Tech-invite3GPPspecsGlossariesIETFRFCsGroupsSIPABNFs   Ti+SearchTech-invite World Map Symbol

RFC 1507


DASS - Distributed Authentication Security Service

Part 2 of 4, p. 25 to 55
Prev RFC Part       Next RFC Part


prevText      Top      Up      ToC       Page 25 
2. Services Used

   Aside from operating system services needed to maintain its internal
   state, DASS relies on a global distributed database in which to store
   its certificates, a reliable source of time, and a source of random
   numbers for creating cryptographic keys.

2.1 Time Service

   DASS requires access to the current time in several of its
   algorithms.  Some of its uses of time are security critical.  In
   others, network synchronization of clocks is required.  DASS does
   not, however, depend on having a single source of time which is both
   secure and tightly synchronized.

   The requirements on system provided time are:

    - For purposes of validating certificates and tickets, the
      system needs access to know the date and time accurate to
      within a few hours with no particular synchronization
      requirements.  If this time is inaccurate, then valid requests
      may be rejected and expired messages may be accepted.
      Certificate expiration is a backup revocation mechanism, so
      this can only cause a security compromise in the event of
      multiple failures.  In theory, this could be provided by
      having a local clock on every node accurate to within a few
      hours over the life of the product to provide this function.

Top      Up      ToC       Page 26 
      If an insecure network time service is used to provide this
      time, there are theoretical security threats, but they are
      expected to be logistically impractical to exploit.

    - For purposes of detecting replay of authentication tokens, the
      system needs access to a  strictly monotonic time source which
      is reasonably synchronized across the network (within a few
      minutes) for the system to work, but inaccuracy does not
      present a security threat except as noted below. It may
      constitute an availability threat because valid requests may
      be rejected.  In order to get strict monotonicity in the
      presence of a rapid series of requests, time must be returned
      with high precision.  There is no requirement for a high
      degree of accuracy.  Inaccurate time could present a security
      threat in the following scenario: if a client's clock is made
      sufficiently fast that its tokens are rejected, someone
      harvesting those tokens from the wire could replay them later
      and impersonate the client.  In some environments, this might
      be an easier threat than harvesting tokens and preventing
      their delivery.

    - For purposes of aging stale entries from caches, DASS requires
      reasonably accurate timing of intervals.  To the extent that
      intervals are reported as shorter than the actually were,
      revocation of certificates from the naming service may not be
      as timely as it should be.

2.2 Random Numbers

   In order to generate keys, DASS needs a source of "cryptographic
   quality" random numbers.  Cryptographic quality means that
   knowing any of the "random numbers" returned from a series and
   knowing all state information which is not protected, an attacker
   cannot predict any of the other numbers in the series.  Hardware
   sources are ideal, but there are alternative techniques which may
   also be acceptable. A 56 bit "truly random" seed (say from a
   series of coin tosses) could be used as a DES key to encrypt an
   infinite length known text block in CBC mode to produce a pseudo-rand
   sequence provided the key and current point in the sequence were
   adequately protected.  There is considerable controversy
   surrounding what constitutes cryptographic quality random
   numbers, and it is not a goal of this document to resolve it.

2.3 Naming Service

   DASS stores creates and uses "certificates" associated with every
   principal in the system, and encrypted credentials associated
   with most.  This information is stored in an on-line service

Top      Up      ToC       Page 27 
   associated with the principal being certified.  The long term
   vision is for DASS to use an X.500 naming service, and DASS will
   from its inception authenticate X.500 names.  To avoid a
   dependence on having an X.500 naming service available (and to
   gain the benefits of a "login agent" that controls password
   guessing), an alternative certificate  distribution center
   protocol is also described.

   The specific requirements DASS places on the naming service are:

    - It must be highly available.  A user's naming service entry
      must be available to any node where the user is to obtain
      services (or service will be denied).  A server's naming
      service entry must be available from any node from which the
      service is to be invoked (or service will be denied).

    - It must be timely.  The presence of "stale" information in the
      naming service may cause some problems.  When a password
      changes, the old password may remain valid (and the new
      password invalid) to the extent the naming service provides
      stale information.  When a user or server is added to the
      network, it will not be able to participate in authentication
      until the information added to the naming service is available
      at the node doing the authentication.  In the unusual
      circumstance that a key changes, the entity whose key has
      changed will not be able to use the new key until the new
      certificate is uniformly available.

    - It must be secure with regard to certain specific properties.
      In general, the security of DASS protected applications does
      not depend on the security of the naming service.  It is
      expected that the availability needs of the naming service
      will prevent it from being as secure as some applications need
      to be.  There are two aspects of DASS security which do depend
      on the security of the naming service: timely revocation of
      certificates and protection of user secrets against dictionary
      based password guessing. DASS depends on the removal of
      certificates from the naming service in order to revoke them
      more quickly than waiting for them to time out.  For this
      mechanism to provide any actual security, it must not be
      possible for a network entity to "impersonate" the naming
      service and the naming service must be able to enforce access
      controls which prevent a revoked certificate from being
      reinstated by an unauthorized entity.  In the long run, it is
      expected that DASS itself will be used to secure the naming
      service, which presents certain potential recursion problems
      (to be addressed in the naming service design).  If the naming
      service is not authenticated (as is expected in early

Top      Up      ToC       Page 28 
      versions) attacks where a revoked certificate is "reinstated"
      through impersonation of the naming service are possible.

   The specific functions DASS requests of the naming service are

    - Given an X.500 name, store a set of certificates associated
      with that name.

    - Given an X.500 name, retrieve the set of certificates
      associated with that name.

    - Given an X.500 name, store a set of encrypted credentials
      associated with that name.

    - Given and X.500 name, retrieve a set of encrypted credentials
      associated with that name.

   Implementation over a particular naming service may implement more
   specialized functions for reasons of efficiency.  For example, the
   certificates associated with a name may be separated into several
   sets (child, parent, cross, self) so that only the relevant ones may
   be retrieved.  In order that access to the naming service itself be
   secure, the protocols should be authenticated.  Certificates should
   generally be readable without authentication in order to avoid
   recursion problems.  Requests to read encrypted credentials should be
   specialized and should include proof of knowledge of the password in
   order that the naming service can audit and slow down false password

   The following sections describe the interfaces to specific naming

2.3.1 Interface to X.500

   Certificates associated with a particular name are stored as
   attributes of the entry as specified in X.509.  X.509 defines
   attributes appropriate for parent and cross certificates
   (CrossCertificatePair, CACertificate) for some principals; we will
   have to define a DASSUserPrincipal object class including these
   attributes in order to properly use them with ordinary users.
   Retrieval is via normal X.500 protocols.  Certificates should be
   world readable and modifiable only by appropriate authorities.

   Encrypted credentials are stored with the entry of the principal
   under a yet to be defined attribute.  The credentials should be
   encoded as specified in section 4.  In the absence of extensions to
   the X.500 protocol to control password guessing, the encrypted

Top      Up      ToC       Page 29 
   credentials should be world readable and updatable only by the named
   principal and other appropriate authorities.

2.3.2 Interface to CDC

   The CDC (Certificate Distribution Center) is a special purpose name
   server created to service DASS until an X.500 service is available in
   all of the environments where DASS needs to operate.  The CDC uses a
   special purpose protocol to communicate with DASS clients.  The
   protocol was designed for efficiency, simplicity, and security.  CDCs
   use DASS as an authentication mechanism and to protect encrypted
   credentials from unaudited password guessing.

   Each DASS client maintains a list of CDCs and the portion of the
   namespace served by that CDC.  Each directory has a master replica
   which is the only one which will accept updates.  The CDCs maintain
   consistency with one another using protocols beyond the scope of this
   document.  When a DASS client wishes to make a request of a CDC, it
   opens a TCP or DECnet connection to the CDC and sends an ASN.1 (BER)
   encoded request and receives a corresponding ASN.1 (BER) encoded
   response.  Clients are expected to learn the IP or DECnet address and
   port number of the CDC supporting a particular name from a local
   configuration file.  To maximize performance, the requests bundle
   what would be several requests if made in terms of requests for
   individual certificates.  It is intended that all certificates needed
   for an authentication operation be retrievable with at most two CDC
   requests/responses (one to the CDC of the client and one to the CDC
   of the server).

   Documented here is the protocol a DASS client would use to retrieve
   certificates and credentials from a CDC and update a user password.
   This protocol does not provide for updates to the certificate and
   credential databases.  Such updates must be supported for a practical
   system, but could be done either by extensions to this protocol or by
   local security mechanisms implemented on nodes supporting the CDC.
   Similarly, availability can be enhanced by replicating the CDC.
   Automating the replication of updates could be implemented by
   extensions to this protocol or by some other mechanism.  This
   specification assumes that updates and replication are local matters
   solved by individual CA/CDC implementations.

   Requests and responses are encoded as follows: ReadPrinCertRequest

   This request asks the CDC to return the child certificates and
   selected incoming cross certificates for the specified object.  The
   format of the request is:

Top      Up      ToC       Page 30 
        ReadPrinCertRequest ::= [4] IMPLICIT SEQUENCE {
             flags [0] BIT STRING DEFAULT {},
             index [1] IMPLICIT INTEGER DEFAULT 0,
             resolveFrom [2] Name OPTIONAL,
             principal Name,
             crossCertIssuers ListOfIssuers OPTIONAL
        ListOfIssuers ::= SEQUENCE OF Name

   The first 24 bits of flags, if present, contain a protocol version
   number.  Clients following this spec should place the value 2.0.0 in
   the three bytes.  Servers following this spec should accept any value
   of the form 1.x.x or 2.x.x.  flags bits beyond the first 24 are
   reserved for future use (should not be supplied by clients and should
   be ignored by servers).

   index is only used if the response exceeds the size of a single
   message; in that case, the query is repeated with index set to the
   value that was returned by ReadPrinCertResponse.  resolveFrom and
   principal imply a set of entities for which certificates should be
   retrieved.  resolveFrom (if present) must be an ancestor of principal
   and child certificates will be retrieved for principal and all names
   which are ancestors of principal but descendants of resolveFrom.  The
   encoding of names is per X.500 and is specified in more detail in
   section 4.  The CDC returns the certificates in order of the object
   they came from, parents before children.

   crossCertIssuers is a list of cross certifiers that would be believed
   in the context of this authentication.  If supplied, the CDC may
   return a chain of certificates starting with one of the named
   crossCertIssuers and ending with the named principal.  One of
   resolveFrom or crossCertIssuers must be present in any request; if
   both are present, the CDC may return either chain. ReadPrinCertResponse

   This is the response a CDC sends to a ReadPrinCertRequest.  Its
   syntax is:

        ReadPrinCertResponse ::= [5] IMPLICIT SEQUENCE {
             status [0] IMPLICIT CDCstatus DEFAULT success,
             index [1] INTEGER OPTIONAL,
             resolveTo [2] Name OPTIONAL,
             certSequence [3] IMPLICIT CertSequence,
             indexInvalidator [4] OCTET STRING (SIZE(8)) OPTIONAL,
             flags [5] BIT STRING OPTIONAL
        CertSequence ::= SEQUENCE OF Certificate

Top      Up      ToC       Page 31 
   status indicates success or the cause of the failure.

   index if present indicates that the request could not be fully
   satisfied in a single request because of size limitations.  The
   request should be repeated with this index supplied in the request to
   get more.

   resolveTo will be present if index is present and should be supplied
   in the request for more certificates.  certSequence contains
   certificates found matching the search criteria.

   indexInvalidator may be present and indicates the version of the
   database being read.  If a set of certificates is being read in
   multiple requests (because there were too many to return in a single
   message), the reader should check that the value for indexInvalidator
   is the same on each request.  If it is not, the server may have
   skipped or duplicated some certificates.  This field must not be
   present if the version number in the request was missing or version

   The first 24 bits of flags, if present, indicate the protocol version
   number.  Implementers of this version of the spec should supply 2.0.0
   and should accept any version number of the form 1.x.x or 2.x.x. ReadOutgoingCertRequest

   This requests from the CDC a list of all parent and outgoing cross
   certificates for a specified object.  A CDC is capable of storing
   cross certificates either with the subject or the issuer of the cross
   certificate.  In response to this request, the CDC will return all
   parent and cross certificates stored with the issuer for the named
   principal and all of its ancestors. Its syntax is:

        ReadOutgoingCertRequest ::= [6] IMPLICIT SEQUENCE {
             flags [0] BIT STRING DEFAULT {},
             index [1] IMPLICIT INTEGER DEFAULT 0,
             principal Name

   The first 24 bits of flags is a protocol version number and should
   contain 2.0.0 for clients implementing this version of the spec.
   Servers implementing this version of the spec should accept any
   version number of the form 1.x.x or 2.x.x.  The remaining bits are
   reserved for future use (they should not be supplied by clients and
   they should be ignored by servers).

   index is used for continuation (see ReadPrinCertRequest).

Top      Up      ToC       Page 32 
   principal is the name for which certificates are requested. ReadOutgoingCertResponse

   This is the response to a ReadOutgoingCertRequest.  Its syntax is:

        ReadOutgoingCertResponse::= [7] IMPLICIT SEQUENCE {
             status [0] IMPLICIT CDCStatus DEFAULT success,
             index [1] INTEGER OPTIONAL,
             certSequence [2] IMPLICIT CertSequence,
             indexInvalidator [3] OCTET STRING (SIZE(8))
             flags [4] BIT STRING OPTIONAL

        CertSequence ::= SEQUENCE OF Certificate

   status indicates success of the cause of failure of the operation.

   index is used for continuation; see ReadPrinCertRequest.

   certSequence is the list of parent and outgoing cross certificates.

   indexInvalidator is used for continuation; see ReadPrinCertResponse
   (the same rules apply with respect to version numbers).

   The first 24 bits of flags, if present, contain the protocol version
   number.  Clients implementing this version of the spec should supply
   the value 2.0.0.  Servers should accept any values of the form 1.x.x
   or 2.x.x.  The remaining bits are reserved for future use (they
   should not be supplied by clients and should be ignored by servers). ReadCredentialRequest

   This request is made to retrieve an principal's encrypted
   credentials.  To prevent unaudited password guessing, this structure
   includes an encrypted value that proves that the requester knows the
   password that will decrypt the structure.  The syntax of the request

        ReadCredentialRequest ::= [2] IMPLICIT SEQUENCE {
             flags [0] BIT STRING DEFAULT {}
             principal Name,
             logindata [2] BIT STRING DEFAULT {},
             token [3] BIT STRING OPTIONAL

Top      Up      ToC       Page 33 
   The first 24 bits of flags contains the version number of the
   protocol.  The value 2.0.0 should be supplied. Any value of the form
   1.x.x or 2.x.x should be accepted. Any additional bits are reserved
   for future use (should not be supplied by clients and should be
   ignored by servers).

   principal is the name of the principal for whom encrypted credentials
   are desired.

   logindata is an encrypted value.  It may only be present if the
   version number is 2.0.0 or higher.  It must be present to read
   credentials which are protected by the login agent functionality of
   the CDC.  It is constructed as a single RSA block encrypted under the
   public key of the CDC.  The public key of the CDC is learned by some
   local means.  Possibilities include a local configuration file or by
   using DASS to read and verify a chain of certificates ending with the
   CDC [the CDC serving a directory should have its public key listed
   under a name consisting of the directory name with the RDN
   "CSS=X509"; the OID for the type CSS is].  The contents of
   the block are as follows:

    - The low order eight bytes contain a randomly generated DES key
      with the last byte of the DES key placed in the last byte of
      the RSA block.  This DES key will be used by the CDC to
      encrypt the response.  Key parity bits are ignored.

    - The next to last eight bytes contain a long Posix time with
      the integer time encoded as a byte string using big endian

    - The next eight bytes (from the end) contain a hash of the
      password.  The algorithm for computing this hash is listed in
      section 4.4.2.  The CDC never computes this hash; it simply
      compares the value it receives with the value associated with
      the credentials.

    - The next sixteen bytes (from the end) contain zero.

    - The remainder of the RSA block (which should be the same size
      as the public modulus of the CDC) contains a random number.
      The first byte should be chosen to be non-zero but so the
      value in the block does not exceed the RSA modulus.  Servers
      should ignore these bits.  This random number need not be of
      cryptographic strength, but should not be the same value for
      all encryptions.  Repeating the DES key would be adequate.

    - The byte string thus constructed is encrypted using the RSA
      algorithm by treating the string of bytes as a "big endian"

Top      Up      ToC       Page 34 
      integer and treating the integer result as "big endian" to
      make a string of bytes.

   token will not be present in the initial implementation but a space
   is reserved in case some future implementation wants to authenticate
   and audit the node from which a user is logging in. ReadCredentialProtectedResponse

   This is the second possible response to a ReadPrinLoginRequest.  It
   is returned when the encrypted credentials are protected from
   password guessing by the CDC acting as a login agent.  Its syntax is:

   ReadCredentialProtectedResponse::=[16] IMPLICIT SEQUENCE {
           status [0] IMPLICIT CDCStatus DEFAULT success,
           encryptedCredential [1] BIT STRING,
           flags [2] BIT STRING OPTIONAL

   status indicates that the request succeeded or the cause of the

   encryptedCredential contains the DASSPrivateKey structure (defined in
   section 4.1) encrypted under a DES key computed from the user's name
   and password as specified in section 4.4.2 and then reencrypted under
   the DES key provided in the ReadPrinLoginRequest.

   The first 24 bits of flags, if present, contains the version number
   of the protocol.  Implementers of this version of the spec should
   supply 2.0.0 and should accept any version number of the form 2.x.x.
   Other bits are reserved for future use (they should not be supplied
   and they should be ignored). WriteCredentialRequest

   This is a request to update the encrypted credential structure.  It
   is used when a user's key or password changes.  The syntax of the
   request is:

        WriteCredentialRequest ::= [17] IMPLICIT SEQUENCE {
             flags [0] BIT STRING DEFAULT {},
             authtoken [2] BIT STRING OPTIONAL,
             principal [3] Name,
             logindata [4] BIT STRING DEFAULT {},
             furtherSensitiveStuff [5] BIT STRING

   The first 24 bits of flags is a version number.  Clients implementing

Top      Up      ToC       Page 35 
   this version of the spec should supply 2.0.0.  Servers should accept
   any value of the form 2.x.x.  Additional bits are reserved for future
   use (clients should not supply them and servers should ignore them).

   token, if present, authenticates the entity making the request.  A
   request will be accepted either from a principal proving knowledge of
   the password (see logindata below) or a principal presenting a token
   in this field and satisfying the authorization policy of the CDC.
   This field need not be present if logindata includes the hash2 of the
   password (anyone knowing the old password may set a new one).

   principal is the name of the object for which encrypted credentials
   should be updated.

   logindata is encrypted as in ReadPrinLoginRequest.  It proves that
   the requester knows the old password of the principal to be updated
   (unless the token supplied is from the user's CA) and includes the
   key which encrypts furtherSensitiveStuff.

   furtherSensitiveStuff is an encrypted field constructed as follows:

    - The first eight bytes consist of the hash2 defined in section
      4.4.2 with the last byte of the hash2 value stored first.  The
      CDC stores this value and compares it with the values supplied
      in future requests of ReadCredentialRequest and

    - The next (variable number of) bytes contains a DASSPrivateKey
      structure (defined in section 4.1).  This is the new
      credential structure that will be returned by the CDC on
      future ReadCredentialRequests.

    - The result is padded with zero bytes to a multiple of eight

    - The entire padded string is encrypted using the key from
      logindata or token using DES in CBC mode with zero IV.

   the new eight byte "hash2" defined in section 4.4.2 concatenated with
   the DASSPrivateKey structure encrypted under the new "hash1" all
   encrypted under the DES key included in logindata. HereIsStatus

   This is the response message to ill-formed requests and requests that
   only return a status and no data.  It's syntax is:

Top      Up      ToC       Page 36 
        HereIsStatus ::= [1] IMPLICIT SEQUENCE {
             status [0] IMPLICIT CDCStatus DEFAULT success

   status indicates success or the cause of the failure. Status Codes

   The following are the CDCStatus codes that can be returned by
   servers.  Not all of these values are possible with all calls, and
   some of the status codes are not possible with any of the calls
   described in this document.

        CDCStatus ::= INTEGER {


             wrongCDC(2),     --this CDC does not store the
                              --requested information


             decodeRequestError(5),--invalid BER
             illegalRequest(6),    --request not recognised


             notPrimaryCDC(9),--write requests not accepted
                              --at this CDC replica







Top      Up      ToC       Page 37 



3. Services Provided

   This section specifies the services provided by DASS in terms of
   abstract interfaces and a model implementation.  A particular
   implementation may support only a subset of these services and may
   provide them through interfaces which combine functions and supply
   some parameters implicitly. The specific calling interfaces are in
   some cases language and operating system specific.  An actual
   implementation may choose, for example, to structure interfaces so
   that security contexts are established and then passed implicitly in
   calls rather than explicitly including them in every call.  It might
   also bundle keys into opaque structures to be used with supplied
   encryption and decryption routines in order to enhance security and
   modularity and better comply with export regulations. Annex B
   describes a Portable API designed so that applications using a
   limited subset of the capabilities of DASS can be easily ported
   between operating systems and between DASS and Kerberos based
   environments.  The model implementation describes data structures
   which include cached values to enhance performance.  Implementations
   may choose different contents or different caching strategies so long
   as the same sequence of calls would produce the same output for some
   caching policy.

   DASS operates on four kinds of data structures: Certificates,
   Credentials, Tokens, and Certification Authority State.  Certificates
   and Tokens are passed between implementations and thus their exact
   format must be architecturally specified. This detailed bit-for-bit
   specification is in section 4. Credentials generally exist only
   within a single node and their format is therefore not specified
   here. The contents of all of these data structures is listed below
   followed by the algorithms for manipulating them.

   There are three kinds of services provided by DASS: Certificate
   Maintenance, Credential Maintenance, and Authentication. The first
   two kinds exist only in support of the third. Certificate maintenance
   functions maintain the database of public keys in the naming service.
   These functions tend to be fairly specialized and may not be
   supported on all platforms. Before authentication can take place,
   both authenticating principals must have constructed credentials
   structures. These are built using the Credential Maintenance calls.

Top      Up      ToC       Page 38 
   The Authentication functions use credential information and
   certificates, produce and consume authentication tokens and tell the
   two communicating parties one another's names.

3.1 Certificate Contents

   For purposes of this architecture, a certificate is a data structure
   posted in the naming service which proclaims that knowledge of the
   private key associated with a stated public key authenticates a named
   principal. Certificates are "signed" by some authority, are readable
   by anyone, and can be verified by anyone knowing the public key of
   the authority.  DASS organizes the CA trust hierarchy around the
   naming hierarchy. There exists a trusted authority associated with
   each directory in the naming hierarchy. Generally, each authority
   creates certificates stating the public keys of each of its children
   (in the naming hierarchy) and the public key of its parent (in the
   naming hierarchy). In this way, anyone knowing the public key of any
   authority can learn the public key of any other by "walking the
   tree". In order that principals may authenticate even when all of
   their ancestor directories do not participate in DASS, authorities
   may also create "cross-certificates" which certify the public key of
   a named entity which is not a descendent.  Rules for finding and
   following these cross-certificates are described in the Get_Pub_Keys
   routines.  Every principal is expected to know the public key of the
   CA of the directory in which it is named. This must be securely
   learned when the principal is initialized and may be maintained in
   some form of local storage or by having the principal sign a
   certificate listing the name and public key of its parent and posting
   that certificate in the naming service.

   The syntax and content of DASS certificates are defined in terms of
   X.509 (Directory - Authentication Framework).  While that standard
   prescribes a single syntax for certificates, DASS considers
   certificates to be of one of six types:

    - Normal Principal certificates are signed by a CA and certify
      the name and public key of a principal where the name of the
      CA is a prefix of the name of the principal and is one
      component shorter.

    - Trusted Authority certificates are signed by an ordinary
      principal and certify the name and public key of the
      principal's CA (i.e., the CA whose name is a prefix of the
      principal's name and is one component shorter).

    - Child certificates are signed by a CA and certify the name and
      public key of a CA of a descendent directory (i.e., where the
      name of the issuing CA is a prefix of the name of the subject

Top      Up      ToC       Page 39 
      CA and is one component shorter).

    - Parent certificates are signed by a CA and certify the name
      and public key of the CA of its parent directory (i.e., whose
      name is a prefix of the name of the issuer and is one
      component shorter).

    - Cross certificates are signed by a CA and certify the name and
      public key of a CA of a directory where neither name is a
      prefix of the other.

    - Self certificates are signed by a principal or a CA and the
      issuer and subject name are the same.  They are not used in
      this version of the architecture but are defined as a
      convenient data structure in which in which implementations
      may insecurely pass public keys and they may be used in the
      future in certain key roll-over procedures.

   It is intended that some future version of the architecture relax the
   restrictions above where prefixes must be one component shorter.
   Being able to handle certificates where prefixes are two or more
   components shorter complicates the logic of treewalking somewhat and
   is not immediately necessary, so such certificates are disallowed for

   The syntax of certificates is defined in section 4. For purposes of
   the algorithms which follow, the following is the portion of the
   content which is used (names in brackets refer to the field names in
   the ASN.1 encoded structure):

    - UID of the issuer (optional)

    - Full name of the issuer (the authority or principal signing)

    - UID of the subject (optional)

    - Full name of the subject (the authority or principal whose key
      is being certified) [subject]

    - Public Key of the subject [subjectPublicKey]

    - Period of validity (effective date and expiration date)

    - Signature over the entire content of the certificate created
      using the private key of the issuer.

Top      Up      ToC       Page 40 
   When parsing a certificate, the reader compares the two name fields
   to determine what type of certificate it is. For Parent and Trusted
   Authority certificates, the names are ignored for purposes of all
   further processing. For Child and Normal Principal certificates, only
   the suffix by which the child's name is longer than the parent's is
   used for further processing. The reason for this is so that if a
   branch of the namespace is renamed, all of the certificates in the
   moved branch remain valid for purposes of DASS processing. The only
   purposes of having full names in these certificates are (1) to comply
   with X.509, (2) for possible interoperability with other
   architectures using different algorithms, and (3) to allow principals
   to securely store their own names in trusted authority certificates
   in the case where they do not have enough local storage to keep it.

3.2 Encrypted Private Key Structure

   In order that humans need only remember a password rather than a full
   set of credentials, and also to make installation of nodes and
   servers easier, there is a defined format for encrypting RSA secrets
   under a password and posting in the naming service. This structure
   need only exist when passwords are used to protect RSA secrets; for
   servers which keep their secrets in non-volatile memory or users who
   carry smart cards, they are unnecessary.

   This structure includes the RSA private/public key pair encrypted
   under a DES key. The DES key is computed as a one-way hash of the
   password.  This structure also optionally includes the UID of the
   principal.  It is needed only if a single RSA key is shared by
   multiple principals (with multiple UIDs).

   Since this structure is posted in the name service and may be used by
   multiple implementations, its format must be architecturally defined.
   The exact encoding is listed in section 4.

3.3 Authentication Tokens

   This section of the document defines the contents of the
   authentication tokens which are produced and consumed by Create_token
   and Accept_token. With DASS, the token passed from the client to the
   server is complex, with a large number of optional parts, while the
   token passed from server to client (in the case of mutual
   authentication only) is small and simple.

   The authentication token potentially contains a large number of
   parts, most of which are optional depending on the type of
   authentication. The following defines the content and purpose of each
   of the parts, but does not describe the actual encoding (in the
   belief that such details would be distracting). The encoding is in

Top      Up      ToC       Page 41 
   section 4.

   The authentication process begins when the initiator calls
   Create_token with the name of the target. This routine returns an
   authentication token, which is sent to the target. The target calls
   Accept_token passing it the token. Both routines produce a second
   "mutual authentication token". The target returns this to the
   initiator to prove that it received the token.

3.3.1 Initial Authentication Token

   The components of the initial authentication token are (names in
   brackets refer to the field names within the ASN.1 encoded structures
   defined in section 4):

    a) Encrypted Shared Key - [authenticatingKey] - This is a Shared
       (DES) key encrypted under the public key of the target. Also
       included in the encrypted structure is a validity interval and
       a recognizable pattern so that the receiver can tell whether
       the decryption was successful.

    b) Login Ticket - [sourcePrincipal.userTicket] - This is a
       "delegation certificate" signed by a principal's long term
       private key delegating to a short term public key. Its "active
       ingredients" are:

      1) UID of delegating principal [subjectUID]

      2) Period of validity [validity]

      3) Delegation public key [delegatingPublicKey]

      4) Signature by private key of principal
         The existence of this signature is testimony that the
         private key corresponding to the delegation public key
         speaks for the user during the validity interval.
         This data structure is optional and will be missing if the
         authentication is only on behalf of a Local Username on a
         node (i.e., proxy) rather than on behalf of a real principal
         with a real key.

    c) Shared Key Ticket - [sourcePrincipal.sharedKeyTicketSignature]
       - This is a signature of the Encrypted Shared Key by the
       Delegation Public key in the Login Ticket.  The existence of
       this signature is testimony that  the DES key in the encrypted
       shared key speaks for the user.

       This data structure is optional and will be missing if the

Top      Up      ToC       Page 42 
       authentication is only on behalf of a Local Username on a node
       (i.e., proxy) rather than on behalf of a real principal with a
       real key. It will also be missing if delegation is taking

    d) Node Ticket - [sourceNode.nodeTicketSignature] - This is a
       signature of the Encrypted Shared key and a "Local Username"
       on the host node by the node's private key.  The existence of
       this signature is testimony by the node that the DES key in
       the encrypted shared key speaks for the named account on that

    e) Delegator - [sourcePrincipal.delegator] - This data structure
       contains the private login key encrypted under the Shared key.
       It is optional and is present only if the initiator is
       delegating to the destination.

    f) Authenticator - [authenticatorData] - This data structure
       contains a timestamp and a message digest of the channel
       bindings signed by the Shared Key. It is always present.

    g) Principal name - [sourcePrincipal.userName] - This is the name
       of the initiating principal. It is optional and will be
       missing for strong proxy where bits on the wire are at a
       premium and where the destination is capable of independently
       constructing the name.

    h) Node name - [sourceNode.nodeName] - This is the name of the
       initiating node. It is optional and will be missing for strong
       proxy where bits on the wire are at a premium and the name is
       present elsewhere in the message being passed.

    i) Local Username - [sourceNode.username] - This is the local
       user name on the initiating node. It is optional and will be
       missing for strong proxy where bits on the wire are at a
       premium and where the name is present elsewhere in the message
       being passed.

3.3.2 Mutual Authentication Token

   The authentication buffer sent from the target to the initiator (in
   the case of mutual authentication) is much simpler. It contains only
   the timestamp taken from the authenticator encrypted under the Shared
   Key.  It is ASN.1 encoded to allow for future extensions.

Top      Up      ToC       Page 43 
3.4 Credentials

   DASS organizes its internal state with Credentials structures.  There
   are many kinds of information which can be stored in credentials.
   Rather than making a different kind of data structure for each kind
   of data, DASS provides a single credentials structure where most of
   its fields are optional.  Operating systems must provide some
   mechanism for having several processes share credentials. An example
   of a mechanism for doing this would be for credentials to be stored
   in a file and the name of the file is used as a "handle" by all
   processes which use those credentials. Some of the calls which follow
   cause credentials structures to be updated. It is important to the
   performance of a system that updates to credentials (such as occur
   during the routines Verify_Principal_Name and Verify_Node_Name, where
   the caches are updated) be visible to all processes sharing those

   In many of the calls which follow, the credentials passed may be
   labeled: claimant credentials, verifier credentials or some such.
   This indicates whose credentials are being passed rather than a type
   of credentials. DASS supports only one type of credentials, though
   the fields present in the credentials of one sort of principal may be
   quite different from those present in the credentials of another.

   An implementation may choose to support multiple kinds of credentials
   structures each of which will support only a subset of the functions
   available if it is not implementing the full architecture.  This
   would be the case, for example, if an implementation did not support
   the case where a server both received requests from other principals
   and made requests on its own behalf using a single set of

   The following are a list of the fields that may be contained in a
   credentials structure. They are grouped according to common usage.

3.4.1 Claimant information

   This is the information used when the holder of these credentials is
   requesting something. It includes:

    a) Full X.500 name of the principal

    b) Public Key of the principal

    c) Login Ticket - a login ticket contains:

      1) the UID of the principal

Top      Up      ToC       Page 44 
      2) a period of validity (effective date & expiration date)

      3) a delegation public key

      4) a signature of the ticket contents by the principal's long
         term key

    d) Delegation Private Key (corresponding to the public key in c3)

    e) Encrypted Shared Key (present only when credentials were
       created by accept_token; this information is needed to verify
       a node ticket after credentials are accepted)

3.4.2 Verifier information

   This is the information needed by a server to decrypt incoming
   requests. It is also used by generate_server_ticket to generate a
   login ticket.

    a) RSA private key.

3.4.3 Trusted Authority

   This is information used to seed the walk of the CA hierarchy to
   reliably find the public key(s) associated with a name.
   Normally, the trusted authority in a set of credentials will be
   the directory parent of the principal named in Claimant
   information.  In some circumstances, it may instead be the
   directory parent of the node on which the credentials reside.

    a) Full X.500 name of a CA

    b) Corresponding RSA Public Key

    c) Corresponding UID

3.4.4 Remote node authentication

   This information is present only for credentials generated by
   "Accept_token". It includes information about any remote node which
   vouched for the request.

    a) Full X.500 name of the node

    b) Local Username on the node

    c) Node ticket.

Top      Up      ToC       Page 45 
3.4.5 Local node credentials

   This information is added by Combine_credentials, and is used by
   Create_token to add a node signature to outbound requests.

    a) Full X.500 name of the node

    b) Local Username on the node

    c) RSA private key of the node

3.4.6 Cached outgoing contexts

   There may be one (or more) such structures for each server for which
   this principal has created authentication tokens. These represent a
   cache: they may be discarded at any time with no effect except on
   performance. For each association, the following information is kept:

    a) Destination RSA Public Key (index)

    b) Encrypted Shared key

    c) Shared Key Ticket (optional, included if there has been a
       non-delegating connection)

    d) Node Ticket

    e) Delegator (optional, included if there has been a delegating

    f) Validity interval

    g) Shared Key

3.4.7 Cached Incoming Contexts

   There may be one such structure for each client from which this server
   has received an authentication token.  These represent a cache: they
   may be discarded at any time with no effect except on performance. (An
   implementation may choose to keep one System-wide Cache (and list of
   incoming timestamps). While it is unlikely that the same Encrypted
   Shared Key will result from encryption of Shared keys generated by
   different clients or for different servers, an implementation must
   ensure that an entry made for one client/server can not be reused by
   another client/server.  Similarly an implementation may choose to keep
   separate caches for the Shared Key/Validity Interval/Delegation Public
   Key, the Nodename/UID/key/username and the Principal name/UID/key.)
   For each association, the following information is kept:

Top      Up      ToC       Page 46 
    a) Encrypted Shared key (index)

    b) Shared Key

    c) Validity Interval

    d) Full X.500 name of Client Principal

    e) UID of Client Principal

    f) Public Key of Client Principal

    g) Name of Client Node

    h) UID of Client Node

    i) Public Key of Client Node

    j) Local Username on Client node

    k) Delegation Public key of Client Principal's Login Ticket

   The Name, UID and Public key of the Principal are all entered
   together once the Login Ticket has been verified. Similarly the Node
   name, Node key and Username are entered together once the Node Ticket
   has been verified. These pieces of information are only present if
   they have been verified.

3.4.8 Received Authenticators

   A record of all the authenticators received is kept. This is used to
   detect replayed messages. (This list must be common to all targets
   that could accept the same authenticator (channel bindings will
   prevent other targets from accepting the same authenticator). This
   includes different `servers' sharing the same key.)  The entries in
   this list may be deleted when the timestamp is old enough that they
   would no longer be accepted. This list is kept separate from the
   Cached incoming context in order that the information in the cached
   incoming context can be discarded at any time. An implementation
   could choose to save these timestamps with the cached incoming
   context if it ensures that it can never purge entries from the cache
   before the timestamp has aged sufficiently. This list is accessed
   based on an extract from the signature from the Authenticator. The
   extract must be at least 64 bits, to ensure that it is very unlikely
   that 2 authenticators will be received with matching signatures.

    a) Extract from Signature from Authenticator

Top      Up      ToC       Page 47 
    b) Timestamp

   If an implementation runs out of space to store additional
   authenticators, it may either reject the token which would have
   overflowed the table or it may temporarily narrow the allowed clock
   skew to allow it to free some of the space used to hold "old"
   authenticators.  The first strategy will always falsely reject
   tokens; the second may cause false rejection of tokens if the allowed
   clock skew gets narrowed beyond the actual clock skew in the network.

3.5 CA State

   The CA needs to maintain some internal state in order to generate
   certificates. This internal state must be protected at all times, and
   great care must be taken to prevent its being disclosed. A CA may
   choose to maintain additional state information in order to enhance
   security.  In particular, it is the responsibility of the CA to
   assure that the same UID is not serially reused by two holders of a
   single name.  In most cases, this can be done by creating the UID at
   the time the user is registered.  To securely permit users to keep
   their UIDs when transferring from another CA, the CA must keep a
   record of any UIDs used by previous holders of the name. Since
   actions of a CA are so security sensitive, the CA should also
   maintain an audit trail of all certificates signed so that a history
   can be reconstructed in the event of a compromise.  Finally, for the
   convenience of the CA operator, the CA should record a list of the
   directories for which it is responsible and their UIDs so that these
   need not be entered whenever the CA is to be used.  The state
   includes at least the following information:

    - Public Key of CA

    - Private Key of CA

    - Serial number of next certificate to be issued

3.6 Data types used in the routines

   There are several abstract data types used as parameters to the
   routines described in this section. These are listed here

    a) Integer

    b) Name
       Names unless otherwise noted are always X.500 names.  While
       most of the design of DASS is naming service independent, the
       syntax of certificates and tokens only permits X.500 names to
       be used.  If DASS is to be used in an environment where some

Top      Up      ToC       Page 48 
       other form of name is used, those names must be translated
       into something syntactically compliant with X.500 using some
       mechanism which is beyond the scope of this architecture.  The
       only other form of name appearing in this architecture is a
       "local user name", which corresponds to the simple name of an
       "account" on a node.  As a type, such names appear in
       parameter lists as "Strings".

    c) String
       A String is a sequence of printable characters.

    d) Absolute Time
       A UTC time. The precision of these Times is not stated. A
       precision of the order of one second in all times is

    e) Time Interval
       A Time interval is composed of 2 times. A Start Time and an
       End Time, both of which are Absolute Times

    f) Timestamp
       A Timestamp is a time in POSIX format. I.e., two 32 bit
       Integers. The first representing seconds, and the second
       representing nanoseconds.

    g) Duration
       A Duration is the length of a time interval.

    h) Octet String
       A sequence of bytes containing binary data

    i) Boolean
       A value of either True or False

    j) UID
       A UID is an bit string of 128 bits.

    k) OID
       An OID is an ISO Object Identifier.

    l) Shared key
       A Shared key is a DES key, a sequence of 8 bytes

    m) CA State
       A structure of the form described in '3.5

    n) Credentials
       A structure of the form described in '3.4

Top      Up      ToC       Page 49 
    o) Certificate
       An ASN.1 encoding of the structure described in '3.1

    p) Authentication Token
       An ASN.1 encoding of the structure described in '3.3.1

    q) Mutual Authentication Token
       An ASN.1 encoding of the structure described in '3.3.2

    r) Encrypted Credentials
       An ASN.1 encoding of  the  structure described in '3.2

    s) Public key
       A representation of an RSA Public key, including all the
       information needed to encode the public key in a certificate.

    t) Set of Public key/UID pairs
       A set of Public key/UID pairs. This Data type is only used
       internally in DASS - it does not appear in any interface used
       to other architectures.

3.7 Error conditions

   These routines can return the following error conditions (an
   implementation may indicate errors with more or less precision):

    a) Incomplete chain of trustworthy CAs

    b) Target has no keys which can be trusted.

    c) Invalid Authentication Token

    d) Login Ticket Expired

    e) Invalid Password

    f) Invalid Credentials

    g) Invalid Authenticator

    h) Duplicate Authenticator

3.8 Certificate Maintenance Functions

   Authentication services depend on a set of data structures maintained
   in the naming service. There are two kinds of information:
   Certificates, which associate names and public keys and are signed by
   off-line Certification Authorities; and Encrypted Credentials, which

Top      Up      ToC       Page 50 
   contain RSA Private Keys and certain context information encrypted
   under passwords. Encrypted Credentials are only necessary in
   environments where passwords are used. Credentials may alternatively
   be stored in some other secure manner (for example on a smart card).

   The certificate maintenance services are designed so that the most
   sensitive - the actual signing of certificates - may be done by an
   off-line authority.  Once signed, certificates must be posted in the
   naming service to be believed.  The precise mechanisms for moving
   certificates between off-line CAs and the on-line naming service are
   implementation dependent.  For the off-line mechanisms to provide any
   actual security, the CAs must be told what to sign in some reliable
   manner.  The mechanisms for doing this are implementation dependent.
   The abstract interface says that the CA is given all of the
   information that goes into a certificate and it produces the signed
   certificate.  There are requirements surrounding the auditing of a
   CA's actions. The details of what actions are audited, where the
   audit trail is maintained, and what utilities exist to search that
   audit trail are not specified here. The functions a CA must provide

3.8.1 Install CA

                       keysize               Integer,   --inputs
                       CA_state              CA State,  --outputs
                       CA_Public_Key         Public Key)

   This routine need only generate a public/private key pair of the
   requested size. Keysize is likely to be in implementation constant
   rather than a parameter.  The value is likely to be either 512 or
   640.  Key sizes throughout will have to increase over time as
   factoring technology and CPU speeds improve.  Both keys are stored as
   part of the CA_state; the public key is returned so that other CAs
   may cross-certify this one. The `Next Serial number' in the CA state
   is set to 1.

3.8.2 Create Certificate

                       Renewal               Boolean,
                       Include_UID           Boolean,
                       Issuer_name           Name,
                       Issuer_UID            UID,
                       Effective_date        Absolute Time,
                       Expiration_date       Absolute Time,
                       Subject_name          Name,

Top      Up      ToC       Page 51 
                       Subject_UID           UID,
                       Subject_public_key    Public Key,
                       CA_state              CA State,
                       Certificate           Certificate)

   This procedure creates and signs a certificate.  Note that the
   various contents of the certificate must be communicated to the CA in
   some reliable fashion.  The Issuer_name and UID are the name and UID
   of the directory on whose behalf the certificate is being signed.

   This routine formats and signs a certificate with the private key in
   CA_state. It audits the creation of the certificate and updates the
   sequence number which is part of CA_state. The Issuer and Subject
   names are X.500 names.  If the CA state includes a history of what
   UIDs have previously been used by what names, this call will only
   succeed in the collision case if the Renewal boolean is set true.  If
   the Include_UID boolean is set true, this routine will generate a
   1992 format X.509 certificate; otherwise it will generate a 1988
   format X.509 certificate.

3.8.3 Create Principal

                       Password              String,
                       keysize               Integer,
                       Principal_name        Name,
                       Principal_UID         UID,
                       Parent_Public_key     Public Key,
                       Parent_UID            UID,
                       Encrypted_Credentials Encrypted Credentials,
                       Trusted_authority_certificate Certificate)

   This procedure creates a new principal by generating a new
   public/private key pair, encrypting the public and private keys under
   the password, and signing a trusted authority certificate for the
   parent CA.  In an implementation not using passwords (e.g., smart
   cards), an alternative mechanism must be used for initially creating
   principals.  If a principal has protected storage for trusted
   authority information, it is not necessary to create a trusted
   authority certificate and store it in the naming service.  Some
   procedure analogous to this one must be executed, however, in which
   the principal learns the public key and UID of its CA and its own

Top      Up      ToC       Page 52 
   This routine creates two output structures with the following steps:

    a) Generate a public/private key pair using the indicated
       keysize. An implementation will likely fix the keysize as an
       implementation constant, most likely 512 or 640 bits, rather
       than accepting it as a parameter.  Key sizes generally will
       have to increase over time as factoring technology and CPU
       speeds improve.

    b) Form the encrypted credentials by using the public key,
       private key, and Principal_UID and encrypting them using a
       hash of the password as the key.

    c) Generate a trusted authority certificate (which is identical
       in format to a "parent" certificate) getting fields as

      1) Certificate version is X.509 1992.

      2) Issuer name is the Principal name (which is an X.500 name).

      3) Issuer UID is the Principal UID.

      4) Validity is for all time.

      5) Subject name is constructed from the Principal name by
         removing the last simple name from the hierarchical name.

      6) Subject UID is the CA_UID.

      7) Subject Public Key is the CA_Public_Key

      8) Sequence number is 1.

      9) Sign the certificate with the newly generated private key of
         the principal.

3.8.4 Change Password

   Change_password(                                 --inputs
                       Encrypted_credentials Encrypted Credentials,
                       Old_password          String,
                       New_password          String,
                       Encrypted_credentials Encrypted Credentials)

   If credentials are stored encrypted under a password, it is possible
   to change the password if the old one is known.  Note that it is

Top      Up      ToC       Page 53 
   insufficient to just change a user's password if the password has
   been disclosed.  Anyone knowing the old password may have already
   learned the user's private key.  If a password has been disclosed,
   the secure recovery procedure is to call create_principal again
   followed by create_certificate to certify the new key.

   Using DASS, it may not be appropriate for users to periodically
   change their passwords as a precaution unless they also change their
   private keys by the procedure above.  The only likely use of the
   change_password procedure is to handle the case where an
   administrator has chosen a password for the user in the course of
   setting up the account and the user wishes to change it to something
   the user can remember.  A future version of the architecture may
   smooth key roll-over by having the change_password command also
   generate a new key and sign a "self" certificate in which the old key
   certifies the new one.  As a separate step, a CA which notices a self
   certificate posted in the naming service could certify the new key
   instead of the old one when the user's certificate is renewed.  While
   this procedure is not as rapid or as reliable as having the user
   directly interact with the CA, it offers a reasonable tradeoff
   between security and convenience when there is no evidence of
   password compromise.

   This routine simply decrypts the encrypted credentials structure
   supplied using the password supplied. It returns a bad status if the
   format of the decrypted information is bad (indicating an incorrect
   password). Otherwise, it creates a new encrypted credentials
   structure by encrypting the same data with the new password. It would
   be highly desirable for the user interface to this function to
   provide the capability to randomly generate passwords and prohibit
   easily guessed user chosen passwords using length, character set, and
   dictionary lookup rules, but such capabilities are beyond the scope
   of this document.  If encrypted credentials are stored in some local
   secure storage, the above function is all that is necessary (in fact,
   if the storage is sufficiently secure, no password is needed;
   credentials could be stored unenciphered).  If they are stored in a
   naming service, this function must be coupled with one which
   retrieves the old encrypted credentials from the naming service and
   stores the new.  The full protocol is likely to include access
   control checks that require the principal to acquire credentials and
   produce tokens.  For best security, the encrypted credentials should
   be accessible only through a login agent.  The role of the login
   agent is to audit and limit the rate of password guessing.  If
   passwords are well chosen, there is no significant threat from
   password guessing because searching the space is computationally
   infeasible.  In the context of a login agent, change password will be
   implemented with a specialized protocol requiring knowledge of the
   password and (for best security) a trusted authority from which the

Top      Up      ToC       Page 54 
   public key of the login agent can be learned.  See section 2.3.2 for
   the plans for the non-X.500 credential storage facility.

3.8.5 Change Name

                       Claimant_Credentials  Credentials,
                       New_name              Name,
                       CA_Public_Key         Public Key,
                       CA_UID                UID,
                       Trusted_Authority_Certificate Certificate)

   DASS permits a principal to have many current aliases, but only one
   current name.  A principal can authenticate itself as any of its
   aliases but verifies the names of others relative to the name by
   which it knows itself.  Aliases can be created simply by using the
   create_certificate function once for each alias.  To change the name
   of a principal, however, requires that the principal securely learn
   the public key and UID of its new parent CA.  As with
   create_principal, if a principal has secure private storage for its
   trusted authority information, it need not create a certificate, but
   some analogous procedure must be able to install new naming

   This routine produces a new Trusted Authority Certificate with
   contents as follows:

    a) Issuer name is New_name (an X.500 name)

    b) Issuer_UID is Principal UID from Credentials.

    c) Validity is for all time.

    d) Subject name is constructed from the Issuer name by removing
       the last simple name from the hierarchical name, and
       converting to an X.500 name.

    e) Subject UID is CA_UID

    f) Subject Public Key is CA_Public_Key

    g) Sequence number is 1.

    h) The certificate is signed with the private key of the
       principal from the credentials. Note that this call will only
       succeed if the principal's private key is in the credentials,

Top      Up      ToC       Page 55 
       which will only be true if the credentials were created by
       calling Create_server_credentials.

(page 55 continued on part 3)

Next RFC Part