4 KERBEROS WORKING GROUP Johansson
5 Internet-Draft Stockholm university
6 Intended status: Standards Track November 3, 2008
10 An information model for Kerberos version 5
11 draft-ietf-krb-wg-kdc-model-03
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on May 7, 2009.
55 Johansson Expires May 7, 2009 [Page 1]
57 Internet-Draft KDC Information Model November 2008
62 This document describes an information model for Kerberos version 5
63 from the point of view of an administrative service. There is no
64 standard for administrating a kerberos 5 KDC. This document
65 describes the services exposed by an administrative interface to a
71 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
72 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
73 3. How to interpret RFC2119 terms . . . . . . . . . . . . . . . . 5
74 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
75 5. Information model demarcation . . . . . . . . . . . . . . . . 7
76 6. Information model specification . . . . . . . . . . . . . . . 8
77 6.1. Principal . . . . . . . . . . . . . . . . . . . . . . . . 8
78 6.1.1. Principal: Attributes . . . . . . . . . . . . . . . . 8
79 6.1.2. Principal: Associations . . . . . . . . . . . . . . . 9
80 6.1.3. Principal: Remarks . . . . . . . . . . . . . . . . . . 10
81 6.2. KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . 10
82 6.2.1. KeySet: Attributes . . . . . . . . . . . . . . . . . . 10
83 6.2.2. KeySet: Associations . . . . . . . . . . . . . . . . . 10
84 6.2.3. KeySet: Remarks . . . . . . . . . . . . . . . . . . . 10
85 6.3. Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
86 6.3.1. Key: Attributes . . . . . . . . . . . . . . . . . . . 11
87 6.3.2. Key: Associations . . . . . . . . . . . . . . . . . . 12
88 6.3.3. Key: Remarks . . . . . . . . . . . . . . . . . . . . . 12
89 6.4. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 12
90 6.4.1. Policy: Attributes . . . . . . . . . . . . . . . . . . 12
91 6.4.2. Mandatory-to-implement Policy . . . . . . . . . . . . 13
92 7. Implementation Scenarios . . . . . . . . . . . . . . . . . . . 14
93 7.1. LDAP backend to KDC . . . . . . . . . . . . . . . . . . . 14
94 7.2. LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . 14
95 7.3. SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
96 8. Security Considerations . . . . . . . . . . . . . . . . . . . 15
97 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
98 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
99 10.1. Normative References . . . . . . . . . . . . . . . . . . . 17
100 10.2. Informative References . . . . . . . . . . . . . . . . . . 17
101 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
102 Intellectual Property and Copyright Statements . . . . . . . . . . 19
111 Johansson Expires May 7, 2009 [Page 2]
113 Internet-Draft KDC Information Model November 2008
116 1. Requirements notation
118 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
119 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
120 document are to be interpreted as described in [RFC2119].
167 Johansson Expires May 7, 2009 [Page 3]
169 Internet-Draft KDC Information Model November 2008
174 The Kerberos version 5 authentication service described in [RFC4120]
175 describes how a Key Distribution Service (KDC) provides
176 authentication to clients. The standard does not stipulate how a KDC
177 is managed and several "kadmin" servers have evolved. This document
178 describes the services required to administrate a KDC and the
179 underlying information model assumed by a kadmin-type service.
181 The information model is written in terms of "attributes" and
182 "services" or "interfaces" but the use of these particular words MUST
183 NOT be taken to imply any particular modeling paradigm so that
184 neither an object oriented model or an LDAP schema is intended. The
185 author has attempted to describe in natural language the intended
186 semantics and syntax of the components of the model. An LDAP schema
187 (for instance) based on this model will be more precise in the
188 expression of the syntax while preserving the semantics of this
191 Implementations of this document MAY decide to change the names used
192 (eg principalName). If so an implementation MUST provide a name to
193 name mapping to this document.
223 Johansson Expires May 7, 2009 [Page 4]
225 Internet-Draft KDC Information Model November 2008
228 3. How to interpret RFC2119 terms
230 This document describes an information model for kerberos 5 but does
231 not directly describe any mapping onto a particular schema- or
232 modelling language. Hence an implementation of this model consists
233 of a mapping to such a language - eg an LDAP or SQL schema. The
234 precise interpretation of terms from [RFC2119] therefore require some
235 extra explanation. The terms MUST, MUST NOT, REQUIRED, SHALL, SHALL
236 NOT mean that an implementation MUST provide a feature but does not
237 mean that this feature MUST be REQUIRED by the implementation - eg an
238 attribute is available in an LDAP schema but marked as OPTIONAL. If
239 a feature must be implemented and REQUIRED this is made explicit in
240 this model. The term MAY, OPTIONAL and RECOMMENDED means that an
241 implementation MAY need to REQUIRE the feature due to the particular
242 nature of the schema/modelling language. In some cases this is
243 expressly forbidden by this model (feature X MUST NOT be REQUIRED by
246 Note that any implementation of this model SHOULD be published as an
279 Johansson Expires May 7, 2009 [Page 5]
281 Internet-Draft KDC Information Model November 2008
286 Love Hoernquist-Aestrand <lha@it.su.se> for important contributions.
335 Johansson Expires May 7, 2009 [Page 6]
337 Internet-Draft KDC Information Model November 2008
340 5. Information model demarcation
342 The information model specified in the next chapter describes
343 objects, properties of those objects and relations between those
344 objects. These elements comprise an abstract view of the data
345 represented in a KDC. It is important to understand that the
346 information model is not a schema. In particular the way objects are
347 compared for equality beyond that which is implied by the
348 specification of a syntax is not part of this specification. Nor is
349 ordering specified between elements of a particular syntax.
351 Further work on Kerberos will undoubtedly prompt updates to this
352 information model to reflect changes in the functions performed by
353 the KDC. Such extensions to the information model MUST always use a
354 normative reference to the relevant RFCs detailing the change in KDC
391 Johansson Expires May 7, 2009 [Page 7]
393 Internet-Draft KDC Information Model November 2008
396 6. Information model specification
400 The fundamental entity stored in a KDC is the principal. The
401 principal is associated to keys and generalizes the "user" concept.
402 The principal MUST be implemented in full and MUST NOT be optional in
405 6.1.1. Principal: Attributes
407 6.1.1.1. principalName
409 The principalName MUST uniquely identify the principal within the
410 administrative context of the KDC. The type of the principalName is
411 not described in this document. It is a unique identifier and can be
412 viewed as an opaque byte string which can be compared for equality.
413 The attribute SHOULD be single valued. If an implementation supports
414 multiple values it MUST treat one of the values as special and allow
415 it to be fetched as if it was a single value.
417 6.1.1.2. principalNotUsedBefore
419 The principal may not be used before this date. The syntax of the
420 attribute MUST be semantically equivalent with the standard ISO date
421 format. The attribute MUST be single valued.
423 6.1.1.3. principalNotUsedAfter
425 The principal may not be used after this date. The syntax of the
426 attribute MUST be semantically equivalent with the standard ISO date
427 format. The attribute MUST be single valued.
429 6.1.1.4. principalIsDisabled
431 A boolean attribute used to (temporarily) disable a principal. The
432 attribute MUST default to false.
434 6.1.1.5. principalAliases
436 This multivalued attribute contains an unordered set of aliases for
437 the principal. Each alias SHOULD be unique within the administrative
438 domain represented by the KDC. The syntax of an alias is an opaque
439 identifier which can be compared for equality.
447 Johansson Expires May 7, 2009 [Page 8]
449 Internet-Draft KDC Information Model November 2008
452 6.1.1.6. principalNumberOfFailedAuthenticationAttempts
454 This single valued integer attribute contains a count of the number
455 of times an authentication attempt was unsuccessful for this
456 principal. Implementations SHOULD NOT allow this counter to be
459 6.1.1.7. principalLastFailedAuthentication
461 This single valued attribute contains the time and date for the last
462 failed authentication attempt for this principal.
464 6.1.1.8. principalLastSuccessfulAuthentication
466 This single valued attribute contains the time and date for the last
467 successful authentication attempt for this principal.
469 6.1.1.9. principalLastCredentialChange
471 This single valued attribute contains the time and date for the last
472 successful change of credential (eg password) this principal.
474 6.1.1.10. principalCreateTime
476 This single valued attribute contains the time and date when this
477 principal was created
479 6.1.1.11. principalModdifyTime
481 This single valued attribute contains the time and date when this
482 principal was modified excluding credentials change.
484 6.1.1.12. principalMaximumTicketLifetime
486 This single valued attribute contains the delta time in seconds
487 representing the maximum ticket lifetime for tickets issued for this
490 6.1.1.13. principalMaximumRenewableTicketLifetime
492 This single valued attribute contains the delta time in seconds
493 representing the maximum amount of time a ticket may be renewed for.
495 6.1.2. Principal: Associations
497 Each principal MAY be associated with 1 or more KeySet and MAY be
498 associated with 1 or more Policies. The KeySet is represented as an
499 object in this model since it has attributes associated with it (the
503 Johansson Expires May 7, 2009 [Page 9]
505 Internet-Draft KDC Information Model November 2008
508 key version number). In typical situations the principal is
509 associated with exactly 1 KeySet but implementations MUST NOT assume
510 this case, i.e an implemenation of this standard (e.g an LDAP schema)
511 MUST be able to handle the general case of multiple KeySet associated
514 6.1.3. Principal: Remarks
516 Traditionally a principal consists of a local-part and a realm
517 denoted in string form by local-part@REALM. The realm concept is
518 used to provide administrative boundaries and together with cross-
519 realm authentication provides scalability to Kerberos 5. However the
520 realm is not central to an administrative information model. For
521 instance the initialization or creation of a realm is equivalent to
522 creating a specific set of principals (krbtgt@REALM, etc) which is
523 covered by the model and services described in this document. A
524 realm is typically associated with policy covering (for instance)
525 keying and password management. The management of such policy and
526 their association to realms is beyond the scope of this document.
530 A KeySet is a set of keys associated with exactly one principal.
531 This object and its associations MUST NOT be REQUIRED by an
532 implementation. It is expected that most implementations of this
533 standard will use the set/change password protocol for all aspects of
534 key management [I-D.ietf-krb-wg-kerberos-set-passwd]. This
535 information model only includes these objects for the sake of
538 6.2.1. KeySet: Attributes
540 6.2.1.1. keySetVersionNumber
542 This is traditionally called the key version number (kvno). This is
543 a single valued attribute containing a positive integer.
545 6.2.2. KeySet: Associations
547 To each KeySet MUST be associated a set of 1 or more Keys.
549 6.2.3. KeySet: Remarks
551 The reason for separating the KeySet from the Principal is security.
552 The security of Kerberos 5 depends absolutely on the security of the
553 keys stored in the KDC. The KeySet type is provided to make this
554 clear and to make separation of keys from other parts of the model
559 Johansson Expires May 7, 2009 [Page 10]
561 Internet-Draft KDC Information Model November 2008
564 Implementations of this standard (eg an LDAP schema) MUST make a
565 clear separation between the representation of KeySet from other
570 Implementations of this model MUST NOT REQUIRE keys to be
573 6.3.1. Key: Attributes
575 6.3.1.1. keyEncryptionType
577 The enctype SHOULD be represented as an enumeration of the enctypes
578 supported by the KDC.
582 The binary representation of the key data. This MUST be a single
585 6.3.1.3. keySaltValue
587 The binary representation of the key salt. This MUST be a single
590 6.3.1.4. keyStringToKeyParameter
592 This MUST be a single valued octet string representing an opaque
593 parameter associated with the enctype.
595 6.3.1.5. keyNotUsedAfter
597 This key MUST NOT be used after this date. The syntax of the
598 attribute MUST be semantically equivalent with the standard ISO date
599 format. This MUST be a single-valued attribute.
601 6.3.1.6. keyNotUsedBefore
603 This key MUST NOT be used before this date. The syntax of the
604 attribute MUST be semantically equivalent with the standard ISO date
605 format. This MUST be a single-valued attribute.
607 6.3.1.7. keyIsDisabled
609 This is a boolean attribute which must be set to false by default.
610 If this attribute is true the key MUST NOT be used. This is used to
611 temporarily disable a key.
615 Johansson Expires May 7, 2009 [Page 11]
617 Internet-Draft KDC Information Model November 2008
620 6.3.2. Key: Associations
626 The security of the keys is an absolute requirement for the operation
627 of Kerberos 5. If keys are implemented adequate protection from
628 unauthorized modification and disclosure MUST be available and
629 REQUIRED by the implementation.
633 Implementations SHOULD implement policy but MAY allow them to be
634 OPTIONAL. The Policy should be thought of as a 'typed hole'. i.e an
635 opaque binary value paired with an identifier of type of data
636 contained in the binary value. Both attributes (type and value) must
639 6.4.1. Policy: Attributes
641 6.4.1.1. policyIdentifier
643 The policyIdentifier MUST be unique within the local administrative
644 context and MUST be globally unique. Possible types of identifiers
647 An Object Identifier (OID)
653 The use of OIDs is recommended for this purpose.
655 6.4.1.2. policyIsCritical
657 This boolean attribute indicates that the KDC MUST be able to
658 correctly interpret and apply this policy for the key to be used.
660 6.4.1.3. policyContent
662 This is an optional single opaque binary value used to store a
663 representation of the policy. In general a policy cannot be fully
664 expressed using attribute-value pairs. The policyContent is OPTIONAL
665 in the sense that an implementation MAY use it to store an opaque
666 value for those policy-types which are not directly representable in
671 Johansson Expires May 7, 2009 [Page 12]
673 Internet-Draft KDC Information Model November 2008
678 This is an optional single enumerated string value used to describe
679 the applicability of the policy. Implementations SHOULD provide this
680 attribute and MUST (if the attribute is implemented) describe the
681 enumerated set of possible values.
683 6.4.2. Mandatory-to-implement Policy
685 All implementations MUST be able to represent the policies listed in
686 this section. Implementations are not required to use the same
687 underlying data-representation for the policyContent binary value but
688 SHOULD use the same OIDs as the policyIdentifier.
690 6.4.2.1. Password Quality Policy
692 Password quality policy controls the requirements placed by the KDC
693 on new passwords. This policy SHOULD be identified by the OID <TBD>.
695 6.4.2.2. Password Management Policy
697 Password management policy controls how passwords are changed. This
698 policy SHOULD be identified by the OID <TBD>.
700 6.4.2.3. Keying Policy
702 A keying policy specifies the association of enctypes with new
703 principals, i.e when a principal is created one of the possibly many
704 applicable keying policies determine the set of keys to associate
705 with the principal. In general the expression of a keying policy may
706 require a Turing-complete language. This policy SHOULD be identified
727 Johansson Expires May 7, 2009 [Page 13]
729 Internet-Draft KDC Information Model November 2008
732 7. Implementation Scenarios
734 There are several ways to implement an administrative service for
735 Kerberos 5 based on this information model. In this section we list
738 7.1. LDAP backend to KDC
740 Given an LDAP schema implementation of this information model it
741 would be possible to build an administrative service by backending
742 the KDC to a directory server where principals and keys are stored.
743 Using the security mechanisms available on the directory server keys
744 are protected from access by anyone apart from the KDC.
745 Administration of the principals, policy and other non-key data is
746 done through the directory server while the keys are modified using
747 the set/change password protocol
748 [I-D.ietf-krb-wg-kerberos-set-passwd].
750 7.2. LDAP frontend to KDC
752 An alternative way to provide a directory interface to the KDC is to
753 implement an LDAP-frontend to the KDC which exposes all non-key
754 objects as entries and attributes. As in the example above all keys
755 are modified using the set/change password protocol
756 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the
757 implementation would typically not use a traditional LDAP
758 implementation but treat LDAP as an access-protocol to data in the
763 Given an XML schema implementation of this information model it would
764 be possible to build a SOAP-interface to the KDC. This demonstrates
765 the value of creating an abstract information model which is mappable
766 to multiple schema representations.
783 Johansson Expires May 7, 2009 [Page 14]
785 Internet-Draft KDC Information Model November 2008
788 8. Security Considerations
790 This document describes an abstract information model for Kerberos 5.
791 The Kerberos 5 protocol depends on the security of the keys stored in
792 the KDC. The model described here assumes that keys MUST NOT be
793 transported in the clear over the network and furthermore that keys
794 are treated as write-only attributes that SHALL only be modified
795 (using the administrative interface) by the change-password protocol
796 [I-D.ietf-krb-wg-kerberos-set-passwd].
798 Exposing the object model of a KDC typically implies that objects can
799 be modified and/or deleted. In a KDC not all principals are created
800 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM
801 effectively disables the EXAMPLE.COM realm. Hence access control is
802 paramount to the security of any implementation. This document does
803 not (at the time of writing - leifj) mandate access control. This
804 only implies that access control is beyond the scope of the standard
805 information model, i.e that access control may not be accessible via
806 any protocol based on this model. If access control objects is
807 exposed via an extension to this model the presence of access control
808 may in itself provide points of attack by giving away information
809 about principals with elevated rights etc. etc.
839 Johansson Expires May 7, 2009 [Page 15]
841 Internet-Draft KDC Information Model November 2008
844 9. IANA Considerations
895 Johansson Expires May 7, 2009 [Page 16]
897 Internet-Draft KDC Information Model November 2008
902 10.1. Normative References
904 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
905 Requirement Levels", BCP 14, RFC 2119, March 1997.
907 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
908 Kerberos Network Authentication Service (V5)", RFC 4120,
911 10.2. Informative References
913 [I-D.ietf-krb-wg-kerberos-set-passwd]
914 Williams, N., "Kerberos Set/Change Key/Password Protocol
915 Version 2", draft-ietf-krb-wg-kerberos-set-passwd-07 (work
916 in progress), September 2007.
951 Johansson Expires May 7, 2009 [Page 17]
953 Internet-Draft KDC Information Model November 2008
960 Avdelningen foer IT och Media
963 Email: leifj@it.su.se
964 URI: http://people.su.se/~leifj/
1007 Johansson Expires May 7, 2009 [Page 18]
1009 Internet-Draft KDC Information Model November 2008
1012 Full Copyright Statement
1014 Copyright (C) The IETF Trust (2008).
1016 This document is subject to the rights, licenses and restrictions
1017 contained in BCP 78, and except as set forth therein, the authors
1018 retain all their rights.
1020 This document and the information contained herein are provided on an
1021 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1022 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1023 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1024 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1025 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1026 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1029 Intellectual Property
1031 The IETF takes no position regarding the validity or scope of any
1032 Intellectual Property Rights or other rights that might be claimed to
1033 pertain to the implementation or use of the technology described in
1034 this document or the extent to which any license under such rights
1035 might or might not be available; nor does it represent that it has
1036 made any independent effort to identify any such rights. Information
1037 on the procedures with respect to rights in RFC documents can be
1038 found in BCP 78 and BCP 79.
1040 Copies of IPR disclosures made to the IETF Secretariat and any
1041 assurances of licenses to be made available, or the result of an
1042 attempt made to obtain a general license or permission for the use of
1043 such proprietary rights by implementers or users of this
1044 specification can be obtained from the IETF on-line IPR repository at
1045 http://www.ietf.org/ipr.
1047 The IETF invites any interested party to bring to its attention any
1048 copyrights, patents or patent applications, or other proprietary
1049 rights that may cover technology that may be required to implement
1050 this standard. Please address the information to the IETF at
1063 Johansson Expires May 7, 2009 [Page 19]