draft-josefsson-kerberos5-starttls-00.txt   draft-josefsson-kerberos5-starttls-01.txt 
Network Working Group S. Josefsson
Expires: May 14, 2005 Network Working Group S. Josefsson
Internet-Draft SJD
Intended status: Standards Track October 4, 2006
Expires: April 7, 2007
Using Transport Layer Security (TLS) with Kerberos 5 Using Kerberos V5 over the Transport Layer Security (TLS) protocol
draft-josefsson-kerberos5-starttls-00 draft-josefsson-kerberos5-starttls-01
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions By submitting this Internet-Draft, each author represents that any
of section 3 of RFC 3667. By submitting this Internet-Draft, each applicable patent or other IPR claims of which he or she is aware
author represents that any applicable patent or other IPR claims of have been or will be disclosed, and any of which he or she becomes
which he or she is aware have been or will be disclosed, and any of aware will be disclosed, in accordance with Section 6 of BCP 79.
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as other groups may also distribute working documents as Internet-
Internet-Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 14, 2005. This Internet-Draft will expire on April 7, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document specify how the Transport Layer Security (TLS) protocol This document specify how the Kerberos V5 protocol can be transported
is used in conjunction with the Kerberos 5 protocol. over the Transport Layer Security (TLS) protocol, to provide
additional security features.
Table of Contents Table of Contents
1. Introduction and Background . . . . . . . . . . . . . . . . . 3 1. Introduction and Background . . . . . . . . . . . . . . . . . 3
2. Extension Mechanism for TCP/IP transport . . . . . . . . . . . 4 2. Kerberos V5 STARTTLS Extension . . . . . . . . . . . . . . . . 5
3. Kerberos 5 STARTTLS Extension . . . . . . . . . . . . . . . . 4 3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1 STARTTLS requested by client (extension 1) . . . . . . . . 4 4. STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . . . 7
3.2 STARTTLS request accepted by server (extension 2) . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
3.3 Proceeding after successful TLS negotiation . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
3.4 Proceeding after failed TLS negotiation . . . . . . . . . 5 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.5 STARTTLS aware KDC Discovery . . . . . . . . . . . . . . . 5 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
3.6 Initial Authentication via TLS . . . . . . . . . . . . . . 5 7.2. Informative References . . . . . . . . . . . . . . . . . . 10
4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Intellectual Property and Copyright Statements . . . . . . . . . . 12
5.1 Normative References . . . . . . . . . . . . . . . . . . . . 6
5.2 Informative References . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . 8
1. Introduction and Background 1. Introduction and Background
This document describe how Shishi, a Kerberos 5 [1] implementation, This document describe how a Kerberos V5 [2] implementation may
upgrade communication between clients and Key Distribution Centers upgrade communication between clients and Key Distribution Centers
(KDCs) to use the Transport Layer Security (TLS) [2] protocol. (KDCs) to use the Transport Layer Security (TLS) [4] protocol.
The TLS protocol offer integrity and privacy protected exchanges that The TLS protocol offer integrity and privacy protected exchanges that
can be authentication using X.509 certificates, OpenPGP keys [6], and can be authentication using X.509 certificates, OpenPGP keys [7], and
user name and passwords via SRP [5]. user name and passwords via SRP [6].
An inconclusive list of the motivation for using TLS with Kerberos 5
is given below.
o Explicit server authentication of the KDC to the client. In
traditional Kerberos 5, authentication of the KDC is proved as a
side effect that the KDC knows your encryption key (i.e., your
password).
o Flexible authentication against KDC. Kerberos 5 assume the user There are several reasons to use Kerberos V5 over TLS.
knows a key (usually in the form of a password). Sometimes
external factors make this hard to fulfill. In some situations,
users are equipped with smart cards with a RSA authentication key.
In others, users have a OpenPGP client on their desktop, with a
public OpenPGP key known to the server. In some situations, the
policy may be that password authentication may only be done
through SRP.
o Kerberos exchanges are privacy protected. Part of many Kerberos o Kerberos exchanges are privacy protected. Part of many Kerberos
packets are transfered without privacy protection (i.e., packets are transfered without privacy protection (i.e.,
encryption). That part contains information, such as the client encryption). That part contains information, such as the client
principal name, the server principal name, the encryption types principal name, the server principal name, the encryption types
supported by the client, the lifetime of tickets, etc. Revealing supported by the client, the lifetime of tickets, etc. Revealing
such information is, in some threat models, considered a problem. such information is, in some threat models, considered a problem.
o Prevents downgrade attacks affecting encryption types. The o Prevents downgrade attacks affecting encryption types. The
encryption type of the ticket in KDC-REQ are sent in the clear in encryption type of the ticket in KDC-REQ are sent in the clear in
Kerberos 5. This allows an attacker to replace the encryption Kerberos 5. This allows an attacker to replace the encryption
type with a compromised mechanisms, e.g. 56-bit DES. Since type with a compromised mechanisms, e.g., 56-bit DES. Since
clients in general cannot know the encryption types other servers clients in general cannot know the encryption types other servers
support, it is difficult for the client to detect if there was a support, it is difficult for the client to detect if there was a
man-in-the-middle or if the remote server simply did not support a man-in-the-middle or if the remote server simply did not support a
stronger mechanism. Clients could chose to refuse 56-bit DES stronger mechanism. Clients could chose to refuse, e.g., 56-bit
altogether, but in some environments this leads to operational DES altogether, but in some environments this leads to operational
difficulties. difficulties.
o Additional authentication against the KDC. In some situations,
users are equipped with smart cards with a RSA authentication key.
In others, users have a OpenPGP client on their desktop, with a
public OpenPGP key known to the server. In some situations, the
policy may be that password authentication may only be done
through SRP.
o The TLS protocol has been studied by many parties. In some threat o The TLS protocol has been studied by many parties. In some threat
models, the designer prefer to reduce the number of protocols that models, the designer prefer to reduce the number of protocols that
can hurt the overall system security if they are compromised. can hurt the overall system security if they are compromised.
o Explicit server authentication of the KDC to the client. In
traditional Kerberos 5, authentication of the KDC is proved as a
side effect that the KDC knows your encryption key (i.e., your
password).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [4]. document are to be interpreted as described in RFC 2119 [1].
2. Extension Mechanism for TCP/IP transport 2. Kerberos V5 STARTTLS Extension
Kerberos 5 require Key Distribution Centers (KDCs) to accept requests The STARTTLS extension uses the Kerberos V5 TCP extension mechanism
over TCP. Each request and response is prefixed by 4 octets, [3]. The extension uses bit #TBD in the extension bitmask.
encoding an integer in network byte order, that indicate the length
of the packet. The high bit of the 4 octet length field was reserved
for future expansion. Servers that do not understand how to
interpret a set high bit are required to return a KRB-ERROR with the
KRB_ERR_FIELD_TOOLONG error code, and to close the TCP stream.
We will use the reserved bit to provide an extension mechanism. When The protocol is as follows. After the server has sent the 4-octet
the reserved high bit is set, the remaining 31 bits of the 4 octets value 0x00000000 to indicate support of this extension, the stream
are treated as an extensible typed hole, and thus form a 31 bit will be controlled by the TLS protocol and its framing. The TLS
integer enumerating various extensions. Each of the values indicate protocol is initiated by the client.
a specific extended operation mode, two of which are used and defined
here, and the rest are left for others to use.
If the KDC do not understand a requested extension, it MUST return a Typically, the client initiate the TLS handshake protocol by sending
KRB-ERROR with a KRB_ERR_FIELD_TOOLONG value (prefixed by the 4 octet a client hello, and the server responds, and the handshake continues
length integer, with the high bit clear, as usual) and close the TCP until it either succeed or fails.
stream.
The following table specify the meaning of the 31 lower bits in the 4 If for any reason the handshake fails, the STARTTLS protocol will
octet field, when the high bit is set: also fail, and the TLS error is used as the error indication.
0 RESERVED. If the handshake succeeds, the Kerberos V5 authentication protocol is
1 STARTTLS requested by client. performed within the protected TLS channel, like a normal TCP
2 STARTTLS request accepted by server. Kerberos V5 exchange. In particular, this means that every Kerberos
3...2147483647 AVAILABLE for registration (via bug-shishi@josefsson.org). V5 packet will be prefixed by a 4-octet length field, that indicate
2147483648 RESERVED. the length of the Kerberos V5 packet.
3. Kerberos 5 STARTTLS Extension 3. Examples
3.1 STARTTLS requested by client (extension 1) A complete packet flow for a successful AS-REQ/REP exchange protected
by this mechanism will be as follows. The "STARTTLS-bit" is a
4-octet value with only the bit allocated for this extension set.
When this message is sent by the client, the client is requesting the Client Server
server to start TLS negotiation on the TCP stream. The client MUST
NOT start TLS negotiation immediately. Instead, the client wait for
either a KRB-ERROR (sent normally, prefixed by a 4 octet length
integer) indicating the server do not understand the set high bit, or
4 octets which is to be interpreted as an integer in network byte
order, where the high bit is set and the remaining 31 bit are
interpreted as an integer specifying ``STARTTLS request accepted by
server'' (extension 2). In the first case, the client infer that the
server do not understand (or wish to support) STARTTLS, and can
re-try using normal TCP, if unprotected Kerberos 5 exchanges are
acceptable to the client policy. In the latter case, it should
invoke TLS negotiation on the stream. If any other data is received,
the client MUST close the TCP stream.
3.2 STARTTLS request accepted by server (extension 2) [ Kerberos V5 TCP extension mechanism negotiation starts ]
This message should be sent by the server when it has received the [0x70000000 & STARTTLS-bit] -------->
extension 1 message. The message is an acknowledgment of the [0x00000000]
client's request to initiate STARTTLS on the channel. The server <--------
MUST then invoke a TLS negotiation.
3.3 Proceeding after successful TLS negotiation [ TLS negotiation starts ]
If the TLS negotiation ended successfully, possibly also considering ClientHello -------->
client or server policies, the exchange within the TLS protected ServerHello
stream is performed like normal UDP Kerberos 5 exchanges, i.e., there Certificate*
is no TCP 4 octet length field before each packet. Instead each ServerKeyExchange*
Kerberos packet MUST be sent within one TLS record, so the CertificateRequest*
application can use the TLS record length as the Kerberos 5 packet <-------- ServerHelloDone
length. Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
3.4 Proceeding after failed TLS negotiation [ Kerberos V5 negotiation starts ]
If the TLS negotiation fails, possibly due to client or server policy Kerberos V5 AS-REQ -------->
(e.g., inadequate support of encryption types in TLS, or lack of Kerberos V5 AS-REP
client or server authentication) the entity that detect the failure <--------
MUST disconnected the connection. It is expected that any error
messages that explain the error condition is transfered by TLS.
3.5 STARTTLS aware KDC Discovery * Indicates optional or situation-dependent messages that are not
always sent.
4. STARTTLS aware KDC Discovery
Section 7.2.3 of Kerberos V5 [2] describe how Domain Name System
(DNS) SRV records [5] can be used to find the address of an KDC.
Using the terminology of Section 7.2.3 of RFC 4120, we define a new
Proto of "tls" to indicate that the particular KDC is intended to
support this STARTTLS extension. The Service, Realm, TTL, Class,
SRV, Priority, Weight, Port and Target have the same meaning as in
RFC 4120.
Section 7.2.3 of Kerberos 5 [1] describe how Domain Name System (DNS)
SRV records [3] can be used to find the address of an KDC. To locate
a KDC that support the STARTTLS extension, we use the "_tls" domain.
For example: For example:
_kerberos._tls._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com. _kerberos._tls.EXAMPLE.COM. IN SRV 0 0 88 kdc1.example.com.
_kerberos._tls._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com. _kerberos._tls.EXAMPLE.COM. IN SRV 1 0 88 kdc2.example.com.
3.6 Initial Authentication via TLS 5. IANA Considerations
The server MAY consider the authentication performed by the TLS The IANA is requested to allocate a bit in the "Kerberos TCP
exchange as sufficient to issue Kerberos 5 tickets to the client, Extensions" registry for the extension described in this document, as
without requiring, e.g., pre-authentication. However, it is not an per [3].
error to require or use pre-authentication as well.
The client may also indicate that it wishes to use TLS both for 6. Security Considerations
authentication and data protection by using the NULL encryption type
in its request. The server can decide from its local policy whether
or not issuing tickets based solely on TLS authentication, and
whether NULL encryption within TLS, is acceptable or not.
4. Security Considerations The security considerations in Kerberos V5, TLS, and the extension
mechanism framework are inherited.
Because the initial token is not protected, it is possible for an To protect against the inherent downgrade attack in the extension
active attacker to make it appear to the client that the server do framework, it is suggested that implementations offer a policy to
not support this extension. It is up to client configuration to require that this extension is successfully negotiated. For
disallow non-TLS connections, if that vulnerability is deemed interoperability with implementations that do not support this
unacceptable. For interoperability, we suggest the default behaviour extension, it is suggested that the policy is disabled by default.
should be to allow automatic fall back to TCP or UDP.
The security considerations of both TLS and Kerberos 5 are inherited. 7. References
Using TLS for authentication and/or data protection together with
Kerberos alter the authentication logic fundamentally. Thus, it may
be that even if the TLS and Kerberos 5 protocols and implementations
were secure, the combination of TLS and Kerberos 5 described here
could be insecure.
No channel bindings are provided in the Kerberos messages. It is an 7.1. Normative References
open question whether, and how, this could be solved. One idea for
solving this may be to specify a new encryption algorithm in Kerberos
5 that is similar to the NULL encryption algorithm, but also include
the TLS session identifier.
5. References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
5.1 Normative References [2] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos
Network Authentication Service (V5)", RFC 4120, July 2005.
[1] Neuman, C., "The Kerberos Network Authentication Service (V5)", [3] Josefsson, S., "Extended Kerberos Version 5 Key Distribution
draft-ietf-krb-wg-kerberos-clarifications-07 (work in progress), Center (KDC) Exchanges Over TCP",
September 2004. draft-ietf-krb-wg-tcp-expansion-01 (work in progress),
September 2006.
[2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC [4] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
2246, January 1999. Protocol Version 1.1", RFC 4346, April 2006.
[3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for [5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
5.2 Informative References 7.2. Informative References
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[5] Taylor, D., "Using SRP for TLS Authentication", [6] Taylor, D., "Using SRP for TLS Authentication",
draft-ietf-tls-srp-08 (work in progress), August 2004. draft-ietf-tls-srp-12 (work in progress), June 2006.
[6] Mavroyanopoulos, N., "Using OpenPGP keys for TLS [7] Mavroyanopoulos, N., "Using OpenPGP keys for TLS
authentication", draft-ietf-tls-openpgp-keys-05 (work in authentication", draft-ietf-tls-openpgp-keys-10 (work in
progress), April 2004. progress), June 2006.
Author's Address Author's Address
Simon Josefsson Simon Josefsson
SJD
EMail: simon@josefsson.org Email: simon@josefsson.org
Intellectual Property Statement Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 8, line 29 skipping to change at page 12, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 56 change blocks. 
183 lines changed or deleted 156 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/