+++ /dev/null
-\r
-\r
-NETWORK WORKING GROUP L. Zhu\r
-Internet-Draft K. Damour\r
-Updates: 4178 (if approved) D. McPherson\r
-Intended status: Informational Microsoft Corporation\r
-Expires: January 15, 2009 July 14, 2008\r
-\r
-\r
- The Extended GSS-API Negotiation Mechanism (NEGOEX)\r
- draft-zhu-negoex-01\r
-\r
-Status of this Memo\r
-\r
- By submitting this Internet-Draft, each author represents that any\r
- applicable patent or other IPR claims of which he or she is aware\r
- have been or will be disclosed, and any of which he or she becomes\r
- aware will be disclosed, in accordance with Section 6 of BCP 79.\r
-\r
- Internet-Drafts are working documents of the Internet Engineering\r
- Task Force (IETF), its areas, and its working groups. Note that\r
- other groups may also distribute working documents as Internet-\r
- Drafts.\r
-\r
- Internet-Drafts are draft documents valid for a maximum of six months\r
- and may be updated, replaced, or obsoleted by other documents at any\r
- time. It is inappropriate to use Internet-Drafts as reference\r
- material or to cite them other than as "work in progress."\r
-\r
- The list of current Internet-Drafts can be accessed at\r
- http://www.ietf.org/ietf/1id-abstracts.txt.\r
-\r
- The list of Internet-Draft Shadow Directories can be accessed at\r
- http://www.ietf.org/shadow.html.\r
-\r
- This Internet-Draft will expire on January 15, 2009.\r
-\r
-Abstract\r
-\r
- This document defines the Extended Generic Security Service\r
- Application Program Interface (GSS-API) Negotiation Mechanism\r
- (NegoEx). NegoEx is a pseudo-security mechanism that logically\r
- extends the SPNEGO protocol as defined in RFC4178.\r
-\r
- The NegoEx protocol itself is a security mechanism negotiated by\r
- SPNEGO. When selected as the common mechanism, NegoEx OPTIONALLY\r
- adds a pair of meta-data messages for each negotiated security\r
- mechanism. The meta-data exchange allows security mechanisms to\r
- exchange auxiliary information such as trust configurations, thus\r
- NegoEx provides additional flexibility than just exchanging object\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 1]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- identifiers in SPNEGO.\r
-\r
- NegoEx preserves the optimistic token semantics of SPNEGO and applies\r
- that recursively. Consequently a context establishment mechanism\r
- token can be included in the initial NegoEx message, and NegoEx does\r
- not require an extra round-trip when the initiator's optimistic token\r
- is accepted by the target.\r
-\r
- Similar to SPNEGO, NegoEx defines a few new GSS-API extensions that a\r
- security mechanism MUST support in order to be negotiated by NegoEx.\r
- This document defines these GSS-API extensions.\r
-\r
- Unlike SPNEGO however, NegoEx defines its own way for signing the\r
- protocol messages in order to protect the protocol negotiation. The\r
- NegoEx message signing or verification can occur before the security\r
- context for the negotiated real security mechanism is fully\r
- established.\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 2]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
-Table of Contents\r
-\r
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4\r
- 2. Requirements Terminology . . . . . . . . . . . . . . . . . . . 6\r
- 3. Presentation Language and Primitive Data Types . . . . . . . . 6\r
- 3.1. Basic Block Size . . . . . . . . . . . . . . . . . . . . . 7\r
- 3.2. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 7\r
- 3.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 7\r
- 3.4. Numbers . . . . . . . . . . . . . . . . . . . . . . . . . 7\r
- 3.5. Enum Types . . . . . . . . . . . . . . . . . . . . . . . . 7\r
- 3.6. Typedef Declarations . . . . . . . . . . . . . . . . . . . 8\r
- 3.7. Array Types . . . . . . . . . . . . . . . . . . . . . . . 8\r
- 3.8. Vector Types . . . . . . . . . . . . . . . . . . . . . . . 8\r
- 3.9. Constructed Types . . . . . . . . . . . . . . . . . . . . 9\r
- 4. Cryptographic Computations . . . . . . . . . . . . . . . . . . 10\r
- 5. The NegoEx Protocol . . . . . . . . . . . . . . . . . . . . . 11\r
- 5.1. Generation of the Initiator Initial Token . . . . . . . . 11\r
- 5.2. Receipt of the Initial Initiator Token and Generation\r
- of the Initial Acceptor Response . . . . . . . . . . . . . 13\r
- 5.3. Receipt of the Acceptor Initial Response and\r
- Completion of Authentication after the Negotiation\r
- Phrase . . . . . . . . . . . . . . . . . . . . . . . . . . 14\r
- 5.4. Finalizing Negotiation . . . . . . . . . . . . . . . . . . 15\r
- 5.5. High-level NegoEx Message Flow . . . . . . . . . . . . . . 15\r
- 6. Supporting GSS-API Extensions . . . . . . . . . . . . . . . . 16\r
- 6.1. GSS_Query_meta_data . . . . . . . . . . . . . . . . . . . 16\r
- 6.2. GSS_Exchange_meta_data . . . . . . . . . . . . . . . . . . 16\r
- 6.3. GSS_Query_mechanism_info . . . . . . . . . . . . . . . . . 16\r
- 6.4. GSS_Query_context_attr . . . . . . . . . . . . . . . . . . 16\r
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16\r
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17\r
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17\r
- 10. Normative References . . . . . . . . . . . . . . . . . . . . . 17\r
- Appendix A. Protocol Data Structures and Constant Values . . . . 17\r
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21\r
- Intellectual Property and Copyright Statements . . . . . . . . . . 22\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 3]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
-1. Introduction\r
-\r
- If more than one GSS-API mechanism is shared between the initator and\r
- the acceptor, the Simple and Protected (GSS-API) Negotiation\r
- Mechanism (SPNEGO) as defined in [RFC4178] can be deployed to choose\r
- a mutually preferred one. This pseudo mechanism does well in the\r
- most basic scenarios but suffers from a couple of drawbacks, notably:\r
-\r
- o First, the SPNEGO negotiation model is inefficient when\r
- negotiating based on mechanism specific configuration information.\r
- SPNEGO negotiation is based on exchanging object identifiers only,\r
- and it does not allow exchange of auxiliary information in any\r
- other from. This is inefficient and often impractical in that one\r
- object identifier effectively conveys only one bit of information.\r
-\r
- o Secondly, the SPNEGO negotiation model is inadequate when the\r
- choice cannot be made by the acceptor in the initial response. In\r
- SPNEGO, the negotiation information is sent one-way from the\r
- initiator for the acceptor to make a choice, and the acceptor must\r
- choose one when it makes the initial response. This negotiation\r
- model is counter intuitive. The selection of a security mechanism\r
- is typically the result of selecting one type of credentials from\r
- the available set, and the initiator typically does not wish to\r
- reveal credentials information often associated with user\r
- identities. In practice, in order to operate in this model, the\r
- Kerberos GSS-API mechanism [RFC4121] must acquire the context\r
- establishment token in the initial call to GSS_Init_sec_context().\r
- If the initiator fails to acquire the initial Kerberos GSS-API\r
- context token, it must not offer Kerberos; otherwise the SPNEGO\r
- context negotiation will fail without being able to select the\r
- next available mechanism that could work. Obtaining the initial\r
- Kerberos GSS-API context token may require multiple round-trips of\r
- network calls and the cost of the operation can be substantial.\r
- It is suboptimal when multiple GSS-API mechanisms have to add the\r
- extra cost that would not exist if the negotiated security\r
- mechanism were selected based on configuration.\r
-\r
- The Extended Generic Security Service Application Program Interface\r
- (GSS-API) Negotiation Mechanism (NegoEx) is defined to address these\r
- concerns. NegoEx is a pseudo security mechanism that is negotiated\r
- by SPNEGO, and when negotiated, it can recursively negotiate real\r
- security mechanisms.\r
-\r
- Any security mechanism negotiated by NegoEx MUST support integrity\r
- protection.\r
-\r
- The basic form of NegoEx works as follows:\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 4]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- 1. The initiator proposes a list of mechanisms in decreasing\r
- preference order. For each of these mechanism, NegoEx\r
- OPTIOINALLY includes a mechanism specific meta-data token. GSS-\r
- API extensions are defined later in this document for NegoEx to\r
- query the meta-data token for inclusion in the NegoEx message.\r
-\r
- 2. The acceptor then passes the meta-data token from the initiator\r
- to the intended security mechanism. A meta-data token for a\r
- security mechanism not supported on the acceptor side is ignored.\r
- New GSS-API extensions are defined later in this document for a\r
- security mechanism to consume the meta-data token. When\r
- processing the received meta-data tokens, a security mechanism\r
- that reports a failure is removed from the set of mutually\r
- supported mechanisms. The acceptor then responds with the list\r
- of mutually supported mechanisms in decreasing preference order.\r
- For each of these mechanism, NegoEx again OPTIOINALLY supplies a\r
- mechanism specific meta-data token in the response. These meta-\r
- data tokens are returned to NegoEx via new GSS-API extensions as\r
- described in the initial step.\r
-\r
- 3. The initiator then passes the meta-data tokens to the intended\r
- security mechanisms by invoking the new GSS-API extensions. When\r
- processing the received meta-data token, a security mechanism\r
- that reports a failure is removed from the set of mutually\r
- supported mechanisms for this negotiation context. The initiator\r
- then selects one from the set of mutually-supported mechanisms.\r
- If more than one security mechanism is available, unless\r
- otherwise specified, the preferred one in the acceptor's\r
- preference order SHOULD be selected. Once the common security\r
- mechanism is identified, the security mechanism may also\r
- negotiate mechanism-specific options during its context\r
- establishments. This will be inside the mechanism tokens, and\r
- invisible to the NegoEx protocol.\r
-\r
- 4. The selected security mechanism provides keying materials to\r
- NegoEx, and NegoEx then signs and verifies the negotiation NegoEx\r
- messages to protect the negotiation.\r
-\r
- 5. The initiator and the acceptor proceed to exchange tokens until\r
- the GSS-API context for selected security mechanism is\r
- established. Once the security context is established, the per-\r
- message tokens are generated and verified in accordance with the\r
- selected security mechanism.\r
-\r
- NegoEx does not work outside of SPNEGO. When negotiated by SPNEGO,\r
- NegoEx uses the concepts developed in the GSS-API specification\r
- [RFC2743]. The negotiation data is encapsulated in context-level\r
- tokens. Therefore, callers of the GSS-API do not need to be aware of\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 5]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- the existence of the negotiation tokens but only of the SPENGO\r
- pseudo-security mechanism.\r
-\r
- In its basic form NegoEx requires at least one extra round-trip.\r
- Network connection setup is a critical performance characteristic of\r
- any network infrastructure and extra round trips over WAN links,\r
- packet radio networks, etc. really make a difference. In order to\r
- avoid such an extra round trip the initial security token of the\r
- preferred mechanism for the initiator may be embedded in the initial\r
- NegoEx token. The optimistic mechanism token may be accompanied by\r
- the meta-data tokens and the optimistic mechanism token MUST be that\r
- of the first mechanism in the list of the mechanisms proposed by the\r
- initiator. The NegoEx message that contains signatures for\r
- protecting the NegoEx negotiation can also be included along with the\r
- mechanism token. If the target preferred mechanism matches the\r
- initiator's preferred mechanism, and when the NegoEx negotiation\r
- protection messages are included along with the mechanism token, no\r
- additional round trips are incurred by using the NegoEx protocol with\r
- SPNEGO.\r
-\r
- NegoEx does not update the ASN.1 structures of SPNEGO in that a large\r
- deployment of SPNEGO does not have the ASN.1 extensibility marker in\r
- the message definition. There is no change to the SPNEGO messages.\r
-\r
- NegoEx does not use ASN.1 encoding and it uses simple C structures\r
- encoded in little endian for all its messages.\r
-\r
- The rest of the document is organized as follows: Section 3 defines\r
- the encoding of NegoEx data structures and all the primitive data\r
- types. Section 4 describes the cryptographic framework required by\r
- the NegoEx for protecting the NegoEx negotiation. Section 5 defines\r
- the NegoEx messages and the NegoEx protocol. Section 6 defines the\r
- new GSS-API extensions that a security mechanism MUST support in\r
- order to be negotiated by NegoEx. These then are followed by the\r
- security considerations section. Lastly Appendix A contains all the\r
- protocol constructs and constants.\r
-\r
-\r
-2. Requirements Terminology\r
-\r
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",\r
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this\r
- document are to be interpreted as described in [RFC2119].\r
-\r
-\r
-3. Presentation Language and Primitive Data Types\r
-\r
- The following very basic and somewhat casually defined presentation\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 6]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- syntax will be used in all NegoEx messages. Although it resembles\r
- the programming language "C" in its syntax, it would be risky to draw\r
- too many parallels. The purpose of this presentation language is to\r
- document NegoEx only; it has no general application beyond that\r
- particular goal.\r
-\r
- This section also defines all the primitive data types. The\r
- semantics of the data types is explained in the next section.\r
-\r
-3.1. Basic Block Size\r
-\r
- The representation of all data items is explicitly specified. The\r
- basic data block size is one octet. Multiple octet data items are\r
- concatenations of octets, from left to right, from top to bottom\r
- Unless otherwise specific a multi-octet numeric is in little endian\r
- order with the least significant octet first.\r
-\r
-3.2. Miscellaneous\r
-\r
- Comments start with "//"' and continue until the end of the line.\r
-\r
-3.3. Constants\r
-\r
- Constants are denoted using "#define" followed by the symbolic name\r
- and then the constant value.\r
-\r
-3.4. Numbers\r
-\r
- UCHAR is the data type for a one-octet number.\r
-\r
- ULONG is the data type for a 4-octet number encoded in little enidan.\r
-\r
- USHORT is the data type for a 2-octet number encoded in little\r
- endian.\r
-\r
- ULONG64 is the data type for a 8-octet number encoded in little\r
- endian.\r
-\r
- GUID is the data type for a 16-octet number encoded in little endian.\r
-\r
-3.5. Enum Types\r
-\r
- An enum type is the data type for a number with a small number of\r
- permissible values. An instance of an enum type is a 4-octet number\r
- encoded in little endian.\r
-\r
- The definition of an enum type follows the simple "C" convention.\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 7]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- MESSAGE_TYPE is an enum type defined as follows:\r
-\r
- enum\r
- {\r
- MESSAGE_TYPE_INITIATOR_NEGO = 0,\r
- MESSAGE_TYPE_ACCEPTOR_NEGO,\r
- MESSAGE_TYPE_INITIATOR_META_DATA,\r
- MESSAGE_TYPE_ACCEPTOR_META_DATA,\r
- MESSAGE_TYPE_CHALLENGE,\r
- // an exchange message from the acceptor\r
- MESSAGE_TYPE_AP_REQUEST,\r
- // an exchange message from the initiator\r
- MESSAGE_TYPE_VERIFY,\r
- MESSAGE_TYPE_ALERT,\r
- } MESSAGE_TYPE;\r
-\r
- MESSAGE_TYPE_INITIATOR_NEGO has the value 0, and MESSAGE_TYPE_ALERT\r
- has the value 7.\r
-\r
-3.6. Typedef Declarations\r
-\r
- A typedef creates a synonym for the type. This is used to create\r
- more meaningful names for existing types.\r
-\r
- The following two type synonyms are defined.\r
-\r
- typedef GUID AUTH_SCHEME;\r
- typedef GUID CONVERSATION_ID;\r
-\r
-3.7. Array Types\r
-\r
- Arrays are a data structure which holds multiple variables of the\r
- same data type consecutively and the number of elements is fixed. An\r
- array is declared using "C" convention. For example, the following\r
- defines an array of 32 octets.\r
-\r
- UCHAR Random[32];\r
-\r
-3.8. Vector Types\r
-\r
- Vectors are a data structure which holds multiple variables of the\r
- same data type consecutively and the number of elements is not fixed.\r
- A vector contains a fixed length header followed by a variable length\r
- payload. The header of a vector structure contains the count of\r
- elements and the offset to the payload. In this document all the\r
- offset fields start from the beginning of the containing NegoEx\r
- message. The size of each element is specified by the vector type\r
- definition.\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 8]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- The following vector types are defined.\r
-\r
- struct\r
- {\r
- ULONG ByteArrayOffset; // each element contains an octet/byte\r
- ULONG ByteArrayLength;\r
- } BYTE_VECTOR;\r
-\r
- BYTE_VECTOR encapsulates a variable length array of octets (or bytes)\r
- that are stored consecutively. Each element in is a byte (8 bits).\r
-\r
- struct\r
- {\r
- ULONG AuthSchemeArrayOffset;\r
- // each element contains an AUTH_SCHEME\r
- USHORT AuthSchemeCount;\r
- } AUTH_SCHEME_VECTOR;\r
-\r
- AUTH_SCHEME_VECTOR encapsulates a variable length array of\r
- AUTH_SCHEMEs that are stored consecutively. Each element is a\r
- structure of the type AUTH_SCHEME.\r
-\r
- struct\r
- {\r
- ULONG ExtensionArrayOffset;\r
- // each element contains an EXTENSION\r
- USHORT ExtensionCount;\r
- } EXTENSION_VECTOR;\r
-\r
- EXTENSION_VECTOR encapsulates a variable length array of EXTENSIONs\r
- that are stored consecutively. Each element is a structure of the\r
- type EXTENSION.\r
-\r
-3.9. Constructed Types\r
-\r
- Structure types may be constructed from primitive types for\r
- convenience. Each specification declares a new, unique type. The\r
- syntax for definition is much like that of C.\r
-\r
- struct {\r
- T1 f1;\r
- T2 f2;\r
- ...\r
- Tn fn;\r
- } T;\r
-\r
-\r
- Structure definitions may be embedded.\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 9]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- The following types are defined as constructed types:\r
-\r
- struct\r
- {\r
- ULONG ExtensionType; // negative extensions are critical\r
- BYTE_VECTOR ExtensionValue;\r
- } EXTENSION;\r
-\r
- An extension has two fields. The ExtensionType field indicates how\r
- the extension data should be interpreted. The ExtensionValue field\r
- contains the extension data.\r
-\r
- //\r
- // schemes defined for the checksum in the VERIFY message\r
- //\r
-\r
- struct\r
- {\r
- ULONG cbHeaderLength;\r
- ULONG ChecksumScheme;\r
- ULONG ChecksumType; // in the case of RFC3961 scheme, this is\r
- // the RFC3961 checksum type\r
- BYTE_VECTOR ChecksumValue;\r
- } CHECKSUM;\r
-\r
- The CHECKSUM structure contains 4 fields. The cbHeaderLength length\r
- contains the length of the structure defintion in octets, and this\r
- field has a value of 20.\r
-\r
- The ChecksumScheme field describes how checksum is computed and\r
- verified. Currently only one value is defined.\r
-\r
- #define CHECKSUM_SCHEME_RFC3961 1\r
-\r
- When the value of the ChecksumScheme field is 1\r
- (CHECKSUM_SCHEME_RFC3961), the ChecksumValue field contains a\r
- sequence of octets computed according to [RFC3961] and the\r
- ChecksumType field contains the checksum type value defined according\r
- to [RFC3961].\r
-\r
-\r
-4. Cryptographic Computations\r
-\r
- The message signing and verification in NegoEx is based on [RFC3961].\r
- [RFC3961] is used here as a generic framework and this application is\r
- not Kerberos specific.\r
-\r
- A security mechanism MUST support [RFC3961] in order to be negotiated\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 10]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- by NegoEx.\r
-\r
-\r
-5. The NegoEx Protocol\r
-\r
- This section describes the NegoEx protocol and it defines NegoEx\r
- messages in the order that the messages can appear on the wire. The\r
- enum type MESSAGE_TYPE defined in Section 3.5 lists all NegoEx\r
- message types. A GSS-API context token for NegoEx consists of one or\r
- more NegoEx messages. If there are more than one NegoEx message,\r
- these messages are concatenated together. The smallest data unit for\r
- NegoEx to compute the checksum for negotiation protection is a NegoEx\r
- message. Note that NegoEx is not a GSS-API mechanism itself and the\r
- initial NegoEx context establishment token does not follow the\r
- mechanism-independent token format defined in Section 3.1 of\r
- [RFC2743].\r
-\r
- A security mechanism negotiated by NegoEx is identified by a unique\r
- identifier of the data type AUTH_SCHEME defined in Section 3.5. The\r
- value of the security mechanism is returned to NegoEx via the\r
- GSS_Query_mechanism_info() GSS-API extension as defined in Section 6.\r
-\r
- The object identifier of the NegoEx within SPNEGO is iso(1)\r
- identified-organization(3) dod(6) internet(1) private(4)\r
- enterprise(1) microsoft (311) security(2) mechanisms(2) negoex(30).\r
- Note that NegoEx does not work outside of SPNEGO and it is not GSS-\r
- API mechanism.\r
-\r
-5.1. Generation of the Initiator Initial Token\r
-\r
- The GSS-API initiator makes the first call to GSS_Init_sec_context()\r
- with no input token, and the output token starts as a NEGO_MESSAGE\r
- message with the MESSAGE_TYPE_INITIATOR_NEGO message type.\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 11]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- struct\r
- {\r
- ULONG64 Signature; // contains MESSAGE_SIGNATURE\r
- MESSAGE_TYPE MessageType;\r
- ULONG SequenceNum; // the message sequence number of this,\r
- // conversation, starting with 0 and sequentially\r
- // incremented\r
- ULONG cbHeaderLength; // the header length of this message,\r
- // including the message specific header, excluding the\r
- // payload\r
- ULONG cbMessageLength; // the length of this message\r
- CONVERSATION_ID ConversationId;\r
- } MESSAGE_HEADER;\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header;\r
- // MESSAGE_TYPE_INITIATOR_NEGO for the initiator,\r
- // MESSAGE_TYPE_ACCEPTOR_NEGO for the acceptor\r
- UCHAR Random[32];\r
- ULONG64 ProtocolVersion;\r
- // version of the protocol, this contains 0\r
- AUTH_SCHEME_VECTOR AuthSchemes;\r
- EXTENSION_VECTOR Extensions;\r
- } NEGO_MESSAGE;\r
-\r
- The initiator randomly generates a ConversationID and fills the\r
- common header. The ConversationID in subsequent NegoEx messages MUST\r
- remain the same. The initiator also fills the Random field using a\r
- secure random number generator. The initiator fills the AuthSchemes\r
- with available security mechanisms supported by the initiator in\r
- decreasing preference order.\r
-\r
- The extensions field contains NegoEx extensions for future\r
- extensibility. There is no extension defined in this document. All\r
- negative extension types (the highest bit is set to 1) are critical.\r
- If the receiver does not understand a critical extension, the\r
- authentication attempt must be rejected.\r
-\r
- The initiator can OPTIONALLY include a meta-data token, one for each\r
- available security mechanism.\r
-\r
- A meta-data token is returned to NegoEx for a security mechanism\r
- using GSS_Query_meta_data() extension as defined in Section 6. A\r
- meta-data token is encapsulated in an EXCHANGE message with the\r
- message type MESSAGE_TYPE_INITIATOR_META_DATA.\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 12]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header;\r
- // MESSAGE_TYPE_CHALLENGE for the acceptor,\r
- // or MESSAGE_TYPE_AP_REQUEST for the initiator\r
- // MESSAGE_TYPE_INITIATOR_META_DATA for\r
- // the initiator metadata\r
- // MESSAGE_TYPE_ACCEPTOR_META_DATA for\r
- // the acceptor metadata\r
- AUTH_SCHEME AuthScheme;\r
- BYTE_VECTOR Exchange;\r
- // contains the opaque handshake message for the\r
- // authentication scheme\r
- } EXCHANGE_MESSAGE;\r
-\r
- The AuthScheme field signifies the security mechanism for which the\r
- EXCHANGE message is targeted. If a security mechanism fails to\r
- produce the metadata token, it should be removed from the list of\r
- supported security mechanism for this negotiation context.\r
-\r
- If there are more than one exchange messages, the order in which the\r
- exchange message is included bears no significance. In other words,\r
- the exchange messages are in an unordered set. The NEGO_MESSAGE MAY\r
- be followed by a set of MESSAGE_TYPE_INITIATOR_META_DATA messages as\r
- described above, in which case all the NegoEx messages concatenated\r
- are returned as a single input token.\r
-\r
- The first mechanism in the initiator proposed list can OPTIONALLY\r
- include its initial context context in an AP_REQUEST message.\r
-\r
- Both an AP_REQUSET(short for MESSAGE_TYPE_AP_REQUEST) message and a\r
- INITIATOR_META_DATA(short for MESSAGE_TYPE_INITIATOR_META_DATA)\r
- message are instances of the EXCHANGE_MESSAGE structure with\r
- different message type values. An AP_REQUEST message contains the\r
- type MESSAGE_TYPE_AP_REQUEST while an INITIATOR_META_DATA message\r
- contains the type MESSAGE_TYPE_INITIATOR_META_DATA.\r
-\r
-5.2. Receipt of the Initial Initiator Token and Generation of the\r
- Initial Acceptor Response\r
-\r
- Upon receipt of the NEGO_MESSAGE from the initiator, the acceptor\r
- verifies the NEGO_MESSAGE to make sure it is well-formed. The\r
- acceptor then computes the list of authentication schemes that are\r
- mutually supported by examining the set of security mechanisms\r
- proposed by the initiator and the meta-data tokens from the\r
- initiator. The meta-data tokens are passed to the security mechanism\r
- via GSS_Exchange_meta_data() as defined in Section 6.\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 13]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- The acceptor MUST examine the NegoEx extensions in the NEGO_MESSAGE.\r
- If there is an unknown critical extension, the authentication must be\r
- rejected.\r
-\r
- The acceptor's response starts as a NEGO_MESSAGE but with the\r
- MESSAGE_TYPE_ACCEPTOR_NEGO. The AuthSchemes field contains the list\r
- of mutually supported security mechanism in decreasing preference\r
- order of the acceptor. The acceptor does not need to honor the\r
- preference order proposed by the initiator when computing its\r
- preference list.\r
-\r
- The acceptor can OPTIONALLY include a meta-data token, one for each\r
- available security mechanism.\r
-\r
- A meta-data token is returned to NegoEx for a security mechanism\r
- using GSS_Query_meta_data() extension as defined in Section 6. A\r
- meta-data token is encapsulated in an EXCHANGE message with the\r
- message type MESSAGE_TYPE_ACCEPTOR_META_DATA. For a given security\r
- mechanism if a meta-token is received from the initiator,\r
- GSS_Query_meta_data() MUST be invoked on the acceptor side for that\r
- security mechanism, and the output meta-data token, if present, MUST\r
- be included in the NegoEx reply.\r
-\r
-5.3. Receipt of the Acceptor Initial Response and Completion of\r
- Authentication after the Negotiation Phrase\r
-\r
- Upon receipt of the initial response from the acceptor, the initial\r
- verifies the NEGO_MESSAGE to make sure it is well-formed. The\r
- initiator then computes the list of authentication schemes that are\r
- mutually supported by examining the set of security mechanisms\r
- returned by the acceptor and the meta-data tokens from the acceptor\r
- The meta-data tokens are passed to the security mechanism via\r
- GSS_Exchange_meta_data() as defined in Section 6.\r
-\r
- The initiator MUST examine the NegoEx extensions in the NEGO_MESSAGE.\r
- If there is an unknown critical extension, the authentication must be\r
- rejected.\r
-\r
- After the initial exchange of NEGO_MESSAGE messages, the initiator\r
- MUST choose the negotiated security mechanism. The negotiated\r
- security mechanism cannot be changed once it is selected.\r
-\r
- The initiator and the acceptor can then proceed to exchange handshake\r
- messages as determined by the negotiated security mechanism until its\r
- authentication context is established. The context tokens of the\r
- negotiated security mechanism are encapsulated in an\r
- EXCHANGE_MESSAGE. If the context token is from the initiator, the\r
- EXCHANGE_MESSAGE message has the message type\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 14]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- MESSAGE_TYPE_AP_REQUEST; otherwise, the message type is\r
- MESSAGE_TYPE_CHALLENGE.\r
-\r
-5.4. Finalizing Negotiation\r
-\r
- Whenever there is a shared key established returned by\r
- GSS_Query_context_attr(NEGOEX_SESSION_KEYS) as defined in Section 6,,\r
- a VERIFY message is produced and included in the output token. The\r
- returned protocol key is used as the base key in the parlance of\r
- RFC3961 to sign all the NegoEx messages in the negotiation context.\r
-\r
- A VERIFY message is a VERIFY_MESSAGE structure. The AuthScheme field\r
- signifies from which security mechanism the protocol key was\r
- obtained. The checksum is computed based on RFC3961 and the key\r
- usage number is 23 for the message is signed by the initiator, 25\r
- otherwise. The checksum is performed over all the previous NegoEx\r
- messages in the context negotiation.\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header; // MESSAGE_TYPE_VERIFY\r
- AUTH_SCHEME AuthScheme;\r
- CHECKSUM Checksum;\r
- // contains the checksum of all the previously\r
- // exchanged messages in the order they were sent.\r
- } VERIFY_MESSAGE;\r
-\r
- Note that the VERIFY_MESSAGE message can be included before the\r
- security context for the negotiated security mechanism is fully\r
- established.\r
-\r
-5.5. High-level NegoEx Message Flow\r
-\r
- The following text art summarizes the protocol message flow:\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 15]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- INITIATOR_NEGO\r
- *INITIATOR_META_DATA\r
- *AP_REQUEST\r
- --------->\r
- ACCEPTOR_NEGO\r
- ACCEPTOR_META_DATA*+\r
- --------- CHALLENGE*\r
-\r
- .\r
- .\r
- *AP_REQUEST\r
- VERIFY --------->\r
- CHALLENGE*\r
- -------- VERIFY\r
- * Indicates optional or situation-dependent messages that are\r
- not always sent.\r
- + Indicates there can be more than one instance.\r
-\r
-\r
-6. Supporting GSS-API Extensions\r
-\r
- This section defined all the required GSS-API extensions required by\r
- NegoEx.\r
-\r
-6.1. GSS_Query_meta_data\r
-\r
- TBD.\r
-\r
-6.2. GSS_Exchange_meta_data\r
-\r
- TBD.\r
-\r
-6.3. GSS_Query_mechanism_info\r
-\r
- TBD.\r
-\r
-6.4. GSS_Query_context_attr\r
-\r
- TBD.\r
-\r
-\r
-7. Security Considerations\r
-\r
- TBD.\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 16]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
-8. Acknowledgements\r
-\r
- TBD.\r
-\r
-\r
-9. IANA Considerations\r
-\r
- There is no action required for IANA.\r
-\r
-\r
-10. Normative References\r
-\r
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate\r
- Requirement Levels", BCP 14, RFC 2119, March 1997.\r
-\r
- [RFC2743] Linn, J., "Generic Security Service Application Program\r
- Interface Version 2, Update 1", RFC 2743, January 2000.\r
-\r
- [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for\r
- Kerberos 5", RFC 3961, February 2005.\r
-\r
- [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The\r
- Kerberos Network Authentication Service (V5)", RFC 4120,\r
- July 2005.\r
-\r
- [RFC4121] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos\r
- Version 5 Generic Security Service Application Program\r
- Interface (GSS-API) Mechanism: Version 2", RFC 4121,\r
- July 2005.\r
-\r
- [RFC4178] Zhu, L., Leach, P., Jaganathan, K., and W. Ingersoll, "The\r
- Simple and Protected Generic Security Service Application\r
- Program Interface (GSS-API) Negotiation Mechanism",\r
- RFC 4178, October 2005.\r
-\r
-\r
-Appendix A. Protocol Data Structures and Constant Values\r
-\r
- This section complies all the protocol data structures and constant\r
- values.\r
-\r
- #define MESSAGE_SIGNATURE 0x535458454f47454ei64\r
- // "NEGOEXTS"\r
-\r
- struct\r
- {\r
- ULONG ByteArrayOffset; // each element contains a byte\r
- ULONG ByteArrayLength;\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 17]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- } BYTE_VECTOR;\r
-\r
- struct\r
- {\r
- ULONG AuthSchemeArrayOffset;\r
- // each element contains an AUTH_SCHEME\r
- USHORT AuthSchemeCount;\r
- } AUTH_SCHEME_VECTOR;\r
-\r
- struct\r
- {\r
- ULONG ExtensionArrayOffset;\r
- // each element contains an EXTENSION\r
- USHORT ExtensionCount;\r
- } EXTENSION_VECTOR;\r
-\r
- struct\r
- {\r
- ULONG ExtensionType; // negative extensions are critical\r
- BYTE_VECTOR ExtensionValue;\r
- } EXTENSION;\r
-\r
- //\r
- // schemes defined for the checksum in the VERIFY message\r
- //\r
-\r
- #define CHECKSUM_SCHEME_RFC3961 1\r
-\r
- struct\r
- {\r
- ULONG cbHeaderLength;\r
- ULONG ChecksumScheme;\r
- ULONG ChecksumType; // in the case of RFC3961 scheme, this is\r
- // the RFC3961 checksum type\r
- BYTE_VECTOR ChecksumValue;\r
- } CHECKSUM;\r
-\r
- typedef GUID AUTH_SCHEME;\r
- typedef GUID CONVERSATION_ID;\r
-\r
- enum\r
- {\r
- MESSAGE_TYPE_INITIATOR_NEGO = 0,\r
- MESSAGE_TYPE_ACCEPTOR_NEGO,\r
- MESSAGE_TYPE_INITIATOR_META_DATA,\r
- MESSAGE_TYPE_ACCEPTOR_META_DATA,\r
- MESSAGE_TYPE_CHALLENGE,\r
- // an exchange message from the acceptor\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 18]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- MESSAGE_TYPE_AP_REQUEST,\r
- // an exchange message from the initiator\r
- MESSAGE_TYPE_VERIFY,\r
- MESSAGE_TYPE_ALERT,\r
- } MESSAGE_TYPE;\r
-\r
- struct\r
- {\r
- ULONG64 Signature; // contains MESSAGE_SIGNATURE\r
- MESSAGE_TYPE MessageType;\r
- ULONG SequenceNum; // the message sequence number of this,\r
- // conversation, starting with 0 and sequentially\r
- // incremented\r
- ULONG cbHeaderLength; // the header length of this message,\r
- // including the message specific header, excluding the\r
- // payload\r
- ULONG cbMessageLength; // the length of this message\r
- CONVERSATION_ID ConversationId;\r
- } MESSAGE_HEADER;\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header;\r
- // MESSAGE_TYPE_INITIATOR_NEGO for the initiator,\r
- // MESSAGE_TYPE_ACCEPTOR_NEGO for the acceptor\r
- UCHAR Random[32];\r
- ULONG64 ProtocolVersion;\r
- // version of the protocol, this contains 0\r
- AUTH_SCHEME_VECTOR AuthSchemes;\r
- EXTENSION_VECTOR Extensions;\r
- } NEGO_MESSAGE;\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header;\r
- // MESSAGE_TYPE_CHALLENGE for the acceptor,\r
- // or MESSAGE_TYPE_AP_REQUEST for the initiator\r
- // MESSAGE_TYPE_INITiATOR_META_DATA for\r
- // the initiator metadata\r
- // MESSAGE_TYPE_ACCEPTOR_META_DATA for\r
- // the acceptor metadata\r
- AUTH_SCHEME AuthScheme;\r
- BYTE_VECTOR Exchange;\r
- // contains the opaque handshake message for the\r
- // authentication scheme\r
- } EXCHANGE_MESSAGE;\r
-\r
- struct\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 19]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
- {\r
- MESSAGE_HEADER Header; // MESSAGE_TYPE_VERIFY\r
- AUTH_SCHEME AuthScheme;\r
- CHECKSUM Checksum;\r
- // contains the checksum of all the previously\r
- // exchanged messages in the order they were sent.\r
- } VERIFY_MESSAGE;\r
-\r
- struct\r
- {\r
- ULONG AlertType;\r
- BYTE_VECTOR AlertValue;\r
- } ALERT;\r
-\r
- //\r
- // alert types\r
- //\r
-\r
- #define ALERT_TYPE_PULSE 1\r
-\r
- //\r
- // reason codes for the heartbeat message\r
- //\r
-\r
- #define ALERT_VERIFY_NO_KEY 1\r
-\r
- struct\r
- {\r
- ULONG cbHeaderLength;\r
- ULONG Reason;\r
- } ALERT_PULSE;\r
-\r
- struct\r
- {\r
- ULONG AlertArrayOffset; // the element is an ALERT\r
- USHORT AlertCount; // contains the number of alerts\r
- } ALERT_VECTOR;\r
-\r
- struct\r
- {\r
- MESSAGE_HEADER Header;\r
- AUTH_SCHEME AuthScheme;\r
- ULONG ErrorCode; // an NTSTATUS code\r
- ALERT_VECTOR Alerts;\r
- } ALERT_MESSAGE;\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 20]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
-Authors' Addresses\r
-\r
- Larry Zhu\r
- Microsoft Corporation\r
- One Microsoft Way\r
- Redmond, WA 98052\r
- US\r
-\r
- Email: lzhu@microsoft.com\r
-\r
-\r
- Kevin Damour\r
- Microsoft Corporation\r
- One Microsoft Way\r
- Redmond, WA 98052\r
- US\r
-\r
- Email: kdamour@microsoft.com\r
-\r
-\r
- Dave McPherson\r
- Microsoft Corporation\r
- One Microsoft Way\r
- Redmond, WA 98052\r
- US\r
-\r
- Email: davemm@microsoft.com\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 21]\r
-\f\r
-Internet-Draft NEGOEX July 2008\r
-\r
-\r
-Full Copyright Statement\r
-\r
- Copyright (C) The IETF Trust (2008).\r
-\r
- This document is subject to the rights, licenses and restrictions\r
- contained in BCP 78, and except as set forth therein, the authors\r
- retain all their rights.\r
-\r
- This document and the information contained herein are provided on an\r
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS\r
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND\r
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS\r
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF\r
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED\r
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.\r
-\r
-\r
-Intellectual Property\r
-\r
- The IETF takes no position regarding the validity or scope of any\r
- Intellectual Property Rights or other rights that might be claimed to\r
- pertain to the implementation or use of the technology described in\r
- this document or the extent to which any license under such rights\r
- might or might not be available; nor does it represent that it has\r
- made any independent effort to identify any such rights. Information\r
- on the procedures with respect to rights in RFC documents can be\r
- found in BCP 78 and BCP 79.\r
-\r
- Copies of IPR disclosures made to the IETF Secretariat and any\r
- assurances of licenses to be made available, or the result of an\r
- attempt made to obtain a general license or permission for the use of\r
- such proprietary rights by implementers or users of this\r
- specification can be obtained from the IETF on-line IPR repository at\r
- http://www.ietf.org/ipr.\r
-\r
- The IETF invites any interested party to bring to its attention any\r
- copyrights, patents or patent applications, or other proprietary\r
- rights that may cover technology that may be required to implement\r
- this standard. Please address the information to the IETF at\r
- ietf-ipr@ietf.org.\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-\r
-Zhu, et al. Expires January 15, 2009 [Page 22]\r
-\f\r
-\r