| draft-ietf-kitten-2478bis-05.txt | rfc4178.txt | |||
|---|---|---|---|---|
| NETWORK WORKING GROUP L. Zhu | Network Working Group L. Zhu | |||
| Internet-Draft P. Leach | Request for Comments: 4178 P. Leach | |||
| Obsoletes: 2478 (if approved) K. Jaganathan | Obsoletes: 2478 K. Jaganathan | |||
| Expires: July 27, 2005 Microsoft Corporation | Category: Standards Track Microsoft Corporation | |||
| W. Ingersoll | W. Ingersoll | |||
| Sun Microsystems | Sun Microsystems | |||
| January 23, 2005 | October 2005 | |||
| The Simple and Protected GSS-API Negotiation Mechanism | ||||
| draft-ietf-kitten-2478bis-05 | ||||
| Status of this Memo | ||||
| This document is an Internet-Draft and is subject to all provisions | ||||
| of Section 3 of RFC 3667. By submitting this Internet-Draft, each | ||||
| author represents that any applicable patent or other IPR claims of | ||||
| which he or she is aware have been or will be disclosed, and any of | ||||
| which he or she become aware will be disclosed, in accordance with | ||||
| RFC 3668. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as | ||||
| Internet-Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | ||||
| and may be updated, replaced, or obsoleted by other documents at any | ||||
| time. It is inappropriate to use Internet-Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | The Simple and Protected | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | Generic Security Service Application Program Interface (GSS-API) | |||
| Negotiation Mechanism | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | Status of This Memo | |||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on July 27, 2005. | This document specifies an Internet standards track protocol for the | |||
| Internet community, and requests discussion and suggestions for | ||||
| improvements. Please refer to the current edition of the "Internet | ||||
| Official Protocol Standards" (STD 1) for the standardization state | ||||
| and status of this protocol. Distribution of this memo is unlimited. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| This document specifies a negotiation mechanism for the Generic | This document specifies a negotiation mechanism for the Generic | |||
| Security Service Application Program Interface (GSS-API) which is | Security Service Application Program Interface (GSS-API), which is | |||
| described in RFC 2743. | described in RFC 2743. GSS-API peers can use this negotiation | |||
| mechanism to choose from a common set of security mechanisms. If | ||||
| GSS-API peers can use this negotiation mechanism to choose from a | per-message integrity services are available on the established | |||
| common set of security mechanisms. | ||||
| If per-message integrity services are available on the established | ||||
| mechanism context, then the negotiation is protected against an | mechanism context, then the negotiation is protected against an | |||
| attacker forcing the selection of a mechanism not desired by the | attacker that forces the selection of a mechanism not desired by the | |||
| peers. | peers. | |||
| This mechanism replaces RFC 2478 in order to fix defects in that | This mechanism replaces RFC 2478 in order to fix defects in that | |||
| specification and to describe how to inter-operate with | specification and to describe how to inter-operate with | |||
| implementations of that specification commonly deployed on the | implementations of that specification that are commonly deployed on | |||
| Internet. | the Internet. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................2 | |||
| 2. Conventions Used in This Document . . . . . . . . . . . . . . 5 | 2. Conventions Used in This Document ...............................3 | |||
| 3. Negotiation Protocol . . . . . . . . . . . . . . . . . . . . . 6 | 3. Negotiation Protocol ............................................3 | |||
| 3.1 Negotiation Description . . . . . . . . . . . . . . . . . 6 | 3.1. Negotiation Description ....................................4 | |||
| 3.2 Negotiation Procedure . . . . . . . . . . . . . . . . . . 7 | 3.2. Negotiation Procedure ......................................5 | |||
| 4. Token Definitions . . . . . . . . . . . . . . . . . . . . . . 10 | 4. Token Definitions ...............................................7 | |||
| 4.1 Mechanism Types . . . . . . . . . . . . . . . . . . . . . 10 | 4.1. Mechanism Types ............................................7 | |||
| 4.2 Negotiation Tokens . . . . . . . . . . . . . . . . . . . . 10 | 4.2. Negotiation Tokens .........................................7 | |||
| 4.2.1 negTokenInit . . . . . . . . . . . . . . . . . . . . . 11 | 4.2.1. negTokenInit ........................................8 | |||
| 4.2.2 negTokenResp . . . . . . . . . . . . . . . . . . . . . 12 | 4.2.2. negTokenResp ........................................9 | |||
| 5. Processing of mechListMIC . . . . . . . . . . . . . . . . . . 14 | 5. Processing of mechListMIC ......................................10 | |||
| 6. Extensibility . . . . . . . . . . . . . . . . . . . . . . . . 17 | 6. Extensibility ..................................................13 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 7. Security Considerations ........................................13 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | 8. Acknowledgments ................................................14 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 | 9. References .....................................................14 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 9.1. Normative References ......................................14 | |||
| 10.1 Normative References . . . . . . . . . . . . . . . . . . . 21 | 9.2. Informative References ....................................15 | |||
| 10.2 Informative References . . . . . . . . . . . . . . . . . . 21 | Appendix A. SPNEGO ASN.1 Module ..................................16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21 | Appendix B. GSS-API Negotiation Support API ......................17 | |||
| A. SPNEGO ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 23 | B.1. GSS_Set_neg_mechs Call ...................................17 | |||
| B. GSS-API Negotiation Support API . . . . . . . . . . . . . . . 25 | B.2. GSS_Get_neg_mechs Call ...................................18 | |||
| B.1 GSS_Set_neg_mechs call . . . . . . . . . . . . . . . . . . 25 | Appendix C. Changes since RFC 2478 ...............................18 | |||
| B.2 GSS_Get_neg_mechs call . . . . . . . . . . . . . . . . . . 25 | Appendix D. mechListMIC Computation Example ......................20 | |||
| C. Changes since RFC2478 . . . . . . . . . . . . . . . . . . . . 27 | ||||
| D. mechListMIC Computation Example . . . . . . . . . . . . . . . 29 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . 30 | ||||
| 1. Introduction | 1. Introduction | |||
| The GSS-API [RFC2743] provides a generic interface which can be | The GSS-API [RFC2743] provides a generic interface that can be | |||
| layered atop different security mechanisms such that if communicating | layered atop different security mechanisms such that, if | |||
| peers acquire GSS-API credentials for the same security mechanism, | communicating peers acquire GSS-API credentials for the same security | |||
| then a security context may be established between them (subject to | mechanism, then a security context may be established between them | |||
| policy). However, GSS-API does not prescribe the method by which | (subject to policy). However, GSS-API does not prescribe the method | |||
| GSS-API peers can establish whether they have a common security | by which GSS-API peers can establish whether they have a common | |||
| mechanism. | security mechanism. | |||
| The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism | The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism | |||
| defined here is a pseudo security mechanism, which enables GSS-API | defined here is a pseudo security mechanism that enables GSS-API | |||
| peers to determine in-band whether their credentials support a common | peers to determine in-band whether their credentials support a common | |||
| set of one or more GSS-API security mechanisms, and if so, to invoke | set of one or more GSS-API security mechanisms; if so, it invokes the | |||
| the normal security context establishment for a selected common | normal security context establishment for a selected common security | |||
| security mechanism. This is most useful for applications which | mechanism. This is most useful for applications that depend on GSS- | |||
| depend on GSS-API implementations and share multiple mechanisms | API implementations and share multiple mechanisms between the peers. | |||
| between the peers. | ||||
| The SPNEGO mechanism negotiation is based on the following model: the | The SPNEGO mechanism negotiation is based on the following model: the | |||
| initiator proposes a list of security mechanism(s), in decreasing | initiator proposes a list of security mechanism(s), in decreasing | |||
| preference order (favorite choice first), the acceptor (also known as | preference order (favorite choice first), the acceptor (also known as | |||
| the target) either accepts the initiator's preferred security | the target) either accepts the initiator's preferred security | |||
| mechanism (the first in the list), or chooses one that is available | mechanism (the first in the list) or chooses one of the available | |||
| from the offered list, or rejects the proposed value(s). The target | mechanisms from the offered list; if neither is acceptable, the | |||
| then informs the initiator of its choice. | acceptor rejects the proposed value(s). The target then informs the | |||
| initiator of its choice. | ||||
| Once a common security mechanism is chosen, mechanism-specific | Once a common security mechanism is chosen, mechanism-specific | |||
| options MAY be negotiated as part of the selected mechanism's context | options MAY be negotiated as part of the selected mechanism's context | |||
| establishment. These negotiations (if any) are internal to the | establishment. These negotiations (if any) are internal to the | |||
| mechanism and opaque to the SPNEGO protocol. As such they are | mechanism and opaque to the SPNEGO protocol. As such, they are | |||
| outside the scope of this document. | outside the scope of this document. | |||
| If per-message integrity services are available on the established | If per-message integrity services [RFC2743] are available on the | |||
| mechanism security context, then the negotiation is protected to | established mechanism security context, then the negotiation is | |||
| ensure that the mechanism list has not been modified. In cases where | protected to ensure that the mechanism list has not been modified. | |||
| an attacker could have materially influenced the negotiation, peers | In cases where an attacker could have materially influenced the | |||
| exchange message integrity code (MIC) tokens to confirm the mechanism | negotiation, peers exchange message integrity code (MIC) tokens to | |||
| list has not been modified. If no action of an attacker could have | confirm that the mechanism list has not been modified. If no action | |||
| materially modified the outcome of the negotiation, the exchange of | of an attacker could have materially modified the outcome of the | |||
| MIC tokens is optional (see Section 5). Allowing MIC tokens to be | negotiation, the exchange of MIC tokens is optional (see Section 5). | |||
| optional in this case provides interoperability with existing | Allowing MIC tokens to be optional in this case provides | |||
| implementations while still protecting the negotiation. This | interoperability with existing implementations while still protecting | |||
| interoperability comes at the cost of increased complexity. | the negotiation. This interoperability comes at the cost of | |||
| increased complexity. | ||||
| SPNEGO relies on the concepts developed in the GSS-API specification | SPNEGO relies on the concepts developed in the GSS-API specification | |||
| [RFC2743]. The negotiation data is encapsulated in context-level | [RFC2743]. The negotiation data is encapsulated in context-level | |||
| tokens. Therefore, callers of the GSS-API do not need to be aware of | tokens. Therefore, callers of the GSS-API do not need to be aware of | |||
| the existence of the negotiation tokens but only of the new | the existence of the negotiation tokens, but only of the new pseudo- | |||
| pseudo-security mechanism. A failure in the negotiation phase causes | security mechanism. A failure in the negotiation phase causes a | |||
| a major status code to be returned: GSS_S_BAD_MECH. | major status code to be returned: GSS_S_BAD_MECH. | |||
| 2. Conventions Used in This Document | 2. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Negotiation Protocol | 3. Negotiation Protocol | |||
| When the established mechanism context provides integrity protection, | When the established mechanism context provides integrity protection, | |||
| the mechanism negotiation can be protected. When acquiring | the mechanism negotiation can be protected. When acquiring | |||
| negotiated security mechanism tokens, per-message integrity services | negotiated security mechanism tokens, per-message integrity services | |||
| are always requested by the SPNEGO mechanism. | are always requested by the SPNEGO mechanism. | |||
| When the established mechanism context supports per-message integrity | When the established mechanism context supports per-message integrity | |||
| services, SPNEGO guarantees that the selected mechanism is mutually | services, SPNEGO guarantees that the selected mechanism is mutually | |||
| preferred. | preferred. | |||
| This section describes the negotiation process of this protocol. | This section describes the negotiation process of this protocol. | |||
| 3.1 Negotiation Description | 3.1. Negotiation Description | |||
| The first negotiation token sent by the initiator contains an ordered | The first negotiation token sent by the initiator contains an ordered | |||
| list of mechanisms in decreasing preference order (favorite mechanism | list of mechanisms in decreasing preference order (favorite mechanism | |||
| first), and optionally the initial mechanism token for the preferred | first), and optionally the initial mechanism token for the preferred | |||
| mechanism of the initiator (i.e., the first in the list). (Note that | mechanism of the initiator (i.e., the first in the list). (Note that | |||
| the list MUST NOT contain either this SPNEGO mechanism itself or any | the list MUST NOT contain this SPNEGO mechanism itself or any | |||
| mechanism for which the client does not have appropriate | mechanism for which the client does not have appropriate | |||
| credentials.) | credentials.) | |||
| The target then processes the token from the initiator. This will | The target then processes the token from the initiator. This will | |||
| result in one of four possible states (as defined in Section 4.2.2) | result in one of four possible states (as defined in Section 4.2.2) | |||
| being returned in the reply message: accept-completed, | being returned in the reply message: accept-completed, accept- | |||
| accept-incomplete, reject, or request-mic. A reject state will | incomplete, reject, or request-mic. A reject state will terminate | |||
| terminate the negotiation; an accept-completed state indicates that | the negotiation; an accept-completed state indicates that the | |||
| not only was the initiator-selected mechanism acceptable to the | initiator-selected mechanism was acceptable to the target, and that | |||
| target, but also that the security mechanism token embedded in the | the security mechanism token embedded in the first negotiation | |||
| first negotiation message was sufficient to complete the | message was sufficient to complete the authentication; an accept- | |||
| authentication; an accept-incomplete state indicates that further | incomplete state indicates that further message exchange is needed | |||
| message exchange is needed but the MIC token exchange as described in | but the MIC token exchange (as described in Section 5) is OPTIONAL; a | |||
| Section 5 is OPTIONAL; a request-mic state (this state can only be | request-mic state (this state can only be present in the first reply | |||
| present in the first reply message from the target) indicates the MIC | message from the target) indicates that the MIC token exchange is | |||
| token exchange is REQUIRED if per-message integrity services are | REQUIRED if per-message integrity services are available. | |||
| available. | ||||
| Unless the preference order is specified by the application, the | Unless the preference order is specified by the application, the | |||
| policy by which the target chooses a mechanism is an | policy by which the target chooses a mechanism is an implementation- | |||
| implementation-specific local matter. In the absence of an | specific, local matter. In the absence of an application-specified | |||
| application specified preference order or other policy, the target | preference order or other policy, the target SHALL choose the first | |||
| SHALL choose the first mechanism in the initiator proposed list for | mechanism in the initiator proposed list for which it has valid | |||
| which it has valid credentials. | credentials. | |||
| In case of a successful negotiation, the security mechanism in the | In case of a successful negotiation, the security mechanism in the | |||
| first reply message represents the value suitable for the target, | first reply message represents the value suitable for the target that | |||
| chosen from the list offered by the initiator. | was chosen from the list offered by the initiator. | |||
| In case of an unsuccessful negotiation, the reject state is returned | In case of an unsuccessful negotiation, the reject state is returned, | |||
| and generating a context level negotiation token is OPTIONAL. | and the generation of a context-level negotiation token is OPTIONAL. | |||
| Once a mechanism has been selected, context establishment tokens | Once a mechanism has been selected, context establishment tokens | |||
| specific to the selected mechanism are carried within the negotiation | specific to the selected mechanism are carried within the negotiation | |||
| tokens. | tokens. | |||
| Lastly, MIC tokens may be exchanged to ensure the authenticity of the | Lastly, MIC tokens may be exchanged to ensure the authenticity of the | |||
| mechanism list received by the target. | mechanism list received by the target. | |||
| To avoid conflicts with the use of MIC tokens by SPNEGO, | To avoid conflicts with the use of MIC tokens by SPNEGO, partially- | |||
| partially-established contexts MUST NOT be used for per-message | established contexts MUST NOT be used for per-message calls. To | |||
| calls. To guarantee this, the prot_ready_state [RFC2743] MUST be set | guarantee this, the prot_ready_state [RFC2743] MUST be set to false | |||
| to false on return from GSS_Init_sec_context() and | on return from GSS_Init_sec_context() and GSS_Accept_sec_context(), | |||
| GSS_Accept_sec_context() even if the underlying mechanism returned | even if the underlying mechanism returned true. | |||
| true. | ||||
| Note that in order to avoid an extra round trip, the first context | Note that in order to avoid an extra round trip, the first context | |||
| establishment token of the initiator's preferred mechanism SHOULD be | establishment token of the initiator's preferred mechanism SHOULD be | |||
| embedded in the initial negotiation message (as defined in | embedded in the initial negotiation message (as defined in Section | |||
| Section 4.2). (This mechanism token is referred to as the optimistic | 4.2). (This mechanism token is referred to as the optimistic | |||
| mechanism token in this document.) In addition, using the optimistic | mechanism token in this document.) In addition, using the optimistic | |||
| mechanism token allows the initiator to recover from non-fatal errors | mechanism token allows the initiator to recover from non-fatal errors | |||
| encountered trying to produce the first mechanism token before a | encountered when trying to produce the first mechanism token before a | |||
| mechanism can be selected. Implementations MAY omit the optimistic | mechanism can be selected. In cases where the initiator's preferred | |||
| mechanism token in cases where the likelihood of the initiator's | mechanism is not likely to be selected by the acceptor because of the | |||
| preferred mechanism not being selected by the acceptor is significant | significant cost of its generation, implementations MAY omit the | |||
| given the cost of generating it. | optimistic mechanism token. | |||
| 3.2 Negotiation Procedure | 3.2. Negotiation Procedure | |||
| The basic form of the procedure assumes that per-message integrity | The basic form of the procedure assumes that per-message integrity | |||
| services are available on the established mechanism context, and it | services are available on the established mechanism context, and it | |||
| is summarized as follows: | is summarized as follows: | |||
| (a) The GSS-API initiator invokes GSS_Init_sec_context() as normal, | a) The GSS-API initiator invokes GSS_Init_sec_context() as normal, | |||
| but requests that SPNEGO be used. SPNEGO can either be explicitly | but requests that SPNEGO be used. SPNEGO can either be explicitly | |||
| requested or accepted as the default mechanism. | requested or accepted as the default mechanism. | |||
| (b) The initiator GSS-API implementation generates a negotiation | b) The initiator GSS-API implementation generates a negotiation token | |||
| token containing a list of one or more security mechanisms that | containing a list of one or more security mechanisms that are | |||
| are available based on the credentials used for this context | available based on the credentials used for this context | |||
| establishment, and optionally the initial mechanism token for the | establishment, and optionally on the initial mechanism token for | |||
| first mechanism in the list. | the first mechanism in the list. | |||
| (c) The GSS-API initiator application sends the token to the target | c) The GSS-API initiator application sends the token to the target | |||
| application. The GSS-API target application passes the token by | application. The GSS-API target application passes the token by | |||
| invoking GSS_Accept_sec_context(). The acceptor will do one of | invoking GSS_Accept_sec_context(). The acceptor will do one of | |||
| the following: | the following: | |||
| (I) If none of the proposed mechanisms are acceptable, the | I) If none of the proposed mechanisms are acceptable, the | |||
| negotiation SHALL be terminated. GSS_Accept_sec_context | negotiation SHALL be terminated. GSS_Accept_sec_context | |||
| indicates GSS_S_BAD_MECH. The acceptor MAY output a | indicates GSS_S_BAD_MECH. The acceptor MAY output a | |||
| negotiation token containing a reject state. | negotiation token containing a reject state. | |||
| (II) If either the initiator's preferred mechanism is not | II) If either the initiator's preferred mechanism is not accepted | |||
| accepted by the target or this mechanism is accepted but it | by the target or this mechanism is accepted but is not the | |||
| is not the acceptor's most preferred mechanism (i.e., the | acceptor's most preferred mechanism (i.e., the MIC token | |||
| MIC token exchange as described in Section 5 is required), | exchange as described in Section 5 is required), | |||
| GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED. | GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED. | |||
| The acceptor MUST output a negotiation token containing a | The acceptor MUST output a negotiation token containing a | |||
| request-mic state. | request-mic state. | |||
| (III) Otherwise if at least one additional negotiation token | III) Otherwise, if at least one additional negotiation token from | |||
| from the initiator is needed to establish this context, | the initiator is needed to establish this context, | |||
| GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED and | GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED and | |||
| outputs a negotiation token containing an accept-incomplete | outputs a negotiation token containing an accept-incomplete | |||
| state. | state. | |||
| (IV) Otherwise no additional negotiation token from the | IV) Otherwise, no additional negotiation token from the initiator | |||
| initiator is needed to establish this context, | is needed to establish this context, GSS_Accept_sec_context() | |||
| GSS_Accept_sec_context() indicates GSS_S_COMPLETE and | indicates GSS_S_COMPLETE and outputs a negotiation token | |||
| outputs a negotiation token containing an accept_complete | containing an accept_complete state. | |||
| state. | ||||
| If the initiator's preferred mechanism is accepted, and an | If the initiator's preferred mechanism is accepted, and an | |||
| optimistic mechanism token was included, this mechanism token MUST | optimistic mechanism token was included, this mechanism token MUST | |||
| be passed to the selected mechanism by invoking | be passed to the selected mechanism by invoking | |||
| GSS_Accept_sec_context() and if a response mechanism token is | GSS_Accept_sec_context(). If a response mechanism token is | |||
| returned, it MUST be included in the response negotiation token. | returned, it MUST be included in the response negotiation token. | |||
| Otherwise, the target will not generate a response mechanism token | Otherwise, the target will not generate a response mechanism token | |||
| in the first reply. | in the first reply. | |||
| (d) The GSS-API target application returns the negotiation token to | d) The GSS-API target application returns the negotiation token to | |||
| the initiator application. The GSS-API initiator application | the initiator application. The GSS-API initiator application | |||
| passes the token by invoking GSS_Init_sec_context(). The security | passes the token by invoking GSS_Init_sec_context(). The security | |||
| context initialization is then continued according to the standard | context initialization is then continued according to the standard | |||
| GSS-API conventions for the selected mechanism, where the tokens | GSS-API conventions for the selected mechanism, where the tokens | |||
| of the selected mechanism are encapsulated in negotiation messages | of the selected mechanism are encapsulated in negotiation messages | |||
| (see Section 4) until GSS_S_COMPLETE is returned for both the | (see Section 4) until GSS_S_COMPLETE is returned for both the | |||
| initiator and the target by the selected security mechanism. | initiator and the target by the selected security mechanism. | |||
| (e) MIC tokens are then either skipped or exchanged according to | e) MIC tokens are then either skipped or exchanged according to | |||
| Section 5. | Section 5. | |||
| Note that the *_req_flag input parameters for context establishment | Note that the *_req_flag input parameters for context establishment | |||
| are relative to the selected mechanism, as are the *_state output | are relative to the selected mechanism, as are the *_state output | |||
| parameters. i.e., these parameters are not applicable to the | parameters. That is, these parameters are not applicable to the | |||
| negotiation process per se. | negotiation process per se. | |||
| On receipt of a negotiation token on the target side, a GSS-API | On receipt of a negotiation token on the target side, a GSS-API | |||
| implementation that does not support negotiation would indicate the | implementation that does not support negotiation would indicate the | |||
| GSS_S_BAD_MECH status as if a particular basic security mechanism had | GSS_S_BAD_MECH status as though a particular basic security mechanism | |||
| been requested and was not supported. | had been requested and was not supported. | |||
| When a GSS-API credential is acquired for the SPNEGO mechanism the | When a GSS-API credential is acquired for the SPNEGO mechanism, the | |||
| implementation SHOULD produce a credential element for the SPNEGO | implementation SHOULD produce a credential element for the SPNEGO | |||
| mechanism which internally contains GSS-API credential elements for | mechanism that internally contains GSS-API credential elements for | |||
| all mechanisms for which the principal has credentials available, | all mechanisms for which the principal has credentials available, | |||
| except for any mechanisms which are not to be negotiated, either as | except for any mechanisms that are not to be negotiated, per | |||
| per implementation-, site- or application-specific policy. See | implementation-, site-, or application-specific policy. See Appendix | |||
| Appendix B for interfaces for expressing application policy. | B for interfaces for expressing application policy. | |||
| 4. Token Definitions | 4. Token Definitions | |||
| The type definitions in this section assume an ASN.1 module | The type definitions in this section assume an ASN.1 module | |||
| definition of the following form: | definition of the following form: | |||
| SPNEGOASNOneSpec { | SPNEGOASNOneSpec { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanism(5) snego (2) modules(4) spec2(2) | security(5) mechanism(5) snego (2) modules(4) spec2(2) | |||
| } DEFINITIONS EXPLICIT TAGS ::= BEGIN | } DEFINITIONS EXPLICIT TAGS ::= BEGIN | |||
| -- rest of definitions here | -- rest of definitions here | |||
| END | END | |||
| This specifies that the tagging context for the module will be | This specifies that the tagging context for the module will be | |||
| explicit and non-automatic. | explicit and non-automatic. | |||
| The encoding of SPNEGO protocol messages shall obey the Distinguished | The encoding of the SPNEGO protocol messages shall obey the | |||
| Encoding Rules (DER) of ASN.1 as described in [X690]. | Distinguished Encoding Rules (DER) of ASN.1, as described in [X690]. | |||
| 4.1 Mechanism Types | 4.1. Mechanism Types | |||
| In this negotiation model, each OID represents one GSS-API mechanism | In this negotiation model, each OID represents one GSS-API mechanism | |||
| or one variant (see Section 6) of it according to [RFC2743]. | or one variant (see Section 6) of it, according to [RFC2743]. | |||
| MechType ::= OBJECT IDENTIFIER | MechType ::= OBJECT IDENTIFIER | |||
| -- OID represents each security mechanism as suggested by | -- OID represents each security mechanism as suggested by | |||
| -- [RFC2743] | -- [RFC2743] | |||
| MechTypeList ::= SEQUENCE OF MechType | MechTypeList ::= SEQUENCE OF MechType | |||
| 4.2 Negotiation Tokens | 4.2. Negotiation Tokens | |||
| The syntax of the initial negotiation tokens follows the | The syntax of the initial negotiation tokens follows the | |||
| initialContextToken syntax defined in Section 3.1 of [RFC2743]. The | initialContextToken syntax defined in Section 3.1 of [RFC2743]. The | |||
| SPNEGO pseudo mechanism is identified by the Object Identifier | SPNEGO pseudo mechanism is identified by the Object Identifier | |||
| iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). | iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). | |||
| Subsequent tokens MUST NOT be encapsulated in this GSS-API generic | Subsequent tokens MUST NOT be encapsulated in this GSS-API generic | |||
| token framing. | token framing. | |||
| This section specifies the syntax of the inner token for the initial | This section specifies the syntax of the inner token for the initial | |||
| message and the syntax of subsequent context establishment tokens. | message and the syntax of subsequent context establishment tokens. | |||
| NegotiationToken ::= CHOICE { | NegotiationToken ::= CHOICE { | |||
| negTokenInit [0] NegTokenInit, | negTokenInit [0] NegTokenInit, | |||
| negTokenResp [1] NegTokenResp | negTokenResp [1] NegTokenResp | |||
| } | } | |||
| 4.2.1 negTokenInit | 4.2.1. negTokenInit | |||
| NegTokenInit ::= SEQUENCE { | NegTokenInit ::= SEQUENCE { | |||
| mechTypes [0] MechTypeList, | mechTypes [0] MechTypeList, | |||
| reqFlags [1] ContextFlags OPTIONAL, | reqFlags [1] ContextFlags OPTIONAL, | |||
| -- inherited from RFC 2478 for backward compatibility, | -- inherited from RFC 2478 for backward compatibility, | |||
| -- RECOMMENDED to be left out | -- RECOMMENDED to be left out | |||
| mechToken [2] OCTET STRING OPTIONAL, | mechToken [2] OCTET STRING OPTIONAL, | |||
| mechListMIC [3] OCTET STRING OPTIONAL, | mechListMIC [3] OCTET STRING OPTIONAL, | |||
| ... | ... | |||
| } | } | |||
| skipping to change at page 11, line 36 | skipping to change at page 8, line 36 | |||
| anonFlag (4), | anonFlag (4), | |||
| confFlag (5), | confFlag (5), | |||
| integFlag (6) | integFlag (6) | |||
| } (SIZE (32)) | } (SIZE (32)) | |||
| This is the syntax for the inner token of the initial negotiation | This is the syntax for the inner token of the initial negotiation | |||
| message. | message. | |||
| mechTypes | mechTypes | |||
| This field contains one or more security mechanisms available | This field contains one or more security mechanisms available for | |||
| for the initiator in decreasing preference order (favorite | the initiator, in decreasing preference order (favorite choice | |||
| choice first). | first). | |||
| reqFlags | reqFlags | |||
| This field, if present, contains the service options that are | This field, if present, contains the service options that are | |||
| requested to establish the context (the req_flags parameter of | requested to establish the context (the req_flags parameter of | |||
| GSS_Init_sec_context()). This field is inherited from RFC 2478 | GSS_Init_sec_context()). This field is inherited from RFC 2478 | |||
| and it is not integrity protected. For implementations of this | and is not integrity protected. For implementations of this | |||
| specification the initiator SHOULD omit this reqFlags field, | specification, the initiator SHOULD omit this reqFlags field and | |||
| and the acceptor MUST ignore this reqFlags field. | the acceptor MUST ignore this reqFlags field. | |||
| The size constraint on the ContextFlags ASN.1 type only applies to | ||||
| the abstract type. The ASN.1 DER requires that all trailing zero | ||||
| bits be truncated from the encoding of a bit string type whose | ||||
| abstract definition includes named bits. Implementations should | ||||
| not expect to receive exactly 32 bits in an encoding of | ||||
| ContextFlags. | ||||
| mechToken | mechToken | |||
| This field, if present, contains the optimistic mechanism | This field, if present, contains the optimistic mechanism token. | |||
| token. | ||||
| mechlistMIC | mechlistMIC | |||
| This field, if present, contains a MIC token for the mechanism | This field, if present, contains an MIC token for the mechanism | |||
| list in the initial negotiation message. This MIC token is | list in the initial negotiation message. This MIC token is | |||
| computed according to Section 5. | computed according to Section 5. | |||
| 4.2.2 negTokenResp | 4.2.2. negTokenResp | |||
| NegTokenResp ::= SEQUENCE { | NegTokenResp ::= SEQUENCE { | |||
| negState [0] ENUMERATED { | negState [0] ENUMERATED { | |||
| accept-completed (0), | accept-completed (0), | |||
| accept-incomplete (1), | accept-incomplete (1), | |||
| reject (2), | reject (2), | |||
| request-mic (3) | request-mic (3) | |||
| } OPTIONAL, | } OPTIONAL, | |||
| -- REQUIRED in the first reply from the target | -- REQUIRED in the first reply from the target | |||
| supportedMech [1] MechType OPTIONAL, | supportedMech [1] MechType OPTIONAL, | |||
| skipping to change at page 12, line 42 | skipping to change at page 9, line 43 | |||
| This is the syntax for all subsequent negotiation messages. | This is the syntax for all subsequent negotiation messages. | |||
| negState | negState | |||
| This field, if present, contains the state of the negotiation. | This field, if present, contains the state of the negotiation. | |||
| This can be: | This can be: | |||
| accept-completed | accept-completed | |||
| No further negotiation message from the peer is expected, | No further negotiation message from the peer is expected, and | |||
| and the security context is established for the sender. | the security context is established for the sender. | |||
| accept-incomplete | accept-incomplete | |||
| At least one more negotiation message from the peer is | At least one additional negotiation message from the peer is | |||
| needed to establish the security context. | needed to establish the security context. | |||
| reject | reject | |||
| The sender terminates the negotiation. | The sender terminates the negotiation. | |||
| request-mic | request-mic | |||
| The sender indicates that the exchange of MIC tokens, as | The sender indicates that the exchange of MIC tokens, as | |||
| described in Section 5, will be REQUIRED if per-message | described in Section 5, will be REQUIRED if per-message | |||
| integrity services are available on the mechanism context to | integrity services are available on the mechanism context to be | |||
| be established. This value SHALL only be present in the | established. This value SHALL only be present in the first | |||
| first reply from the target. | reply from the target. | |||
| This field is REQUIRED in the first reply from the target, and | This field is REQUIRED in the first reply from the target, and is | |||
| it is OPTIONAL thereafter. When negState is absent the actual | OPTIONAL thereafter. When negState is absent, the actual state | |||
| state should be inferred from the state of the negotiated | should be inferred from the state of the negotiated mechanism | |||
| mechanism context. | context. | |||
| supportedMech | supportedMech | |||
| This field SHALL only be present in the first reply from the | This field SHALL only be present in the first reply from the | |||
| target. It MUST be one of the mechanism(s) offered by the | target. It MUST be one of the mechanism(s) offered by the | |||
| initiator. | initiator. | |||
| ResponseToken | ResponseToken | |||
| This field, if present, contains tokens specific to the | This field, if present, contains tokens specific to the mechanism | |||
| mechanism selected. | selected. | |||
| mechlistMIC | mechlistMIC | |||
| This field, if present, contains a MIC token for the mechanism | This field, if present, contains an MIC token for the mechanism | |||
| list in the initial negotiation message. This MIC token is | list in the initial negotiation message. This MIC token is | |||
| computed according to Section 5. | computed according to Section 5. | |||
| 5. Processing of mechListMIC | 5. Processing of mechListMIC | |||
| If the mechanism selected by the negotiation does not support | If the mechanism selected by the negotiation does not support | |||
| integrity protection, then no mechlistMIC token is used. | integrity protection, then no mechlistMIC token is used. | |||
| Otherwise, if the accepted mechanism is the most preferred mechanism | Otherwise, if the accepted mechanism is the most preferred mechanism | |||
| of both the initiator and the acceptor, then the MIC token exchange, | of both the initiator and the acceptor, then the MIC token exchange, | |||
| as described later in this section, is OPTIONAL. A mechanism is the | as described later in this section, is OPTIONAL. A mechanism is the | |||
| acceptor's most preferred mechanism if there is no other mechanism | acceptor's most preferred mechanism if there is no other mechanism | |||
| which, had it been present in the mechanism list, the acceptor would | that the acceptor would have preferred over the accepted mechanism | |||
| have preferred over the accepted mechanism. | had it been present in the mechanism list. | |||
| In all other cases, MIC tokens MUST be exchanged after the mechanism | In all other cases, MIC tokens MUST be exchanged after the mechanism | |||
| context is fully established. | context is fully established. | |||
| a) The mechlistMIC token (or simply the MIC token) is computed over | a) The mechlistMIC token (or simply the MIC token) is computed over | |||
| the mechanism list in the initial negotiation message by invoking | the mechanism list in the initial negotiation message by invoking | |||
| GSS_GetMIC() as follows: the input context_handle is the | GSS_GetMIC() as follows: the input context_handle is the | |||
| established mechanism context, the input qop_req is 0, and the | established mechanism context, the input qop_req is 0, and the | |||
| input message is the DER encoding of the value of type | input message is the DER encoding of the value of type | |||
| MechTypeList which is contained in the "mechTypes" field of the | MechTypeList, which is contained in the "mechTypes" field of the | |||
| NegTokenInit. The input message is NOT the DER encoding of the | NegTokenInit. The input message is NOT the DER encoding of the | |||
| type "[0] MechTypeList". | type "[0] MechTypeList". | |||
| b) If the selected mechanism exchanges an even number of mechanism | b) If the selected mechanism exchanges an even number of mechanism | |||
| tokens (i.e., the acceptor sends the last mechanism token), the | tokens (i.e., the acceptor sends the last mechanism token), the | |||
| acceptor does the following when generating the negotiation | acceptor does the following when generating the negotiation | |||
| message containing the last mechanism token: if the MIC token | message containing the last mechanism token: if the MIC token | |||
| exchange is optional, GSS_Accept_sec_context() either indicates | exchange is optional, GSS_Accept_sec_context() either indicates | |||
| GSS_S_COMPLETE and does not include a mechlistMIC token, or | GSS_S_COMPLETE and does not include a mechlistMIC token, or | |||
| indicates GSS_S_CONTINUE_NEEDED and includes a mechlistMIC token | indicates GSS_S_CONTINUE_NEEDED and includes a mechlistMIC token | |||
| and an accept-incomplete state; if the MIC token exchange is | and an accept-incomplete state; if the MIC token exchange is | |||
| required, GSS_Accept_sec_context() indicates | required, GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED | |||
| GSS_S_CONTINUE_NEEDED, and includes a mechlistMIC token. | and includes a mechlistMIC token. Acceptors that wish to be | |||
| Acceptors that wish to be compatible with legacy Windows SPNEGO | compatible with legacy Windows SPNEGO implementations, as | |||
| implementations as described in Appendix C should not generate a | described in Appendix C, should not generate a mechlistMIC token | |||
| mechlistMIC token when the MIC token exchange is not required. | when the MIC token exchange is not required. The initiator then | |||
| The initiator then processes the last mechanism token, and does | processes the last mechanism token, and does one of the following: | |||
| one of the following: | ||||
| (I) If a mechlistMIC token was included, and is correctly | I) If a mechlistMIC token was included and is correctly | |||
| verified, GSS_Init_sec_context() indicates GSS_S_COMPLETE. The | verified, GSS_Init_sec_context() indicates GSS_S_COMPLETE. | |||
| output negotiation message contains a mechlistMIC token, and an | The output negotiation message contains a mechlistMIC token | |||
| accept_complete state. The acceptor MUST then verify this | and an accept_complete state. The acceptor MUST then verify | |||
| mechlistMIC token. | this mechlistMIC token. | |||
| (II) If a mechlistMIC token was included but is incorrect, the | II) If a mechlistMIC token was included but is incorrect, the | |||
| negotiation SHALL be terminated. GSS_Init_sec_context() | negotiation SHALL be terminated. GSS_Init_sec_context() | |||
| indicates GSS_S_DEFECTIVE_TOKEN. | indicates GSS_S_DEFECTIVE_TOKEN. | |||
| (III) If no mechlistMIC token was included, and the MIC token | III) If no mechlistMIC token was included and the MIC token | |||
| exchange is not required, GSS_Init_sec_context() indicates | exchange is not required, GSS_Init_sec_context() indicates | |||
| GSS_S_COMPLETE with no output token. | GSS_S_COMPLETE with no output token. | |||
| (IV) If no mechlistMIC token was included, but the MIC token | IV) If no mechlistMIC token was included but the MIC token | |||
| exchange is required, the negotiation SHALL be terminated. | exchange is required, the negotiation SHALL be terminated. | |||
| GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN. | GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN. | |||
| c) In the case that the chosen mechanism exchanges an odd number of | c) In the case that the chosen mechanism exchanges an odd number of | |||
| mechanism tokens (i.e., the initiator sends the last mechanism | mechanism tokens (i.e., the initiator sends the last mechanism | |||
| token), the initiator does the following when generating the | token), the initiator does the following when generating the | |||
| negotiation message containing the last mechanism token: if the | negotiation message containing the last mechanism token: if the | |||
| negState was request-mic in the first reply from the target, a | negState was request-mic in the first reply from the target, a | |||
| mechlistMIC token MUST be included, otherwise the mechlistMIC | mechlistMIC token MUST be included; otherwise, the mechlistMIC | |||
| token is OPTIONAL. (Note that the MIC token exchange is required | token is OPTIONAL. (Note that the MIC token exchange is required | |||
| if a mechanism other than the initiator's first choice is chosen.) | if a mechanism other than the initiator's first choice is chosen.) | |||
| In the case that the optimistic mechanism token is the only | In the case that the optimistic mechanism token is the only | |||
| mechanism token for the initiator's preferred mechanism, the | mechanism token for the initiator's preferred mechanism, the | |||
| mechlistMIC token is OPTIONAL. Whether or not the mechlistMIC | mechlistMIC token is OPTIONAL. Whether the mechlistMIC token is | |||
| token is included, GSS_Init_sec_context() indicates | included, GSS_Init_sec_context() indicates GSS_S_CONTINUE_NEEDED. | |||
| GSS_S_CONTINUE_NEEDED. Initiators that wish to be compatible with | Initiators that wish to be compatible with legacy Windows SPNEGO | |||
| legacy Windows SPNEGO implementations as described in Appendix C | implementations, as described in Appendix C, should not generate a | |||
| should not generate a mechlistMIC token when the MIC token | mechlistMIC token when the MIC token exchange is not required. | |||
| exchange is not required. The acceptor then processes the last | The acceptor then processes the last mechanism token and does one | |||
| mechanism token and does one of the following: | of the following: | |||
| (I) If a mechlistMIC token was included and is correctly verified, | I) If a mechlistMIC token was included and is correctly | |||
| GSS_Accept_sec_context() indicates GSS_S_COMPLETE. The output | verified, GSS_Accept_sec_context() indicates GSS_S_COMPLETE. | |||
| negotiation message contains a mechlistMIC token and an | The output negotiation message contains a mechlistMIC token | |||
| accept_complete state. The initiator MUST then verify this | and an accept_complete state. The initiator MUST then verify | |||
| mechlistMIC token. | this mechlistMIC token. | |||
| (II) If a mechlistMIC token was included but is incorrect, the | II) If a mechlistMIC token was included but is incorrect, the | |||
| negotiation SHALL be terminated. GSS_Accept_sec_context() | negotiation SHALL be terminated. GSS_Accept_sec_context() | |||
| indicates GSS_S_DEFECTIVE_TOKEN. | indicates GSS_S_DEFECTIVE_TOKEN. | |||
| (III) If no mechlistMIC token was included and the mechlistMIC | III) If no mechlistMIC token was included and the mechlistMIC | |||
| token exchange is not required, GSS_Accept_sec_context() | token exchange is not required, GSS_Accept_sec_context() | |||
| indicates GSS_S_COMPLETE. The output negotiation message | indicates GSS_S_COMPLETE. The output negotiation message | |||
| contains an accept_complete state. | contains an accept_complete state. | |||
| (IV) In the case that the optimistic mechanism token is also the | IV) In the case that the optimistic mechanism token is also the | |||
| last mechanism token (when the initiator's preferred mechanism | last mechanism token (when the initiator's preferred | |||
| is accepted by the target) and the target sends a request-mic | mechanism is accepted by the target) and the target sends a | |||
| state but the initiator did not send a mechlistMIC token, the | request-mic state but the initiator did not send a | |||
| target then MUST include a mechlistMIC token in that first | mechlistMIC token, the target then MUST include a mechlistMIC | |||
| reply. GSS_Accept_sec_context() indicates | token in that first reply. GSS_Accept_sec_context() | |||
| GSS_S_CONTINUE_NEEDED. The initiator MUST verify the received | indicates GSS_S_CONTINUE_NEEDED. The initiator MUST verify | |||
| mechlistMIC token and generate a mechlistMIC token to send back | the received mechlistMIC token and generate a mechlistMIC | |||
| to the target. The target SHALL in turn verify the returned | token to send back to the target. The target SHALL, in turn, | |||
| mechlistMIC token and complete the negotiation. | verify the returned mechlistMIC token and complete the | |||
| negotiation. | ||||
| (V) If no mechlistMIC token was included and the acceptor sent a | V) If no mechlistMIC token was included and the acceptor sent a | |||
| request-mic state in the first reply message (the exchange of | request-mic state in the first reply message (the exchange of | |||
| MIC tokens is required), the negotiation SHALL be terminated. | MIC tokens is required), the negotiation SHALL be terminated. | |||
| GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN. | GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN. | |||
| 6. Extensibility | 6. Extensibility | |||
| Two mechanisms are provided for extensibility. First, the ASN.1 | Two mechanisms are provided for extensibility. First, the ASN.1 | |||
| structures in this specification MAY be expanded by IETF standards | structures in this specification MAY be expanded by IETF standards | |||
| action. Implementations receiving unknown fields MUST ignore these | action. Implementations receiving unknown fields MUST ignore these | |||
| fields. | fields. | |||
| Secondly, OIDs corresponding to a desired mechanism attribute (i.e., | Secondly, OIDs corresponding to a desired mechanism attribute (i.e., | |||
| mechanism variants) may be included in the set of preferred | mechanism variants) may be included in the set of preferred | |||
| mechanisms by an initiator. The acceptor can choose to honor this | mechanisms by an initiator. The acceptor can choose to honor this | |||
| request by preferring mechanisms that have the included attributes. | request by preferring mechanisms that have the included attributes. | |||
| Future work within the Kitten working group is expected to | Future work within the Kitten working group is expected to | |||
| standardize common attributes that SPNEGO mechanisms may wish to | standardize common attributes that SPNEGO mechanisms may wish to | |||
| support. At this time it is sufficient to say that initiators MAY | support. At this time, it is sufficient to say that initiators MAY | |||
| include OIDs that do not correspond to mechanisms. Such OIDs MAY | include OIDs that do not correspond to mechanisms. Such OIDs MAY | |||
| influence the acceptor's choice of mechanism. As discussed in | influence the acceptor's choice of mechanism. As discussed in | |||
| Section 5, if there are mechanisms that if present in the initiator's | Section 5, if there are mechanisms that, if present in the | |||
| list of mechanisms might be preferred by the acceptor to the | initiator's list of mechanisms, might be preferred by the acceptor | |||
| initiator's preferred mechanism, the acceptor MUST demand the MIC | instead of the initiator's preferred mechanism, the acceptor MUST | |||
| token exchange. As the consequence, acceptors MUST demand the MIC | demand the MIC token exchange. As the consequence, acceptors MUST | |||
| token exchange if they support negotiation of attributes not | demand the MIC token exchange if they support negotiation of | |||
| available in the initiator's preferred mechanism regardless of | attributes not available in the initiator's preferred mechanism, | |||
| whether the initiator actually requested these attributes. | regardless of whether the initiator actually requested these | |||
| attributes. | ||||
| 7. Security Considerations | 7. Security Considerations | |||
| In order to produce the MIC token for the mechanism list, the | In order to produce the MIC token for the mechanism list, the | |||
| mechanism must provide integrity protection. When the selected | mechanism must provide integrity protection. When the selected | |||
| mechanism does not support integrity protection, the negotiation is | mechanism does not support integrity protection, the negotiation is | |||
| vulnerable: an active attacker can force it to use a security | vulnerable: an active attacker can force it to use a security | |||
| mechanism that is not mutually preferred but is acceptable to the | mechanism that is not mutually preferred but is acceptable to the | |||
| target. | target. | |||
| This protocol provides the following guarantees when per-message | This protocol provides the following guarantees when per-message | |||
| integrity services are available on the established mechanism context | integrity services are available on the established mechanism | |||
| and the mechanism list was altered by an adversary such that a | context, and the mechanism list was altered by an adversary such that | |||
| mechanism which is not mutually preferred could be selected: | a mechanism that is not mutually preferred could be selected: | |||
| a) If the last mechanism token is sent by the initiator, both peers | a) If the last mechanism token is sent by the initiator, both peers | |||
| shall fail; | shall fail; | |||
| b) If the last mechanism token is sent by the acceptor, the acceptor | b) If the last mechanism token is sent by the acceptor, the acceptor | |||
| shall not complete and the initiator at worst shall complete with | shall not complete and the initiator, at worst, shall complete | |||
| its preferred mechanism being selected. | with its preferred mechanism being selected. | |||
| The negotiation may not be terminated if an alteration was made but | The negotiation may not be terminated if an alteration was made but | |||
| it had no material impact. | had no material impact. | |||
| The protection of the negotiation depends on the strength of the | The protection of the negotiation depends on the strength of the | |||
| integrity protection. In particular, the strength of SPNEGO is no | integrity protection. In particular, the strength of SPNEGO is no | |||
| stronger than the integrity protection of the weakest mechanism | stronger than the integrity protection of the weakest mechanism | |||
| acceptable to GSS-API peers. | acceptable to GSS-API peers. | |||
| Note that where there exist multiple mechanisms with similar context | Note that where there exist multiple mechanisms with similar context | |||
| tokens, but different semantics, such that some or all of the | tokens, but different semantics, such that some or all of the | |||
| mechanisms' context tokens can be easily altered so that one | mechanisms' context tokens can be easily altered so that one | |||
| mechanism's context tokens may pass for another of the similar | mechanism's context tokens may pass for another of the similar | |||
| mechanism's context tokens, then there may exist downgrade or similar | mechanism's context tokens, then there may exist a downgrade or | |||
| attacks. For example, if a given family of mechanisms uses the same | similar attacks. For example, if a given family of mechanisms uses | |||
| context token syntax for two or more variants and depends on the OID | the same context token syntax for two or more variants and depends on | |||
| in the initial token's pseudo-ASN.1/DER wrapper, but does not provide | the OID in the initial token's pseudo-ASN.1/DER wrapper, but does not | |||
| integrity protection for that OID, then there may exist an attack | provide integrity protection for that OID, then there may exist an | |||
| against those mechanisms. SPNEGO does not generally defeat such | attack against those mechanisms. SPNEGO does not generally defeat | |||
| attacks. | such attacks. | |||
| In all cases, the communicating peers are exposed to the denial of | In all cases, the communicating peers are exposed to the denial of | |||
| service threat. | service threat. | |||
| 8. IANA Considerations | 8. Acknowledgments | |||
| This document has no actions for IANA. | ||||
| 9. Acknowledgments | ||||
| The authors wish to thank Sam Hartman, Nicolas Williams, Ken Raeburn, | The authors wish to thank Sam Hartman, Nicolas Williams, Ken Raeburn, | |||
| Martin Rex, Jeff Altman, Tom Yu, Cristian Ilac, Simon Spero and Bill | Martin Rex, Jeff Altman, Tom Yu, Cristian Ilac, Simon Spero, and Bill | |||
| Sommerfeld for their comments and suggestions during development of | Sommerfeld for their comments and suggestions during the development | |||
| this document. | of this document. | |||
| Luke Howard provided a prototype of this protocol in Heimdal and | Luke Howard provided a prototype of this protocol in Heimdal and | |||
| resolved several issues in the initial draft. | resolved several issues in the initial version of this document. | |||
| Eric Baize and Denis Pinkas wrote the original SPNEGO specification | Eric Baize and Denis Pinkas wrote the original SPNEGO specification | |||
| [RFC2478] of which some of the text has been retained in this | [RFC2478] of which some of the text has been retained in this | |||
| document. | document. | |||
| 10. References | 9. References | |||
| 10.1 Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2743] Linn, J., "Generic Security Service Application Program | [RFC2743] Linn, J., "Generic Security Service Application Program | |||
| Interface Version 2, Update 1", RFC 2743, January 2000. | Interface Version 2, Update 1", RFC 2743, January 2000. | |||
| [X690] ASN.1 encoding rules: Specification of Basic Encoding | [X690] ASN.1 encoding rules: Specification of Basic Encoding Rules | |||
| Rules (BER), Canonical Encoding Rules (CER) and | (BER), Canonical Encoding Rules (CER) and Distinguished | |||
| Distinguished Encoding Rules (DER), ITU-T Recommendation | Encoding Rules (DER), ITU-T Recommendation X.690 (1997) | | |||
| X.690 (1997) | ISO/IEC International Standard 8825-1:1998. | ISO/IEC International Standard 8825-1:1998. | |||
| 10.2 Informative References | 9.2. Informative References | |||
| [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API | [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API | |||
| Negotiation Mechanism", RFC 2478, December 1998. | Negotiation Mechanism", RFC 2478, December 1998. | |||
| Authors' Addresses | ||||
| Larry Zhu | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| Email: lzhu@microsoft.com | ||||
| Paul Leach | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| Email: paulle@microsoft.com | ||||
| Karthik Jaganathan | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| Email: karthikj@microsoft.com | ||||
| Wyllys Ingersoll | ||||
| Sun Microsystems | ||||
| 1775 Wiehle Avenue, 2nd Floor | ||||
| Reston, VA 20190 | ||||
| US | ||||
| Email: wyllys.ingersoll@sun.com | ||||
| Appendix A. SPNEGO ASN.1 Module | Appendix A. SPNEGO ASN.1 Module | |||
| SPNEGOASNOneSpec { | SPNEGOASNOneSpec { | |||
| iso(1) identified-organization(3) dod(6) internet(1) | iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanism(5) snego (2) modules(4) spec2(2) | security(5) mechanism(5) snego (2) modules(4) spec2(2) | |||
| } DEFINITIONS EXPLICIT TAGS ::= BEGIN | } DEFINITIONS EXPLICIT TAGS ::= BEGIN | |||
| MechType ::= OBJECT IDENTIFIER | MechType ::= OBJECT IDENTIFIER | |||
| -- OID represents each security mechanism as suggested by | -- OID represents each security mechanism as suggested by | |||
| -- [RFC2743] | -- [RFC2743] | |||
| skipping to change at page 25, line 7 | skipping to change at page 17, line 12 | |||
| sequenceFlag (3), | sequenceFlag (3), | |||
| anonFlag (4), | anonFlag (4), | |||
| confFlag (5), | confFlag (5), | |||
| integFlag (6) | integFlag (6) | |||
| } (SIZE (32)) | } (SIZE (32)) | |||
| END | END | |||
| Appendix B. GSS-API Negotiation Support API | Appendix B. GSS-API Negotiation Support API | |||
| In order to provide to a GSS-API caller (either the initiator or the | In order to provide to a GSS-API caller (the initiator or the target | |||
| target or both) the ability to choose among the set of supported | or both) with the ability to choose among the set of supported | |||
| mechanisms a reduced set of mechanisms for negotiation, two | mechanisms, a reduced set of mechanisms for negotiation and two | |||
| additional APIs are defined: | additional APIs are defined: | |||
| o GSS_Get_neg_mechs() indicates the set of security mechanisms | o GSS_Get_neg_mechs() indicates the set of security mechanisms | |||
| available on the local system to the caller for negotiation, for | available on the local system to the caller for negotiation, for | |||
| which appropriate credentials are available. | which appropriate credentials are available. | |||
| o GSS_Set_neg_mechs() specifies the set of security mechanisms to be | o GSS_Set_neg_mechs() specifies the set of security mechanisms to be | |||
| used on the local system by the caller for negotiation, for the | used on the local system by the caller for negotiation, for the | |||
| given credentials. | given credentials. | |||
| B.1 GSS_Set_neg_mechs call | B.1. GSS_Set_neg_mechs Call | |||
| Inputs: | Inputs: | |||
| o cred_handle CREDENTIAL HANDLE, -- NULL specifies default | o cred_handle CREDENTIAL HANDLE, -- NULL specifies default | |||
| -- credentials | -- credentials | |||
| o mech_set SET OF OBJECT IDENTIFIER | o mech_set SET OF OBJECT IDENTIFIER | |||
| Outputs: | Outputs: | |||
| o major_status INTEGER, | o major_status INTEGER, | |||
| o minor_status INTEGER | o minor_status INTEGER | |||
| Return major_status codes: | Return major_status codes: | |||
| o GSS_S_COMPLETE indicates that the set of security mechanisms | o GSS_S_COMPLETE indicates that the set of security mechanisms | |||
| available for negotiation has been set to mech_set. | available for negotiation has been set to mech_set. | |||
| o GSS_S_FAILURE indicates that the requested operation could not be | o GSS_S_FAILURE indicates that the requested operation could not be | |||
| performed for reasons unspecified at the GSS-API level. | performed for reasons unspecified at the GSS-API level. | |||
| Allows callers to specify the set of security mechanisms that may be | This allows callers to specify the set of security mechanisms that | |||
| negotiated with the credential identified by cred_handle. This call | may be negotiated with the credential identified by cred_handle. | |||
| is intended for support of specialized callers who need to restrict | This call is intended to support specialized callers who need to | |||
| the set of negotiable security mechanisms from the set of all | restrict the set of negotiable security mechanisms from the set of | |||
| security mechanisms available to the caller (based on available | all security mechanisms available to the caller (based on available | |||
| credentials). Note that if more than one mechanism is specified in | credentials). Note that if more than one mechanism is specified in | |||
| mech_set, the order in which those mechanisms are specified implies a | mech_set, the order in which those mechanisms are specified implies a | |||
| relative preference. | relative preference. | |||
| B.2 GSS_Get_neg_mechs call | B.2. GSS_Get_neg_mechs Call | |||
| Input: | Input: | |||
| o cred_handle CREDENTIAL HANDLE -- NULL specifies default | o cred_handle CREDENTIAL HANDLE -- NULL specifies default -- | |||
| -- credentials | credentials | |||
| Outputs: | Outputs: | |||
| o major_status INTEGER, | o major_status INTEGER, | |||
| o minor_status INTEGER, | o minor_status INTEGER, | |||
| o mech_set SET OF OBJECT IDENTIFIER | o mech_set SET OF OBJECT IDENTIFIER | |||
| Return major_status codes: | Return major_status codes: | |||
| o GSS_S_COMPLETE indicates that the set of security mechanisms | o GSS_S_COMPLETE indicates that the set of security mechanisms | |||
| skipping to change at page 26, line 18 | skipping to change at page 18, line 25 | |||
| Outputs: | Outputs: | |||
| o major_status INTEGER, | o major_status INTEGER, | |||
| o minor_status INTEGER, | o minor_status INTEGER, | |||
| o mech_set SET OF OBJECT IDENTIFIER | o mech_set SET OF OBJECT IDENTIFIER | |||
| Return major_status codes: | Return major_status codes: | |||
| o GSS_S_COMPLETE indicates that the set of security mechanisms | o GSS_S_COMPLETE indicates that the set of security mechanisms | |||
| available for negotiation has been returned in mech_set. | available for negotiation has been returned in mech_set. | |||
| o GSS_S_FAILURE indicates that the requested operation could not be | o GSS_S_FAILURE indicates that the requested operation could not be | |||
| performed for reasons unspecified at the GSS-API level. | performed for reasons unspecified at the GSS-API level. | |||
| Allows callers to determine the set of security mechanisms available | This allows callers to determine the set of security mechanisms | |||
| for negotiation with the credential identified by cred_handle. This | available for negotiation with the credential identified by | |||
| call is intended for support of specialized callers who need to | cred_handle. This call is intended to support specialized callers | |||
| reduce the set of negotiable security mechanisms from the set of | who need to reduce the set of negotiable security mechanisms from the | |||
| supported security mechanisms available to the caller (based on | set of supported security mechanisms available to the caller (based | |||
| available credentials). | on available credentials). | |||
| Note: The GSS_Indicate_mechs() function indicates the full set of | Note: The GSS_Indicate_mechs() function indicates the full set of | |||
| mechanism types available on the local system. Since this call has | mechanism types available on the local system. Since this call has | |||
| no input parameter, the returned set is not necessarily available for | no input parameter, the returned set is not necessarily available for | |||
| all credentials. | all credentials. | |||
| Appendix C. Changes since RFC2478 | Appendix C. Changes since RFC2478 | |||
| SPNEGO implementations in Microsoft Windows 2000/Windows | SPNEGO implementations in Microsoft Windows 2000/Windows XP/Windows | |||
| XP/Windows Server 2003 have the following behavior: no mechlistMIC | Server 2003 have the following behavior: no mechlistMIC is produced | |||
| is produced and mechlistMIC is not processed if one is provided; | and mechlistMIC is not processed if one is provided; if the initiator | |||
| if the initiator sends the last mechanism token, the acceptor will | sends the last mechanism token, the acceptor will send back a | |||
| send back a negotiation token with an accept_complete state and no | negotiation token with an accept_complete state and no mechlistMIC | |||
| mechlistMIC token. In addition, an incorrect OID | token. In addition, an incorrect OID (1.2.840.48018.1.2.2) can be | |||
| (1.2.840.48018.1.2.2) can be used to identify the GSS-API Kerberos | used to identify the GSS-API Kerberos Version 5 mechanism. | |||
| Version 5 mechanism. | ||||
| The following changes have been made to be compatible with these | The following changes have been made to be compatible with these | |||
| legacy implementations. | legacy implementations. | |||
| * NegTokenTarg is changed to negTokenResp and it is the message | * NegTokenTarg is changed to negTokenResp and is the message format | |||
| format for all subsequent negotiation tokens. | for all subsequent negotiation tokens. | |||
| * NegTokenInit is the message for the initial negotiation message | ||||
| and that message only. | * NegTokenInit is the message for the initial negotiation message, | |||
| and only that message. | ||||
| * mechTypes in negTokenInit is not optional. | * mechTypes in negTokenInit is not optional. | |||
| * If the selected mechanism is also the most preferred mechanism | ||||
| for both peers, it is safe to omit the MIC tokens. | * If the selected mechanism is also the most preferred mechanism for | |||
| both peers, it is safe to omit the MIC tokens. | ||||
| If at least one of the two peers implements the updated pseudo | If at least one of the two peers implements the updated pseudo | |||
| mechanism in this document, the negotiation is protected. | mechanism in this document, the negotiation is protected. | |||
| The following changes are to address problems in RFC 2478. | The following changes are to address problems in RFC 2478. | |||
| * reqFlags is not protected therefore it should not impact the | * reqFlags is not protected, therefore it should not impact the | |||
| negotiation. | negotiation. | |||
| * DER encoding is required. | * DER encoding is required. | |||
| * GSS_GetMIC() input is clarified. | * GSS_GetMIC() input is clarified. | |||
| * Per-message integrity services are requested for the negotiated | * Per-message integrity services are requested for the negotiated | |||
| mechanism. | mechanism. | |||
| * Two MIC tokens are exchanged, one in each direction. | * Two MIC tokens are exchanged, one in each direction. | |||
| An implementation that conforms to this specification will not | An implementation that conforms to this specification will not | |||
| inter-operate with a strict 2748 implementation. Even if the new | inter-operate with a strict RFC 2748 implementation. Even if the new | |||
| implementation always sends a mechlistMIC token, it will still fail | implementation always sends a mechlistMIC token, it will still fail | |||
| to inter-operate. If it is a server, it will fail because it | to inter-operate. If it is a server, it will fail because it | |||
| requests a mechlistMIC token using an option that older | requests a mechlistMIC token using an option that older | |||
| implementations simply do not support. Clients will tend to fail as | implementations do not support. Clients will tend to fail as well. | |||
| well. | ||||
| As an alternative to the approach chosen in this specification, we | As an alternative to the approach chosen in this specification, we | |||
| could have documented a correct behavior that is fully backward | could have documented a correct behavior that is fully backward | |||
| compatible with RFC 2478 and included an appendix on how to | compatible with RFC 2478 and included an appendix on how to inter- | |||
| inter-operate with existing incorrect implementations of RFC 2478. | operate with existing incorrect implementations of RFC 2478. | |||
| As a practical matter, the SPNEGO implementers within the IETF have | As a practical matter, the SPNEGO implementers within the IETF have | |||
| valued interoperability with the Microsoft implementations. We were | valued interoperability with the Microsoft implementations. We were | |||
| unable to choose to maintain reasonable security guarantees, maintain | unable to choose to maintain reasonable security guarantees, to | |||
| interoperability with the Microsoft implementations and maintain | maintain interoperability with the Microsoft implementations, and to | |||
| interoperability with correct implementations of RFC 2478. The | maintain interoperability with correct implementations of RFC 2478. | |||
| working group was not aware of any RFC 2478 implementations deployed | ||||
| on the Internet. Even if there are such implementations, it is | The working group was not aware of any RFC 2478 implementations | |||
| unlikely that they will inter-operate because of a critical flaw in | deployed on the Internet. Even if there are such implementations, it | |||
| the description of the encoding of the mechanism list in RFC 2478. | is unlikely that they will inter-operate because of a critical flaw | |||
| in the description of the encoding of the mechanism list in RFC 2478. | ||||
| With the approach taken in this specification, security is ensured | With the approach taken in this specification, security is ensured | |||
| between new implementations all the time while maintaining | between new implementations all the time while maintaining | |||
| interoperability with the implementations deployed within the IETF | interoperability with the implementations deployed within the IETF | |||
| community. The working group believes that this justifies breaking | community. The working group believes that this justifies breaking | |||
| compatibility with a correct implementation of RFC 2478. | compatibility with a correct implementation of RFC 2478. | |||
| Appendix D. mechListMIC Computation Example | Appendix D. mechListMIC Computation Example | |||
| The following is an example to illustrate how the mechListMIC field | The following is an example to illustrate how the mechListMIC field | |||
| skipping to change at page 30, line 5 | skipping to change at page 21, line 8 | |||
| MechTypeList data from the initiator's NegTokenInit token as input to | MechTypeList data from the initiator's NegTokenInit token as input to | |||
| the GSS_GetMIC() function. In this case, the MIC would be computed | the GSS_GetMIC() function. In this case, the MIC would be computed | |||
| over the following octets: | over the following octets: | |||
| DER encoding of MechTypeList: | DER encoding of MechTypeList: | |||
| 30 nn 06 09 2A 86 48 86 F7 12 01 02 02 ... | 30 nn 06 09 2A 86 48 86 F7 12 01 02 02 ... | |||
| Note that the identifier octet and length octet(s) for constructed | Note that the identifier octet and length octet(s) for constructed | |||
| [0] (A0 nn) are not included in the MIC computation. | [0] (A0 nn) are not included in the MIC computation. | |||
| Intellectual Property Statement | Authors' Addresses | |||
| Larry Zhu | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| EMail: lzhu@microsoft.com | ||||
| Paul Leach | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| EMail: paulle@microsoft.com | ||||
| Karthik Jaganathan | ||||
| Microsoft Corporation | ||||
| One Microsoft Way | ||||
| Redmond, WA 98052 | ||||
| US | ||||
| EMail: karthikj@microsoft.com | ||||
| Wyllys Ingersoll | ||||
| Sun Microsystems | ||||
| 1775 Wiehle Avenue, 2nd Floor | ||||
| Reston, VA 20190 | ||||
| US | ||||
| EMail: wyllys.ingersoll@sun.com | ||||
| Full Copyright Statement | ||||
| Copyright (C) The Internet Society (2005). | ||||
| This document is subject to the rights, licenses and restrictions | ||||
| contained in BCP 78, and except as set forth therein, the authors | ||||
| retain all their rights. | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Intellectual Property | ||||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
| found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
| Copies of IPR disclosures made to the IETF Secretariat and any | Copies of IPR disclosures made to the IETF Secretariat and any | |||
| assurances of licenses to be made available, or the result of an | assurances of licenses to be made available, or the result of an | |||
| attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at | this standard. Please address the information to the IETF at ietf- | |||
| ietf-ipr@ietf.org. | ipr@ietf.org. | |||
| Disclaimer of Validity | ||||
| This document and the information contained herein are provided on an | ||||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | ||||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | ||||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ||||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | ||||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | ||||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| Copyright Statement | ||||
| Copyright (C) The Internet Society (2005). This document is subject | ||||
| to the rights, licenses and restrictions contained in BCP 78, and | ||||
| except as set forth therein, the authors retain all their rights. | ||||
| Acknowledgment | Acknowledgement | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| End of changes. 109 change blocks. | ||||
| 374 lines changed or deleted | 361 lines changed or added | |||
This html diff was produced by rfcdiff 1.27, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||