LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
RFC 2847
Document | Type |
RFC - Proposed Standard
(June 2000; No errata)
Was draft-ietf-cat-lipkey (cat WG)
|
|
---|---|---|---|
Author | Mike Eisler | ||
Last updated | 2013-03-02 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 2847 (Proposed Standard) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
Network Working Group M. Eisler Request for Comments: 2847 Zambeel Category: Standards Track June 2000 LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. Abstract This memorandum describes a method whereby one can use GSS-API [RFC2078] to supply a secure channel between a client and server, authenticating the client with a password, and a server with a public key certificate. As such, it is analogous to the common low infrastructure usage of the Transport Layer Security (TLS) protocol [RFC2246]. The method leverages the existing Simple Public Key Mechanism (SPKM) [RFC2025], and is specified as a separate GSS-API mechanism (LIPKEY) layered above SPKM. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. LIPKEY's Requirements of SPKM . . . . . . . . . . . . . . . . 4 2.1. Mechanism Type . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Name Type . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3.1. MANDATORY Algorithms . . . . . . . . . . . . . . . . . . . 5 2.3.2. RECOMMENDED Integrity Algorithms (I-ALG) . . . . . . . . . 7 2.4. Context Establishment Tokens . . . . . . . . . . . . . . . . 8 2.4.1. REQ-TOKEN Content Requirements . . . . . . . . . . . . . . 8 2.4.1.1. algId and req-integrity . . . . . . . . . . . . . . . . 8 2.4.1.2. Req-contents . . . . . . . . . . . . . . . . . . . . . . 8 2.4.1.2.1. Options . . . . . . . . . . . . . . . . . . . . . . . 9 2.4.1.2.2. Conf-Algs . . . . . . . . . . . . . . . . . . . . . . 9 2.4.1.2.3. Intg-Algs . . . . . . . . . . . . . . . . . . . . . . 9 Eisler Standards Track [Page 1] RFC 2847 LIPKEY June 2000 2.4.2. REP-TI-TOKEN Content Requirements . . . . . . . . . . . . 9 2.4.2.1. algId . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.4.2.2. rep-ti-integ . . . . . . . . . . . . . . . . . . . . . . 9 2.5. Quality of Protection (QOP) . . . . . . . . . . . . . . . .10 3. How LIPKEY Uses SPKM . . . . . . . . . . . . . . . . . . . . 11 3.1. Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.2. Initiator . . . . . . . . . . . . . . . . . . . . . . . . 11 3.2.1. GSS_Import_name . . . . . . . . . . . . . . . . . . . . 11 3.2.2. GSS_Acquire_cred . . . . . . . . . . . . . . . . . . . . 11 3.2.3. GSS_Init_sec_context . . . . . . . . . . . . . . . . . . 12 3.2.3.1. LIPKEY Caller Specified anon_req_flag as TRUE . . . . 12 3.2.3.2. LIPKEY Caller Specified anon_req_flag as FALSE . . . . 13 3.2.4. Other operations . . . . . . . . . . . . . . . . . . . . 14 3.3. Target . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.3.1. GSS_Import_name . . . . . . . . . . . . . . . . . . . . 14 3.3.2. GSS_Acquire_cred . . . . . . . . . . . . . . . . . . . . 14 3.3.3. GSS_Accept_sec_context . . . . . . . . . . . . . . . . . 15 4. LIPKEY Description . . . . . . . . . . . . . . . . . . . . . 15 4.1. Mechanism Type . . . . . . . . . . . . . . . . . . . . . . 15 4.2. Name Types . . . . . . . . . . . . . . . . . . . . . . . . 15 4.3. Token Formats . . . . . . . . . . . . . . . . . . . . . . 16 4.3.1. Context Tokens . . . . . . . . . . . . . . . . . . . . . 16 4.3.1.1. Context Tokens Prior to SPKM-3 Context Establishment . 16 4.3.1.2. Post-SPKM-3 Context Establishment Tokens . . . . . . . 16 4.3.1.2.1. From LIPKEY Initiator . . . . . . . . . . . . . . . 17 4.3.1.2.2. From LIPKEY Target . . . . . . . . . . . . . . . . . 17 4.3.2. Tokens from GSS_GetMIC and GSS_Wrap . . . . . . . . . . 17 4.4. Quality of Protection . . . . . . . . . . . . . . . . . . 18 5. Security Considerations . . . . . . . . . . . . . . . . . . 18 5.1. Password Management . . . . . . . . . . . . . . . . . . . 18 5.2. Certification Authorities . . . . . . . . . . . . . . . . 18 5.3. HMAC-MD5 and MD5 Weaknesses . . . . . . . . . . . . . . . 18 5.4. Security of cast5CBC . . . . . . . . . . . . . . . . . . . 18 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 21 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 21Show full document text