Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension

The Kerberos PKINIT extension defines two schemes for using asymmetric cryptography in a Kerberos preauthenticator. One uses Diffie-Hellman key exchange and the other depends on public key encryption. The public key encryption scheme is less commonly used for two reasons: Elliptic Curve Cryptography (ECC) Support for PKINIT only specified Elliptic Curve Diffie-Hellman (ECDH) key agreement, so it cannot be used for public key encryption. Public key encryption requires certificates with an encryption key, that is not deployed on many existing smart cards. In the Diffie-Hellman exchange, the client uses its private key only to sign the AuthPack structure (specified in Section 3.2.1 of ), that is performed before any traffic is sent to the KDC. Thus a client can generate requests with future times in the PKAuthenticator, and then send those requests at those future times. Unless the time is outside the validity period of the client's certificate, the KDC will validate the PKAuthenticator and return a TGT the client can use without possessing the private key. As a result, a client performing PKINIT with the Diffie-Hellman key exchange does not prove current possession of the private key being used for authentication. It proves only prior use of that key. Ensuring that the client has current possession of the private key requires that the signed PKAuthenticator data include information that the client could not have predicted.

Today, password-based AS exchanges often begin with the client sending a KRB_AS_REQ without pre-authentication. When the principal requires pre-authentication, the KDC responds with a KRB_ERROR containing information needed to complete an AS exchange, such as the supported encryption types and salt values. This message flow is illustrated below:

<---- AS-REQ AS-REP ----> <---- TGS-REQ TGS-REP ----> ]]> We can use a similar message flow with PKINIT, allowing the KDC to provide a token for the client to include in its KRB_AS_REQ to ensure that the PA_PK_AS_REQ was not pregenerated.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

The following summarizes the message flow with extensions to and required to support a KDC-provided freshness token during the initial request for a ticket: The client generates a KRB_AS_REQ as specified in Section 2.9.3 that contains no PA_PK_AS_REQ and includes a freshness token request. The KDC generates a KRB_ERROR as specified in Section 3.1.3 of providing a freshness token. The client receives the error as specified in Section 3.1.4 of , extracts the freshness token, and includes it as part of the KRB_AS_REQ as specified in and . The KDC receives and validates the KRB_AS_REQ as specified in Section 3.2.2 , then additionally validates the freshness token. The KDC and client continue as specified in and .

The client indicates support of freshness tokens by adding a padata element with padata-type PA_AS_FRESHNESS and padata-value of an empty octet string.

The KDC will respond with a KRB_ERROR message with the error-code KDC_ERR_PREAUTH_REQUIRED adding a padata element with padata-type PA_AS_FRESHNESS and padata-value of the freshness token to the METHOD-DATA object.

After the client receives the KRB-ERROR message containing a freshness token, it extracts the PA_AS_FRESHNESS padata-value field of the PA-DATA structure as an opaque data blob. The PA_AS_FRESHNESS padata-value field of the PA-DATA structure SHALL then be added as an opaque blob in the freshnessToken field when the client generates the PKAuthenticator for the PA_PK_AS_REQ message. This ensures that the freshness token value will be included in the signed data portion of the KRB_AS_REQ value.

If the realm requires freshness and the PA_PK_AS_REQ message does not contain the freshness token, the KDC MUST return a KRB_ERROR message with the error-code KDC_ERR_PREAUTH_FAILED with a padata element with padata-type PA_AS_FRESHNESS and padata-value of the freshness token to the METHOD-DATA object. When the PA_PK_AS_REQ message contains a freshness token, after validating the PA_PK_AS_REQ message normally, the KDC will validate the freshnessToken value in the PKAuthenticator in an implementation-specific way. If the freshness token is not valid, the KDC MUST return a KRB_ERROR message with the error-code KDC_ERR_PREAUTH_EXPIRED . The e-data field of the error contains a METHOD-DATA object which specifies a valid PA_AS_FRESHNESS padata-value. Since the freshness tokens are validated by KDCs in the same realm, standardizing the contents of the freshness token is not a concern for interoperability.

If a client receives a KDC_ERR_PREAUTH_EXPIRED KRB_ERROR message that includes a freshness token, it MUST retry using the new freshness token.

The following are the new PreAuthentication data types: Padata and Data Type Padata-type Value PA_AS_FRESHNESS TBD

The PKAuthenticator structure specified in Section 3.2.1 is extended to include a new freshnessToken as follows:

Douglas E. Engert, Sam Hartman, Henry B. Hotz, Nikos Mavrogiannopoulos, Martin Rex, Nico Williams, and Tom Yu were key contributors to the discovery of the freshness issue in PKINIT. Sam Hartman, Greg Hudson, Jeffrey Hutzelman, Nathan Ide, Benjamin Kaduk, Bryce Nordgren, Magnus Nystrom, Nico Williams and Tom Yu reviewed the document and provided suggestions for improvements.

IANA is requested to assign numbers for PA_AS_FRESHNESS listed in the Kerberos Parameters registry Pre-authentication and Typed Data as follows: Type Value Reference TBD PA_AS_FRESHNESS [This RFC]

The freshness token SHOULD include signing, encrypting or sealing data from the KDC to determine authenticity and prevent tampering. Freshness tokens serve to guarantee that the client had the key when constructing the AS-REQ. They are not required to be single use tokens or bound to specific AS exchanges. Part of the reason the token is opaque is to allow KDC implementers the freedom to add additional functionality as long as the "freshness" guarantee remains.

Since the client treats the KDC provided data blob as opaque, changing the contents will not impact existing clients. Thus extensions to the freshness token do not impact client interoperability. Clients SHOULD NOT reuse freshness tokens across multiple exchanges. There is no guarantee that a KDC will allow a once-valid token to be used again. Thus clients that do not retry with a new freshness token may not be compatible with KDCs depending on how they choose to implement "freshness" validation. Since upgrading clients takes time, implementers may consider allowing both freshness-token based exchanges as well as "legacy" exchanges without use of freshness tokens. However, until freshness tokens are required by the realm, existing risks of pre-generated PKAuthenticators will remain.