DASS - Distributed Authentication Security Service
RFC 1507

Document Type RFC - Experimental (September 1993; No errata)
Last updated 2013-03-02
Stream IETF
IESG IESG state RFC 1507 (Experimental)
Network Working Group                                         C. Kaufman
Request for Comments: 1507                 Digital Equipment Corporation
                                                          September 1993

                                  DASS
              Distributed Authentication Security Service

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard.  Discussion and
   suggestions for improvement are requested.  Please refer to the
   current edition of the "Internet Official Protocol Standards" for the
   standardization state and status of this protocol.  Distribution of
   this memo is unlimited.

Table of Contents

    1.   Introduction ................................................ 2
         1.1  What is DASS? .......................................... 2
         1.2  Central Concepts ....................................... 4
         1.3  What This Document Won't Tell You ..................... 11
         1.4  The Relationship between DASS and ISO Standards ....... 17
         1.5  An Authentication Walkthrough ......................... 20
    2.   Services Used .............................................. 25
         2.1  Time Service .......................................... 25
         2.2  Random Numbers ........................................ 26
         2.3  Naming Service ........................................ 26
    3.   Services Provided .......................................... 37
         3.1  Certificate Contents .................................. 38
         3.2  Encrypted Private Key Structure ....................... 40
         3.3  Authentication Tokens ................................. 40
         3.4  Credentials ........................................... 43
         3.5  CA State .............................................. 47
         3.6  Data types used in the routines ....................... 47
         3.7  Error conditions ...................................... 49
         3.8  Certificate Maintenance Functions ..................... 49
         3.9  Credential Maintenance Functions ...................... 55
         3.10 Authentication Procedures ............................. 63
         3.11 DASSlessness Determination Functions .................. 87
    4.   Certificate and message formats ............................ 89
         4.1  ASN.1 encodings ....................................... 89
         4.2  Encoding Rules ........................................ 96
         4.3  Version numbers and forward compatibility ............. 96
         4.4  Cryptographic Encodings ............................... 97
    Annex A - Typical Usage ........................................ 101
         A.1  Creating a CA ........................................ 101

Kaufman                                                         [Page 1]
RFC 1507                          DASS                    September 1993

         A.2  Creating a User Principal ............................ 102
         A.3  Creating a Server Principal .......................... 103
         A.4  Booting a Server Principal ........................... 103
         A.5  A user logs on to the network ........................ 103
         A.6  An Rlogin (TCP/IP) connection is made ................ 104
         A.7  A Transport-Independent Connection ................... 104
    Annex B - Support of the GSSAPI ................................ 104
         B.1  Summary of GSSAPI .................................... 105
         B.2  Implementation of GSSAPI over DASS ................... 106
         B.3  Syntax ............................................... 110
    Annex C - Imported ASN.1 definitions ........................... 112
    Glossary ....................................................... 114
   Security Considerations ......................................... 119
   Author's Address ................................................ 119
   Figures
    Figure 1 - Authentication Exchange Overview ....................  24

1. Introduction

1.1 What is DASS?

   Authentication is a security service. The goal of authentication is
   to reliably learn the name of the originator of a message or request.
   The classic way by which people authenticate to computers (and by
   which computers authenticate to one another) is by supplying a
   password.  There are a number of problems with existing password
   based schemes which DASS attempts to solve.  The goal of DASS is to
   provide authentication services in a distributed environment which
   are both more secure (more difficult for a bad guy to impersonate a
   good guy) and easier to use than existing mechanisms.

   In a distributed environment, authentication is particularly
   challenging.  Users do not simply log on to one machine and use
   resources there.  Users start processes on one machine which may
   request services on another.  In some cases, the second system must