1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
|
Network Working Group E. Baize
Request for Comments: 2478 D. Pinkas
Category: Standards Track Bull
December 1998
The Simple and Protected GSS-API Negotiation Mechanism
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
1. ABSTRACT
This document specifies a Security Negotiation Mechanism for the
Generic Security Service Application Program Interface (GSS-API)
which is described in [1].
The GSS-API provides a generic interface which can be layered atop
different security mechanisms such that if communicating peers
acquire GSS-API credentials for the same security mechanism, then a
security context may be established between them (subject to policy).
However, GSS-API doesn't prescribe the method by which GSS-API peers
can establish whether they have a common security mechanism.
The Simple and Protected GSS-API Negotiation Mechanism defined here
is a pseudo-security mechanism, represented by the object identifier
iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) which
enables GSS-API peers to determine in-band whether their credentials
share common GSS-API security mechanism(s), and if so, to invoke
normal security context establishment for a selected common security
mechanism. This is most useful for applications that are based on
GSS-API implementations which support multiple security mechanisms.
This allows to negotiate different security mechanisms, different
options within a given security mechanism or different options from
several security mechanisms.
Baize & Pinkas Standards Track [Page 1]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
Once the common security mechanism is identified, the security
mechanism may also negotiate mechanism-specific options during its
context establishment. This will be inside the mechanism tokens, and
invisible to the SPNEGO protocol.
The simple and protected GSS-API mechanism negotiation is based on
the following negotiation model : the initiator proposes one security
mechanism or an ordered list of security mechanisms, the target
either accepts the proposed security mechanism, or chooses one from
an offered set, or rejects the proposed value(s). The target then
informs the initiator of its choice.
In its basic form this protocol requires an extra-round trip. Network
connection setup is a critical performance characteristic of any
network infrastructure and extra round trips over WAN links, packet
radio networks, etc. really make a difference. In order to avoid such
an extra round trip the initial security token of the preferred
mechanism for the initiator may be embedded in the initial token. If
the target preferred mechanism matches the initiator's preferred
mechanism, no additional round trips are incurred by using the
negotiation protocol.
The simple and protected GSS-API mechanism negotiation provides a
technique to protect the negotiation that must be used when the
underlying mechanism selected by the target is capable of integrity
protection.
When all the mechanisms proposed by the initiator support integrity
protection or when the selected mechanism supports integrity
protection, then the negotiation mechanism becomes protected since
this guarantees that the appropriate mechanism supported by both
peers has been selected.
The Simple and Protected GSS-API Negotiation Mechanism uses the
concepts developed in the GSS-API specification [1]. The negotiation
data is encapsulated in context-level tokens. Therefore, callers of
the GSS-API do not need to be aware of the existence of the
negotiation tokens but only of the new pseudo-security mechanism. A
failure in the negotiation phase causes a major status code to be
returned: GSS_S_BAD_MECH.
Baize & Pinkas Standards Track [Page 2]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
2. NEGOTIATION MODEL
2.1. Negotiation description
The model for security mechanism negotiation reuses a subset of the
concepts specified in [2].
Each OID represents one GSS-API mechanism or one variant of it.
- When one security mechanism is proposed by the initiator, it
represents the only security mechanism supported or selected
(when the additional APIs defined in the Annex A are used) by the
initiator.
- When several security mechanisms are proposed by the initiator,
they represent a set of security mechanisms supported or selected
(when the additional APIs defined in the Annex A are used) by the
initiator.
The first negotiation token sent by the initiator contains an ordered
list of mechanisms, a set of options (e.g. deleg, replay, conf flags)
that should be supported by the selected mechanism and optionally the
initial security token for the desired mechanism of the initiator
(i.e. the first of the list).
The first negotiation token sent by the target contains the result of
the negotiation (accept_completed, accept_incomplete or reject) and,
in case of accept, the agreed security mechanism. It may also include
the response to the initial security token from the initiator, when
the first proposed mechanism of the initiator has been selected. When
the first mechanism is acceptable to the target,it should respond to
the initial security token for the desired mechanism of the initiator
when it is present. However, if this is not possible, the target can
simply ignore it and omit the responseToken from the first reply.
Implementations that can piggyback the initial token will be rewarded
by faster connection setup.
In case of a successful negotiation, the security mechanism
represents the value suitable for the target, and picked up from the
list offered by the initiator. The policy by which the target
chooses a mechanism is an implementation-specific local matter. In
the absence of other policy, the target should chose the first
mechanism in the list for which valid credentials are available.
Once a mechanism has been selected, the tokens specific to the
selected mechanism are carried within the negotiation tokens (in the
mechToken for the initiator and in the responseToken for the target).
Baize & Pinkas Standards Track [Page 3]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
2.2. Negotiation procedure
The negotiation procedure is summarised as follows:
(a) the GSS-API initiator invokes GSS_Init_sec_context as normal, but
requests (either explicitly, with the negotiation mechanism, or
through accepting a default, when the default is the negotiation
mechanism) that the Simple and Protected GSS-API Negotiation
Mechanism be used;
(b) the initiator GSS-API implementation emits a negotiation token
containing a list of supported security mechanisms for the
credentials used for this context establishment, and optionally
an initial security token for the first mechanism from that list
(i.e. the preferred mechanism), and indicates
GSS_S_CONTINUE_NEEDED status;
(c) The GSS-API initiator sends the token to the target application;
(d) The GSS-API target deposits the token through invoking
GSS_Accept_sec_context. The target GSS-API implementation emits a
negotiation token containing which if any of the proposed
mechanisms it supports (or has selected).
If the mechanism selected by the target matches the preferred
mechanism identified by the initiator and the initiator provides a
mechToken, the negotiation token response may contain also an initial
security token from that mechanism.
If the preferred mechanism is accepted, GSS_Accept_sec_context()
indicates GSS_S_COMPLETE when unilateral or mutual authentication has
been performed and involves a single token in either direction.
If a proposed mechanism is accepted, and it was not the preferred
mechanism, or if the first negotiation token sent by the initiator
did not included a mechToken, then the negotiation token response
sent by the target may contain also a response token from that
mechanism which transmits mechanism-specific information (e.g. to
transmit a certificate). The initiator may ignore such an initial
token if it is not prepared to process it.
If a proposed mechanism other than the preferred mechanism is
accepted, or the preferred mechanism is accepted but involves
multiple exchanges (e.g. challenge-response authentication), then
GSS_Accept_sec_context() indicates GSS_S_CONTINUE_NEEDED status.
Baize & Pinkas Standards Track [Page 4]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
If the proposed mechanism(s) are rejected, GSS_Accept_sec_context()
indicates GSS_S_BAD_MECH status. The security context initialisation
has failed.
(e) The GSS-API target returns the token to the initiator
application;
(f) The GSS-API initiator deposits the token through invoking
GSS_Init_sec_context.
GSS_Init_sec_context() may then indicate GSS_S_CONTINUE_NEEDED,
GSS_S_COMPLETE or GSS_S_BAD_MECH status.
The GSS_S_BAD_MECH status is returned when the negotiation token
carries a reject result or when the negotiation token carries an
accept result and the mechanism selected by the target is not
included in the initial list sent by the initiator.
The GSS_S_BAD_MIC status is returned when the selected mechanism
supports a MIC token but the MIC computed over the list of
mechanisms sent by the initiator is missing or incorrect.
If the negotiation token carries a reject result, the context
establishment is impossible. For example, a rejection will occur
if the target doesn't support the initiator's proposed mechanism
type(s). Upon failure of the mechanism negotiation procedure, the
mech_type output parameter value is the negotiation mechanism
type.
The GSS_S_CONTINUE_NEEDED status is returned when the negotiation
token carries an accept result and further tokens must be
transferred in order to complete context establishment for the
selected mechanism. In that case GSS_Init_sec_context() returns an
initial context token as output_token (with the selected
mechanism's context token encapsulated within that output_token).
The initiator then sends the output_token to the target. The
security context initialisation is then continued according to the
standard GSS-API conventions for the selected mechanism, where the
tokens of the selected mechanism are encapsulated until the
GSS_S_COMPLETE is returned for both the initiator and the target.
When GSS_S_CONTINUE_NEEDED is returned, the mech_type output
parameter is not yet valid.
When GSS_S_COMPLETE is returned, the mech_type output parameter
indicates the selected mechanism. When the final negotiation token
does not contain a MIC, the initiator GSS-API implementation must
check the returned/selected mechanism is on the originally
Baize & Pinkas Standards Track [Page 5]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
submitted list of mechanisms and also verify that the selected
mechanism is not able to support a MIC. When the final negotiation
token contains a MIC over the initial mechanisms list sent by the
initiator, the MIC must be verified.
Note that the *_req_flag input parameters for context establishment
are relative to the selected mechanism, as are the *_state output
parameters. i.e., these parameters are not applicable to the
negotiation process per se.
The initiator GSS-API calling application may need to know when the
negotiation exchanges were protected or not. For this, when
GSS_S_COMPLETE is returned, it can simply test the integ_avail flag.
When this flag is set it indicates that the negotiation was
protected.
On receipt of a negotiation token on the target side, a GSS-API
implementation that does not support negotiation would indicate the
GSS_S_BAD_MECH status as if a particular basic security mechanism had
been requested but was not supported.
When GSS_Acquire_cred is invoked with the negotiation mechanism as
desired_mechs, an implementation-specific default credential is used
to carry on the negotiation. A set of mechanisms as specified locally
by the system administrator is then available for negotiation. If
there is a desire for the caller to make its own choice, then an
additional API has to be used (see Appendix A).
3. DATA ELEMENTS
3.1. Mechanism Type
MechType::= OBJECT IDENTIFIER
mechType
Each security mechanism is as defined in [1].
3.2. Negotiation Tokens
The syntax of the negotiation tokens follows the InitialContextToken
syntax defined in [1]. The security mechanism of the initial
negotiation token is identified by the Object Identifier
iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
Baize & Pinkas Standards Track [Page 6]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
3.2.1. Syntax
This section specifies the syntax of the corresponding
"innerContextToken" field for the first token and subsequent
negotiation tokens. During the mechanism negociation, the
"innerContextToken" field contains the ASN.1 structure
"NegociationToken" given below, encoded using the DER encoding
conventions.
NegotiationToken ::= CHOICE {
negTokenInit [0] NegTokenInit,
negTokenTarg [1] NegTokenTarg }
MechTypeList ::= SEQUENCE OF MechType
NegTokenInit ::= SEQUENCE {
mechTypes [0] MechTypeList OPTIONAL,
reqFlags [1] ContextFlags OPTIONAL,
mechToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
ContextFlags ::= BIT STRING {
delegFlag (0),
mutualFlag (1),
replayFlag (2),
sequenceFlag (3),
anonFlag (4),
confFlag (5),
integFlag (6)
}
negTokenInit
Negotiation token sent by the initiator to the target, which
contains, for the first token sent, one or more security mechanisms
supported by the initiator (as indicated in the field mechTypes)
and the service options (reqFlags) that are requested to establish
the context. The context flags should be filled in from the
req_flags parameter of init_sec_context().
The mechToken field is optional for the first token sent that all
target implementations would not have to support. However for those
targets that do support piggybacking the initial mechToken, an
optimistic negotiation response is possible. Otherwise the
mechToken is used to carry the tokens specific to the mechanism
selected.
Baize & Pinkas Standards Track [Page 7]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
The mechListMIC is an optional field. In the case that the chosen
mechanism supports integrity, the initiator may optionally include
a mechListMIC which is the result of a GetMIC of the MechTypes in
the initial NegTokenInit and return GSS_S_COMPLETE.
When the chosen mechanism uses an odd number of messages, the final
mechanism token will be sent from the initiator to the acceptor. In
this case, there is a tradeoff between using the optimal number of
messages, or using an additional message from the acceptor to the
initiator in order to give the initiator assurance that no
modification of the initiator's mechanism list occurred. The
implementation can choose which tradeoff to make (see section 4.2.2
for further details for the processing of that field).
NegTokenTarg ::= SEQUENCE {
negResult [0] ENUMERATED {
accept_completed (0),
accept_incomplete (1),
reject (2) } OPTIONAL,
supportedMech [1] MechType OPTIONAL,
responseToken [2] OCTET STRING OPTIONAL,
mechListMIC [3] OCTET STRING OPTIONAL
}
negTokenTarg
Negotiation token returned by the target to the initiator which
contains, for the first token returned, a global negotiation result
and the security mechanism selected (if any).
negResult
The result accept_completed indicates that a context has been
successfully established, while the result accept_incomplete
indicates that additional token exchanges are needed.
Note: For the case where (a) a single-token context setup is
used and (b) the preferred mechanism does not support the
integrity facility which would cause a mechListMIC to be
generated and enclosed, this feature allows to make a
difference between a mechToken sent by the initiator but not
processed by the target (accept_incomplete) and a mechToken
sent by the initiator and processed by the target
(accept_completed).
For those targets that support piggybacking the initial mechToken,
an optimistic negotiation response is possible and includes in that
case a responseToken which may continue the authentication exchange
(e.g. when mutual authentication has been requested or when
unilateral authentication requires several round trips). Otherwise
Baize & Pinkas Standards Track [Page 8]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
the responseToken is used to carry the tokens specific to the
mechanism selected. For subsequent tokens (if any) returned by the
target, negResult, and supportedMech are not present.
For the last token returned by the target, the mechListMIC, when
present, is a MIC computed over the MechTypes using the selected
mechanism.
negResult
Result of the negotiation exchange, specified by the target.
This can be either :
accept_completed
The target accepts the preferred security mechanism,
and the context is established for the target or,
accept_incomplete
The target accepts one of the proposed security
mechanisms and further exchanges are necessary, or,
reject
The target rejects all the proposed security
mechanisms.
supportedMech
This field has to be present when negResult is "accept_completed"
or "accept_incomplete". It is a choice from the mechanisms offered
by the initiator.
responseToken
This field may be used either to transmit the response to the
mechToken when sent by the initiator and when the first mechanism
from the list has been selected by the target or to carry the
tokens specific to the selected security mechanism.
mechListMIC
If the selected mechanism is capable of integrity protection, this
field must be present in the last message of the negotiation,
(i.e., when the underlying mechanism returns a non-empty token and
a major status of GSS_S_COMPLETE); it contains the result of a
GetMIC of the MechTypes field in the initial NegTokenInit. It
allows to verify that the list initially sent by the initiator has
been received unmodified by the target.
Baize & Pinkas Standards Track [Page 9]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
3.2.2. Processing of mechListMIC.
If the mechanism selected by the negotiation does not support
integrity, then no mechListMIC is included, otherwise a mechListMIC
must be used and validated as indicated below.
If the mechanism supports integrity and uses an even number of
messages, then the target must compute a MIC as described above, and
send this in the final NegTokenTarg along with the final mechToken.
The initiator when receiving the last token must require that the
mechListMIC field be present and valid. In the absence of a valid
mechListMIC, the negotiation must fail as if the last context
establishment token was invalid.
In the case that the chosen mechanism supports integrity and uses an
odd number of messages, the final mechanism token will be sent from
the initiator to the target. In this case, there is a tradeoff
between using the optimal number of messages, or using an additional
message from the target to the initiator in order to give the
initiator assurance that no modification of the initiator's mechanism
list occurred. The implementation can choose which tradeoff to make.
When generating the final NegTokenInit message, the NegTokenInit may
optionally include a mechListMIC which is the result of a GetMIC of
the MechTypes in the initial NegTokenInit and return GSS_S_COMPLETE.
The target must check the presence of the MIC computed over the
mechList sent in the initial NegTokenInit. Three cases may then be
considered:
1) If the mechListMIC is present and correct, then
GSS_S_COMPLETE is returned to the target with no token; the
context is established by the target.
2) If the mechListMIC is present but invalid, then the context
establishment must fail. An error major status code is
returned to the target.
3) If the mechListMIC is not included in the final NegTokenInit,
then GSS_S_COMPLETE must be returned to the target with a
token. This token must be a NegTokenTarg, with a MIC included
as described above, and no responseToken. The application will
then send this token back to the initiator, which must verify
that the mechListMIC field is present and valid.
Baize & Pinkas Standards Track [Page 10]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
Note: If the MIC was originally sent by the initiator, but
thenafter deleted by an attacker, the target will send
back a token according to the description above, but the
initiator will be unable to process that returned token
and the context establishment must then fail.
4. EXAMPLES : SECURITY MECHANISM NEGOTIATION
Here are some examples of security mechanism negotiation between an
initiator (I) and a target (T).
4.1. Initial steps
(I) supports two security mechanism types (GSS-MECH1 and GSS-MECH2).
(I) invokes GSS_Init_sec_context() with :
Input
mech_type = OID for negotiation mechanism or NULL, if the
negotiation mechanism is the default mechanism.
Output
major_status = GSS_S_CONTINUE_NEEDED
output_token = negTokenInit
The negotiation token (negTokenInit) contains two security mechanisms
with :
mechType = GSS-MECH1 or
mechType = GSS-MECH2
(I) sends to (T) the negotiation token.
4.2 Successful negotiation steps
(T) supports GSS-MECH2
(T) receives the negotiation token (negTokenInit) from (I)
(T) invokes GSS_Accept_sec_context() with :
Input
input_token = negTokenInit
Output
major_status = GSS_S_CONTINUE_NEEDED
output_token = negTokenTarg
The negotiation token (negTokenTarg) contains :
negResult = accept (the negotiation result)
supportedMech : mechType = GSS-MECH2
Baize & Pinkas Standards Track [Page 11]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
(T) returns the negotiation token (negTokenTarg) to (I)
(I) invokes GSS_Init_sec_context() with :
Input
input_token = negTokenTarg
Output
major_status = GSS_S_COMPLETE
output_token = initialContextToken (initial context token
for GSS-MECH2)
mech_type = GSS-MECH2
The subsequent steps are security mechanism specific, and work as
specified in [1]. The output tokens from the security mechanism are
encapsulated in a NegTokenTarg message (with the supportedMech field
omitted, and the mechListMIC included with the last token).
4.3. Failed negotiation steps
(T) supports GSS-MECH3.
(T) receives the negotiation token (negTokenInit) from (I)
(T) invokes GSS_Accept_sec_context() with :
Input
input_token = negTokenInit
Output
major_status = GSS_S_BAD_MECH
output_token = negTokenTarg
The negotiation token (negTokenTarg) contains :
negResult = reject (the negotiation result)
(T) returns the negotiation token (negTokenTarg) to (I)
(I) invokes GSS_Init_sec_context() with :
Input
input_token = negTokenTarg
Output
major_status = GSS_S_BAD_MECH
The security context establishment has failed.
Baize & Pinkas Standards Track [Page 12]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
4.4 Successful Negotiation with preferred mechanism info
(I) supports two security mechanism types (GSS-MECH1 and GSS-MECH2).
(I) invokes GSS_Init_sec_context() with :
Input
mech_type = OID for negotiation mechanism or NULL, if the
negotiation mechanism is the default mechanism.
Output
major_status = GSS_S_CONTINUE_NEEDED
output_token = negTokenInit
The negotiation token (negTokenInit) contains two security mechanisms
with :
mechType = GSS-MECH1 or
mechType = GSS-MECH2
mechToken = output_token from GSS_Init_sec_context
( first mechType) as described in [1]
(I) sends to (T) the negotiation token.
(T) supports GSS-MECH1.
(T) receives the negotiation token (negTokenInit) from (I)
(T) invokes GSS_Accept_sec_context() with :
Input
input_token = negTokenInit
Output
major_status = GSS_S_CONTINUE_NEEDED
output_token = negTokenTarg
The negotiation token (negTokenTarg) contains :
negResult = accept (the negotiation result)
supportedMech : mechType = GSS-MECH1
mechToken = output_token from
GSS_Accept_sec_context(mechToken )
(T) returns the negotiation token (negTokenTarg) to (I)
(I) invokes GSS_Init_sec_context() with :
Input
input_token = negTokenTarg
Baize & Pinkas Standards Track [Page 13]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
Output
major_status = GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED as needed
output_token = ContextToken (initial or subsequent context token
for GSS-MECH1)
mech_type = GSS-MECH1
Specific implementations of the protocol can support the optimistic
negotiation by completing the security context establishment using the
agreed upon mechanism as described in [1]. As described above in
section 5.2, the output tokens from the security mechanisms are
encapsulated in a NegTokenTarg message (with the negResult and
supportedMech fields omitted, and the mechListMIC included with the
last token).
5. SECURITY CONSIDERATIONS
When the mechanism selected by the target from the list supplied by
the initiator supports integrity protection, then the negotiation is
protected.
When one of the mechanisms proposed by the initiator does not support
integrity protection, then the negotiation is exposed to all threats
a non secured service is exposed. In particular, an active attacker
can force to use a security mechanism which is not the common
preferred one (when multiple security mechanisms are shared between
peers) but which is acceptable anyway to the target.
In any case, the communicating peers may be exposed to the denial of
service threat.
6. ACKNOWLEDGMENTS
Acknowledgments are due to Stephen Farrell of SSE, Marc Horowitz of
Stonecast, John Linn of RSA Laboratories, Piers McMahon of Platinum
Technology, Tom Parker of ICL and Doug Rosenthal of EINet, for
reviewing earlier versions of this document and for providing useful
inputs. Acknowledgments are also due to Peter Brundrett of Microsoft
for his proposal for an optimistic negotiation, and for Bill
Sommerfeld of Epilogue Technology for his proposal for protecting the
negotiation.
Baize & Pinkas Standards Track [Page 14]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
APPENDIX A
GSS-API NEGOTIATION SUPPORT API
In order to provide to a GSS-API caller (either the initiator or the
target or both) the ability to choose among the set of supported
mechanisms a reduced set of mechanisms for negotiation, two
additional APIs are defined:
GSS_Get_neg_mechs() indicates the set of security mechanisms
available on the local system to the caller for negotiation.
GSS_Set_neg_mechs() specifies the set of security mechanisms to be
used on the local system by the caller for negotiation.
A.1. GSS_Set_neg_mechs call
Input:
cred_handle CREDENTIAL HANDLE
- NULL specifies default credentials
mech_set SET OF OBJECT IDENTIFIER
Outputs:
major_status INTEGER,
minor_status INTEGER,
Return major_status codes :
GSS_S_COMPLETE indicates that the set of security mechanisms
available for negotiation has been set to mech_set. GSS_S_FAILURE
indicates that the requested operation could not be performed for
reasons unspecified at the GSS-API level.
Allows callers to specify the set of security mechanisms that may be
negotiated with the credential identified by cred_handle. This call
is intended for support of specialised callers who need to restrict
the set of negotiable security mechanisms from the set of all
security mechanisms available to the caller (based on available
credentials). Note that if more than one mechanism is specified in
mech_set, the order in which those mechanisms are specified implies a
relative mechanism preference for the target.
Baize & Pinkas Standards Track [Page 15]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
A.2. GSS_Get_neg_mechs call
Input:
cred_handle CREDENTIAL HANDLE
- NULL specifies default credentials
Outputs:
major_status INTEGER,
minor_status INTEGER,
mech_set SET OF OBJECT IDENTIFIER
Return major_status codes :
GSS_S_COMPLETE indicates that the set of security mechanisms
available for negotiation has been returned in
mech_option_set.
GSS_S_FAILURE indicates that the requested operation could not
be performed for reasons unspecified at the GSS-API level.
Allows callers to determine the set of security mechanisms available
for negotiation with the credential identified by cred_handle. This
call is intended for support of specialised callers who need to
reduce the set of negotiable security mechanisms from the set of
supported security mechanisms available to the caller (based on
available credentials).
Note: The GSS_Indicate_mechs() function indicates the full set of
mechanism types available on the local system. Since this call has no
input parameter, the returned set is not necessarily available for
all credentials.
REFERENCES
[1] Linn, J., "Generic Security Service Application Program
Interface", RFC 2078, January 1997.
[2] Standard ECMA-206, "Association Context Management including
Security Context Management", December 1993. Available on
http://www.ecma.ch
Baize & Pinkas Standards Track [Page 16]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
AUTHORS' ADDRESSES
Eric Baize
Bull - 300 Concord Road
Billerica, MA 01821 - USA
Phone: +1 978 294 61 37
Fax: +1 978 294 61 09
EMail: Eric.Baize@bull.com
Denis Pinkas
Bull
Rue Jean-Jaures
BP 68
78340 Les Clayes-sous-Bois - FRANCE
Phone: +33 1 30 80 34 87
Fax: +33 1 30 80 33 21
EMail: Denis.Pinkas@bull.net
Baize & Pinkas Standards Track [Page 17]
^L
RFC 2478 GSS-API Negotiation Mechanism December 1998
Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Baize & Pinkas Standards Track [Page 18]
^L
|