• Use of X.509v3 Public Key Certificates for DCE client authentication to the KDC.
  
• Use of Cryptographic Message Standard (CMS) for digitally signing and enveloping parts of Kerberos authentication flows.
  
• Isolation of the public key certificate and CMS functionality under a pluggable (DLL) component, the pkinit_cms_* functions.
  
• Support for smart cards and delivery of a software smart card in the reference implementation of pkinit_cms_*.
  
• "PKI-neutral" implementation that supports multiple PKIs.

1. Introduction *

2. Target *

3. Goals and Non-Goals *

4. Terminology *

5. Requirements *

6. Functional Definition *

7. Data Structures *

8. User Interfaces *

9. APIs and Interfaces *

10. Remote Interfaces *

11. Management Interfaces *

12. Restrictions and Limitations *

13. Other Component Dependencies *

14. Compatibility *

15. Standards *

16. Open Issues *

References *

Authors' Addresses *

Figure 1: SIMC Example *

The authentication information and protocol are based on the PK-INIT Kerberos protocol [DRAFT-PKINIT]. The reference implementation of this RFC requires that the authenticating user’s or programmatic entity’s signature and encryption certificates and corresponding private keys be stored in a smart card. This provides a standard place to look for the certificates and keys, thus avoiding several problems associated with proprietary "key ring" implementations. In addition to acting as a secure store for the certificates and keys, the smart card is used to perform the cryptographic operations required for certificate-based login. That is, signature generation and verification operations, and public key "wrapping" of symmetric cryptographic keys. The reference implementation of this RFC will provide a software implementation of a smart card that is accessed through the Common Data Security Architecture [CDSA] framework. CDSA supports smart cards that support the Public-Key Cryptographic Standard (PKCS) Number 11 [PKCS 11]. Note that the smart card support is embedded in the reference implementation’s pkinit_cms_* DLL.

Public key certificate-based signed and encrypted (a.k.a. enveloped) messages that are transported in the [DRAFT-PKINIT] protocol are formatted using the Cryptographic Message Syntax (CMS—see [DRAFT-CMS]). CMS is an open standard derived from PKCS Number 7 Version 1.5. CMS standardization is under the charter of the IETF Secure/MIME Working Group. CMS software development kits (SDKs) are available in the public domain and multiple vendors. This RFC defines a pkinit_cms_* abstraction layer that handles all required CMS functions. The reference implementation of this RFC provides a pkinit_cms_* based on the S/MIME Freeware Library (see [DRAFT-SFL]) and CDSA.

1. The public key login protocol is one of the protocols specified in [DRAFT-PKINIT], extended with support for Cryptographic Message Syntax (CMS) formatted messages. This enhancement to [DRAFT-PKINIT] was submitted to the IETF Common Authentication Technology (CAT) Working Group at the IETF’s meeting in March 1998. The CAT WG accepted the proposal and is incorporating it into [DRAFT-PKINIT].
   
2. CMS functions are provided by the new pkinit_cms_* function. The reference implementation of pkinit_cms_* is built using a combination of the S/MIME Freeware Library [DRAFT-SFL] that uses the CDSA Framework for its underlying cryptographic, certificate and data services, including smart card-based services.

 

3. Users’ public keys are no longer stored in the DCE Registry. They are obtained from users’ X.509v3 public key certificates.

 

4. A secure credential acquisition service is introduced to enable flexible mapping of users’ Distinguished Names (DNs) [IETF 1779] embodied in their certificates to DCE Extended Privilege Attribute Certificates (EPACs).

 

5. Asymmetric key-pair generation, certificate creation, revocation, etc. are to be handled by an installation’s PKI. DCE is "PKI-neutral" though its use of the pkinit_cms_* function.

1. Allow users to use an X.509v3 signature certificate and its associated private key rather than a shared secret to prove their identity to the DCE Key Distribution Center.
   
2. Provide a standards-based mutual authentication protocol between the user and the DCE Key Distribution Center.
   
3. The protocol must not require private keys to be stored in the DCE Registry or to be transmitted across the wire protected by a password-derived key.
   
4. Ease recovery from a compromise of the DCE Key Distribution Center.
   
5. Allow for use of public key algorithms that need not be RSA through the use of the pkinit_cms_* component.
   
6. Allow for integration with multiple PKIs by isolating PKI-specifics underneath the pkinit_cms_*.
   
7. Implement the certificate-based DCE Login in such a manner as to be fully exportable without requiring a separate export version of keys and/or cryptographic mechanisms.
   
8. Improve the scalability of public key certificate-based authentication systems.
   

The DCE login APIs (sec_login_validate_identity(), sec_login_valid_and_cert_ident(), and sec_login_validate_first()) attempt to use this protocol initially by default as long as Public Key authentication information can be constructed. If Public Key authentication information can not be constructed, then the default for the initial attempt is the OSF DCE Third Party protocol. If OSF DCE Third Party authentication information can not be constructed, then the default for the initial attempt is the Timestamps protocol (for which information can always be constructed).

If the initial public key login attempt fails, then the sec_login code falls back to the existing symmetric key password-based authentication, unless the KDC error information indicates that the principal is required to use public key pre-authentication. Sites that do not wish to allow any fall-back must not have a principal defined in the DCE Registry (Rgy). The value of such a principal name would be equal to the Common Name (CN) portion of the client’s DN. Therefore, it can be seen that a potential for "name space collisions" is possible. However, this is a transient problem. As an installation moves towards certificates for authentication and LDAP for holding credentials, old-style principals will be eliminated from Rgy.

The authentication information is transmitted in the pre-authentication data fields of the standard Kerberos V5 KRB_AS_REQ and KRB_AS_REP messages [IETF 1510] as new PA-PK-AS-REQ (Type 14) and PA-PK-AS-REP (Type 15) pre-authentication data types.

The "TP can be built" column indicates whether a Third-Party PADATA structure can be built by the sec_login client code.

The "PK can be built" column indicates whether Public Key Protocol information can be built by the sec_login client code. This can be built only if the client has a smart card and if the supplied passphrase is valid for gaining access to that smart card.

The "PADATA sent" column indicates which PADATA types are sent in the KRB_AS_REQ, and in what order.

The "PADATA verified" column indicates which PADATA type must pass verification in order for a TGT to be returned and which protocol will be used for the PADATA in the KRB_AS_REP. If there is no possibility of a TGT to be returned, the column indicates "None".

The client process creates a CMS SignedData object, using the pkinit_cms_sign_as_req function. The encapsulated signed message (PkAuthenticator) includes the identity of the KDC, a time stamp and a nonce. The signature is done with the client’s private digital signature key. This SignedData object is sent to the KDC along with the client’s signature and encryption certificates as the contents of the PADATA (Type 14) field of a standard KRB_AS_REQ message. The client’s identity is part of the existing KRB_AS_REQ message. It is an [IETF 1779] Distinguished Name (DN).

The KDC uses pkinit_cms_* functions to:

The KDC verifies that the client’s signature certificate matches the signerInfos.issuerAndSerialNumber. The KDC then checks the time stamp. If the time stamp is sufficiently current, the KDC builds the Kerberos KRB_AS_REP message in which the PA-PK-AS-REP (Type 15) PADATA field contains a random symmetric reply key (replyKey) and the client’s nonce. The reply key and client nonce are first signed using the KDC’s private digital signature key, then encrypted using a temporary random symmetric key (tmpKey). This temporary random symmetric key is encrypted with the client’s public key-encipherment key. The combination of symmetrically encrypted signed data and asymmetrically encrypted key is called digital enveloping. The reply key is used to encrypt the encrypted portion of the standard KRB_AS_REP, which includes the symmetric session key associated with the TGT. The KDC includes its signature certificate in the PADATA field of the response. The client’s verified DN is returned in the cname field of the ticket.

Note that it is the intent of the authors to register a new authorization data type (ad-type) with the IETF CAT WG, tentatively named OSF-DCE-PKI-CRED, that can be used in conjunction with tickets for future use. It is also the intent to ensure that DCE properly handles the optional authorization-data field of Kerberos tickets. The ASN.1 definition is

DCE should ensure that it processes those ad-types it understands, and passes through those it does not.

pkinit_cms_* functions will be used to construct both encSignedReplyKeyPack and encTmpKeyPack.

The TGT is passed in the standard KRB_AS_REP ticket field. The TGT is returned without additional encryption (portions of it were encrypted by the KDC) since it is subsequently used in the clear by the client. The symmetric session key used in association with the TGT is returned in the standard EncKDCRepPart field of the KRB_AS_REP message. This EncKDCRepPart field is encrypted using the reply key (replyKey) returned in the signed and encrypted authentication data from the KDC.

During login operations, including dce_login and dcecp> login, the string entered as the password value is used first as a passphrase in an attempt to access the pkinit_cms_* functions. If this failsthen the string is used as a DCE shared-secret password.

Except for login operations, the dcecp -password option always refers to a user’s DCE shared-secret password.

A user’s pkinit_cms_* passphrase values may or may not match the DCE shared-secret password value.

The pkinit_cms_* set of APIs provide an abstraction layer for all Cryptographic Message Syntax (CMS) services required to build and consume all CMS-formatted content with the PA-PK-AS-REQ/REP PADATA portions of the Kerberos KRB_AS_REQ/REP messages. It is a design and implementation goal to package the pkinit_cms_* APIs in a DLL for maximum flexibility. As shown in "Figure 5: pkinit_cms_* Overview" below, the reference implementation provides a pkinit_cms_* built using the S/MIME Freeware Library and CDSA. Other pkinit_cms_* DLLs could be created using other CMS SDKs and used to augment or replace the reference implementation’s version. Note that the DLL packaging question depends on a satisfactory resolution of theTCB and exportability issues described in "16. O" below.

This API is called from the "CMS-ized" sec_psm_open() to unlock and initialize the underlying CMS functions, including the creation and return of a CMS handle that points to the CMS context.

This API is called from sec_psm_close() to perform cleanup operations, including deletion of the CMS context.

This API is called by the client’s krb5_pkinit_sign_as_req() to generate the CMS SignedData object as shown in "Figure 3: Detail of pkcs7SignedAuthPack (a CMS SignedData object)" above.

This server is called by the KDC’s krb5_pkinit_decode_as_req() to verify and parse the client’s CMS SignedData object.

This API is called by the KDC’s krb5_pkinit_sign_as_rep() to produce the CMS-formatted contents of the PA-PK-AS-REP portion of the Kerberos KRB_AS_REP message, as shown in "Figure 4: KDC-to-client response overview" above.

This API is called by the client’s krb5_pkinit_decode_as_rep() to decrypt and verify the output from the KDC’s pkinit_cms_sign_enc_as_rep().

By default, all OSF DCE v.r.m features are disabled in a cell originally configured with a release prior to OSF DCE v.r.m. Once software supporting DCE Public Key Login has been installed on all DCE Security Server replicas, public key functionality, along with other OSF DCE v.r.m functionality, can be enabled using the following dcecp command:

12.1.1. Export of Binary (Executable) Code

The S/MIME Freeware Library (SFL) is produced by J.G. Van Dyke & Associates, Inc. (http://www.jgvandyke.com). It’s available to organizations without paying any royalties or licensing fees.

1. Work is needed to ascertain feasibility of current DCE servers using shared secret key DCE Keytab files being able to use public key certificate-based login in addition to the current support.
   
2. Are current smart cards capable of holding at least two (potentially large) public key certificates and their corresponding private keys?
   
3. Work required to ensure integrity of Credential Acquisiion service as part of the Trusted Computing Base (TCB).
   
4. If the pkinit_cms_* function is implemented as a dynamic link library (DLL) in order to provide flexibility, there is no standard method across all DCE platforms to provide a "secure program load" facility to ensure the integrity of the pkinit_cms_* function. This is not a problem unique to pkinit_cms_*.
   
5. Exportability issues need to be investigated in the light of current S/MIME offerings. If pkinit_cms_* is packaged as a DLL, applications would have access to its encryption capabilities. Current S/MIME SDKs use 40-bit RC2 and 512-bit RSA keys for their exportable versions. This is insufficient for purposes of DCE authentication. The minimum should probably be set at Triple DES with 2048-bit RSA keys.
   
6. Need to verify smart card PKCS#11 (Cryptoki) functions to identify and select certificates and integrate with the sec_login+pkinit_cms_* process.
   
7. Need to investigate using the [XSSO-PAM] APIs for any identity mapping and credential acquisition functions.
   
8. Might want to consider building a "centralized smart card server" for the software smart card.