1
2
3NETWORK WORKING GROUP                                             L. Zhu
4Internet-Draft                                                 K. Damour
5Updates: 4178 (if approved)                                 D. McPherson
6Intended status: Informational                     Microsoft Corporation
7Expires: January 15, 2009                                  July 14, 2008
8
9
10          The Extended GSS-API Negotiation Mechanism (NEGOEX)
11                          draft-zhu-negoex-01
12
13Status of this Memo
14
15   By submitting this Internet-Draft, each author represents that any
16   applicable patent or other IPR claims of which he or she is aware
17   have been or will be disclosed, and any of which he or she becomes
18   aware will be disclosed, in accordance with Section 6 of BCP 79.
19
20   Internet-Drafts are working documents of the Internet Engineering
21   Task Force (IETF), its areas, and its working groups.  Note that
22   other groups may also distribute working documents as Internet-
23   Drafts.
24
25   Internet-Drafts are draft documents valid for a maximum of six months
26   and may be updated, replaced, or obsoleted by other documents at any
27   time.  It is inappropriate to use Internet-Drafts as reference
28   material or to cite them other than as "work in progress."
29
30   The list of current Internet-Drafts can be accessed at
31   http://www.ietf.org/ietf/1id-abstracts.txt.
32
33   The list of Internet-Draft Shadow Directories can be accessed at
34   http://www.ietf.org/shadow.html.
35
36   This Internet-Draft will expire on January 15, 2009.
37
38Abstract
39
40   This document defines the Extended Generic Security Service
41   Application Program Interface (GSS-API) Negotiation Mechanism
42   (NegoEx).  NegoEx is a pseudo-security mechanism that logically
43   extends the SPNEGO protocol as defined in RFC4178.
44
45   The NegoEx protocol itself is a security mechanism negotiated by
46   SPNEGO.  When selected as the common mechanism, NegoEx OPTIONALLY
47   adds a pair of meta-data messages for each negotiated security
48   mechanism.  The meta-data exchange allows security mechanisms to
49   exchange auxiliary information such as trust configurations, thus
50   NegoEx provides additional flexibility than just exchanging object
51
52
53
54Zhu, et al.             Expires January 15, 2009                [Page 1]
55
56Internet-Draft                   NEGOEX                        July 2008
57
58
59   identifiers in SPNEGO.
60
61   NegoEx preserves the optimistic token semantics of SPNEGO and applies
62   that recursively.  Consequently a context establishment mechanism
63   token can be included in the initial NegoEx message, and NegoEx does
64   not require an extra round-trip when the initiator's optimistic token
65   is accepted by the target.
66
67   Similar to SPNEGO, NegoEx defines a few new GSS-API extensions that a
68   security mechanism MUST support in order to be negotiated by NegoEx.
69   This document defines these GSS-API extensions.
70
71   Unlike SPNEGO however, NegoEx defines its own way for signing the
72   protocol messages in order to protect the protocol negotiation.  The
73   NegoEx message signing or verification can occur before the security
74   context for the negotiated real security mechanism is fully
75   established.
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110Zhu, et al.             Expires January 15, 2009                [Page 2]
111
112Internet-Draft                   NEGOEX                        July 2008
113
114
115Table of Contents
116
117   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
118   2.  Requirements Terminology . . . . . . . . . . . . . . . . . . .  6
119   3.  Presentation Language and Primitive Data Types . . . . . . . .  6
120     3.1.  Basic Block Size . . . . . . . . . . . . . . . . . . . . .  7
121     3.2.  Miscellaneous  . . . . . . . . . . . . . . . . . . . . . .  7
122     3.3.  Constants  . . . . . . . . . . . . . . . . . . . . . . . .  7
123     3.4.  Numbers  . . . . . . . . . . . . . . . . . . . . . . . . .  7
124     3.5.  Enum Types . . . . . . . . . . . . . . . . . . . . . . . .  7
125     3.6.  Typedef Declarations . . . . . . . . . . . . . . . . . . .  8
126     3.7.  Array Types  . . . . . . . . . . . . . . . . . . . . . . .  8
127     3.8.  Vector Types . . . . . . . . . . . . . . . . . . . . . . .  8
128     3.9.  Constructed Types  . . . . . . . . . . . . . . . . . . . .  9
129   4.  Cryptographic Computations . . . . . . . . . . . . . . . . . . 10
130   5.  The NegoEx Protocol  . . . . . . . . . . . . . . . . . . . . . 11
131     5.1.  Generation of the Initiator Initial Token  . . . . . . . . 11
132     5.2.  Receipt of the Initial Initiator Token and Generation
133           of the Initial Acceptor Response . . . . . . . . . . . . . 13
134     5.3.  Receipt of the Acceptor Initial Response and
135           Completion of Authentication after the Negotiation
136           Phrase . . . . . . . . . . . . . . . . . . . . . . . . . . 14
137     5.4.  Finalizing Negotiation . . . . . . . . . . . . . . . . . . 15
138     5.5.  High-level NegoEx Message Flow . . . . . . . . . . . . . . 15
139   6.  Supporting GSS-API Extensions  . . . . . . . . . . . . . . . . 16
140     6.1.  GSS_Query_meta_data  . . . . . . . . . . . . . . . . . . . 16
141     6.2.  GSS_Exchange_meta_data . . . . . . . . . . . . . . . . . . 16
142     6.3.  GSS_Query_mechanism_info . . . . . . . . . . . . . . . . . 16
143     6.4.  GSS_Query_context_attr . . . . . . . . . . . . . . . . . . 16
144   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
145   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
146   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 17
147   10. Normative References . . . . . . . . . . . . . . . . . . . . . 17
148   Appendix A.  Protocol Data Structures and Constant Values  . . . . 17
149   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
150   Intellectual Property and Copyright Statements . . . . . . . . . . 22
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166Zhu, et al.             Expires January 15, 2009                [Page 3]
167
168Internet-Draft                   NEGOEX                        July 2008
169
170
1711.  Introduction
172
173   If more than one GSS-API mechanism is shared between the initator and
174   the acceptor, the Simple and Protected (GSS-API) Negotiation
175   Mechanism (SPNEGO) as defined in [RFC4178] can be deployed to choose
176   a mutually preferred one.  This pseudo mechanism does well in the
177   most basic scenarios but suffers from a couple of drawbacks, notably:
178
179   o  First, the SPNEGO negotiation model is inefficient when
180      negotiating based on mechanism specific configuration information.
181      SPNEGO negotiation is based on exchanging object identifiers only,
182      and it does not allow exchange of auxiliary information in any
183      other from.  This is inefficient and often impractical in that one
184      object identifier effectively conveys only one bit of information.
185
186   o  Secondly, the SPNEGO negotiation model is inadequate when the
187      choice cannot be made by the acceptor in the initial response.  In
188      SPNEGO, the negotiation information is sent one-way from the
189      initiator for the acceptor to make a choice, and the acceptor must
190      choose one when it makes the initial response.  This negotiation
191      model is counter intuitive.  The selection of a security mechanism
192      is typically the result of selecting one type of credentials from
193      the available set, and the initiator typically does not wish to
194      reveal credentials information often associated with user
195      identities.  In practice, in order to operate in this model, the
196      Kerberos GSS-API mechanism [RFC4121] must acquire the context
197      establishment token in the initial call to GSS_Init_sec_context().
198      If the initiator fails to acquire the initial Kerberos GSS-API
199      context token, it must not offer Kerberos; otherwise the SPNEGO
200      context negotiation will fail without being able to select the
201      next available mechanism that could work.  Obtaining the initial
202      Kerberos GSS-API context token may require multiple round-trips of
203      network calls and the cost of the operation can be substantial.
204      It is suboptimal when multiple GSS-API mechanisms have to add the
205      extra cost that would not exist if the negotiated security
206      mechanism were selected based on configuration.
207
208   The Extended Generic Security Service Application Program Interface
209   (GSS-API) Negotiation Mechanism (NegoEx) is defined to address these
210   concerns.  NegoEx is a pseudo security mechanism that is negotiated
211   by SPNEGO, and when negotiated, it can recursively negotiate real
212   security mechanisms.
213
214   Any security mechanism negotiated by NegoEx MUST support integrity
215   protection.
216
217   The basic form of NegoEx works as follows:
218
219
220
221
222Zhu, et al.             Expires January 15, 2009                [Page 4]
223
224Internet-Draft                   NEGOEX                        July 2008
225
226
227   1.  The initiator proposes a list of mechanisms in decreasing
228       preference order.  For each of these mechanism, NegoEx
229       OPTIOINALLY includes a mechanism specific meta-data token.  GSS-
230       API extensions are defined later in this document for NegoEx to
231       query the meta-data token for inclusion in the NegoEx message.
232
233   2.  The acceptor then passes the meta-data token from the initiator
234       to the intended security mechanism.  A meta-data token for a
235       security mechanism not supported on the acceptor side is ignored.
236       New GSS-API extensions are defined later in this document for a
237       security mechanism to consume the meta-data token.  When
238       processing the received meta-data tokens, a security mechanism
239       that reports a failure is removed from the set of mutually
240       supported mechanisms.  The acceptor then responds with the list
241       of mutually supported mechanisms in decreasing preference order.
242       For each of these mechanism, NegoEx again OPTIOINALLY supplies a
243       mechanism specific meta-data token in the response.  These meta-
244       data tokens are returned to NegoEx via new GSS-API extensions as
245       described in the initial step.
246
247   3.  The initiator then passes the meta-data tokens to the intended
248       security mechanisms by invoking the new GSS-API extensions.  When
249       processing the received meta-data token, a security mechanism
250       that reports a failure is removed from the set of mutually
251       supported mechanisms for this negotiation context.  The initiator
252       then selects one from the set of mutually-supported mechanisms.
253       If more than one security mechanism is available, unless
254       otherwise specified, the preferred one in the acceptor's
255       preference order SHOULD be selected.  Once the common security
256       mechanism is identified, the security mechanism may also
257       negotiate mechanism-specific options during its context
258       establishments.  This will be inside the mechanism tokens, and
259       invisible to the NegoEx protocol.
260
261   4.  The selected security mechanism provides keying materials to
262       NegoEx, and NegoEx then signs and verifies the negotiation NegoEx
263       messages to protect the negotiation.
264
265   5.  The initiator and the acceptor proceed to exchange tokens until
266       the GSS-API context for selected security mechanism is
267       established.  Once the security context is established, the per-
268       message tokens are generated and verified in accordance with the
269       selected security mechanism.
270
271   NegoEx does not work outside of SPNEGO.  When negotiated by SPNEGO,
272   NegoEx uses the concepts developed in the GSS-API specification
273   [RFC2743].  The negotiation data is encapsulated in context-level
274   tokens.  Therefore, callers of the GSS-API do not need to be aware of
275
276
277
278Zhu, et al.             Expires January 15, 2009                [Page 5]
279
280Internet-Draft                   NEGOEX                        July 2008
281
282
283   the existence of the negotiation tokens but only of the SPENGO
284   pseudo-security mechanism.
285
286   In its basic form NegoEx requires at least one extra round-trip.
287   Network connection setup is a critical performance characteristic of
288   any network infrastructure and extra round trips over WAN links,
289   packet radio networks, etc. really make a difference.  In order to
290   avoid such an extra round trip the initial security token of the
291   preferred mechanism for the initiator may be embedded in the initial
292   NegoEx token.  The optimistic mechanism token may be accompanied by
293   the meta-data tokens and the optimistic mechanism token MUST be that
294   of the first mechanism in the list of the mechanisms proposed by the
295   initiator.  The NegoEx message that contains signatures for
296   protecting the NegoEx negotiation can also be included along with the
297   mechanism token.  If the target preferred mechanism matches the
298   initiator's preferred mechanism, and when the NegoEx negotiation
299   protection messages are included along with the mechanism token, no
300   additional round trips are incurred by using the NegoEx protocol with
301   SPNEGO.
302
303   NegoEx does not update the ASN.1 structures of SPNEGO in that a large
304   deployment of SPNEGO does not have the ASN.1 extensibility marker in
305   the message definition.  There is no change to the SPNEGO messages.
306
307   NegoEx does not use ASN.1 encoding and it uses simple C structures
308   encoded in little endian for all its messages.
309
310   The rest of the document is organized as follows: Section 3 defines
311   the encoding of NegoEx data structures and all the primitive data
312   types.  Section 4 describes the cryptographic framework required by
313   the NegoEx for protecting the NegoEx negotiation.  Section 5 defines
314   the NegoEx messages and the NegoEx protocol.  Section 6 defines the
315   new GSS-API extensions that a security mechanism MUST support in
316   order to be negotiated by NegoEx.  These then are followed by the
317   security considerations section.  Lastly Appendix A contains all the
318   protocol constructs and constants.
319
320
3212.  Requirements Terminology
322
323   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
324   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
325   document are to be interpreted as described in [RFC2119].
326
327
3283.  Presentation Language and Primitive Data Types
329
330   The following very basic and somewhat casually defined presentation
331
332
333
334Zhu, et al.             Expires January 15, 2009                [Page 6]
335
336Internet-Draft                   NEGOEX                        July 2008
337
338
339   syntax will be used in all NegoEx messages.  Although it resembles
340   the programming language "C" in its syntax, it would be risky to draw
341   too many parallels.  The purpose of this presentation language is to
342   document NegoEx only; it has no general application beyond that
343   particular goal.
344
345   This section also defines all the primitive data types.  The
346   semantics of the data types is explained in the next section.
347
3483.1.  Basic Block Size
349
350   The representation of all data items is explicitly specified.  The
351   basic data block size is one octet.  Multiple octet data items are
352   concatenations of octets, from left to right, from top to bottom
353   Unless otherwise specific a multi-octet numeric is in little endian
354   order with the least significant octet first.
355
3563.2.  Miscellaneous
357
358   Comments start with "//"' and continue until the end of the line.
359
3603.3.  Constants
361
362   Constants are denoted using "#define" followed by the symbolic name
363   and then the constant value.
364
3653.4.  Numbers
366
367   UCHAR is the data type for a one-octet number.
368
369   ULONG is the data type for a 4-octet number encoded in little enidan.
370
371   USHORT is the data type for a 2-octet number encoded in little
372   endian.
373
374   ULONG64 is the data type for a 8-octet number encoded in little
375   endian.
376
377   GUID is the data type for a 16-octet number encoded in little endian.
378
3793.5.  Enum Types
380
381   An enum type is the data type for a number with a small number of
382   permissible values.  An instance of an enum type is a 4-octet number
383   encoded in little endian.
384
385   The definition of an enum type follows the simple "C" convention.
386
387
388
389
390Zhu, et al.             Expires January 15, 2009                [Page 7]
391
392Internet-Draft                   NEGOEX                        July 2008
393
394
395   MESSAGE_TYPE is an enum type defined as follows:
396
397       enum
398       {
399           MESSAGE_TYPE_INITIATOR_NEGO = 0,
400           MESSAGE_TYPE_ACCEPTOR_NEGO,
401           MESSAGE_TYPE_INITIATOR_META_DATA,
402           MESSAGE_TYPE_ACCEPTOR_META_DATA,
403           MESSAGE_TYPE_CHALLENGE,
404               // an exchange message from the acceptor
405           MESSAGE_TYPE_AP_REQUEST,
406               // an exchange message from the initiator
407           MESSAGE_TYPE_VERIFY,
408           MESSAGE_TYPE_ALERT,
409       } MESSAGE_TYPE;
410
411   MESSAGE_TYPE_INITIATOR_NEGO has the value 0, and MESSAGE_TYPE_ALERT
412   has the value 7.
413
4143.6.  Typedef Declarations
415
416   A typedef creates a synonym for the type.  This is used to create
417   more meaningful names for existing types.
418
419   The following two type synonyms are defined.
420
421   typedef GUID AUTH_SCHEME;
422   typedef GUID CONVERSATION_ID;
423
4243.7.  Array Types
425
426   Arrays are a data structure which holds multiple variables of the
427   same data type consecutively and the number of elements is fixed.  An
428   array is declared using "C" convention.  For example, the following
429   defines an array of 32 octets.
430
431   UCHAR Random[32];
432
4333.8.  Vector Types
434
435   Vectors are a data structure which holds multiple variables of the
436   same data type consecutively and the number of elements is not fixed.
437   A vector contains a fixed length header followed by a variable length
438   payload.  The header of a vector structure contains the count of
439   elements and the offset to the payload.  In this document all the
440   offset fields start from the beginning of the containing NegoEx
441   message.  The size of each element is specified by the vector type
442   definition.
443
444
445
446Zhu, et al.             Expires January 15, 2009                [Page 8]
447
448Internet-Draft                   NEGOEX                        July 2008
449
450
451   The following vector types are defined.
452
453       struct
454       {
455           ULONG ByteArrayOffset; // each element contains an octet/byte
456           ULONG ByteArrayLength;
457       } BYTE_VECTOR;
458
459   BYTE_VECTOR encapsulates a variable length array of octets (or bytes)
460   that are stored consecutively.  Each element in is a byte (8 bits).
461
462       struct
463       {
464           ULONG AuthSchemeArrayOffset;
465                // each element contains an AUTH_SCHEME
466           USHORT AuthSchemeCount;
467       } AUTH_SCHEME_VECTOR;
468
469   AUTH_SCHEME_VECTOR encapsulates a variable length array of
470   AUTH_SCHEMEs that are stored consecutively.  Each element is a
471   structure of the type AUTH_SCHEME.
472
473       struct
474       {
475           ULONG ExtensionArrayOffset;
476               // each element contains an EXTENSION
477           USHORT ExtensionCount;
478       } EXTENSION_VECTOR;
479
480   EXTENSION_VECTOR encapsulates a variable length array of EXTENSIONs
481   that are stored consecutively.  Each element is a structure of the
482   type EXTENSION.
483
4843.9.  Constructed Types
485
486   Structure types may be constructed from primitive types for
487   convenience.  Each specification declares a new, unique type.  The
488   syntax for definition is much like that of C.
489
490         struct {
491             T1 f1;
492             T2 f2;
493             ...
494             Tn fn;
495         } T;
496
497
498   Structure definitions may be embedded.
499
500
501
502Zhu, et al.             Expires January 15, 2009                [Page 9]
503
504Internet-Draft                   NEGOEX                        July 2008
505
506
507   The following types are defined as constructed types:
508
509       struct
510       {
511           ULONG ExtensionType; // negative extensions are critical
512           BYTE_VECTOR ExtensionValue;
513       } EXTENSION;
514
515   An extension has two fields.  The ExtensionType field indicates how
516   the extension data should be interpreted.  The ExtensionValue field
517   contains the extension data.
518
519       //
520       // schemes defined for the checksum in the VERIFY message
521       //
522
523       struct
524       {
525           ULONG cbHeaderLength;
526           ULONG ChecksumScheme;
527           ULONG ChecksumType; // in the case of RFC3961 scheme, this is
528             // the RFC3961 checksum type
529           BYTE_VECTOR ChecksumValue;
530       } CHECKSUM;
531
532   The CHECKSUM structure contains 4 fields.  The cbHeaderLength length
533   contains the length of the structure defintion in octets, and this
534   field has a value of 20.
535
536   The ChecksumScheme field describes how checksum is computed and
537   verified.  Currently only one value is defined.
538
539   #define CHECKSUM_SCHEME_RFC3961 1
540
541   When the value of the ChecksumScheme field is 1
542   (CHECKSUM_SCHEME_RFC3961), the ChecksumValue field contains a
543   sequence of octets computed according to [RFC3961] and the
544   ChecksumType field contains the checksum type value defined according
545   to [RFC3961].
546
547
5484.  Cryptographic Computations
549
550   The message signing and verification in NegoEx is based on [RFC3961].
551   [RFC3961] is used here as a generic framework and this application is
552   not Kerberos specific.
553
554   A security mechanism MUST support [RFC3961] in order to be negotiated
555
556
557
558Zhu, et al.             Expires January 15, 2009               [Page 10]
559
560Internet-Draft                   NEGOEX                        July 2008
561
562
563   by NegoEx.
564
565
5665.  The NegoEx Protocol
567
568   This section describes the NegoEx protocol and it defines NegoEx
569   messages in the order that the messages can appear on the wire.  The
570   enum type MESSAGE_TYPE defined in Section 3.5 lists all NegoEx
571   message types.  A GSS-API context token for NegoEx consists of one or
572   more NegoEx messages.  If there are more than one NegoEx message,
573   these messages are concatenated together.  The smallest data unit for
574   NegoEx to compute the checksum for negotiation protection is a NegoEx
575   message.  Note that NegoEx is not a GSS-API mechanism itself and the
576   initial NegoEx context establishment token does not follow the
577   mechanism-independent token format defined in Section 3.1 of
578   [RFC2743].
579
580   A security mechanism negotiated by NegoEx is identified by a unique
581   identifier of the data type AUTH_SCHEME defined in Section 3.5.  The
582   value of the security mechanism is returned to NegoEx via the
583   GSS_Query_mechanism_info() GSS-API extension as defined in Section 6.
584
585   The object identifier of the NegoEx within SPNEGO is iso(1)
586   identified-organization(3) dod(6) internet(1) private(4)
587   enterprise(1) microsoft (311) security(2) mechanisms(2) negoex(30).
588   Note that NegoEx does not work outside of SPNEGO and it is not GSS-
589   API mechanism.
590
5915.1.  Generation of the Initiator Initial Token
592
593   The GSS-API initiator makes the first call to GSS_Init_sec_context()
594   with no input token, and the output token starts as a NEGO_MESSAGE
595   message with the MESSAGE_TYPE_INITIATOR_NEGO message type.
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614Zhu, et al.             Expires January 15, 2009               [Page 11]
615
616Internet-Draft                   NEGOEX                        July 2008
617
618
619       struct
620       {
621           ULONG64 Signature; // contains MESSAGE_SIGNATURE
622           MESSAGE_TYPE MessageType;
623           ULONG SequenceNum; // the message sequence number of this,
624                  // conversation, starting with 0 and sequentially
625                  // incremented
626           ULONG cbHeaderLength; // the header length of this message,
627              // including the message specific header, excluding the
628              // payload
629           ULONG cbMessageLength; // the length of this message
630           CONVERSATION_ID ConversationId;
631       } MESSAGE_HEADER;
632
633       struct
634       {
635           MESSAGE_HEADER Header;
636                    // MESSAGE_TYPE_INITIATOR_NEGO for the initiator,
637                    // MESSAGE_TYPE_ACCEPTOR_NEGO for the acceptor
638           UCHAR Random[32];
639           ULONG64 ProtocolVersion;
640                   // version of the protocol, this contains 0
641           AUTH_SCHEME_VECTOR AuthSchemes;
642           EXTENSION_VECTOR Extensions;
643       } NEGO_MESSAGE;
644
645   The initiator randomly generates a ConversationID and fills the
646   common header.  The ConversationID in subsequent NegoEx messages MUST
647   remain the same.  The initiator also fills the Random field using a
648   secure random number generator.  The initiator fills the AuthSchemes
649   with available security mechanisms supported by the initiator in
650   decreasing preference order.
651
652   The extensions field contains NegoEx extensions for future
653   extensibility.  There is no extension defined in this document.  All
654   negative extension types (the highest bit is set to 1) are critical.
655   If the receiver does not understand a critical extension, the
656   authentication attempt must be rejected.
657
658   The initiator can OPTIONALLY include a meta-data token, one for each
659   available security mechanism.
660
661   A meta-data token is returned to NegoEx for a security mechanism
662   using GSS_Query_meta_data() extension as defined in Section 6.  A
663   meta-data token is encapsulated in an EXCHANGE message with the
664   message type MESSAGE_TYPE_INITIATOR_META_DATA.
665
666
667
668
669
670Zhu, et al.             Expires January 15, 2009               [Page 12]
671
672Internet-Draft                   NEGOEX                        July 2008
673
674
675       struct
676       {
677           MESSAGE_HEADER Header;
678                // MESSAGE_TYPE_CHALLENGE for the acceptor,
679                // or MESSAGE_TYPE_AP_REQUEST for the initiator
680               // MESSAGE_TYPE_INITIATOR_META_DATA for
681               // the initiator metadata
682               // MESSAGE_TYPE_ACCEPTOR_META_DATA for
683               // the acceptor metadata
684           AUTH_SCHEME AuthScheme;
685           BYTE_VECTOR Exchange;
686               // contains the opaque handshake message for the
687               // authentication scheme
688       } EXCHANGE_MESSAGE;
689
690   The AuthScheme field signifies the security mechanism for which the
691   EXCHANGE message is targeted.  If a security mechanism fails to
692   produce the metadata token, it should be removed from the list of
693   supported security mechanism for this negotiation context.
694
695   If there are more than one exchange messages, the order in which the
696   exchange message is included bears no significance.  In other words,
697   the exchange messages are in an unordered set.  The NEGO_MESSAGE MAY
698   be followed by a set of MESSAGE_TYPE_INITIATOR_META_DATA messages as
699   described above, in which case all the NegoEx messages concatenated
700   are returned as a single input token.
701
702   The first mechanism in the initiator proposed list can OPTIONALLY
703   include its initial context context in an AP_REQUEST message.
704
705   Both an AP_REQUSET(short for MESSAGE_TYPE_AP_REQUEST) message and a
706   INITIATOR_META_DATA(short for MESSAGE_TYPE_INITIATOR_META_DATA)
707   message are instances of the EXCHANGE_MESSAGE structure with
708   different message type values.  An AP_REQUEST message contains the
709   type MESSAGE_TYPE_AP_REQUEST while an INITIATOR_META_DATA message
710   contains the type MESSAGE_TYPE_INITIATOR_META_DATA.
711
7125.2.  Receipt of the Initial Initiator Token and Generation of the
713      Initial Acceptor Response
714
715   Upon receipt of the NEGO_MESSAGE from the initiator, the acceptor
716   verifies the NEGO_MESSAGE to make sure it is well-formed.  The
717   acceptor then computes the list of authentication schemes that are
718   mutually supported by examining the set of security mechanisms
719   proposed by the initiator and the meta-data tokens from the
720   initiator.  The meta-data tokens are passed to the security mechanism
721   via GSS_Exchange_meta_data() as defined in Section 6.
722
723
724
725
726Zhu, et al.             Expires January 15, 2009               [Page 13]
727
728Internet-Draft                   NEGOEX                        July 2008
729
730
731   The acceptor MUST examine the NegoEx extensions in the NEGO_MESSAGE.
732   If there is an unknown critical extension, the authentication must be
733   rejected.
734
735   The acceptor's response starts as a NEGO_MESSAGE but with the
736   MESSAGE_TYPE_ACCEPTOR_NEGO.  The AuthSchemes field contains the list
737   of mutually supported security mechanism in decreasing preference
738   order of the acceptor.  The acceptor does not need to honor the
739   preference order proposed by the initiator when computing its
740   preference list.
741
742   The acceptor can OPTIONALLY include a meta-data token, one for each
743   available security mechanism.
744
745   A meta-data token is returned to NegoEx for a security mechanism
746   using GSS_Query_meta_data() extension as defined in Section 6.  A
747   meta-data token is encapsulated in an EXCHANGE message with the
748   message type MESSAGE_TYPE_ACCEPTOR_META_DATA.  For a given security
749   mechanism if a meta-token is received from the initiator,
750   GSS_Query_meta_data() MUST be invoked on the acceptor side for that
751   security mechanism, and the output meta-data token, if present, MUST
752   be included in the NegoEx reply.
753
7545.3.  Receipt of the Acceptor Initial Response and Completion of
755      Authentication after the Negotiation Phrase
756
757   Upon receipt of the initial response from the acceptor, the initial
758   verifies the NEGO_MESSAGE to make sure it is well-formed.  The
759   initiator then computes the list of authentication schemes that are
760   mutually supported by examining the set of security mechanisms
761   returned by the acceptor and the meta-data tokens from the acceptor
762   The meta-data tokens are passed to the security mechanism via
763   GSS_Exchange_meta_data() as defined in Section 6.
764
765   The initiator MUST examine the NegoEx extensions in the NEGO_MESSAGE.
766   If there is an unknown critical extension, the authentication must be
767   rejected.
768
769   After the initial exchange of NEGO_MESSAGE messages, the initiator
770   MUST choose the negotiated security mechanism.  The negotiated
771   security mechanism cannot be changed once it is selected.
772
773   The initiator and the acceptor can then proceed to exchange handshake
774   messages as determined by the negotiated security mechanism until its
775   authentication context is established.  The context tokens of the
776   negotiated security mechanism are encapsulated in an
777   EXCHANGE_MESSAGE.  If the context token is from the initiator, the
778   EXCHANGE_MESSAGE message has the message type
779
780
781
782Zhu, et al.             Expires January 15, 2009               [Page 14]
783
784Internet-Draft                   NEGOEX                        July 2008
785
786
787   MESSAGE_TYPE_AP_REQUEST; otherwise, the message type is
788   MESSAGE_TYPE_CHALLENGE.
789
7905.4.  Finalizing Negotiation
791
792   Whenever there is a shared key established returned by
793   GSS_Query_context_attr(NEGOEX_SESSION_KEYS) as defined in Section 6,,
794   a VERIFY message is produced and included in the output token.  The
795   returned protocol key is used as the base key in the parlance of
796   RFC3961 to sign all the NegoEx messages in the negotiation context.
797
798   A VERIFY message is a VERIFY_MESSAGE structure.  The AuthScheme field
799   signifies from which security mechanism the protocol key was
800   obtained.  The checksum is computed based on RFC3961 and the key
801   usage number is 23 for the message is signed by the initiator, 25
802   otherwise.  The checksum is performed over all the previous NegoEx
803   messages in the context negotiation.
804
805       struct
806       {
807           MESSAGE_HEADER Header; // MESSAGE_TYPE_VERIFY
808           AUTH_SCHEME AuthScheme;
809           CHECKSUM Checksum;
810                // contains the checksum of all the previously
811                // exchanged messages in the order they were sent.
812       } VERIFY_MESSAGE;
813
814   Note that the VERIFY_MESSAGE message can be included before the
815   security context for the negotiated security mechanism is fully
816   established.
817
8185.5.  High-level NegoEx Message Flow
819
820   The following text art summarizes the protocol message flow:
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838Zhu, et al.             Expires January 15, 2009               [Page 15]
839
840Internet-Draft                   NEGOEX                        July 2008
841
842
843  INITIATOR_NEGO
844  *INITIATOR_META_DATA
845  *AP_REQUEST
846                                    --------->
847                                                           ACCEPTOR_NEGO
848                                                    ACCEPTOR_META_DATA*+
849                                    ---------                CHALLENGE*
850
851                                        .
852                                        .
853  *AP_REQUEST
854  VERIFY                            --------->
855                                                              CHALLENGE*
856                                    --------                     VERIFY
857         * Indicates optional or situation-dependent messages that are
858           not always sent.
859         + Indicates there can be more than one instance.
860
861
8626.  Supporting GSS-API Extensions
863
864   This section defined all the required GSS-API extensions required by
865   NegoEx.
866
8676.1.  GSS_Query_meta_data
868
869   TBD.
870
8716.2.  GSS_Exchange_meta_data
872
873   TBD.
874
8756.3.  GSS_Query_mechanism_info
876
877   TBD.
878
8796.4.  GSS_Query_context_attr
880
881   TBD.
882
883
8847.  Security Considerations
885
886   TBD.
887
888
889
890
891
892
893
894Zhu, et al.             Expires January 15, 2009               [Page 16]
895
896Internet-Draft                   NEGOEX                        July 2008
897
898
8998.  Acknowledgements
900
901   TBD.
902
903
9049.  IANA Considerations
905
906   There is no action required for IANA.
907
908
90910.  Normative References
910
911   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
912              Requirement Levels", BCP 14, RFC 2119, March 1997.
913
914   [RFC2743]  Linn, J., "Generic Security Service Application Program
915              Interface Version 2, Update 1", RFC 2743, January 2000.
916
917   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
918              Kerberos 5", RFC 3961, February 2005.
919
920   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
921              Kerberos Network Authentication Service (V5)", RFC 4120,
922              July 2005.
923
924   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
925              Version 5 Generic Security Service Application Program
926              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
927              July 2005.
928
929   [RFC4178]  Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
930              Simple and Protected Generic Security Service Application
931              Program Interface (GSS-API) Negotiation Mechanism",
932              RFC 4178, October 2005.
933
934
935Appendix A.  Protocol Data Structures and Constant Values
936
937   This section complies all the protocol data structures and constant
938   values.
939
940       #define MESSAGE_SIGNATURE    0x535458454f47454ei64
941           // "NEGOEXTS"
942
943       struct
944       {
945           ULONG ByteArrayOffset; // each element contains a byte
946           ULONG ByteArrayLength;
947
948
949
950Zhu, et al.             Expires January 15, 2009               [Page 17]
951
952Internet-Draft                   NEGOEX                        July 2008
953
954
955       } BYTE_VECTOR;
956
957       struct
958       {
959           ULONG AuthSchemeArrayOffset;
960               // each element contains an AUTH_SCHEME
961           USHORT AuthSchemeCount;
962       } AUTH_SCHEME_VECTOR;
963
964       struct
965       {
966           ULONG ExtensionArrayOffset;
967               // each element contains an EXTENSION
968           USHORT ExtensionCount;
969       } EXTENSION_VECTOR;
970
971       struct
972       {
973           ULONG ExtensionType; // negative extensions are critical
974           BYTE_VECTOR ExtensionValue;
975       } EXTENSION;
976
977       //
978       // schemes defined for the checksum in the VERIFY message
979       //
980
981       #define CHECKSUM_SCHEME_RFC3961  1
982
983       struct
984       {
985           ULONG cbHeaderLength;
986           ULONG ChecksumScheme;
987           ULONG ChecksumType; // in the case of RFC3961 scheme, this is
988              // the RFC3961 checksum type
989           BYTE_VECTOR ChecksumValue;
990       } CHECKSUM;
991
992       typedef GUID AUTH_SCHEME;
993       typedef GUID CONVERSATION_ID;
994
995       enum
996       {
997           MESSAGE_TYPE_INITIATOR_NEGO = 0,
998           MESSAGE_TYPE_ACCEPTOR_NEGO,
999           MESSAGE_TYPE_INITIATOR_META_DATA,
1000           MESSAGE_TYPE_ACCEPTOR_META_DATA,
1001           MESSAGE_TYPE_CHALLENGE,
1002               // an exchange message from the acceptor
1003
1004
1005
1006Zhu, et al.             Expires January 15, 2009               [Page 18]
1007
1008Internet-Draft                   NEGOEX                        July 2008
1009
1010
1011           MESSAGE_TYPE_AP_REQUEST,
1012               // an exchange message from the initiator
1013           MESSAGE_TYPE_VERIFY,
1014           MESSAGE_TYPE_ALERT,
1015       } MESSAGE_TYPE;
1016
1017       struct
1018       {
1019           ULONG64 Signature; // contains MESSAGE_SIGNATURE
1020           MESSAGE_TYPE MessageType;
1021           ULONG SequenceNum; // the message sequence number of this,
1022                  // conversation, starting with 0 and sequentially
1023                  // incremented
1024           ULONG cbHeaderLength; // the header length of this message,
1025              // including the message specific header, excluding the
1026              // payload
1027           ULONG cbMessageLength; // the length of this message
1028           CONVERSATION_ID ConversationId;
1029       } MESSAGE_HEADER;
1030
1031       struct
1032       {
1033           MESSAGE_HEADER Header;
1034                    // MESSAGE_TYPE_INITIATOR_NEGO for the initiator,
1035                    // MESSAGE_TYPE_ACCEPTOR_NEGO for the acceptor
1036           UCHAR Random[32];
1037           ULONG64 ProtocolVersion;
1038                   // version of the protocol, this contains 0
1039           AUTH_SCHEME_VECTOR AuthSchemes;
1040           EXTENSION_VECTOR Extensions;
1041       } NEGO_MESSAGE;
1042
1043       struct
1044       {
1045           MESSAGE_HEADER Header;
1046                // MESSAGE_TYPE_CHALLENGE for the acceptor,
1047                // or MESSAGE_TYPE_AP_REQUEST for the initiator
1048               // MESSAGE_TYPE_INITiATOR_META_DATA for
1049               // the initiator metadata
1050               // MESSAGE_TYPE_ACCEPTOR_META_DATA for
1051               // the acceptor metadata
1052           AUTH_SCHEME AuthScheme;
1053           BYTE_VECTOR Exchange;
1054               // contains the opaque handshake message for the
1055               // authentication scheme
1056       } EXCHANGE_MESSAGE;
1057
1058       struct
1059
1060
1061
1062Zhu, et al.             Expires January 15, 2009               [Page 19]
1063
1064Internet-Draft                   NEGOEX                        July 2008
1065
1066
1067       {
1068           MESSAGE_HEADER Header; // MESSAGE_TYPE_VERIFY
1069           AUTH_SCHEME AuthScheme;
1070           CHECKSUM Checksum;
1071                // contains the checksum of all the previously
1072                // exchanged messages in the order they were sent.
1073       } VERIFY_MESSAGE;
1074
1075       struct
1076       {
1077           ULONG AlertType;
1078           BYTE_VECTOR AlertValue;
1079       } ALERT;
1080
1081       //
1082       // alert types
1083       //
1084
1085       #define ALERT_TYPE_PULSE             1
1086
1087       //
1088       // reason codes for the heartbeat message
1089       //
1090
1091       #define ALERT_VERIFY_NO_KEY          1
1092
1093       struct
1094       {
1095           ULONG cbHeaderLength;
1096           ULONG Reason;
1097       } ALERT_PULSE;
1098
1099       struct
1100       {
1101           ULONG AlertArrayOffset; // the element is an ALERT
1102           USHORT AlertCount; // contains the number of alerts
1103       } ALERT_VECTOR;
1104
1105       struct
1106       {
1107           MESSAGE_HEADER Header;
1108           AUTH_SCHEME AuthScheme;
1109           ULONG ErrorCode; // an NTSTATUS code
1110           ALERT_VECTOR Alerts;
1111       } ALERT_MESSAGE;
1112
1113
1114
1115
1116
1117
1118Zhu, et al.             Expires January 15, 2009               [Page 20]
1119
1120Internet-Draft                   NEGOEX                        July 2008
1121
1122
1123Authors' Addresses
1124
1125   Larry Zhu
1126   Microsoft Corporation
1127   One Microsoft Way
1128   Redmond, WA  98052
1129   US
1130
1131   Email: lzhu@microsoft.com
1132
1133
1134   Kevin Damour
1135   Microsoft Corporation
1136   One Microsoft Way
1137   Redmond, WA  98052
1138   US
1139
1140   Email: kdamour@microsoft.com
1141
1142
1143   Dave McPherson
1144   Microsoft Corporation
1145   One Microsoft Way
1146   Redmond, WA  98052
1147   US
1148
1149   Email: davemm@microsoft.com
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174Zhu, et al.             Expires January 15, 2009               [Page 21]
1175
1176Internet-Draft                   NEGOEX                        July 2008
1177
1178
1179Full Copyright Statement
1180
1181   Copyright (C) The IETF Trust (2008).
1182
1183   This document is subject to the rights, licenses and restrictions
1184   contained in BCP 78, and except as set forth therein, the authors
1185   retain all their rights.
1186
1187   This document and the information contained herein are provided on an
1188   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1189   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1190   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1191   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1192   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1193   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1194
1195
1196Intellectual Property
1197
1198   The IETF takes no position regarding the validity or scope of any
1199   Intellectual Property Rights or other rights that might be claimed to
1200   pertain to the implementation or use of the technology described in
1201   this document or the extent to which any license under such rights
1202   might or might not be available; nor does it represent that it has
1203   made any independent effort to identify any such rights.  Information
1204   on the procedures with respect to rights in RFC documents can be
1205   found in BCP 78 and BCP 79.
1206
1207   Copies of IPR disclosures made to the IETF Secretariat and any
1208   assurances of licenses to be made available, or the result of an
1209   attempt made to obtain a general license or permission for the use of
1210   such proprietary rights by implementers or users of this
1211   specification can be obtained from the IETF on-line IPR repository at
1212   http://www.ietf.org/ipr.
1213
1214   The IETF invites any interested party to bring to its attention any
1215   copyrights, patents or patent applications, or other proprietary
1216   rights that may cover technology that may be required to implement
1217   this standard.  Please address the information to the IETF at
1218   ietf-ipr@ietf.org.
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230Zhu, et al.             Expires January 15, 2009               [Page 22]
1231
1232
1233