Negotiation of Extra Security Context Tokens for Kerberos V5 Generic Security Services Mechanism

The Kerberos V5 AP protocol, and therefore the Kerberos V5 GSS mechanism security context token exchange, is a one-round trip protocol. Occasionally there are errors that the protocol could recover from by using an additional round trip, but until now there was no way to execute such an additional round trip. For many application protocols the failure of the Kerberos AP protocol is fatal, requiring closing TCP connections and starting over; often there is no automatic recovery. This document proposes a negotiation of additional security context tokens for automatic recovery from certain errors. This is done in a backwards-compatible way, thus retaining the existing mechanism OID for the Kerberos V5 GSS mechanism. Additionally we add support for user-to-user authentication and authenticated errors, and provide a way to avoid the need for replay caching.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

We introduce the following new protocol elements. A partial ASN.1 module (for inclusion in the base Kerberos ASN.1 module) is given in , and references to its contents are made below. a new ap-options flag for use in the clear-text part of AP-REQs to indicate the desire for an extra round trip if need be; a new Authorization-Data element for use in Authenticators for quoting back a challenge nonce from the acceptor; a new PDU: KRB-ERROR2, with additional fields and support for authenticated errors. No new interface is needed for GSS-API applications to use this feature. To use this feature, the Kerberos GSS mechanism MUST act as follows: To request this feature, initiators SHALL add the new ap-options flag to their AP-REQs. Acceptors that wish to request an additional security context token can only do so when initiators indicate support for it, and MUST do so by returning a KRB-ERROR2. The encrypted part of the KRB-ERROR2 SHALL be encrypted in one of the following keys: the sub-session key from the AP-REQ's Authenticator if it could be decrypted, else the session key from the Ticket, if it could be decrypted, else the null enc-type/key. The KRB-ERROR2 in this case SHALL have a the continue-needed e-flag set when the acceptor is willing to consume another security context token from the initiator; the acceptor SHALL also return GSS_S_CONTINUE_NEEDED to the application in this case. Initiators that request this feature and receive a KRB-ERROR2 SHOULD attempt to recover. Initiators that request this feature and receive a KRB-ERROR2 with the continue-needed e-flag set SHOULD attempt to recover and MAY produce a token to send to the acceptor: either a KRB-ERROR2 if the initiator failed to recover, or a new AP-REQ (with the traditional GSS-API pseudo-ASN.1 mechanism OID header). In the successful recovery case the initiator MUST quote the nonce from the KRB-ERROR2 using an AD-CHALLENGE-RESPONSE-NONCE (see below) authorization data element. When it consumes a KRB-ERROR2, GSS_Init_sec_context() can return an error (GSS_S_FAILURE), or attempt recovery and output a new AP-REQ security context token. When GSS_Init_sec_context() outputs a new AP-REQ security context token, it SHALL return GSS_S_CONTINUE_NEEDED if the application requested mutual authentication, else it SHALL return GSS_S_COMPLETE. When GSS_Init_sec_context() returns an error and the acceptor is awaiting a security context token, GSS_Init_sec_context() MAY generate a KRB-ERROR to send to the acceptor. Acceptors MUST reject additional AP-REQs which do not have a challenge response nonce matching the one sent by the acceptor in the previous KRB-ERROR2. Acceptors MUST reject initial security context tokens that contain a challenge response nonce.

The following Kerberos errors can be recovered from automatically using this protocol: KRB_AP_ERR_TKT_EXPIRED: the initiator should get a new service ticket; KRB_AP_ERR_TKT_NYV: the initiator should get a new service ticket; KRB_AP_ERR_REPEAT: the initiator should build a new AP-REQ; KRB_AP_ERR_SKEW: the initiator should build a new AP-REQ with time corrected for the offset between the initiator's and acceptor's clocks; KRB_AP_ERR_BADKEYVER: the initiator should get a new service ticket; KRB_AP_PATH_NOT_ACCEPTED: the initiator should get a new service ticket using a different transit path; KRB_AP_ERR_INAPP_CKSUM: the initiator should try again with a different checksum type. Error codes that denote PDU corruption (and/or an active attack) can also be recovered from by attempting a new AP-REQ: KRB_AP_ERR_BAD_INTEGRITY KRB_AP_ERR_BADVERSION KRB_AP_ERR_BADMATCH KRB_AP_ERR_MSG_TYPE KRB_AP_ERR_MODIFIED Other error codes that may be recovered from: KRB_AP_ERR_BADADDR; the acceptor SHOULD include a list of one or more client network addresses as reported by the operating system, but if the acceptor does not then the continue-needed e-flag MUST NOT be included and the error must be final.

The first AP-REQ may well result in an error; the second should not. Therefore acceptors SHOULD return a fatal error when a second error results in one security context establishment attempt, except when the first error is that the initiator should use user-to-user authentication. This limits the maximum number of round trips to two (not user-to-user) or three (user-to-user). Initiators and acceptors MUST impose some limit on the maximum number of security context tokens. For the time being that limit is six. An initiator that rejects an additional round trip MUST respond with a KRB-ERROR2. Note that in the user-to-user cases (see ) it's possible to have up to three round trips under normal conditions if, for example, the acceptor wishes to avoid the use of replay caches (see ), or if the initiator's clock is too skewed, for example.

It is REQUIRED that each AP-REQ in a security context token exchange replace the sub-session key to be used for PROT_READY per-message tokens. This can conceivably cause failure-to-verify/unwrap errors for some applications (e.g., using datagram transports), but none that they shouldn't have been prepared to handle.

Initiator applications that can negotiate security mechanisms and which have available an existing user-to-user mechanism as well as the Kerberos V5 GSS mechanism with the user-to-user extension defined here will have a problem: they may end up negotiating the use of the Kerberos V5 GSS mechanism and fail to establish a security context because the acceptor does not support the features defined in this document, but the application might have succeeded if it had selected the user-to-user mechanism. Question: how should we address this? We could say “give priority to the user-to-user mechanism”, but in some cases that might require changes to the acceptor side.

A partial ASN.1 module appears below. This ASN.1 is to be used as if it were part of the base Kerberos ASN.1 module (see RFC4120), therefore the encoding rules to be used are the Distinguished Encoding Rules (DER) , and the environment is one of explicit tagging.

APOptions ::= KerberosFlags -- reserved(0), -- use-session-key(1), -- mutual-required(2) -- continue-needed-ok(TBD) ad-continue-nonce Int32 ::= <TBD> -- ad-value is challenge nonce from KRB-ERROR2 KrbErrorEncPartFlags ::= KerberosFlags -- reserved(0) [XXX cargo cult!] -- use-initiator-subkey(1) -- use-ticket-session-key(2) -- use-null-enctype(3) KRB-ERROR2 ::= [APPLICATION <TBD>] SEQUENCE { pvno [0] INTEGER (5), msg-type [1] INTEGER (<TBD>), enc-part-key [2] KrbErrorEncPartFlags, enc-part [3] EncryptedData -- EncKRBErrorPart } ErrorFlags ::= KerberosFlags -- reserved(0) [XXX sounds like cargo cult!] -- continue-needed(1) EncKRBErrorPart ::= [APPLICATION <TBD>] SEQUENCE { challenge-nonce [0] OCTET STRING (16), stime [1] KerberosTime, susec [2] Microseconds, error-code [3] Int32, e-flags [4] ErrorFlags, e-text [5] KerberosString OPTIONAL, e-data [6] OCTET STRING OPTIONAL, e-typed-data [7] TYPED-DATA OPTIONAL, tgt [8] Ticket OPTIONAL, -- for user2user ... }

By using an additional AP-REQ and a challenge/response nonce, this protocol is immune to replays of AP-REQ PDUs and does not need a replay cache. Acceptor implementations MUST not insert Authenticators from extra round trips into a replay cache when there are no other old implementations on the same host (and with access to the same acceptor credentials) that ignore critical authorization data or which don't know to reject initial AP-REQs that contain a challenge response nonce. In the replay cache avoidance case where there's no actual error (e.g., time skew) the acceptor's KRB-ERROR2 will have KDC_ERR_NONE as the error code, with the continue-needed e-flag.

There are two user2user authentication cases: the KDC only allows a service principal to use user2user authentication, the service principal does not know its long-term keys or otherwise wants to use user2user authentication even though the KDC vended a service ticket. In the first case the initiator knows this because the KDC returns KDC_ERR_MUST_USE_USER2USER. The initiator cannot make a valid AP-REQ in this case, yet it must send an AP-REQ or fail to make even an initial security context token. For this case we propose that the initiator make an AP-REQ with a Ticket with zero-length enc-part (and null enctype) and a zero-length authenticator (and null enctype). The acceptor will fail to process the AP-REQ, of course, and SHOULD respond with a continue-needed KRB-ERROR2 (using the null enc-type for the enc-part) that includes a TGT for the acceptor. In the second case the initiator does manage to get a real service ticket for the acceptor but the acceptor nonetheless wishes to use user2user authentication. In both cases the acceptor responds with a KRB-ERROR2 with the KRB_AP_ERR_USER_TO_USER_REQUIRED error code and including a TGT for itself. In both cases the initiator then does a TGS request with a second ticket to get a new, user2user Ticket. Then the initiator makes a new AP-REQ using the new Ticket, and proceeds.

All error PDUs in an AP exchange where the AP-REQ has the continue-needed-ok ap-options flag MUST be KRB-ERROR2 PDUs. Whenever an acceptor is able to decrypt the Ticket from an AP-REQ and yet wishes or has to output a KRB-ERROR2, then the enc-part of the KRB-ERROR2 MUST be encrypted in either the initiator's sub-session key (from the Authenticator) or the Ticket's session key (if the acceptor could not decrypt the Authenticator).

This document deals with security. There are a number of unauthenticated protocol elements: the continue-needed-ok flag that the initiator uses to indicate its willingness to have more than one round trip, and some errors. This is unavoidable. The new KRB-ERROR2 PDU is cryptographically distinguished from the original mechanism's acceptor success security context token (AP-REQ). Not every KRB-ERROR2 can be integrity protected. Because in the base Kerberos V5 GSS-API security mechanism all errors are unauthenticated, and because even with this specification some elements are unauthenticated, it is possible for an attacker to cause one peer to think that the security context token exchange has failed while the other thinks it will continue. This can cause an acceptor to waste resources while waiting for additional security context tokens from the initiator. This is not really a new problem, however: acceptor applications should already have suitable timeouts on security context establishment.

Various allocations are required...