| draft-ietf-sasl-gs2-04.txt | draft-ietf-sasl-gs2-05.txt | |||
|---|---|---|---|---|
| Network Working Group S. Josefsson | Network Working Group S. Josefsson | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: June 10, 2007 | Expires: July 13, 2007 | |||
| Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family | Using GSS-API Mechanisms in SASL: The GS2 Mechanism Family | |||
| draft-ietf-sasl-gs2-04 | draft-ietf-sasl-gs2-05 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 34 | skipping to change at page 1, line 34 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on June 10, 2007. | This Internet-Draft will expire on July 13, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2007). | |||
| Abstract | Abstract | |||
| This document describes how to use a Generic Security Service | This document describes how to use a Generic Security Service | |||
| Application Program Interface (GSS-API) mechanism in the the Simple | Application Program Interface (GSS-API) mechanism in the the Simple | |||
| Authentication and Security Layer (SASL) framework. This is done by | Authentication and Security Layer (SASL) framework. This is done by | |||
| defining a new SASL mechanism family, called GS2. This mechanism | defining a new SASL mechanism family, called GS2. This mechanism | |||
| family offers a number of improvements over the previous SASL/GSS-API | family offers a number of improvements over the previous SASL/GSS-API | |||
| mechanism: it is more general, uses fewer messages for the | mechanism: it is more general, uses fewer messages for the | |||
| authentication phase in some cases, and supports a SASL-specific | authentication phase in some cases, and supports a SASL-specific | |||
| skipping to change at page 3, line 19 | skipping to change at page 3, line 19 | |||
| 3. Mechanism name . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3. Mechanism name . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3.1. Generating SASL mechanism names from GSS-API OIDs . . . . 6 | 3.1. Generating SASL mechanism names from GSS-API OIDs . . . . 6 | |||
| 3.2. Computing mechanism names manually . . . . . . . . . . . . 6 | 3.2. Computing mechanism names manually . . . . . . . . . . . . 6 | |||
| 3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.3. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. SASL Authentication Exchange Message Format . . . . . . . . . 8 | 4. SASL Authentication Exchange Message Format . . . . . . . . . 8 | |||
| 4.1. SASL Messages . . . . . . . . . . . . . . . . . . . . . . 8 | 4.1. SASL Messages . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.2. Context Token Field . . . . . . . . . . . . . . . . . . . 9 | 4.2. Context Token Field . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2.1. Client side . . . . . . . . . . . . . . . . . . . . . 9 | 4.2.1. Client side . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2.2. Server side . . . . . . . . . . . . . . . . . . . . . 10 | 4.2.2. Server side . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.3. Wrap Token Field . . . . . . . . . . . . . . . . . . . . . 11 | 4.3. Wrap Token Field . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.3.1. Client first GSS_Wrap input . . . . . . . . . . . . . 12 | 4.3.1. The GS2_Wrap function . . . . . . . . . . . . . . . . 12 | |||
| 4.3.2. Server last GSS_Wrap input . . . . . . . . . . . . . . 13 | 4.3.2. Client first GS2_Wrap input . . . . . . . . . . . . . 12 | |||
| 4.3.3. Server first GSS_Wrap input . . . . . . . . . . . . . 13 | 4.3.3. Server last GS2_Wrap input . . . . . . . . . . . . . . 13 | |||
| 4.3.4. Client last GSS_Wrap input . . . . . . . . . . . . . . 14 | 4.3.4. Server first GS2_Wrap input . . . . . . . . . . . . . 13 | |||
| 4.3.5. Client last GS2_Wrap input . . . . . . . . . . . . . . 14 | ||||
| 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 15 | 5. Channel Bindings . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 16 | 6. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 20 | 7. Authentication Conditions . . . . . . . . . . . . . . . . . . 20 | |||
| 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 21 | 8. GSS-API Parameters . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 9. Security Layer Bits . . . . . . . . . . . . . . . . . . . . . 22 | 9. Security Layer Bits . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 9.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 22 | 9.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 10. Interoperability with the SASL "GSSAPI" mechanism . . . . . . 24 | 10. Non-integrity capable GSS-API mechanisms . . . . . . . . . . . 24 | |||
| 10.1. The interoperability problem . . . . . . . . . . . . . . . 24 | 11. Interoperability with the SASL "GSSAPI" mechanism . . . . . . 25 | |||
| 10.2. Resolving the problem . . . . . . . . . . . . . . . . . . 24 | ||||
| 10.3. Additional recommendations . . . . . . . . . . . . . . . . 24 | ||||
| 11. Mechanisms that negotiate other mechanisms . . . . . . . . . . 25 | ||||
| 11.1. The interoperability problem . . . . . . . . . . . . . . . 25 | 11.1. The interoperability problem . . . . . . . . . . . . . . . 25 | |||
| 11.2. Security problem . . . . . . . . . . . . . . . . . . . . . 25 | 11.2. Resolving the problem . . . . . . . . . . . . . . . . . . 25 | |||
| 11.3. Resolving the problems . . . . . . . . . . . . . . . . . . 25 | 11.3. Additional recommendations . . . . . . . . . . . . . . . . 25 | |||
| 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 12. Mechanisms that negotiate other mechanisms . . . . . . . . . . 26 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 27 | 12.1. The interoperability problem . . . . . . . . . . . . . . . 26 | |||
| 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28 | 12.2. Security problem . . . . . . . . . . . . . . . . . . . . . 26 | |||
| 15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29 | 12.3. Resolving the problems . . . . . . . . . . . . . . . . . . 26 | |||
| 15.1. Normative References . . . . . . . . . . . . . . . . . . . 29 | 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 15.2. Informative References . . . . . . . . . . . . . . . . . . 29 | 14. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 31 | 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
| Intellectual Property and Copyright Statements . . . . . . . . . . 32 | 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 31 | |||
| 16.1. Normative References . . . . . . . . . . . . . . . . . . . 31 | ||||
| 16.2. Informative References . . . . . . . . . . . . . . . . . . 31 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 33 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . . . 34 | ||||
| 1. Introduction | 1. Introduction | |||
| Generic Security Service Application Program Interface (GSS-API) [3] | Generic Security Service Application Program Interface (GSS-API) [3] | |||
| is a framework that provide security services to applications. | is a framework that provide security services to applications. | |||
| Simple Authentication and Security Layer (SASL) [2] is a framework to | Simple Authentication and Security Layer (SASL) [2] is a framework to | |||
| provide authentication and security layers for connection based | provide authentication and security layers for connection based | |||
| protocols. This document describe how to use a GSS-API mechanism in | protocols. This document describe how to use a GSS-API mechanism in | |||
| a connection-based protocol using the SASL framework. | a connection-based protocol using the SASL framework. | |||
| skipping to change at page 4, line 32 | skipping to change at page 4, line 32 | |||
| the other protocol is more widely deployed. There are | the other protocol is more widely deployed. There are | |||
| interoperability concerns by having the same GSS-API mechanism | interoperability concerns by having the same GSS-API mechanism | |||
| available under more than one SASL mechanism name, see the section | available under more than one SASL mechanism name, see the section | |||
| "Interoperability with the GSSAPI mechanism" below. | "Interoperability with the GSSAPI mechanism" below. | |||
| There are interoperability and security concerns if this SASL | There are interoperability and security concerns if this SASL | |||
| mechanism is used together with a GSS-API mechanism that negotiate | mechanism is used together with a GSS-API mechanism that negotiate | |||
| other GSS-API mechanisms (such as SPNEGO [11]), see the section | other GSS-API mechanisms (such as SPNEGO [11]), see the section | |||
| "Mechanisms that negotiate other mechanisms" below. | "Mechanisms that negotiate other mechanisms" below. | |||
| There are interoperability and security concerns with GSSAPI | ||||
| mechanism that do not provide integrity, see the section "Non- | ||||
| integrity capable GSS-API mechanisms" below. | ||||
| SASL mechanism names starting with "GS2-" are reserved for SASL | SASL mechanism names starting with "GS2-" are reserved for SASL | |||
| mechanisms which conform to this document. | mechanisms which conform to this document. | |||
| The IESG is considered to be the owner of all SASL mechanisms which | The IESG is considered to be the owner of all SASL mechanisms which | |||
| conform to this document. This does not necessarily imply that the | conform to this document. This does not necessarily imply that the | |||
| IESG is considered to be the owner of the underlying GSSAPI | IESG is considered to be the owner of the underlying GSSAPI | |||
| mechanism. | mechanism. | |||
| 2. Conventions used in this document | 2. Conventions used in this document | |||
| skipping to change at page 8, line 40 | skipping to change at page 8, line 40 | |||
| octet (32 bit) integer encoded in network byte order, that indicate | octet (32 bit) integer encoded in network byte order, that indicate | |||
| the length of the "Context token" and "Wrap token" fields, | the length of the "Context token" and "Wrap token" fields, | |||
| respectively. A length of 0 means that a particular field is not | respectively. A length of 0 means that a particular field is not | |||
| present. | present. | |||
| The "Context token" field, if present, contain a GSS-API context | The "Context token" field, if present, contain a GSS-API context | |||
| establishment token generated by GSS_Init_sec_context or | establishment token generated by GSS_Init_sec_context or | |||
| GSS_Accept_sec_context. | GSS_Accept_sec_context. | |||
| The "Wrap token" field, if present, contain the output generated by | The "Wrap token" field, if present, contain the output generated by | |||
| GSS_Wrap. | the GS2_Wrap function. | |||
| The fields need not be aligned to 32-bit a boundary. There is no | The fields need not be aligned to 32-bit a boundary. There is no | |||
| padding between fields. | padding between fields. | |||
| Messages shorter than or equal to 8 octets are invalid. From that it | Messages shorter than or equal to 8 octets are invalid. From that it | |||
| follows that at least one of the "Context token length" and the "Wrap | follows that at least one of the "Context token length" and the "Wrap | |||
| token length" integers MUST be non-zero in a particular message. If | token length" integers MUST be non-zero in a particular message. If | |||
| the sum of the length integers is longer than the entire message | the sum of the length integers is longer than the entire message | |||
| size, minus 8 octets for the length fields, the message is invalid. | size, minus 8 octets for the length fields, the message is invalid. | |||
| skipping to change at page 9, line 14 | skipping to change at page 9, line 14 | |||
| Conforming implementations MUST NOT send additional data after the | Conforming implementations MUST NOT send additional data after the | |||
| above message syntax, and MUST ignore additional data. To | above message syntax, and MUST ignore additional data. To | |||
| illustrate, implementations MUST NOT assume that the last "Wrap token | illustrate, implementations MUST NOT assume that the last "Wrap token | |||
| length" octets of the packet correspond to the "Wrap token", because | length" octets of the packet correspond to the "Wrap token", because | |||
| that would be incorrect if the packet contained additional data not | that would be incorrect if the packet contained additional data not | |||
| described by this document. | described by this document. | |||
| 4.2. Context Token Field | 4.2. Context Token Field | |||
| The format of the "Context token" field inside the SASL token are | The format of the "Context token" field inside the SASL token is | |||
| defined by the GSS-API specifications, and the data is computed by | defined by each GSS-API mechanism, and the data is computed by (for | |||
| the GSS_Init_sec_context (for the client) and GSS_Accept_sec_context | the client) GSS_Init_sec_context and (for the server) | |||
| (for the server) functions. | GSS_Accept_sec_context. | |||
| 4.2.1. Client side | 4.2.1. Client side | |||
| The client calls GSS_Init_sec_context, passing in | The client calls GSS_Init_sec_context, passing in | |||
| input_context_handle of GSS_C_NO_CONTEXT (initially), mech_type of | input_context_handle of GSS_C_NO_CONTEXT (initially), mech_type of | |||
| the GSSAPI mechanism for which this SASL mechanism is registered, the | the GSSAPI mechanism for which this SASL mechanism is registered, the | |||
| chan_binding is set to NULL, and targ_name equal to output_name from | chan_binding is set to NULL, and targ_name equal to output_name from | |||
| GSS_Import_Name called with input_name_type of | GSS_Import_Name called with input_name_type of | |||
| GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of | GSS_C_NT_HOSTBASED_SERVICE (*) and input_name_string of | |||
| "service@hostname" where "service" is the service name specified in | "service@hostname" where "service" is the service name specified in | |||
| the protocol's profile, and "hostname" is the fully qualified host | the protocol's profile, and "hostname" is the fully qualified host | |||
| name of the server. | name of the server. | |||
| (*) - Clients MAY use name types other than | (*) - Clients MAY use name types other than | |||
| GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but | GSS_C_NT_HOSTBASED_SERVICE to import servers' acceptor names, but | |||
| only when they have a priori knowledge that the servers support | only when they have a priori knowledge that the servers support | |||
| alternate name types. Otherwise clients MUST use | alternate name types. Otherwise clients MUST use | |||
| GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names. | GSS_C_NT_HOSTBASED_SERVICE for importing acceptor names. | |||
| When calling the GSS_Init_sec_context the client MUST pass the | When calling the GSS_Init_sec_context the client SHOULD pass the | |||
| integ_req_flag of TRUE. If the client intends to request a security | integ_req_flag of TRUE, but MAY set it to FALSE (see section 10 | |||
| layer, it MUST also supply to the GSS_Init_sec_context a | below). If the client intends to request a security layer, it MUST | |||
| mutual_req_flag of TRUE, and a sequence_req_flag of TRUE. If the | also supply to the GSS_Init_sec_context a mutual_req_flag of TRUE, | |||
| client will be requesting a security layer providing confidentiality | and a sequence_req_flag of TRUE. If the client will be requesting a | |||
| protection, it MUST also supply to the GSS_Init_sec_context a | security layer providing confidentiality protection, it MUST also | |||
| conf_req_flag of TRUE. | supply to the GSS_Init_sec_context a conf_req_flag of TRUE. | |||
| The client then responds with any resulting output_token. | The client then responds with any resulting output_token. | |||
| If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the | If GSS_Init_sec_context returns GSS_S_CONTINUE_NEEDED, then the | |||
| client expect the server to issue a token in a subsequent challenge | client expect the server to issue a token in a subsequent challenge | |||
| or as additional information to the outcome of the authentication. | or as additional information to the outcome of the authentication. | |||
| The client pass the context token to another call to | The client pass the context token to another call to | |||
| GSS_Init_sec_context, repeating the procedure, until GSS_S_COMPLETE | GSS_Init_sec_context, repeating the procedure, until GSS_S_COMPLETE | |||
| is returned or authentication is aborted. | is returned or authentication is aborted. | |||
| skipping to change at page 11, line 31 | skipping to change at page 11, line 31 | |||
| permitted by the server's security policy. | permitted by the server's security policy. | |||
| 4.3. Wrap Token Field | 4.3. Wrap Token Field | |||
| The Wrap token field MUST NOT be sent or received before the | The Wrap token field MUST NOT be sent or received before the | |||
| PROT_READY flag is set locally (by GSS_Init_sec_context or | PROT_READY flag is set locally (by GSS_Init_sec_context or | |||
| Gss_Accept_sec_context), or if the PROT_READY flag is never set, | Gss_Accept_sec_context), or if the PROT_READY flag is never set, | |||
| before the context has been fully established. The Wrap token field | before the context has been fully established. The Wrap token field | |||
| does not have to be present directly when the PROT_READY flag is set. | does not have to be present directly when the PROT_READY flag is set. | |||
| During any exchange, exactly one Wrap token field is sent in each | During any exchange, exactly one Wrap token field is sent in each | |||
| direction. The input to the GSS_Wrap function MUST follow the format | direction. The GS2_Wrap function is defined below, and its inputs | |||
| described below. If not exactly one Wrap token is received by the | MUST follow the format described below. If not exactly one Wrap | |||
| client and by the server, the authentication MUST fail. | token is received by the client and by the server, the authentication | |||
| MUST fail. | ||||
| If PROT_READY is never set by GSS_Init_sec_context or | If PROT_READY is never set by GSS_Init_sec_context or | |||
| GSS_Accept_sec_context, the flag is implied by successful context | GSS_Accept_sec_context, the flag is implied by successful context | |||
| negotiation. This is for GSS-API v1 mechanisms that do not support | negotiation. This is for GSS-API v1 mechanisms that do not support | |||
| PROT_READY. This may result in a SASL token consisting of a context | PROT_READY, or for GSS-API mechanism that do not provide per-message | |||
| protection. This may result in a SASL token consisting of a context | ||||
| token length of 0 and a Wrap token. | token length of 0 and a Wrap token. | |||
| The entity that sends its first Wrap token will have to specify a | The entity that sends the first Wrap token will have to specify a | |||
| bitmap of supported and preferred quality of protection schemes. The | bitmap of supported and preferred quality of protection schemes. The | |||
| entity that replies to the Wrap tokens will pick a scheme, based on | entity that replies to the Wrap tokens will pick a scheme, based on | |||
| the bitmask and local policy. The quality of protection values are | the bitmask and local policy. The quality of protection values are | |||
| defined in section 9. | defined in section 9. | |||
| Two pairs of input formats to the GSS_Wrap function are defined. The | Two pairs of input formats to the GS2_Wrap function are defined. The | |||
| first pair is used when the client sends the GSS_Wrap token first and | first pair is used when the client sends the Wrap token first and the | |||
| the server responds. The other pair is used when the server sends | server responds. The other pair is used when the server sends the | |||
| the GSS_Wrap token first and the client responds. | Wrap token first and the client responds. | |||
| The inputs below are passed to GSS_Wrap with conf_flag set to FALSE, | The inputs below are passed to GS2_Wrap, and the output is used as | |||
| and the Wrap token will be the generated output_message. | the Wrap token value. | |||
| Some fields in the input formats are optional, indicated by brackets | Some fields in the input formats are optional, indicated by brackets | |||
| ("[" and "]") and explained by the text below. | ("[" and "]") and explained by the text below. | |||
| 4.3.1. Client first GSS_Wrap input | 4.3.1. The GS2_Wrap function | |||
| The input to GSS_Wrap when the client sends a Wrap token field first | The GS2_Wrap function have two implementations, and which one is used | |||
| depends on whether the negotiated GSS-API context supports per- | ||||
| message protection. When a context is successfully negotiated (i.e., | ||||
| when GSS_S_COMPLETE is returned from, for clients, | ||||
| GSS_Init_sec_context, or, for servers, GSS_Accept_sec_context) and | ||||
| the output variable integ_avail is FALSE, then GSS_Wrap cannot be | ||||
| used and instead we define GS2_Wrap to be the identity function. | ||||
| When integ_avail is negotiated TRUE, the GS2_Wrap is identical to | ||||
| calling the GSS_Wrap function with conf_flag set to FALSE and using | ||||
| the generated output_message as the output data. | ||||
| 4.3.2. Client first GS2_Wrap input | ||||
| The input to GS2_Wrap when the client sends a Wrap token field first | ||||
| is as follows. | is as follows. | |||
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | client_qops | client_maxbuf | | | client_qops | client_maxbuf | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | channel_binding_length | | | channel_binding_length | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| |[client_cbqops]| [channel_binding_data] / | |[client_cbqops]| [channel_binding_data] / | |||
| skipping to change at page 13, line 10 | skipping to change at page 13, line 24 | |||
| The optional field "channel_binding_data" is present only if | The optional field "channel_binding_data" is present only if | |||
| "channel_binding_length" is non-zero, and contain the actual channel | "channel_binding_length" is non-zero, and contain the actual channel | |||
| binding data. | binding data. | |||
| The optional field "authzid" contain the authorization identity. The | The optional field "authzid" contain the authorization identity. The | |||
| authorization identity is encoded using UTF-8 [5]. The authorization | authorization identity is encoded using UTF-8 [5]. The authorization | |||
| identity is not terminated with the NUL (U+0000) character. Servers | identity is not terminated with the NUL (U+0000) character. Servers | |||
| MUST validate that the authorization identity is valid UTF-8. | MUST validate that the authorization identity is valid UTF-8. | |||
| 4.3.2. Server last GSS_Wrap input | 4.3.3. Server last GS2_Wrap input | |||
| The input to GSS_Wrap when the server sends a Wrap token field, after | The input to GS2_Wrap when the server sends a Wrap token field, after | |||
| receiving the Wrap token in the previous section from the client, is | receiving the Wrap token in the previous section from the client, is | |||
| as follows. | as follows. | |||
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | server_qop | server_maxbuf | | | server_qop | server_maxbuf | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| The "server_qop" field integer indicate the selected quality of | The "server_qop" field integer indicate the selected quality of | |||
| skipping to change at page 13, line 34 | skipping to change at page 13, line 48 | |||
| 9. | 9. | |||
| The "server_maxbuf" field indicate the maximum protected data buffer | The "server_maxbuf" field indicate the maximum protected data buffer | |||
| size the server can receive in network byte order. It MUST be 0 if | size the server can receive in network byte order. It MUST be 0 if | |||
| the server doesn't advertise support for any security layer, the | the server doesn't advertise support for any security layer, the | |||
| client MUST verify this. Small values can make it impossible for the | client MUST verify this. Small values can make it impossible for the | |||
| client to send any protected message to the server, due to the | client to send any protected message to the server, due to the | |||
| overhead added by GSS_Wrap, and the client MAY reject the | overhead added by GSS_Wrap, and the client MAY reject the | |||
| authentication if it detects this situation. | authentication if it detects this situation. | |||
| 4.3.3. Server first GSS_Wrap input | 4.3.4. Server first GS2_Wrap input | |||
| The input to GSS_Wrap when the server sends the Wrap token first is | The input to GS2_Wrap when the server sends the Wrap token first is | |||
| as follows. | as follows. | |||
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | server_qops | server_maxbuf | | | server_qops | server_maxbuf | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| |[server_cbqops]| [channel_binding_data] / | |[server_cbqops]| [channel_binding_data] / | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| skipping to change at page 14, line 12 | skipping to change at page 14, line 27 | |||
| The "server_maxbuf" is the same as above. | The "server_maxbuf" is the same as above. | |||
| The optional field "server_cbqops" indicate the server's preferred | The optional field "server_cbqops" indicate the server's preferred | |||
| quality of protection if channel binding negotiation succeeds. The | quality of protection if channel binding negotiation succeeds. The | |||
| quality of protection values are defined in section 9. | quality of protection values are defined in section 9. | |||
| The optional field "channel_binding_data" contain the actual channel | The optional field "channel_binding_data" contain the actual channel | |||
| binding data. | binding data. | |||
| 4.3.4. Client last GSS_Wrap input | 4.3.5. Client last GS2_Wrap input | |||
| The input to GSS_Wrap when the clients sends a Wrap token field, | The input to GS2_Wrap when the clients sends a Wrap token field, | |||
| after receiving the Wrap token in the previous section from the | after receiving the Wrap token in the previous section from the | |||
| server, is as follows. | server, is as follows. | |||
| 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | client_qop | client_maxbuf | | | client_qop | client_maxbuf | | |||
| / [authzid] | | / [authzid] | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| skipping to change at page 16, line 15 | skipping to change at page 16, line 15 | |||
| 6. Protocol Overview | 6. Protocol Overview | |||
| This section describe several high-level protocol exchanges. The | This section describe several high-level protocol exchanges. The | |||
| descriptions do not assume any properties of the actual GSS-API | descriptions do not assume any properties of the actual GSS-API | |||
| mechanism. Protocol profiles, GSS-API mechanism specific behaviour, | mechanism. Protocol profiles, GSS-API mechanism specific behaviour, | |||
| and to some extent implementation and policy choices, will dictate | and to some extent implementation and policy choices, will dictate | |||
| which packets are sent in what order. The protocol exchanges are | which packets are sent in what order. The protocol exchanges are | |||
| examples and other exchanges are permitted and will occur. | examples and other exchanges are permitted and will occur. | |||
| An informal pseudo-language is used to describe the packets sent | An informal pseudo-language is used to describe the packets sent | |||
| below. In particular, when GSS_Wrap() is mentioned below, it refer | below. GS2_Wrap refer to the operation of calling GS2_Wrap on the | |||
| to the operation of calling GSS_Wrap on the indicated fields, | indicated fields, formatted in the structures described earlier. | |||
| formatted in the structures described earlier. | GSS_Init_sec_context and GSS_Accept_sec_context refer to the context | |||
| token generated by calling the respective function. The GS2 SASL | ||||
| Message is denoted as [Context_token, Wrap_token], and the length | ||||
| fields are not mentioned. | ||||
| An authentication exchange using GS2 may look like: | An authentication exchange using GS2 may look like: | |||
| C: Request authentication exchange | C: Request authentication exchange | |||
| S: Send [length=0] token | S: Send ["", ""] token | |||
| C: Send [length, GSS_Init_sec_context] token | C: Send [GSS_Init_sec_context, ""] token | |||
| ... | ... | |||
| S: After PROT_READY is set, | S: After PROT_READY is set, | |||
| send [length, GSS_Accept_sec_context, | send [GSS_Accept_sec_context, | |||
| GSS_Wrap(server_qops | server_maxbuf] | wrap_length, GS2_Wrap(server_qops | server_maxbuf] | |||
| ... | ... | |||
| C: After PROT_READY is set, | C: After PROT_READY is set, | |||
| send [length, GSS_Init_sec_context, | send [GSS_Init_sec_context, | |||
| GSS_Wrap (client_qop | client_maxbuf | authzid)] | wrap_length, GS2_Wrap (client_qop | client_maxbuf | | |||
| S: Send [length, GSS_Accept_sec_context] token | authzid)] | |||
| C: Send [length, GSS_Init_sec_context] token | S: Send [GSS_Accept_sec_context, ""] token | |||
| C: Send [GSS_Init_sec_context, ""] token | ||||
| ... | ... | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| Because GSS-API authentication is initiated by the client, the length | Because GSS-API authentication is initiated by the client, the length | |||
| field will be 0 in the initial token from the server to the client | field will be 0 in the initial token from the server to the client | |||
| when the protocol profile does not support additional information to | when the protocol profile does not support additional information to | |||
| be sent together with the authentication request. | be sent together with the authentication request. | |||
| The next example illustrate when the client sends its Wrap token | The next example illustrate when the client sends its Wrap token | |||
| first. | first. | |||
| C: Request authentication exchange | C: Request authentication exchange | |||
| S: Send [length=0] token | S: Send ["", ""] token | |||
| C: Send [length, GSS_Init_sec_context] token | C: Send [GSS_Init_sec_context, ""] token | |||
| ... | ... | |||
| C: After PROT_READY is set, | C: After PROT_READY is set, | |||
| send [length, GSS_Init_sec_context, | send [GSS_Init_sec_context, | |||
| GSS_Wrap(client_qops | client_maxbuf | | GS2_Wrap(client_qops | client_maxbuf | | |||
| channel_binding_length=0 | authzid)] | channel_binding_length=0 | authzid)] | |||
| ... | ... | |||
| S: After PROT_READY is set, | S: After PROT_READY is set, | |||
| send [length, GSS_Accept_sec_context, | send [GSS_Accept_sec_context, | |||
| GSS_Wrap (server_qop | server_maxbuf)] | GS2_Wrap (server_qop | server_maxbuf)] | |||
| C: Send [length, GSS_Init_sec_context] token | C: Send [GSS_Init_sec_context, ""] token | |||
| S: Send [length, GSS_Accept_sec_context] token | S: Send [GSS_Accept_sec_context, ""] token | |||
| ... | ... | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| If the protocol profile support the optional initial client response, | If the protocol profile support the optional initial client response, | |||
| the first empty message can be optimized away, and then the protocol | the first empty message can be optimized away, and then the protocol | |||
| exchange will look like: | exchange will look like: | |||
| C: Request authentication exchange and | C: Request authentication exchange and | |||
| send [length, GSS_Init_sec_context] token | send [GSS_Init_sec_context, ""] token | |||
| S: Send [length, GSS_Accept_sec_context] token | S: Send [GSS_Accept_sec_context, ""] token | |||
| ... | ... | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| If the protocol profile can also send additional information when | If the protocol profile can also send additional information when | |||
| indicating the outcome of the authentication, then the protocol | indicating the outcome of the authentication, then the protocol | |||
| exchange will look like: | exchange will look like: | |||
| C: Request authentication exchange and | C: Request authentication exchange and | |||
| send [length, GSS_Init_sec_context] token | send [GSS_Init_sec_context, ""] token | |||
| S: Send [length, GSS_Accept_sec_context] token | S: Send [GSS_Accept_sec_context, ""] token | |||
| ... | ... | |||
| C: Send [length, GSS_Init_sec_context] token | C: Send [GSS_Init_sec_context, ""] token | |||
| S: Indicate successful authentication and | S: Indicate successful authentication and | |||
| send [length, GSS_Accept_sec_context] token | send [GSS_Accept_sec_context, ""] token | |||
| as additional information. | as additional information. | |||
| If the PROT_READY flag is never set by the GSS-API mechanism, the | If the PROT_READY flag is never set by the GSS-API mechanism, the | |||
| GSS_Wrap message will be sent after the context has been established. | GS2_Wrap message will be sent after the context has been established. | |||
| The protocol may look like: | The protocol may look like: | |||
| C: Request authentication exchange | C: Request authentication exchange | |||
| ... | ... | |||
| S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and outputs | S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and outputs | |||
| a token, send [length, context token, | a token, send ["", GS2_Wrap(server_qops | server_maxbuf)] | |||
| GSS_Wrap(server_qops | server_maxbuf)] | ||||
| C: GSS_Init_sec_context() returns GSS_S_COMPLETE and does not | C: GSS_Init_sec_context() returns GSS_S_COMPLETE and does not | |||
| output a token, send | output a token, send | |||
| [length=0, context token, | ["", GS2_Wrap(client_qop | client_maxbuf | | |||
| GSS_Wrap(client_qop | client_maxbuf | | ||||
| channel_binding_length=0 | authzid)] | channel_binding_length=0 | authzid)] | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| Alternatively, if the client finishes first, it may look like: | Alternatively, if the client finishes first, it may look like: | |||
| C: Request authentication exchange | C: Request authentication exchange | |||
| ... | ... | |||
| C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | |||
| token, send [length, context token, | token, send ["", GS2_Wrap(client_qops | client_maxbuf | | |||
| GSS_Wrap(client_qops | client_maxbuf | | ||||
| channel_binding_length=0 | authzid)] | channel_binding_length=0 | authzid)] | |||
| S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | |||
| output a token, send [length, context token, | output a token, send ["", GS2_Wrap(server_qop | server_maxbuf | | |||
| GSS_Wrap(server_qop | server_maxbuf | | ||||
| channel_binding_length=0)] | channel_binding_length=0)] | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| Adding channel bindings to the last examples, gives the following | Adding channel bindings to the last examples, gives the following | |||
| situation. Here the client request confidentiality for the | complex situation. Here the client request confidentiality for the | |||
| application data if channel binding fails but no SASL security layer | application data if channel binding fails but no SASL security layer | |||
| if channel binding negotiation succeeds: | if channel binding negotiation succeeds: | |||
| C: Request authentication exchange | C: Request authentication exchange | |||
| ... | ... | |||
| C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | C: GSS_Init_sec_context() returns GSS_S_COMPLETE and outputs a | |||
| token, send [length, context token, | token, send [GSS_Init_sec_context, | |||
| GSS_Wrap(client_qops=0x04 | client_maxbuf | | GS2_Wrap(client_qops=0x04 | client_maxbuf | | |||
| channel_binding_length=n | | channel_binding_length=n | | |||
| client_cbqops=0x01 | channel_binding_data | | client_cbqops=0x01 | channel_binding_data | | |||
| authzid)] | authzid)] | |||
| S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | S: GSS_Accept_sec_context() returns GSS_S_COMPLETE and does not | |||
| output a token, send [length, context token, | output a token, send ["", | |||
| GSS_Wrap(server_qop | server_maxbuf | | GS2_Wrap(server_qop | server_maxbuf | | |||
| channel_binding_length=0)] | channel_binding_length=0)] | |||
| S: Outcome of authentication exchange | S: Outcome of authentication exchange | |||
| If the protocol support initial data from the client, and the | If the protocol support initial data from the client, and the | |||
| PROT_READY flag is set in the client after the first call to | PROT_READY flag is set in the client after the first call to | |||
| GSS_Init_sec_context, and the server can send additional data to the | GSS_Init_sec_context, and the server can send additional data to the | |||
| client when indicating successful authentication, the following | client when indicating successful authentication, the following | |||
| protocol exchange will occur. | protocol exchange will occur. | |||
| C: Request authentication exchange and | C: Request authentication exchange and | |||
| send [length, GSS_Init_sec_context, | send [GSS_Init_sec_context, | |||
| GSS_Wrap (client_qops | client_maxbuf | | GS2_Wrap (client_qops | client_maxbuf | | |||
| channel_binding_length=0 | authzid)] token | channel_binding_length=0 | authzid)] token | |||
| S: Indicate successful authentication and | S: Indicate successful authentication and | |||
| send [length, GSS_Accept_sec_context, | send [GSS_Accept_sec_context, | |||
| GSS_Wrap(server_qop | server_maxbuf)] token | GS2_Wrap(server_qop | server_maxbuf)] token | |||
| as additional information. | as additional information. | |||
| The last example illustrate the optimal (round-trip wise) | The last example illustrate the optimal (round-trip wise) | |||
| authentication possible using this protocol. | authentication possible using this protocol. | |||
| 7. Authentication Conditions | 7. Authentication Conditions | |||
| Authentication MUST NOT succeed if any one of the following | Authentication MUST NOT succeed if any one of the following | |||
| conditions are true: | conditions are true: | |||
| skipping to change at page 24, line 5 | skipping to change at page 24, line 5 | |||
| +-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ | |||
| When confidentiality is negotiated the octet will encode an integer 4 | When confidentiality is negotiated the octet will encode an integer 4 | |||
| as follows. | as follows. | |||
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7 | |||
| +-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ | |||
| |0|0|0|0|0|1|0|0| | |0|0|0|0|0|1|0|0| | |||
| +-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ | |||
| 10. Interoperability with the SASL "GSSAPI" mechanism | 10. Non-integrity capable GSS-API mechanisms | |||
| Mechanisms that do not support integrity can be used with GS2, but | ||||
| some security features cannot be provided, in particular including | ||||
| channel bindings, security layers, and integrity protection of the | ||||
| authorization identity. | ||||
| Channel bindings and security layers MUST NOT be negotiated when the | ||||
| GSS-API mechanism do not support integrity. It should also be | ||||
| understood that the authorization identity is not integrity | ||||
| protected. | ||||
| Whether a mechanism supports integrity or not, for the purpose of | ||||
| GS2, is decided by whether the integ_avail output variable from | ||||
| GSS_Init_sec_context (for clients) and GSS_Accept_sec_context (for | ||||
| servers). If integ_avail is FALSE, integrity is not supported. | ||||
| There is a potential interoperability problem if a client call | ||||
| GSS_Init_sec_context with integ_req_flag of TRUE and the context | ||||
| negotiation fails because the mechanism (due to design, the | ||||
| capability of the credentials, or policy) cannot provide per-message | ||||
| protection. Calling GSS_Init_sec_context with a FALSE integ_req_flag | ||||
| instead is not optimal, since a mechanism may then negotiate less | ||||
| security than it would have otherwise done. | ||||
| It is RECOMMENDED that implementations only ever call | ||||
| GSS_Init_sec_context with a integ_req_flag of FALSE when it knows | ||||
| that the particular GSS-API mechanism will not be able to negotiate | ||||
| per-message protection services. | ||||
| Implementations MAY have a policy to disallow non-integrity capable | ||||
| mechanisms, and always call GSS_Init_sec_context with the | ||||
| integ_req_flag set to TRUE. | ||||
| 11. Interoperability with the SASL "GSSAPI" mechanism | ||||
| The Kerberos V5 GSS-API [10] mechanism is currently used in SASL | The Kerberos V5 GSS-API [10] mechanism is currently used in SASL | |||
| under the name "GSSAPI", see GSSAPI mechanism [12]. The Kerberos V5 | under the name "GSSAPI", see GSSAPI mechanism [12]. The Kerberos V5 | |||
| mechanism may also be used with the GS2 family. This causes an | mechanism may also be used with the GS2 family. This causes an | |||
| interopability problem, which is discussed and resolved below. | interopability problem, which is discussed and resolved below. | |||
| 10.1. The interoperability problem | 11.1. The interoperability problem | |||
| If a client (or server) only support Kerberos V5 under the "GSSAPI" | If a client (or server) only support Kerberos V5 under the "GSSAPI" | |||
| name and the server (or client) only support Kerberos V5 under the | name and the server (or client) only support Kerberos V5 under the | |||
| GS2 family, the authentication negotiation will fail. | GS2 family, the authentication negotiation will fail. | |||
| 10.2. Resolving the problem | 11.2. Resolving the problem | |||
| If the Kerberos V5 mechanism is supported under GS2 in a server, the | If the Kerberos V5 mechanism is supported under GS2 in a server, the | |||
| server SHOULD also support Kerberos V5 through the "GSSAPI" | server SHOULD also support Kerberos V5 through the "GSSAPI" | |||
| mechanism, to avoid interoperability problems with older clients. | mechanism, to avoid interoperability problems with older clients. | |||
| Reasons for violating this recommendation may include security | Reasons for violating this recommendation may include security | |||
| considerations regarding the absent features in the GS2 mechanism. | considerations regarding the absent features in the GS2 mechanism. | |||
| The Kerberos V5 "GSSAPI" SASL mechanism lack channel bindings, which | The Kerberos V5 "GSSAPI" SASL mechanism lack channel bindings, which | |||
| could enable certain tunnel attacks [17]. | could enable certain tunnel attacks [17]. | |||
| 10.3. Additional recommendations | 11.3. Additional recommendations | |||
| It is RECOMMENDED to negotiate Kerberos V5 through the GS2 mechanism | It is RECOMMENDED to negotiate Kerberos V5 through the GS2 mechanism | |||
| rather than through the "GSSAPI" mechanism, if both are available, | rather than through the "GSSAPI" mechanism, if both are available, | |||
| because of the additional features in the GS2 mechanism. | because of the additional features in the GS2 mechanism. | |||
| 11. Mechanisms that negotiate other mechanisms | 12. Mechanisms that negotiate other mechanisms | |||
| A GSS-API mechanism that negotiate other mechanisms interact badly | A GSS-API mechanism that negotiate other mechanisms interact badly | |||
| with the SASL mechanism negotiation. There are two problems. The | with the SASL mechanism negotiation. There are two problems. The | |||
| first is an interoperability problem and the second is a security | first is an interoperability problem and the second is a security | |||
| concern. The problems are described and resolved below. | concern. The problems are described and resolved below. | |||
| 11.1. The interoperability problem | 12.1. The interoperability problem | |||
| If a client implement GSS-API mechanism X, potentially negotiated | If a client implement GSS-API mechanism X, potentially negotiated | |||
| through a GSS-API mechanism Y, and the server also implement GSS-API | through a GSS-API mechanism Y, and the server also implement GSS-API | |||
| mechanism X negotiated through a GSS-API mechanism Z, the | mechanism X negotiated through a GSS-API mechanism Z, the | |||
| authentication negotiation will fail. | authentication negotiation will fail. | |||
| 11.2. Security problem | 12.2. Security problem | |||
| If a client's policy is to first prefer GSSAPI mechanism X, then non- | If a client's policy is to first prefer GSSAPI mechanism X, then non- | |||
| GSSAPI mechanism Y, then GSSAPI mechanism Z, and if a server supports | GSSAPI mechanism Y, then GSSAPI mechanism Z, and if a server supports | |||
| mechanisms Y and Z but not X, then if the client attempts to | mechanisms Y and Z but not X, then if the client attempts to | |||
| negotiate mechanism X by using a GSS-API mechanism that negotiate | negotiate mechanism X by using a GSS-API mechanism that negotiate | |||
| other mechanisms (such as SPNEGO), it may end up using mechanism Z | other mechanisms (such as SPNEGO), it may end up using mechanism Z | |||
| when it ideally should have used mechanism Y. For this reason, the | when it ideally should have used mechanism Y. For this reason, the | |||
| use of GSS-API mechanisms that negotiate other mechanisms are | use of GSS-API mechanisms that negotiate other mechanisms are | |||
| disallowed under GS2. | disallowed under GS2. | |||
| 11.3. Resolving the problems | 12.3. Resolving the problems | |||
| GSS-API mechanisms that negotiate other mechanisms MUST NOT be used | GSS-API mechanisms that negotiate other mechanisms MUST NOT be used | |||
| with the GS2 SASL mechanism. This specifically exclude negotiating | with the GS2 SASL mechanism. This specifically exclude negotiating | |||
| SPNEGO [11] under GS2. | SPNEGO [11] under GS2. | |||
| The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech() [16] | The GSS_C_MA_MECH_NEGO attribute of GSS_Inquire_attrs_for_mech() [16] | |||
| can be used to identify such mechanisms. | can be used to identify such mechanisms. | |||
| 12. IANA Considerations | 13. IANA Considerations | |||
| The IANA is advised that SASL mechanism names starting with "GS2-" | The IANA is advised that SASL mechanism names starting with "GS2-" | |||
| are reserved for SASL mechanisms which conform to this document. The | are reserved for SASL mechanisms which conform to this document. The | |||
| IANA is directed to place a statement to that effect in the sasl- | IANA is directed to place a statement to that effect in the sasl- | |||
| mechanisms registry. | mechanisms registry. | |||
| Subject: Registration of SASL mechanism GS2-* | Subject: Registration of SASL mechanism GS2-* | |||
| SASL mechanism prefix: GS2- | SASL mechanism prefix: GS2- | |||
| Security considerations: RFC [THIS-DOC] | Security considerations: RFC [THIS-DOC] | |||
| Published specification: RFC [THIS-DOC] | Published specification: RFC [THIS-DOC] | |||
| Person & email address to contact for further information: | Person & email address to contact for further information: | |||
| Simon Josefsson <simon@josefsson.org> | Simon Josefsson <simon@josefsson.org> | |||
| Intended usage: COMMON | Intended usage: COMMON | |||
| Owner/Change controller: iesg@ietf.org | Owner/Change controller: iesg@ietf.org | |||
| Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms. | Note: Compare with the GSSAPI and GSS-SPNEGO mechanisms. | |||
| 13. Security Considerations | 14. Security Considerations | |||
| Security issues are discussed throughout this memo. | Security issues are discussed throughout this memo. | |||
| When a server or client supports multiple authentication mechanisms, | The security provided by GS2 depends on the security provided by the | |||
| each of which has a different security strength, it is possible for | GSS-API mechanism. If the mechanism do not provide integrity | |||
| an active attacker to cause a party to use the least secure mechanism | protection, the authorization identity can be replaced by a man in | |||
| the middle, and channel bindings and security layers cannot be | ||||
| negotiated. Therefor, it is generally recommended against using any | ||||
| GSS-API mechanism widely on the Internet that do not support | ||||
| integrity. | ||||
| Because the negotiation of a GSS-API mechanism may be done in the | ||||
| clear, it is important for the GSS-API mechanisms to be designed such | ||||
| that an active attacker cannot obtain an authentication with weaker | ||||
| security properties by modifying the challenges and responses. | ||||
| When a server or client supports multiple GSS-API mechanisms, each of | ||||
| which has a different security strength, it is possible for an active | ||||
| attacker to cause a party to use the least secure mechanism | ||||
| supported. There are several ways to mitigate this problem: | supported. There are several ways to mitigate this problem: | |||
| 1. Integrity protected transports can be used, e.g., TLS [14]. To | 1. Integrity protected transports can be used, e.g., TLS [14]. To | |||
| protect against certain tunnel attacks [17] with that solution, a | protect against certain tunnel attacks [17] with that solution, | |||
| mechanism that support channel bindings that can bind the | the GSS-API mechanisms has to support integrity to provide | |||
| security layer (e.g., the TLS session id) to the authentication | support for channel bindings | |||
| is required. | ||||
| 2. A client or server which supports mechanisms of different | 2. A client or server which supports mechanisms of different | |||
| strengths should have a configurable minimum strength that it | strengths should have a configurable minimum strength that it | |||
| will use. It is not sufficient for this minimum strength check | will use. It is not sufficient for this minimum strength check | |||
| to only be on the server, since an active attacker can change | to only be on the server, since an active attacker can change | |||
| which mechanisms the client sees as being supported, causing the | which mechanisms the client sees as being supported, causing the | |||
| client to send authentication credentials for its weakest | client to send authentication credentials for its weakest | |||
| supported mechanism. | supported mechanism. | |||
| Because the negotiation of a GSS-API mechanism may be done in the | 3. Specify how to use the SPNEGO mechanism in SASL. | |||
| clear, it is important for the GSS-API mechanisms to be designed such | ||||
| that an active attacker cannot obtain an authentication with weaker | ||||
| security properties by modifying the challenges and responses. | ||||
| The channel binding is sent without privacy protection and knowledge | The channel binding is sent without privacy protection and knowledge | |||
| of it is assumed to provide no advantage to an attacker. This is a | of it is assumed to provide no advantage to an attacker. This is a | |||
| property that has to be considered when specifying channel bindings | property that has to be considered when specifying channel bindings | |||
| for a security protocol. | for a security protocol that will be used with GS2. | |||
| When constructing the input_name_string, the client should not | When constructing the input_name_string, the client should not | |||
| canonicalize the server's fully qualified domain name using an | canonicalize the server's fully qualified domain name using an | |||
| insecure or untrusted directory service, e.g., the Domain Name System | insecure or untrusted directory service, such as the Domain Name | |||
| [9] without DNSSEC [15]. | System [9] without DNSSEC [15]. | |||
| GS2 hard code the use of the SHA-1 algorithm to compute the mechanism | ||||
| names, and it is not possible to negotiate the use of other hash | ||||
| algorithms. However, no traditional cryptographic hash properties | ||||
| (such as collision resistance or pre-image resistance) are required | ||||
| nor assumed. The required and assumed property is that it is | ||||
| statistically unlikely that two different DER-encoded OID's share the | ||||
| same first 10 octets of the SHA-1 value. | ||||
| Additional security considerations are in the SASL and GSSAPI | Additional security considerations are in the SASL and GSSAPI | |||
| specifications. Additional security considerations for the Kerberos | specifications. Additional security considerations for the Kerberos | |||
| V5 GSSAPI mechanism can be found in [10]. We stress that service | V5 GSSAPI mechanism can be found in [10]. We stress that service | |||
| names should not be canonicalized using an unsecured directory | names should not be canonicalized using an unsecured directory | |||
| service such as the DNS without DNSSEC. | service such as the DNS without DNSSEC. | |||
| 14. Acknowledgements | 15. Acknowledgements | |||
| This document is a revision of RFC 2222. This version was derived | This document is a revision of RFC 2222. This version was derived | |||
| from draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov | from draft-ietf-sasl-gssapi-02 which was prepared by Alexey Melnikov | |||
| with significant contributions from John G. Myers, although the | with significant contributions from John G. Myers, although the | |||
| majority of this document has been rewritten by the current author. | majority of this document has been rewritten by the current author. | |||
| Contributions of many members of the SASL mailing list are gratefully | Contributions of many members of the SASL mailing list are gratefully | |||
| acknowledged. In particular, ideas and feedback from Sam Hartman, | acknowledged. In particular, ideas and feedback from Sam Hartman, | |||
| Jeffrey Hutzelman, Alexey Melnikov, Nicolas Williams, and Tom Yu | Jeffrey Hutzelman, Alexey Melnikov, Nicolas Williams, and Tom Yu | |||
| improved the document and the protocol. | improved the document and the protocol. | |||
| 15. References | 16. References | |||
| 15.1. Normative References | 16.1. Normative References | |||
| [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement | |||
| Levels", BCP 14, RFC 2119, March 1997. | Levels", BCP 14, RFC 2119, March 1997. | |||
| [2] Melnikov, A. and K. Zeilenga, "Simple Authentication and | [2] Melnikov, A. and K. Zeilenga, "Simple Authentication and | |||
| Security Layer (SASL)", RFC 4422, June 2006. | Security Layer (SASL)", RFC 4422, June 2006. | |||
| [3] Linn, J., "Generic Security Service Application Program | [3] Linn, J., "Generic Security Service Application Program | |||
| Interface Version 2, Update 1", RFC 2743, January 2000. | Interface Version 2, Update 1", RFC 2743, January 2000. | |||
| skipping to change at page 29, line 36 | skipping to change at page 31, line 36 | |||
| [7] Williams, N., "On the Use of Channel Bindings to Secure | [7] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", draft-ietf-nfsv4-channel-bindings-04 (work in | Channels", draft-ietf-nfsv4-channel-bindings-04 (work in | |||
| progress), June 2006. | progress), June 2006. | |||
| [8] International Organization for Standardization, "Information | [8] International Organization for Standardization, "Information | |||
| Processing Systems - Open Systems Interconnection - | Processing Systems - Open Systems Interconnection - | |||
| Specification of Abstract Syntax Notation One (ASN.1)", | Specification of Abstract Syntax Notation One (ASN.1)", | |||
| ISO Standard 8824, December 1990. | ISO Standard 8824, December 1990. | |||
| 15.2. Informative References | 16.2. Informative References | |||
| [9] Mockapetris, P., "Domain names - concepts and facilities", | [9] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, November 1987. | STD 13, RFC 1034, November 1987. | |||
| [10] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, | [10] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, | |||
| June 1996. | June 1996. | |||
| [11] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API | [11] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API | |||
| Negotiation Mechanism", RFC 2478, December 1998. | Negotiation Mechanism", RFC 2478, December 1998. | |||
| skipping to change at page 32, line 7 | skipping to change at page 34, line 7 | |||
| WWW http://www.saunalahti.fi/~asokan/research/mitm.html. | WWW http://www.saunalahti.fi/~asokan/research/mitm.html. | |||
| Author's Address | Author's Address | |||
| Simon Josefsson | Simon Josefsson | |||
| Email: simon@josefsson.org | Email: simon@josefsson.org | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The Internet Society (2006). | Copyright (C) The Internet Society (2007). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| contained in BCP 78, and except as set forth therein, the authors | contained in BCP 78, and except as set forth therein, the authors | |||
| retain all their rights. | retain all their rights. | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| End of changes. 65 change blocks. | ||||
| 126 lines changed or deleted | 198 lines changed or added | |||
This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||