KRBwg
Last Update: May 05, 2008
The charter of the KRB-WG working group is reported below.

Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary
implementations. Kerberos evolution has continued in recent years,
with the development of a new crypto framework, publication of a new
version of the Kerberos specification, support for initial
authentication using public keys, and numerous extensions developed in
and out of the IETF.

However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, particularly with regard to
making initial authentication of users to the Kerberos system both
convenient and secure. In addition, several key features remain
undefined.

The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to improving the process of client authentication, and produce
specifications for missing functionality.

Specifically, the Working Group will:

  o  Complete existing work:

     -  ECC for PKINIT (draft-zhu-pkinit-ecc-03.txt)
     -  Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-05.txt)
     -  Naming Constraints (draft-ietf-krb-wg-naming-02.txt)
     -  Anonymity (draft-ietf-krb-wg-anon-03.txt)
     -  Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-00.txt)
     -  Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-01.txt)
     -  Referrals (draft-ietf-krb-wg-kerberos-referrals-08.txt)

  o  Prepare and advance a specification for an updated, backward-compatible
     version of the Kerberos version 5 protocol which supports non-ASCII
     principal and realm names, salt strings, and passwords; ensures that
     those portions of the protocol which are not encrypted are nonetheless
     authenticated whenever possible; and enables future protocol revisions
     and extensions.

  o  Develop extensions which reduce or eliminate exposure of Kerberos
     clients' long-term keys to attack and enable the use of alternate
     mechanisms for initial authentication. This task will comprise the
     following items:

     -  A model and framework for preauthentication mechanisms
     -  A mechanism for providing a protected channel for carrying
        preauthentication data and/or a reply key between a Kerberos
        client and KDC, within the KDC_REQ/KDC_REP exchange.
     -  Support for One-Time Passwords
     -  Support for hardware authentication tokens
     -  Support for using TLS to secure communications with Kerberos KDCs.

  o  Examine issues related to the current cross-realm model, produce a
     list of problems to be solved, and evaluate approaches to solving them.

  o  Develop extensions to Kerberos and a GSS-API mechanism (IAKERB) to
     enable Kerberos clients to communicate with a KDC by using a GSS-API
     acceptor as a proxy.

  o  Produce a data model for information needed by the KDC, and an LDAP
     schema for management of that data.

RFC3961  02/2005 (50 p.)  K. Raeburn
Encryption and Checksum Specifications
Status: Proposed Standard

This document describes a framework for defining encryption and
checksum mechanisms for use with the Kerberos protocol, defining an
abstraction layer between the Kerberos protocol and related
protocols, and the actual mechanisms themselves. The document also
defines several mechanisms. Some are taken from RFC 1510, modified
in form to fit this new framework and occasionally modified in
content when the old specification was incorrect. New mechanisms are
presented here as well. This document does NOT indicate which
mechanisms may be considered "required to implement".

RFC3962  02/2005 (16 p.)  K. Raeburn
Advanced Encryption Standard (AES) Encryption for Kerberos 5
Status: Proposed Standard

The United States National Institute of Standards and Technology
(NIST) has chosen a new Advanced Encryption Standard (AES), which is
significantly faster and (it is believed) more secure than the old
Data Encryption Standard (DES) algorithm. This document is a
specification for the addition of this algorithm to the Kerberos
cryptosystem suite.

RFC4120  07/2005 (138 p.)  C. Neuman, T. Yu, S. Hartman, K. Raeburn
The Kerberos Network Authentication Service (V5)

This document provides an overview and specification of Version 5 of
the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects
of the protocol and its intended use that require more detailed or
clearer explanation than was provided in RFC 1510. This document is
intended to provide a detailed description of the protocol, suitable
for implementation, together with descriptions of the appropriate use
of protocol messages and fields within those messages.

RFC4121  07/2005 (20 p.)  L. Zhu, K. Jaganathan, S. Hartman
The Kerberos Version 5 Generic Security Service Application Program
Interface (GSS-API) Mechanism: Version 2
Status: Proposed Standard

This document defines protocols, procedures, and conventions to be
employed by peers implementing the Generic Security Service
Application Program Interface (GSS-API) when using the Kerberos
Version 5 mechanism.

RFC 1964 is updated and incremental changes are proposed in response
to recent developments such as the introduction of the Kerberos
cryptosystem framework. These changes support the inclusion of new
cryptosystems, by defining new per-message tokens along with their
encryption and checksum algorithms based on the cryptosystem
profiles.

RFC4537  06/2006 (6 p.)  L. Zhu, P. Leach, K. Jaganathan
Kerberos Cryptosystem Negotiation Extension

This document specifies an extension to the Kerberos protocol as
defined in RFC 4120, in which the client can send a list of supported
encryption types in decreasing preference order, and the server then
selects an encryption type that is supported by both the client and
the server.

RFC4556  06/2006 (42 p.)  L. Zhu, B. Tung
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)

This document describes protocol extensions (hereafter called PKINIT)
to the Kerberos protocol specification. These extensions provide a
method for integrating public key cryptography into the initial
authentication exchange, by using asymmetric-key signature and/or
encryption algorithms in pre-authentication data fields.

krb-wg-anon-05  Waiting for AD Go-Ahead  Jan 27, 2008 (11 p.)  L. Zhu, P. Leach
Anonymity Support for Kerberos
Intended Status: Proposed Standard

This document defines extensions to the Kerberos protocol for the
Kerberos client to authenticate the Kerberos Key Distribution Center
and the Kerberos server, without revealing the client's identity. It
updates RFC 4120. These extensions can be used to secure
communication between the anonymous client and the server.

zhu-pkinit-ecc-04  Waiting for AD Go-Ahead  Oct 24, 2007 (11 p.)  L. Zhu, K. Jaganathan, K. Lauter
ECC Support for PKINIT
Intended Status: Informational

This document describes the use of Elliptic Curve certificates,
Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman
(ECDH) key agreement within the framework of PKINIT - the Kerberos
Version 5 extension that provides for the use of public key
cryptography.

krb-wg-gss-cb-hash-agility-03  ID Exists  Nov 9, 2007 (12 p.)  S. Emery
Kerberos Version 5 GSS-API Channel Binding Hash Agility
Intended Status: Standards Track

Currently, the Kerberos Version 5 Generic Security Services
Application Programming Interface (GSS-API) mechanism [RFC4121] does
not have the ability to utilize better hash algorithms used to
generate channel binding identities. The current mechanism for doing
this is hard coded to use MD5 only. The purpose of this document is
to outline changes required to update the protocol so that more
secure algorithms can be used to create channel binding identities.
The extensibility of this solution also provides an eventual
replacement of identities based solely on hash algorithms.

krb-wg-kerberos-referrals-10  ID Exists  Feb 25, 2008 (18 p.)  K. Raeburn, L. Zhu
Generating KDC Referrals to Locate Kerberos Realms
Intended Status: Standards Track

The memo documents a method for a Kerberos Key Distribution Center
(KDC) to respond to client requests for Kerberos tickets when the
client does not have detailed configuration information on the realms
of users or services. The KDC will handle requests for principals in
other realms by returning either a referral error or a cross-realm
TGT to another realm on the referral path. The clients will use this
referral information to reach the realm of the target principal and
then receive the ticket.

krb-wg-otp-preauth-04  ID Exists  Apr 30, 2008 (33 p.)  G. Richards
OTP Pre-authentication
Intended Status: Standards Track

The Kerberos protocol provides a framework for authenticating a client
using the exchange of pre-authentication data. This document
describes the use of this framework to carry out One Time Password
(OTP) authentication.

krb-wg-preauth-framework-07  ID Exists  Feb 24, 2008 (40 p.)  L. Zhu, S. Hartman
A Generalized Framework for Kerberos Pre-Authentication
Intended Status: Standards Track

Kerberos is a protocol for verifying the identity of principals
(e.g., a workstation user or a network server) on an open network.
The Kerberos protocol provides a mechanism called pre-authentication
for proving the identity of a principal and for better protecting the
long-term secret of the principal.

This document describes a model for Kerberos pre-authentication
mechanisms. The model describes what state in the Kerberos request a
pre-authentication mechanism is likely to change. It also describes
how multiple pre-authentication mechanisms used in the same request
will interact.

This document also provides common tools needed by multiple
pre-authentication mechanisms. One of these tools is a secure channel
between the client and the KDC with a reply key delivery mechanism;
this secure channel can be used to protect the authentication
exchange, thus eliminating offline dictionary attacks. With these
tools, it is relatively straightforward to chain multiple
authentication mechanisms, utilize a different key management system,
or support a new key agreement algorithm.

kamada-krb-client-friendly-cross-03  ID Exists  Nov 16, 2007 (14 p.)  K. Kamada, S. Sakane
Client-Friendly Cross-Realm Model for Kerberos 5

This document proposes a cross-realm traversal model, which is
suitable for resource-limited clients, for Kerberos Version 5. This
model relieves the clients of the traversal cost by two means. One
moves the cost of consecutive Ticket-Granting Service (TGS) exchanges
from clients to Key Distribution Centers (KDCs). The other reduces
the traversal cost itself by generating a direct inter-realm
relationship between two realms. The document describes the behavior of
clients and KDCs, but does not specify any wire format, which needs to
be specified separately.