rfcdiff of draft-ietf-tls-kerb-cipher-suites-01.txt against draft-ietf-tls-kerb-cipher-suites-02.txt
(where the two revisions differ, both readings are given below)

INTERNET-DRAFT                                            Ari Medvinsky
Transport Layer Security Working Group                      Matthew Hur
draft-ietf-tls-kerb-cipher-suites-02.txt              CyberSafe Corporation
February 20, 1998 (Expires August 25, 1998)
(-01 revision: draft-ietf-tls-kerb-cipher-suites-01.txt, July 97 (Expires Feb-98))

       Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
0. Status Of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its
   areas, and its working groups. Note that other groups may also
   distribute working documents as Internet-Drafts.
   FIGURE 1: The TLS protocol. All messages followed by a star are
   optional. Note: This figure was taken from an IETF draft [1].
   The TLS security context is negotiated in the client and server hello
   messages. For example, TLS_RSA_WITH_RC4_MD5 means the initial
   authentication will be done using the RSA public key algorithm, RC4 will
   be used for the session key, and MACs will be based on the MD5
   algorithm. Thus, to facilitate the Kerberos authentication option, we
   must start by defining new cipher suites including (but not limited to):
   Each suite is declared as "CipherSuite <name> = { <value> };". The -02
   revision renumbers every suite by two relative to -01:

   CipherSuite name                          -01 value       -02 value
   TLS_KRB5_WITH_DES_CBC_SHA                 { 0x00,0x1C }   { 0x00,0x1E }
   TLS_KRB5_WITH_3DES_EDE_CBC_SHA            { 0x00,0x1D }   { 0x00,0x1F }
   TLS_KRB5_WITH_RC4_128_SHA                 { 0x00,0x1E }   { 0x00,0x20 }
   TLS_KRB5_WITH_IDEA_CBC_SHA                { 0x00,0x1F }   { 0x00,0x21 }
   TLS_KRB5_WITH_DES_CBC_MD5                 { 0x00,0x20 }   { 0x00,0x22 }
   TLS_KRB5_WITH_3DES_EDE_CBC_MD5            { 0x00,0x21 }   { 0x00,0x23 }
   TLS_KRB5_WITH_RC4_128_MD5                 { 0x00,0x22 }   { 0x00,0x24 }
   TLS_KRB5_WITH_IDEA_CBC_MD5                { 0x00,0x23 }   { 0x00,0x25 }
   TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA       { 0x00,0x24 }   { 0x00,0x26 }
   TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA       { 0x00,0x25 }   { 0x00,0x27 }
   TLS_KRB5_EXPORT_WITH_RC4_40_SHA           { 0x00,0x26 }   { 0x00,0x28 }
   TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5       { 0x00,0x27 }   { 0x00,0x29 }
   TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5       { 0x00,0x28 }   { 0x00,0x2A }
   TLS_KRB5_EXPORT_WITH_RC4_40_MD5           { 0x00,0x29 }   { 0x00,0x2B }
   To establish a Kerberos-based security context, one or more of the above
   cipher suites must be specified in the client hello message. If the TLS
   server supports the Kerberos authentication option, the server hello
   message, sent to the client, will confirm the Kerberos cipher suite
   selected by the server. The server's certificate, the client
   CertificateRequest, and the ServerKeyExchange shown in Figure 1 will be
   omitted since authentication and the establishment of a master secret
   will be done using the client's Kerberos credentials for the TLS server.
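   The two passages above (what a suite name such as TLS_RSA_WITH_RC4_MD5
   encodes, and how the server confirms a Kerberos suite and drops the
   certificate-based messages) are put to work in the following Python
   example. It is added here and is not code from the draft or its authors.
   The KRB5 code points are the ones listed above for -01 and -02; the two
   RSA suite values (0x0004, 0x000A) and the ClientHello cipher_suites
   vector layout (a 2-byte length followed by 2-byte code points) come from
   RFC 2246; the function names are this example's own. The decoder also
   shows the practical caveat the two columns expose: 0x001E through 0x0023
   name different suites in -01 and -02, so an implementation must know
   which revision its peer follows before it trusts a decoded name.

```python
"""Decode TLS cipher-suite code points and model the Kerberos variant of the
handshake described in draft-ietf-tls-kerb-cipher-suites.

Added example, not the draft's own code. KRB5 code points are the ones the
draft lists (revisions -01 and -02); the two RSA suites and the ClientHello
cipher_suites vector layout are from RFC 2246. Function names are this
example's own.
"""
import struct

# Kerberos suites as numbered in draft revision -01 (code point -> name).
KRB5_SUITES_DRAFT_01 = {
    0x001C: "TLS_KRB5_WITH_DES_CBC_SHA",
    0x001D: "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    0x001E: "TLS_KRB5_WITH_RC4_128_SHA",
    0x001F: "TLS_KRB5_WITH_IDEA_CBC_SHA",
    0x0020: "TLS_KRB5_WITH_DES_CBC_MD5",
    0x0021: "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
    0x0022: "TLS_KRB5_WITH_RC4_128_MD5",
    0x0023: "TLS_KRB5_WITH_IDEA_CBC_MD5",
    0x0024: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    0x0025: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
    0x0026: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x0027: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
    0x0028: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0029: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
}

# Revision -02 shifts every value by two (0x1C..0x29 become 0x1E..0x2B).
KRB5_SUITES_DRAFT_02 = {cp + 2: name for cp, name in KRB5_SUITES_DRAFT_01.items()}

# Two certificate-based suites from RFC 2246, so a mixed ClientHello can be decoded.
RSA_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
REGISTRY_DRAFT_02 = {**RSA_SUITES, **KRB5_SUITES_DRAFT_02}


def parse_suite_name(name):
    """Split TLS_<kx>[_EXPORT]_WITH_<cipher>_<mac> into its components.

    TLS_RSA_WITH_RC4_MD5 -> RSA authentication/key exchange, RC4, MD5 MAC.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx_part, rest = name[4:].split("_WITH_", 1)
    export = kx_part.endswith("_EXPORT")
    key_exchange = kx_part[: -len("_EXPORT")] if export else kx_part
    cipher, mac = rest.rsplit("_", 1)
    return {"key_exchange": key_exchange, "cipher": cipher, "mac": mac, "export": export}


def decode_cipher_suites(vector, registry):
    """Decode a ClientHello cipher_suites vector into suite names.

    Layout (RFC 2246): uint16 byte length, then one uint16 code point per suite.
    Unknown code points are kept as UNKNOWN_0xNNNN rather than dropped, so a
    log line shows exactly what the peer offered.
    """
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:2 + length]
    if length == 0 or length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [registry.get(cp, f"UNKNOWN_0x{cp:04X}")
            for (cp,) in struct.iter_unpack("!H", body)]


def select_kerberos_suite(offered, server_preference):
    """Server-side choice: the first suite in the server's preference order that
    the client offered and that uses KRB5 key exchange. None means the Kerberos
    option cannot be used on this connection."""
    offered_set = set(offered)
    for name in server_preference:
        if name in offered_set and parse_suite_name(name)["key_exchange"] == "KRB5":
            return name
    return None


def server_flight(selected):
    """Server's first handshake flight for the selected suite.

    For a KRB5 suite the certificate-related messages are omitted: the client's
    Kerberos credentials for the server carry authentication and the master
    secret. '*' marks messages Figure 1 shows as optional.
    """
    flight = ["ServerHello"]
    if parse_suite_name(selected)["key_exchange"] != "KRB5":
        flight += ["Certificate", "ServerKeyExchange*", "CertificateRequest*"]
    flight.append("ServerHelloDone")
    return flight


if __name__ == "__main__":
    # Constructed ClientHello vector: three suites, 6 bytes -> length 0x0006.
    client_vector = bytes.fromhex("0006000400200023")
    offered = decode_cipher_suites(client_vector, REGISTRY_DRAFT_02)
    print("client offered:", offered)
    chosen = select_kerberos_suite(
        offered, ["TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "TLS_KRB5_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_RC4_128_MD5"])
    print("server selected:", chosen, parse_suite_name(chosen))
    print("server flight:", server_flight(chosen))
    # The same bytes read with the -01 numbering name different suites.
    print("under -01 numbering:",
          decode_cipher_suites(client_vector, {**RSA_SUITES, **KRB5_SUITES_DRAFT_01}))
```

   Run the file directly to see a constructed ClientHello decoded under both
   numberings, the server's pick, and the shortened server flight. The suites
   themselves (single DES, RC4, 40-bit export ciphers, MD5 MACs) are long
   obsolete; the example is about the negotiation mechanics the draft
   describes, not a recommendation of any suite.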
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/