1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
|
NETWORK WORKING GROUP L. Zhu
Internet-Draft Microsoft Corporation
Updates: 4279 (if approved) July 9, 2007
Intended status: Standards Track
Expires: January 10, 2008
Flexible Key Agreement for Transport Layer Security (FKA-TLS)
draft-santesson-tls-gssapi-02
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 10, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document defines extensions to RFC 4279 to enable dynamic key
sharing in distributed environments. By using these extensions, the
client and the server can use off-shelf libraries to exchange tokens
and establish a shared secret, based on a Generic Security Service
Application Program Interface (GSS-API) mechanism such as Kerberos as
defined in RFC 4121, and then proceed according to RFC 4279 to
complete the authentication and provide data protection.
Zhu Expires January 10, 2008 [Page 1]
Internet-Draft FKA-TLS July 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document . . . . . . . . . . . . . . . 3
3. Protocol Definition . . . . . . . . . . . . . . . . . . . . . . 3
4. Choosing GSS-API Mechanisms . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Zhu Expires January 10, 2008 [Page 2]
Internet-Draft FKA-TLS July 2007
1. Introduction
[RFC4279] defines Transport Layer Security (TLS) based on pre-shared
keys (PSK). This assumes a pair-wise key sharing scheme that is less
scalable and more costly to manage in comparison with a trusted third
party scheme such as Kerberos [RFC4120]. In addition, off-shelf GSS-
API libraries that allow dynamic key sharing are not currently
accessible to TLS applications. For example, Kerberos [RFC4121] is a
GSS-API mechanism that can establish a shared key between a client
and a server based on either asymmetric keys [RFC4556] or symmetric
keys [RFC4120].
This document extends [RFC4279] to allow the client and the server
establish a shared key on demand by using off-shelf GSS-API
libraries, and then proceed according to RFC 4279. This is a modular
approach to leverage Kerberos alike trust infrastructures in securing
TLS connections.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Protocol Definition
The GSS-API TLS extension is defined according to [RFC3546]. The
extension data carries GSS-API token within the TLS hello messages.
enum {
GSS-API(TBD), (65535)
} ExtensionType;
Initially the client calls GSS_Init_sec_context() [RFC2743] to
establish a security context, it MUST set the mutual_req_flag and
identify the server by targ_name so that mutual authentication is
performed in the course of context establishment. If the mutual
authentication is not available when the context is established
successfully, the GSS-API security context MUST be discarded. The
extension_data from the client contains the output token of
GSS_Init_sec_context(). If a GSS-API context cannot be established,
the GSS-API TLS extension MUST NOT be included in the client hello
message and it is a matter of local policy on the client whether to
continue or reject the TLS authentication as if the GSS-API TLS
extension is not supported.
Zhu Expires January 10, 2008 [Page 3]
Internet-Draft FKA-TLS July 2007
Upon receipt of the GSS-API TLS extension from the client, and if the
server supports the GSS-API TLS extension, the server calls
GSS_Accept_sec_context() with the client GSS-API output token in the
client's extension data as the input token. If
GSS_Accept_sec_context() returns a token successfully, the server
responds with a GSS-API TLS extension and places the output token in
the extension_data. If GSS_Accept_sec_context() fails, it is a
matter of local policy on the server whether to continue or reject
the TLS authentication as if the GSS-API TLS extension is not
supported.
The server MUST NOT include a GSS-API TLS extension in the hello
message if the cipher_suite in the ServerHello message is not a PSK
ciphersuite [RFC4279].
If the server expects at least one more token to be accepted from the
client in order to establish the security context, the additional
GSS-API tokens are carried in a new handshake message called the
token-transfer message.
enum {
token_transfer(TBD), (255)
} HandshakeType;
struct {
HandshakeType msg_type; /* handshake type */
uint24 length; /* bytes in message */
select (HandshakeType) {
case token_transfer: /* NEW */
TokenTranfer;
} body;
} Handshake;
enum {
gss-api-token(1), (255)
} TokenTransferType;
struct {
TokenTransferType token_type; /* token type */
opaque token<0..2^16-1>;
} TokenTranfer;
The TokenTranfer structure is filled out as follows:
o The token_type is gss-api-token.
Zhu Expires January 10, 2008 [Page 4]
Internet-Draft FKA-TLS July 2007
o The token field contains the GSS-API context establishment tokens
from the client and the server.
The client calls GSS_Init_sec_context() with the token in the
TokenTranfer stucture from the server as the input token, and then
places the output token, if any, into the TokenTranfer message and
sends the handshake message to the server. The server calls
GSS_Accept_sec_context() with the token in the TokenTranfer structure
from the client as the input token, and then places the output token,
if any, into the TokenTranfer message and sends the handshake message
to the client. This loop repeats until either the context fails to
establish or the context is established successfully. To prevent an
infinite loop, both the client and the server MUST have a policy to
limit the maximum number of GSS-API context establishment calls for a
given session. The recommended value is 5. If the GSS-API context
fails to establish, it is a matter of local policy whether to
continue or reject the TLS authentication as if the GSS-API TLS
extension is not supported.
When the last GSS-API context establishment token is sent by the
client or when the GSS-API context fails to establish on the client
side and the local policy allows the TLS authentication to proceed as
if the TLS GSS-API extension is not supported, the client sends an
empty TokenTransfer handshake message.
If the GSS-API context fails to establish and local policy allows the
TLS authentication continue as if the GSS-API TLS extension is not
supported, the server MAY send another ServerHello message in order
to choose a different cipher suite. The client then MUST expect the
second ServerHello message from the server before the session is
established. The second ServerHello message MUST differ from the
first ServerHello message in the cipher_suite field and only in that
field.
If the client and the server establish a security context
successfully, both the client and the server call GSS_Pseudo_random()
[RFC4401] to compute a sufficiently long shared secret with the same
value based on the negotiated ciphersuite, and then proceed according
to [RFC4279] using this shared secret value as the "PSK". Both
psk_identity and psk_identity_hint are empty in the handshake
messages when the shared key is established using a GSS-API mechanism
as described in this document.
The following text art summaries the protocol message flow.
Zhu Expires January 10, 2008 [Page 5]
Internet-Draft FKA-TLS July 2007
Client Server
ClientHello -------->
ServerHello
<-------- TokenTransfer*
.
.
.
TokenTransfer* -------->
ServerHello*
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <--------> Application Data
Fig. 1. Message flow for a full handshake
* Indicates optional or situation-dependent messages that are
not always sent.
There could be multiple TokenTransfer handshake messages, and the
last TokenTranster message, if present, is always sent from the
client to the server and it can carry an empty token.
4. Choosing GSS-API Mechanisms
If more than one GSS-API mechanism is shared between the client and
the server, it is RECOMMENDED to deploy a pseudo GSS-API mechanism
such as [RFC4178] to choose a mutually preferred GSS-API mechanism.
If the Kerberos client does not have access to the KDC but the server
does, [IAKERB] can be chosen to tunnel the Kerberos authentication
exchange within the TLS handshake messages.
5. Security Considerations
When Kerberos as defined in [RFC4120] is used to establish the share
Zhu Expires January 10, 2008 [Page 6]
Internet-Draft FKA-TLS July 2007
key, it is vulnerable to offline dictionary attacks. The threat is
mitigated by deploying kerberos FAST [KRB-FAST].
6. Acknowledgements
Stefan Santesson, Ari Medvinsky and Jeffery Altman helped editing the
earlier revisions of this document.
7. IANA Considerations
A new handshake message token_transfer is defined according to
[RFC4346] and a new TLS extension called the GSS-API extension is
defined according to [RFC3546]. The registry need to be updated to
include these new types.
This document defines the type of the transfer tokens in Section 3, a
registry need to be setup and the allocation policy is "Specification
Required".
8. References
8.1. Normative References
[IAKERB] Zhu, L., "Initial and Pass Through Authentication Using
Kerberos V5 and the GSS-API", draft-zhu-ws-kerb-03.txt
(work in progress), 2007.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 3546, June 2003.
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The
Simple and Protected Generic Security Service Application
Program Interface (GSS-API) Negotiation Mechanism",
RFC 4178, October 2005.
[RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
for Transport Layer Security (TLS)", RFC 4279,
December 2005.
Zhu Expires January 10, 2008 [Page 7]
Internet-Draft FKA-TLS July 2007
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4401] Williams, N., "A Pseudo-Random Function (PRF) API
Extension for the Generic Security Service Application
Program Interface (GSS-API)", RFC 4401, February 2006.
8.2. Informative References
[KRB-FAST]
Zhu, L. and S. Hartman, "A Generalized Framework for
Kerberos Pre-Authentication",
draft-ietf-krb-wg-preauth-framework-06.txt (work in
progress), 2007.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
[RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2", RFC 4121,
July 2005.
[RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial
Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.
Author's Address
Larry Zhu
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Email: lzhu@microsoft.com
Zhu Expires January 10, 2008 [Page 8]
Internet-Draft FKA-TLS July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Zhu Expires January 10, 2008 [Page 9]
|