One document matched: draft-ietf-krb-wg-clear-text-cred-00.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc1964 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.1964.xml'>
<!ENTITY rfc4120 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4120.xml'>
<!ENTITY rfc5246 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY SAML20 SYSTEM "http://xml.resource.org/public/rfc/bibxml2/reference.OASIS.saml-core-2.0-os.xml">
]>
<rfc ipr="trust200902" docName="draft-ietf-krb-wg-clear-text-cred-00"
category="std">
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes" ?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<front>
<title abbrev="Kerberos 5 Unencrypted KRB-CRED">The Unencrypted Form Of Kerberos 5 KRB-CRED Message</title>
<author initials='R.J.Y.' surname="Yount" fullname='Russell J. Yount'>
<organization>Carnegie Mellon University</organization>
<address>
<postal>
<street>5000 Forbes Avenue</street>
<city>Pittsburgh</city>
<region>Pennsylvania</region>
<code>15213</code>
<country>US</country>
</postal>
<phone>+1 412 268 8391</phone>
<email>rjy@cmu.edu</email>
</address>
</author>
<date day="28" month="June" year="2011" />
<area>Security</area>
<keyword>Kerberos</keyword>
<abstract>
<t>
The Kerberos 5 KRB-CRED message is used to transfer Kerberos credentials between
applications.
When used with a secure transport the unencrypted form of the KRB-CRED message may be desirable.
This document describes the unencrypted form of the KRB-CRED message.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
There are applications which need to transfer Kerberos credentials between
them without having a prior relationship with established Kerberos keys.
When tranferred over a transport that provides confidentiality and integrity the unencrypted form
of the KRB-CRED message MAY be used.
One application employing this method is the <xref target="OASIS.saml-core-2.0-os">Security Assertion Markup Language (SAML) 2.0</xref> attribute transport.
</t>
<t>
In the SAML application, the Identity Provider (IdP) somehow obtains a
Kerberos service ticket from the Kerberos Key Distribution Center (KDC)
when required by the SAML system
and transfers the credential to a Service Provider (SP)
within an attribute statement.
The SP can then use the credential to access a Kerberos protected service.
</t>
<t>
The Kerberos 5 specification as described in <xref target="RFC4120"/> mentions the
non-standard legacy use of unencypted KRB-CRED with
Generic Security Services Application Programming Interface (GSS-API) <xref target="RFC1964"/>
by the MIT, Heimdal, and Microsoft Kerberos
implementations. This document provides a formal specification of the unencrypted form of the KRB-CRED message.
</t>
</section>
<section title="Requirements notation">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in <xref target="RFC2119"/>.</t>
</section>
<section title="The Unencrypted Form Of The KRB-CRED">
<t>
The unencrypted form of the KRB-CRED contains EncryptedData as defined
in Section 5.2.9 <xref target="RFC4120"/>.
The encryption type (etype) MUST BE specified as 0.
The optional key version number (kvno) SHOULD NOT be present.
The cipher text (cipher) is a copy of the EncKrbCredPart as defined in Section 5.8.1
<xref target="RFC4120"/>
which is in clear text.
</t>
</section>
<section title="Security Considerations">
<t>
The KRB-CRED message contains sensitive information related to
Kerberos credentials being transferred, such as their secret
session keys, client and server principal names, and validity
period. Possession of this information, along with the ticket
itself, would allow an attacker to impersonate the client named
in the ticket. The possibility of modification of the KRB-CRED enables
the substitution of a credential by the attacker which can result in the
recipients use the credentials of a client which was not intended.
As a result, the KRB-CRED message must be carefully safeguarded.
</t>
<t>
The use of an unencrypted form of the KRB-CRED message MUST only be used with a transport where
sender and recipient identities can been established be known to each other
and provides confidentiality and integrity.
Examples of transports which MAY be securely used to transport an unencrypted KRB-CRED message
would include Transport Layer Security (TLS) <xref target="RFC5246"/> where mutual authentication has been established
and those encoded within encrypted and signed
SAML <xref target="OASIS.saml-core-2.0-os">Security Assertion Markup Language (SAML) 2.0</xref>
statement.
</t>
</section>
<section anchor="Acknowledgements" title="Acknowledgements">
<t>The following individuals have contributed to the development of this specification.</t>
<t>Thomas HardJono, Massachusetts Institute of Technology</t>
<t>Josh Howlett, Individual</t>
<t>Jeffrey Hutzelman, Carnegie Mellon University</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This memo includes no request to IANA.</t>
</section>
</middle>
<back>
<references title='Normative References'>
&rfc2119;
&rfc1964;
&rfc4120;
&rfc5246;
&SAML20;
</references>
</back>
<!-- Change Log
v00 2010-09-02 RJY Initial version
v01 2010-12-06 RJY Wording cleanup
v03 2011-06-28 RJY Renamed from draft-yount-krb-cred-clear-text-01
-->
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 05:48:47 |