PKU2U – A peer2peer GSS-API mechanism based on PKINIT
Larry Zhu, Microsoft, IETF67
Motivation
• PKINIT allows Kerberos to use asymmetric keys
• No hierarchical trust in peer-to-peer environments, i.e. no KDC
• No interoperable GSS-API mechanism using public keys
Previous/Related Work
• PKDA - Public key based Kerberos for Distributed Authentication
  • requires Kerberos extensions
• PKTAPP - Public Key Utilizing Tickets for Application Servers
  • LTGS (local TGS) uses port 88
PKU2U
• Public Key based User to User authentication protocol
• Uses PKINIT (RFC 4556) and Kerberos (RFC 4120) messages
• Replaces the KDC with the application server
• All traffic tunneled in GSS-API context tokens
• Uses RFC 4121 for all GSS-API primitives
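Added example (not code from the slides, the draft or the Microsoft prototype): a Python model of the four-token exchange the slide describes. The application server plays the KDC, so the PKINIT AS exchange (AS-REQ with PA-PK-AS-REQ, AS-REP with PA-PK-AS-REP) and the ordinary AP exchange (AP-REQ, AP-REP) run directly between client and server, each message being the payload of a GSS-API context token. Everything not on the slide is an assumption of the example: the toy DH group, the HMAC stand-ins for the CMS signatures of RFC 4556 and the RFC 3961 encryption of RFC 4120, the TRUST table playing the role of CA-validated certificates, and the constructed principal names.

```python
"""Toy walk-through of the PKU2U exchange with the application server
acting as its own KDC.  Constructed example; assumptions (not from the
slides): toy DH group, HMAC stand-ins for CMS signatures and RFC 3961
encryption, TRUST table in place of X.509 certificate validation."""
import hashlib, hmac, json, secrets

P = (1 << 127) - 1   # toy 127-bit Mersenne prime, demo only (assumption)
G = 2
TRUST = {"alice@EXAMPLE.COM": b"alice-signing-secret",    # stand-in for certs
         "host/pc.example.com": b"pc-signing-secret"}     # (constructed names)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

def sign(secret: bytes, obj) -> str:
    """Stand-in for the CMS signature over the PKINIT AuthPack / DH reply."""
    return hmac.new(secret, canon(obj), "sha256").hexdigest()

def verify(name: str, obj, sig: str) -> bool:
    return name in TRUST and hmac.compare_digest(sign(TRUST[name], obj), sig)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(h(key, nonce, i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key: bytes, obj) -> dict:
    """Encrypt-then-MAC stand-in for an RFC 3961 EncryptedData."""
    pt, nonce = canon(obj), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return {"nonce": nonce.hex(), "ct": ct.hex(),
            "tag": hmac.new(key, nonce + ct, "sha256").hexdigest()}

def unseal(key: bytes, blob: dict):
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").hexdigest(), blob["tag"]):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class Client:
    def __init__(self, name: str, sname: str):
        self.name, self.sname = name, sname

    def as_req(self) -> dict:
        """Token 1: KRB-AS-REQ with PA-PK-AS-REQ, sent to the server instead of a KDC."""
        self.x, self.nonce = secrets.randbelow(P - 2) + 1, secrets.randbits(32)
        self.body = {"cname": self.name, "sname": self.sname, "nonce": self.nonce}
        authpack = {"dh_pub": pow(G, self.x, P), "body_cksum": h(canon(self.body)).hex()}
        pa = {"signer": self.name, "authpack": authpack, "sig": sign(TRUST[self.name], authpack)}
        return {"msg": "AS-REQ", "body": self.body, "pa_pk_as_req": pa}

    def ap_req(self, as_rep: dict) -> dict:
        """Token 3: verify the AS-REP, derive the reply key, build a normal KRB-AP-REQ."""
        pa = as_rep["pa_pk_as_rep"]
        if not verify(self.sname, pa["dh_reply"], pa["sig"]):
            raise ValueError("server DH reply not signed by the expected server")
        reply_key = h(b"pkinit-dh", str(pow(pa["dh_reply"]["dh_pub"], self.x, P)).encode())
        enc = unseal(reply_key, as_rep["enc_part"])
        if enc["nonce"] != self.nonce or enc["sname"] != self.sname:
            raise ValueError("AS-REP does not match our AS-REQ")
        self.session_key = bytes.fromhex(enc["session_key"])
        self.auth = {"cname": self.name, "ctime": 1163700000, "seq": 1}  # fixed time for the demo
        return {"msg": "AP-REQ", "ticket": as_rep["ticket"],
                "authenticator": seal(self.session_key, self.auth)}

    def finish(self, ap_rep: dict) -> bytes:
        """Token 4 check: AP-REP must echo our authenticator time (mutual authentication)."""
        if unseal(self.session_key, ap_rep["enc_part"])["ctime"] != self.auth["ctime"]:
            raise ValueError("AP-REP ctime mismatch")
        return self.session_key

class Server:
    def __init__(self, name: str):
        self.name = name
        self.ticket_key = secrets.token_bytes(32)  # known only to the server: it issues tickets to itself

    def as_rep(self, as_req: dict) -> dict:
        """Token 2: act as the KDC for our own service name."""
        body, pa = as_req["body"], as_req["pa_pk_as_req"]
        if body["sname"] != self.name or pa["signer"] != body["cname"]:
            raise ValueError("AS-REQ not for this server, or signer/cname mismatch")
        if not verify(pa["signer"], pa["authpack"], pa["sig"]):
            raise ValueError("bad client signature")
        if pa["authpack"]["body_cksum"] != h(canon(body)).hex():
            raise ValueError("KDC-REQ-BODY does not match the signed checksum")
        y = secrets.randbelow(P - 2) + 1
        reply_key = h(b"pkinit-dh", str(pow(pa["authpack"]["dh_pub"], y, P)).encode())
        session_key = secrets.token_bytes(32)
        ticket = seal(self.ticket_key, {"cname": body["cname"], "session_key": session_key.hex()})
        dh_reply = {"dh_pub": pow(G, y, P), "client_nonce": body["nonce"]}
        enc_part = {"session_key": session_key.hex(), "nonce": body["nonce"], "sname": self.name}
        return {"msg": "AS-REP", "ticket": ticket, "enc_part": seal(reply_key, enc_part),
                "pa_pk_as_rep": {"dh_reply": dh_reply, "sig": sign(TRUST[self.name], dh_reply)}}

    def ap_rep(self, ap_req: dict) -> dict:
        """Token 4: consume the ticket we issued ourselves and check the authenticator."""
        tkt = unseal(self.ticket_key, ap_req["ticket"])
        self.session_key = bytes.fromhex(tkt["session_key"])
        auth = unseal(self.session_key, ap_req["authenticator"])
        if auth["cname"] != tkt["cname"]:
            raise ValueError("authenticator cname does not match ticket")
        return {"msg": "AP-REP", "enc_part": seal(self.session_key,
                                                  {"ctime": auth["ctime"], "seq": auth["seq"]})}

def run_pku2u(cname="alice@EXAMPLE.COM", sname="host/pc.example.com"):
    """Drive the four tokens end to end; returns (client_key, server_key, message names)."""
    c, s = Client(cname, sname), Server(sname)
    t1 = c.as_req(); t2 = s.as_rep(t1); t3 = c.ap_req(t2); t4 = s.ap_rep(t3)
    return c.finish(t4), s.session_key, [t["msg"] for t in (t1, t2, t3, t4)]

if __name__ == "__main__":
    ck, sk, msgs = run_pku2u()
    print(msgs, "session key agreed:", ck == sk)
```

The point to notice is in Server.as_rep and Server.ap_rep: the ticket is sealed under a key nobody else holds, because the only consumer of the ticket is the server that minted it. That is what makes the KDC disappear, and it is also why the client must bind its AS-REQ body to the signed AuthPack (body_cksum) and check the nonce and sname in the AS-REP, since there is no third party to vouch for either side. Once both ends hold session_key, the RFC 4121 wrap and MIC tokens proceed exactly as for ordinary Kerberos.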
Progress and Open Issues
• A draft is available now (to be submitted)
• A working prototype is available
• Works well with SPNEGO (RFC 4178), useful for application migration
• Supports the following name forms
  • Kerberos principal name / user principal name
  • Host-based service name
• Additional name forms may be needed
PKU2U as a TLS Mechanism
• SPNEGO-TLS
  • Key exchange is SPNEGO/PKU2U
  • To be presented by Stefan Santesson in the TLS working group
• Negotiation of GSS-API mechanisms handled by SPNEGO
• New TLS cipher suites:
  TLS_SPNEGO_WITH_AES_128_CBC_SHA
  TLS_SPNEGO_WITH_AES_256_CBC_SHA