draft-ietf-kitten-gssapi-channel-bindings-02.txt   draft-ietf-kitten-gssapi-channel-bindings-03.txt 
KITTEN WG N. Williams KITTEN WG N. Williams
Internet-Draft Sun Internet-Draft Sun
Expires: December 28, 2006 June 26, 2006 Expires: August 28, 2008 February 25, 2008
Clarifications and Extensions to the GSS-API for the Use of Channel Clarifications and Extensions to the GSS-API for the Use of Channel
Bindings Bindings
draft-ietf-kitten-gssapi-channel-bindings-02.txt draft-ietf-kitten-gssapi-channel-bindings-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 34 skipping to change at page 1, line 34
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 28, 2006. This Internet-Draft will expire on August 28, 2008.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document clarifies and generalizes the GSS-API "channel This document clarifies and generalizes the Generic Security Services
bindings" facility. This document also specifies the format of the Application Programming Interface (GSS-API) "channel bindings"
various types of channel bindings. facility, and imposes requirements on future GSS-API mechanisms and
programming language bindings of the GSS-API.
Table of Contents Table of Contents
1. Conventions used in this document . . . . . . . . . . . . . . 3 1. Conventions used in this document . . . . . . . . . . . . . . . 3
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. New Requirements for GSS-API Mechanisms . . . . . . . . . . . . 4
3. Generic Structure for GSS-API Channel Bindings . . . . . . . . 5 3. Generic Structure for GSS-API Channel Bindings . . . . . . . . 5
3.1. Proper Mechanism Use of Channel Bindings . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
4. Channel Bindings for SSHv2 . . . . . . . . . . . . . . . . . . 6 5. Normative References . . . . . . . . . . . . . . . . . . . . . 7
4.1. GSS_Make_sshv2_channel_bindings() . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 7 Intellectual Property and Copyright Statements . . . . . . . . . . 9
5. Channel Bindings for TLS . . . . . . . . . . . . . . . . . . . 8
5.1. GSS_Make_tls_channel_bindings() . . . . . . . . . . . . . 8
5.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 9
6. Channel Bindings for IPsec . . . . . . . . . . . . . . . . . . 10
6.1. GSS_Make_ipsec_channel_bindings() . . . . . . . . . . . . 10
6.1.1. C-Bindings . . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 12
8. Normative . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
Intellectual Property and Copyright Statements . . . . . . . . . . 15
1. Conventions used in this document 1. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Introduction 2. New Requirements for GSS-API Mechanisms
The concept of "channel bindings" and the abstract construction of
channel bindings for several types of channels are described in
[I-D.ietf-nfsv4-channel-bindings]
To actually use channel bindings in GSS-API aplications additional
details are required that are given below.
First the structure given to channel bindings data in [RFC2744] is
generalized to all of the GSS-API, not just its C-Bindings.
Then the actual construction of channel bindings to SSHv2, TLS and Given the publication of RFC5056 we now assert that all new GSS-API
IPsec channels is given. mechanisms that support channel binding MUST conform to [RFC5056].
3. Generic Structure for GSS-API Channel Bindings 3. Generic Structure for GSS-API Channel Bindings
The base GSS-API v2, update 1 specification [RFC2743]describes The base GSS-API v2, update 1 specification [RFC2743] provides a
channel bindings as an OCTET STRING and leaves it to the GSS-API v2, facility for channel binding. It models channel bindings as an OCTET
update 1 C-Bindings specification to specify the structure of the STRING and leaves it to the GSS-API v2, update 1 C-Bindings
contents of the channel bindings OCTET STRINGs. The C-Bindings specification to specify the structure of the contents of the channel
specification [RFC2744]then defines, in terms of C, what should be bindings OCTET STRINGs. The C-Bindings specification [RFC2744]then
generic structure for channel bindings. The Kerberos V GSS mechanism defines, in terms of C, what should have been a generic structure for
[RFC1964]then defines a method for encoding GSS channel bindings in a channel bindings. The Kerberos V GSS mechanism [RFC1964]then defines
way that is independent of the C-Bindings! a method for encoding GSS channel bindings in a way that is
independent of the C-Bindings -- otherwise the mechanism's channel
binding facility would not be useable with other language bindings.
In other words, the structure of GSS channel bindings given in In other words, the structure of GSS channel bindings given in
[RFC2744] is actually generic, rather than specific to the C [RFC2744] is actually generic, rather than specific to the C
programming language. programming language.
Here, then, is a generic re-statement of this structure, in pseudo- Here, then, is a generic re-statement of this structure, in pseudo-
ASN.1: ASN.1:
GSS-CHANNEL-BINDINGS := SEQUENCE { GSS-CHANNEL-BINDINGS := SEQUENCE {
initiator-address-type INTEGER, initiator-address-type INTEGER,
initiator-address OCTET STRING, initiator-address OCTET STRING,
acceptor-address-type INTEGER, acceptor-address-type INTEGER,
acceptor-address OCTET STRING, acceptor-address OCTET STRING,
application-data OCTET STRING, application-data OCTET STRING,
} }
The values for the address fields are described in [RFC2744]. The values for the address fields are described in [RFC2744].
Language-specific bindings of the GSS-API should specify a language- New language-specific bindings of the GSS-API SHOULD specify a
specific formulation of this structure. language-specific formulation of this structure.
3.1. Proper Mechanism Use of Channel Bindings
As described in [I-D.ietf-nfsv4-channel-bindings], GSS mechanisms
should exchange integrity protected proofs of channel bindings, where
the proof is obtained by running a strong hash of the channel
bindings data (encoded as per some mechanism-specific, such as in
[RFC1964]) and a binary value to represent the initiator->acceptor,
and opposite, direction.
The encoding of channel bindings used in [RFC1964], with the addition
of a binary value as described above, and the substitution of
stronger hash functions (or even the identity function) for MD5 is a
reasonable, generic encoding of GSS-CHANNEL-BINDINGS that any future
GSS mechanisms can use.
4. Channel Bindings for SSHv2
The SSHv2 channel bindings are constructed as an octet string for the
'application-data' field of the channel bindings by concatenating the
following values and in this order:
1. The ASCII string "GSS SSHv2 CB:"
2. Four octet network byte order length of the SSHv2 session ID
3. The SSHv2 session ID
4. Any additional application-provided data, encoded as the DER
encoding of an ASN.1 OCTET STRING
4.1. GSS_Make_sshv2_channel_bindings()
Inputs:
o session_id OCTET STRING,
o additional_app_data OCTET STRING
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o channel_bindings_app_data OCTET STRING
Return major_status codes:
o GSS_S_COMPLETE indicates no error.
o GSS_S_FAILURE indicates failure to construct the channel bindings
as a result, perhaps, of a memory management, or similar failure.
This function constructs an OCTET STRING for use as the value of the
application-data field of the GSS-CHANNEL-BINDINGS structure
described above.
4.1.1. C-Bindings
OM_uint32 gss_make_sshv2_channel_bindings(
OM_uint32 *minor_status,
const gss_buffer_t session_id,
const gss_buffer_t additional_app_data,
gss_buffer_t channel_bindings_app_data
);
5. Channel Bindings for TLS
The TLS channel bindings are constructed as an octet string for the
'application-data' field of the channel bindings by concatenating the
following values and in this order:
1. The ASCII string "GSS TLSv1.0 CB:"
2. The output of the TLS PRF as applied to a constant octet string
(TBD) (number of octets also to be determined).
3. Any additional application-provided data, encoded as the DER
encoding of an ASN.1 OCTET STRING
5.1. GSS_Make_tls_channel_bindings()
Inputs:
o prf_output OCTET STRING,
o additional_app_data OCTET STRING
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o channel_bindings_app_data OCTET STRING
Return major_status codes:
o GSS_S_COMPLETE indicates no error.
o GSS_S_FAILURE indicates failure to construct the channel bindings
as a result, perhaps, of a memory management, or similar failure.
This function constructs an OCTET STRING for use as the value of the
application-data field of the GSS-CHANNEL-BINDINGS structure
described above.
5.1.1. C-Bindings
OM_uint32 gss_make_tls_channel_bindings(
OM_uint32 *minor_status,
const gss_buffer_t prf_octets,
const gss_buffer_t additional_app_data,
gss_buffer_t channel_bindings_app_data
);
6. Channel Bindings for IPsec
The IPsec channel bindings are constructed as an octet string for the
'application-data' field of the channel bindings by concatenating the
following values and in this order:
1. The ASCII string "GSS IPsec CB:"
2. The transform ID for encryption, as a 16-bit big-endian word
3. The transform ID for integrity protection, as 16-bit in big-
endian word
4. Length (four octet, network byte order) and value of the local
IKE ID (may be a PUBLICKEY ID[I-D.ietf-btns-core])
5. Length (four octet, network byte order) and value of the peer IKE
(may be a PUBLICKEY ID [I-D.ietf-btns-core]
6. Any additional application-provided data, encoded as the DER
encoding of an ASN.1 OCTET STRING
See also: [I-D.ietf-btns-connection-latching]
Note that traffic selectors are not included. Inclusion of
confidentiality/integrity algorithms protects against MITMs that can
compromise weaker algorithms that policy might permit, for the same
peers, for other traffic.
6.1. GSS_Make_ipsec_channel_bindings()
Inputs:
o encr_alg INTEGER,
o integ_alg INTEGER,
o initiator_id OCTET_STRING,
o acceptor_id OCTET_STRING,
o additional_app_data OCTET STRING
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o channel_bindings_app_data OCTET STRING
Return major_status codes:
o GSS_S_COMPLETE indicates no error.
o GSS_S_FAILURE indicates failure to construct the channel bindings
as a result, perhaps, of a memory management, or similar failure.
This function constructs an OCTET STRING for use as the value of the
application-data field of the GSS-CHANNEL-BINDINGS structure
described above.
6.1.1. C-Bindings Where a language binding of the GSS-API models channel bindings as
OCTET STRINGs (or the language's equivalent), then the implementation
MUST assume that the given bindings correspond only to the
application-data field of GSS-CHANNEL-BINDINGS as shown above, rather
than some encoding of GSS-CHANNEL-BINDINGS.
OM_uint32 gss_make_ipsec_channel_bindings( GSS-API mechanisms MAY use the [RFC1964] encoding of channel
OM_uint32 *minor_status, bindings.
OM_uint32 encr_alg,
OM_uint32 integ_alg,
const gss_buffer_t initiator_id,
const gss_buffer_t acceptor_id,
const gss_buffer_t additional_app_data,
gss_buffer_t channel_bindings_app_data
);
7. Security Considerations 4. Security Considerations
For general security considerations relating to channel bindings see For general security considerations relating to channel bindings see
[I-D.ietf-nfsv4-channel-bindings] [RFC5056].
8. Normative
[I-D.ietf-btns-connection-latching]
Williams, N., "IPsec Channels: Connection Latching",
draft-ietf-btns-connection-latching-00 (work in progress),
February 2006.
[I-D.ietf-btns-core] Language bindings that use OCTET STRING (or equivalent) for channel
Williams, N., "Better-Than-Nothing-Security: An bindings will not support the use of network addresses as channel
Unauthenticated Mode of IPsec", draft-ietf-btns-core-00 bindings. This should not cause any security problems, as the use of
(work in progress), February 2006. network addresses as channel bindings is not generally secure.
However, it is important that "end-point channel bindings" not be
modelled as network addresses, otherwise such channel bindings may
not be useable with all language bindings of the GSS-API.
[I-D.ietf-nfsv4-channel-bindings] 5. Normative References
Williams, N., "On the Use of Channel Bindings to Secure
Channels", draft-ietf-nfsv4-channel-bindings-03 (work in
progress), February 2005.
[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
RFC 1964, June 1996. RFC 1964, June 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2743] Linn, J., "Generic Security Service Application Program [RFC2743] Linn, J., "Generic Security Service Application Program
Interface Version 2, Update 1", RFC 2743, January 2000. Interface Version 2, Update 1", RFC 2743, January 2000.
[RFC2744] Wray, J., "Generic Security Service API Version 2 : [RFC2744] Wray, J., "Generic Security Service API Version 2 :
C-bindings", RFC 2744, January 2000. C-bindings", RFC 2744, January 2000.
Appendix A. Acknowledgments [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
The author would like to thank Mike Eisler for his work on the
Channel Conjunction Mechanism I-D and for bringing the problem to a
head, Sam Hartman for pointing out that channel bindings provide a
general solution to the channel binding problem, Jeff Altman for his
suggestion of using the TLS finished messages as the TLS channel
bindings, Bill Sommerfeld, for his help in developing channel
bindings for IPsec, and Radia Perlman for her most helpful comments.
Author's Address Author's Address
Nicolas Williams Nicolas Williams
Sun Microsystems Sun Microsystems
5300 Riata Trace Ct 5300 Riata Trace Ct
Austin, TX 78727 Austin, TX 78727
US US
Email: Nicolas.Williams@sun.com Email: Nicolas.Williams@sun.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 15, line 29 skipping to change at page 9, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 21 change blocks. 
278 lines changed or deleted 65 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/