1
2
3
4
5
6
7Internet Engineering Task Force (IETF)                            L. Zhu
8Request for Comments: 6112                                      P. Leach
9Updates: 4120, 4121, 4556                          Microsoft Corporation
10Category: Standards Track                                     S. Hartman
11ISSN: 2070-1721                                        Painless Security
12                                                              April 2011
13
14
15                     Anonymity Support for Kerberos
16
17Abstract
18
19   This document defines extensions to the Kerberos protocol to allow a
20   Kerberos client to securely communicate with a Kerberos application
21   service without revealing its identity, or without revealing more
22   than its Kerberos realm.  It also defines extensions that allow a
23   Kerberos client to obtain anonymous credentials without revealing its
24   identity to the Kerberos Key Distribution Center (KDC).  This
25   document updates RFCs 4120, 4121, and 4556.
26
27Status of This Memo
28
29   This is an Internet Standards Track document.
30
31   This document is a product of the Internet Engineering Task Force
32   (IETF).  It represents the consensus of the IETF community.  It has
33   received public review and has been approved for publication by the
34   Internet Engineering Steering Group (IESG).  Further information on
35   Internet Standards is available in Section 2 of RFC 5741.
36
37   Information about the current status of this document, any errata,
38   and how to provide feedback on it may be obtained at
39   http://www.rfc-editor.org/info/rfc6112.
40
41Copyright Notice
42
43   Copyright (c) 2011 IETF Trust and the persons identified as the
44   document authors.  All rights reserved.
45
46   This document is subject to BCP 78 and the IETF Trust's Legal
47   Provisions Relating to IETF Documents
48   (http://trustee.ietf.org/license-info) in effect on the date of
49   publication of this document.  Please review these documents
50   carefully, as they describe your rights and restrictions with respect
51   to this document.  Code Components extracted from this document must
52   include Simplified BSD License text as described in Section 4.e of
53   the Trust Legal Provisions and are provided without warranty as
54   described in the Simplified BSD License.
55
56
57
58Zhu, et al.                  Standards Track                    [Page 1]
59
60RFC 6112               Kerberos Anonymity Support             April 2011
61
62
63   This document may contain material from IETF Documents or IETF
64   Contributions published or made publicly available before November
65   10, 2008.  The person(s) controlling the copyright in some of this
66   material may not have granted the IETF Trust the right to allow
67   modifications of such material outside the IETF Standards Process.
68   Without obtaining an adequate license from the person(s) controlling
69   the copyright in such materials, this document may not be modified
70   outside the IETF Standards Process, and derivative works of it may
71   not be created outside the IETF Standards Process, except to format
72   it for publication as an RFC or to translate it into languages other
73   than English.
74
75Table of Contents
76
77   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
78   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
79   3.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
80   4.  Protocol Description . . . . . . . . . . . . . . . . . . . . .  5
81     4.1.  Anonymity Support in AS Exchange . . . . . . . . . . . . .  5
82       4.1.1.  Anonymous PKINIT . . . . . . . . . . . . . . . . . . .  6
83     4.2.  Anonymity Support in TGS Exchange  . . . . . . . . . . . .  7
84     4.3.  Subsequent Exchanges and Protocol Actions Common to AS
85           and TGS for Anonymity Support  . . . . . . . . . . . . . .  9
86   5.  Interoperability Requirements  . . . . . . . . . . . . . . . . 10
87   6.  GSS-API Implementation Notes . . . . . . . . . . . . . . . . . 10
88   7.  PKINIT Client Contribution to the Ticket Session Key . . . . . 11
89     7.1.  Combining Two Protocol Keys  . . . . . . . . . . . . . . . 12
90   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
91   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
92   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
93   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
94     11.1. Normative References . . . . . . . . . . . . . . . . . . . 15
95     11.2. Informative References . . . . . . . . . . . . . . . . . . 16
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114Zhu, et al.                  Standards Track                    [Page 2]
115
116RFC 6112               Kerberos Anonymity Support             April 2011
117
118
1191.  Introduction
120
121   In certain situations, the Kerberos [RFC4120] client may wish to
122   authenticate a server and/or protect communications without revealing
123   the client's own identity.  For example, consider an application that
124   provides read access to a research database and that permits queries
125   by arbitrary requesters.  A client of such a service might wish to
126   authenticate the service, to establish trust in the information
127   received from it, but might not wish to disclose the client's
128   identity to the service for privacy reasons.
129
130   Extensions to Kerberos are specified in this document by which a
131   client can authenticate the Key Distribution Center (KDC) and request
132   an anonymous ticket.  The client can use the anonymous ticket to
133   authenticate the server and protect subsequent client-server
134   communications.
135
136   By using the extensions defined in this specification, the client can
137   request an anonymous ticket where the client may reveal the client's
138   identity to the client's own KDC, or the client can hide the client's
139   identity completely by using anonymous Public Key Cryptography for
140   Initial Authentication in Kerberos (PKINIT) as defined in
141   Section 4.1.  Using the returned anonymous ticket, the client remains
142   anonymous in subsequent Kerberos exchanges thereafter to KDCs on the
143   cross-realm authentication path and to the server with which it
144   communicates.
145
146   In this specification, the client realm in the anonymous ticket is
147   the anonymous realm name when anonymous PKINIT is used to obtain the
148   ticket.  The client realm is the client's real realm name if the
149   client is authenticated using the client's long-term keys.  Note that
150   the membership of a realm can imply a member of the community
151   represented by the realm.
152
153   The interaction with Generic Security Service Application Program
154   Interface (GSS-API) is described after the protocol description.
155
1562.  Conventions Used in This Document
157
158   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
159   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
160   document are to be interpreted as described in [RFC2119].
161
1623.  Definitions
163
164   The anonymous Kerberos realm name is defined as a well-known realm
165   name based on [RFC6111], and the value of this well-known realm name
166   is the literal "WELLKNOWN:ANONYMOUS".
167
168
169
170Zhu, et al.                  Standards Track                    [Page 3]
171
172RFC 6112               Kerberos Anonymity Support             April 2011
173
174
175   The anonymous Kerberos principal name is defined as a well-known
176   Kerberos principal name based on [RFC6111].  The value of the name-
177   type field is KRB_NT_WELLKNOWN [RFC6111], and the value of the name-
178   string field is a sequence of two KerberosString components:
179   "WELLKNOWN", "ANONYMOUS".
180
181   The anonymous ticket flag is defined as bit 16 (with the first bit
182   being bit 0) in the TicketFlags:
183
184           TicketFlags     ::= KerberosFlags
185             -- anonymous(16)
186             -- TicketFlags and KerberosFlags are defined in [RFC4120]
187
188   This is a new ticket flag that is used to indicate that a ticket is
189   an anonymous one.
190
191   An anonymous ticket is a ticket that has all of the following
192   properties:
193
194   o  The cname field contains the anonymous Kerberos principal name.
195
196   o  The crealm field contains the client's realm name or the anonymous
197      realm name.
198
199   o  The anonymous ticket contains no information that can reveal the
200      client's identity.  However, the ticket may contain the client
201      realm, intermediate realms on the client's authentication path,
202      and authorization data that may provide information related to the
203      client's identity.  For example, an anonymous principal that is
204      identifiable only within a particular group of users can be
205      implemented using authorization data and such authorization data,
206      if included in the anonymous ticket, would disclose the client's
207      membership of that group.
208
209   o  The anonymous ticket flag is set.
210
211   The anonymous KDC option is defined as bit 16 (with the first bit
212   being bit 0) in the KDCOptions:
213
214           KDCOptions      ::= KerberosFlags
215             -- anonymous(16)
216             -- KDCOptions and KerberosFlags are defined in [RFC4120]
217
218
219
220
221
222
223
224
225
226Zhu, et al.                  Standards Track                    [Page 4]
227
228RFC 6112               Kerberos Anonymity Support             April 2011
229
230
231   As described in Section 4, the anonymous KDC option is set to request
232   an anonymous ticket in an Authentication Service (AS) request or a
233   Ticket Granting Service (TGS) request.
234
2354.  Protocol Description
236
237   In order to request an anonymous ticket, the client sets the
238   anonymous KDC option in an AS request or a TGS request.
239
240   The rest of this section is organized as follows: it first describes
241   protocol actions specific to AS exchanges, then it describes those of
242   TGS exchanges.  These are then followed by the description of
243   protocol actions common to both AS and TGS and those in subsequent
244   exchanges.
245
2464.1.  Anonymity Support in AS Exchange
247
248   The client requests an anonymous ticket by setting the anonymous KDC
249   option in an AS exchange.
250
251   The Kerberos client can use the client's long-term keys, the client's
252   X.509 certificates [RFC4556], or any other pre-authentication data,
253   to authenticate to the KDC and requests an anonymous ticket in an AS
254   exchange where the client's identity is known to the KDC.
255
256   If the client in the AS request is anonymous, the anonymous KDC
257   option MUST be set in the request.  Otherwise, the KDC MUST return a
258   KRB-ERROR message with the code KDC_ERR_BADOPTION.
259
260   If the client is anonymous and the KDC does not have a key to encrypt
261   the reply (this can happen when, for example, the KDC does not
262   support PKINIT [RFC4556]), the KDC MUST return an error message with
263   the code KDC_ERR_NULL_KEY [RFC4120].
264
265   When policy allows, the KDC issues an anonymous ticket.  If the
266   client name in the request is the anonymous principal, the client
267   realm (crealm) in the reply is the anonymous realm, otherwise, the
268   client realm is the realm of the AS.  According to [RFC4120], the
269   client name and the client realm in the EncTicketPart of the reply
270   MUST match with the corresponding client name and the client realm of
271   the KDC reply; the client MUST use the client name and the client
272   realm returned in the KDC-REP in subsequent message exchanges when
273   using the obtained anonymous ticket.
274
275   Care MUST be taken by the KDC not to reveal the client's identity in
276   the authorization data of the returned ticket when populating the
277   authorization data in a returned anonymous ticket.
278
279
280
281
282Zhu, et al.                  Standards Track                    [Page 5]
283
284RFC 6112               Kerberos Anonymity Support             April 2011
285
286
287   The AD-INITIAL-VERIFIED-CAS authorization data, as defined in
288   [RFC4556], contains the issuer name of the client certificate.  This
289   authorization is not applicable and MUST NOT be present in the
290   returned anonymous ticket when anonymous PKINIT is used.  When the
291   client is authenticated (i.e., anonymous PKINIT is not used), if it
292   is undesirable to disclose such information about the client's
293   identity, the AD-INITIAL-VERIFIED-CAS authorization data SHOULD be
294   removed from the returned anonymous ticket.
295
296   The client can use the client keys to mutually authenticate with the
297   KDC and request an anonymous Ticket Granting Ticket (TGT) in the AS
298   request.  In that case, the reply key is selected as normal,
299   according to Section 3.1.3 of [RFC4120].
300
3014.1.1.  Anonymous PKINIT
302
303   This sub-section defines anonymous PKINIT.
304
305   As described earlier in this section, the client can request an
306   anonymous ticket by authenticating to the KDC using the client's
307   identity; alternatively, without revealing the client's identity to
308   the KDC, the Kerberos client can request an anonymous ticket as
309   follows: the client sets the client name as the anonymous principal
310   in the AS exchange and provides PA_PK_AS_REQ pre-authentication data
311   [RFC4556] where the signerInfos field of the SignedData [RFC5652] of
312   the PA_PK_AS_REQ is empty, and the certificates field is absent.
313   Because the anonymous client does not have an associated asymmetric
314   key pair, the client MUST choose the Diffie-Hellman key agreement
315   method by filling in the Diffie-Hellman domain parameters in the
316   clientPublicValue [RFC4556].  This use of the anonymous client name
317   in conjunction with PKINIT is referred to as anonymous PKINIT.  If
318   anonymous PKINIT is used, the realm name in the returned anonymous
319   ticket MUST be the anonymous realm.
320
321   Upon receiving the anonymous PKINIT request from the client, the KDC
322   processes the request, according to Section 3.1.2 of [RFC4120].  The
323   KDC skips the checks for the client's signature and the client's
324   public key (such as the verification of the binding between the
325   client's public key and the client name), but performs otherwise
326   applicable checks, and proceeds as normal, according to [RFC4556].
327   For example, the AS MUST check if the client's Diffie-Hellman domain
328   parameters are acceptable.  The Diffie-Hellman key agreement method
329   MUST be used and the reply key is derived according to Section
330   3.2.3.1 of [RFC4556].  If the clientPublicValue is not present in the
331   request, the KDC MUST return a KRB-ERROR with the code
332   KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED [RFC4556].  If all goes
333   well, an anonymous ticket is generated, according to Section 3.1.3 of
334   [RFC4120], and PA_PK_AS_REP [RFC4556] pre-authentication data is
335
336
337
338Zhu, et al.                  Standards Track                    [Page 6]
339
340RFC 6112               Kerberos Anonymity Support             April 2011
341
342
343   included in the KDC reply, according to [RFC4556].  If the KDC does
344   not have an asymmetric key pair, it MAY reply anonymously or reject
345   the authentication attempt.  If the KDC replies anonymously, the
346   signerInfos field of the SignedData [RFC5652] of PA_PK_AS_REP in the
347   reply is empty, and the certificates field is absent.  The server
348   name in the anonymous KDC reply contains the name of the TGS.
349
350   Upon receipt of the KDC reply that contains an anonymous ticket and
351   PA_PK_AS_REP [RFC4556] pre-authentication data, the client can then
352   authenticate the KDC based on the KDC's signature in the
353   PA_PK_AS_REP.  If the KDC's signature is missing in the KDC reply
354   (the reply is anonymous), the client MUST reject the returned ticket
355   if it cannot authenticate the KDC otherwise.
356
357   A KDC that supports anonymous PKINIT MUST indicate the support of
358   PKINIT, according to Section 3.4 of [RFC4556].  In addition, such a
359   KDC MUST indicate support for anonymous PKINIT by including a padata
360   element of padata-type PA_PKINIT_KX and empty padata-value when
361   including PA-PK-AS-REQ in an error reply.
362
363   When included in a KDC error, PA_PKINIT_KX indicates support for
364   anonymous PKINIT.  As discussed in Section 7, when included in an AS-
365   REP, PA_PKINIT_KX proves that the KDC and client both contributed to
366   the session key for any use of Diffie-Hellman key agreement with
367   PKINIT.
368
369   Note that in order to obtain an anonymous ticket with the anonymous
370   realm name, the client MUST set the client name as the anonymous
371   principal in the request when requesting an anonymous ticket in an AS
372   exchange.  Anonymity PKINIT is the only way via which an anonymous
373   ticket with the anonymous realm as the client realm can be generated
374   in this specification.
375
3764.2.  Anonymity Support in TGS Exchange
377
378   The client requests an anonymous ticket by setting the anonymous KDC
379   option in a TGS exchange, and in that request the client can use a
380   normal Ticket Granting Ticket (TGT) with the client's identity, or an
381   anonymous TGT, or an anonymous cross-realm TGT.  If the client uses a
382   normal TGT, the client's identity is known to the TGS.
383
384   Note that the client can completely hide the client's identity in an
385   AS exchange using anonymous PKINIT, as described in the previous
386   section.
387
388
389
390
391
392
393
394Zhu, et al.                  Standards Track                    [Page 7]
395
396RFC 6112               Kerberos Anonymity Support             April 2011
397
398
399   If the ticket in the PA-TGS-REQ of the TGS request is an anonymous
400   one, the anonymous KDC option MUST be set in the request.  Otherwise,
401   the KDC MUST return a KRB-ERROR message with the code
402   KDC_ERR_BADOPTION.
403
404   When policy allows, the KDC issues an anonymous ticket.  If the
405   ticket in the TGS request is an anonymous one, the client name and
406   the client realm are copied from that ticket; otherwise, the ticket
407   in the TGS request is a normal ticket, the returned anonymous ticket
408   contains the client name as the anonymous principal and the client
409   realm as the true realm of the client.  In all cases, according to
410   [RFC4120] the client name and the client realm in the EncTicketPart
411   of the reply MUST match with the corresponding client name and the
412   client realm of the anonymous ticket in the reply; the client MUST
413   use the client name and the client realm returned in the KDC-REP in
414   subsequent message exchanges when using the obtained anonymous
415   ticket.
416
417   Care MUST be taken by the TGS not to reveal the client's identity in
418   the authorization data of the returned ticket.  When propagating
419   authorization data in the ticket or in the enc-authorization-data
420   field of the request, the TGS MUST ensure that the client
421   confidentiality is not violated in the returned anonymous ticket.
422   The TGS MUST process the authorization data recursively, according to
423   Section 5.2.6 of [RFC4120], beyond the container levels such that all
424   embedded authorization elements are interpreted.  The TGS SHOULD NOT
425   populate identity-based authorization data into an anonymous ticket
426   in that such authorization data typically reveals the client's
427   identity.  The specification of a new authorization data type MUST
428   specify the processing rules of the authorization data when an
429   anonymous ticket is returned.  If there is no processing rule defined
430   for an authorization data element or the authorization data element
431   is unknown, the TGS MUST process it when an anonymous ticket is
432   returned as follows:
433
434   o  If the authorization data element may reveal the client's
435      identity, it MUST be removed unless otherwise specified.
436
437   o  If the authorization data element, that could reveal the client's
438      identity, is intended to restrict the use of the ticket or limit
439      the rights otherwise conveyed in the ticket, it cannot be removed
440      in order to hide the client's identity.  In this case, the
441      authentication attempt MUST be rejected, and the TGS MUST return
442      an error message with the code KDC_ERR_POLICY.  Note this is
443      applicable to both critical and optional authorization data.
444
445
446
447
448
449
450Zhu, et al.                  Standards Track                    [Page 8]
451
452RFC 6112               Kerberos Anonymity Support             April 2011
453
454
455   o  If the authorization data element is unknown, the TGS MAY remove
456      it, or transfer it into the returned anonymous ticket, or reject
457      the authentication attempt, based on local policy for that
458      authorization data type unless otherwise specified.  If there is
459      no policy defined for a given unknown authorization data type, the
460      authentication MUST be rejected.  The error code is KDC_ERR_POLICY
461      when the authentication is rejected.
462
463   The AD-INITIAL-VERIFIED-CAS authorization data, as defined in
464   [RFC4556], contains the issuer name of the client certificate.  If it
465   is undesirable to disclose such information about the client's
466   identity, the AD-INITIAL-VERIFIED-CAS authorization data SHOULD be
467   removed from an anonymous ticket.
468
469   The TGS encodes the name of the previous realm into the transited
470   field, according to Section 3.3.3.2 of [RFC4120].  Based on local
471   policy, the TGS MAY omit the previous realm, if the cross realm TGT
472   is an anonymous one, in order to hide the authentication path of the
473   client.  The unordered set of realms in the transited field, if
474   present, can reveal which realm may potentially be the realm of the
475   client or the realm that issued the anonymous TGT.  The anonymous
476   Kerberos realm name MUST NOT be present in the transited field of a
477   ticket.  The true name of the realm that issued the anonymous ticket
478   MAY be present in the transited field of a ticket.
479
4804.3.  Subsequent Exchanges and Protocol Actions Common to AS and TGS for
481      Anonymity Support
482
483   In both AS and TGS exchanges, the realm field in the KDC request is
484   always the realm of the target KDC, not the anonymous realm when the
485   client requests an anonymous ticket.
486
487   Absent other information, the KDC MUST NOT include any identifier in
488   the returned anonymous ticket that could reveal the client's identity
489   to the server.
490
491   Unless anonymous PKINIT is used, if a client requires anonymous
492   communication, then the client MUST check to make sure that the
493   ticket in the reply is actually anonymous by checking the presence of
494   the anonymous ticket flag in the flags field of the EncKDCRepPart.
495   This is because KDCs ignore unknown KDC options.  A KDC that does not
496   understand the anonymous KDC option will not return an error, but
497   will instead return a normal ticket.
498
499   The subsequent client and server communications then proceed as
500   described in [RFC4120].
501
502
503
504
505
506Zhu, et al.                  Standards Track                    [Page 9]
507
508RFC 6112               Kerberos Anonymity Support             April 2011
509
510
511   Note that the anonymous principal name and realm are only applicable
512   to the client in Kerberos messages, the server cannot be anonymous in
513   any Kerberos message per this specification.
514
515   A server accepting an anonymous service ticket may assume that
516   subsequent requests using the same ticket originate from the same
517   client.  Requests with different tickets are likely to originate from
518   different clients.
519
520   Upon receipt of an anonymous ticket, the transited policy check is
521   performed in the same way as that of a normal ticket if the client's
522   realm is not the anonymous realm; if the client realm is the
523   anonymous realm, absent other information any realm in the
524   authentication path is allowed by the cross-realm policy check.
525
5265.  Interoperability Requirements
527
528   Conforming implementations MUST support the anonymous principal with
529   a non-anonymous realm, and they MAY support the anonymous principal
530   with the anonymous realm using anonymous PKINIT.
531
5326.  GSS-API Implementation Notes
533
534   GSS-API defines the name_type GSS_C_NT_ANONYMOUS [RFC2743] to
535   represent the anonymous identity.  In addition, Section 2.1.1 of
536   [RFC1964] defines the single string representation of a Kerberos
537   principal name with the name_type GSS_KRB5_NT_PRINCIPAL_NAME.  The
538   anonymous principal with the anonymous realm corresponds to the GSS-
539   API anonymous principal.  A principal with the anonymous principal
540   name and a non-anonymous realm is an authenticated principal; hence,
541   such a principal does not correspond to the anonymous principal in
542   GSS-API with the GSS_C_NT_ANONYMOUS name type.  The [RFC1964] name
543   syntax for GSS_KRB5_NT_PRINCIPAL_NAME MUST be used for importing the
544   anonymous principal name with a non-anonymous realm name and for
545   displaying and exporting these names.  In addition, this syntax must
546   be used along with the name type GSS_C_NT_ANONYMOUS for displaying
547   and exporting the anonymous principal with the anonymous realm.
548
549   At the GSS-API [RFC2743] level, an initiator/client requests the use
550   of an anonymous principal with the anonymous realm by asserting the
551   "anonymous" flag when calling GSS_Init_Sec_Context().  The GSS-API
552   implementation MAY provide implementation-specific means for
553   requesting the use of an anonymous principal with a non-anonymous
554   realm.
555
556   GSS-API does not know or define "anonymous credentials", so the
557   (printable) name of the anonymous principal will rarely be used by or
558   relevant for the initiator/client.  The printable name is relevant
559
560
561
562Zhu, et al.                  Standards Track                   [Page 10]
563
564RFC 6112               Kerberos Anonymity Support             April 2011
565
566
567   for the acceptor/server when performing an authorization decision
568   based on the initiator name that is returned from the acceptor side
569   upon the successful security context establishment.
570
571   A GSS-API initiator MUST carefully check the resulting context
572   attributes from the initial call to GSS_Init_Sec_Context() when
573   requesting anonymity, because (as in the GSS-API tradition and for
574   backwards compatibility) anonymity is just another optional context
575   attribute.  It could be that the mechanism doesn't recognize the
576   attribute at all or that anonymity is not available for some other
577   reasons -- and in that case the initiator MUST NOT send the initial
578   security context token to the acceptor, because it will likely reveal
579   the initiators identity to the acceptor, something that can rarely be
580   "un-done".
581
582   Portable initiators are RECOMMENDED to use default credentials
583   whenever possible, and request anonymity only through the input
584   anon_req_flag [RFC2743] to GSS_Init_Sec_Context().
585
5867.  PKINIT Client Contribution to the Ticket Session Key
587
588   The definition in this section was motivated by protocol analysis of
589   anonymous PKINIT (defined in this document) in building tunneling
590   channels [RFC6113] and subsequent channel bindings.  In order to
591   enable applications of anonymous PKINIT to form channels, all
592   implementations of anonymous PKINIT need to meet the requirements of
593   this section.  There is otherwise no connection to the rest of this
594   document.
595
596   PKINIT is useful for constructing tunneling channels.  To ensure that
597   an attacker cannot create a channel with a given name, it is
598   desirable that neither the KDC nor the client unilaterally determine
599   the ticket session key.  To achieve that end, a KDC conforming to
600   this definition MUST encrypt a randomly generated key, called the KDC
601   contribution key, in the PA_PKINIT_KX padata (defined next in this
602   section).  The KDC contribution key is then combined with the reply
603   key to form the ticket session key of the returned ticket.  These two
604   keys are then combined using the KRB-FX-CF2 operation defined in
605   Section 7.1, where K1 is the KDC contribution key, K2 is the reply
606   key, the input pepper1 is American Standard Code for Information
607   Interchange (ASCII) [ASAX34] string "PKINIT", and the input pepper2
608   is ASCII string "KeyExchange".
609
610
611
612
613
614
615
616
617
618Zhu, et al.                  Standards Track                   [Page 11]
619
620RFC 6112               Kerberos Anonymity Support             April 2011
621
622
623   PA_PKINIT_KX      147
624     -- padata for PKINIT that contains an encrypted
625     -- KDC contribution key.
626
627   PA-PKINIT-KX  ::= EncryptedData -- EncryptionKey
628     -- Contains an encrypted key randomly
629     -- generated by the KDC (known as the KDC contribution key).
630     -- Both EncryptedData and EncryptionKey are defined in [RFC4120]
631
632   The PA_PKINIT_KX padata MUST be included in the KDC reply when
633   anonymous PKINIT is used; it SHOULD be included if PKINIT is used
634   with the Diffie-Hellman key exchange but the client is not anonymous;
635   it MUST NOT be included otherwise (e.g., when PKINIT is used with the
636   public key encryption as the key exchange).
637
638   The padata-value field of the PA-PKINIT-KX type padata contains the
639   DER [X.680] [X.690] encoding of the Abstract Syntax Notation One
640   (ASN.1) type PA-PKINIT-KX.  The PA-PKINIT-KX structure is an
641   EncryptedData.  The cleartext data being encrypted is the DER-encoded
642   KDC contribution key randomly generated by the KDC.  The encryption
643   key is the reply key and the key usage number is
644   KEY_USAGE_PA_PKINIT_KX (44).
645
646   The client then decrypts the KDC contribution key and verifies the
647   ticket session key in the returned ticket is the combined key of the
648   KDC contribution key and the reply key as described above.  A
649   conforming client MUST reject anonymous PKINIT authentication if the
650   PA_PKINIT_KX padata is not present in the KDC reply or if the ticket
651   session key of the returned ticket is not the combined key of the KDC
652   contribution key and the reply key when PA-PKINIT-KX is present in
653   the KDC reply.
654
6557.1.  Combining Two Protocol Keys
656
657   KRB-FX-CF2() combines two protocol keys based on the pseudo-random()
658   function defined in [RFC3961].
659
660   Given two input keys, K1 and K2, where K1 and K2 can be of two
661   different enctypes, the output key of KRB-FX-CF2(), K3, is derived as
662   follows:
663
664    KRB-FX-CF2(protocol key, protocol key, octet string,
665              octet string)  ->  (protocol key)
666
667    PRF+(K1, pepper1) -> octet-string-1
668    PRF+(K2, pepper2) -> octet-string-2
669    KRB-FX-CF2(K1, K2, pepper1, pepper2) ->
670           random-to-key(octet-string-1 ^ octet-string-2)
671
672
673
674Zhu, et al.                  Standards Track                   [Page 12]
675
676RFC 6112               Kerberos Anonymity Support             April 2011
677
678
679   Where ^ denotes the exclusive-OR operation.  PRF+() is defined as
680   follows:
681
682   PRF+(protocol key, octet string) -> (octet string)
683
684   PRF+(key, shared-info) -> pseudo-random( key,  1 || shared-info ) ||
685                pseudo-random( key, 2 || shared-info ) ||
686                pseudo-random( key, 3 || shared-info ) || ...
687
688   Here the counter value 1, 2, 3, and so on are encoded as a one-octet
689   integer.  The pseudo-random() operation is specified by the enctype
690   of the protocol key.  PRF+() uses the counter to generate enough bits
691   as needed by the random-to-key() [RFC3961] function for the
692   encryption type specified for the resulting key; unneeded bits are
693   removed from the tail.
694
6958.  Security Considerations
696
697   Since KDCs ignore unknown options, a client requiring anonymous
698   communication needs to make sure that the returned ticket is actually
699   anonymous.  This is because a KDC that does not understand the
700   anonymous option would not return an anonymous ticket.
701
702   By using the mechanism defined in this specification, the client does
703   not reveal the client's identity to the server but the client
704   identity may be revealed to the KDC of the server principal (when the
705   server principal is in a different realm than that of the client),
706   and any KDC on the cross-realm authentication path.  The Kerberos
707   client MUST verify the ticket being used is indeed anonymous before
708   communicating with the server, otherwise, the client's identity may
709   be revealed unintentionally.
710
711   In cases where specific server principals must not have access to the
712   client's identity (for example, an anonymous poll service), the KDC
713   can define server-principal-specific policy that ensures any normal
714   service ticket can NEVER be issued to any of these server principals.
715
716   If the KDC that issued an anonymous ticket were to maintain records
717   of the association of identities to an anonymous ticket, then someone
718   obtaining such records could breach the anonymity.  Additionally, the
719   implementations of most (for now all) KDC's respond to requests at
720   the time that they are received.  Traffic analysis on the connection
721   to the KDC will allow an attacker to match client identities to
722   anonymous tickets issued.  Because there are plaintext parts of the
723   tickets that are exposed on the wire, such matching by a third-party
724   observer is relatively straightforward.  A service that is
725   authenticated by the anonymous principals may be able to infer the
726
727
728
729
730Zhu, et al.                  Standards Track                   [Page 13]
731
732RFC 6112               Kerberos Anonymity Support             April 2011
733
734
735   identity of the client by examining and linking quasi-static protocol
736   information such as the IP address from which a request is received,
737   or by linking multiple uses of the same anonymous ticket.
738
739   Two mechanisms, the FAST facility with the hide-client-names option
740   in [RFC6113] and the Kerberos5 starttls option [STARTTLS], protect
741   the client identity so that an attacker would never be able to
742   observe the client identity sent to the KDC.  Transport or network
743   layer security between the client and the server will help prevent
744   tracking of a particular ticket to link a ticket to a user.  In
745   addition, clients can limit how often a ticket is reused to minimize
746   ticket linking.
747
748   The client's real identity is not revealed when the client is
749   authenticated as the anonymous principal.  Application servers MAY
750   reject the authentication in order to, for example, prevent
751   information disclosure or as part of Denial of Service (DoS)
752   prevention.  Application servers MUST avoid accepting anonymous
753   credentials in situations where they must record the client's
754   identity; for example, when there must be an audit trail.
755
7569.  Acknowledgements
757
758   JK Jaganathan helped editing early revisions of this document.
759
760   Clifford Neuman contributed the core notions of this document.
761
762   Ken Raeburn reviewed the document and provided suggestions for
763   improvements.
764
765   Martin Rex wrote the text for GSS-API considerations.
766
767   Nicolas Williams reviewed the GSS-API considerations section and
768   suggested ideas for improvements.
769
770   Sam Hartman and Nicolas Williams were great champions of this work.
771
772   Miguel Garcia and Phillip Hallam-Baker reviewed the document and
773   provided helpful suggestions.
774
775   In addition, the following individuals made significant
776   contributions: Jeffrey Altman, Tom Yu, Chaskiel M Grundman, Love
777   Hornquist Astrand, Jeffrey Hutzelman, and Olga Kornievskaia.
778
779
780
781
782
783
784
785
786Zhu, et al.                  Standards Track                   [Page 14]
787
788RFC 6112               Kerberos Anonymity Support             April 2011
789
790
79110.  IANA Considerations
792
793   This document defines a new 'anonymous' Kerberos well-known name and
794   a new 'anonymous' Kerberos well-known realm based on [RFC6111].  IANA
795   has added these two values to the Kerberos naming registries that are
796   created in [RFC6111].
797
79811.  References
799
80011.1.  Normative References
801
802   [ASAX34]    American Standards Institute, "American Standard Code for
803               Information Interchange", ASA X3.4-1963, June 1963.
804
805   [RFC1964]   Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
806               RFC 1964, June 1996.
807
808   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
809               Requirement Levels", BCP 14, RFC 2119, March 1997.
810
811   [RFC2743]   Linn, J., "Generic Security Service Application Program
812               Interface Version 2, Update 1", RFC 2743, January 2000.
813
814   [RFC3961]   Raeburn, K., "Encryption and Checksum Specifications for
815               Kerberos 5", RFC 3961, February 2005.
816
817   [RFC4120]   Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
818               Kerberos Network Authentication Service (V5)", RFC 4120,
819               July 2005.
820
821   [RFC4556]   Zhu, L. and B. Tung, "Public Key Cryptography for Initial
822               Authentication in Kerberos (PKINIT)", RFC 4556,
823               June 2006.
824
825   [RFC5652]   Housley, R., "Cryptographic Message Syntax (CMS)",
826               STD 70, RFC 5652, September 2009.
827
828   [RFC6111]   Zhu, L., "Additional Kerberos Naming Constraints",
829               RFC 6111, April 2011.
830
831   [X.680]     "Abstract Syntax Notation One (ASN.1): Specification of
832               Basic Notation", ITU-T Recommendation X.680: ISO/IEC
833               International Standard 8824-1:1998, 1997.
834
835   [X.690]     "ASN.1 encoding rules: Specification of Basic Encoding
836               Rules (BER), Canonical Encoding Rules (CER) and
837               Distinguished Encoding Rules (DER)", ITU-T Recommendation
838               X.690  ISO/IEC International Standard 8825-1:1998, 1997.
839
840
841
842Zhu, et al.                  Standards Track                   [Page 15]
843
844RFC 6112               Kerberos Anonymity Support             April 2011
845
846
84711.2.  Informative References
848
849   [RFC6113]   Hartman, S. and L. Zhu, "A Generalized Framework for
850               Kerberos Pre-Authentication", RFC 6113, April 2011.
851
852   [STARTTLS]  Josefsson, S., "Using Kerberos V5 over the Transport
853               Layer Security (TLS) protocol", Work in Progress,
854               August 2010.
855
856Authors' Addresses
857
858   Larry Zhu
859   Microsoft Corporation
860   One Microsoft Way
861   Redmond, WA  98052
862   US
863
864   EMail: larry.zhu@microsoft.com
865
866
867   Paul Leach
868   Microsoft Corporation
869   One Microsoft Way
870   Redmond, WA  98052
871   US
872
873   EMail: paulle@microsoft.com
874
875
876   Sam Hartman
877   Painless Security
878
879   EMail: hartmans-ietf@mit.edu
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898Zhu, et al.                  Standards Track                   [Page 16]
899
900