[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09

NETWORK WORKING GROUP                                             L. Zhu
Internet-Draft                                     Microsoft Corporation
Intended status: Standards Track                               J. Altman
Expires: July 30, 2008                                  Secure Endpoints
                                                        January 27, 2008

  Public Key Cryptography Based User-to-User Authentication - (PKU2U)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on July 30, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2008).


   This document defines the public key cryptography based user-to-user
   authentication protocol - PKU2U. This mechanism provides security
   services in peer to peer networking environments without requiring a
   Kerberos Key Distribution Center (KDC).  Furthermore, the binding of
   PKU2U for the Generic Security Service Application Program Interface
   (GSS-API) per RFC2743 is defined based on RFC4121.

Zhu & Altman              Expires July 30, 2008                 [Page 1]

Internet-Draft                    PKU2U                     January 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
   3.  The PKU2U Realm Name . . . . . . . . . . . . . . . . . . . . .  3
   4.  PKU2U Principal Names  . . . . . . . . . . . . . . . . . . . .  4
   5.  The Protocol Description and the Context Establishment
       Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   6.  The GSS-API Binding for PKU2U  . . . . . . . . . . . . . . . .  7
   7.  Guidelines for Credentials Selection . . . . . . . . . . . . .  8
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     11.1.  Normative References  . . . . . . . . . . . . . . . . . . 10
     11.2.  Informative References  . . . . . . . . . . . . . . . . . 10
   Appendix A.  PKU2U ASN.1 Module  . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
   Intellectual Property and Copyright Statements . . . . . . . . . . 12

Zhu & Altman              Expires July 30, 2008                 [Page 2]

Internet-Draft                    PKU2U                     January 2008

1.  Introduction

   Peer-to-peer systems are increasingly popular today.  In a peer-to-
   peer system, all clients provide resources that contribute positively
   to the total capacity of the overall system and there is no single
   point of failure.  This distributed nature makes such systems highly
   scalable and robust.

   A true peer-to-peer system is self-organized, typically there is no
   trusted third party in such environments.  Consequently the Kerberos
   protocol as defined in [RFC4120] and [RFC4556] is inadequate to
   provide security services.  Currently there is no interoperable GSS-
   API mechanism for establishing trust in the information received from
   the peer.  The inability to authenticate the messages exchanged among
   peers enables many attacks such as poisoning (e.g. providing data
   contents are different from the description) and polluting (e.g.
   inserting "bad" packets).

   To remedy this, the PKU2U protocol extends [RFC4120] and [RFC4556] to
   support peer-to-peer authentication without the help of a Key
   Distribution Center (KDC) [RFC4120].  This mechanism can act as a
   bridge between Public Key Infrastructure (PKI) and GSS-API for such

   In addition, the binding of PKU2U for GSS-API is defined based on

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

   In this document, the GSS-API initiator or acceptor is referred to as
   the peer when the description is applicable to both the initiator and
   the acceptor.

3.  The PKU2U Realm Name

   The PKU2U realm name is defined as a reserved Kerberos realm name per
   [KRB-NAME], and it has the value of "WELLKNOWN:PKU2U".

   Unless otherwise specified, the realm name in any Kerberos message
   used by PKU2U is the PKU2U realm name.

Zhu & Altman              Expires July 30, 2008                 [Page 3]

Internet-Draft                    PKU2U                     January 2008

4.  PKU2U Principal Names

   PKU2U Principal names can be constructed as follows:

   o  If the X.509 certificate [RFC3280] of a peer contains an id-
      pkinit-san Subject Alternative Name (SAN) as defined in Section
      3.2.2 of [RFC4556] or an id-ms-sc-logon-upn SAN as defined in
      [REFERALS], then the Kerberos Principal Name for the peer is as
      specified in that SAN in the certificate.  If the realm in the
      KRB5PrincipalName structure is specified, it MUST be the PKU2U

   o  If the X.509 certificate of the peer contains a dNSName SAN
      [RFC3280], then unless otherwise specified the peer's Kerberos
      principal name is a two-component NT-SRV-HST type name as defined
      in Section 6.2.1 of [RFC4120], with the first component as "host"
      and the second component as the name in the dNSName SAN of the
      certificate, and the realm of this Kerberos principal is the PKU2U

   It should be noted that a certificate that does not have any of the
   above name attributes can be used in PKU2U as long as there is a
   binding between the key pair and the peer principal that can be
   verified, and such bindings can be maintained via a trusted table
   such as a database that the peers learn via leap-of-faith ways, or
   via PKI where the certificate is the binding.

   A Distinguished Name (DN) can be transformed into a string and
   represented as the NT-X500-PRINCIPAL name type, but the current
   definition of this name type in [RFC4120] does not guarantee a
   canonical form.  Additional work is anticipated to start with
   [RFC4514] but add further constraints: require Distinguished Encoding
   Rules (DER) [X680] [X690] for values of unknown syntax, restrict the
   use of escape characters, force the case of case-insensitive string
   values, etc.  It is anticipated that any name that appears in a
   certificate, either as its DN or as a SAN, can be used via
   GSS_Import_name() and GSS_Acquire_cred().  In order to do that, a
   GSS-API name type is expected to be defined for each kind of PKI name
   (DN, and every kind of SAN that may be useful), and a generic human-
   readable syntax is expected to be defined for each such name-type.
   The DN remains, however, as the canonical principal name.  This work
   is out of the scope to this document and it is generic to integrating
   Distinguished Names into GSS-API.

   Implementations conforming to this document MUST support the binding
   schema specified in this section.

   The rest of this document assumes there is a binding between a

Zhu & Altman              Expires July 30, 2008                 [Page 4]

Internet-Draft                    PKU2U                     January 2008

   Kerberos principal name and the asymmetric key pair used for
   authentication.  The Kerberos principal name is returned by GSS-API
   primitives such as GSS_Export_name() and GSS_Display_name().

5.  The Protocol Description and the Context Establishment Tokens

   The PKU2U protocol is based on [RFC4120], and it can only be used in
   conjunction with GSS-API.

   This section describes how PKU2U works and how it differs from

   If initially the initiator has a service ticket to the acceptor, the
   initiator, acting as the client in the parlance of [RFC4120],
   performs the client-server authentication exchange according to
   [RFC4121] and Section 3.2 of [RFC4120], with the acceptor acting as
   the server.

   When the initiator does not have a service ticket to the acceptor, it
   requests a ticket from the acceptor instead of the KDC by
   constructing a KRB_AS_REQ message, where the acceptor is identified
   as the server and the initiator is identified as the client,
   according to Section 3.1.1 of [RFC4120].  The initiator always
   includes the PA_PK_AS_REQ pre-authentication data computed according
   to Section 3.2.1 of [RFC4556].  In a modification to [RFC4120], the
   KRB_AS_REQ message is not sent directly to the acceptor, but instead
   returned within the output GSS-API token.  GSS_Init_sec_context()
   returns GSS_S_CONTINUE_NEEDED status [RFC2743] indicating at least
   one more token is needed in order to establish the context, and the
   KRB_AS_REQ message is returned as the innerContextToken defined in
   Section 3.1 of [RFC2743], in the output token.

   This output token that contains the KRB_AS_REQ message is then passed
   to GSS_Accept_security_context() as the input token in accordance
   with GSS-API.  The acceptor processes the KRB_AS_REQ request
   according to Section 3.1.2 of [RFC4120].  The acceptor MUST verify
   that the server name in the request is that of the acceptor itself.
   The acceptor validates the pre-authentication data in the request
   according to Section 3.2.2 of [RFC4556].  The acceptor MUST verify
   the binding between the initiator's name and the initiator's public
   key.  Unless otherwise specified, the initiator's X.509 certificate
   MUST contain either the id-pkinit-KPClientAuth [RFC4556] Extended Key
   Usage (EKU) extension or the id-kp-clientAuth EKU [RFC3280].

   If all goes well, processing the KRB_AS_REQ message will result in
   the creation of a ticket for the initiator to present to the acceptor
   and the response is a KRB_AS_REP message generated according to

Zhu & Altman              Expires July 30, 2008                 [Page 5]

Internet-Draft                    PKU2U                     January 2008

   Section 3.1.3 of [RFC4120].

   If an error occurs, however, the response is a KRB_ERROR message
   generated according to Section 3.1.4 of [RFC4120].

   In other words, the output token of GSS_Accept_security_context() is
   a KRB_AS_REP message if a ticket was created or a KRB_ERROR message
   if there was an error while processing the request or the local
   policy prevented a ticket from being issued.  The reply token is then
   passed to the initiator as the input token to GSS_Init_sec_context().

   The initiator then processes the reply token according to Section
   3.1.5 of [RFC4120] if a ticket has been returned.  Upon receipt of
   the KRB_AS_REP message, the initiator MUST validate the PA_PK_AS_REP
   pre-authentication data in the reply according to Section 3.2.4 of
   [RFC4556].  The inclusion of the EKU KeyPurposeId [RFC3280] id-
   pkinit-KPKdc in the X.509 certificate in the response is not
   applicable when PKU2U is used because there is no KDC involved in
   this protocol.  The initiator MUST verify the binding between the
   acceptor's name and the acceptor's public key.

   Furthermore, PKU2U differs from [RFC4556] in that it allows the use
   of self-signed certificates given the binding between the named
   principal and the public key can be verified and cannot be spoofed.

   The GSS-API acceptor is identified using the targ_name parameter of
   the GSS_Init_sec_context() call, the initiator MUST verify the
   binding between the targ_name and the acceptor in order to
   authenticate the acceptor.  In addition, unless otherwise specified
   the acceptor's X.509 certificate MUST contain either the id-kp-
   serverAuth EKU [RFC3280] or the id-pkinit-KPClientAuth EKU [RFC4556].

   If an error message was returned, the initiator processes the
   response according to Section 3.1.6 of [RFC4120].

   With the obtained ticket, the initiator then, acting as the client in
   the parlance of [RFC4120], performs the client-server authentication
   exchange according to [RFC4121] and Section 3.2 of [RFC4120], with
   the acceptor acting as the server.

   To recapitulate, the acceptor and the initiator communicate by
   tunneling the authentication service exchange messages through the
   use of the GSS-API tokens and application traffic.  The reliable
   delivery of the authentication service exchange messages at the GSS-
   API token level is mandatory.  In the event of message loss, message
   duplication, or out of order message delivery, the security context
   MUST fail to establish.

Zhu & Altman              Expires July 30, 2008                 [Page 6]

Internet-Draft                    PKU2U                     January 2008

   The syntax of the initial context establishment token follows the
   initialContextToken syntax defined in Section 3.1 of [RFC2743].
   PKU2U is identified by the Objection Identifier (OID) id-kerberos-

      id-kerberos-pku2u ::=
        { iso(1) org(3) dod(6) internet(1) security(5) kerberosV5(2)
          pku2u(7) }

   Subsequent context establishment tokens MUST NOT be encapsulated in
   this GSS-API generic token framing.

   The innerToken described in section 3.1 of [RFC2743] and subsequent
   GSS-API mechanism tokens have the following formats: it starts with a
   two-octet token-identifier (TOK_ID), followed by a Kerberos message.
   The TOK_ID values for the KRB_AS_REQ message and the KRB_AS_REP
   message are defined in the table blow:

              Token         TOK_ID Value in Hex
             KRB_AS_REQ          05 00
             KRB_AS_REP          06 00

   The TOK_ID values for all other Kerberos messages are the same as
   defined in [RFC4121].

   By using anonymous PKINIT [KRB-ANON], PKU2U can provide server-
   authentication without revealing the client's identity.

6.  The GSS-API Binding for PKU2U

   Section 5 defines the context establishment tokens.  PKU2U per-
   message tokens are defined as the per-message tokens in [RFC4121].

   The Kerberos principal name form and the host-based service Name
   described in [RFC1964] MUST be supported by implementations
   conforming to this specification.

   For implementations comforming to this specification, the
   authenticator subkey in the AP-REQ [RFC4120] [RFC4121] MUST alway be
   present, and the Exts field in the GSS-API authenticator [GSS-EXTS]
   MUST contain an extension of the type GSS_EXTS_FINISHED and the
   extension data contains the ASN.1 DER encoding of the structure KRB-

Zhu & Altman              Expires July 30, 2008                 [Page 7]

Internet-Draft                    PKU2U                     January 2008

           GSS_EXTS_FINISHED             TBA
                --- The type for the checksum extension.

           KRB-FINISHED ::= SEQUENCE {
                gss-mic [1] Checksum,
                    -- Contains the checksum of the GSS-API tokens
                    -- exchanged between the initiator and the acceptor,
                    -- and prior to the containing AP-REQ GSS-API token.
                    -- The checksum is performed over the GSS-API
                    -- tokens in the order that the tokens were sent.

   The gss-mic field contains a checksum of all the GSS-API tokens sent
   from the initiator to the acceptor in the order they were sent, prior
   to the current token.  This checksum is performed over these GSS-API
   tokens in the order that the tokens were sent by the initiator and
   the acceptor.  In the parlance of [RFC3961], the checksum type is the
   required checksum type for the enctype of the subkey in the
   authenticator, the protocol key for the checksum operation is the
   authenticator subkey, and the key usage number is KEY_USAGE_FINISHED.

           KEY_USAGE_FINISHED            41

   The GSS-API acceptor MUST then verify the checksum contained in the
   GSS_EXTS_FINISHED extension.  This checksum provides integrity
   protection for the messages exchanged including the unauthenticated
   clear texts in the Kerberos messages exchanged between the two

7.  Guidelines for Credentials Selection

   If a peer, either the initiator or the acceptor, has multiple pairs
   of public-key private keys, a choice is to be made in choosing the
   best fit.  The trustedCertifiers field in the PA-PK-AS-REQ structure
   [RFC4556] SHOULD be filled by the initiator, to provide hints for
   guiding the selection of an appropriate certificate chain by the
   acceptor.  If the initiator's X.509 certificate cannot be validated
   according to [RFC3280], the acceptor SHOULD send back the TD-TRUSTED-
   CERTIFIERS structure [RFC4556] that provides hints for guiding the
   selection of an appropriate certificate by the initiator.

   It is RECOMMENDED that implementations of this protocol expose
   sufficient information based on the hints described above to the
   users and allow the certificates to be selected interactively.

   If the certificates cannot be selected interactively, and multiple

Zhu & Altman              Expires July 30, 2008                 [Page 8]

Internet-Draft                    PKU2U                     January 2008

   certificates can be used, it is RECOMMENDED that implementations fail
   the context establishment thus avoid confusions caused by an
   unexpected programmatic selection.

8.  Security Considerations

   The security considerations in [RFC4556] apply here.  It is crucial
   that both the initiator and the acceptor MUST be able to verify the
   binding between the signing key and the associated identity.

9.  Acknowledgements

   The authors would like to thank Jeffrey Hutzelman for his insightful
   comments on the earlier revisions of this document.

   In addition, the following individuals have provided review comments
   for this document: Nicolas Williams, Sam Hartman, Leif Johansson,
   Olga Kornievskaia, Martin Rex, and Sunil Gottumukkala.

   Ari Medvinsky provided help in editing the initial revisions of this

   The text for the DN mapping is compiled directly from the email
   discussions among the following individuals: Howard Chu, Martin Rex,
   Nicolas Williams, Jeffrey Hutzelman, Kevin Coffman, Henry B. Hotz,
   Leif Johansson, and Olga Kornievskaia.  Howard and Jeffery clearly
   illustrated the challenges in creating a unique mapping, while
   Nicolas and Martin demonstrated the relevance and interactions to
   GSS-API and Kerberos.

10.  IANA Considerations

   Section 3 defines the PKU2U realm.  The IANA registry for the
   reserved names should be updated to reference this document.

   This document defines GSS_EXTS_FINISHED extension type.  The
   corresponding IANA registry need to be updated to reference this

11.  References

Zhu & Altman              Expires July 30, 2008                 [Page 9]

Internet-Draft                    PKU2U                     January 2008

11.1.  Normative References

              Emery, S., "Kerberos Version 5 GSS-API Channel Binding
              Hash Agility", draft-ietf-krb-wg-gss-cb-hash-agility,
              work in progress.

              Zhu, L. and P. Leach, "Kerberos Anonymity Support",
              draft-ietf-krb-wg-anon, work in progress.

   [KRB-NAME] L. Zhu, "Additional Kerberos Naming Constraints",
              draft-ietf-krb-wg-naming, work in progress.

   [REFERALS] Raeburn, K. and L. Zhu, "Generating KDC Referrals to
              Locate Kerberos Realms,
              draft-ietf-krb-wg-kerberos-referrals, work in progress.

   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
              RFC 1964, June 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              July 2005.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
              July 2005.

   [RFC4556]  Zhu, L. and B. Tung, "Public Key Cryptography for Initial
              Authentication in Kerberos (PKINIT)", RFC 4556, June 2006.

Zhu & Altman              Expires July 30, 2008                [Page 10]

Internet-Draft                    PKU2U                     January 2008

11.2.  Informative References

              Zhu, L. and P. Leach, "Kerberos Anonymity Support",
              draft-ietf-krb-wg-anon-04.txt (work in progress), 2007.

   [RFC4514]  Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): String Representation of Distinguished Names",
              RFC 4514, June 2006.

   [X680]     ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
              Information technology - Abstract Syntax Notation One
              (ASN.1): Specification of basic notation.

   [X690]     ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
              Information technology - ASN.1 encoding Rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules

Appendix A.  PKU2U ASN.1 Module

        PKU2U-SPEC {
            iso(1) identified-organization(3) dod(6) internet(1)
                security(5) kerberosV5(2) modules(4) pku2u(TBA)


                FROM KerberosV5Spec2 { iso(1) identified-organization(3)
                  dod(6) internet(1) security(5) kerberosV5(2)
                  modules(4) krb5spec2(2) };
                  -- as defined in RFC 4120.

              gss-mic [1] Checksum,
                  -- Contains the checksum of the GSS-API tokens
                  -- exchanged between the initiator and the acceptor,
                  -- and prior to the containing AP-REQ GSS-API token.
                  -- The checksum is performed over the GSS-API
                  -- tokens in the order that the tokens were sent.


Authors' Addresses

   Larry Zhu
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA  98052

   Email: lzhu@microsoft.com

   Jeffery Altman
   Secure Endpoints
   255 W 94th St
   New York, NY  10025

   Email: jaltman@secure-endpoints.com

Zhu & Altman              Expires July 30, 2008                [Page 11]

Internet-Draft                    PKU2U                     January 2008

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at


   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).

Zhu & Altman              Expires July 30, 2008                [Page 12]

Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/