summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4178.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc4178.txt')
-rw-r--r--doc/rfc/rfc4178.txt1235
1 files changed, 1235 insertions, 0 deletions
diff --git a/doc/rfc/rfc4178.txt b/doc/rfc/rfc4178.txt
new file mode 100644
index 0000000..5c71d9e
--- /dev/null
+++ b/doc/rfc/rfc4178.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Network Working Group L. Zhu
+Request for Comments: 4178 P. Leach
+Obsoletes: 2478 K. Jaganathan
+Category: Standards Track Microsoft Corporation
+ W. Ingersoll
+ Sun Microsystems
+ October 2005
+
+
+ The Simple and Protected
+ Generic Security Service Application Program Interface (GSS-API)
+ Negotiation Mechanism
+
+Status of This Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2005).
+
+
+Abstract
+
+ This document specifies a negotiation mechanism for the Generic
+ Security Service Application Program Interface (GSS-API), which is
+ described in RFC 2743. GSS-API peers can use this negotiation
+ mechanism to choose from a common set of security mechanisms. If
+ per-message integrity services are available on the established
+ mechanism context, then the negotiation is protected against an
+ attacker that forces the selection of a mechanism not desired by the
+ peers.
+
+ This mechanism replaces RFC 2478 in order to fix defects in that
+ specification and to describe how to inter-operate with
+ implementations of that specification that are commonly deployed on
+ the Internet.
+
+
+
+
+
+
+
+
+
+
+Zhu, et al. Standards Track [Page 1]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Conventions Used in This Document ...............................3
+ 3. Negotiation Protocol ............................................3
+ 3.1. Negotiation Description ....................................4
+ 3.2. Negotiation Procedure ......................................5
+ 4. Token Definitions ...............................................7
+ 4.1. Mechanism Types ............................................7
+ 4.2. Negotiation Tokens .........................................7
+ 4.2.1. negTokenInit ........................................8
+ 4.2.2. negTokenResp ........................................9
+ 5. Processing of mechListMIC ......................................10
+ 6. Extensibility ..................................................13
+ 7. Security Considerations ........................................13
+ 8. Acknowledgments ................................................14
+ 9. References .....................................................14
+ 9.1. Normative References ......................................14
+ 9.2. Informative References ....................................15
+ Appendix A. SPNEGO ASN.1 Module ..................................16
+ Appendix B. GSS-API Negotiation Support API ......................17
+ B.1. GSS_Set_neg_mechs Call ...................................17
+ B.2. GSS_Get_neg_mechs Call ...................................18
+ Appendix C. Changes since RFC 2478 ...............................18
+ Appendix D. mechListMIC Computation Example ......................20
+
+1. Introduction
+
+ The GSS-API [RFC2743] provides a generic interface that can be
+ layered atop different security mechanisms such that, if
+ communicating peers acquire GSS-API credentials for the same security
+ mechanism, then a security context may be established between them
+ (subject to policy). However, GSS-API does not prescribe the method
+ by which GSS-API peers can establish whether they have a common
+ security mechanism.
+
+ The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism
+ defined here is a pseudo security mechanism that enables GSS-API
+ peers to determine in-band whether their credentials support a common
+ set of one or more GSS-API security mechanisms; if so, it invokes the
+ normal security context establishment for a selected common security
+ mechanism. This is most useful for applications that depend on GSS-
+ API implementations and share multiple mechanisms between the peers.
+
+ The SPNEGO mechanism negotiation is based on the following model: the
+ initiator proposes a list of security mechanism(s), in decreasing
+ preference order (favorite choice first), the acceptor (also known as
+ the target) either accepts the initiator's preferred security
+
+
+
+Zhu, et al. Standards Track [Page 2]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ mechanism (the first in the list) or chooses one of the available
+ mechanisms from the offered list; if neither is acceptable, the
+ acceptor rejects the proposed value(s). The target then informs the
+ initiator of its choice.
+
+ Once a common security mechanism is chosen, mechanism-specific
+ options MAY be negotiated as part of the selected mechanism's context
+ establishment. These negotiations (if any) are internal to the
+ mechanism and opaque to the SPNEGO protocol. As such, they are
+ outside the scope of this document.
+
+ If per-message integrity services [RFC2743] are available on the
+ established mechanism security context, then the negotiation is
+ protected to ensure that the mechanism list has not been modified.
+ In cases where an attacker could have materially influenced the
+ negotiation, peers exchange message integrity code (MIC) tokens to
+ confirm that the mechanism list has not been modified. If no action
+ of an attacker could have materially modified the outcome of the
+ negotiation, the exchange of MIC tokens is optional (see Section 5).
+ Allowing MIC tokens to be optional in this case provides
+ interoperability with existing implementations while still protecting
+ the negotiation. This interoperability comes at the cost of
+ increased complexity.
+
+ SPNEGO relies on the concepts developed in the GSS-API specification
+ [RFC2743]. The negotiation data is encapsulated in context-level
+ tokens. Therefore, callers of the GSS-API do not need to be aware of
+ the existence of the negotiation tokens, but only of the new pseudo-
+ security mechanism. A failure in the negotiation phase causes a
+ major status code to be returned: GSS_S_BAD_MECH.
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+3. Negotiation Protocol
+
+ When the established mechanism context provides integrity protection,
+ the mechanism negotiation can be protected. When acquiring
+ negotiated security mechanism tokens, per-message integrity services
+ are always requested by the SPNEGO mechanism.
+
+ When the established mechanism context supports per-message integrity
+ services, SPNEGO guarantees that the selected mechanism is mutually
+ preferred.
+
+
+
+
+Zhu, et al. Standards Track [Page 3]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ This section describes the negotiation process of this protocol.
+
+3.1. Negotiation Description
+
+ The first negotiation token sent by the initiator contains an ordered
+ list of mechanisms in decreasing preference order (favorite mechanism
+ first), and optionally the initial mechanism token for the preferred
+ mechanism of the initiator (i.e., the first in the list). (Note that
+ the list MUST NOT contain this SPNEGO mechanism itself or any
+ mechanism for which the client does not have appropriate
+ credentials.)
+
+ The target then processes the token from the initiator. This will
+ result in one of four possible states (as defined in Section 4.2.2)
+ being returned in the reply message: accept-completed, accept-
+ incomplete, reject, or request-mic. A reject state will terminate
+ the negotiation; an accept-completed state indicates that the
+ initiator-selected mechanism was acceptable to the target, and that
+ the security mechanism token embedded in the first negotiation
+ message was sufficient to complete the authentication; an accept-
+ incomplete state indicates that further message exchange is needed
+ but the MIC token exchange (as described in Section 5) is OPTIONAL; a
+ request-mic state (this state can only be present in the first reply
+ message from the target) indicates that the MIC token exchange is
+ REQUIRED if per-message integrity services are available.
+
+ Unless the preference order is specified by the application, the
+ policy by which the target chooses a mechanism is an implementation-
+ specific, local matter. In the absence of an application-specified
+ preference order or other policy, the target SHALL choose the first
+ mechanism in the initiator proposed list for which it has valid
+ credentials.
+
+ In case of a successful negotiation, the security mechanism in the
+ first reply message represents the value suitable for the target that
+ was chosen from the list offered by the initiator.
+
+ In case of an unsuccessful negotiation, the reject state is returned,
+ and the generation of a context-level negotiation token is OPTIONAL.
+
+ Once a mechanism has been selected, context establishment tokens
+ specific to the selected mechanism are carried within the negotiation
+ tokens.
+
+ Lastly, MIC tokens may be exchanged to ensure the authenticity of the
+ mechanism list received by the target.
+
+
+
+
+
+Zhu, et al. Standards Track [Page 4]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ To avoid conflicts with the use of MIC tokens by SPNEGO, partially-
+ established contexts MUST NOT be used for per-message calls. To
+ guarantee this, the prot_ready_state [RFC2743] MUST be set to false
+ on return from GSS_Init_sec_context() and GSS_Accept_sec_context(),
+ even if the underlying mechanism returned true.
+
+ Note that in order to avoid an extra round trip, the first context
+ establishment token of the initiator's preferred mechanism SHOULD be
+ embedded in the initial negotiation message (as defined in Section
+ 4.2). (This mechanism token is referred to as the optimistic
+ mechanism token in this document.) In addition, using the optimistic
+ mechanism token allows the initiator to recover from non-fatal errors
+ encountered when trying to produce the first mechanism token before a
+ mechanism can be selected. In cases where the initiator's preferred
+ mechanism is not likely to be selected by the acceptor because of the
+ significant cost of its generation, implementations MAY omit the
+ optimistic mechanism token.
+
+3.2. Negotiation Procedure
+
+ The basic form of the procedure assumes that per-message integrity
+ services are available on the established mechanism context, and it
+ is summarized as follows:
+
+ a) The GSS-API initiator invokes GSS_Init_sec_context() as normal,
+ but requests that SPNEGO be used. SPNEGO can either be explicitly
+ requested or accepted as the default mechanism.
+
+ b) The initiator GSS-API implementation generates a negotiation token
+ containing a list of one or more security mechanisms that are
+ available based on the credentials used for this context
+ establishment, and optionally on the initial mechanism token for
+ the first mechanism in the list.
+
+ c) The GSS-API initiator application sends the token to the target
+ application. The GSS-API target application passes the token by
+ invoking GSS_Accept_sec_context(). The acceptor will do one of
+ the following:
+
+ I) If none of the proposed mechanisms are acceptable, the
+ negotiation SHALL be terminated. GSS_Accept_sec_context
+ indicates GSS_S_BAD_MECH. The acceptor MAY output a
+ negotiation token containing a reject state.
+
+ II) If either the initiator's preferred mechanism is not accepted
+ by the target or this mechanism is accepted but is not the
+ acceptor's most preferred mechanism (i.e., the MIC token
+ exchange as described in Section 5 is required),
+
+
+
+Zhu, et al. Standards Track [Page 5]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED.
+ The acceptor MUST output a negotiation token containing a
+ request-mic state.
+
+ III) Otherwise, if at least one additional negotiation token from
+ the initiator is needed to establish this context,
+ GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED and
+ outputs a negotiation token containing an accept-incomplete
+ state.
+
+ IV) Otherwise, no additional negotiation token from the initiator
+ is needed to establish this context, GSS_Accept_sec_context()
+ indicates GSS_S_COMPLETE and outputs a negotiation token
+ containing an accept_complete state.
+
+ If the initiator's preferred mechanism is accepted, and an
+ optimistic mechanism token was included, this mechanism token MUST
+ be passed to the selected mechanism by invoking
+ GSS_Accept_sec_context(). If a response mechanism token is
+ returned, it MUST be included in the response negotiation token.
+ Otherwise, the target will not generate a response mechanism token
+ in the first reply.
+
+ d) The GSS-API target application returns the negotiation token to
+ the initiator application. The GSS-API initiator application
+ passes the token by invoking GSS_Init_sec_context(). The security
+ context initialization is then continued according to the standard
+ GSS-API conventions for the selected mechanism, where the tokens
+ of the selected mechanism are encapsulated in negotiation messages
+ (see Section 4) until GSS_S_COMPLETE is returned for both the
+ initiator and the target by the selected security mechanism.
+
+ e) MIC tokens are then either skipped or exchanged according to
+ Section 5.
+
+ Note that the *_req_flag input parameters for context establishment
+ are relative to the selected mechanism, as are the *_state output
+ parameters. That is, these parameters are not applicable to the
+ negotiation process per se.
+
+ On receipt of a negotiation token on the target side, a GSS-API
+ implementation that does not support negotiation would indicate the
+ GSS_S_BAD_MECH status as though a particular basic security mechanism
+ had been requested and was not supported.
+
+ When a GSS-API credential is acquired for the SPNEGO mechanism, the
+ implementation SHOULD produce a credential element for the SPNEGO
+ mechanism that internally contains GSS-API credential elements for
+
+
+
+Zhu, et al. Standards Track [Page 6]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ all mechanisms for which the principal has credentials available,
+ except for any mechanisms that are not to be negotiated, per
+ implementation-, site-, or application-specific policy. See Appendix
+ B for interfaces for expressing application policy.
+
+4. Token Definitions
+
+ The type definitions in this section assume an ASN.1 module
+ definition of the following form:
+
+ SPNEGOASNOneSpec {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanism(5) snego (2) modules(4) spec2(2)
+ } DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ -- rest of definitions here
+
+ END
+
+ This specifies that the tagging context for the module will be
+ explicit and non-automatic.
+
+ The encoding of the SPNEGO protocol messages shall obey the
+ Distinguished Encoding Rules (DER) of ASN.1, as described in [X690].
+
+4.1. Mechanism Types
+
+ In this negotiation model, each OID represents one GSS-API mechanism
+ or one variant (see Section 6) of it, according to [RFC2743].
+
+ MechType ::= OBJECT IDENTIFIER
+ -- OID represents each security mechanism as suggested by
+ -- [RFC2743]
+
+ MechTypeList ::= SEQUENCE OF MechType
+
+4.2. Negotiation Tokens
+
+ The syntax of the initial negotiation tokens follows the
+ initialContextToken syntax defined in Section 3.1 of [RFC2743]. The
+ SPNEGO pseudo mechanism is identified by the Object Identifier
+ iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
+ Subsequent tokens MUST NOT be encapsulated in this GSS-API generic
+ token framing.
+
+ This section specifies the syntax of the inner token for the initial
+ message and the syntax of subsequent context establishment tokens.
+
+
+
+
+Zhu, et al. Standards Track [Page 7]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ NegotiationToken ::= CHOICE {
+ negTokenInit [0] NegTokenInit,
+ negTokenResp [1] NegTokenResp
+ }
+
+4.2.1. negTokenInit
+
+ NegTokenInit ::= SEQUENCE {
+ mechTypes [0] MechTypeList,
+ reqFlags [1] ContextFlags OPTIONAL,
+ -- inherited from RFC 2478 for backward compatibility,
+ -- RECOMMENDED to be left out
+ mechToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL,
+ ...
+ }
+ ContextFlags ::= BIT STRING {
+ delegFlag (0),
+ mutualFlag (1),
+ replayFlag (2),
+ sequenceFlag (3),
+ anonFlag (4),
+ confFlag (5),
+ integFlag (6)
+ } (SIZE (32))
+
+ This is the syntax for the inner token of the initial negotiation
+ message.
+
+ mechTypes
+
+ This field contains one or more security mechanisms available for
+ the initiator, in decreasing preference order (favorite choice
+ first).
+
+ reqFlags
+
+ This field, if present, contains the service options that are
+ requested to establish the context (the req_flags parameter of
+ GSS_Init_sec_context()). This field is inherited from RFC 2478
+ and is not integrity protected. For implementations of this
+ specification, the initiator SHOULD omit this reqFlags field and
+ the acceptor MUST ignore this reqFlags field.
+
+ The size constraint on the ContextFlags ASN.1 type only applies to
+ the abstract type. The ASN.1 DER requires that all trailing zero
+ bits be truncated from the encoding of a bit string type whose
+ abstract definition includes named bits. Implementations should
+
+
+
+Zhu, et al. Standards Track [Page 8]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ not expect to receive exactly 32 bits in an encoding of
+ ContextFlags.
+
+ mechToken
+
+ This field, if present, contains the optimistic mechanism token.
+
+ mechlistMIC
+
+ This field, if present, contains an MIC token for the mechanism
+ list in the initial negotiation message. This MIC token is
+ computed according to Section 5.
+
+4.2.2. negTokenResp
+
+ NegTokenResp ::= SEQUENCE {
+ negState [0] ENUMERATED {
+ accept-completed (0),
+ accept-incomplete (1),
+ reject (2),
+ request-mic (3)
+ } OPTIONAL,
+ -- REQUIRED in the first reply from the target
+ supportedMech [1] MechType OPTIONAL,
+ -- present only in the first reply from the target
+ responseToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL,
+ ...
+ }
+
+ This is the syntax for all subsequent negotiation messages.
+
+ negState
+
+ This field, if present, contains the state of the negotiation.
+ This can be:
+
+ accept-completed
+
+ No further negotiation message from the peer is expected, and
+ the security context is established for the sender.
+
+ accept-incomplete
+
+ At least one additional negotiation message from the peer is
+ needed to establish the security context.
+
+
+
+
+
+Zhu, et al. Standards Track [Page 9]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ reject
+
+ The sender terminates the negotiation.
+
+ request-mic
+
+ The sender indicates that the exchange of MIC tokens, as
+ described in Section 5, will be REQUIRED if per-message
+ integrity services are available on the mechanism context to be
+ established. This value SHALL only be present in the first
+ reply from the target.
+
+ This field is REQUIRED in the first reply from the target, and is
+ OPTIONAL thereafter. When negState is absent, the actual state
+ should be inferred from the state of the negotiated mechanism
+ context.
+
+ supportedMech
+
+ This field SHALL only be present in the first reply from the
+ target. It MUST be one of the mechanism(s) offered by the
+ initiator.
+
+ ResponseToken
+
+ This field, if present, contains tokens specific to the mechanism
+ selected.
+
+ mechlistMIC
+
+ This field, if present, contains an MIC token for the mechanism
+ list in the initial negotiation message. This MIC token is
+ computed according to Section 5.
+
+5. Processing of mechListMIC
+
+ If the mechanism selected by the negotiation does not support
+ integrity protection, then no mechlistMIC token is used.
+
+ Otherwise, if the accepted mechanism is the most preferred mechanism
+ of both the initiator and the acceptor, then the MIC token exchange,
+ as described later in this section, is OPTIONAL. A mechanism is the
+ acceptor's most preferred mechanism if there is no other mechanism
+ that the acceptor would have preferred over the accepted mechanism
+ had it been present in the mechanism list.
+
+ In all other cases, MIC tokens MUST be exchanged after the mechanism
+ context is fully established.
+
+
+
+Zhu, et al. Standards Track [Page 10]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ a) The mechlistMIC token (or simply the MIC token) is computed over
+ the mechanism list in the initial negotiation message by invoking
+ GSS_GetMIC() as follows: the input context_handle is the
+ established mechanism context, the input qop_req is 0, and the
+ input message is the DER encoding of the value of type
+ MechTypeList, which is contained in the "mechTypes" field of the
+ NegTokenInit. The input message is NOT the DER encoding of the
+ type "[0] MechTypeList".
+
+ b) If the selected mechanism exchanges an even number of mechanism
+ tokens (i.e., the acceptor sends the last mechanism token), the
+ acceptor does the following when generating the negotiation
+ message containing the last mechanism token: if the MIC token
+ exchange is optional, GSS_Accept_sec_context() either indicates
+ GSS_S_COMPLETE and does not include a mechlistMIC token, or
+ indicates GSS_S_CONTINUE_NEEDED and includes a mechlistMIC token
+ and an accept-incomplete state; if the MIC token exchange is
+ required, GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED
+ and includes a mechlistMIC token. Acceptors that wish to be
+ compatible with legacy Windows SPNEGO implementations, as
+ described in Appendix C, should not generate a mechlistMIC token
+ when the MIC token exchange is not required. The initiator then
+ processes the last mechanism token, and does one of the following:
+
+ I) If a mechlistMIC token was included and is correctly
+ verified, GSS_Init_sec_context() indicates GSS_S_COMPLETE.
+ The output negotiation message contains a mechlistMIC token
+ and an accept_complete state. The acceptor MUST then verify
+ this mechlistMIC token.
+
+ II) If a mechlistMIC token was included but is incorrect, the
+ negotiation SHALL be terminated. GSS_Init_sec_context()
+ indicates GSS_S_DEFECTIVE_TOKEN.
+
+ III) If no mechlistMIC token was included and the MIC token
+ exchange is not required, GSS_Init_sec_context() indicates
+ GSS_S_COMPLETE with no output token.
+
+ IV) If no mechlistMIC token was included but the MIC token
+ exchange is required, the negotiation SHALL be terminated.
+ GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN.
+
+ c) In the case that the chosen mechanism exchanges an odd number of
+ mechanism tokens (i.e., the initiator sends the last mechanism
+ token), the initiator does the following when generating the
+ negotiation message containing the last mechanism token: if the
+ negState was request-mic in the first reply from the target, a
+ mechlistMIC token MUST be included; otherwise, the mechlistMIC
+
+
+
+Zhu, et al. Standards Track [Page 11]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ token is OPTIONAL. (Note that the MIC token exchange is required
+ if a mechanism other than the initiator's first choice is chosen.)
+ In the case that the optimistic mechanism token is the only
+ mechanism token for the initiator's preferred mechanism, the
+ mechlistMIC token is OPTIONAL. Whether the mechlistMIC token is
+ included, GSS_Init_sec_context() indicates GSS_S_CONTINUE_NEEDED.
+ Initiators that wish to be compatible with legacy Windows SPNEGO
+ implementations, as described in Appendix C, should not generate a
+ mechlistMIC token when the MIC token exchange is not required.
+ The acceptor then processes the last mechanism token and does one
+ of the following:
+
+ I) If a mechlistMIC token was included and is correctly
+ verified, GSS_Accept_sec_context() indicates GSS_S_COMPLETE.
+ The output negotiation message contains a mechlistMIC token
+ and an accept_complete state. The initiator MUST then verify
+ this mechlistMIC token.
+
+ II) If a mechlistMIC token was included but is incorrect, the
+ negotiation SHALL be terminated. GSS_Accept_sec_context()
+ indicates GSS_S_DEFECTIVE_TOKEN.
+
+ III) If no mechlistMIC token was included and the mechlistMIC
+ token exchange is not required, GSS_Accept_sec_context()
+ indicates GSS_S_COMPLETE. The output negotiation message
+ contains an accept_complete state.
+
+ IV) In the case that the optimistic mechanism token is also the
+ last mechanism token (when the initiator's preferred
+ mechanism is accepted by the target) and the target sends a
+ request-mic state but the initiator did not send a
+ mechlistMIC token, the target then MUST include a mechlistMIC
+ token in that first reply. GSS_Accept_sec_context()
+ indicates GSS_S_CONTINUE_NEEDED. The initiator MUST verify
+ the received mechlistMIC token and generate a mechlistMIC
+ token to send back to the target. The target SHALL, in turn,
+ verify the returned mechlistMIC token and complete the
+ negotiation.
+
+ V) If no mechlistMIC token was included and the acceptor sent a
+ request-mic state in the first reply message (the exchange of
+ MIC tokens is required), the negotiation SHALL be terminated.
+ GSS_Accept_sec_context() indicates GSS_S_DEFECTIVE_TOKEN.
+
+
+
+
+
+
+
+
+Zhu, et al. Standards Track [Page 12]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+6. Extensibility
+
+ Two mechanisms are provided for extensibility. First, the ASN.1
+ structures in this specification MAY be expanded by IETF standards
+ action. Implementations receiving unknown fields MUST ignore these
+ fields.
+
+ Secondly, OIDs corresponding to a desired mechanism attribute (i.e.,
+ mechanism variants) may be included in the set of preferred
+ mechanisms by an initiator. The acceptor can choose to honor this
+ request by preferring mechanisms that have the included attributes.
+ Future work within the Kitten working group is expected to
+ standardize common attributes that SPNEGO mechanisms may wish to
+ support. At this time, it is sufficient to say that initiators MAY
+ include OIDs that do not correspond to mechanisms. Such OIDs MAY
+ influence the acceptor's choice of mechanism. As discussed in
+ Section 5, if there are mechanisms that, if present in the
+ initiator's list of mechanisms, might be preferred by the acceptor
+ instead of the initiator's preferred mechanism, the acceptor MUST
+ demand the MIC token exchange. As the consequence, acceptors MUST
+ demand the MIC token exchange if they support negotiation of
+ attributes not available in the initiator's preferred mechanism,
+ regardless of whether the initiator actually requested these
+ attributes.
+
+7. Security Considerations
+
+ In order to produce the MIC token for the mechanism list, the
+ mechanism must provide integrity protection. When the selected
+ mechanism does not support integrity protection, the negotiation is
+ vulnerable: an active attacker can force it to use a security
+ mechanism that is not mutually preferred but is acceptable to the
+ target.
+
+ This protocol provides the following guarantees when per-message
+ integrity services are available on the established mechanism
+ context, and the mechanism list was altered by an adversary such that
+ a mechanism that is not mutually preferred could be selected:
+
+ a) If the last mechanism token is sent by the initiator, both peers
+ shall fail;
+
+ b) If the last mechanism token is sent by the acceptor, the acceptor
+ shall not complete and the initiator, at worst, shall complete
+ with its preferred mechanism being selected.
+
+ The negotiation may not be terminated if an alteration was made but
+ had no material impact.
+
+
+
+Zhu, et al. Standards Track [Page 13]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ The protection of the negotiation depends on the strength of the
+ integrity protection. In particular, the strength of SPNEGO is no
+ stronger than the integrity protection of the weakest mechanism
+ acceptable to GSS-API peers.
+
+ Note that where there exist multiple mechanisms with similar context
+ tokens, but different semantics, such that some or all of the
+ mechanisms' context tokens can be easily altered so that one
+ mechanism's context tokens may pass for another of the similar
+ mechanism's context tokens, then there may exist a downgrade or
+ similar attacks. For example, if a given family of mechanisms uses
+ the same context token syntax for two or more variants and depends on
+ the OID in the initial token's pseudo-ASN.1/DER wrapper, but does not
+ provide integrity protection for that OID, then there may exist an
+ attack against those mechanisms. SPNEGO does not generally defeat
+ such attacks.
+
+ In all cases, the communicating peers are exposed to the denial of
+ service threat.
+
+8. Acknowledgments
+
+ The authors wish to thank Sam Hartman, Nicolas Williams, Ken Raeburn,
+ Martin Rex, Jeff Altman, Tom Yu, Cristian Ilac, Simon Spero, and Bill
+ Sommerfeld for their comments and suggestions during the development
+ of this document.
+
+ Luke Howard provided a prototype of this protocol in Heimdal and
+ resolved several issues in the initial version of this document.
+
+ Eric Baize and Denis Pinkas wrote the original SPNEGO specification
+ [RFC2478] of which some of the text has been retained in this
+ document.
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [X690] ASN.1 encoding rules: Specification of Basic Encoding Rules
+ (BER), Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER), ITU-T Recommendation X.690 (1997) |
+ ISO/IEC International Standard 8825-1:1998.
+
+
+
+Zhu, et al. Standards Track [Page 14]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+9.2. Informative References
+
+ [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
+ Negotiation Mechanism", RFC 2478, December 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu, et al. Standards Track [Page 15]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+Appendix A. SPNEGO ASN.1 Module
+
+ SPNEGOASNOneSpec {
+ iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanism(5) snego (2) modules(4) spec2(2)
+ } DEFINITIONS EXPLICIT TAGS ::= BEGIN
+
+ MechType ::= OBJECT IDENTIFIER
+ -- OID represents each security mechanism as suggested by
+ -- [RFC2743]
+
+ MechTypeList ::= SEQUENCE OF MechType
+
+ NegotiationToken ::= CHOICE {
+ negTokenInit [0] NegTokenInit,
+ negTokenResp [1] NegTokenResp
+ }
+
+ NegTokenInit ::= SEQUENCE {
+ mechTypes [0] MechTypeList,
+ reqFlags [1] ContextFlags OPTIONAL,
+ -- inherited from RFC 2478 for backward compatibility,
+ -- RECOMMENDED to be left out
+ mechToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL,
+ ...
+ }
+ NegTokenResp ::= SEQUENCE {
+ negState [0] ENUMERATED {
+ accept-completed (0),
+ accept-incomplete (1),
+ reject (2),
+ request-mic (3)
+ } OPTIONAL,
+ -- REQUIRED in the first reply from the target
+ supportedMech [1] MechType OPTIONAL,
+ -- present only in the first reply from the target
+ responseToken [2] OCTET STRING OPTIONAL,
+ mechListMIC [3] OCTET STRING OPTIONAL,
+ ...
+ }
+
+ ContextFlags ::= BIT STRING {
+ delegFlag (0),
+ mutualFlag (1),
+ replayFlag (2),
+ sequenceFlag (3),
+ anonFlag (4),
+
+
+
+Zhu, et al. Standards Track [Page 16]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ confFlag (5),
+ integFlag (6)
+ } (SIZE (32))
+
+ END
+
+Appendix B. GSS-API Negotiation Support API
+
+ In order to provide to a GSS-API caller (the initiator or the target
+ or both) with the ability to choose among the set of supported
+ mechanisms, a reduced set of mechanisms for negotiation and two
+ additional APIs are defined:
+
+ o GSS_Get_neg_mechs() indicates the set of security mechanisms
+ available on the local system to the caller for negotiation, for
+ which appropriate credentials are available.
+
+ o GSS_Set_neg_mechs() specifies the set of security mechanisms to be
+ used on the local system by the caller for negotiation, for the
+ given credentials.
+
+B.1. GSS_Set_neg_mechs Call
+
+ Inputs:
+
+ o cred_handle CREDENTIAL HANDLE, -- NULL specifies default
+ -- credentials
+ o mech_set SET OF OBJECT IDENTIFIER
+
+ Outputs:
+
+ o major_status INTEGER,
+ o minor_status INTEGER
+
+ Return major_status codes:
+
+ o GSS_S_COMPLETE indicates that the set of security mechanisms
+ available for negotiation has been set to mech_set.
+ o GSS_S_FAILURE indicates that the requested operation could not be
+ performed for reasons unspecified at the GSS-API level.
+
+ This allows callers to specify the set of security mechanisms that
+ may be negotiated with the credential identified by cred_handle.
+ This call is intended to support specialized callers who need to
+ restrict the set of negotiable security mechanisms from the set of
+ all security mechanisms available to the caller (based on available
+
+
+
+
+
+Zhu, et al. Standards Track [Page 17]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ credentials). Note that if more than one mechanism is specified in
+ mech_set, the order in which those mechanisms are specified implies a
+ relative preference.
+
+B.2. GSS_Get_neg_mechs Call
+
+ Input:
+
+ o cred_handle CREDENTIAL HANDLE -- NULL specifies default --
+ credentials
+
+ Outputs:
+
+ o major_status INTEGER,
+ o minor_status INTEGER,
+ o mech_set SET OF OBJECT IDENTIFIER
+
+ Return major_status codes:
+
+ o GSS_S_COMPLETE indicates that the set of security mechanisms
+ available for negotiation has been returned in mech_set.
+
+ o GSS_S_FAILURE indicates that the requested operation could not be
+ performed for reasons unspecified at the GSS-API level.
+
+ This allows callers to determine the set of security mechanisms
+ available for negotiation with the credential identified by
+ cred_handle. This call is intended to support specialized callers
+ who need to reduce the set of negotiable security mechanisms from the
+ set of supported security mechanisms available to the caller (based
+ on available credentials).
+
+ Note: The GSS_Indicate_mechs() function indicates the full set of
+ mechanism types available on the local system. Since this call has
+ no input parameter, the returned set is not necessarily available for
+ all credentials.
+
+Appendix C. Changes since RFC 2478
+
+ SPNEGO implementations in Microsoft Windows 2000/Windows XP/Windows
+ Server 2003 have the following behavior: no mechlistMIC is produced
+ and mechlistMIC is not processed if one is provided; if the initiator
+ sends the last mechanism token, the acceptor will send back a
+ negotiation token with an accept_complete state and no mechlistMIC
+ token. In addition, an incorrect OID (1.2.840.48018.1.2.2) can be
+ used to identify the GSS-API Kerberos Version 5 mechanism.
+
+
+
+
+
+Zhu, et al. Standards Track [Page 18]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ The following changes have been made to be compatible with these
+ legacy implementations.
+
+ * NegTokenTarg is changed to negTokenResp and is the message format
+ for all subsequent negotiation tokens.
+
+ * NegTokenInit is the message for the initial negotiation message,
+ and only that message.
+
+ * mechTypes in negTokenInit is not optional.
+
+ * If the selected mechanism is also the most preferred mechanism for
+ both peers, it is safe to omit the MIC tokens.
+
+ If at least one of the two peers implements the updated pseudo
+ mechanism in this document, the negotiation is protected.
+
+ The following changes are to address problems in RFC 2478.
+
+ * reqFlags is not protected, therefore it should not impact the
+ negotiation.
+
+ * DER encoding is required.
+
+ * GSS_GetMIC() input is clarified.
+
+ * Per-message integrity services are requested for the negotiated
+ mechanism.
+
+ * Two MIC tokens are exchanged, one in each direction.
+
+ An implementation that conforms to this specification will not
+ inter-operate with a strict RFC 2748 implementation. Even if the new
+ implementation always sends a mechlistMIC token, it will still fail
+ to inter-operate. If it is a server, it will fail because it
+ requests a mechlistMIC token using an option that older
+ implementations do not support. Clients will tend to fail as well.
+
+ As an alternative to the approach chosen in this specification, we
+ could have documented a correct behavior that is fully backward
+ compatible with RFC 2478 and included an appendix on how to inter-
+ operate with existing incorrect implementations of RFC 2478.
+
+ As a practical matter, the SPNEGO implementers within the IETF have
+ valued interoperability with the Microsoft implementations. We were
+ unable to choose to maintain reasonable security guarantees, to
+ maintain interoperability with the Microsoft implementations, and to
+ maintain interoperability with correct implementations of RFC 2478.
+
+
+
+Zhu, et al. Standards Track [Page 19]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ The working group was not aware of any RFC 2478 implementations
+ deployed on the Internet. Even if there are such implementations, it
+ is unlikely that they will inter-operate because of a critical flaw
+ in the description of the encoding of the mechanism list in RFC 2478.
+
+ With the approach taken in this specification, security is ensured
+ between new implementations all the time while maintaining
+ interoperability with the implementations deployed within the IETF
+ community. The working group believes that this justifies breaking
+ compatibility with a correct implementation of RFC 2478.
+
+Appendix D. mechListMIC Computation Example
+
+ The following is an example to illustrate how the mechListMIC field
+ would be computed.
+
+ The initial part of the DER encoding of NegTokenInit is constructed
+ as follows (the "nn" are length encodings, possibly longer than one
+ octet):
+
+ 30 -- identifier octet for constructed SEQUENCE (NegTokenInit)
+ nn -- length
+
+ -- contents octets of the SEQUENCE begin with
+ -- DER encoding of "[0] MechTypeList":
+ A0 -- identifier octet for constructed [0]
+ nn -- length
+
+ -- contents of the constructed [0] are DER encoding
+ -- of MechTypeList (which is a SEQUENCE):
+ 30 -- identifier octet for constructed SEQUENCE
+ nn -- length
+
+ -- contents octets of the SEQUENCE begin with
+ -- DER encoding of OBJECT IDENTIFIER:
+ 06 -- identifier octet for primitive OBJECT IDENTIFIER
+ 09 -- length
+ 2A 86 48 86 F7 12 01 02 02 -- Kerberos V5
+ -- {1 2 840 113554 1 2 2}
+
+ If a mechlistMIC needs to be generated (according to the rules in
+ Section 5), it is computed by using the DER encoding of the type
+ MechTypeList data from the initiator's NegTokenInit token as input to
+ the GSS_GetMIC() function. In this case, the MIC would be computed
+ over the following octets:
+
+ DER encoding of MechTypeList:
+ 30 nn 06 09 2A 86 48 86 F7 12 01 02 02 ...
+
+
+
+Zhu, et al. Standards Track [Page 20]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+ Note that the identifier octet and length octet(s) for constructed
+ [0] (A0 nn) are not included in the MIC computation.
+
+Authors' Addresses
+
+ Larry Zhu
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ EMail: lzhu@microsoft.com
+
+
+ Paul Leach
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ EMail: paulle@microsoft.com
+
+
+ Karthik Jaganathan
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ US
+
+ EMail: karthikj@microsoft.com
+
+
+ Wyllys Ingersoll
+ Sun Microsystems
+ 1775 Wiehle Avenue, 2nd Floor
+ Reston, VA 20190
+ US
+
+ EMail: wyllys.ingersoll@sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+Zhu, et al. Standards Track [Page 21]
+
+RFC 4178 The GSS-API Negotiation Mechanism October 2005
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2005).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Zhu, et al. Standards Track [Page 22]
+