Network Working Group A. Medvinsky
Request for Comments: 2712 Excite
Category: Standards Track M. Hur
CyberSafe Corporation
October 1999
Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
IESG Note:
The 40-bit ciphersuites defined in this memo are included only for
the purpose of documenting the fact that those ciphersuite codes have
already been assigned. 40-bit ciphersuites were designed to comply
with US-centric, and now obsolete, export restrictions. They were
never secure, and nowadays are inadequate even for casual
applications. Implementation and use of the 40-bit ciphersuites
defined in this document, and elsewhere, is strongly discouraged.
1. Abstract
This document proposes the addition of new cipher suites to the TLS
protocol [1] to support Kerberos-based authentication. Kerberos
credentials are used to achieve mutual authentication and to
establish a master secret which is subsequently used to secure
client-server communication.
2. Introduction
Flexibility is one of the main strengths of the TLS protocol.
Clients and servers can negotiate cipher suites to meet specific
security and administrative policies. However, to date,
authentication in TLS is limited only to public key solutions. As a
result, TLS does not fully support organizations with heterogeneous
security deployments that include authentication systems based on
symmetric cryptography. Kerberos, originally developed at MIT, is
Medvinsky & Hur Standards Track [Page 1]RFC 2712 Addition of Kerberos Cipher Suites to TLS October 1999
based on an open standard [2] and is the most widely deployed
symmetric key authentication system. This document proposes a new
option for negotiating Kerberos authentication within the TLS
framework. This achieves mutual authentication and the establishment
of a master secret using Kerberos credentials. The proposed changes
are minimal and, in fact, no different from adding a new public key
algorithm to the TLS framework.
3. Kerberos Authentication Option In TLS
This section describes the addition of the Kerberos authentication
option to the TLS protocol. Throughout this document, we refer to
the basic SSL handshake shown in Figure 1. For a review of the TLS
handshake see [1].
CLIENT SERVER
------ ------
ClientHello
-------------------------------->
ServerHello
Certificate *
ServerKeyExchange*
CertificateRequest*
ServerHelloDone
<-------------------------------
Certificate*
ClientKeyExchange
CertificateVerify*
change cipher spec
Finished
| -------------------------------->
| change cipher spec
| Finished
| |
| |
Application Data <------------------------------->Application Data
FIGURE 1: The TLS protocol. All messages followed by a star are
optional. Note: This figure was taken from an IETF document
[1].
The TLS security context is negotiated in the client and server hello
messages. For example: TLS_RSA_WITH_RC4_MD5 means the initial
authentication will be done using the RSA public key algorithm, RC4
will be used for the session key, and MACs will be based on the MD5
algorithm. Thus, to facilitate the Kerberos authentication option,
we must start by defining new cipher suites including (but not
limited to):
Medvinsky & Hur Standards Track [Page 2]
datatracker.ietf.org