Network Working Group L. Zhu
Request for Comments: 4121 K. Jaganathan
Updates: 1964 Microsoft
Category: Standards Track S. Hartman
MIT
July 2005
The Kerberos Version 5
Generic Security Service Application Program Interface (GSS-API)
Mechanism: Version 2
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document defines protocols, procedures, and conventions to be
employed by peers implementing the Generic Security Service
Application Program Interface (GSS-API) when using the Kerberos
Version 5 mechanism.
RFC 1964 is updated and incremental changes are proposed in response
to recent developments such as the introduction of the Kerberos
cryptosystem framework. These changes support the inclusion of new
cryptosystems by defining new per-message tokens along with their
encryption and checksum algorithms based on the cryptosystem
profiles.
Zhu, et al. Standards Track [Page 1]
RFC 4121 Kerberos Version 5 GSS-API July 2005
Table of Contents
1. Introduction ....................................................2
2. Key Derivation for Per-Message Tokens ...........................4
3. Quality of Protection ...........................................4
4. Definitions and Token Formats ...................................5
4.1. Context Establishment Tokens ...............................5
4.1.1. Authenticator Checksum ..............................6
4.2. Per-Message Tokens .........................................9
4.2.1. Sequence Number .....................................9
4.2.2. Flags Field .........................................9
4.2.3. EC Field ...........................................10
4.2.4. Encryption and Checksum Operations .................10
4.2.5. RRC Field ..........................................11
4.2.6. Message Layouts ....................................12
4.3. Context Deletion Tokens ...................................13
4.4. Token Identifier Assignment Considerations ................13
5. Parameter Definitions ..........................................14
5.1. Minor Status Codes ........................................14
5.1.1. Non-Kerberos-specific Codes ........................14
5.1.2. Kerberos-specific Codes ............................15
5.2. Buffer Sizes ..............................................15
6. Backwards Compatibility Considerations .........................15
7. Security Considerations ........................................16
8. Acknowledgements ...............................................17
9. References .....................................................18
9.1. Normative References ......................................18
9.2. Informative References ....................................18
1. Introduction
[RFC3961] defines a generic framework for describing encryption and
checksum types to be used with the Kerberos protocol and associated
protocols.
[RFC1964] describes the GSS-API mechanism for Kerberos Version 5. It
defines the format of context establishment, per-message and context
deletion tokens, and uses algorithm identifiers for each cryptosystem
in per-message and context deletion tokens.
The approach taken in this document obviates the need for algorithm
identifiers. This is accomplished by using the same encryption
algorithm, specified by the crypto profile [RFC3961] for the session
key or subkey that is created during context negotiation, and its
required checksum algorithm. Message layouts of the per-message
tokens are therefore revised to remove algorithm indicators and to
add extra information to support the generic crypto framework
[RFC3961].
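The following added example (not text or code from RFC 4121 or RFC 1964) illustrates the point made in the Abstract and in this section: an RFC 1964 Wrap token names its signing and sealing algorithms in-band, whereas an RFC 4121 Wrap token carries no algorithm field, so the receiver has to take the algorithm from the enctype of the context subkey and its RFC 3961 profile. The header layouts assumed here come from RFC 1964 section 1.2.2 and section 4.2.6 of this RFC, neither of which is on this page; the two sample tokens and the enctype value are constructed.

```python
import struct
from dataclasses import dataclass

# Fixed token identifiers (RFC 1964 Wrap: 02 01; RFC 4121 Wrap: 05 04), assumed
# from later sections of the two RFCs, not from the text on this page.
V1_WRAP_TOK_ID = b"\x02\x01"
V2_WRAP_TOK_ID = b"\x05\x04"

# RFC 1964 in-band algorithm identifiers (raw octet pairs as sent on the wire)
V1_SGN_ALG = {b"\x00\x00": "DES MAC MD5", b"\x01\x00": "MD2.5", b"\x02\x00": "DES MAC"}
V1_SEAL_ALG = {b"\xff\xff": "none", b"\x00\x00": "DES"}

# RFC 4121 Flags octet bits
FLAG_SENT_BY_ACCEPTOR = 0x01
FLAG_SEALED = 0x02
FLAG_ACCEPTOR_SUBKEY = 0x04


@dataclass
class V1WrapHeader:
    sgn_alg: str
    seal_alg: str
    snd_seq_enc: bytes  # v1 sends the sequence number DES-encrypted


@dataclass
class V2WrapHeader:
    sent_by_acceptor: bool
    sealed: bool
    acceptor_subkey: bool
    ec: int
    rrc: int
    snd_seq: int


def parse_v1_wrap_header(tok: bytes) -> V1WrapHeader:
    """TOK_ID(2) SGN_ALG(2) SEAL_ALG(2) Filler(2) SND_SEQ(8): algorithms named in-band."""
    if len(tok) < 16 or tok[:2] != V1_WRAP_TOK_ID:
        raise ValueError("not an RFC 1964 Wrap token")
    sgn, seal, filler = tok[2:4], tok[4:6], tok[6:8]
    if filler != b"\xff\xff" or sgn not in V1_SGN_ALG or seal not in V1_SEAL_ALG:
        raise ValueError("malformed v1 header or unknown algorithm identifier")
    return V1WrapHeader(V1_SGN_ALG[sgn], V1_SEAL_ALG[seal], tok[8:16])


def parse_v2_wrap_header(tok: bytes) -> V2WrapHeader:
    """TOK_ID(2) Flags(1) Filler(1) EC(2) RRC(2) SND_SEQ(8): no algorithm field at all."""
    if len(tok) < 16 or tok[:2] != V2_WRAP_TOK_ID:
        raise ValueError("not an RFC 4121 Wrap token")
    flags, filler, ec, rrc, snd_seq = struct.unpack(">BBHHQ", tok[2:16])
    if filler != 0xFF:
        raise ValueError("malformed v2 header: filler octet must be 0xFF")
    return V2WrapHeader(
        sent_by_acceptor=bool(flags & FLAG_SENT_BY_ACCEPTOR),
        sealed=bool(flags & FLAG_SEALED),
        acceptor_subkey=bool(flags & FLAG_ACCEPTOR_SUBKEY),
        ec=ec, rrc=rrc, snd_seq=snd_seq,
    )


def crypto_for_wrap_token(tok: bytes, context_subkey_enctype: int) -> dict:
    """Report where the protecting algorithms come from.

    v1: the token's own SGN_ALG/SEAL_ALG octets decide, so the receiver
        acts on whatever the token claims.
    v2: the token is silent; the enctype of the context subkey, through its
        RFC 3961 profile, fixes both the encryption and the required checksum.
    """
    if tok[:2] == V1_WRAP_TOK_ID:
        h = parse_v1_wrap_header(tok)
        return {"version": 1, "source": "token", "sign": h.sgn_alg, "seal": h.seal_alg}
    if tok[:2] == V2_WRAP_TOK_ID:
        h = parse_v2_wrap_header(tok)
        return {"version": 2, "source": "context subkey enctype",
                "enctype": context_subkey_enctype, "sealed": h.sealed}
    raise ValueError("unknown token identifier")


# Constructed sample token headers (not captured from a real exchange).
SAMPLE_V1 = V1_WRAP_TOK_ID + b"\x00\x00" + b"\xff\xff" + b"\xff\xff" + bytes(8)
SAMPLE_V2 = (V2_WRAP_TOK_ID + bytes([FLAG_SEALED | FLAG_ACCEPTOR_SUBKEY, 0xFF])
             + struct.pack(">HHQ", ec := 0, 0, 1))

if __name__ == "__main__":
    # Enctype 18 (aes256-cts-hmac-sha1-96, RFC 3962) is an assumed example value.
    print(crypto_for_wrap_token(SAMPLE_V1, 18))
    print(crypto_for_wrap_token(SAMPLE_V2, 18))
```

The contrast is the security point of the revised layouts: once the algorithm is bound to the negotiated subkey rather than announced by each token, a per-message token cannot by itself name a weaker algorithm than the one the context was established with.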