--- 1/draft-ietf-tls-kerb-cipher-suites-01.txt 2006-02-05 02:00:56.000000000 +0100 +++ 2/draft-ietf-tls-kerb-cipher-suites-02.txt 2006-02-05 02:00:56.000000000 +0100 @@ -1,15 +1,14 @@ - INTERNET-DRAFT Ari Medvinsky Transport Layer Security Working Group Matthew Hur -draft-ietf-tls-kerb-cipher-suites-01.txt CyberSafe Corporation - July 97 (Expires Feb-98) +draft-ietf-tls-kerb-cipher-suites-02.txt CyberSafe Corporation +February 20, 1998 (Expires August 25, 1998) Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) 0. Status Of this Memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. @@ -81,35 +80,35 @@ FIGURE 1: The TLS protocol. All messages followed by a star are optional. Note: This figure was taken from an IETF draft [1]. The TLS security context is negotiated in the client and server hello messages. For example: TLS_RSA_WITH_RC4_MD5 means the initial authentication will be done using the RSA public key algorithm, RC4 will be used for the session key, and MACs will be based on the MD5 algorithm. Thus, to facilitate the Kerberos authentication option, we must start by defining new cipher suites including (but not limited to): -CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1C }; -CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1D }; -CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x1E }; -CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x1F }; -CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x20 }; -CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x21 }; -CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x22 }; -CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x23 }; +CipherSuite TLS_KRB5_WITH_DES_CBC_SHA = { 0x00,0x1E }; +CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_SHA = { 0x00,0x1F }; +CipherSuite TLS_KRB5_WITH_RC4_128_SHA = { 0x00,0x20 }; +CipherSuite TLS_KRB5_WITH_IDEA_CBC_SHA = { 0x00,0x21 }; +CipherSuite TLS_KRB5_WITH_DES_CBC_MD5 = { 0x00,0x22 }; +CipherSuite TLS_KRB5_WITH_3DES_EDE_CBC_MD5 = { 0x00,0x23 }; +CipherSuite TLS_KRB5_WITH_RC4_128_MD5 = { 0x00,0x24 }; +CipherSuite TLS_KRB5_WITH_IDEA_CBC_MD5 = { 0x00,0x25 }; -CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x24 }; -CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x25 }; -CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x26 }; -CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x27 }; -CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x28 }; -CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x29 }; +CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA = { 0x00,0x26 }; +CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA = { 0x00,0x27 }; +CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_SHA = { 0x00,0x28 }; +CipherSuite TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 = { 0x00,0x29 }; +CipherSuite TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 = { 0x00,0x2A }; +CipherSuite TLS_KRB5_EXPORT_WITH_RC4_40_MD5 = { 0x00,0x2B }; To establish a Kerberos-based security context, one or more of the above cipher suites must be specified in the client hello message. If the TLS server supports the Kerberos authentication option, the server hello message, sent to the client, will confirm the Kerberos cipher suite selected by the server. The server's certificate, the client CertificateRequest, and the ServerKeyExchange shown in Figure 1 will be omitted since authentication and the establishment of a master secret will be done using the client's Kerberos credentials for the TLS server.