DASS - Distributed Authentication Security Service
RFC 1507
| Field | Value |
|---|---|
| Type | RFC - Experimental (September 1993; No errata). Was draft-ietf-cat-dass (cat WG) |
| Author | Charlie Kaufman |
| Last updated | 2013-03-02 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 1507 (Experimental) |
| Consensus Boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
Network Working Group                                         C. Kaufman
Request for Comments: 1507                 Digital Equipment Corporation
                                                          September 1993

DASS
Distributed Authentication Security Service

Status of this Memo

This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard. Discussion and suggestions for improvement are requested. Please refer to the current edition of the "Internet Official Protocol Standards" for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Table of Contents

1. Introduction ................................................ 2
   1.1 What is DASS? ........................................... 2
   1.2 Central Concepts ........................................ 4
   1.3 What This Document Won't Tell You ...................... 11
   1.4 The Relationship between DASS and ISO Standards ........ 17
   1.5 An Authentication Walkthrough .......................... 20
2. Services Used .............................................. 25
   2.1 Time Service ........................................... 25
   2.2 Random Numbers ......................................... 26
   2.3 Naming Service ......................................... 26
3. Services Provided .......................................... 37
   3.1 Certificate Contents ................................... 38
   3.2 Encrypted Private Key Structure ........................ 40
   3.3 Authentication Tokens .................................. 40
   3.4 Credentials ............................................ 43
   3.5 CA State ............................................... 47
   3.6 Data types used in the routines ........................ 47
   3.7 Error conditions ....................................... 49
   3.8 Certificate Maintenance Functions ...................... 49
   3.9 Credential Maintenance Functions ....................... 55
   3.10 Authentication Procedures ............................. 63
   3.11 DASSlessness Determination Functions .................. 87
4. Certificate and message formats ............................ 89
   4.1 ASN.1 encodings ........................................ 89
   4.2 Encoding Rules ......................................... 96
   4.3 Version numbers and forward compatibility .............. 96
   4.4 Cryptographic Encodings ................................ 97
Annex A - Typical Usage ...................................... 101
   A.1 Creating a CA ......................................... 101
   A.2 Creating a User Principal ............................. 102
   A.3 Creating a Server Principal ........................... 103
   A.4 Booting a Server Principal ............................ 103
   A.5 A user logs on to the network ......................... 103
   A.6 An Rlogin (TCP/IP) connection is made ................. 104
   A.7 A Transport-Independent Connection .................... 104
Annex B - Support of the GSSAPI .............................. 104
   B.1 Summary of GSSAPI ..................................... 105
   B.2 Implementation of GSSAPI over DASS .................... 106
   B.3 Syntax ................................................ 110
Annex C - Imported ASN.1 definitions ......................... 112
Glossary ..................................................... 114
Security Considerations ...................................... 119
Author's Address ............................................. 119

Figures

Figure 1 - Authentication Exchange Overview ................... 24

1. Introduction

1.1 What is DASS?

Authentication is a security service. The goal of authentication is to reliably learn the name of the originator of a message or request. The classic way by which people authenticate to computers (and by which computers authenticate to one another) is by supplying a password. There are a number of problems with existing password-based schemes which DASS attempts to solve.
The goal of DASS is to provide authentication services in a distributed environment which are both more secure (more difficult for a bad guy to impersonate a good guy) and easier to use than existing mechanisms. In a distributed environment, authentication is particularly challenging. Users do not simply log on to one machine and use resources there. Users start processes on one machine which may request services on another. In some cases, the second system must