--- 1/draft-ietf-tls-kerb-cipher-suites-03.txt 2006-02-05 02:00:58.000000000 +0100 +++ 2/draft-ietf-tls-kerb-cipher-suites-04.txt 2006-02-05 02:00:58.000000000 +0100 
@@ -1,35 +1,42 @@ INTERNET-DRAFT Ari Medvinsky -Transport Layer Security Working Group Matthew Hur -draft-ietf-tls-kerb-cipher-suites-03.txt CyberSafe Corporation -September 18, 1998 (Expires March 18, 1999) +Transport Layer Security Working Group Excite +draft-ietf-tls-kerb-cipher-suites-04.txt Matthew Hur +August 21, 1999 (Expires January 22, 2000) CyberSafe Corporation Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) 0. Status Of this Memo -This document is an Internet-Draft. Internet-Drafts are working -documents of the Internet Engineering Task Force (IETF), its -areas, and its working groups. Note that other groups may also -distribute working documents as Internet-Drafts. +This document is an Internet-Draft and is in full conformance with +all provisions of section 10 of RFC 2026. Internet-Drafts are +working documents of the Internet Engineering Task Force (IETF), +its areas, and its working groups. Note that other groups may +also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as ``work in progress.'' +The list of current Internet-Drafts can be accessed at +http://www.ietf.org/ietf/1id-abstracts.txt + +The list of Internet-Draft Shadow Directories can be accessed at +http://www.ietf.org/shadow.html. + To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet- Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), -ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). +ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). 1. Abstract This document proposes the addition of new cipher suites to the TLS protocol [1] to support Kerberos-based authentication. 
Kerberos credentials are used to achieve mutual authentication and to establish a master secret which is subsequently used to secure client-server communication. 2. Introduction 
@@ -183,35 +190,54 @@ concerned about the protection domain on a particular machine. - "MachineName" is the particular instance of the service. - The Kerberos "Realm" is the domain name of the machine. 5. Summary The proposed Kerberos authentication option is added in exactly the same manner as a new public key algorithm would be added to TLS. Furthermore, it establishes the master secret in exactly the same manner. -6. Acknowledgements +6. Security Considerations + +Kerberos ciphersuites are subject to the same security considerations as +the TLS protocol. In addition, just as a public key implementation must +take care to protect the private key (for example the PIN for a +smartcard), a Kerberos implementation must take care to protect the long +lived secret that is shared between the principal and the KDC. In +particular, a weak password may be subject to a dictionary attack. In +order to strengthen the initial authentication to a KDC, an implementor +may choose to utilize secondary authentication via a token card, or one +may utilize initial authentication to the KDC based on public key +cryptography (commonly known as PKINIT - a product of the Common +Authentication Technology working group of the IETF). + +7. Acknowledgements We would like to thank Clifford Neuman for his invaluable comments on earlier versions of this document. -7. References +8. References [1] T. Dierks, C. Allen. -The TLS Protocol, Version 1.0 - IETF Draft. +The TLS Protocol, Version 1.0 - RFC 2246. [2] J. Kohl and C. Neuman The Kerberos Network Authentication Service (V5) RFC 1510. 
Authors' Addresses -Ari Medvinsky -Matthew Hur + Ari Medvinsky + Excite + 555 Broadway + Redwood City, CA 94063 + Phone +1 650 569 2119 + E-mail: amedvins@excitecorp.com + http://www.excite.com + Matthew Hur CyberSafe Corporation -1605 NW Sammamish Raod -Suite 310 -Issaquah, WA 98027-5378 -Phone: (206) 391-6000 -Fax: (206) 391-0508 + 1605 NW Sammamish Road + Issaquah WA 98027-5378 + Phone: +1 425 391 6000 + E-mail: matt.hur@cybersafe.com http://www.cybersafe.com
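Review bot: In the first hunk (@@ -1,35 +1,42 @@), the replaced line swaps the US East Coast shadow-directory host from ftp.ietf.org to ds.internic.net, while the same hunk adds www.ietf.org URLs for the 1id-abstracts listing and the Shadow Directories list; confirm the host change is intentional, and consider dropping the older "To learn the current status ..." ftp paragraph entirely, since the two newly added paragraphs now say the same thing. Also, the new header dates the draft August 21, 1999 with an expiry of January 22, 2000, which is about five months rather than the six the boilerplate allows; check the expiry date was computed as intended.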
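Review bot: In the second hunk (@@ -183,35 +190,54 @@), the new Security Considerations section names PKINIT as the public-key initial-authentication option, but the updated References list still carries only [1] (RFC 2246) and [2] (RFC 1510); add a reference entry for the PKINIT specification and cite it at that mention, and point the opening sentence ("subject to the same security considerations as the TLS protocol") at [1] so readers can locate those considerations. The section also discusses only the principal's long-lived secret shared with the KDC; since the Abstract and Summary state that the Kerberos credentials are used to establish the TLS master secret, a sentence on protecting the ticket and session key held in the client's credential cache would round the section out. Minor: in the Authors' Addresses block, "Issaquah WA 98027-5378" is missing the comma used in "Redwood City, CA 94063".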