120]. These
1728 PA-DATA structures are used to carry data advancing the exchange
1729 specific for the FAST factors. They can also be used as generic
1730 typed-holes for protocol extensibility. Unless otherwise specified,
1731 the KDC MUST include any padata that is otherwise in the outer KDC-
1732
1733
1734
1735Hartman & Zhu Expires February 13, 2010 [Page 31]
1736�
1737Internet-Draft Kerberos Preauth Framework August 2009
1738
1739
1740 REP structure into this field. The padata field in the KDC reply
1741 structure outside of the PA-FX-FAST-REPLY structure typically
1742 includes only the PA-FX- FAST-REPLY padata.
1743
1744 The strengthen-key field provides a mechanism for the KDC to
1745 strengthen the reply key. If set, the reply key is strengthened
1746 after all padata items are processed. Let padata-reply-key be the
1747 reply key after padata processing.
1748
1749 reply-key = KRB-FX-CF2(strengthen-key, padata-reply-key,
1750 "strengthenkey", "replykey")
1751
1752 The strengthen-key field MAY be set in an AS reply; it MUST be set in
1753 a TGS reply; it must be absent in an error reply. The strengthen key
1754 is required in a TGS reply so that an attacker cannot remove the FAST
1755 PADATA from a TGS reply, causing the KDC to appear not to support
1756 FAST.
1757
1758 The finished field contains a KrbFastFinished structure. It is
1759 filled by the KDC in the final message in the conversation. This
1760 field is present in an AS-REP or a TGS-REP when a ticket is returned,
1761 and it is not present in an error reply.
1762
1763 The KrbFastFinished structure contains the following information:
1764
1765 KrbFastFinished ::= SEQUENCE {
1766 timestamp [0] KerberosTime,
1767 usec [1] Microseconds,
1768 -- timestamp and usec represent the time on the KDC when
1769 -- the reply was generated.
1770 crealm [2] Realm,
1771 cname [3] PrincipalName,
1772 -- Contains the client realm and the client name.
1773 ticket-checksum [4] Checksum,
1774 -- checksum of the ticket in the KDC-REP using the armor
1775 -- and the key usage is KEY_USAGE_FAST_FINISH.
1776 -- The checksum type is the required checksum type
1777 -- of the armor key.
1778 ...
1779 }
1780 KEY_USAGE_FAST_FINISHED 53
1781
1782 The timestamp and usec fields represent the time on the KDC when the
1783 reply ticket was generated, these fields have the same semantics as
1784 the corresponding-identically-named fields in Section 5.6.1 of
1785 [RFC4120]. The client MUST use the KDC's time in these fields
1786 thereafter when using the returned ticket. Note that the KDC's time
1787 in AS-REP may not match the authtime in the reply ticket if the kdc-
1788
1789
1790
1791Hartman & Zhu Expires February 13, 2010 [Page 32]
1792�
1793Internet-Draft Kerberos Preauth Framework August 2009
1794
1795
1796 follow-referrals option is requested and honored by the KDC. The
1797 client need not confirm that the timestamp returned is within
1798 allowable clock skew: the armor key guarantees that the reply is
1799 fresh. The client MAY trust the time stamp returned.
1800
1801 The cname and crealm fields identify the authenticated client. If
1802 facilities described in [REFERRALS] are used, the authenticated
1803 client may differ from the client in the FAST request.
1804
1805 The ticket-checksum is a checksum of the issued ticket. The checksum
1806 key is the armor key, and the checksum type is the required checksum
1807 type of the enctype of that key, and the key usage number is
1808 KEY_USAGE_FAST_FINISHED.
1809
1810 When FAST padata is included, the PA-FX-COOKIE padata as defined in
1811 Section 6.3 MUST be included in the padata sequence in the
1812 KrbFastResponse sequence if the KDC expects at least one more message
1813 from the client in order to complete the authentication.
1814
1815 The nonce field in the KrbFastResponse contains the value of the
1816 nonce field in the KDC-REQ of the corresponding client request and it
1817 binds the KDC response with the client request. The client MUST
1818 verify that this nonce value in the reply matches with that of the
1819 request and reject the KDC reply otherwise. To prevent the response
1820 from one message in a conversation from being replayed to a request
1821 in another message, clients SHOULD use a new nonce for each message
1822 in a conversation.
1823
18246.5.4. Authenticated Kerberos Error Messages using Kerberos FAST
1825
1826 If the Kerberos FAST padata was included in the request, unless
1827 otherwise specified, the e-data field of the KRB-ERROR message
1828 [RFC4120] contains the ASN.1 DER encoding of the type METHOD-DATA
1829 [RFC4120] and a PA-FX-FAST is included in the METHOD-DATA. The KDC
1830 MUST include all the padata elements such as PA-ETYPE-INFO2 and
1831 padata elements that indicate acceptable pre-authentication
1832 mechanisms [RFC4120] in the KrbFastResponse structure.
1833
1834 The KDC MUST also include a PA-FX-ERROR padata item in the
1835 KRBFastResponse structure. The padata-value element of this sequence
1836 is the ASN.1 DER encoding of the type KRB-ERROR. The e-data field
1837 MUST be absent in the PA-FX-ERROR padata. All other fields should be
1838 the same as the outer KRB-ERROR. The client ignores the outer error
1839 and uses the combination of the padata in the KRBFastResponse and the
1840 error information in the PA-FX-ERROR.
1841
1842 PA-FX-ERROR 137
1843
1844
1845
1846
1847Hartman & Zhu Expires February 13, 2010 [Page 33]
1848�
1849Internet-Draft Kerberos Preauth Framework August 2009
1850
1851
1852 If the Kerberos FAST padata is included in the request but not
1853 included in the error reply, it is a matter of the local policy on
1854 the client to accept the information in the error message without
1855 integrity protection. The client SHOULD however process the KDC
1856 errors as the result of the KDC's inability to accept the AP_REQ
1857 armor and potentially retry another request with a different armor
1858 when applicable. The Kerberos client MAY process an error message
1859 without a PA-FX-FAST-REPLY, if that is only intended to return better
1860 error information to the application, typically for trouble-shooting
1861 purposes.
1862
1863 In the cases where the e-data field of the KRB-ERROR message is
1864 expected to carry a TYPED-DATA [RFC4120] element, then that
1865 information should be transmitted in a pa-data element within the
1866 KRBFastResponse structure. The padata-type is the same as the data-
1867 type would be in the typed data element and the padata-value is the
1868 same as the data-value. As discussed in Section 8, data-types and
1869 padata-types are drawn from the same namespace. For example, the
1870 TD_TRUSTED_CERTIFIERS structure is expected to be in the KRB-ERROR
1871 message when the error code is KDC_ERR_CANT_VERIFY_CERTIFICATE
1872 [RFC4556].
1873
18746.5.5. Outer and Inner Requests
1875
1876 Typically, a client will know that FAST is being used before a
1877 request containing PA-FX-FAST is sent. So, the outer AS request
1878 typically only includes one pa-data item: PA-FX-FAST. The client MAY
1879 include additional pa-data, but the KDC MUST ignore the outer request
1880 body and any padata besides PA-FX-FAST if and only if PA-FX-FAST is
1881 processed. In the case of the TGS request, the outer request should
1882 include PA-FX-FAST and PA-TGS-REQ.
1883
1884 When an AS generates a response, all padata besides PA-FX-FAST should
1885 be included in PA-FX-FAST. The client MUST ignore other padata
1886 outside of PA-FX-FAST.
1887
18886.5.6. The Encrypted Challenge FAST Factor
1889
1890 The encrypted challenge FAST factor authenticates a client using the
1891 client's long-term key. This factor works similarly to the encrypted
1892 time stamp pre-authentication option described in [RFC4120]. The
1893 word challenge is used instead of timestamp because while the
1894 timestamp is used as an initial challenge, if the KDC and client do
1895 not have synchronized time, then the KDC can provide updated time to
1896 the client to use as a challenge. The client encrypts a structure
1897 containing a timestamp in the challenge key. The challenge key used
1898 by the client to send a message to the KDC is KRB-FX-
1899 CF2(armor_key,long_term_key, "clientchallengearmor",
1900
1901
1902
1903Hartman & Zhu Expires February 13, 2010 [Page 34]
1904�
1905Internet-Draft Kerberos Preauth Framework August 2009
1906
1907
1908 "challengelongterm"). The challenge key used by the KDC encrypting
1909 to the client is KRB-FX-CF2(armor_key, long_term_key,
1910 "kdcchallengearmor", "challengelongterm"). Because the armor key is
1911 fresh and random, the challenge key is fresh and random. The only
1912 purpose of the timestamp is to limit the validity of the
1913 authentication so that a request cannot be replayed. A client MAY
1914 base the timestamp on the KDC time in a KDC error and need not
1915 maintain accurate time synchronization itself. If a client bases its
1916 time on an untrusted source, an attacker may trick the client into
1917 producing an authentication request that is valid at some future
1918 time. The attacker may be able to use this authentication request to
1919 make it appear that a client has authenticated at that future time.
1920 If ticket-based armor is used, then the lifetime of the ticket will
1921 limit the window in which an attacker can make the client appear to
1922 have authenticated. For many situations, the ability of an attacker
1923 to cause a client to appear to have authenticated is not a
1924 significant concern; the ability to avoid requiring time
1925 synchronization on clients is more valuable.
1926
1927 The client sends a padata of type PA-ENCRYPTED-CHALLENGE. The
1928 corresponding padata-value contains the DER encoding of ASN.1 type
1929 EncryptedChallenge.
1930
1931 EncryptedChallenge ::= EncryptedData
1932 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key
1933 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the
1934 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC.
1935
1936 PA-ENCRYPTED-CHALLENGE 138
1937 KEY_USAGE_ENC_CHALLENGE_CLIENT 54
1938 KEY_USAGE_ENC_CHALLENGE_KDC 55
1939
1940 The client includes some time stamp reasonably close to the KDC's
1941 current time and encrypts it in the challenge key. Clients MAY use
1942 the current time; doing so prevents the exposure where an attacker
1943 can cause a client to appear to authenticate in the future. The
1944 client sends the request including this factor.
1945
1946 On receiving an AS-REQ containing the PA-ENCRYPTED-CHALLENGE fast
1947 factor, the KDC decrypts the timestamp. If the decryption fails the
1948 KDC SHOULD return KDC_ERR_PREAUTH_FAILED, including PA-ETYPE-INFO2 in
1949 the KRBFastResponse in the error. The KDC confirms that the
1950 timestamp falls within its current clock skew returning
1951 KRB_APP_ERR_SKEW if not. The KDC then SHOULD check to see if the
1952 encrypted challenge is a replay. The KDC MUST NOT consider two
1953 encrypted challenges replays simply because the time stamps are the
1954 same; to be a replay, the ciphertext MUST be identical. Allowing
1955 clients to re-use time stamps avoids requiring that clients maintain
1956
1957
1958
1959Hartman & Zhu Expires February 13, 2010 [Page 35]
1960�
1961Internet-Draft Kerberos Preauth Framework August 2009
1962
1963
1964 state about which time stamps have been used.
1965
1966 If the KDC accepts the encrypted challenge, it MUST include a padata
1967 element of type PA-ENCRYPTED-CHALLENGE. The KDC encrypts its current
1968 time in the challenge key. The KDC MUST strengthen the reply key
1969 before issuing a ticket. The client MUST check that the timestamp
1970 decrypts properly. The client MAY check that the timestamp is within
1971 the window of acceptable clock skew for the client. The client MUST
1972 NOT require that the timestamp be identical to the timestamp in the
1973 issued credentials or the returned message.
1974
1975 The encrypted challenge FAST factor provides the following
1976 facilities: client-authentication and KDC authentication. This FAST
1977 factor also takes advantage of the FAST facility to strengthen the
1978 reply key. It does not provide the replacing-reply-key facility.
1979 The security considerations section of this document provides an
1980 explanation why the security requirements are met.
1981
1982 The encrypted challenge FAST factor can be useful in an
1983 authentication set. No pa-hint is defined because the only
1984 information needed by this mechanism is information contained in the
1985 PA-ETYPE-INFO2 pre-authentication data. KDCs are already required to
1986 send PA-ETYPE-INFO2. If KDCs were not required to send PA-ETYPE-
1987 INFO2 then that information would need to be part of a hint for
1988 encrypted challenge.
1989
1990 Conforming implementations MUST support the encrypted challenge FAST
1991 factor.
1992
19936.6. Authentication Strength Indication
1994
1995 Implementations that have pre-authentication mechanisms offering
1996 significantly different strengths of client authentication MAY choose
1997 to keep track of the strength of the authentication used as an input
1998 into policy decisions. For example, some principals might require
1999 strong pre-authentication, while less sensitive principals can use
2000 relatively weak forms of pre-authentication like encrypted timestamp.
2001
2002 An AuthorizationData data type AD-Authentication-Strength is defined
2003 for this purpose.
2004
2005 AD-authentication-strength 70
2006
2007 The corresponding ad-data field contains the DER encoding of the pre-
2008 authentication data set as defined in Section 6.4. This set contains
2009 all the pre-authentication mechanisms that were used to authenticate
2010 the client. If only one pre-authentication mechanism was used to
2011 authenticate the client, the pre-authentication set contains one
2012
2013
2014
2015Hartman & Zhu Expires February 13, 2010 [Page 36]
2016�
2017Internet-Draft Kerberos Preauth Framework August 2009
2018
2019
2020 element.
2021
2022 The AD-authentication-strength element MUST be included in the AD-IF-
2023 RELEVANT, thus it can be ignored if it is unknown to the receiver.
2024
2025
20267. Assigned Constants
2027
2028 The pre-authentication framework and FAST involve using a number of
2029 Kerberos protocol constants. This section lists protocol constants
2030 first introduced in this specification drawn from registries not
2031 managed by IANA. Many of these registries would best be managed by
2032 IANA; that is a known issue that is out of scope for this document.
2033 The constants described in this section have been accounted for and
2034 will appear in the next revision of the Kerberos core specification
2035 or in a document creating IANA registries.
2036
2037 Section 8 creates IANA registries for a different set of constants
2038 used by the extensions described in this document.
2039
20407.1. New Errors
2041
2042 KDC_ERR_PREAUTH_EXPIRED 90
2043 KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91
2044 KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92
2045 KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS 93
2046
20477.2. Key Usage Numbers
2048
2049 KEY_USAGE_FAST_REQ_CHKSUM 50
2050 KEY_USAGE_FAST_ENC 51
2051 KEY_USAGE_FAST_REP 52
2052 KEY_USAGE_FAST_FINISHED 53
2053 KEY_USAGE_ENC_CHALLENGE_CLIENT 54
2054 KEY_USAGE_ENC_CHALLENGE_KDC 55
2055
20567.3. Authorization Data Elements
2057
2058 AD-authentication-strength 70
2059 AD-fx-fast-armor 71
2060 AD-fx-fast-used 72
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071Hartman & Zhu Expires February 13, 2010 [Page 37]
2072�
2073Internet-Draft Kerberos Preauth Framework August 2009
2074
2075
20767.4. New PA-DATA Types
2077
2078 PA-FX-COOKIE 133
2079 PA-AUTHENTICATION-SET 134
2080 PA-AUTH-SET-SELECTED 135
2081 PA-FX-FAST 136
2082 PA-FX-ERROR 137
2083 PA-ENCRYPTED-CHALLENGE 138
2084
2085
20868. IANA Considerations
2087
2088 This document creates a number of IANA registries. These registries
2089 should all be located under
2090 http://www.iana.org/assignments/kerberos-parameters.
2091
20928.1. Pre-authentication and Typed Data
2093
2094 RFC 4120 defines pre-authentication data, which can be included in a
2095 KDC request or response in order to authenticate the client or extend
2096 the protocol. In addition, it defines Typed-Data which is an
2097 extension mechanism for errors. Both pre-authentication data and
2098 typed data are carried as a 32-bit signed integer along with an octet
2099 string. The encoding of typed data and pre-authentication data is
2100 slightly different. However the types for pre-authentication data
2101 and typed-data are drawn from the same namespace. By convention,
2102 registrations starting with TD- are typed data and registration
2103 starting with PA- are pre-authentication data. It is important that
2104 these data types be drawn from the same namespace, because some
2105 errors where it would be desirable to include typed data require the
2106 e-data field to be formatted as pre-authentication data.
2107
2108 When Kerberos FAST is used, pre-authentication data encoding is
2109 always used.
2110
2111 There is one apparently conflicting registration between typed data
2112 and pre-authentication data. PA-GET-FROM-TYPED-DATA and TD-PADATA
2113 are both assigned the value 22. However this registration is simply
2114 a mechanism to include an element of the other encoding. The use of
2115 both should be deprecated.
2116
2117 This document creates a registry for pre-authentication and typed
2118 data. The registration procedures are as follows. Expert review for
2119 pre-authentication mechanisms designed to authenticate users, KDCs,
2120 or establish the reply key. The expert first determines that the
2121 purpose of the method is to authenticate clients, KDCs, or to
2122 establish the reply key. If so, expert review is appropriate. The
2123 expert evaluates the security and interoperability of the
2124
2125
2126
2127Hartman & Zhu Expires February 13, 2010 [Page 38]
2128�
2129Internet-Draft Kerberos Preauth Framework August 2009
2130
2131
2132 specification.
2133
2134 IETF review is required if the expert believes that the pre-
2135 authentication method is broader than these three areas. Pre-
2136 authentication methods that change the Kerberos state machine or
2137 otherwise make significant changes to the Kerberos protocol should be
2138 standards track RFCs. A concern that a particular method needs to be
2139 a standards track RFC may be raised as an objection during IETF
2140 review.
2141
2142 Type Value Reference
2143 ----------------------------------------------------------------------
2144 PA-TGS-REQ 1 RFC 4120
2145 PA-ENC-TIMESTAMP 2 RFC 4120
2146 PA-PW-SALT 3 RFC 4120
2147 [reserved] 4
2148 PA-ENC-UNIX-TIME 5 (deprecated)
2149 PA-SANDIA-SECUREID 6
2150 PA-SESAME 7
2151 PA-OSF-DCE 8
2152 PA-CYBERSAFE-SECUREID 9
2153 PA-AFS3-SALT 10
2154 PA-ETYPE-INFO 11 RFC 4120
2155 PA-SAM-CHALLENGE 12 (sam/otp)
2156 PA-SAM-RESPONSE 13 (sam/otp)
2157 PA-PK-AS-REQ_OLD 14 draft-ietf-cat-kerberos-pk-init-09
2158 PA-PK-AS-REP_OLD 15 draft-ietf-cat-kerberos-pk-init-09
2159 PA-PK-AS-REQ 16 RFC 4556
2160 PA-PK-AS-REP 17 RFC 4556
2161 PA-PK-OCSP-RESPONSE 18 RFC 4557
2162 PA-ETYPE-INFO2 19 RFC 4120
2163 PA-USE-SPECIFIED-KVNO 20
2164 PA-SVR-REFERRAL-INFO 20 (referrals)
2165 PA-SAM-REDIRECT 21 (sam/otp)
2166 PA-GET-FROM-TYPED-DATA 22 (embedded in typed data)
2167 TD-PADATA 22 (embeds padata)
2168 PA-SAM-ETYPE-INFO 23 (sam/otp)
2169 PA-ALT-PRINC 24 (crawdad@fnal.gov)
2170 PA-SERVER-REFERRAL 25 (referrals)
2171 PA-SAM-CHALLENGE2 30 (kenh@pobox.com)
2172 PA-SAM-RESPONSE2 31 (kenh@pobox.com)
2173 PA-EXTRA-TGT 41 Reserved extra TGT
2174 TD-PKINIT-CMS-CERTIFICATES 101 CertificateSet from CMS
2175 TD-KRB-PRINCIPAL 102 PrincipalName
2176 TD-KRB-REALM 103 Realm
2177 TD-TRUSTED-CERTIFIERS 104 PKINIT
2178 TD-CERTIFICATE-INDEX 105 PKINIT
2179 TD-APP-DEFINED-ERROR 106 Application specific
2180
2181
2182
2183Hartman & Zhu Expires February 13, 2010 [Page 39]
2184�
2185Internet-Draft Kerberos Preauth Framework August 2009
2186
2187
2188 TD-REQ-NONCE 107 INTEGER
2189 TD-REQ-SEQ 108 INTEGER
2190 PA-PAC-REQUEST 128 MS-KILE
2191 PA-FOR_USER 129 MS-KILE
2192 PA-FOR-X509-USER 130 MS-KILE
2193 PA-FOR-CHECK_DUPS 131 MS-KILE
2194 PA-AS-CHECKSUM 132 MS-KILE
2195 PA-FX-COOKIE 133 draft-ietf-krb-wg-preauth-framework
2196 PA-AUTHENTICATION-SET 134 draft-ietf-krb-wg-preauth-framework
2197 PA-AUTH-SET-SELECTED 135 draft-ietf-krb-wg-preauth-framework
2198 PA-FX-FAST 136 draft-ietf-krb-wg-preauth-framework
2199 PA-FX-ERROR 137 draft-ietf-krb-wg-preauth-framework
2200 PA-ENCRYPTED-CHALLENGE 138 draft-ietf-krb-wg-preauth-framework
2201 PA-OTP-CHALLENGE 141 (gareth.richards@rsa.com)
2202 PA-OTP-REQUEST 142 (gareth.richards@rsa.com)
2203 PA-OTP-CONFIRM 143 (gareth.richards@rsa.com)
2204 PA-OTP-PIN-CHANGE 144 (gareth.richards@rsa.com)
2205 PA-EPAK-AS-REQ 145 (sshock@gmail.com)
2206 PA-EPAK-AS-REP 146 (sshock@gmail.com>)
2207 PA_PKINIT_KX 147 draft-ietf-krb-wg-anon
2208 PA_PKU2U_NAME 148 draft-zhu-pku2u
2209 PA-SUPPORTED-ETYPES 165 MS-KILE
2210 PA-EXTENDED_ERROR 166 MS-KILE
2211
22128.2. Fast Armor Types
2213
2214 FAST armor types are defined in Section 6.5.1. A FAST armor type is
2215 a signed 32-bit integer. FAST armor types are assigned by standards
2216 action.
2217
2218 Type Name Description
2219 ------------------------------------------------------------
2220 0 Reserved.
2221 1 FX_FAST_ARMOR_AP_REQUEST Ticket armor using an ap-req.
2222
22238.3. FAST Options
2224
2225 A FAST request includes a set of bit flags to indicate additional
2226 options. Bits 0-15 are critical; other bits are non-critical.
2227 Assigning bits greater than 31 may require special support in
2228 implementations. Assignment of FAST options requires standards
2229 action.
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239Hartman & Zhu Expires February 13, 2010 [Page 40]
2240�
2241Internet-Draft Kerberos Preauth Framework August 2009
2242
2243
2244 Type Name Description
2245 -------------------------------------------------------------------
2246 0 RESERVED Reserved for future expansion of this
2247 field.
2248 1 hide-client-names Requesting the KDC to hide client
2249 names in the KDC response
2250 16 kdc-follow-referrals Requesting the KDC to follow
2251 referrals
2252
2253
22549. Security Considerations
2255
2256 The kdc-referrals option in the Kerberos FAST padata requests the KDC
2257 to act as the client to follow referrals. This can overload the KDC.
2258 To limit the damages of denial of service using this option, KDCs MAY
2259 restrict the number of simultaneous active requests with this option
2260 for any given client principal.
2261
2262 Regarding to the facilities provided by the Encrypted Challenge FAST
2263 factor, the challenge key is derived from the client secrets and
2264 because the client secrets are known only to the client and the KDC,
2265 the verification of the EncryptedChallenge structure proves the
2266 client's identity, the verification of the EncryptedChallenge
2267 structure in the KDC reply proves that the expected KDC responded.
2268 Therefore, the Encrypted Challenge FAST factor as a pre-
2269 authentication mechanism offers the following facilities: client-
2270 authentication and KDC-authentication. There is no un-authenticated
2271 clear text introduced by the Encrypted Challenge FAST factor.
2272
2273 FAST provides an encrypted tunnel over which pre-authentication
2274 conversations can take place. In addition, FAST optionally
2275 authenticates the KDC to the client. It is the responsibility of
2276 FAST factors to authenticate the client to the KDC. Care MUST be
2277 taken to design FAST factors such that they are bound to the
2278 conversation. If this is not done, a man-in-the-middle may be able
2279 to cut&paste a fast factor from one conversation to another. The
2280 easiest way to do this is to bind each fast factor to the armor key
2281 which is guaranteed to be unique for each conversation.
2282
2283 The anonymous pkinit mode for obtaining an armor ticket does not
2284 always authenticate the KDC to the client before the conversation
2285 begins. Tracking the KDC verified state guarantees that by the end
2286 of the conversation, the client has authenticated the KDC. However
2287 fast factor designers need to consider the implications of using
2288 their factor when the KDC has not yet been authenticated. If this
2289 proves problematic in an environment, then the particular fast factor
2290 should not be used with anonymous PKINIT.
2291
2292
2293
2294
2295Hartman & Zhu Expires February 13, 2010 [Page 41]
2296�
2297Internet-Draft Kerberos Preauth Framework August 2009
2298
2299
2300 Existing pre-authentication mechanisms are believed to be at least as
2301 secure when used with FAST as they are when used outside of FAST.
2302 One part of this security is making sure that when pre-authentication
2303 methods checksum the request, they checksum the inner request rather
2304 than the outer request. If the mechanism checksummed the outer
2305 request, a man-in-the-middle could observe it outside a FAST tunnel
2306 and then cut&paste it into a FAST exchange where the inner rather
2307 than outer request would be used to select attributes of the issued
2308 ticket. Such attacks would typically invalidate auditing information
2309 or create a situation where the client and KDC disagree about what
2310 ticket is issued. However, such attacks are unlikely to allow an
2311 attacker who would not be able to authenticate as a principal to do
2312 so. Even so, FAST is believed to defend against these attacks in
2313 existing legacy mechanism. However since there is no standard for
2314 how legacy mechanisms bind the request to the pre-authentication or
2315 provide integrity protection, security analysis can be difficult. In
2316 some cases FAST may significantly improve the integrity protection of
2317 legacy mechanisms.
2318
2319 The security of the TGS exchange depends on authenticating the client
2320 to the KDC. In the AS exchange, this is done using pre-
2321 authentication data or FAST factors. In the TGS exchange, this is
2322 done by presenting a TGT and by using the session (or sub-session)
2323 key in constructing the request. Because FAST uses a request body in
2324 the inner request, encrypted in the armor key, rather than the
2325 request body in the outer request, it is critical that establishing
2326 the armor key be tied to the authentication of the client to the KDC.
2327 If this is not done, an attacker could manipulate the options
2328 requested in the TGS request, for example requesting a ticket with
2329 different validity or addresses. The easiest way to bind the armor
2330 key to the authentication of the client to the KDC is for the armor
2331 key to depend on the sub-session key of the TGT. This is done with
2332 the implicit TGS armor supported by this specification. Future armor
2333 types designed for use with the TGS MUST either bind their armor keys
2334 to the TGT or provide another mechanism to authenticate the client to
2335 the KDC.
2336
2337
233810. Acknowledgements
2339
2340 Sam Hartman would like to thank the MIT Kerberos Consortium for its
2341 funding of his time on this project.
2342
2343 Several suggestions from Jeffrey Hutzelman based on early revisions
2344 of this documents led to significant improvements of this document.
2345
2346 The proposal to ask one KDC to chase down the referrals and return
2347 the final ticket is based on requirements in [ID.CROSS].
2348
2349
2350
2351Hartman & Zhu Expires February 13, 2010 [Page 42]
2352�
2353Internet-Draft Kerberos Preauth Framework August 2009
2354
2355
2356 Joel Webber had a proposal for a mechanism similar to FAST that
2357 created a protected tunnel for Kerberos pre-authentication.
2358
2359 Srinivas Cheruku and Greg Hudson provided valuable review comments.
2360
2361
236211. References
2363
236411.1. Normative References
2365
2366 [KRB-ANON]
2367 Zhu, L. and P. Leach, "Kerberos Anonymity Support",
2368 draft-ietf-krb-wg-anon-04.txt (work in progress), 2007.
2369
2370 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2371 Requirement Levels", BCP 14, RFC 2119, March 1997.
2372
2373 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
2374 Kerberos 5", RFC 3961, February 2005.
2375
2376 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
2377 Kerberos Network Authentication Service (V5)", RFC 4120,
2378 July 2005.
2379
2380 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
2381 Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
2382
238311.2. Informative References
2384
2385 [EKE] Bellovin, S. and M. Merritt, "Augmented Encrypted Key
2386 Exchange: A Password-Based Protocol Secure Against
2387 Dictionary Attacks and Password File Compromise,
2388 Proceedings of the 1st ACM Conference on Computer and
2389 Communications Security, ACM Press.", November 1993.
2390
2391 [ID.CROSS]
2392 Sakane, S., Zrelli, S., and M. Ishiyama , "Problem
2393 Statement on the Operation of Kerberos in a Specific
2394 System", draft-sakane-krb-cross-problem-statement-02.txt
2395 (work in progress), April 2007.
2396
2397 [IEEE1363.2]
2398 IEEE, "IEEE P1363.2: Password-Based Public-Key
2399 Cryptography", 2004.
2400
2401 [KRB-WG.SAM]
2402 Hornstein, K., Renard, K., Neuman, C., and G. Zorn,
2403 "Integrating Single-use Authentication Mechanisms with
2404
2405
2406
2407Hartman & Zhu Expires February 13, 2010 [Page 43]
2408�
2409Internet-Draft Kerberos Preauth Framework August 2009
2410
2411
2412 Kerberos", draft-ietf-krb-wg-kerberos-sam-02.txt (work in
2413 progress), October 2003.
2414
2415 [REFERRALS]
2416 Raeburn, K. and L. Zhu, "Generating KDC Referrals to
2417 Locate Kerberos Realms",
2418 draft-ietf-krb-wg-kerberos-referrals-10.txt (work in
2419 progress), 2007.
2420
2421
2422Appendix A. Test Vectors for KRB-FX-CF2
2423
2424 This informative appendix presents test vectors for the KRB-FX-CF2
2425 function. Test vectors are presented for several encryption types.
2426 In all cases the first key (k1) is the result of string-to-
2427 key("key1", "key1", default_parameters) and the second key (k2) is
2428 the result of string-to-key("key2", "key2", default_parameters).
2429 Both keys are of the same enctype. The presented test vector is the
2430 hexadecimal encoding of the key produced by KRB-FX-CF2(k1, k2, "a",
2431 "b"). The peppers are one-octet ASCII strings.
2432
2433 In performing interoperability testing, there was significant
2434 ambiguity surrounding [RFC3961] pseudo-random operations. These test
2435 vectors assume that the AES pseudo-random operation is aes-
2436 ecb(trunc128(sha-1(input))) where trunc128 truncates its input to
2437 128-bits. The 3DES pseudo-random operation is assumed to be des3-
2438 cbc(trunc128(sha-1(input))). The DES pseudo-random operation is
2439 assumed to be des-cbc(md5(input)). As specified in RFC 4757, the RC4
2440 pseudo-random operation is hmac-sha1(input).
2441
2442 Interoperability testing also demonstrated ambiguity surrounding the
2443 DES random-to-key operation. The random-to-key operation is assumed
2444 to be distribute 56 bits into high-7-bits of 8 octets and generate
2445 parity.
2446
2447 These test vectors were produced with revision 22359 of the MIT
2448 Kerberos sources. The AES 256 and AES 128 test vectors have been
2449 confirmed by multiple other implementors. The RC4 test vectors have
2450 been confirmed by one other implementor. The DES and triple DES test
2451 vectors have not been confirmed.
2452
2453
2454 aes 128 (enctype 17): 97df97e4b798b29eb31ed7280287a92a
2455 AES256 (enctype 18): 4d6ca4e629785c1f01baf55e2e548566
2456 b9617ae3a96868c337cb93b5e72b1c7b
2457 DES (enctype 1): 43bae3738c9467e6
2458 3DES (enctype 16): e58f9eb643862c13ad38e529313462a7f73e62834fe54a01
2459 RC4 (enctype 23): 24d7f6b6bae4e5c00d2082c5ebab3672
2460
2461
2462
2463Hartman & Zhu Expires February 13, 2010 [Page 44]
2464�
2465Internet-Draft Kerberos Preauth Framework August 2009
2466
2467
2468Appendix B. Change History
2469
2470 RFC editor, please remove this section before publication.
2471
2472B.1. Changes since 13
2473
2474 Restore DES test vectors; their removal was not mentioned in 13.
2475 Clarify that only implicit TGS armor is defined at this time. In
2476 the future we may define explicit TGS armor.
2477
2478B.2. Changes since 12
2479
2480 Per comment from Greg Hudson, KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
2481 instead of KDC_ERR_MORE_PREAUTH_DATA_NEEDED
2482 Use pa-authentication-set-selected not pa-auth-set-selected
2483 Update discussion of KDC verification (Love)
2484 Remove explicit TGS armor, note that TGS armor must authenticate
2485 the client to the KDC, describe in security considerations.
2486
2487B.3. Changes since 11
2488
2489 Checksum the inner request body in methods like PKINIT, not the
2490 outer request body. Per mailing list discussion, this change
2491 addresses a potential security weakness.
2492 Add additional security considerations text
2493
2494B.4. Changes since 10
2495
2496 The checksum member of the KrbFastFinished sequence has been
2497 removed. A nonce field has been added to KrbFastResponse.
2498 The cookie no longer needs to be outside of FAST. In fact, some
2499 security guarantees depend on the cookie being inside FAST now
2500 that the finish checksum has been removed. Affected that change.
2501 Replace the rep-key field in KrbFastResponse with the strengthen-
2502 key field. Per mailing list discussion, there are security
2503 advantages to strengthening the reply key.
2504 Clarify handling of authentication sets.
2505 Include the AD-fx-fast-used authorization data type.
2506 Include note about random nonces.
2507
2508B.5. Changes since 09
2509
2510 Clarify conversations by defining for TGS and by describing how
2511 cookies form conversation boundaries.
2512 Simplify text surrounding when finish is included: always for AS
2513 and TGS reply, never for error.
2514
2515
2516
2517
2518
2519Hartman & Zhu Expires February 13, 2010 [Page 45]
2520�
2521Internet-Draft Kerberos Preauth Framework August 2009
2522
2523
2524 Fill in IANA and constants
2525
2526B.6. Changes since 08
2527
2528 Fix a number of typos
2529 Rename anonymous flag to hide-client-name; rename kdc-referals to
2530 kdc-follow-referrals
2531 Clarify how anonymous pkinit interacts with KDC verified.
2532 Introduce AD-fx-fast-armor authorization data to deal with
2533 unprivileged processes constructing KDC requests. Note that a TGT
2534 is always used for armor tickets if the armor field is present; if
2535 you proxy or validate you'll end up with a TGT armor ticket and
2536 another ticket in the pa-tgs-req. Alternatively you can simply
2537 use the other ticket in the PA-TGS-REQ; weak consensus within WG.
2538 All KDCs in a realm MUST support FAST if it is to be offered.
2539 The cookie message is always generated by the KDC.
2540 Note that the client can trust and need not verify the time stamp
2541 in the finish message. This can seed the client's idea of KDC
2542 time.
2543 Note that the client name in the finish message may differ from
2544 the name in the request if referrals are used.
2545 Note that KDCs should advertize fast in preauth_required errors.
2546 Armor key is constructed using KRB-FX-CF2. This is true even in
2547 the TGS case; there is no security reason to do this. Using the
2548 subkey as done in draft 08 would be fine, but the current text
2549 uses the same procedure both in the TGS and AS case.
2550 Use a different challenge key in each direction in the encrypted
2551 challenge option.
2552 Note that the KDC should process PA-FX-COOKIE before other padata.
2553 KRB-FX-CF2 uses k1's enctype for the result; change around calling
2554 order so we pass in subkeys and armor keys as k1 in preference to
2555 long-term keys or ticket session keys.
2556 Clarify the relationship between authentication sets and cookies.
2557 A cookie may not be needed in the first message. Clarify how this
2558 interacts with optimistic clients.
2559 Remove text raising a concern that RFC 3961 may permit ciphertext
2560 transformations that do not change plaintext: discussion on the
2561 list came to the conclusion that RFC 3961 does not permit this.
2562 Remove binding key concept; use the armor key instead. The cookie
2563 becomes just an octet string.
2564 Include PA-FX-ERROR to protect the error information per Dublin.
2565 Returning preauth_failed in the failed to decrypt encrypted
2566 challenge seems fine; remove the issue marker
2567 Add a section describing what goes in the inner and outer request.
2568 I believe it is redundant but found it useful while putting
2569 together an implementation proposal.
2570
2571
2572
2573
2574
2575Hartman & Zhu Expires February 13, 2010 [Page 46]
2576�
2577Internet-Draft Kerberos Preauth Framework August 2009
2578
2579
2580 Use hyphen rather than underscore in the constants for pre-
2581 authentication data to be consistent with RFC 4120.
2582 Add a ticket-checksum to the finished message
2583 Remove redundant KEY_USAGE_FAST_ARMOR.
2584 Add protocol constants section for non-IANA registrations and
2585 flesh out IANA section.
2586 Clarify that kdc-req-body checksums should always use the outer
2587 body even for mechanisms like PKINIT that include their own (now
2588 redundant) checksum.
2589 Remove mechanism for encapsulating typed data in padata; just
2590 reflect the value.
2591
2592B.7. Changes since 07
2593
2594 Propose replacement of authenticated timestamp with encrypted
2595 challenge. The desire to avoid clients needing time
2596 synchronization and to simply the factor.
2597 Add a requirement that any FAST armor scheme must provide a fresh
2598 key for each conversation. This allows us to assume that anything
2599 encrypted/integrity protected in the right key is fresh and not
2600 subject to cross-conversation cut and paste.
2601 Removed heartbeat padata. The KDC will double up messages if it
2602 needs to; the client simply sends its message and waits for the
2603 next response.
2604 Define PA-auth-SET-SELECTED
2605 Clarify a KDC cannot ignore padata is has claimed to support
2606
2607B.8. Changes since 06
2608
2609 Note that even for replace reply key it is likely that the side
2610 using the mechanism will know that the other side supports it.
2611 Since it is reasonably unlikely we'll need a container mechanism
2612 other than FAST itself, we don't need to optimize for that case.
2613 So, we want to optimize for implementation simplicity. Thus if
2614 you do have such a container mechanism interacting with
2615 authentication sets we'll assume that the hint need to describe
2616 hints for all contained mechanisms. This closes out a long-
2617 standing issue.
2618 Write up what Sam believes is the consensus on UI and prompts in
2619 the authentication set: clients MAY assume that they have all the
2620 UI information they need.
2621
2622
2623Appendix C. ASN.1 module
2624
2625 KerberosPreauthFramework {
2626 iso(1) identified-organization(3) dod(6) internet(1)
2627 security(5) kerberosV5(2) modules(4) preauth-framework(3)
2628
2629
2630
2631Hartman & Zhu Expires February 13, 2010 [Page 47]
2632�
2633Internet-Draft Kerberos Preauth Framework August 2009
2634
2635
2636 } DEFINITIONS EXPLICIT TAGS ::= BEGIN
2637
2638 IMPORTS
2639 KerberosTime, PrincipalName, Realm, EncryptionKey, Checksum,
2640 Int32, EncryptedData, PA-ENC-TS-ENC, PA-DATA, KDC-REQ-BODY,
2641 Microseconds, KerberosFlags
2642 FROM KerberosV5Spec2 { iso(1) identified-organization(3)
2643 dod(6) internet(1) security(5) kerberosV5(2)
2644 modules(4) krb5spec2(2) };
2645 -- as defined in RFC 4120.
2646
2647
2648 PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
2649
2650 PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
2651 pa-type [0] Int32,
2652 -- same as padata-type.
2653 pa-hint [1] OCTET STRING OPTIONAL,
2654 pa-value [2] OCTET STRING OPTIONAL,
2655 ...
2656 }
2657
2658 KrbFastArmor ::= SEQUENCE {
2659 armor-type [0] Int32,
2660 -- Type of the armor.
2661 armor-value [1] OCTET STRING,
2662 -- Value of the armor.
2663 ...
2664 }
2665
2666 PA-FX-FAST-REQUEST ::= CHOICE {
2667 armored-data [0] KrbFastArmoredReq,
2668 ...
2669 }
2670
2671 KrbFastArmoredReq ::= SEQUENCE {
2672 armor [0] KrbFastArmor OPTIONAL,
2673 -- Contains the armor that identifies the armor key.
2674 -- MUST be present in AS-REQ.
2675 req-checksum [1] Checksum,
2676 -- For AS, contains the checksum performed over the type
2677 -- KDC-REQ-BODY for the req-body field of the KDC-REQ
2678 -- structure;
2679 -- For TGS, contains the checksum performed over the type
2680 -- AP-REQ in the PA-TGS-REQ padata.
2681 -- The checksum key is the armor key, the checksum
2682 -- type is the required checksum type for the enctype of
2683 -- the armor key, and the key usage number is
2684
2685
2686
2687Hartman & Zhu Expires February 13, 2010 [Page 48]
2688�
2689Internet-Draft Kerberos Preauth Framework August 2009
2690
2691
2692 -- KEY_USAGE_FAST_REQ_CHKSUM.
2693 enc-fast-req [2] EncryptedData, -- KrbFastReq --
2694 -- The encryption key is the armor key, and the key usage
2695 -- number is KEY_USAGE_FAST_ENC.
2696 ...
2697 }
2698
2699 KrbFastReq ::= SEQUENCE {
2700 fast-options [0] FastOptions,
2701 -- Additional options.
2702 padata [1] SEQUENCE OF PA-DATA,
2703 -- padata typed holes.
2704 req-body [2] KDC-REQ-BODY,
2705 -- Contains the KDC request body as defined in Section
2706 -- 5.4.1 of [RFC4120].
2707 -- This req-body field is preferred over the outer field
2708 -- in the KDC request.
2709 ...
2710 }
2711
2712 FastOptions ::= KerberosFlags
2713 -- reserved(0),
2714 -- hide-client-names(1),
2715 -- kdc-follow-referrals(16)
2716
2717 PA-FX-FAST-REPLY ::= CHOICE {
2718 armored-data [0] KrbFastArmoredRep,
2719 ...
2720 }
2721
2722 KrbFastArmoredRep ::= SEQUENCE {
2723 enc-fast-rep [0] EncryptedData, -- KrbFastResponse --
2724 -- The encryption key is the armor key in the request, and
2725 -- the key usage number is KEY_USAGE_FAST_REP.
2726 ...
2727 }
2728
2729 KrbFastResponse ::= SEQUENCE {
2730 padata [0] SEQUENCE OF PA-DATA,
2731 -- padata typed holes.
2732 strengthen-key [1] EncryptionKey OPTIONAL,
2733 -- This, if present, strengthens the reply key for AS and
2734 -- TGS. MUST be present for TGS
2735 -- MUST be absent in KRB-ERROR.
2736 finished [2] KrbFastFinished OPTIONAL,
2737 -- Present in AS or TGS reply; absent otherwise.
2738 nonce [3] UInt32,
2739 -- Nonce from the client request.
2740
2741
2742
2743Hartman & Zhu Expires February 13, 2010 [Page 49]
2744�
2745Internet-Draft Kerberos Preauth Framework August 2009
2746
2747
2748 ...
2749 }
2750
2751 KrbFastFinished ::= SEQUENCE {
2752 timestamp [0] KerberosTime,
2753 usec [1] Microseconds,
2754 -- timestamp and usec represent the time on the KDC when
2755 -- the reply was generated.
2756 crealm [2] Realm,
2757 cname [3] PrincipalName,
2758 -- Contains the client realm and the client name.
2759 ticket-checksum [4] Checksum,
2760 -- checksum of the ticket in the KDC-REP using the armor
2761 -- and the key usage is KEY_USAGE_FAST_FINISH.
2762 -- The checksum type is the required checksum type
2763 -- of the armor key.
2764 ...
2765 }
2766
2767 EncryptedChallenge ::= EncryptedData
2768 -- Encrypted PA-ENC-TS-ENC, encrypted in the challenge key
2769 -- using key usage KEY_USAGE_ENC_CHALLENGE_CLIENT for the
2770 -- client and KEY_USAGE_ENC_CHALLENGE_KDC for the KDC.
2771 END
2772
2773
2774Authors' Addresses
2775
2776 Sam hartman
2777 Painless Security
2778
2779 Email: hartmans-ietf@mit.edu
2780
2781
2782 Larry Zhu
2783 Microsoft Corporation
2784 One Microsoft Way
2785 Redmond, WA 98052
2786 US
2787
2788 Email: lzhu@microsoft.com
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799Hartman & Zhu Expires February 13, 2010 [Page 50]
2800�
2801
2802