| draft-ietf-sasl-gs2-01.txt | | draft-ietf-sasl-gs2-02.txt | |
|---|
| | | | |
| Network Working Group S. Josefsson | | Network Working Group S. Josefsson | |
| | | | |
|
| Expires: December 28, 2006 | | Expires: January 14, 2007 | |
| | | | |
| Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family | | Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family | |
|
| draft-ietf-sasl-gs2-01 | | draft-ietf-sasl-gs2-02 | |
| | | | |
| Status of this Memo | | Status of this Memo | |
| | | | |
| By submitting this Internet-Draft, each author represents that any | | By submitting this Internet-Draft, each author represents that any | |
| applicable patent or other IPR claims of which he or she is aware | | applicable patent or other IPR claims of which he or she is aware | |
| have been or will be disclosed, and any of which he or she becomes | | have been or will be disclosed, and any of which he or she becomes | |
| aware will be disclosed, in accordance with Section 6 of BCP 79. | | aware will be disclosed, in accordance with Section 6 of BCP 79. | |
| | | | |
| Internet-Drafts are working documents of the Internet Engineering | | Internet-Drafts are working documents of the Internet Engineering | |
| Task Force (IETF), its areas, and its working groups. Note that | | Task Force (IETF), its areas, and its working groups. Note that | |
| | | | |
| skipping to change at page 1, line 33 | | skipping to change at page 1, line 33 | |
|---|
| and may be updated, replaced, or obsoleted by other documents at any | | and may be updated, replaced, or obsoleted by other documents at any | |
| time. It is inappropriate to use Internet-Drafts as reference | | time. It is inappropriate to use Internet-Drafts as reference | |
| material or to cite them other than as "work in progress." | | material or to cite them other than as "work in progress." | |
| | | | |
| The list of current Internet-Drafts can be accessed at | | The list of current Internet-Drafts can be accessed at | |
| http://www.ietf.org/ietf/1id-abstracts.txt. | | http://www.ietf.org/ietf/1id-abstracts.txt. | |
| | | | |
| The list of Internet-Draft Shadow Directories can be accessed at | | The list of Internet-Draft Shadow Directories can be accessed at | |
| http://www.ietf.org/shadow.html. | | http://www.ietf.org/shadow.html. | |
| | | | |
|
| This Internet-Draft will expire on December 28, 2006. | | This Internet-Draft will expire on January 14, 2007. | |
| | | | |
| Copyright Notice | | Copyright Notice | |
| | | | |
| Copyright (C) The Internet Society (2006). | | Copyright (C) The Internet Society (2006). | |
| | | | |
| Abstract | | Abstract | |
| | | | |
| This document describes how to use a Generic Security Service | | This document describes how to use a Generic Security Service | |
| Application Program Interface (GSS-API) mechanism in the the Simple | | Application Program Interface (GSS-API) mechanism in the the Simple | |
| Authentication and Security Layer (SASL) framework. | | Authentication and Security Layer (SASL) framework. | |
| | | | |
| See <http://josefsson.org/sasl-gs2-*/> for more information. | | See <http://josefsson.org/sasl-gs2-*/> for more information. | |
| | | | |
| Table of Contents | | Table of Contents | |
| | | | |
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |
|
| 2. Conventions Used in this Document . . . . . . . . . . . . . . 3 | | 2. Conventions used in this document . . . . . . . . . . . . . . 3 | |
| 3. Mechanism Name . . . . . . . . . . . . . . . . . . . . . . . . 3 | | 3. Mechanism name . . . . . . . . . . . . . . . . . . . . . . . . 3 | |
| 3.1. Generating SASL Mechanism Names From GSS-API OIDs . . . . 3 | | 3.1. Generating SASL mechanism names from GSS-API OIDs . . . . 3 | |
| 3.2. Computing Mechanism Names Manually . . . . . . . . . . . . 4 | | 3.2. Computing mechanism names manually . . . . . . . . . . . . 4 | |
| 3.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 | | 3.3. Example . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |
| 4. Packet Format . . . . . . . . . . . . . . . . . . . . . . . . 4 | | 4. Packet Format . . . . . . . . . . . . . . . . . . . . . . . . 4 | |
| 4.1. SASL Tokens . . . . . . . . . . . . . . . . . . . . . . . 4 | | 4.1. SASL Tokens . . . . . . . . . . . . . . . . . . . . . . . 4 | |
|
| 4.2. Flags . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | | 4.2. Context Token . . . . . . . . . . . . . . . . . . . . . . 5 | |
| 4.3. Context Token . . . . . . . . . . . . . . . . . . . . . . 6 | | 4.3. Wrap Token . . . . . . . . . . . . . . . . . . . . . . . . 6 | |
| 4.4. Wrap Token . . . . . . . . . . . . . . . . . . . . . . . . 7 | | 4.3.1. GSS_Wrap input for client requests . . . . . . . . . . 7 | |
| 4.4.1. Wrap Token Input For Client Requests . . . . . . . . . 7 | | 4.3.2. GSS_Wrap input for server responses . . . . . . . . . 8 | |
| 4.4.2. WraP Token Input For Server Responses . . . . . . . . 8 | | 4.3.3. GSS_Wrap input for server requests . . . . . . . . . . 8 | |
| 4.4.3. Wrap Token Input For Server Requests . . . . . . . . . 9 | | 4.3.4. GSS_Wrap input for client responses . . . . . . . . . 9 | |
| 4.4.4. Wrap Token Input For Client Responses . . . . . . . . 9 | | 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 9 | |
| 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 10 | | 6. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 10 | |
| 5.1. Name Of Tls Channel For Use As Channel Binding . . . . . . 11 | | 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 13 | |
| 6. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 11 | | 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 13 | |
| 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 14 | | 9. Security Layer Bits . . . . . . . . . . . . . . . . . . . . . 13 | |
| 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 14 | | 9.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |
| 9. Security Layer Bits . . . . . . . . . . . . . . . . . . . . . 15 | | 10. Interoperability with the GSSAPI mechanism . . . . . . . . . . 14 | |
| 10. Interoperability With The Gssapi Mechanism . . . . . . . . . . 15 | | 10.1. The interoperability problem . . . . . . . . . . . . . . . 15 | |
| 10.1. The Interoperability problem . . . . . . . . . . . . . . . 15 | | | |
| 10.2. Resolving the problem . . . . . . . . . . . . . . . . . . 15 | | 10.2. Resolving the problem . . . . . . . . . . . . . . . . . . 15 | |
| 10.3. Additional recommendations . . . . . . . . . . . . . . . . 15 | | 10.3. Additional recommendations . . . . . . . . . . . . . . . . 15 | |
|
| 11. Mechanisms That Negotiate Other Mechanisms . . . . . . . . . . 16 | | 11. Mechanisms that negotiate other mechanisms . . . . . . . . . . 15 | |
| 11.1. The Interoperability Problem . . . . . . . . . . . . . . . 16 | | 11.1. The interoperability problem . . . . . . . . . . . . . . . 15 | |
| 11.2. Security Problem . . . . . . . . . . . . . . . . . . . . . 16 | | 11.2. Security problem . . . . . . . . . . . . . . . . . . . . . 15 | |
| 11.3. Resolving the Problems . . . . . . . . . . . . . . . . . . 16 | | 11.3. Resolving the problems . . . . . . . . . . . . . . . . . . 16 | |
| 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | | 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | |
|
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |
| 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18 | | 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 | |
| 15. Copying Conditions . . . . . . . . . . . . . . . . . . . . . . 18 | | 15. Copying Conditions . . . . . . . . . . . . . . . . . . . . . . 17 | |
| 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | | 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |
| 16.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | | 16.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | |
|
| 16.2. Informative References . . . . . . . . . . . . . . . . . . 19 | | 16.2. Informative References . . . . . . . . . . . . . . . . . . 18 | |
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20 | | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |
| Intellectual Property and Copyright Statements . . . . . . . . . . 21 | | Intellectual Property and Copyright Statements . . . . . . . . . . 21 | |
| | | | |
| 1. Introduction | | 1. Introduction | |
| | | | |
| Generic Security Service Application Program Interface (GSS-API) [3] | | Generic Security Service Application Program Interface (GSS-API) [3] | |
| is a framework that provide security services to applications. | | is a framework that provide security services to applications. | |
| Simple Authentication and Security Layer (SASL) [2] is a framework to | | Simple Authentication and Security Layer (SASL) [2] is a framework to | |
| provide authentication and security layers for connection based | | provide authentication and security layers for connection based | |
| protocols. This document describe how to use a GSS-API mechanism in | | protocols. This document describe how to use a GSS-API mechanism in | |
| a connection-based protocol using the SASL framework. | | a connection-based protocol using the SASL framework. | |
| | | | |
| All GSSAPI mechanisms are implicitly registered for use within SASL | | All GSSAPI mechanisms are implicitly registered for use within SASL | |
| by this specification. The SASL mechanism defined in this document | | by this specification. The SASL mechanism defined in this document | |
| is known as the GS2 family. | | is known as the GS2 family. | |
| | | | |
|
| The "Kerberos V5 GSS-API mechanism" [9] is also supported in SASL | | The "Kerberos V5 GSS-API mechanism" [10] is also supported in SASL | |
| through "SASL GSSAPI mechanisms" [11]. The difference between that | | through "SASL GSSAPI mechanisms" [12]. The difference between that | |
| protocol and the one described here, is that this protocol offer more | | protocol and the one described here, is that this protocol offer more | |
| features (i.e., channel bindings and round-trip optimizations) while | | features (i.e., channel bindings and round-trip optimizations) while | |
| the other protocol is more widely deployed. There are | | the other protocol is more widely deployed. There are | |
| interoperability concerns by having the same GSS-API mechanism | | interoperability concerns by having the same GSS-API mechanism | |
| available under more than one SASL mechanism name, see the section | | available under more than one SASL mechanism name, see the section | |
| "Interoperability with the GSSAPI mechanism" below. | | "Interoperability with the GSSAPI mechanism" below. | |
| | | | |
| There are interoperability and security concerns if this SASL | | There are interoperability and security concerns if this SASL | |
| mechanism is used together with a GSS-API mechanism that negotiate | | mechanism is used together with a GSS-API mechanism that negotiate | |
|
| other GSS-API mechanisms (such as SPNEGO [10]), see the section | | other GSS-API mechanisms (such as SPNEGO [11]), see the section | |
| "Mechanisms that negotiate other mechanisms" below. | | "Mechanisms that negotiate other mechanisms" below. | |
| | | | |
| SASL mechanism names starting with "GS2-" are reserved for SASL | | SASL mechanism names starting with "GS2-" are reserved for SASL | |
| mechanisms which conform to this document. | | mechanisms which conform to this document. | |
| | | | |
| The IESG is considered to be the owner of all SASL mechanisms which | | The IESG is considered to be the owner of all SASL mechanisms which | |
| conform to this document. This does not necessarily imply that the | | conform to this document. This does not necessarily imply that the | |
| IESG is considered to be the owner of the underlying GSSAPI | | IESG is considered to be the owner of the underlying GSSAPI | |
| mechanism. | | mechanism. | |
| | | | |
|
| 2. Conventions Used in this Document | | 2. Conventions used in this document | |
| | | | |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |
| document are to be interpreted as described in [1]. | | document are to be interpreted as described in [1]. | |
| | | | |
|
| 3. Mechanism Name | | 3. Mechanism name | |
| | | | |
|
| 3.1. Generating SASL Mechanism Names From GSS-API OIDs | | 3.1. Generating SASL mechanism names from GSS-API OIDs | |
| | | | |
| The SASL mechanism name for a GSS-API mechanism is the concatenation | | The SASL mechanism name for a GSS-API mechanism is the concatenation | |
| of the string "GS2-" and the Base32 encoding [5] (with an upper case | | of the string "GS2-" and the Base32 encoding [5] (with an upper case | |
| alphabet) of the first ten bytes of the binary SHA-1 hash [4] string | | alphabet) of the first ten bytes of the binary SHA-1 hash [4] string | |
|
| computed over the ASN.1 DER encoding [7] of the GSS-API mechanism's | | computed over the ASN.1 DER encoding [8] of the GSS-API mechanism's | |
| Object Identifier. The Base32 rules on padding characters and | | Object Identifier. The Base32 rules on padding characters and | |
| characters outside of the base32 alphabet are not relevant to this | | characters outside of the base32 alphabet are not relevant to this | |
| use of Base32. If any padding or non-alphabet characters are | | use of Base32. If any padding or non-alphabet characters are | |
| encountered, the name is not a GS2 family mechanism name. | | encountered, the name is not a GS2 family mechanism name. | |
| | | | |
|
| 3.2. Computing Mechanism Names Manually | | 3.2. Computing mechanism names manually | |
| | | | |
| The SASL mechanism name may be computed manually. This is useful | | The SASL mechanism name may be computed manually. This is useful | |
| when the set of supported GSS-API mechanisms is known in advance. It | | when the set of supported GSS-API mechanisms is known in advance. It | |
| also obliterate the need to implement Base32, SHA-1 and DER in the | | also obliterate the need to implement Base32, SHA-1 and DER in the | |
| SASL mechanism. The computed mechanism name can be used directly in | | SASL mechanism. The computed mechanism name can be used directly in | |
| the implementation, and the implementation need not concern itself | | the implementation, and the implementation need not concern itself | |
| with that the mechanism is part of a mechanism family. | | with that the mechanism is part of a mechanism family. | |
| | | | |
| 3.3. Example | | 3.3. Example | |
| | | | |
|
| For example, the OID for the SPKM-1 mechanism [12] is | | For example, the OID for the SPKM-1 mechanism [13] is | |
| 1.3.6.1.5.5.1.1. The ASN.1 DER encoding of the OID is 06 07 2b 06 01 | | 1.3.6.1.5.5.1.1. The ASN.1 DER encoding of the OID is 06 07 2b 06 01 | |
| 05 05 01 01. The SHA-1 hash of the ASN.1 DER encoding is | | 05 05 01 01. The SHA-1 hash of the ASN.1 DER encoding is | |
| 1cf8f42b5a9f80fae9f831226d5d9d56278661ad. The Base32 encoding of the | | 1cf8f42b5a9f80fae9f831226d5d9d56278661ad. The Base32 encoding of the | |
|
| first ten bytes of this is "dt4pik22t6epv2py". Thus the SASL | | first ten bytes of this is "DT4PIK22T6EPV2PY". Thus the SASL | |
| mechanism name for the SPKM-1 GSSAPI mechanism is "GS2- | | mechanism name for the SPKM-1 GSSAPI mechanism is "GS2- | |
| DT4PIK22T6EPV2PY". | | DT4PIK22T6EPV2PY". | |
| | | | |
| 4. Packet Format | | 4. Packet Format | |
| | | | |
| 4.1. SASL Tokens | | 4.1. SASL Tokens | |
| | | | |
| All top-level SASL packets for the GS2 mechanism family follow the | | All top-level SASL packets for the GS2 mechanism family follow the | |
| following format: | | following format: | |
| | | | |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | Context length | | | | Context length | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
|
| | Flags | | | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | |
| | / | | | / | |
| / Context token / | | / Context token / | |
| / --------------------/ | | / --------------------/ | |
| / ---------------------/ / | | / ---------------------/ / | |
| /--------------------/ / | | /--------------------/ / | |
| / [Wrap token] / | | / [Wrap token] / | |
| / / | | / / | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
|
| | | | |
| The "Context length" field is a 4 octet (32 bit) integer encoded in | | The "Context length" field is a 4 octet (32 bit) integer encoded in | |
| network byte order, it indicate the length of the "Context token" | | network byte order, it indicate the length of the "Context token" | |
| field. | | field. | |
| | | | |
|
| The "Flags" field is a 4 octet (32 bit) bitmask that holds flags that | | | |
| influence the authentication process. | | | |
| | | | |
| The "Context token" field contain a GSS-API context establishment | | The "Context token" field contain a GSS-API context establishment | |
| token generated by GSS_Init_sec_context or GSS_Accept_sec_context. | | token generated by GSS_Init_sec_context or GSS_Accept_sec_context. | |
| | | | |
| The "Wrap token" field is optional, and if present will contain the | | The "Wrap token" field is optional, and if present will contain the | |
| output generated by GSS_Wrap. | | output generated by GSS_Wrap. | |
| | | | |
| The length field does not include the length of the length field | | The length field does not include the length of the length field | |
| itself. Whether the "Wrap token" field is included or not can be | | itself. Whether the "Wrap token" field is included or not can be | |
| infered from the length field; if the length field is shorter than | | infered from the length field; if the length field is shorter than | |
| the entire packet size minus 4 octets, the "Wrap token" field is | | the entire packet size minus 4 octets, the "Wrap token" field is | |
| present and begins after length+4 octets into the packet. The tokens | | present and begins after length+4 octets into the packet. The tokens | |
| need not be aligned to 32-bit a boundary. There is no padding | | need not be aligned to 32-bit a boundary. There is no padding | |
| between the tokens. | | between the tokens. | |
| | | | |
| Packets shorter than 4 octets are invalid. If the length field is | | Packets shorter than 4 octets are invalid. If the length field is | |
| longer than the entire packet size, minus 4 octets, the packet is | | longer than the entire packet size, minus 4 octets, the packet is | |
| invalid. | | invalid. | |
| | | | |
|
| 4.2. Flags | | 4.2. Context Token | |
| | | | |
| Bit 0 signal whether GSS-API Channel bindings are used. It is only | | | |
| useful in the first token sent from the client, and MUST be set to 0 | | | |
| in all other tokens. The bit is called the "Native Channel Bindings" | | | |
| bit. The client chooses whether to set this bit or not depending on | | | |
| local policy or user requests. | | | |
| | | | |
| The other bits are not specified and MUST be zero. If a bit is set | | | |
| that is not understood by the implementation, it MUST be ignored. | | | |
| | | | |
| 4.3. Context Token | | | |
| | | | |
| The format of the "Context token" field inside the SASL token are | | The format of the "Context token" field inside the SASL token are | |
| defined by the GSS-API specifications, and the data is computed by | | defined by the GSS-API specifications, and the data is computed by | |
| the GSS_Init_sec_context and GSS_Accept_sec_context functions. | | the GSS_Init_sec_context and GSS_Accept_sec_context functions. | |
| | | | |
| The client calls GSS_Init_sec_context, passing in | | The client calls GSS_Init_sec_context, passing in | |
| input_context_handle of 0 (initially), mech_type of the GSSAPI | | input_context_handle of 0 (initially), mech_type of the GSSAPI | |
| mechanism for which this SASL mechanism is registered, the | | mechanism for which this SASL mechanism is registered, the | |
|
| chan_binding is set to NULL or the channel binding data depending on | | chan_binding is set to NULL, and targ_name equal to output_name from | |
| the Native Channel Binding flag, and targ_name equal to output_name | | GSS_Import_Name called with input_name_type of | |
| from GSS_Import_Name called with input_name_type of | | | |
| GSS_C_NT_HOSTBASED_SERVICE and input_name_string of | | GSS_C_NT_HOSTBASED_SERVICE and input_name_string of | |
| "service@hostname" where "service" is the service name specified in | | "service@hostname" where "service" is the service name specified in | |
| the protocol's profile, and "hostname" is the fully qualified host | | the protocol's profile, and "hostname" is the fully qualified host | |
| name of the server. If the client will be requesting a security | | name of the server. If the client will be requesting a security | |
| layer, it MUST also supply to the GSS_Init_sec_context a | | layer, it MUST also supply to the GSS_Init_sec_context a | |
| mutual_req_flag of TRUE, a sequence_req_flag of TRUE, and an | | mutual_req_flag of TRUE, a sequence_req_flag of TRUE, and an | |
| integ_req_flag of TRUE. If the client will be requesting a security | | integ_req_flag of TRUE. If the client will be requesting a security | |
| layer providing confidentiality protection, it MUST also supply to | | layer providing confidentiality protection, it MUST also supply to | |
| the GSS_Init_sec_context a conf_req_flag of TRUE. If | | the GSS_Init_sec_context a conf_req_flag of TRUE. If | |
| GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the client | | GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the client | |
|
| should expect the server to issue a token in a subsequent challenge | | expect the server to issue a token in a subsequent challenge or as | |
| or as additional information to the outcome of the authentication. | | additional information to the outcome of the authentication. The | |
| The client must pass the context token to another call to | | client pass the context token to another call to | |
| GSS_Init_sec_context, repeating the actions in this paragraph, until | | GSS_Init_sec_context, repeating the actions in this paragraph, until | |
| GSS_S_COMPLETE is returned or authentication is aborted. If the | | GSS_S_COMPLETE is returned or authentication is aborted. If the | |
|
| server supply data beyond the context token, the context token should | | server supply data beyond the context token, the context token is | |
| be processed first, and then the overflow data should be passed to | | processed first, and then the overflow data is passed to GSS_Unwrap | |
| GSS_Unwrap and the unwrapped data should be interpreted. During the | | and the unwrapped data interpreted. During the authentication | |
| authentication exchange, the client will generate one Wrap token | | exchange, the client will generate one Wrap token using GSS_Wrap. | |
| using GSS_Wrap. | | | |
| | | | |
| The server passes the first client response to GSS_Accept_sec_context | | The server passes the first client response to GSS_Accept_sec_context | |
| as input_token, setting input_context_handle to 0 (initially), | | as input_token, setting input_context_handle to 0 (initially), | |
| mech_type of the GSSAPI mechanism for which this SASL mechanism is | | mech_type of the GSSAPI mechanism for which this SASL mechanism is | |
|
| registered, the chan_binding set to NULL or the channel binding data | | registered, the chan_binding set to NULL, and acceptor_cred_handle | |
| depending on the Native Channel Binding bit, and acceptor_cred_handle | | | |
| equal to output_cred_handle from GSS_Acquire_cred called with | | equal to output_cred_handle from GSS_Acquire_cred called with | |
| desired_name equal to output_name from GSS_Import_name with | | desired_name equal to output_name from GSS_Import_name with | |
| input_name_type of GSS_C_NT_HOSTBASED_SERVICE and input_name_string | | input_name_type of GSS_C_NT_HOSTBASED_SERVICE and input_name_string | |
| of "service@hostname" where "service" is the service name specified | | of "service@hostname" where "service" is the service name specified | |
| in the protocol's profile, and "hostname" is the fully qualified host | | in the protocol's profile, and "hostname" is the fully qualified host | |
|
| name of the server. The server must pass any resulting challenge | | name of the server. The server pass any resulting challenge from the | |
| from the client to another call to GSS_Accept_sec_context, repeating | | client to another call to GSS_Accept_sec_context, repeating the | |
| the actions in this paragraph, until GSS_S_COMPLETE is returned or | | actions in this paragraph, until GSS_S_COMPLETE is returned or | |
| authentication is aborted. If the client supply data beyond the | | authentication is aborted. If the client supply data beyond the | |
|
| context token, the context token should be processed first, and then | | context token, the context token is processed first, and then the | |
| the overflow data should be passed to GSS_Unwrap and the unwrapped | | overflow data is passed to GSS_Unwrap and the unwrapped data | |
| data should be interpreted. During the authentication exchange, the | | interpreted. During the authentication exchange, the server will | |
| server will generate one Wrap token using GSS_Wrap. | | generate one Wrap token using GSS_Wrap. | |
| | | | |
|
| 4.4. Wrap Token | | 4.3. Wrap Token | |
| | | | |
| The Wrap token MUST NOT be sent before the PROT_READY flag has been | | The Wrap token MUST NOT be sent before the PROT_READY flag has been | |
| set locally (by GSS_Init_sec_context or Gss_Accept_sec_context), or | | set locally (by GSS_Init_sec_context or Gss_Accept_sec_context), or | |
| if the PROT_READY flag is never set, before the context has been | | if the PROT_READY flag is never set, before the context has been | |
| fully established. The GSS_Wrap token does not have to be sent | | fully established. The GSS_Wrap token does not have to be sent | |
| directly when the PROT_READY flag is set. During any exchange, | | directly when the PROT_READY flag is set. During any exchange, | |
| exactly one GSS_Wrap token is sent in each direction. The input to | | exactly one GSS_Wrap token is sent in each direction. The input to | |
| the GSS_Wrap function MUST follow the format described below. If not | | the GSS_Wrap function MUST follow the format described below. If not | |
| exactly one GSS_Wrap token is received by the client and by the | | exactly one GSS_Wrap token is received by the client and by the | |
| server, the authentication MUST fail. | | server, the authentication MUST fail. | |
| | | | |
| skipping to change at page 7, line 47 | | skipping to change at page 7, line 15 | |
|---|
| when the server sends the GSS_Wrap token first and the client | | when the server sends the GSS_Wrap token first and the client | |
| responds. | | responds. | |
| | | | |
| The input formats below are passed to GSS_Wrap with conf_flag set to | | The input formats below are passed to GSS_Wrap with conf_flag set to | |
| FALSE, and the Wrap token output will be the generated | | FALSE, and the Wrap token output will be the generated | |
| output_message. | | output_message. | |
| | | | |
| Some fields in the input formats are optional, indicated by brackets | | Some fields in the input formats are optional, indicated by brackets | |
| ("[" and "]") and explained by the text below. | | ("[" and "]") and explained by the text below. | |
| | | | |
|
| 4.4.1. Wrap Token Input For Client Requests | | 4.3.1. GSS_Wrap input for client requests | |
| | | | |
| The input to GSS_Wrap when the client sends the GSS_Wrap token first | | The input to GSS_Wrap when the client sends the GSS_Wrap token first | |
| is as follows. | | is as follows. | |
| | | | |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | client_qops | client_maxbuf | | | | client_qops | client_maxbuf | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | channel_binding_length | | | | channel_binding_length | | |
| | | | |
| skipping to change at page 8, line 41 | | skipping to change at page 8, line 8 | |
|---|
| | | | |
| The optional field "channel_binding_data" is present only if | | The optional field "channel_binding_data" is present only if | |
| "channel_binding_length" is non-zero, and contain the actual channel | | "channel_binding_length" is non-zero, and contain the actual channel | |
| binding data. | | binding data. | |
| | | | |
| The optional field "authzid" contain the authorization identity. The | | The optional field "authzid" contain the authorization identity. The | |
| authorization identity is encoded using UTF-8 [6]. The authorization | | authorization identity is encoded using UTF-8 [6]. The authorization | |
| identity is not terminated with the NUL (U+0000) character. Servers | | identity is not terminated with the NUL (U+0000) character. Servers | |
| MUST validate that the authorization identity is valid UTF-8. | | MUST validate that the authorization identity is valid UTF-8. | |
| | | | |
|
| 4.4.2. WraP Token Input For Server Responses | | 4.3.2. GSS_Wrap input for server responses | |
| | | | |
| The data format for input to GSS_Wrap when the server responds to the | | The data format for input to GSS_Wrap when the server responds to the | |
| previous GSS_Wrap token data is as follows. | | previous GSS_Wrap token data is as follows. | |
| | | | |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | server_qop | server_maxbuf | | | | server_qop | server_maxbuf | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | | | |
| The "server_qop" field integer indicate the selected quality of | | The "server_qop" field integer indicate the selected quality of | |
| protection. | | protection. | |
| | | | |
| The "server_maxbuf" field indicate the maximum data buffer size the | | The "server_maxbuf" field indicate the maximum data buffer size the | |
| server can receive. It MUST be 0 if the server doesn't advertise | | server can receive. It MUST be 0 if the server doesn't advertise | |
| support for any security layer, the client MUST verify this. | | support for any security layer, the client MUST verify this. | |
| | | | |
|
| 4.4.3. Wrap Token Input For Server Requests | | 4.3.3. GSS_Wrap input for server requests | |
| | | | |
| The data format for input to GSS_Wrap when the server sends the | | The data format for input to GSS_Wrap when the server sends the | |
| GSS_Wrap token first is as follows. | | GSS_Wrap token first is as follows. | |
| | | | |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | server_qops | server_maxbuf | | | | server_qops | server_maxbuf | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | channel_binding_length | | | | channel_binding_length | | |
| | | | |
| skipping to change at page 9, line 43 | | skipping to change at page 9, line 11 | |
|---|
| | | | |
| The optional field "server_cbqops" is present only if | | The optional field "server_cbqops" is present only if | |
| "channel_binding_length" is non-zero, and indicate the server's | | "channel_binding_length" is non-zero, and indicate the server's | |
| preferred quality of protection if channel binding negotiation | | preferred quality of protection if channel binding negotiation | |
| succeeds. | | succeeds. | |
| | | | |
| The optional field "channel_binding_data" is present only if | | The optional field "channel_binding_data" is present only if | |
| "channel_binding_length" is non-zero, and contain the actual channel | | "channel_binding_length" is non-zero, and contain the actual channel | |
| binding data. | | binding data. | |
| | | | |
|
| 4.4.4. Wrap Token Input For Client Responses | | 4.3.4. GSS_Wrap input for client responses | |
| | | | |
| The data format for input to GSS_Wrap when the client responds to the | | The data format for input to GSS_Wrap when the client responds to the | |
| previous token is as follows. | | previous token is as follows. | |
| | | | |
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | client_qop | client_maxbuf | | | | client_qop | client_maxbuf | | |
| / [authzid] | | | / [authzid] | | |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| | | | |
| The "client_qop" field is the selected quality of protection. | | The "client_qop" field is the selected quality of protection. | |
| | | | |
| The "client_maxbuf" and "authzid" fields are as above. | | The "client_maxbuf" and "authzid" fields are as above. | |
| | | | |
| 5. Channel Bindings | | 5. Channel Bindings | |
| | | | |
|
| [[This section is tentative further discussion on the topic. This | | The GS2 mechanism provide its own channel binding mechanism, instead | |
| was written to provide an example of how the details of how one | | of using the "chan_binding" parameter in the GSS-API context | |
| approach to this concept could look like. There are other approaches | | functions. The reason for this is that the GS2 mechanism provide an | |
| that may be preferable.]] | | option to proceed even if the channel bindings does not match. The | |
| | | GSS-API framework specifies that authentication cannot proceed if | |
| The GS2 mechanism provide its own token field for channel bindings, | | channel bindings does not match. | |
| in addition to the "chan_binding" parameter in the GSS-API context | | | |
| functions. The reason for this is that the GS2 mechanism wish to | | | |
| provide an option to proceed even if the channel bindings does not | | | |
| match. The GSS-API framework specifies that authentication cannot | | | |
| proceed if channel bindings does not match. The GSS-API framework | | | |
| also does not specify the kind of privacy layer the channel binding | | | |
| should be transferred under, thus making it possible for attackers to | | | |
| modify it to always make channel binding negotiation succeed. | | | |
| | | | |
| The client can select, using the "Native Channel Bindings" bit, | | | |
| whether it wishes to use the "chan_bindings" parameter in the GSS-API | | | |
| layer or not. If it wishes to use this, it is not possible to | | | |
| continue after a failed channel binding negotiation. | | | |
| | | | |
| A client that wish to continue with the authentication even if the | | | |
| channel bindings does not match, set the "Native Channel Binding" bit | | | |
| to 0. It MUST use the channel binding field in the GS2 token. It | | | |
| MUST set the "chan_binding" parameter in the calls to | | | |
| GSS_Init_sec_context to GSS_Accept_sec_context to NULL. The | | | |
| application MUST set the "client_qops" field to include privacy | | | |
| protection (to protect the SASL application data), and MAY set the | | | |
| "client_cbqops" to no security layer (to avoid performance | | | |
| degradation due to two security layers). | | | |
| | | | |
| If a client do not wish to continue the authentication if channel | | | |
| binding negotiation fails, or wishes to use the channel binding in | | | |
| the GSS-API layer, it will set the "Native Channel Binding" bit to 1 | | | |
| in its first token. It MUST use both the channel binding field in | | | |
| the GS2 token and the "chan_binding" parameter in the calls to | | | |
| GSS_Init_sec_context and GSS_Accept_sec_context. The authentication | | | |
| will fail in the GSS-API layer if the channel bindings does not | | | |
| match, and thus the "client_qops" and "client_cbqops" MUST be set to | | | |
| the same value. It MAY be set to no security layer (to avoid | | | |
| performance degradation due to two security layers). | | | |
| | | | |
| For TLS, the channel binding data is specified in the next section. | | | |
| For other security layers, channel binding data will have to | | | |
| specified elsewhere, and this specification will have to be updated | | | |
| with explicit considerations. | | | |
| | | | |
| [[All channel bindings should go into a separate document.]] | | | |
| | | | |
| 5.1. Name Of Tls Channel For Use As Channel Binding | | | |
| | | | |
|
| The TLS Pseudo-Random Function (PRF) generate, using the constant | | Client and servers MUST set the "chan_binding" parameter in the calls | |
| string "TLS channel binding", and based on the master secret and the | | to GSS_Init_sec_context to GSS_Accept_sec_context, respectively, to | |
| random values established during a TLS handshake, a 64 octet string | | NULL. | |
| that make up the SASL channel binding data. | | | |
| | | | |
|
| Using the terminology of TLS [13], the channel binding data is | | Implementations SHOULD set the "client_cbqops" and "server_cbqops" to | |
| computed as follows: | | no security layer and instead depend on the session security afforded | |
| | | by the bound-in channel. | |
| | | | |
|
| SASL_channel_binding = | | Use of no SASL security layers in combination with channel binding | |
| PRF(SecurityParameters.master_secret, | | should provide better performance than using SASL security layers | |
| "TLS channel binding", | | over secure channels, and better security characteristics than using | |
| SecurityParameters.server_random + | | no SASL security layers over secure channels without channel binding. | |
| SecurityParameters.client_random) [0..64]; | | | |
| | | | |
|
| The derived data is intended to be used as a name of the TLS channel | | For more discussions of channel bindings, and the syntax of the | |
| that is cryptographically bound to the channel, for use in | | channel binding data for various security protocols, see [7]. | |
| authentication mechanisms tunneled over TLS. | | | |
| | | | |
| 6. Protocol Overview | | 6. Protocol Overview | |
| | | | |
| This section describe several high-level protocol exchanges. The | | This section describe several high-level protocol exchanges. The | |
| descriptions do not assume any properties of the actual GSS-API | | descriptions do not assume any properties of the actual GSS-API | |
| mechanism. Protocol profiles, GSS-API mechanism specific behaviour, | | mechanism. Protocol profiles, GSS-API mechanism specific behaviour, | |
| and to some extent implementation and policy choices, will dictate | | and to some extent implementation and policy choices, will dictate | |
| which packets are sent in what order. The protocol exchanges are | | which packets are sent in what order. The protocol exchanges are | |
| examples and other exchanges are permitted and will occur. | | examples and other exchanges are permitted and will occur. | |
| | | | |
| | | | |
| skipping to change at page 14, line 6 | | skipping to change at page 12, line 32 | |
|---|
| C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | | C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | |
| token, send [length, context token, | | token, send [length, context token, | |
| GSS_Wrap(client_qops, client_maxbuf, | | GSS_Wrap(client_qops, client_maxbuf, | |
| channel_binding_length=0, authzid)] | | channel_binding_length=0, authzid)] | |
| S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | | S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | |
| output a token, send [length, context token, | | output a token, send [length, context token, | |
| GSS_Wrap(server_qop, server_maxbuf, | | GSS_Wrap(server_qop, server_maxbuf, | |
| channel_binding_length=0)] | | channel_binding_length=0)] | |
| S: Outcome of authentication exchange | | S: Outcome of authentication exchange | |
| | | | |
|
| | | Adding channel bindings to the last examples, gives the following | |
| | | situation. Here the client request confidentiality for the | |
| | | application data if channel binding fails but no SASL security layer | |
| | | if channel binding negotiation succeeds: | |
| | | | |
| | | C: Request authentication exchange | |
| | | ... | |
| | | C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | |
| | | token, send [length, context token, | |
| | | GSS_Wrap(client_qops=0x04, client_maxbuf, | |
| | | channel_binding_length=n, | |
| | | client_cbqops=0x01, channel_binding_data, | |
| | | authzid)] | |
| | | S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | |
| | | output a token, send [length, context token, | |
| | | GSS_Wrap(server_qop, server_maxbuf, | |
| | | channel_binding_length=0)] | |
| | | S: Outcome of authentication exchange | |
| | | | |
| If the protocol support initial data from the client, and the | | If the protocol support initial data from the client, and the | |
| PROT_READY flag is set in the client after the first call to | | PROT_READY flag is set in the client after the first call to | |
| GSS_Init_sec_context, and the server can send additional data to the | | GSS_Init_sec_context, and the server can send additional data to the | |
| client when indicating successful authentication, the following | | client when indicating successful authentication, the following | |
| protocol exchange will occur. | | protocol exchange will occur. | |
| | | | |
| C: Request authentication exchange and | | C: Request authentication exchange and | |
| send [length, GSS_Init_sec_context, | | send [length, GSS_Init_sec_context, | |
| GSS_Wrap (client_qops, client_maxbuf, | | GSS_Wrap (client_qops, client_maxbuf, | |
| channel_binding_length=0, authzid)] token | | channel_binding_length=0, authzid)] token | |
| | | | |
| skipping to change at page 14, line 35 | | skipping to change at page 13, line 31 | |
|---|
| | | | |
| Authentication MUST NOT succeed if any one of the following | | Authentication MUST NOT succeed if any one of the following | |
| conditions are true: | | conditions are true: | |
| o An invalid SASL token is received (i.e., length shorter than 4 | | o An invalid SASL token is received (i.e., length shorter than 4 | |
| octets). | | octets). | |
| o GSS_Init/Accept_sec_context() return anything other than | | o GSS_Init/Accept_sec_context() return anything other than | |
| GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE. | | GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE. | |
| o GSS_Wrap() returns anything other than GSS_S_COMPLETE. | | o GSS_Wrap() returns anything other than GSS_S_COMPLETE. | |
| o GSS_Unwrap() returns anything other than GSS_S_COMPLETE. (There | | o GSS_Unwrap() returns anything other than GSS_S_COMPLETE. (There | |
| can't be supplementary status codes in GS2 at this point, so any | | can't be supplementary status codes in GS2 at this point, so any | |
|
| indications of out of order processing or replays should be | | indications of out of order processing or replays is fatal.) | |
| fatal.) | | | |
| o The token returned from GSS_Unwrap fail to parse correctly (e.g., | | o The token returned from GSS_Unwrap fail to parse correctly (e.g., | |
| too short, invalid maximum buffer size) as the expected Wrap | |