1 / 9

GSSAPI-CFX

GSSAPI-CFX. Larry Zhu Microsoft Corporation IETF 58. Goals. Support cryptosystem framework Support AES enctypes in GSSAPI Backward compatible with existing apps Interoperability. Status of the draft. Latest revision draft-ietf-krb-wg-gssapi-cfx-03.txt Submitted on 10/26/2003

amity
Download Presentation

GSSAPI-CFX

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GSSAPI-CFX Larry Zhu Microsoft Corporation IETF 58

  2. Goals • Support cryptosystem framework • Support AES enctypes in GSSAPI • Backward compatible with existing apps • Interoperability

  3. Status of the draft • Latest revision • draft-ietf-krb-wg-gssapi-cfx-03.txt • Submitted on 10/26/2003 • Design team Ken Raeburn, Nicolas Williams, Sam Hartman, Karthik Jaganathan, Larry Zhu, Paul Leach et al

  4. Open issues in draft -03 • Generic token framing in per-message tokens (call for consensus) • MUST vs SHOULD: acceptor-asserted-subkey (resolved) • List of “not-newer” enctypes: name and values (resolved)

  5. Questions and Comments

  6. Kcrypto Enctypes des-cbc-crc 1 6.2.3 des-cbc-md4 2 6.2.2 des-cbc-md5 3 6.2.1 [reserved] 4 des3-cbc-md5 5 [reserved] 6 des3-cbc-sha1 7 dsaWithSHA1-CmsOID 9 (pkinit) md5WithRSAEncryption-CmsOID 10 (pkinit) sha1WithRSAEncryption-CmsOID 11 (pkinit) rc2CBC-EnvOID 12 (pkinit) rsaEncryption-EnvOID 13 (pkinit from PKCS#1 v1.5) rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 v2.0) des-ede3-cbc-Env-OID 15 (pkinit) des3-cbc-sha1-kd 16 6.3 * aes128-cts-hmac-sha1-96 17 [KRB5-AES] * aes256-cts-hmac-sha1-96 18 [KRB5-AES] rc4-hmac 23 (Microsoft)

  7. What is new (from 1964) • Directional keys • 64bit sequence numbers • Generic token framing • New token IDs 0404 for MIC tokens, 0504 for Wrap tokens • Direction indicator as a single flag bit • “Extra Count” • Right Rotation Count • Empty context deletion tokens

  8. What is new (cont’d) • Acceptor asserted subkey • Token ID assignment considerations • Handling of unknown token IDs

  9. Inherited from 1964 Everything else, with minor improvements: • Delegation KRB_CRED MUST be encrypted in session key • Channel binding encoding clarified

More Related