The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
RFC 4121

Document type: RFC - Proposed Standard (July 2005; No errata)
Updates RFC 1964
Document stream: IETF
Last updated: 2013-03-02
IESG State: RFC 4121 (Proposed Standard)
Responsible AD: Russ Housley

Network Working Group                                             L. Zhu
Request for Comments: 4121                                 K. Jaganathan
Updates: 1964                                                  Microsoft
Category: Standards Track                                     S. Hartman
                                                                     MIT
                                                               July 2005

                        The Kerberos Version 5
   Generic Security Service Application Program Interface (GSS-API)
                         Mechanism: Version 2

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines protocols, procedures, and conventions to be
   employed by peers implementing the Generic Security Service
   Application Program Interface (GSS-API) when using the Kerberos
   Version 5 mechanism.

   This document updates RFC 1964 with incremental changes made in
   response to recent developments such as the introduction of the
   Kerberos cryptosystem framework.  These changes support the inclusion
   of new cryptosystems by defining new per-message tokens, along with
   their encryption and checksum algorithms, based on the cryptosystem
   profiles.

Zhu, et al.                 Standards Track                     [Page 1]
RFC 4121               Kerberos Version 5 GSS-API              July 2005

Table of Contents

   1. Introduction ....................................................2
   2. Key Derivation for Per-Message Tokens ...........................4
   3. Quality of Protection ...........................................4
   4. Definitions and Token Formats ...................................5
      4.1. Context Establishment Tokens ...............................5
           4.1.1. Authenticator Checksum ..............................6
      4.2. Per-Message Tokens .........................................9
           4.2.1. Sequence Number .....................................9
           4.2.2. Flags Field .........................................9
           4.2.3. EC Field ...........................................10
           4.2.4. Encryption and Checksum Operations .................10
           4.2.5. RRC Field ..........................................11
           4.2.6. Message Layouts ....................................12
      4.3. Context Deletion Tokens ...................................13
      4.4. Token Identifier Assignment Considerations ................13
   5. Parameter Definitions ..........................................14
      5.1. Minor Status Codes ........................................14
           5.1.1. Non-Kerberos-specific Codes ........................14
           5.1.2. Kerberos-specific Codes ............................15
      5.2. Buffer Sizes ..............................................15
   6. Backwards Compatibility Considerations .........................15
   7. Security Considerations ........................................16
   8. Acknowledgements................................................17
   9. References .....................................................18
      9.1. Normative References ......................................18
      9.2. Informative References ....................................18

1.  Introduction

   [RFC3961] defines a generic framework for describing encryption and
   checksum types to be used with the Kerberos protocol and associated
   protocols.

   [RFC1964] describes the GSS-API mechanism for Kerberos Version 5.  It
   defines the format of context establishment, per-message and context
   deletion tokens, and uses algorithm identifiers for each cryptosystem
   in per-message and context deletion tokens.

   The approach taken in this document obviates the need for algorithm
   identifiers.  This is accomplished by using the same encryption
   algorithm, specified by the crypto profile [RFC3961] for the session
   key or subkey that is created during context negotiation, and its
   required checksum algorithm.  Message layouts of the per-message
   tokens are therefore revised to remove algorithm indicators and to
   add extra information to support the generic crypto framework
   [RFC3961].
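   As an added illustration, not part of RFC 4121 itself, the following
   Python parses the per-message token header that the later sections
   define and shows why no algorithm identifier is needed: the token
   records only the direction (initiator or acceptor) and the kind of
   token (Wrap or MIC), which together select an [RFC3961] key usage
   number; the cipher and checksum are whatever the enctype profile of
   the context key mandates.  The TOK_ID values, flag bits, 16-octet
   header layout, RRC rotation rule and key usage numbers 22-25 are
   those of RFC 4121 Sections 2 and 4.2 (cut off from this page).  The
   sample token bodies are constructed stand-ins for real encrypt() and
   get_mic() output, and the function and class names are this example's
   own.

```python
import struct
from dataclasses import dataclass

# Token identifiers, flag bits and the 16-octet header layout are those of
# RFC 4121 Section 4.2 (that section is cut off from the page above).
TOK_ID_WRAP = 0x0504
TOK_ID_MIC = 0x0404
HEADER_LEN = 16

FLAG_SENT_BY_ACCEPTOR = 0x01  # sender is the context acceptor
FLAG_SEALED = 0x02            # Wrap token carries encrypted data
FLAG_ACCEPTOR_SUBKEY = 0x04   # keys come from the acceptor's AP-REP subkey

# RFC 3961 key usage numbers assigned by RFC 4121 Section 2.
KG_USAGE_ACCEPTOR_SEAL = 22
KG_USAGE_ACCEPTOR_SIGN = 23
KG_USAGE_INITIATOR_SEAL = 24
KG_USAGE_INITIATOR_SIGN = 25


@dataclass
class TokenHeader:
    tok_id: int
    flags: int
    ec: int          # Wrap only: number of filler octets
    rrc: int         # Wrap only: right rotation count applied by the sender
    snd_seq: int     # 64-bit big-endian sequence number
    body: bytes      # octets after the header, rotation undone


def key_usage(tok_id, flags):
    """Select the RFC 3961 key usage for a per-message token.

    The token carries no cipher or checksum identifier: those are fixed by
    the enctype profile of the context key.  Direction and token kind are
    all that select a usage number (Wrap -> SEAL, MIC -> SIGN).
    """
    from_acceptor = bool(flags & FLAG_SENT_BY_ACCEPTOR)
    if tok_id == TOK_ID_WRAP:
        return KG_USAGE_ACCEPTOR_SEAL if from_acceptor else KG_USAGE_INITIATOR_SEAL
    if tok_id == TOK_ID_MIC:
        return KG_USAGE_ACCEPTOR_SIGN if from_acceptor else KG_USAGE_INITIATOR_SIGN
    raise ValueError("unknown TOK_ID 0x%04x" % tok_id)


def rotate_right(buf, count):
    """Sender side: rotate the token body right by RRC octets."""
    if not buf:
        return buf
    count %= len(buf)          # RRC is taken modulo the body length
    return buf[len(buf) - count:] + buf[:len(buf) - count]


def rotate_left(buf, count):
    """Receiver side: undo rotate_right."""
    if not buf:
        return buf
    count %= len(buf)
    return buf[count:] + buf[:count]


def build_wrap_header(flags, ec, rrc, snd_seq):
    return struct.pack(">HBBHHQ", TOK_ID_WRAP, flags, 0xFF, ec, rrc, snd_seq)


def build_mic_header(flags, snd_seq):
    return struct.pack(">HB5sQ", TOK_ID_MIC, flags, b"\xff" * 5, snd_seq)


def parse_token(token):
    """Parse a Wrap or MIC token header, rejecting malformed fillers."""
    if len(token) < HEADER_LEN:
        raise ValueError("token shorter than the 16-octet header")
    tok_id = struct.unpack(">H", token[:2])[0]
    flags = token[2]
    if tok_id == TOK_ID_WRAP:
        if token[3] != 0xFF:
            raise ValueError("Wrap filler octet must be 0xFF")
        ec, rrc, snd_seq = struct.unpack(">HHQ", token[4:HEADER_LEN])
        body = rotate_left(token[HEADER_LEN:], rrc)
    elif tok_id == TOK_ID_MIC:
        if token[3:8] != b"\xff" * 5:
            raise ValueError("MIC filler octets must be 0xFF")
        ec, rrc = 0, 0
        snd_seq = struct.unpack(">Q", token[8:HEADER_LEN])[0]
        body = token[HEADER_LEN:]
    else:
        raise ValueError("unknown TOK_ID 0x%04x" % tok_id)
    return TokenHeader(tok_id, flags, ec, rrc, snd_seq, body)


# Constructed sample bodies: stand-ins for RFC 3961 encrypt()/get_mic()
# output, which a real implementation would produce with the derived key.
SAMPLE_CIPHERTEXT = b"stand-in-for-rfc3961-ciphertext"
SAMPLE_CHECKSUM = b"\x11" * 12


def sample_wrap_token(rrc=5, snd_seq=7):
    """Initiator-sent sealed Wrap token using the acceptor subkey."""
    hdr = build_wrap_header(FLAG_SEALED | FLAG_ACCEPTOR_SUBKEY, 0, rrc, snd_seq)
    return hdr + rotate_right(SAMPLE_CIPHERTEXT, rrc)


def sample_mic_token(snd_seq=0x0102030405060708):
    """Acceptor-sent MIC token."""
    return build_mic_header(FLAG_SENT_BY_ACCEPTOR, snd_seq) + SAMPLE_CHECKSUM


if __name__ == "__main__":
    for tok in (sample_wrap_token(), sample_mic_token()):
        h = parse_token(tok)
        print("TOK_ID=0x%04x flags=0x%02x seq=%d rrc=%d usage=%d" %
              (h.tok_id, h.flags, h.snd_seq, h.rrc, key_usage(h.tok_id, h.flags)))
```

   Two points a receiver must get right are visible here: the RRC value
   is reduced modulo the body length, so an RRC larger than the body is
   still valid and must not be rejected, and a sealed Wrap token reuses
   the SEAL usage for its checksum while MIC tokens use the SIGN usage,
   so the two can never be confused for each other even though neither
   names an algorithm.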

