Description of PKINIT
(As of http://www.ietf.org/internet-drafts/draft-ietf-cat-kerberos-pk-init-25.txt)

Contents:
  - Common symbols
  - PKINIT with fresh DH
  - PKINIT with reused DH
  - PKINIT with public-key encryption
  - Mapping to specs
Common Symbols
See also the mapping to the specifications
Principals:
  | C        | Client                                                                  |
  | K        | Key Authentication Server (KAS)                                         |
  | T        | Ticket Granting Server (TGS)                                            |

Keys:
  | skC      | Client secret signature key                                             |
  | skK      | KAS secret signature key                                                |
  | AK       | Authentication key (symmetric, shared between Client and TGS)           |
  | k        | Temporary key (symmetric, shared between Client and KAS, protects AK,   |
  |          | replaces the password-derived kC of [CLAR])                             |
  | kT       | Long-term symmetric key shared between KAS and TGS                      |

Certificates:
  | CertC    | Client certificates                                                     |
  | TrustC   | Client's trusted Certification Authorities (CAs)                        |
  | CertPath | Certificate path followed by KAS to validate the client's credentials   |
  | CertK    | KAS certificates                                                        |

Nonces:
  | n1,n2    | Nonces generated by Client                                              |

Timestamps:
  | tC       | Timestamp generated by Client                                           |
  | tK       | Timestamp generated by KAS                                              |

Operations:
  | m1,m2    | Concatenation of m1 and m2                                              |
  | [m]sk    | Signature of m with secret key sk (corresponds to SignedData, i.e.,     |
  |          | abstracts both the eContent and SignerInfo fields)                      |
  | {m}k     | Encryption of m with key k (symmetric or asymmetric)                    |
PKINIT with fresh Diffie-Hellman key distribution
Additional Symbols:

Diffie-Hellman data:
  | DHpar    | Domain parameters                                                       |
  | DHpubC   | Public value of Client                                                  |
  | DHprvC   | Private value of Client                                                 |
  | DHpubK   | Public value of KAS                                                     |
  | DHprvK   | Private value of KAS                                                    |
  | DHsecret | Shared secret (generated from DHpubC and DHprvK by KAS, and from        |
  |          | DHpubK and DHprvC by Client)                                            |

(see also the mapping to the specifications)

Process:
  C:       generate (DHprvC, DHpubC)
  C --> K: CertC, [tC,n2,DHpar,DHpubC]skC, TrustC, C, T, n1
  K:       generate (DHprvK, DHpubK)
           compute DHsecret using DHpubC and DHprvK
           compute k = Hash(DHsecret)
           generate AK
  K --> C: CertK, [DHpubK,n2]skK, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k
  C:       compute DHsecret using DHpubK and DHprvC
           compute k = Hash(DHsecret)
Messages:
C K
CertC, [tC,n2,DHpar,DHpubC]skC, TrustC, C, T, n1
---------------------------------------------------------------------->
|
CertK, [DHpubK,n2]skK, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k |
<----------------------------------------------------------------------
PKINIT with reused Diffie-Hellman keys
Additional Symbols:

Diffie-Hellman data:
  | DHpubC   | Cached Client public value                                              |
  | DHpubK   | Cached KAS public value                                                 |
  | DHsecret | Cached shared secret                                                    |

Nonces:
  | nC       | Nonce generated by Client                                               |
  | nK       | Nonce generated by KAS                                                  |

Timestamps:
  | tDH      | Expiration time provided by KAS                                         |

(see also the mapping to the specifications)

Process:
  C:       generate nC
  C --> K: CertC, [tC,n2,DHpar,DHpubC,nC]skC, TrustC, C, T, n1
  K:       lookup (DHpubC, DHpubK, DHsecret)
           generate nK
           compute k = Hash(DHsecret, nC, nK)
           generate AK
  K --> C: CertK, [DHpubK,0,nK,tDH]skK, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k
  C:       compute k = Hash(DHsecret, nC, nK)
Messages:
C K
CertC, [tC,n2,DHpar,DHpubC,nC]skC, TrustC, C, T, n1
----------------------------------------------------------------------------->
|
CertK, [DHpubK,0,nK,tDH]skK, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k |
<-----------------------------------------------------------------------------
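The two key derivations above, k = Hash(DHsecret) for fresh DH and k = Hash(DHsecret, nC, nK) for reused DH, as an added Python model. This is example code written for this page, not code from the draft or from any Kerberos implementation. It assumes a constructed toy DH group in place of DHpar (not a secure group) and models Hash as SHA-256 truncated to 16 bytes, abstracting the draft's octetstring2key derivation; the cached DHsecret and the nonces in the reuse run are constructed values.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group standing in for DHpar; it is NOT a
# secure group and exists only so the example runs offline.
P = 2**127 - 1
G = 5
DHpar = (P, G)


def generate(dhpar):
    """Generate one party's (DHprv, DHpub) pair for the given parameters."""
    p, g = dhpar
    prv = secrets.randbelow(p - 2) + 1      # private value in [1, p-2]
    return prv, pow(g, prv, p)


def shared_secret(peer_pub, own_prv, dhpar):
    """DHsecret: the peer's public value raised to our own private value."""
    p, _ = dhpar
    return pow(peer_pub, own_prv, p)


def hash_key(*parts) -> bytes:
    """Model of the page's Hash(...): SHA-256 over length-prefixed encodings
    of the inputs, truncated to a 16-byte key. Assumption: this stands in
    for the draft's octetstring2key derivation, which is not modelled."""
    h = hashlib.sha256()
    for x in parts:
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()[:16]


def fresh_dh_exchange():
    """Fresh DH mode: C sends DHpubC, K answers with DHpubK, each side computes
    DHsecret from the other's public value and its own private value, then
    k = Hash(DHsecret). Returns (kC, kK), the two parties' views of k."""
    DHprvC, DHpubC = generate(DHpar)                       # C: generate (DHprvC, DHpubC)
    DHprvK, DHpubK = generate(DHpar)                       # K: generate (DHprvK, DHpubK)
    kK = hash_key(shared_secret(DHpubC, DHprvK, DHpar))    # K: DHpubC and DHprvK
    kC = hash_key(shared_secret(DHpubK, DHprvC, DHpar))    # C: DHpubK and DHprvC
    return kC, kK


def reused_dh_key(DHsecret: int, nC: int, nK: int) -> bytes:
    """Reuse mode: the cached DHsecret is mixed with both parties' fresh
    nonces, k = Hash(DHsecret, nC, nK)."""
    return hash_key(DHsecret, nC, nK)


def fresh_keys_agree() -> bool:
    kC, kK = fresh_dh_exchange()
    return kC == kK


def reuse_keys_are_per_session():
    """Two sessions on the same cached DHsecret (a constructed value): both
    sides agree within a session, a new KAS nonce changes the key, and the
    reuse key differs from the key a fresh run would derive from DHsecret."""
    DHsecret = 0x2F3A9C1D8E7B6A5F4D3C2B1A0F9E8D7C    # constructed cached secret
    nC, nK1, nK2 = 0x1111, 0x2222, 0x3333           # constructed nonces
    k1_client = reused_dh_key(DHsecret, nC, nK1)
    k1_kas = reused_dh_key(DHsecret, nC, nK1)
    k2 = reused_dh_key(DHsecret, nC, nK2)
    return k1_client == k1_kas, k1_client != k2, k1_client != hash_key(DHsecret)


if __name__ == "__main__":
    print("fresh DH: keys agree:", fresh_keys_agree())
    print("reuse DH: (agree, per-session, differs from fresh):", reuse_keys_are_per_session())
```

The reuse run shows why both nonces enter the derivation: with the cached DHsecret alone every session would derive the same k, while nC and nK give each side a fresh contribution per exchange even though no new exponentiation is done.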
PKINIT with server-generated key distribution

Additional Symbols:

Keys:
  | pkC      | Public key of Client                                                    |

(see also the mapping to the specifications)

Process:
  C --> K: CertC, [tC,n2]skC, TrustC, C, T, n1
  K:       generate k
           generate AK
  K --> C: {CertK, [k,n2]skK}pkC, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k
Messages:
C K
CertC, [tC,n2]skC, TrustC, C, T, n1
------------------------------------------------------------------->
|
{CertK, [k,n2]skK}pkC, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k |
<-------------------------------------------------------------------
PKINIT with server-generated key distribution - ATTACK

Process:
  C --> K: CertC, [tC,n2]skC, TrustC, C, T, n1
  I:       intercept
  I --> K: CertI, [tC,n2]skI, TrustI, I, T, n1
  K:       generate k
           generate AK
  K --> I: {CertK, [k,n2]skK}pkI, I, {AK,I,tK,CertPath}kT, {AK,n1,tK,T}k
  I --> C: {CertK, [k,n2]skK}pkC, C, {AK,I,tK,CertPath}kT, {AK,n1,tK,T}k
Messages:
C I K
CertC, [tC,n2]skC, TrustC, C, T, n1
------------------------------------------------------------------->
|
| CertI, [tC,n2]skI, TrustI, I, T, n1
------------------------------------------------------------------->
|
{CertK, [k,n2]skK}pkI, I, {AK,I,tK,CertPath}kT, {AK,n1,tK,T}k |
<-------------------------------------------------------------------
|
{CertK, [k,n2]skK}pkC, C, {AK,I,tK,CertPath}kT, {AK,n1,tK,T}k |
<-------------------------------------------------------------------
PKINIT with server-generated key distribution - Larry Zhu's fix

Additional Symbols:

Checksums:
  | cksm     | Checksum over AS_REQ                                                    |

Process:
  C --> K: CertC, [tC,n2]skC, TrustC, C, T, n1
  K:       generate k
           generate AK
           compute cksm = KEYED-CHECKSUM(k, 6, (CertC, [tC,n2]skC, TrustC, C, T, n1))
  K --> C: {CertK, [k,cksm]skK}pkC, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k
Messages:
C K
CertC, [tC,n2]skC, TrustC, C, T, n1
--------------------------------------------------------------------->
|
{CertK, [k,cksm]skK}pkC, C, {AK,C,tK,CertPath}kT, {AK,n1,tK,T}k |
<---------------------------------------------------------------------
Comments:
- cksm is the checksum of the whole request message
  CertC, [tC,n2]skC, TrustC, C, T, n1, keyed with the key k.
- The function KEYED-CHECKSUM can be any collision-free keyed checksum.
  Current candidates include hmac-sha1-96-aes128. The recently discovered
  weaknesses of HMAC-MD5 led to discarding rc4-hmac-md5. Future strong keyed
  checksums can be used for cksm.
- The proposal corrects the binding deficiency that caused the attack. In particular:
  - It always ensures the weak binding of C's name and realm in the message
    exchange: a principal that is not identified as C cannot impersonate C.
  - It ensures the strong binding of C's name, realm and role if the
    certificates CertC include role information, as recently proposed. Only
    the specific instances of C in that role will be authenticated.
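The server-generated-key exchange, the relay shown under ATTACK, and the checksum binding of the fix, as an added Python model. This is example code written for this page, not code from the draft or from any Kerberos implementation. Signatures, certificates and public-key encryption are kept symbolic (tuples tagged with a principal's name), exactly as the page's notation does; only the reply-key binding (n2 without the fix, cksm with it) is computed for real. KEYED-CHECKSUM is modelled as HMAC-SHA1 truncated to 96 bits with the usage number 6 mixed into the key, an assumption that stands in for the RFC 3962 key derivation of the real hmac-sha1-96-aes128 checksum; all principal names, timestamps and nonces are constructed values.

```python
import hashlib
import hmac
import secrets

AS_CHECKSUM_USAGE = 6   # the key-usage number the page shows in KEYED-CHECKSUM(k, 6, ...)


def keyed_checksum(k: bytes, usage: int, msg: bytes) -> bytes:
    """Simplified hmac-sha1-96: HMAC-SHA1 truncated to 96 bits. Assumption: the
    usage number is mixed into the HMAC key directly instead of through the
    RFC 3962 key derivation the real aes128 checksum type uses."""
    return hmac.new(k + usage.to_bytes(4, "big"), msg, hashlib.sha1).digest()[:12]


def encode(msg) -> bytes:
    """Deterministic byte encoding of a message tuple (stands in for DER)."""
    return repr(msg).encode()


def as_req(name: str, tC: int, n2: int, n1: int):
    """AS_REQ as on the page: CertC, [tC,n2]skC, TrustC, C, T, n1 (symbolic)."""
    return (("Cert", name), ("signed", name, (tC, n2)), ("Trust", name), name, "T", n1)


def kas_reply(req, with_fix: bool):
    """K: generate k and AK, then bind k to the request: with the fix by
    cksm = KEYED-CHECKSUM(k, 6, AS_REQ), without it only by echoing n2.
    The key pack is encrypted to the public key of whoever signed the request."""
    cert, signed, trust, cname, sname, n1 = req
    _, signer, (tC, n2) = signed
    k = secrets.token_bytes(16)
    binding = keyed_checksum(k, AS_CHECKSUM_USAGE, encode(req)) if with_fix else n2
    key_pack = ("CertK", ("signed", "K", (k, binding)))       # CertK, [k, binding]skK
    enc_key_pack = ("enc", signer, key_pack)                   # {...} under the signer's pk
    ticket = ("ticket", "AK", cname, "CertPath")               # {AK, cname, tK, CertPath}kT
    enc_part = ("encpart", "AK", n1, sname)                    # {AK, n1, tK, T}k
    return enc_key_pack, cname, ticket, enc_part


def client_verify(req_sent, reply, with_fix: bool) -> bool:
    """C: decrypt the key pack (only possible if it was encrypted to C), recover
    k, and check the binding against the AS_REQ that C itself sent."""
    enc_key_pack, _cname, _ticket, _enc_part = reply
    _, recipient, (_certK, (_, _signer, (k, binding))) = enc_key_pack
    if recipient != req_sent[3]:
        return False                         # not encrypted to this client
    if with_fix:
        expected = keyed_checksum(k, AS_CHECKSUM_USAGE, encode(req_sent))
        return hmac.compare_digest(expected, binding)
    _, _, (_tC, n2_sent) = req_sent[1]
    return binding == n2_sent                # pre-fix check: only the nonce


def honest_run(with_fix: bool) -> bool:
    """C talks to K directly; accepted in both modes."""
    req = as_req("C", tC=1000, n2=42, n1=7)
    return client_verify(req, kas_reply(req, with_fix), with_fix)


def relayed_run(with_fix: bool) -> bool:
    """The page's ATTACK flow: I signs C's tC and n2 under its own key, obtains a
    reply addressed to I, and forwards the key pack to C re-encrypted under pkC.
    Returns whether C accepts that forwarded reply."""
    req_c = as_req("C", tC=1000, n2=42, n1=7)
    req_i = as_req("I", tC=1000, n2=42, n1=7)           # I's re-signed request
    enc_key_pack, _, ticket, enc_part = kas_reply(req_i, with_fix)
    _, _, key_pack = enc_key_pack
    forwarded = (("enc", "C", key_pack), "C", ticket, enc_part)
    return client_verify(req_c, forwarded, with_fix)


if __name__ == "__main__":
    print("honest, no fix:", honest_run(False), " honest, fix:", honest_run(True))
    print("relayed, no fix:", relayed_run(False), " relayed, fix:", relayed_run(True))
```

In the relayed run with the fix, K computed cksm over I's AS_REQ (CertI, I) while C recomputes it over the AS_REQ it sent (CertC, C), so the two 96-bit values differ and C rejects the reply; this is the weak binding of C's name and realm described in the comments. Without the fix the only thing C can check is n2, which I copied unchanged, so the forwarded key pack passes.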
Specified vs. Modeled Fields
Official Name                        | Remarks                    | Used Abbreviation
-------------------------------------+----------------------------+-----------------------
pvno                                 | Omitted                    |
msg-type                             | Omitted                    |
padata                               | (some subfields included)  |
  padata-type                        | Omitted                    |
  padata-value                       | (some subfields included)  |
    signedAuthPack                   | (some subfields included)  |
      contentType                    | Omitted                    |
      content                        | (some subfields included)  |
        version                      | Omitted                    |
        digestAlgorithms             | Omitted                    |
        encapContentInfo             | (some subfields included)  |
          eContentType               | Omitted                    |
          eContent                   | (some subfields included)  |
            pkAuthenticator          | (some subfields included)  |
              cusec                  |                            | tC
              ctime                  | (merged with cusec)        |
              nonce                  |                            | n2
              paChecksum             | Omitted                    |
            clientPublicValue        | (included for DH)          |
              algorithm              |                            | DHpar
              subjectPublicKey       |                            | DHpubC
            supportedCMSTypes        | Omitted (optional)         |
            clientDHNonce            | (included for DH reuse)    | nC
        certificates                 |                            | CertC
        crls                         | Omitted                    |
        signerInfos                  | (some subfields included)  |
          version                    | Omitted                    |
          sid                        | Omitted                    |
          digestAlgorithm            | Omitted                    |
          signedAttrs                | Omitted (optional)         |
          signatureAlgorithm         | Omitted                    |
          signature                  |                            | [...]skC over eContent
          unsignedAttrs              | Omitted (optional)         |
    trustedCertifiers                | (optional)                 | TrustC
    kdcPkId                          | Omitted (optional)         |
req-body                             | (some subfields included)  |
  kdc-options                        | Omitted                    |
  cname                              |                            | C
  sname                              |                            | T
  from                               | Omitted                    |
  till                               | Omitted                    |
  rtime                              | Omitted                    |
  nonce                              |                            | n1
  etype                              | Omitted                    |
  addresses                          | Omitted                    |
  enc-authorization-data             | Omitted                    |
  additional-tickets                 | Omitted                    |

Fields and subfields in the AS_REQ message.
Official Name                        | Remarks                    | Used Abbreviation
-------------------------------------+----------------------------+-----------------------
pvno                                 | Omitted                    |
msg-type                             | Omitted                    |
padata                               | (some subfields included)  |
  padata-type                        | Omitted                    |
  padata-value                       | (some subfields included)  |
    dhInfo                           | (some subfields included)  |
      dhSignedData                   | (some subfields included)  |
        contentType                  | Omitted                    |
        content                      | (some subfields included)  |
          version                    | Omitted                    |
          digestAlgorithms           | Omitted                    |
          encapContentInfo           | (some subfields included)  |
            eContentType             | Omitted                    |
            eContent                 |                            |
              subjectPublicKey       |                            | DHpubK
              nonce                  |                            | n2 (fresh) or 0 (reuse)
              dhKeyExpiration        | (included for DH reuse)    | tDH
          certificates               |                            | CertK
          crls                       | Omitted                    |
          signerInfos                | (some subfields included)  |
            version                  | Omitted                    |
            sid                      | Omitted                    |
            digestAlgorithm          | Omitted                    |
            signedAttrs              | Omitted (optional)         |
            signatureAlgorithm       | Omitted                    |
            signature                |                            | [...]skK over eContent
            unsignedAttrs            | Omitted (optional)         |
      serverDHNonce                  | (included for DH reuse)    | nK
crealm                               | Omitted                    |
cname                                |                            | C
ticket                               | (some subfields included)  |
  tkt-vno                            | Omitted                    |
  realm                              | Omitted                    |
  sname                              | Omitted                    |
  enc-part                           | (some subfields included)  |
    flags                            | Omitted                    |
    key                              |                            | AKey
    crealm                           | Omitted                    |
    cname                            |                            | C
    transited                        | Omitted                    |
    authtime                         |                            | tK
    starttime                        | Omitted (optional)         |
    endtime                          | Omitted                    |
    renew-till                       | Omitted (optional)         |
    caddr                            | Omitted (optional)         |
    authorization-data               | (some subfields included)  |
      ad-type                        | Omitted                    |
      ad-data                        |                            | certPath
enc-part                             | (some subfields included)  |
  key                                |                            | AKey
  last-req                           | Omitted                    |
  nonce                              |                            | n1
  key-expiration                     | Omitted (optional)         |
  flags                              | Omitted                    |
  authtime                           |                            | tK
  starttime                          | Omitted (optional)         |
  endtime                            | Omitted                    |
  renew-till                         | Omitted (optional)         |
  srealm                             | Omitted                    |
  sname                              |                            | T
  caddr                              | Omitted (optional)         |

Fields and subfields in the AS_REP message (DH).
Official Name                        | Remarks                    | Used Abbreviation
-------------------------------------+----------------------------+-----------------------
pvno                                 | Omitted                    |
msg-type                             | Omitted                    |
padata                               | (some subfields included)  |
  padata-type                        | Omitted                    |
  padata-value                       | (some subfields included)  |
    encKeyPack                       | (some subfields included)  |
      contentType                    | Omitted                    |
      content                        | (some subfields included)  |
        version                      | Omitted                    |
        originatorInfo               | Omitted (optional)         |
        recipientInfos               | Omitted                    |
        encryptedContentInfo         | (some subfields included)  |
          contentType                | Omitted                    |
          contentEncryptionAlgorithm | Omitted                    |
          encryptedContent           | (some subfields included)  |
            version                  | Omitted                    |
            digestAlgorithms         | Omitted                    |
            encapContentInfo         | (some subfields included)  |
              eContentType           | Omitted                    |
              eContent               |                            |
                replyKey             |                            | k
                nonce / as-checksum  |                            | n2 / cksm
            certificates             |                            | CertK
            crls                     | Omitted                    |
            signerInfos              | (some subfields included)  |
              version                | Omitted                    |
              sid                    | Omitted                    |
              digestAlgorithm        | Omitted                    |
              signedAttrs            | Omitted (optional)         |
              signatureAlgorithm     | Omitted                    |
              signature              |                            | [...]skK over eContent
              unsignedAttrs          | Omitted (optional)         |
        unprotectedAttrs             | Omitted (optional)         |
crealm                               | Omitted                    |
cname                                |                            | C
ticket                               | (some subfields included)  |
  tkt-vno                            | Omitted                    |
  realm                              | Omitted                    |
  sname                              | Omitted                    |
  enc-part                           | (some subfields included)  |
    flags                            | Omitted                    |
    key                              |                            | AKey
    crealm                           | Omitted                    |
    cname                            |                            | C
    transited                        | Omitted                    |
    authtime                         |                            | tK
    starttime                        | Omitted (optional)         |
    endtime                          | Omitted                    |
    renew-till                       | Omitted (optional)         |
    caddr                            | Omitted (optional)         |
    authorization-data               | (some subfields included)  |
      ad-type                        | Omitted                    |
      ad-data                        |                            | certPath
enc-part                             | (some subfields included)  |
  key                                |                            | AKey
  last-req                           | Omitted                    |
  nonce                              |                            | n1
  key-expiration                     | Omitted (optional)         |
  flags                              | Omitted                    |
  authtime                           |                            | tK
  starttime                          | Omitted (optional)         |
  endtime                            | Omitted                    |
  renew-till                         | Omitted (optional)         |
  srealm                             | Omitted                    |
  sname                              |                            | T
  caddr                              | Omitted (optional)         |

Fields and subfields in the AS_REP message (non-DH) and fix.