Diff of draft-ietf-tls-kerb-cipher-suites-03.txt (-03) against draft-ietf-tls-kerb-cipher-suites-04.txt (-04). Text common to both versions is shown once; where the versions differ, the old text is marked "-03:" and the new text "-04:".

-03:
INTERNET-DRAFT                                    Ari Medvinsky
Transport Layer Security Working Group            Matthew Hur
draft-ietf-tls-kerb-cipher-suites-03.txt          CyberSafe Corporation
September 18, 1998 (Expires March 18, 1999)

-04:
INTERNET-DRAFT                                    Ari Medvinsky
Transport Layer Security Working Group            Excite
draft-ietf-tls-kerb-cipher-suites-04.txt          Matthew Hur
August 21, 1999 (Expires January 22, 2000)        CyberSafe Corporation

Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)

0. Status Of this Memo

-03:
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.

-04:
This document is an Internet-Draft and is in full conformance with
all provisions of section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF),
its areas, and its working groups. Note that other groups may
also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other than as
``work in progress.''

-04 only:
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the
Internet-Drafts Shadow Directories on ftp.is.co.za (Africa),
nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
-03: ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
-04: ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).

1. Abstract

This document proposes the addition of new cipher suites to the TLS
protocol [1] to support Kerberos-based authentication. Kerberos
credentials are used to achieve mutual authentication and to establish
a master secret which is subsequently used to secure client-server
communication.

2. Introduction
[Unchanged text skipped; the diff resumes at line 193 of -03 and line 200 of -04.]

concerned about the protection domain on a particular machine.
- "MachineName" is the particular instance of the service.
- The Kerberos "Realm" is the domain name of the machine.

5. Summary

The proposed Kerberos authentication option is added in exactly the
same manner as a new public key algorithm would be added to TLS.
Furthermore, it establishes the master secret in exactly the same manner.

-03:
6. Acknowledgements

-04:
6. Security Considerations

Kerberos ciphersuites are subject to the same security considerations as
the TLS protocol. In addition, just as a public key implementation must
take care to protect the private key (for example the PIN for a
smartcard), a Kerberos implementation must take care to protect the long
lived secret that is shared between the principal and the KDC. In
particular, a weak password may be subject to a dictionary attack. In
order to strengthen the initial authentication to a KDC, an implementor
may choose to utilize secondary authentication via a token card, or one
may utilize initial authentication to the KDC based on public key
cryptography (commonly known as PKINIT - a product of the Common
Authentication Technology working group of the IETF).

7. Acknowledgements

We would like to thank Clifford Neuman for his invaluable comments on
earlier versions of this document.

-03: 7. References
-04: 8. References

[1] T. Dierks, C. Allen.
    -03: The TLS Protocol, Version 1.0 - IETF Draft.
    -04: The TLS Protocol, Version 1.0 - RFC 2246.
[2] J. Kohl and C. Neuman
    The Kerberos Network Authentication Service (V5) RFC 1510.

Authors' Addresses

-03:
Ari Medvinsky <arim@cybersafe.com>
Matthew Hur <matth@cybersafe.com>
CyberSafe Corporation
1605 NW Sammamish Raod
Suite 310
Issaquah, WA 98027-5378
Phone: (206) 391-6000
Fax: (206) 391-0508
http://www.cybersafe.com

-04:
Ari Medvinsky
Excite
555 Broadway
Redwood City, CA 94063
Phone +1 650 569 2119
E-mail: amedvins@excitecorp.com
http://www.excite.com

Matthew Hur
CyberSafe Corporation
1605 NW Sammamish Road
Issaquah WA 98027-5378
Phone: +1 425 391 6000
E-mail: matt.hur@cybersafe.com
http://www.cybersafe.com
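Review bot: the new Security Considerations section in -04 points implementors at token-card secondary authentication and at PKINIT as mitigations for dictionary attacks on weak KDC passwords, but the References section still lists only [1] (RFC 2246) and [2] (RFC 1510), so PKINIT is named without a citation; add a reference entry for the PKINIT specification, in the same form as the TLS and Kerberos entries, so the mitigation the text recommends can be located.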
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/