The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
RFC 4121

Document Type: RFC - Proposed Standard (July 2005; no errata)
Updates: RFC 1964
Last updated: 2013-03-02
Stream: IETF
Consensus: Unknown
Document shepherd: none assigned
IESG state: RFC 4121 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: <jhutz+@cmu.edu>


Network Working Group                                             L. Zhu
Request for Comments: 4121                                 K. Jaganathan
Updates: 1964                                                  Microsoft
Category: Standards Track                                     S. Hartman
                                                                     MIT
                                                               July 2005

                        The Kerberos Version 5
   Generic Security Service Application Program Interface (GSS-API)
                         Mechanism: Version 2

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines protocols, procedures, and conventions to be
   employed by peers implementing the Generic Security Service
   Application Program Interface (GSS-API) when using the Kerberos
   Version 5 mechanism.

   RFC 1964 is updated and incremental changes are proposed in response
   to recent developments such as the introduction of the Kerberos
   cryptosystem framework.  These changes support the inclusion of new
   cryptosystems by defining new per-message tokens, along with their
   encryption and checksum algorithms, based on the cryptosystem
   profiles.

Zhu, et al.                 Standards Track                     [Page 1]
RFC 4121               Kerberos Version 5 GSS-API              July 2005

Table of Contents

   1. Introduction ....................................................2
   2. Key Derivation for Per-Message Tokens ...........................4
   3. Quality of Protection ...........................................4
   4. Definitions and Token Formats ...................................5
      4.1. Context Establishment Tokens ...............................5
           4.1.1. Authenticator Checksum ..............................6
      4.2. Per-Message Tokens .........................................9
           4.2.1. Sequence Number .....................................9
           4.2.2. Flags Field .........................................9
           4.2.3. EC Field ...........................................10
           4.2.4. Encryption and Checksum Operations .................10
           4.2.5. RRC Field ..........................................11
           4.2.6. Message Layouts ....................................12
      4.3. Context Deletion Tokens ...................................13
      4.4. Token Identifier Assignment Considerations ................13
   5. Parameter Definitions ..........................................14
      5.1. Minor Status Codes ........................................14
           5.1.1. Non-Kerberos-specific Codes ........................14
           5.1.2. Kerberos-specific Codes ............................15
      5.2. Buffer Sizes ..............................................15
   6. Backwards Compatibility Considerations .........................15
   7. Security Considerations ........................................16
   8. Acknowledgements................................................17
   9. References .....................................................18
      9.1. Normative References ......................................18
      9.2. Informative References ....................................18

1.  Introduction

   [RFC3961] defines a generic framework for describing encryption and
   checksum types to be used with the Kerberos protocol and associated
   protocols.

   [RFC1964] describes the GSS-API mechanism for Kerberos Version 5.  It
   defines the format of context establishment, per-message and context
   deletion tokens, and uses algorithm identifiers for each cryptosystem
   in per-message and context deletion tokens.

   The approach taken in this document obviates the need for algorithm
   identifiers in the tokens.  This is accomplished by using, for every
   per-message token, the encryption algorithm specified by the crypto
   profile [RFC3961] of the session key or subkey created during context
   negotiation, together with the checksum algorithm that profile
   requires.  Message layouts of the per-message tokens are therefore
   revised to remove algorithm indicators and to add the extra
   information needed to support the generic crypto framework
   [RFC3961].
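
   The removal of algorithm indicators is visible in the token header
   itself.  The following is an added example, not code from RFC 4121 or
   from any GSS-API implementation: it decodes the header of a Wrap
   token in both layouts.  The RFC 1964 form carries SGN_ALG and
   SEAL_ALG identifiers; the RFC 4121 form carries only Flags, EC, RRC
   and the sequence number, so the receiver must take the encryption
   and checksum algorithms from the enctype of the negotiated session
   key or subkey.  Field layouts follow RFC 1964 section 1.2.2 and
   RFC 4121 sections 4.2.2, 4.2.5 and 4.2.6, none of which is reproduced
   on this page.  The sample tokens are constructed inline and carry no
   real checksum or ciphertext; only the header fields are exercised.

```python
"""Decode Kerberos GSS-API Wrap token headers in the RFC 1964 layout
(explicit SGN_ALG/SEAL_ALG) and the RFC 4121 layout (no algorithm fields).
Added example; layouts per RFC 1964 1.2.2 and RFC 4121 4.2.2/4.2.5/4.2.6."""
import struct
from dataclasses import dataclass

TOK_ID_1964_WRAP = b"\x02\x01"   # RFC 1964 Wrap token identifier
TOK_ID_4121_WRAP = b"\x05\x04"   # RFC 4121 Wrap token identifier

# RFC 1964 algorithm indicators, as the two-octet pairs the RFC lists.
SGN_ALG_NAMES = {b"\x00\x00": "DES MAC MD5", b"\x01\x00": "MD2.5", b"\x02\x00": "DES MAC"}
SEAL_ALG_NAMES = {b"\xff\xff": "none", b"\x00\x00": "DES"}

# RFC 4121 Flags bits (section 4.2.2); any other bit is reserved.
FLAG_SENT_BY_ACCEPTOR = 0x01
FLAG_SEALED = 0x02
FLAG_ACCEPTOR_SUBKEY = 0x04
KNOWN_FLAGS = FLAG_SENT_BY_ACCEPTOR | FLAG_SEALED | FLAG_ACCEPTOR_SUBKEY


@dataclass
class Wrap1964Header:
    sgn_alg: str
    seal_alg: str
    snd_seq_enc: bytes   # 8 octets, encrypted under the session key in RFC 1964
    sgn_cksum: bytes     # 8 octets
    body: bytes


@dataclass
class Wrap4121Header:
    sent_by_acceptor: bool
    sealed: bool
    acceptor_subkey: bool
    ec: int              # Extra Count: filler length (sealed) or checksum length (unsealed)
    rrc: int             # Right Rotation Count the sender applied to the body
    snd_seq: int
    body: bytes          # token body with the sender's rotation undone


def parse_1964_wrap(tok: bytes) -> Wrap1964Header:
    """Parse an RFC 1964 Wrap token after the caller has removed the
    GSS-API InitialContextToken framing (0x60 <len> <mech OID>)."""
    if len(tok) < 24 or tok[:2] != TOK_ID_1964_WRAP:
        raise ValueError("not an RFC 1964 Wrap token")
    sgn, seal, filler = tok[2:4], tok[4:6], tok[6:8]
    if filler != b"\xff\xff":
        raise ValueError("bad RFC 1964 filler")
    if sgn not in SGN_ALG_NAMES or seal not in SEAL_ALG_NAMES:
        # Here the token itself names the algorithms; an unknown pair is fatal.
        raise ValueError("unknown SGN_ALG/SEAL_ALG identifier")
    return Wrap1964Header(SGN_ALG_NAMES[sgn], SEAL_ALG_NAMES[seal],
                          tok[8:16], tok[16:24], tok[24:])


def rotate_right(data: bytes, n: int) -> bytes:
    """Sender side of RFC 4121 4.2.5: move the last n octets to the front."""
    if not data or n % len(data) == 0:
        return data
    n %= len(data)
    return data[-n:] + data[:-n]


def rotate_left(data: bytes, n: int) -> bytes:
    """Receiver side of RFC 4121 4.2.5: undo rotate_right."""
    if not data:
        return data
    n %= len(data)
    return data[n:] + data[:n]


def parse_4121_wrap(tok: bytes) -> Wrap4121Header:
    """Parse an RFC 4121 Wrap token header.  No algorithm is named in the
    token: the crypto profile of the (sub)key selects it (RFC 4121 4.2.4)."""
    if len(tok) < 16 or tok[:2] != TOK_ID_4121_WRAP:
        raise ValueError("not an RFC 4121 Wrap token")
    flags, filler, ec, rrc, snd_seq = struct.unpack(">BBHHQ", tok[2:16])
    if filler != 0xFF:
        raise ValueError("bad RFC 4121 filler")
    if flags & ~KNOWN_FLAGS:
        raise ValueError("reserved Flags bit set")
    body = rotate_left(tok[16:], rrc)
    if not flags & FLAG_SEALED and ec > len(body):
        # Unsealed: EC is the trailing checksum length and cannot exceed the body.
        raise ValueError("EC larger than token body")
    return Wrap4121Header(bool(flags & FLAG_SENT_BY_ACCEPTOR), bool(flags & FLAG_SEALED),
                          bool(flags & FLAG_ACCEPTOR_SUBKEY), ec, rrc, snd_seq, body)


def build_4121_wrap(flags: int, ec: int, rrc: int, snd_seq: int, body: bytes) -> bytes:
    """Assemble an RFC 4121 Wrap header and apply the sender-side rotation."""
    header = struct.pack(">2sBBHHQ", TOK_ID_4121_WRAP, flags, 0xFF, ec, rrc, snd_seq)
    return header + rotate_right(body, rrc)


if __name__ == "__main__":
    # Constructed samples: no real checksum or ciphertext, header fields only.
    new = build_4121_wrap(FLAG_SEALED | FLAG_ACCEPTOR_SUBKEY, 0, 3, 0x0102030405060708, b"abcdefg")
    print(parse_4121_wrap(new))
    old = TOK_ID_1964_WRAP + b"\x00\x00" + b"\xff\xff" + b"\xff\xff" + bytes(8) + bytes(8) + b"payload"
    print(parse_1964_wrap(old))
```

   Note the asymmetry a practitioner should check for: the RFC 1964
   parser can reject an unknown algorithm from the header alone, while
   the RFC 4121 parser cannot, because the only source of the algorithm
   is the negotiated key's enctype.  A receiver must therefore bind the
   checksum and encryption routine to the key, not to anything in the
   token.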
