Internet-Draft ERIC BAIZE, BULL
IETF Common Authentication Technology WG STEPHEN FARRELL, SSE
Expire in six months TOM PARKER, ICL
<draft-ietf-cat-sesamemech-01.txt> November 22, 1996
The SESAME V5 GSS-API Mechanism
STATUS OF THIS MEMO
This specification is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as
"work in progress."
To learn the current status of any Internet Draft, please check the
"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Comments on this specification should be sent to "cat-ietf@mit.edu", the
IETF Common Authentication Technology WG discussion list.
ABSTRACT
This specification defines protocols, data elements, and
conventions to be employed by peers implementing the Generic
Security Service Application Program Interface (as specified in
RFCs 1508 and 1509) when using the SESAME Version 5 Mechanism.
1. BACKGROUND
Although the Kerberos Version 5 GSS-API mechanism [KRB5] is becoming
well-established in many environments, it is important in some
applications to have a GSS-API mechanism, which is able to support
privileges rather than only a single identity, which is scalable
because it supports public key technology and which is flexible
in a distributed environment due to its fine granularity delegation
properties.
The mechanism described in this specification has been designed
to provide the following features.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 1]
internet-draft November 22, 1996
1) SESAME allows both unilateral and mutual authentication
to be accomplished using loosely synchronous clocks. One key
advantage of this feature is that, when unilateral
authentication is used, no additional message (as in a
challenge-response mechanism) is needed and thus it is
possible to concatenate in a single message, for example,
an "init-sec token", a "wrapped token" and a "close token".
2) In addition to authentication, SESAME supports the
transmission of the access control privileges of a user.
These privileges are carried in a data structure called the
PAC (Privileges Attribute Certificate). Privileges supported
in SESAME V5 are group-memberships, roles and administration
defined local types. In the future support for clearances or
capabilities is envisaged. SESAME supports the "push model"
where the privileges are pushed towards the target. This
allows the principle of least privilege to be supported,
where only the privileges that are necessary for performing
an operation are presented and disclosed to the target.
3) Privileges are always directly guaranteed by the
authority which originally vouched for them. This allows
the concept of "direct trust" to be supported because no
intermediate security domain is needed to translate the
original guaranteed privileges when they are delegated, even
across security domains. In practice, this is made possible
because the privileges are placed in a data structure that is
signed by the issuing domain authority, and thus is directly
verifiable.
4) The scheme used to transmit privileges is
independent of the scheme used for key management. This
allows several key management schemes and their extensions
to be supported. In practice, SESAME allows each security
domain manager to chose its own key management scheme.
Cross-domain relationships can either be based on public
key technology or on secret key technology.
5) The control of delegation is a key feature of SESAME. This
allows privileges to be transmitted and their use to be
restricted to nominated targets or groups of targets.
6) The SESAME GSS-API protocols re-use data structures developed
in Kerberos V5 [Kerberos] and SPKM [SPKM] for key management
and authentication. SESAME has merged these into a wider
framework supporting distributed access control and
delegation features.
A more complete overview of SESAME is available in [SESOV].
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 2]
internet-draft November 22, 1996
1.1 Table of Contents
1. BACKGROUND 1
2. THE SESAME TECHNOLOGY 4
2.1. Overview 4
2.2. SESAME Concepts 5
2.2.1. Access Control Concepts 5
2.2.1.1. Domains 5
2.2.1.2. Identities 5
2.2.1.3. Privilege Attributes 5
2.2.1.4. Delegation 6
2.2.1.5. Application Trust Groups (ATGs) 6
2.2.2. Target Access Enforcement Function (targetAEF) 6
2.2.3. SESAME Key Distribution 7
2.2.3.1. Basic keys and dialogue keys 7
2.2.3.2. Basic symmetric key distribution scheme (symmIntradomain) 7
2.2.3.3. Hybrid key distribution scheme (hybridInterdomain) 8
2.2.3.4. Full public key distribution scheme (asymmetric) 8
2.2.3.5. Derivation of Dialogue Keys 8
2.2.4. Use of Cryptography in SESAME 8
3. GSS-API TOKEN FORMATS 9
3.1. Token framings 9
3.2. InitialContextToken format 10
3.3. TargetResultToken 14
3.4. ErrorToken 15
3.5. Per Message Token formats 15
3.5.1. MICToken 17
3.5.2. WrapToken 17
3.6 ContextDeleteToken format 18
4. DATA ELEMENT DEFINITIONS 18
4.1. Access Control Data Elements 19
4.1.1. Generalised certificate (GeneralisedCertificate) 19
4.1.1.1. Common Contents fields (CommonContents) 19
4.1.1.2. PAC Specific Certificate Contents (PACSpecificContents) 20
4.1.1.3. Check value (CheckValue) 21
4.1.2. Security Attributes (SecurityAttribute) 21
4.1.3. Protection Methods 22
4.1.3.1. "Control/Protection Values" protection method 22
4.1.3.2. "Primary Principal Qualification" protection method 23
4.1.3.3. "Target Qualification" protection method 24
4.1.3.4. "Delegate/Target Qualification" protection method 24
4.1.3.5. Combining the methods 25
4.1.4. External Control Values Construct (ECV) 25
4.2. Basic Key Distribution 26
4.2.1. Data elements for the Symmetric Intradomain kd-scheme 28
4.2.2. Data elements for the Hybrid interdomain kd-scheme. 29
4.2.3. Data elements for the asymmetric kd-scheme 30
4.3. Dialogue Key Block 30
4.4. Attribute Definitions 31
4.4.1. Privilege attributes 31
4.4.1.1. Access Identity 31
4.4.1.2. Group 31
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 3]
internet-draft November 22, 1996
4.4.1.3. Primary group 32
4.4.1.4. Role attribute 32
4.4.2. Miscellaneous attributes 32
4.4.2.1. Audit Identity 32
4.4.3. Qualifier Attributes 32
4.4.3.1. Target Attributes 32
4.4.3.2. Application Trust Groups 32
5. ALGORITHMS AND CIPHERTEXT FORMATS 32
6. SESAME MECHANISM NEGOTIATION 35
7. NAME TYPES 36
7.1. Kerberos naming 36
7.2. Directory Naming 37
8. SECURITY CONSIDERATIONS 38
9. PATENTS 38
9.1. BULL PATENT 38
9.2. ICL PATENTS 39
9.2.1. PAC USE MONITOR (C1167 ) 39
9.2.2. PROXY CONTROL (C1179) 39
10. ACKNOWLEDGEMENTS 39
11. REFERENCES 40
12. AUTHOR'S ADDRESSES 41
APPENDIX A: ASN.1 MODULE DEFINITIONS 42
A.1. SESAME ASN.1 Definitions 42
A.2. Kerberos ASN.1 Definitions 51
A.3. SPKM ASN.1 Definitions 53
APPENDIX B: Profiling of KD-schemes 57
B.1. Profile of Ticket as used in symmIntradomain scheme 57
B.2. Profile of PublicTicket as used in hybridInterdomain scheme 57
B.3. Profile of SPKM_REQ as used in asymmetric scheme 58
APPENDIX C: ECMA BACKGROUND MATERIAL. 60
2. THE SESAME TECHNOLOGY
2.1. Overview
The tokens defined in SESAME are intended to be used by application
programs according to the GSS API "operational paradigm" (see
[RFC-1508] for further details):
The operational paradigm in which GSS-API operates is as follows.
A typical GSS-API caller is itself a communications protocol [or
is an application program which uses a communications protocol],
calling on GSS-API in order to protect its communications with
authentication, integrity, and/or confidentiality security
services. A GSS-API caller accepts tokens provided to it by its
local GSS-API implementation [i.e., its GSS-API mechanism] and
transfers the tokens to a peer on a remote system; that peer
passes the received tokens to its local GSS-API implementation for
processing.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 4]
internet-draft November 22, 1996
Some extensions to the base GSS-API are required in order for
applications to take full advantage of the access control and
delegation capabilities of SESAME. As these extensions are
independent of the SESAME mechanism they are specified in a
separate draft [XGSSAPI].
2.2. SESAME Concepts
2.2.1. Access Control Concepts
2.2.1.1. Domains
A `security domain' is a set of elements, a security authority
and a set of security relevant activities in which the set of
elements are subject to the security policy, administered by the
security authority, for the specified activities [ISO 10181-1].
A security domain must support at least, one authentication server
(AS), one privilege attribute server (PAS) and may need a key
distribution server (KDS).
2.2.1.2. Identities
SESAME supports the three following types of identity:
Authenticated Identity which is the identity held in the PAS
ticket obtained from Authentication
Server. This is used to permit the
release of Privilege Attributes for use in
access control decisions.
Access Identity which is used in PACs as a Privilege
Attribute. This attribute reflects a value
given by the PAS administrator. Note that
the access identity does not need to be
always present within a PAC, because access
can be granted using, for example, group-
memberships or roles rather than
individual identities.
Audit Identity a value unique to an individual which is
used in PACs only for accountability
purposes. This is a separate field in the
PAC, which reflects a value given by the
PAS administrator.
2.2.1.3. Privilege Attributes
Standard Privilege Attribute types are defined so they can be
independent of specific end-system representations but which can
be mapped as appropriate in the receiving system.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 5]
internet-draft November 22, 1996
The privilege attributes which are supported in this specification are :
access identity
primary group
group
role attribute
Domain defined attributes (i.e. defined by the PAS
administrator)
Together these provide for the support of a variety of formulations
of access control policy, for example Role Based Access Control.
2.2.1.4. Delegation
An initiator may not wish to delegate all his rights, and may want
to restrict the area within which the PAC may be used. For that
purpose, PACs can be arranged to be valid only for specific
nominated targets. A PAC may contain many target names or other
target attributes (though in SESAME V5 the only attribute type
supported is the Application Trust Group - see next).
Mechanisms are also provided to prevent a PAC from being delegated
where this is appropriate.
2.2.1.5. Application Trust Groups (ATGs)
A PAC may contain one or more target or delegate application or
"Trust Group" names specifying which targets or delegate-targets
the PAC is valid for. A Trust Group name is simply the name of a
group of applications, defined by the security administrator,
that mutually trust each other not to spoof each others'
identities.
In order to allow for a PAC which is usable at all targets a
special trust group is defined - the "universal" trust group. A
PAC targeted at the universal trust group can still be protected
using target controls (as in delegation) which means that such a
PAC still cannot be stolen.
2.2.2. Target Access Enforcement Function (targetAEF)
In SESAME the security processing functionality on the target is
split between two different entities - the target application and
the target access enforcement function (targetAEF)(see ISO IEC
10181-3). This has a number of advantages:
- the number of long-term keys in the system can be reduced
since only the targetAEF need share a symmetric key with the
security server or possess an asymmetric key pair,
- the security critical code is isolated which makes security
evaluation simpler,
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 6]
internet-draft November 22, 1996
- administration is simplified as one targetAEF may "serve" many
target applications,
- different administrators can be responsible for the target
application and targetAEF,
- as the initiator establishes a key with the targetAEF (see
later) this keying information can be re-used whenever another
target served by the same AEF is accessed.
A patent from ICL applies to this method (see section 9).
2.2.3. SESAME Key Distribution
There are different key distribution schemes in SESAME.
Each depends upon the existence of long term cryptographic keys
which held by targets AEFs and KDSs. These keys may be either
symmetric or asymmetric. In the case where the keys are symmetric
they are always shared between the targetAEF and its KDS.
Initiators may also possess symmetric or asymmetric keys. In the
case where an initiator possesses a symmetric key it is a temporary
key that will have been established as a result of an earlier
authentication.
2.2.3.1. Basic keys and dialogue keys
In SESAME, two separate symmetric keys are established between the
initiator and target for the purpose of application data protection.
These are known as the integrity and confidentiality dialogue keys.
Another symmetric key, called the basic key, is established
between the initiator and targetAEF which is used in PAC
protection and to derive the dialogue keys.
The basic key is transmitted from the initiator to the target in
a structure called a TargetKeyBlock. The information required to
derive the dialogue keys is transmitted in a structure called a
DialogueKeyPackage.
2.2.3.2. Basic symmetric key distribution scheme (symmIntradomain)
In this scheme, the initiator shares a temporary secret key with
the KDS and the target AEF shares a long term secret key with the
same KDS.
To establish a basic key between an initiator and a targetAEF,
the initiator KDS returns, as a result of an initiator request, a
targetKeyBlock containing a basic key encrypted under the
targetAEF's long term secret key. On receipt of the targetKeyBlock,
the targetAEF can extract the basic key directly from it.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 7]
internet-draft November 22, 1996
An unmodified Kerberos TGS is used as the KDS in this case.
2.2.3.3. Hybrid key distribution scheme (hybridInterdomain)
In this scheme, the initiator shares a temporary secret key with
a KDS that is different from the KDS with which the targetAEF shares
its long term key. In addition, each KDS possesses an asymmetric key
pair.
To establish a basic key between an initiator and a targetAEF,
the initiator KDS returns, as a result of an initiator request, a
TargetKeyBlock containing a basic key encrypted under a temporary
key and the temporary key encrypted under the targetAEF KDS's
public key. The TargetKeyBlock is signed using the initiator
KDS's private key.
On receipt of the TargetKeyBlock, the targetAEF transmits it to
its own KDS, and gets back the basic key encrypted under the long
term secret key it (the targetAEF) shares with its KDS.
A modified Kerberos TGS can be used as the KDS in this case.
2.2.3.4. Full public key distribution scheme (asymmetric)
In this scheme, neither the initiator nor the targetAEF uses a
KDS. Both the initiator and the targetAEF possesses a
private/public key pair.
To establish a basic key with a targetAEF, the initiator
constructs a TargetKeyBlock containing a basic key encrypted
under the targetAEF's public key. The TargetKeyBlock is signed
using the initiator's private key.
On receipt of the TargetKeyBlock, the targetAEF directly
establishes a basic key from it.
Modified SPKM code can be used for this scheme.
2.2.3.5. Derivation of Dialogue Keys
Once a basic key has been established between the initiator and
targetAEF, the derivation of the dialogue keys can take place.
The dialogue keys are derived using key offsetting - see the
description of the dialogue key package below.
2.2.4. Use of Cryptography in SESAME
In several countries of the world the use of cryptography is
subject to government control, particularly in relation to the
hiding of information by enciphering it.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 8]
internet-draft November 22, 1996
The SESAME architecture has been designed to address these
problems. The use of confidentiality is kept to a minimum. It is
provided only where it is an essential function (for example in
the SESAME key distribution protocols it is necessary to encipher
the basic key being distributed). PACs are cryptographically
signed, not enciphered. When encipherment of user and system data
is a requirement, SESAME allows the algorithms and keys used to
be separately specified, permitting them to have characteristics
acceptable to the prevailing political environment.
3. GSS-API TOKEN FORMATS
3.1. Token framings
All tokens including context-establishment tokens, per-message
tokens, and context-deletion token are enclosed within framing as
follows:
Token ::= [APPLICATION 0] IMPLICIT SEQUENCE {
thisMech MechType, -- the OBJECT IDENTIFIER specified below
innerContextToken ANY DEFINED BY thisMech
}
The SESAME mechanism type is identified by an OBJECT IDENTIFIER
with value:
{ generic-sesame-mech (v) (y) (z) }
Where:
generic-sesame-mech ::= OBJECT IDENTIFIER
iso.org.icd-ecma.technical-report.security-in-open-systems.
authentication-machanism {1.3.12.1.46.1}
The value v represents the version of the mechanism. The current
version is version 5. The current oid is therefore:
{1.3.12.1.46.1.5}
The values of y and z represent architectural options and
cryptographic algorithm profiles which are specified in section 5.
These values are intended to be negotiated using a generic GSS-API
mechanism negotiation scheme like that given in [SNEGO].
The innerContextToken field of context establishment tokens for
the SESAME GSS-API mechanism will consist of a SESAME token
(InitialContextToken, TargetResultToken, ErrorToken) containing a
token identifier (tokenId) field having the value 01 00 (hex) for
InitialContextToken, 02 00 (hex) for TargetResultToken, and 03 00
(hex) for ErrorToken. These are defined to be:
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 9]
internet-draft November 22, 1996
InitialContextToken sent by the initiator to a target, to start
the process of establishing a Security
Association. Returned by the
GSS_Init_sec_context call.
TargetResultToken sent to the initiator by the target
following receipt of an Initial Context
Token. Returned by the
GSS_Accept_sec_context call.
ErrorToken sent by target on detection of an error
during Security Association establishment.
Returned by either the GSS_Init_sec_context
call or the GSS_Accept_sec_context call.
The innerContextToken field of context-deletion token for the
SESAME GSS-API mechanism will consist of a SESAME token
(ContextDeleteToken) containing a tokenId field having the value
01 02 (hex). This is defined to be:
ContextDeleteToken sent either by the initiator, or the target
to release a Security Association. Returned
by GSS_Delete_sec_context.
The innerContextToken field of per-message tokens for the SESAME
GSS-API mechanism will consist of a token (MICToken, WrapToken)
containing a tokenId field having the value 01 01 (hex) for
MICToken, and 02 01 (hex) for WrapToken. These are defined to be:
MICToken sent either by the initiator or the target
to verify the integrity of the user data
sent separately. Returned by GSS_GetMIC.
WrapToken sent either by the initiator or the target.
Encapsulates the input user data
(optionally encrypted) along with integrity
check values. Returned by GSS_Wrap.
3.2. InitialContextToken format
InitialContextToken ::= SEQUENCE{
ictContents [0] ICTContents,
ictSeal [1] Seal
}
ictContents
Body of the initial context token
ictSeal
Seal of ictContents computed with the integrity dialogue key.
Only the sealValue field of the Seal data structure is present.
The cryptographic algorithms that apply are specified by
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 10]
internet-draft November 22, 1996
integDKUseInfo in the dialogueKeyBlock field of the targetAEFPart
from the initial context token.
ICTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0100'
SAId [1] OCTET STRING,
targetAEFPart [2] TargetAEFPart,
targetAEFPartSeal [3] Seal,
contextFlags [4] BIT STRING {
delegation (0),
mutual-auth (1),
replay-detect (2),
sequence (3),
conf-avail (4),
integ-avail (5)
}
utcTime [5] UTCTime OPTIONAL,
usec [6] INTEGER OPTIONAL,
seq-number [7] INTEGER OPTIONAL,
initiatorAddress [8] HostAddress OPTIONAL,
targetAddress [9] HostAddress OPTIONAL
-- imported from [Kerberos] and used as channel bindings
}
tokenId
Identifies the initial-context token. Its value is 01 00 (hex)
SAId
A random number for identifying the Security Association being
formed; it is one which (with high probability) has not been used
previously. This random number is generated by the initiator GSS-
API implementation and processed by the target GSS-API
implementation as follows :
- If no targetResultToken is expected, the SAId value is taken
to be the identifier of the Security Association being
established (if this is unacceptable to the target, then an
error token with etContents value of
gss_ses_s_sg_sa_already_established must be generated).
- If a targetResultToken is expected, the target generates its
random number and concatenates it to the end on the
initiator's random number. The concatenated value is then
taken to be the identifier of the Security Association being
established.
targetAEFPart
Part of the initial-context token to be passed to the target
access enforcement function.
targetAEFPartSeal
Seal of the targetAEFPart computed with the basic key. Only the
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 11]
internet-draft November 22, 1996
sealValue field of the Seal data structure is present. The
cryptographic algorithms that apply are specified by algorithm
profile in the SESAME mechanism option (see section 6).
contextFlags
Combination of flags that indicates context-level functions
requested by the GSS-API initiator implementation.
delegation when set to 0, indicates that the initiator
explicitly forbids delegation of the PAC in the
targetAEFPart.
mutual-auth indicates that mutual authentication is
requested.
replay-detect indicates that replay detection features are
requested to be applied to messages transferred
on the established Security Association.
sequence indicates that sequencing features are
requested to be enforced to messages
transferred on the established Security
Association.
conf-avail indicates that a confidentiality service is
available on the initiator side for the
established Security Association.
integ-avail indicates that an integrity service is
available on the initiator side for the
established Security Association.
utcTime
The initiator's UTC time.
usec
Microsecond part of the initiator's time stamp. This field along
with utcTime are used together to avoid collision between tokens
generated by two initiators at the same time. This field enables a
simple scheme for replay detection of initial tokens to be
supported.
seq-number
When present, specifies the initiator's initial sequence number.
Otherwise, the default value of 0 is to be used as an initial
sequence number.
initiatorAddress
Initiator's network address part of the channel bindings. This
field is only present when channel bindings are transmitted by
the GSS-API caller to the SESAME GSS-API implementation.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 12]
internet-draft November 22, 1996
targetAddress
Target's network address part of the channel bindings. This field
is only present when channel bindings are transmitted by the GSS-
API caller to the SESAME GSS-API implementation.
TargetAEFPart ::= SEQUENCE {
pacAndCVs [0] SEQUENCE OF CertandECV OPTIONAL,
targetKeyBlock [1] TargetKeyBlock,
dialogueKeyBlock [2] DialogueKeyBlock,
targetIdentity [3] SecurityAttribute,
flags [4] BIT STRING {
delegation (0)
}
}
Note 1: Individual PACs have validity of their own, thus
it is not sensible to have an overall separately
specified validity period for the whole context.
pacAndCVs
The initiator's privileges and security attributes to be used for
this Security Association. This field is not present when the
association does not require initiator privileges or security
attributes. This field contains the PAC together with associated
PAC protection information. In this specification exactly one of
these should be present.
targetKeyBlock
The targetKeyBlock carrying the basic key to be used for the
Security Association being established.
dialogueKeyBlock
A dialogue key block used by the targetAEF along with the basic
key to establish an integrity dialogue key and a confidentiality
dialogue key for per-message protection over the Security
Association being established.
targetIdentity
The identity of the intended target of the Security Association.
Used by the targetAEF to validate the PAC. Can also be used by
the targetAEF to help protect the delivery of dialogue keys.
flags
flags required by the Target AEF for its validation process. Only
contains a delegation flag, the value of which is the same as the
value of delegation flag in contextFlag field of ictContents.
When the flag is set, all ECVs sent in pacAndCVs are made
available to the target. Other bits are reserved for future use.
The Seal structure is used in this Token and other tokens.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 13]
internet-draft November 22, 1996
Seal ::= SEQUENCE{
sealValue [0] BIT STRING,
symmetricAlgId [1] AlgorithmIdentifier OPTIONAL,
hashAlgId [2] AlgorithmIdentifier OPTIONAL,
targetName [3] SecurityAttribute OPTIONAL,
keyId [4] INTEGER OPTIONAL
}
sealValue
The value of the seal. It is the result of a symmetric encryption
of a hash value of a set of octets (which are the DER encoding of
some ASN.1 type)
symmetricAlgId
An optional indicator of the sealing algorithm.
hashAlgId
Only present if the symmetricAlgId does not specify which hashing
algorithm is used.
targetName
This field identifies the targetAEF or target with which the
symmetric key used for the seal is shared.
keyId
This serial number together with the targetName uniquely
identifies the symmetric key used in the seal.
3.3. TargetResultToken
This token is returned by the target if the mutual-req flag is set
in the Initial Context Token. It serves to authenticate the target
to the initiator, since only the genuine target could derive the
integrity dialogue key needed to seal the TargetResultToken.
TargetResultToken ::= SEQUENCE{
trtContents [0] TRTContents,
trtSeal [1] Seal
}
TRTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0200'
SAId [1] OCTET STRING,
utcTime [5] UTCTime OPTIONAL,
usec [6] INTEGER OPTIONAL,
seq-number [7] INTEGER OPTIONAL,
}
trtContents
This contains only administrative fields, identifying the token
type, the context and providing exchange integrity.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 14]
internet-draft November 22, 1996
seq-number
When present, specifies the target's initial sequence
number, otherwise, the default value of 0 is to be used as
an initial sequence number.
The other administrative fields are as described in above.
trtSeal
Seal of trtContents computed with the integrity dialogue key.
Only the sealValue field of the Seal data structure is present.
The cryptographic algorithms that apply are specified by
integDKUseInfo in the dialogueKeyBlock field of the targetAEFPart
from the initial context token.
3.4. ErrorToken
ErrorToken ::= SEQUENCE {
tokenType [0] OCTET STRING VALUE X'0300',
etContents [1] ErrorArgument,
}
etContents
Contains the reason for the creation of the error token. The
different reasons are given as minor status return values.
ErrorArgument ::= ENUMERATED {
gss_ses_s_sg_server_sec_assoc_open (1),
gss_ses_s_sg_incomp_cert_syntax (2),
gss_ses_s_sg_bad_cert_attributes (3),
gss_ses_s_sg_inval_time_for_attrib (4),
gss_ses_s_sg_pac_restrictions_prob (5),
gss_ses_s_sg_issuer_problem (6),
gss_ses_s_sg_cert_time_too_early (7),
gss_ses_s_sg_cert_time_expired (8),
gss_ses_s_sg_invalid_cert_prot (9),
gss_ses_s_sg_revoked_cert (10),
gss_ses_s_sg_key_constr_not_supp (11),
gss_ses_s_sg_init_kd_server_ unknown (12),
gss_ses_s_sg_init_unknown (13),
gss_ses_s_sg_alg_problem_in_dialogue_key_block (14),
gss_ses_s_sg_no_basic_key_for_dialogue_key_block (15),
gss_ses_s_sg_key_distrib_prob (16),
gss_ses_s_sg_invalid_user_cert_in_key_block (17),
gss_ses_s_sg_unspecified (18),
gss_ses_s_g_unavail_qop (19),
gss_ses_s_sg_invalid_token_format (20)
}
3.5. Per Message Token formats
The syntax of the Per Message Token has the same general
structure for both MIC and Wrap tokens:
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 15]
internet-draft November 22, 1996
PMToken ::= SEQUENCE{
pmtContents [0] PMTContents,
pmtSeal [1] Seal
-- seal over the pmtContents being protected
}
PMTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0101'
-- for a MIC token and
-- X'0201' for a Wrap token.
SAId [1] OCTET STRING,
seq-number [2] INTEGER
OPTIONAL,
userData [3] CHOICE {
plaintext OCTET STRING,
ciphertext OCTET STRING
} OPTIONAL,
directionIndicator [4] BOOLEAN OPTIONAL
}
pmtContents
tokenId
SAId
See above for a description of these fields
seq-number
This field must be present if replay detection or message
sequencing have been specified as being required at
Security Association initiation time. The field contains a
message sequence number whose value is incremented by one
for each message in a given direction, as specified by
directionIndicator. The first message sent by the initiator
following the InitialContextToken shall have the message
sequence number specified in that token, or if this is
missing, the value 0. The first message returned by the
target shall have the message sequence number specified in
the TargetReplyToken if present, or failing this, the value
0.
The receiver of the token will verify the sequence number
field by comparing the sequence number with the expected
sequence number and the direction indicator with the
expected direction indicator. If the sequence number in the
token is higher than the expected number, then the expected
sequence number is adjusted and GSS_S_GAP_TOKEN is
returned. If the token sequence number is lower than the
expected number, then the expected sequence number is not
adjusted and GSS_S_DUPLICATE_TOKEN or GSS_S_OLD_TOKEN is
returned, whichever is appropriate. If the direction
indicator is wrong, then the expected sequence number is
not adjusted and GSS_S_UNSEQ_TOKEN is returned
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 16]
internet-draft November 22, 1996
userData
See specific token type narratives below.
directionIndicator
FALSE indicates that the sender is the context initiator,
TRUE that the sender is the target.
pmtSeal
See specific token type narratives below.
3.5.1. MICToken
Use of the GSS_Get_MIC() call yields a per-message token,
separate from the user data being protected, which can be used to
verify the integrity of that data as received. The token and the
data may be sent separately by the sending application and it is
the receiving application's responsibility to associate the
received data with the received token. The syntax of the token
is:
MICToken ::= PMToken
The overall structure and field contents of the token are
described above. Fields specific to the MICToken are:
userData
Not present for MIC Tokens.
pmtSeal
The Checksum is calculated over the DER encoding of the
pmtContents field with the user data temporarily placed in the
userData field. The userData field is not transmitted.
3.5.2. WrapToken
Use of the GSS_Wrap() call yields a token which encapsulates the
input user data (optionally encrypted) along with associated
integrity check values. The token emitted by GSS_Wrap() consists
of an integrity header followed by a body portion that contains
either the plaintext data (if conf_alg == NULL) or encrypted data.
The syntax of the token is:
WrapToken ::= PMToken
The overall structure and field contents of the token are
described above. Fields specific to the WrapToken are:
userData
Present either in plain text form (the choice is plaintext), or
encrypted (choice ciphertext). If the data is encrypted, it is
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 17]
internet-draft November 22, 1996
performed using the Confidentiality Dialogue Key, and as in
[Kerberos], an 8-byte random confounder is first prepended to the
data to be encrypted.
pmtSeal
The Checksum is calculated over the pmtContents field, including
the userData. However if the userData field is to be encrypted,
the seal value is computed prior to the encryption.
3.6 ContextDeleteToken format
The ContextDeleteToken is issued by either the context initiator
or the target to indicate to the other party that the context is
to be deleted.
ContextDeleteToken ::= SEQUENCE {
cdtContents [0] CDTContents,
cdtSeal [1] Seal
-- seal over cdtContents, encrypted
-- under the Integrity Dialogue Key
-- contains only the sealValue field
}
CDTContents ::= SEQUENCE {
tokenType [0] OCTET STRING VALUE X'0301',
SAId [1] OCTET STRING,
utcTime [2] UTCTime OPTIONAL,
usec [3] INTEGER OPTIONAL,
seq-number [4] INTEGER OPTIONAL,
}
cdtContents
This contains only administrative fields, identifying the token
type, the context and providing exchange integrity.
seq-number
When present, this field contains a value one greater than
that of the seq-number field of the last token issued from
this issuer.
The other administrative fields are as described
above.
cdtSeal
See above for a general description of the use of this construct.
4. DATA ELEMENT DEFINITIONS
In this section we give the details of the structures which are
present in the tokens defined above.
These ASN.1 definitions represent the profile of the ASN.1 types
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 18]
internet-draft November 22, 1996
defined in [ECMA-219] which are implemented in the SESAME
project. In some cases CHOICEs and OPTIONAL fields which are
defined by ECMA have been omitted as they are not supported in
this version of SESAME. In order to retain compatibility this
leads to a non-obvious numbering for tags.
In this specification all of the type specifying object
identifiers are below the arc:
generic-sesame-mech ::= OBJECT IDENTIFIER {1.3.12.1.46}
-- top of the SESAME types arc
4.1. Access Control Data Elements
The ASN.1 definitions for the PAC and related data structures. The full
ASN.1 specification can be found in [ECMA-219] and in Annex A.
4.1.1. Generalised certificate (GeneralisedCertificate)
A Generalised Certificate (PAC) consists of a certificateBody and
checkValue, the latter containing a digital signature applied to
the former. The CertificateBody is formed of two parts:
a commonContents and a specificContents part.
The "commonContents" fields collectively serve to provide
generally required management and control over the use of the
PAC.
The "specificContents" fields are different for different types
of certificate, and contain a type identifier to indicate the
type. In this specification only one type is defined: the Privilege
Attribute Certificate (PAC).
The "checkValue" fields are used to guarantee the origin of the
certificate.
The next sections describe these three main structural components
of the Generalised Certificate.
4.1.1.1. Common Contents fields (CommonContents)
The common contents field of the PAC is made of the following fields:
comConSyntaxVersion
Identifies the version of the syntax of the combination of the
commonContents and the checkValue fields parts of the
certificate.
issuerDomain
The security domain of the issuing authority. Not required if the
form of issuerIdentity is a full distinguished name, but required
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 19]
internet-draft November 22, 1996
if other forms of naming are in use, such as proprietary
identifiers.
issuerIdentity
The identity of the issuing authority for the certificate.
serialNumber
The serial number of the certificate (PAC) as allocated by the
issuing authority.
creationTime
The UTC time that the certificate was created, according to the
authority that created it.
validity
A pair of start and end times within which the certificate is
deemed to be valid.
algId
The identifier of the symmetric or of the asymmetric
cryptographic algorithm used to seal or to sign the certificate.
If there is a single identifier for both the encryption algorithm
and the hash function, it appears in this field.
hashAlgId
The identifier of the hash algorithm used in the seal or in the
signature.
4.1.1.2. PAC Specific Certificate Contents (PACSpecificContents)
The specific contents field of the PAC is made of the following fields:
The pacSyntaxVersion is defaulted.
protectionMethods
A sequence of optional groups of Method fields used to protect the
certificate from being stolen or misused. For a full description
see section 4.1.3.
The pacType is defaulted.
privileges
Privilege Attributes of the principal in the form of security
attributes. For a full description ofsecurity attributes see
section 4.1.2.
restrictions
not supported in SESAME V5 - see [ECMA-219] for a full description.
miscellaneousAtts
Attributes that are neither privilege attributes nor restrictions.
Audit identity is one such attribute.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 20]
internet-draft November 22, 1996
TimePeriods
further time period restriction over and above that specified in
commonContents.
4.1.1.3. Check value (CheckValue)
In this specification a PAC is protected by being digitally
signed by the issuer.
A signature may be accompanied by information identifying the
Certification Authority under which the signature can be
verified, and with an optional convenient reference to or the
actual value of the user certificate for the private key that the
signing authority used to sign the certificate.
A signature is composed of the following fields:
signatureValue
The value of the signature. It is the result of an asymmetric
encryption of a hash value of the certificateBody.
issuerCAName
The identity of the Certification Authority that has signed the
user certificate corresponding to the private key used to sign
this certificate.
caCertInformation
Contains either just a certificate serial number which together
with the issuerCAName uniquely identifies the user certificate
corresponding to the private key used to sign this certificate,
or a full specification of a certification path via which the
validity of the signature can be verified. The latter option
follows the approach used in [ISO/IEC 9594-8].
4.1.2. Security Attributes (SecurityAttribute)
The security attribute is a basic construct made up of :
attributeType
Defines the type of the attribute. Attributes of the same type
have the same semantics when used in Access Decision Functions,
though they may have different defining authorities.
definingAuthority
Indicates the authority responsible for defining the value
within the attribute type. Some policies demand that multiple
sources of values for a given attribute type be supported (e.g. a
policy accepting attribute values defined outside the security
domain), These policies give rise to a risk of value clashes. The
definingAuthority field is used to separate these values. When not
present, the value defaults to the name of the authority that
issued the certificate containing the attribute.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 21]
internet-draft November 22, 1996
securityValue
The value of the security attribute. Its syntax is can be either
one of the basic syntaxes for attributes or a more complex one
determined by the attribute type.
4.1.3. Protection Methods
Protection methods are grouped in methodGroups. See section 4.1.3.5
for the significance of these groups. Protection methods are formed
as a combination of methodId and methodParams. The methodParams are
formed as a sequence of Mparm constructs. Each methodId determines
a syntax for Mparm.
methodId
Identifies a protection method. Methods can be used in any
combination, and except where stated otherwise, multiple occurrences
of the same method are permitted. The choice of methodId determines
the permitted choices of method parameters in the methodParams
construct .
methodParams
Parameters for a protection method formed as a sequence of
individual method parameter constructs (Mparm).
There are four basic protection methods, as described below.
4.1.3.1. "Control/Protection Values" protection method
This is known as the CV/PV method. A patent from Bull applies to
this method (see section 9).
This method allows a PAC to be used by proxy while at the same time
preventing it from being stolen by an eavesdropper. The PAC can be
forwarded to any target or group of targets. The owner of the PAC
need not know in advance. But if this information is known, use of
the PAC can be confined to any nominated target or group of targets.
Ownership of a PAC can be proven by presenting a CV value which
matches a public value contained in the PAC. The two values must
relate through the relationship: PV = OWF (CV), where OWF is a one
way collision resistant hash function. Unless otherwise specified,
the one-way function that is used for this method is MD5.
The MethodId for this is: controlProtectionValues
The syntax choice of Mparm for this method is: pValue.
A maximum of one PV method is permitted in each method group. More
than one method group can be specified, each containing a PV.
Associated with each PV is a certificate Control Value (CV)
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 22]
internet-draft November 22, 1996
external to the certificate. The CVs are carried encrypted in the
ECV construct.
When the client sends a PAC to a targetAEF, one or more CVs
are also sent encrypted under the basic key used to communicate
with the target AEF. The targetAEF knows the one-way function and
therefore is able to verify that the client knows a CV which
corresponds to a PV in the certificate. If the other controls in
the PV's method group are passed, the PAC is acceptable under this
method group.
The targetAEF now knows the value of the CVs that have been sent
to it, and can make available one or more of the values to the
infrastructure supporting that application for forwarding with the
certificate to other applications. By including target qualification
controls in the method group, proxy can be confined to nominated
target applications. One use for this might be, for example, all of
the application servers in a distributed service.
4.1.3.2. "Primary Principal Qualification" protection method
This is known as the PPID (Primary Principal IDentifier) method.
A patent from ICL applies to this method.
The MethodId for this is: ppQualification
This method protects the certificate from being stolen, by confining
its use to be from one or more nominated "Primary Principals" as
defined in [ECMA-219]. In its most restrictive form it permits a
certificate to be used only from the Primary Principal of the client
entity to which it was originally issued, preventing delegation of
the certificate. However it can also be used to permit delegation,
when the required attributes of the proxy application are precisely
known in advance. The method by itself does not limit the number of
target applications at which a PAC might be accepted. However, by
including separate target qualification controls in the method
group, delegation can be confined to nominated target applications.
The syntax choice of Mparm for this method is : securityAttribute
A sequence of Mparm constructs is permissible, resulting in multiple
nominated Primary Principals being capable of being permitted.
At least one of these attributes must be possessed by any Primary
Principal from which this certificate is to be validly used if the
PAC is to be accepted under this method. When a targetAEF receives
such a certificate, it is responsible for comparing these attributes
with attributes placed within the targetKeyBlock construct and
associated with the initiating Primary Principal.
When a symmetric key distribution scheme is in use the attribute
values are placed in the target key block by the trusted server
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 23]
internet-draft November 22, 1996
(the KDS) which created it. If there is no KDS, as in the case of
pure asymmetric key distribution, they are present in the public key
certificate of the initiator that is sent with the PAC.
The attribute value used here is termed the primary principal
identifier (PPID) and takes one of two forms depending on the key
distribution scheme used by the initiator. For the symmetric
intradomain and hybrid interdomain schemes the PPID takes the
form of a random bit string which is also sent in the authorization
data field of the Kerberos ticket. For the asymmetric scheme the
PPID is constructed from the certificate serial number and the CA
name for the initiator's X.509 public key certificate.
4.1.3.3. "Target Qualification" protection method
The MethodId for this is: targetQualification.
This method protects the PAC from misuse by allowing its use only
by one or more nominated target applications and at the same time
instructing the target AEF to prevent it from being forwarded.
The syntax choice of Mparm for this method is : securityAttribute
A sequence of Mparm constructs is permissible, resulting in
multiple security attributes being present.
Target AEFs receiving such PACs will compare the values found in
the PAC with the attributes of the target application. If the
target application possesses one of the attributes in one of the
occurrences of this method that is present in a method group, the
Certificate is deemed to be acceptable under this method in this
group but the target AEF is expected not to allow the use of the
certificate for access to further target applications.
4.1.3.4. "Delegate/Target Qualification" protection method
The MethodId for this is: delegateTargetQualification
This method protects the PAC from misuse by confining its validity
to one or more nominated target applications and at the same time
instructing the target AEF to allow the PAC to be forwarded.
The syntax choice of Mparm for this method is: securityAttribute
A sequence of Mparm constructs is permissible, resulting in
multiple security attributes being present.
The target AEF makes the comparisons described in the previous
section, but if the checks are passed, the nominated target
application(s) is/are acceptable as both an accessible target and
as a delegate. The attributes carried by the certificate are valid
at the target application(s) for authentication or access control
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 24]
internet-draft November 22, 1996
purposes and the target AEF will allow the PAC to be forwarded to
further target applications.
4.1.3.5. Combining the methods
The general rule for validating a PAC when received by a target AEF
is as follows:
If the PAC is properly signed by an authority recognised by this
targetAEF and is within the valid time periods then the
protection methods in each group are tested in turn as described
below until one of the groups is passed or the PAC is declared
invalid.
A method group is passed if it is empty, or if:
the PAC is for the nominated target application under any
target or delegateTarget qualification method in this group
and
tests on any ppQualification or controlProtectionValues
method in the group succeed. If more than one of these is
present, at least one must be passed. If only one is
present it must be passed. If none of them is present this
last check is not required.
If the group that has been passed only validates the certificate
for its recipient being a target, then further groups are checked
to see if the recipient is also valid as a delegate/target. If,
following these additional checks, a recipient is still valid
only as a target, the targetAEF is responsible for preventing its
use for access to further target applications.
4.1.4. External Control Values Construct (ECV)
Whenever the protection controlProtectionValues method is in
place, when a PAC protected under that method is being presented
as authorisation for an operation, it may be accompanied by one
or more control values and indices to the method occurrences in
the certificate to which they apply.
crypAlgIdentifier
This specifies the encryption algorithm of the control values.
cValues
An ECV construct contains in the encryptedCvalueList field a list
of control values encrypted under the basic key protecting the
operation. The whole list is encrypted in bulk, but the in-clear
contents of this field are expected to have the syntax CValues.
The CValues is composed of a sequence of tuples, each one being
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 25]
internet-draft November 22, 1996
composed of an index of the method occurrence in the certificate,
starting at 1, and the value of the CV.
4.2. Basic Key Distribution
The TargetKeyBlock is structured as follows:
- an identifier (kdSchemeOID) for the key distribution scheme
being used, which takes the form of an OBJECT IDENTIFIER,
- a part which, if present, the target AEF needs to pass on to
its KDS (targetKDSPart - will be present only when the target
AEF's KDS is different from the initiator's),
- a part which, if present, can be used directly by the target
AEF (targetPart).
When a targetAEF using a separate KDS receives the
targetKeyBlock, it first checks whether it supports the key
distribution scheme indicated in kdsSchemeOID. Two different
cases need to be considered:
1) Only the targetPart is present. The target AEF computes the
basic key directly, using the information present in the
TargetPart. The syntax of targetPart is scheme dependent.
Expiry information can optionally be present in targetPart. If
supported by the scheme, the Primary Principal attributes of
the initiator will also be present for PAC protection under
the Primary Principal Qualification method (see above).
2) Only the targetKDSPart is present. The targetAEF forwards
TargetKeyBlock to its KDS. In return it receives a scheme
dependent data structure which by itself allows the target AEF
to determine the basic key and, if supported by the scheme,
the Primary Principal attributes of the initiator for PAC
protection purposes. Expiry information can optionally be
present in the targetKDSPart.
The form of this information depends on the key distribution
configuration in place.
The TargetKeyBlock is composed of the following fields:
kdSchemeOID
Identifies the key distribution scheme used. Allows the targetAEF
to determine rapidly whether or not the scheme is supported. It
also allows for the easy addition of future schemes.
targetKDSpart
Part of the Target Key Block which is processable only by the KDS
of the target AEF. This part is sent by the target AEF to its
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 26]
internet-draft November 22, 1996
local KDS, in order to get the basic key which is in it. It must
always contain the name of a target "served" by the targetAEF in
question. The mapping between the name of the application and the
name of the target AEF is known to the target AEF's KDS which is
able to authenticate which target AEF is issuing the request for
translating the targetKDSpart. It can then verify that the AEF is
one which is responsible for the application name contained in
the targetKDSpart. If it is, the key is released and is sent
protected back to the requesting AEF. The targetKDSpart
includes data that enables the KDS of the target AEF to
authenticate the KDS of the initiator. When the "Primary
Principal Qualification" protection method needs to be used for
the PAC, unless there is an accompanying targetPart,
targetKDSpart contains the appropriate primary principal
security attributes.
targetPart
Part of the Target Key Block which is processed only by the target
AEF. When there is no targetKDSpart it is processable directly;
otherwise it can only be processed after the targetKDSpart has been
processed by the KDS of the target AEF, and the appropriate Keying
Information has been returned to the AEF. The targetPart construct
should include data that enables the target AEF to authenticate the
KDS of the initiator. When the "Primary Principal Qualification"
protection method needs to be used for the PAC, targetPart must
contain the primary principal security attributes.
The following table shows the different syntaxes used for
targetKDSpart and targetPart for the defined KD-schemes. "Missing"
in the tables means that the relevant construct is not supplied.
KD-Scheme name kdSchemeOID targetKDSpart targetPart
symmIntradomain {kd-schemes 1} Missing Ticket
hybridInterdomain {kd-schemes 3} PublicTicket Missing
asymmetric {kd-schemes 6} Missing SPKM_REQ
Table 1 - Key Distribution Scheme OBJECT IDENTIFIERs
The syntax of PublicTicket is given in appendix A.1, and the syntax
of Ticket (copied from [Kerberos]) is given in appendix A.2. The
syntax of SPKM_REQ (copied from [SPKM])is given in appendix A.3.
The OBJECT IDENTIFIERs that are for use in the kdSchemeOID field
of TargetKeyBlock are formally derived from the kd-schemes OBJECT
IDENTIFIER
The SPKM_REQ construct used in scheme 6 requires a sequence of key
establishment algorithm identifier values to be inserted into the
key_estb_set field. The OBJECT IDENTIFIER sesame-key-estb-alg is
defined as the (single) key establishment "algorithm" for the
SESAME mechanism.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 27]
internet-draft November 22, 1996
kd-schemes
This OBJECT IDENTIFIER is the top of the arc of key distribution
scheme OBJECT IDENTIFIERs defined in this specification.
symmIntradomain
This OBJECT IDENTIFIER indicates the basic symmetric key
distribution scheme described in section 2.2.3.2. As indicated in
the third column of Table 1, the targetKDSpart of the
TargetKeyBlock is not supplied and the targetPart contains a
Kerberos Ticket (see [Kerberos] and appendix A.2). The profile of
the ticket that is supported this scheme can be found in Table 2.
hybridInterdomain
This OBJECT IDENTIFIER indicates the hybrid scheme described in
section 2.2.3.3. The targetKDSpart contains a PublicTicket (defined
in section 4.2.2). The targetPart field is not supplied. The
PublicTicket contains a Kerberos Ticket. The profile supported in
this scheme can be found in Table 3.
asymmetric
This OBJECT IDENTIFIER indicates the scheme described in section
2.2.3.4. The targetKDSpart is not supplied and the targetPart
contains an SPKM_REQ. The syntax of SPKM_REQ is given in
appendix A.3. The profile of SPKM_REQ that is supported in this
scheme is given in Table 4.
sesame-key-estb-alg
This AlgorithmIdentifier identifies the key establishment
algorithm value to be used within the key_estb_set field of an
SPKM_REQ data element as the one defined by SESAME.
This algorithm is used to establish a symmetric key for use by
both the initiator and the target AEF as part of the context
establishment. The corresponding key_estb_req field of the
SPKM_REQ will be a BIT STRING the content of which is a DER
encoding of the KeyEstablishmentData element defined later.
4.2.1. Data elements for the Symmetric Intradomain kd-scheme
The full ASN.1 for the Kerberos elements used by the SESAME GSS-
API mechanism is given in appendix A.2. This section specifies
the specific contents of the Kerberos Ticket's authorization_data
field required by the SESAME GSS-API mechanism.
Essentially this construct (SESAME-AUTHORIZATION-DATA) contains the
PPID of the context initiator.
ppidType
Indicates the type of authorisation data as being SESAME
authorisation data.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 28]
internet-draft November 22, 1996
ppidValue
This value is used in the ppQualification PAC protection method
as defined in section 4.1.3.2.
4.2.2. Data elements for the Hybrid interdomain kd-scheme.
The PublicTicket contains the following fields:
krb5Ticket
The Kerberos Ticket which contains the basic key. The encrypted
part of this ticket is encrypted using the key found within the
encryptedPlainKey field of the KeyEstablishmentData in the
PublicKeyBlock.
publicKeyBlock
Contains the key used to protect the krb5Ticket encrypted using
the public key of the recipient and signed by the encryptor (i.e.
the context initiator's KD-Server).
signedPKBPart
The part of the publicKeyBlock which is signed. The
keyEstablishmentData field contains the
KeyEstablishementData (defined in section 4.2.4), i.e. the
actual encrypted temporary key (see section 2.2.3). The
encryptionMethod indicates the algorithm used to encrypt
the encryptedKey. The issuingKDS is the name of the KD-
Server who produced the PublicTicket. The uniqueNumber is a
value (containing a timestamp and a random number) which
prevents replay of the PublicTicket. validityTime specifies
the times for which the PublicTicket is valid. creationTime
contains the time at which the PublicTicket was created.
signature
Contains the signature calculated by the issuingKDS on the
signedPKBPart field.
certificate
If present, contains the public key certificate of the
issuing KDS.
The KeyEstablishmentData contains the following fields :
encryptedPlainKey
Contains the encrypted key. The BIT STRING contains the result of
encrypting a PlainKey structure.
targetName
If present, contains the name of the target application. This is
necessary for some of the SESAME KD-schemes.
nameHashingAlg
Specifies the algorithm which is used to calculate the hashedName
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 29]
internet-draft November 22, 1996
field of the PlainKey.
hniPlainKey
hniIssuingKDS
Used as input to a hashing algorithm as a general means to
prevent ciphertext stealing attacks.
plainKey
Contains the actual bits of the plaintext key which is to be
established.
hashedName
A hash of the name of the encrypting KDS calculated using the
plainkey and KDS name as input (within the HashedNameInput
structure). The algorithm identified in nameHashingAlg is used to
calculate this value.
targetName
If present, contains the name of the target for which the
PublicTicket was originally produced. This may be different from
the targetIdentity field of the initialContextToken if caching of
PublicTickets has been implemented.
4.2.3. Data elements for the asymmetric kd-scheme
The targetPart contains an SPKM_REQ. The syntax of SPKM_REQ is
given in appendix A.3. The profile of SPKM_REQ that is supported
in this scheme is given in Table 4.
4.3. Dialogue Key Block
Dialogue Key Block constructs are used to specify how the
integrity dialogue key and confidentiality dialogue key should be
derived from the basic key, and specify the cryptographic
algorithms with which the keys should be used.
The DialogueKeyBlock is composed of the following fields:
integKeySeed
A random number, optionally concatenated with a time value to
ensure uniqueness, used as input to the one way function
specified in integKeyDerivationInfo.
confKeySeed
A random number, optionally concatenated with a time value to
ensure uniqueness, used as input to the one way function
specified in confKeyDerivationInfo.
integKeyDerivationInfo
Key derivation information for the integrity dialogue key, as
follows:
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 30]
internet-draft November 22, 1996
owfId
The one way algorithm which takes the basic key XOR the
seed as input, resulting in the integrity dialogue key.
keySize
The size of the key in bits. If the algorithm identified by
owfId produces a larger key, it is reduced by masking to
this length, losing its most significant end.
confKeyDerivationInfo
Key derivation information for the confidentiality dialogue key.
The fields in this construct have the same meanings as defined
above for the integrity dialogue key.
Note:
It may be insecure to specify the same derivation algorithms and
seeds for both integrity and confidentiality dialogue keys,
particularly if they are to be of different lengths.
integDKuseInfo
Information describing how the integrity dialogue key is to be
used, as follows:
useAlgId
The symmetric or asymmetric reversible encryption algorithm
with which the integrity dialogue key is to be used.
useHashAlgId
The one way function with which the integrity dialogue key
is to be used. It is the hash produced by this algorithm on
the data to be protected which is encrypted using useAlgId.
confDKuseInfo
Information describing how the confidentiality key is to be used.
The useHashAlgId construct is not used here.
4.4. Attribute Definitions
4.4.1. Privilege attributes
4.4.1.1. Access Identity
The access identity represents an identity that the principal is
permitted to use for access control purposes.
4.4.1.2. Group
The group represents a characteristic common to several
principals. A security context may contain more than one group
for a given principal.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 31]
internet-draft November 22, 1996
4.4.1.3. Primary group
The primary group represents a unique group to which a principal
belongs. A security context must not contain more than one
primary group for a given principal.
4.4.1.4. Role attribute
The role attribute represents a principal's role as might be used
in a role based access control policy. For example it can represent
a job position an individual may have within a company.
4.4.2. Miscellaneous attributes
4.4.2.1. Audit Identity
Audit identity represents an identity unique to principal to be
used for accountability purposes.
4.4.2.2 Other
Other miscellaneous attributes are
defined in ECMA-219 but are not currently supported in SESAME V5.
4.4.3. Qualifier Attributes
When a targetQualifiication or delegateTargetQualification method
is present in the PAC, the syntax used for the method parameters
is securityAttribute.
4.4.3.1. Target Attributes
Within a PAC protection method, targets can be identified by name
or other attributes to indicate whether they are allowed to accept
or both accept and forward that PAC.
Other than name, the only target attribute supported in SESAME V5 is the
Application Trust Group (see below)..
4.4.3.2. Application Trust Groups
Within a PAC protection method, an application trust group name
specifies the name of a set of targets allowed to accept or both
accept and forward that PAC.
The universal application trust group (see section 2) is specified
by using an empty string value. See also section 2.2.1.5.
5. ALGORITHMS AND CIPHERTEXT FORMATS
Cryptographic and hashing algorithms are used for various
purposes within the SESAME GSS-API mechanism. This section
categorises these algorithms according to usage so that context
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 32]
internet-draft November 22, 1996
initiators and acceptors can more easily determine if they have
the cryptographic support required to allow inter-operation. The
categorisation is then refined into cryptographic profiles that
can be incorporated into specific mechanism identifiers for the
purpose of mechanism negotiation.
The table below summarises the different uses to which algorithms
are put within the SESAME GSS-API mechanism.
Use Description of use Type of Algorithm
Reference
2 PAC protection OWF + asymmetric
using signature signature
3 basic key usage symmetric
confidentiality and
integrity
4 integrity dialogue OWF
key derivation
5 integrity dialogue symmetric integrity
key usage
6 CA public keys OWF + asymmetric
signature
7 encryption using symmetric
shared long term confidentiality.
symmetric key
8 name hash to OWF
prevent ciphertext
stealing
9 asymmetric basic asymmetric encryption
key distribution and OWF + signature
10 key estab. within (fixed value)
SPKM_REQ
11 confidentiality OWF
dialogue key
derivation
12 confidentiality symmetric
dialogue key use confidentiality
Table 5 - Summary of algorithm uses:
The algorithms can now be further categorised into broader
classes as follows:
Class 1: symmetric for security of mechanism:
Uses 3, 5, 7
Class 2: all OWFs:
Uses 2, 4, 6, 8, 11
Class 3: internal mechanism asymmetric, encrypting:
Use 9
Class 4: internal mechanism asymmetric, non-encrypting:
Use 2
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 33]
internet-draft November 22, 1996
Class 5: CA's asymmetric non-encrypting:
Use 6
Class 6: Data confidentiality, symmetric:
Use 12
Use 10 is a fixed value, and does not contribute to mechanism use
options. The fixed value for this has already been defined above.
Based on these classes, the following cryptographic algorithm
usage profiles are defined. Other profiles are possible and can
be defined as required. Note that symmetric algorithm key sizes
are included in this profiling, thus DES/64 indicates DES with a
64 bit key.
Profile 1: Profile 2: Profile 3: Profile 5:
Full No user Exportable Defaulted
data
Confiden
tiality
Class 1 DES/64 DES/64 RC4/128 separately
agreed
default
Class 2 MD5 MD5 MD5 separately
agreed
default
Class 3 RSA RSA RSA separately
agreed
default
Classes 4 and 5 RSA RSA RSA separately
agreed
default
Class 6 DES/64 None RC4/40 separately
agreed
default
Table 6 - Algorithm profiles
Where:
- Profile 1 provides full security, using standard cryptographic
algorithms with commonly accepted key sizes.
- Profile 2 is the same but without supporting any
confidentiality of user data.
- Profile 3 is exportable under many countries' legislations,
- Profile 5 uses algorithms identified by a separately specified
default. It is intended for use by organisations who wish to
use their own proprietary or government algorithms by separate
agreement or negotiation.
The next section shows how these algorithm profiles can be used
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 34]
internet-draft November 22, 1996
to extend the architectural key distribution schemes to form
negotiable SESAME mechanism choices.
6. SESAME MECHANISM NEGOTIATION
Preceding sections have separately defined the alternatives
allowed by the generic SESAME mechanism in terms of key
distribution schemes and the use of cryptographic and hash
algorithms within the data elements.
This section brings these together by defining the specific
SESAME mechanism identifiers which correspond to each combination
of the available options under these headings. These specific
mechanism identifiers are intended to be negotiable using a
generic GSS-API negotiation scheme (like [SNEGO]).
The approach is to use the key distribution schemes to form
broad architectural mechanism options, as follows (more options
are defined by ECMA, hence the numbering):
Architectural Description of Key Distribution
Mechanism Mechanism Option Scheme(s)
Number
2 Symmetric key symmIntradomain
distribution
3 Symmetric initiator symmIntradomain;
and target; hybridInterdomain
Asymmetric KD-
Servers;
6 Asymmetric Initiator asymmetric
and Target
Table 7 - Key Distribution Mechanism Options
Each of the security mechanism options described above represents
a key distribution scheme.
Generic GSS-API mechanism negotiation will be carried out on the
basis of the generic SESAME mechanism OBJECT IDENTIFIER
concatenated with an architectural mechanism number from table 7,
and an algorithm profile reference number from table 6. Thus the
form of a negotiable SESAME mechanism is:
SESAME Mechanism OID , V , Y , Z
^ ^ ^
| | |
| | +-- algorithm
| | profile
| |
| +---------- architectural option
|
+------------------ version
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 35]
internet-draft November 22, 1996
Thus a SESAME V5 mechanism using a fully symmetric key distribution
scheme and an exportable cryptographic algorithm profile would
have an OBJECT IDENTIFIER of:
{ generic-sesame-mech (5) (2) (3) }
A SESAME mechanism using a fully asymmetric initiator and target
architectural scheme, and an algorithm profile not supporting
user data confidentiality would have an OBJECT IDENTIFIER of:
{ generic-sesame-mech (5) (6) (2) }
Not all combinations of key distribution scheme and algorithm
profile are meaningful, however, but those that are, are intended
to be negotiable using a generic GSS-API negotiation scheme such
as [SNEGO].
Where information is returned from the target to the initiator as
a result of negotiation then for the SESAME mechanism the
information should contain the public key certificates required
for the initiator to be able to use the selected KD-Scheme. For
example, if the asymmetric KD-Scheme is to be used the target
should return to the initiator the public key certificate of the
targetAEF (containing the target's own name in the extensions
field). The syntax of the mechanism specific information is the
`Certificates' ASN.1 type defined in the AuthenticationFramework.
(To allow multiple certificates to be passed to the initiator.)
7. NAME TYPES
Because [Kerberos] does not support Directory Names (DNs), SESAME
uses two distinct naming conventions, Kerberos and X.500.
7.1. Kerberos naming
SESAME uses the Kerberos V5 Authentication Server protocol for
password based authentication, so SESAME principals are given
Kerberos principal names. Moreover, the SESAME security domain is
equivalent to a Kerberos realm, so Kerberos realm names are used
to identify SESAME security domains. In SESAME, an entity that
uses the normal Kerberos V5 authentication via a password is
given a printable Kerberos principal name of the form :
<principal_name>@<realm_name>
Notes:
1. Components of a name can be separated by `/`.
2. The separator `@` signifies that the remainder of the string
following the `@` is to be interpreted as a realm identifier. If
no `@` is encountered, the name is interpreted in the context of
the local realm. Once an `@` is encountered, a non-null realm
name, with no embedded `/` separators, must follow. The `\`
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 36]
internet-draft November 22, 1996
character is used to quote the immediately-following character.
SESAME reserves two specific Kerberos principal names for its own
use:
- for the SESAME Security Server (containing the AS, PAS and KDS):
krbtgt/<realm_name>@<realm_name>
- for the SESAME PVF :
pvf/<host_name>/<realm_name>@<realm_name>
The realm_name in each of these constructs is repeated for
compatibility with Kerberos.
Note that a <host_name> or a <realm_name> might take the form of
an Internet Protocol domain name, and so a name like:
pvf/mybox.bull.fr/sesame.bull.fr@sesame.bull.fr
is a valid principal name for a SESAME PVF.
When invoking gss_import_name, a Kerberos principal name type can
be identified using either gss_ses_krb5_oid or
GSS_KRB5_NT_PRINCIPAL_NAME symbolic names. A Kerberos service
name type can be identified using either gss_ses_krb5_oid or
GSS_KRB5_NT_HOSTBASED_ SERVICE_NAME symbolic names.
7.2. Directory Naming
As described elsewhere, SESAME uses public key technology
supported by Directory Certificates, so for this purpose SESAME
entities are given DNs. Such names are built from components
separated by a semicolon. The standardised keywords supported by
SESAME are :
CN (common-name).
S (surname),
OU (organisational-unit),
O (organisation),
C (country),
So an example of a DN supported at SESAME is:
CN=Martin;OU=sesame;O=bull;C=fr
SESAME defines a set of reserved common-name parts for DNs for
the core SESAME security components, as follows:
the PAS: CN=SesamePAS.<realm_name>[;...]
the AS: CN=SesameAS.<realm_name>[;...]
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 37]
internet-draft November 22, 1996
the KDS: CN=SesameKDS.<realm_name>[;...]
the PVF: CN=pvf.<host_name>[;...]
the security domain: CN=SesameDomain.<realm_name>[;...]
where <realm_name> is the name of the Kerberos
realm to which the entity belongs.
Note that there is no generic rule for mapping the Directory Name
of a SESAME entity to its Kerberos principal name, so SESAME
provides an explicit mapping in a principal's Directory
Certificate, using the extensions field of the extended Directory
Certificate syntax (version 3) to carry the principal's Kerberos
name.
Note also that in the case of a PVF's Directory Certificate, the
names of the applications supported by the PVF are also held in
this field, preceded by the Kerberos principal name of the PVF
itself. In the absence of such a certificate (i.e. if the PVF
does not have a key pair of its own) the list of application
names can be held (e.g. in a file) in the KDS.
In SESAME the syntax of the Login Name is imported from the
Kerberos Version 5 GSS-API Mechanism. This form of name is
referred to using the symbolic name: GSS_KRB5_NT_PRINCIPAL.
Syntax details are given in [KRB5GSS].When a principal possesses
a private key for authentication, the login name is also stored
in an extension field of the principal's Directory Certificate so
that it can be linked to the principal's Distinguished Name.
8. SECURITY CONSIDERATIONS
Security issues are discussed throughout this memo.
9. PATENTS
Three patents apply. One from Bull and two from ICL.
9.1. BULL PATENT
A patent with the French number 2,662,007 and the French title
"Procedure d'obtention d'une attestation en clair securisee dans
un environnement de systeme informatique distribue " ( Method for
obtaining a securitized clear text attestation in a distributed
data processing system environment ) has been filed on May 10, 1990
under the number 90.05829 and is also registered in the following
countries under the following numbers :
- European Patent No 91401138.2 (designated states: Germany,
France, GB, Italy, Netherlands, and Sweden),
- Canadian Patent No 2,041,761,
- US Patent No 5,214,700.
The inventors are : Philippe Caille and Denis Pinkas.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 38]
internet-draft November 22, 1996
9.2. ICL PATENTS
9.2.1. PAC USE MONITOR (C1167 )
A patent based on GB 9010603.0 with the title "Access Control in
a Distributed Computer System" has been filed on May 11, 1990 and
has also be registered in the following countries under the
following numbers :
- Australia Patent No: 634653 granted: 25/02/93
- European Application No: 91303752.9 filed: 25/04/91
(Designated states: Germany, France, GB, Italy, Netherlands.)
- United States Patent No: 5339403 granted: 16/08/94
- South Africa Patent No: 91/3322 granted: 12/12/91
The inventor is : Parker T A.
It uses the term "PAC use monitor" which corresponds to what is
called in this specification the "targetAEF".
9.2.2. PROXY CONTROL (C1179)
A patent based on GB 9104909.8 with the title "Access Control in
a Distributed Computer System" has been filed on August 3, 1991 and
has also be registered in the following countries under the
following numbers :
- Australia Patent No: 655960 granted: 19/01/95
- European Application No:92301081.3 filed: 19/02/92
(Designated states: Belgium, Germany, France, GB, Italy)
- Japan Application No 48618/1992 filed: 05/03/92
- United States Patent No: 5220603 granted: 15/06/93
- South Africa Patent No: 92/1425 granted: 15/09/92
The inventor is : Parker T A.
It uses the term "Proxy control" which corresponds to what is
called in this specification the PPID method.
10. ACKNOWLEDGEMENTS
The SESAME project has been carried out by Bull SA, ICL and
Siemens (SNI, Siemens ZFE and SSE) under part funding from the
CEC as RACE project R2051.
With apologies to those omitted, the following are amongst the
people who have made significant contributions to the ECMA and
SESAME work: Helmut Baumgaertner, John Cosgrove, Philippe Caille,
Hiep Doan, Belinda Fairthorne, Peter Hartmann, Keith Howker,
Per Kaijser, Jacques Lebastard, Ronan Long, Piers McMahon,
Frank O'Dwyer, Denis Pinkas, Mike Roe, Laurent Rouilhac, Jean Louis
Roule, Don Salmon, Asmund Skomedal and Mark Van DenWauver.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 39]
internet-draft November 22, 1996
11. REFERENCES
ECMA-219 ECMA-219 Second Edition, March 1996, Authentication
and Privilege Attribute Application with related key
distribution functions. This standard is available
free of charge from: ECMA 114 Rue du Rhone
CH-1204 Geneva (Switzerland).
Internet : helpdesk@ecma.ch
This standard can also be downloaded using one of the
following URLs:
ftp://ftp.ecma.ch/ecma-st/e219-doc.exe ;
ftp://ftp.ecma.ch/ecma-st/e219-exp.txt ;
ftp://ftp.ecma.ch/ecma-st/e219-pdf.pdf ;
ftp://ftp.ecma.ch/ecma-st/e219-psc.exe .
GSS-API 1. Internet RFC 1508 Generic Security Service API
(J. Linn, September 1993)
2. X/Open P308 Generic Security Service API
(GSS-API) Base
3. Internet RFC 1509 "Generic Security Service API:
C-Bindings"
Kerberos Internet RFC 1510 The Kerberos Network
Authentication Service (V5) (J. Kohl and C.
Neumann, September 1993)
ISO/IEC 9594-8 ISO/IEC 9594-8, Information Processing Systems -
Open Systems Interconnection - The Directory -
Part 8: Authentication Framework (X.509)
KERB5GSS Internet RFC 1964, The Kerberos Version 5
GSS-API Mechanism (J. Linn, June 1996)
XGSSAPI draft-ietf-cat-xgssapi-acc-cntrl-01.txt: Extended
Generic Security Service APIs: XGSS-APIs (Denis
Pinkas and Piers McMahon, July 1996)
SESOV SESAME Overview, Version 4, (Tom Parker and Denis
Pinkas, December 1995)
SPKM RFC 2025 The Simple Public-Key GSS-API Mechanism
(C. Adams, OCtober 1996)
SNEGO draft-ietf-cat-snego-01 Simple GSS-API
Negotiation Mechanism (Eric Baize and Denis
Pinkas, October 1996)
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 40]
internet-draft November 22, 1996
12. AUTHOR'S ADDRESSES
Eric Baize,
Bull HN - MA02/211S
Technology Park
Billerica, MA 01821,
USA.
email: E.Baize@ma02.bull.com
Stephen Farrell
Software and Systems Engineering Ltd.
Fitzwilliam Court,
Dublin 2,
IRELAND.
email: Stephen.Farrell@sse.ie
Tom Parker,
The Solution Centre,
ICL,
Lovelace Road,
Bracknell,
Berkshire RG12 8SN
UK
email: t.a.parker@win0199.wins.icl.co.uk
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 41]
internet-draft November 22, 1996
APPENDIX A: ASN.1 MODULE DEFINITIONS
A.1. SESAME ASN.1 Definitions
SESAME-gss-api-types { tbs }
DEFINITIONS ::=
BEGIN
-- exports everything
IMPORTS
Name
FROM InformationFramework
{joint-iso-ccitt(2) ds(5) module(1)
informationFramework(1) }
Certificate, AlgorithmIdentifier, Validity,
CertificationPath
FROM AuthenticationFramework
{joint-iso-ccitt(2) ds(5) module(1)
authenticationFramework(7) }
HostAddress, Ticket
FROM SESAME-Kerberos-Definitions { tbs }
SPKM-REQ
FROM SESAME-SPKM-Definitions { tbs };
-- OBJECT IDENTIFIERS
access-identity-privilege ::= OBJECT IDENTIFIER
{ privilege-attribute 2 }
audit-id-misc ::= OBJECT IDENTIFIER { misc-attribute 2 }
generic-sesame-mech ::= OBJECT IDENTIFIER {1.3.12.1.46.1}
generic-sesame-oids ::= OBJECT IDENTIFIER {1.3.12.1.46}
-- top of the SESAME types arc
group-privilege ::= OBJECT IDENTIFIER { privilege-attribute 4 }
kd-schemes OBJECT IDENTIFIER ::= { generic-sesame-oids 9}
-- ECMA-defined arc for SESAME key distribution schemes
symmIntradomain OBJECT IDENTIFIER ::= {kd-schemes 1}
hybridInterdomain OBJECT IDENTIFIER ::= {kd-schemes 3}
asymmetric OBJECT IDENTIFIER ::= {kd-schemes 6}
-- supported key distribution schemes
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 42]
internet-draft November 22, 1996
misc-attribute OBJECT IDENTIFIER ::=
{ generic-sesame-oids misc-attribute(3) }
-- OID below which miscellaneous attributes are defined
primary-group-privilege ::= OBJECT IDENTIFIER{privilege-attribute 3}
privilege-attribute OBJECT IDENTIFIER ::=
{ generic-sesame-oids privilege-attribute(4) }
-- OID below which privilege attributes are defined
qualifier-attribute OBJECT IDENTIFIER ::=
{ generic-sesame-oids qualifier-attribute (4) }
-- OID below which qualifier attributes are defined
role-privilege ::= OBJECT IDENTIFIER { privilege-attribute 1 }
sesame-key-estb-alg AlgorithmIdentifier ::= {kd-schemes, NULL }
-- indicates a SESAME key establishment structure within
-- an SPKM_REQ structure
target-name-qualifier OBJECT IDENTIFIER ::= { qualifier-attribute 1 }
trust-group-qualifier OBJECT IDENTIFIER ::= { qualifier-attribute 2 }
-- Types in alphabetical order
AccessPrivilegeValueSyntax ::= Identifier
AuditIdValueSyntax ::= Identifier
CDTContents ::= SEQUENCE {
tokenType [0] OCTET STRING VALUE X'0301',
SAId [1] OCTET STRING,
utcTime [2] UTCTime OPTIONAL,
usec [3] INTEGER OPTIONAL,
seq-number [4] INTEGER OPTIONAL,
}
CertandECV ::= SEQUENCE {
certificate [0] GeneralisedCertificate,
ecv [1] ECV, OPTIONAL}
-- ECV is defined in later
CertificateBody ::= CHOICE{
encryptedBody [0] BIT STRING,
normalBody [1] SEQUENCE{
commonContents [0] CommonContents,
specificContents[1] SpecificContents
}
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 43]
internet-draft November 22, 1996
CertificateId ::= SEQUENCE {
issuerDomain [0] Identifier OPTIONAL,
issuerIdentity [1] Identifier,
serialNumber [2] INTEGER
}
-- serialNumber is the same as in [ISO/IEC 9594-8]
CheckValue ::= CHOICE{
signature [0] Signature
-- only signature supported here
}
CommonContents ::= SEQUENCE{
comConSyntaxVersion [0] INTEGER { version1 (1) }DEFAULT 1,
issuerDomain [1] Identifier OPTIONAL,
issuerIdentity [2] Identifier,
serialNumber [3] INTEGER,
creationTime [4] UTCTime OPTIONAL,
validity [5] Validity,
algId [6] AlgorithmIdentifier,
hashAlgId [7] AlgorithmIdentifier OPTIONAL
}
ContextDeleteToken ::= SEQUENCE {
cdtContents [0] CDTContents,
cdtSeal [1] Seal
-- seal over cdtContents, encrypted
-- under the Integrity Dialogue Key
-- contains only the sealValue field
}
CValues ::= SEQUENCE OF SEQUENCE {
index [0] INTEGER,
value [1] BIT STRING
}
DialogueKeyBlock ::= SEQUENCE {
integKeySeed [0] SeedValue,
confKeySeed [1] SeedValue,
integKeyDerivationInfo [2] KeyDerivationInfo OPTIONAL,
confKeyDerivationInfo [3] KeyDerivationInfo OPTIONAL,
integDKuseInfo [4] DKuseInfo OPTIONAL,
confDKuseInfo [5] DKuseInfo OPTIONAL
}
DKuseInfo ::= SEQUENCE {
useAlgId [0] AlgorithmIdentifier,
useHashAlgId [1] AlgorithmIdentifier OPTIONAL
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 44]
internet-draft November 22, 1996
ECV ::= SEQUENCE {
crypAlgIdentifier [0] AlgorithmIdentifier OPTIONAL,
cValues [1] CHOICE {
encryptedCvalueList [0] BIT STRING,
individualCvalues [1] CValues
}
}
ErrorArgument ::= ENUMERATED {
gss_ses_s_sg_server_sec_assoc_open (1),
gss_ses_s_sg_incomp_cert_syntax (2),
gss_ses_s_sg_bad_cert_attributes (3),
gss_ses_s_sg_inval_time_for_attrib (4),
gss_ses_s_sg_pac_restrictions_prob (5),
gss_ses_s_sg_issuer_problem (6),
gss_ses_s_sg_cert_time_too_early (7),
gss_ses_s_sg_cert_time_expired (8),
gss_ses_s_sg_invalid_cert_prot (9),
gss_ses_s_sg_revoked_cert (10),
gss_ses_s_sg_key_constr_not_supp (11),
gss_ses_s_sg_init_kd_server_ unknown (12),
gss_ses_s_sg_init_unknown (13),
gss_ses_s_sg_alg_problem_in_dialogue_key_block (14),
gss_ses_s_sg_no_basic_key_for_dialogue_key_block (15),
gss_ses_s_sg_key_distrib_prob (16),
gss_ses_s_sg_invalid_user_cert_in_key_block (17),
gss_ses_s_sg_unspecified (18),
gss_ses_s_g_unavail_qop (19),
gss_ses_s_sg_invalid_token_format (20)
}
ErrorToken ::= {
tokenType [0] OCTET STRING VALUE X'0300',
etContents [1] ErrorArgument,
}
GeneralisedCertificate ::= SEQUENCE{
certificateBody [0] CertificateBody,
checkValue [1] CheckValue}
GroupPrivilegeValueSyntax ::= SEQUENCE OF Identifier
HashedNameInput ::= SEQUENCE {
hniPlainKey [0] BIT STRING,-- the same value as plainKey
hniIssuingKDS [1] Identifier
}
ICTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0100'
SAId [1] OCTET STRING,
targetAEFPart [2] TargetAEFPart,
targetAEFPartSeal [3] Seal,
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 45]
internet-draft November 22, 1996
contextFlags [4] BIT STRING {
delegation (0),
mutual-auth (1),
replay-detect (2),
sequence (3),
conf-avail (4),
integ-avail (5)
}
utcTime [5] UTCTime OPTIONAL,
usec [6] INTEGER OPTIONAL,
seq-number [7] INTEGER OPTIONAL,
initiatorAddress [8] HostAddress OPTIONAL,
targetAddress [9] HostAddress OPTIONAL
-- imported from [Kerberos] and used as channel bindings
}
Identifier ::= CHOICE{
objectId [0] OBJECT IDENTIFIER,
directoryName [1] Name,
-- imported from the Directory Standard
printableName [2] PrintableString,
octets [3] OCTET STRING,
intVal [4] INTEGER,
bits [5] BIT STRING,
pairedName [6] SEQUENCE{
printableName [0] PrintableString,
uniqueName [1] OCTET STRING
}
}
InitialContextToken ::= SEQUENCE{
ictContents [0] ICTContents,
ictSeal [1] Seal
}
KeyDerivationInfo::= SEQUENCE {
owfId [0] AlgorithmIdentifier,
keySize [1] INTEGER
}
KeyEstablishmentData ::= SEQUENCE {
encryptedPlainKey [0] BIT STRING,-- encrypted PlainKey
targetName [1] SecurityAttribute OPTIONAL,
nameHashingAlg [2] AlgorithmIdentifier OPTIONAL
}
Method ::= SEQUENCE{
methodId [0] MethodId,
methodParams [1] SEQUENCE OF Mparm OPTIONAL
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 46]
internet-draft November 22, 1996
MethodGroup ::= SEQUENCE OF Method
MethodId ::= CHOICE{
predefinedMethod [0] ENUMERATED {
controlProtectionValues (1),
ppQualification (2),
targetQualification (3),
delegateTargetQualification (4)
}
}
MICToken ::= PMToken
Mparm ::= CHOICE{
pValue [0] PValue,
securityAttribute [1] SecurityAttribute
}
PACSpecificContents ::= SEQUENCE{
pacSyntaxVersion [0] INTEGER{ version1 (1)} DEFAULT 1,
protectionMethods [2] SEQUENCE OF MethodGroup OPTIONAL,
pacType [4] ENUMERATED{
primaryPrincipal (1),
temperedSecPrincipal (2),
untemperedSecPrincipal (3)
} DEFAULT 3,
privileges [5] SEQUENCE OF PrivilegeAttribute,
restrictions [6] SEQUENCE OF Restriction OPTIONAL,
miscellaneousAtts [7] SEQUENCE OF SecurityAttribute OPTIONAL,
timePeriods [8] TimePeriods OPTIONAL
}
PlainKey ::= SEQUENCE {
plainKey [0] BIT STRING, -- The cleartext key
hashedName [1] BIT STRING
}
PMTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0101' for a MIC
-- token and X'0201' for a Wrap
-- token.
SAId [1] OCTET STRING,
seq-number [2] INTEGER OPTIONAL,
userData [3] CHOICE {
plaintextBIT STRING,
ciphertext OCTET STRING
} OPTIONAL,
directionIndicator [4] BOOLEAN OPTIONAL
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 47]
internet-draft November 22, 1996
PMToken ::= SEQUENCE{
pmtContents [0] PMTContents,
pmtSeal [1] Seal
-- seal over the pmtContents being protected
}
PrimaryGroupValueSyntax ::= Identifier
PrivilegeAttribute ::= SecurityAttribute
PublicKeyBlock ::= SEQUENCE{
signedPKBPart [0] SignedPKBPart,
signature [1] Signature OPTIONAL,
certificate [2] Certificate OPTIONAL
}
PublicTicket ::= SEQUENCE{
krb5Ticket [0] Ticket,
publicKeyBlock [1] PublicKeyBlock}
PValue ::= SEQUENCE{
pv [0] BIT STRING,
algorithmIdentifier [1] AlgorithmIdentifier OPTIONAL
}
Restriction ::= SEQUENCE {
howDefined [0] CHOICE {
hashedExternal [0] BIT STRING, -- the hash value
signedExternal [1] BIT STRING, -- the public key
certExternal [2] CertificateId, -- user certificate
included [3] BIT STRING
},
-- the actual restriction in a form
-- undefined here
algId [1] AlgorithmIdentifier OPTIONAL,
-- either identifies the hash algorithm
-- or the public key algorithm
-- for choices 1 or 2 above.
type [2] ENUMERATED {
mandatory (1),
optional (2)} DEFAULT mandatory,
targets [3] SEQUENCE OF SecurityAttribute OPTIONAL
}
-- applies to all targets if this is omitted
RolePrivilegeValueSyntax ::= Identifier
Seal ::= SEQUENCE{
sealValue [0] BIT STRING,
symmetricAlgId [1] AlgorithmIdentifier OPTIONAL,
hashAlgId [2] AlgorithmIdentifier OPTIONAL,
targetName [3] SecurityAttribute OPTIONAL,
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 48]
internet-draft November 22, 1996
keyId [4] INTEGER OPTIONAL
}
SecurityAttribute ::= SEQUENCE{
attributeType Identifier,
attributeValue SET OF SEQUENCE {
definingAuthority [0] Identifier OPTIONAL,
securityValue [1] SecurityValue
}
}
-- NOTE: SecurityAttribute is not tagged, for compatibility
-- with the Directory Standard.
SecurityValue ::= CHOICE{
directoryName [0] Name,
printableName [1] PrintableString,
octets [2] OCTET STRING,
intVal [3] INTEGER,
bits [4] BIT STRING,
any [5] ANY -- defined by attributeType
}
SeedValue ::= SEQUENCE {
timeStamp [0] UTCTime OPTIONAL,
random [1] BIT STRING
}
SESAME-AUTHORISATION-DATA ::= SEQUENCE {
sesame-ad-type [0] ENUMERATED {
ppidType (0)
},
sesame-ad-value [1] CHOICE {
ppidValue [0]SecurityAttribute
}
}
SESAME-AUTHORISATION-DATA-TYPE ::= INTEGER { SESAME-ADATA (65) }
Signature ::= SEQUENCE{
signatureValue [0] BIT STRING,
asymmetricAlgId [1] AlgorithmIdentifier OPTIONAL,
hashAlgId [2] AlgorithmIdentifier OPTIONAL,
issuerCAName [3] Identifier OPTIONAL,
caCertInformation [4] CHOICE {
caCertSerialNumber [0] INTEGER,
certificationPath [1] CertificationPath
} OPTIONAL
}
--CertificationPath is imported from [ISO/IEC 9594-8]
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 49]
internet-draft November 22, 1996
SignedPKBPart ::= SEQUENCE{
keyEstablishmentData [0] KeyEstablishmentData,
encryptionMethod [1] AlgorithmIdentifier OPTIONAL,
issuingKDS [2] Identifier,
uniqueNumber [3] UniqueNumber,
validityTime [4] TimePeriods,
creationTime [5] UTCTime
}
SpecificContents ::= CHOICE{
pac [1] PACSpecificContents
-- only the PAC is used here
}
TargetAEFPart ::= SEQUENCE {
pacAndCVs [0] SEQUENCE OF CertandECV OPTIONAL,
targetKeyBlock [1] TargetKeyBlock,
dialogueKeyBlock [2] DialogueKeyBlock,
targetIdentity [3] SecurityAttribute,
flags [4] BIT STRING {
delegation (0)
}
}
TargetKeyBlock ::= SEQUENCE {
kdSchemeOID [2] OBJECT IDENTIFIER,
targetKDSpart [3] ANY OPTIONAL,
-- depending on kdSchemeOID
targetPart [4] ANY OPTIONAL
-- depending on kdSchemeOID
}
TargetResultToken ::= SEQUENCE{
trtContents [0] TRTContents,
trtSeal [1] Seal
}
Token ::=
[APPLICATION 0] IMPLICIT SEQUENCE {
thisMech MechType, -- the OBJECT IDENTIFIER specified below
innerContextToken ANY DEFINED BY thisMech
}
TRTContents ::= SEQUENCE {
tokenId [0] INTEGER, -- shall contain X'0200'
SAId [1] OCTET STRING,
utcTime [5] UTCTime OPTIONAL,
usec [6] INTEGER OPTIONAL,
seq-number [7] INTEGER OPTIONAL,
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 50]
internet-draft November 22, 1996
TrustGroupValueSyntax ::= Identifier
UniqueNumber ::= SEQUENCE{
timeStamp [0] UTCTime,
random [1] BIT STRING
}
Validity ::= SEQUENCE {
notBefore UTCTime,
notAfter UTCTime
} -- as in [ISO/IEC 9594-8]
-- Note: Validity is not tagged, for compatibility with the
-- Directory Standard.
WrapToken ::= PMToken
END
A.2. Kerberos ASN.1 Definitions
The SESAME GSS-API mechanism re-uses the HostAddress and Ticket
types from [Kerberos]. These are reproduced here for ease of
reference.
SESAME-Kerberos-Definitions {tbs }
DEFINITIONS ::=
BEGIN
-- exports everything
IMPORTS
-- imports nothing
-- data types
AuthorizationData ::= SEQUENCE OF SEQUENCE {
ad-type [0] INTEGER,
ad-data [1] OCTET STRING}
EncryptedData ::= SEQUENCE {
etype [0] INTEGER, -- EncryptionType
kvno [1] INTEGER OPTIONAL,
cipher [2] OCTET STRING -- ciphertext}
EncryptionKey ::= SEQUENCE {
keytype [0] INTEGER,
keyvalue [1] OCTET STRING}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 51]
internet-draft November 22, 1996
EncTicketPart ::= [APPLICATION 3] SEQUENCE {
flags [0] TicketFlags,
key [1] EncryptionKey,
crealm [2] Realm,
cname [3] PrincipalName,
transited [4] TransitedEncoding,
authtime [5] KerberosTime,
starttime [6] KerberosTime OPTIONAL,
endtime [7] KerberosTime,
renew-till [8] KerberosTime OPTIONAL,
caddr [9] HostAddresses OPTIONAL,
authorization-data [10] AuthorizationData OPTIONAL}
HostAddress ::= SEQUENCE {
addr-type [0] INTEGER,
address [1] OCTET STRING}
HostAddresses ::= SEQUENCE OF SEQUENCE {
addr-type [0] INTEGER,
address [1] OCTET STRING}
KerberosTime ::= GeneralizedTime
-- Specifying UTC time zone (Z)
PrincipalName ::= SEQUENCE {
name-type [0] INTEGER,
name-string [1] SEQUENCE OF GeneralString}
Realm ::= GeneralString
Ticket ::= [APPLICATION 1] SEQUENCE {
tkt-vno [0] INTEGER,
realm [1] Realm,
sname [2] PrincipalName,
enc-part [3] EncryptedData} -- decrypts to
EncTicketPart
TicketFlags ::= BIT STRING {
reserved (0), -- not supported in the SESAME mechanism
forwardable (1), -- not supported in the SESAME mechanism
forwarded (2), -- not supported in the SESAME mechanism
proxiable (3), -- not supported in the SESAME mechanism
proxy (4), -- not supported in the SESAME mechanism
may-postdate (5), -- not supported in the SESAME mechanism
postdated (6),
invalid (7), -- not supported in the SESAME mechanism
renewable (8), -- not supported in the SESAME mechanism
initial (9), -- not supported in the SESAME mechanism
pre-authent (10),
hw-authent (11)}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 52]
internet-draft November 22, 1996
TransitedEncoding ::= SEQUENCE {
tr-type [0] INTEGER, -- must be registered
contents [1] OCTET STRING}
-- the TransitedEncoding construct is not used in the SESAME
-- mechanism.
END
A.3. SPKM ASN.1 Definitions
The SESAME GSS-API mechanism re-uses the SPKM-REQ type from
[SPKM]. These are reproduced here for ease of reference.
SESAME-SPKM-Definitions {tbs }
DEFINITIONS ::=
BEGIN
-- exports everything
IMPORTS
AuthorizationData
FROM SESAME-Kerberos-Defintions { tbs }
AlgorithmIdentifier, Certificate, CertificateList,
CertificatePair, CertificatePath
FROM AuthenticationFramework {
joint-iso-ccitt ds(5) modules(1)
authenticationFramework(7) }
Name
FROM InformationFramework {
joint-iso-ccitt ds(5) modules(1)
informationFramework(1) }
-- data types
CertificationData ::= SEQUENCE {
certificationPath [0] CertificationPath OPTIONAL,
certificateRevocationList [1] CertificateList OPTIONAL
} -- at least one of the above shall be present
CertificationPath ::= SEQUENCE {
userKeyId [0] OCTET STRING OPTIONAL,
-- identifier for user's public key
userCertif [1] Certificate OPTIONAL,
-- certificate containing user's public key
verifKeyId [2] OCTET STRING OPTIONAL,
-- identifier for user's public
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 53]
internet-draft November 22, 1996
-- verification key
userVerifCertif [3] Certificate OPTIONAL,
-- certificate containing user's public
-- verification key
theCACertificates [4] SEQUENCE OF CertificatePair OPTIONAL
-- certification path from target to source
}
ChannelId ::= OCTET STRING
Conf_Algs ::= CHOICE {
SEQUENCE OF AlgorithmIdentifier,
NULL -- used when conf. is not available
-- over context
} -- for C-ALG
Context_Data ::= SEQUENCE {
channelId ChannelId, -- channel bindings
seq_number INTEGER OPTIONAL, -- sequence number
options Options,
conf_alg Conf_Algs, -- confidentiality. algs.
intg_alg Intg_Algs -- integrity algorithm
}
ENCRYPTED MACRO ::=
BEGIN
TYPE NOTATION ::= type(ToBeEnciphered)
VALUE NOTATION ::= value(VALUE BIT STRING)
END -- of ENCRYPTED
HASHED MACRO ::=
BEGIN
TYPE NOTATION ::= type ( ToBeHashed )
VALUE NOTATION ::= value ( VALUE OCTET STRING )
END -- hash used is the one specified for the MANDATORY I-ALG
Intg_Algs ::= SEQUENCE OF AlgorithmIdentifier -- for I-ALG
Key_Estb_Algs ::= SEQUENCE OF AlgorithmIdentifier -- to allow
negotiation of K-ALG
MAC MACRO ::=
BEGIN
TYPE NOTATION ::= type ( ToBeMACed )
VALUE NOTATION ::= value ( VALUE
SEQUENCE {
algId AlgorithmIdentifier,
mac BIT STRING
}
)
END
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 54]
internet-draft November 22, 1996
Options ::= BIT STRING {
delegation_state (0),
mutual_state (1),
replay_det_state (2), -- used for replay det.
-- during context
sequence_state (3), -- used for sequencing
-- during context
conf_avail (4),
integ_avail (5),
target_certif_data_required (6) -- used to request
-- targ's certif. data
}
Random_Integer ::= BIT STRING
Req_Integrity ::= CHOICE {
sig_integ [0] SIGNATURE REQ_TOKEN,
mac_integ [1] MAC REQ_TOKEN
}
REQ_TOKEN ::= SEQUENCE {
tok_id INTEGER, -- shall contain 0100 (hex)
context_id Random_Integer,
pvno BIT STRING, -- protocol version number
timestamp UTCTime OPTIONAL,
-- mandatory for SPKM-2
randSrc Random_Integer,
targ_name Name,
src_name Name, -- may be a value indicating
-- "anonymous"
req_data Context_Data,
validity [0] Validity OPTIONAL,
-- validity interval for key
-- (may be used in the
-- computation of security
-- context lifetime)
key_estb_set [1] Key_Estb_Algs, -- specifies set of key
-- establishment algorithms
key_estb_req BIT STRING OPTIONAL,
-- key estb. parameter corresponding to first K-ALG in set
-- (not used if initiator is unable or unwilling to
-- generate and securely transmit key material to target).
-- Established key must be sufficiently long to be used
-- with any of the offered confidentiality algorithms.
key_src_bind HASHED SEQUENCE {
src_name Name,
symm_key BIT STRING}OPTIONAL
-- used to bind the source name to the symmetric key
-- (i.e., the unprotected version of what is
-- transmitted in key_estb_req).
}
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 55]
internet-draft November 22, 1996
SIGNATURE MACRO ::=
BEGIN
TYPE NOTATION ::= type (OfSignature)
VALUE NOTATION ::= value(VALUE
SEQUENCE {
AlgorithmIdentifier,
ENCRYPTED OCTET STRING
}
)
END
SPKM_REQ ::= SEQUENCE {
requestToken REQ_TOKEN,
req_integrity Req_Integrity,
certif_data [2] CertificationData OPTIONAL,
auth_data [3] AuthorizationData OPTIONAL
-- see [Kerberos] for a discussion of authorization data
}
Validity ::= SEQUENCE {
notBefore UTCTime,
notAfter UTCTime }
END
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 56]
internet-draft November 22, 1996
APPENDIX B: Profiling of KD-schemes
The following tables provide profiling information for the data
elements defined above and in appendices A.1 and A.2. The tables
indicate which optional fields must be present for each of the
KD-Schemes and indicate the values which are required to be present
in all fields.
B.1. Profile of Ticket as used in symmIntradomain scheme
Field Value/Constraint
----- ----------------
tkt-vno 5
realm ticket issuer's domain name in Kerberos realm
name form
sname target application name including the realm of
the target
- EncTicketPart encrypted with long term key of target AEF
-- flags only bits 6, 10 and 11 can be meaningful in
the context of the SESAME mechanism, the rest
are ignored
-- key the basic key
-- crealm initiator domain name in Kerberos realm name
form
-- cname principal name of the initiator (in the case
of delegation the cname will be that of the
delegate)
-- transited not used
-- authtime the time at which the initiator was
authenticated
-- starttime not used
-- endtime the time at which the ticket becomes invalid
-- renew-till not used
-- caddr not used
-- authorization- contains the PPID corresponding to cname
data
Table 2 - Kerberos ticket fields supported
B.2. Profile of PublicTicket as used in hybridInterdomain scheme
Field Value/Constraint
----- ----------------
krb5Ticket
- tkt-vno 5
- realm initiator domain name in Kerberos realm name
form
- sname target application name including the realm
of the target
-- EncTicketPart encrypted with temporary key (which is in
turn encrypted within the
keyEstablishmentData field)
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 57]
internet-draft November 22, 1996
--- flags only bits 6, 10 and 11 can be meaningful in
the context of the SESAME mechanism, the
rest are ignored
--- key the basic key
--- crealm initiator domain name in Kerberos realm name
form
--- cname principal name of the initiator (in the case
of delegation the cname will be that of the
delegate)
--- transited not used
--- authtime the time at which the initiator was
authenticated
--- starttime not used
--- endtime the time at which the ticket becomes invalid
--- renew-till not used
--- caddr not used
--- authorization- contains the PPID corresponding to cname
data publicKeyBlock
- signedPKBPart
-- encryptedKey KeyEstablishmentData structure
-- encryptionMethod sesame-key-estb-alg
-- issuingKDS X.500 name of initiator's KDS (the signer)
-- uniqueNumber creation time of publicKeyBlock plus a
random bit string
-- validityTime only one period allowed
-- creationTime creation time of publicKeyBlock
- signature contains all the signing information as well
as the actual signature bits
- certificate optional
Table 3 - PublicTicket fields supported
B.3. Profile of SPKM_REQ as used in asymmetric scheme
Field Value/Constraint
----- ----------------
requestToken
- tok_id not used - fixed value of `0'
- context_id not used - fixed value of bit string
containing one zero bit
- pvno not used - fixed value of bit string
containing one zero bit
- timestamp creation time of SPKM_REQ - required
- randSrc random bit string
- targ_name X.500 Name of target AEF
- src_name X.500 Name of initiator
- req_data
-- channelId not used - octet string of length one value
`00'H
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 58]
internet-draft November 22, 1996
-- seq_number missing
-- options not used - all bits set to zero
-- conf_alg not used - use NULL CHOICE
-- intg_alg not used - use a SEQUENCE OF with zero
elements
- validity mandatory
- key_estb_set only one element supplied containing sesame-
-key-estb-alg
- key_estb_req contains KeyEstablishmentData with
targetApplication field missing
- key_src_bind missing
req_integrity sig_integ mandatory
certif_data only userCertificate field supported
auth_data missing
Table 4 - SPKM_REQ fields supported
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 59]
internet-draft November 22, 1996
APPENDIX C: ECMA BACKGROUND MATERIAL.
ECMA's work was based on the OSI Architecture [ISO 7498-2], and
the series of Security Frameworks developed in ISO/IEC JTC1 [ISO
10181]. A Technical Report, [ECMA TR/46] published in 1988,
concentrates on the application layer and describes a security
framework in terms of application functions necessary to build
secure open systems. The continuation of this report, [ECMA-138],
defines the abstract security services for use in a distributed
system. A parallel standard, [ECMA-206], describes a model for
establishing secure relationships between applications in a
distributed system. ECMA has recently completed work to define
the functionality and the protocols for a distributed security
service in charge of authenticating and distributing access
rights to human and application principals, along with supportive
key distribution functions. The ECMA standard which is the result
of that work is called ECMA-219 [ECMA-219]. It was approved by
the ECMA General Assembly in December 1994 and released in
January 1995.
Baize, Farrell, Parker Document Expiration: 22 May 1997 [Page 60]