Preauth Framework and Common Extensions
Larry Zhu (Microsoft), Sam Hartman (MIT)
IETF67
Information Model for Preauth
• The reply key used to encrypt the KDC reply
• The strength of client authentication
• Whether the reply key has been used
• Whether the reply key has been replaced
• Whether the contents of the KDC reply can be verified by the client principal
• Whether the contents of the KDC reply can be verified by the client machine
Preauth Facilities
• Client-authentication
• Strengthening reply key
• Replacing reply key
• KDC-authentication
Common Extensions
• Combining keys
• KDC state management
• Pre-Authentication set
• Kerb FAST
• Authentication strength indication
Combining Keys
• KRB-FX-CF1()
• KRB-FX-CF2()
KDC state management
• Cookie, which is specific to a KDC
• Distributed cookie for replicated KDCs
Preauth set
• PA-AUTHENTICATION-SET ::= SEQUENCE OF PA-AUTHENTICATION-SET-ELEM
• PA-AUTHENTICATION-SET-ELEM ::= SEQUENCE {
      pa-type [1] Int32,        -- same as padata-type.
      pa-hint [2] OCTET STRING, -- hint data.
      ...
  }
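The PA-AUTHENTICATION-SET layout above, as an added example that is not from the slides or their authors: a bounds-checked decoder of the kind a client needs before acting on a set offered by a KDC, rejecting truncated or mis-tagged input. It assumes EXPLICIT context tags (the RFC 4120 module default), uses the tag numbers exactly as the slide gives them, and runs on a constructed sample; the function names are illustrative.

```python
# Added example: decoder for PA-AUTHENTICATION-SET as laid out on the slide.
# Assumptions: EXPLICIT context tags, definite-length DER, slide's tag numbers.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length element."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F                       # number of length octets
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def unwrap(value, want):
    """Contents of the single inner element of an EXPLICIT tag."""
    inner, end = expect(value, 0, want)
    if end != len(value):
        raise ValueError("trailing bytes inside explicit tag")
    return inner

def parse_auth_set(der):
    body, end = expect(der, 0, 0x30)           # SEQUENCE OF
    if end != len(der):
        raise ValueError("trailing bytes after set")
    elems, pos = [], 0
    while pos < len(body):
        elem, pos = expect(body, pos, 0x30)    # PA-AUTHENTICATION-SET-ELEM
        t, p = expect(elem, 0, 0xA1)           # pa-type [1] Int32
        h, _ = expect(elem, p, 0xA2)           # pa-hint [2]; "..." fields ignored
        pa_type = int.from_bytes(unwrap(t, 0x02), "big", signed=True)
        elems.append((pa_type, unwrap(h, 0x04)))
    return elems

# Constructed sample: (pa-type 2, empty hint) and (pa-type 138, hint b"hi")
SAMPLE = bytes.fromhex("30193009a103020102a2020400300ca1040202008aa20404026869")
```

`parse_auth_set(SAMPLE)` yields the two (pa-type, pa-hint) pairs in the order the KDC listed them; any length that overruns its container raises `ValueError` instead of returning a partial set.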
KERB FAST
• KrbFastReq ::= SEQUENCE {
      fast-options [0] FastOptions,
      padata       [1] SEQUENCE OF PA-DATA,
      timestamp    [2] KerberosTime,
      usec         [3] Microseconds,
      req-nonce    [4] OCTET STRING,
      ...
  }
KERB-FAST continued
KrbFastResponse ::= SEQUENCE {
    padata    [1] SEQUENCE OF PA-DATA,
    finish    [2] KrbFastFinish OPTIONAL,
    rep-nonce [3] OCTET STRING,
    ...
}