LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM
RFC 2847

Document Type RFC - Proposed Standard (June 2000; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2847 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          M. Eisler
Request for Comments: 2847                                       Zambeel
Category: Standards Track                                      June 2000

     LIPKEY - A Low Infrastructure Public Key Mechanism Using SPKM

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   This memorandum describes a method whereby one can use GSS-API
   [RFC2078] to supply a secure channel between a client and server,
   authenticating the client with a password, and a server with a public
   key certificate.  As such, it is analogous to the common low
   infrastructure usage of the Transport Layer Security (TLS) protocol
   [RFC2246].

   The method leverages the existing Simple Public Key Mechanism (SPKM)
   [RFC2025], and is specified as a separate GSS-API mechanism (LIPKEY)
   layered above SPKM.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
   2.  LIPKEY's Requirements of SPKM  . . . . . . . . . . . . . . . . 4
   2.1.  Mechanism Type . . . . . . . . . . . . . . . . . . . . . . . 4
   2.2.  Name Type  . . . . . . . . . . . . . . . . . . . . . . . . . 4
   2.3.  Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . 5
   2.3.1.  MANDATORY Algorithms . . . . . . . . . . . . . . . . . . . 5
   2.3.2.  RECOMMENDED Integrity Algorithms (I-ALG) . . . . . . . . . 7
   2.4.  Context Establishment Tokens . . . . . . . . . . . . . . . . 8
   2.4.1.  REQ-TOKEN Content Requirements . . . . . . . . . . . . . . 8
   2.4.1.1.  algId and req-integrity  . . . . . . . . . . . . . . . . 8
   2.4.1.2.  Req-contents . . . . . . . . . . . . . . . . . . . . . . 8
   2.4.1.2.1.  Options  . . . . . . . . . . . . . . . . . . . . . . . 9
   2.4.1.2.2.  Conf-Algs  . . . . . . . . . . . . . . . . . . . . . . 9
   2.4.1.2.3.  Intg-Algs  . . . . . . . . . . . . . . . . . . . . . . 9

Eisler                      Standards Track                     [Page 1]
RFC 2847                         LIPKEY                        June 2000

   2.4.2.  REP-TI-TOKEN Content Requirements  . . . . . . . . . . . . 9
   2.4.2.1.  algId  . . . . . . . . . . . . . . . . . . . . . . . . . 9
   2.4.2.2.  rep-ti-integ . . . . . . . . . . . . . . . . . . . . . . 9
   2.5.  Quality of Protection (QOP)  . . . . . . . . . . . . . . . .10
   3.  How LIPKEY Uses SPKM . . . . . . . . . . . . . . . . . . . .  11
   3.1.  Tokens . . . . . . . . . . . . . . . . . . . . . . . . . .  11
   3.2.  Initiator  . . . . . . . . . . . . . . . . . . . . . . . .  11
   3.2.1.  GSS_Import_name  . . . . . . . . . . . . . . . . . . . .  11
   3.2.2.  GSS_Acquire_cred . . . . . . . . . . . . . . . . . . . .  11
   3.2.3.  GSS_Init_sec_context . . . . . . . . . . . . . . . . . .  12
   3.2.3.1.  LIPKEY Caller Specified anon_req_flag as TRUE  . . . .  12
   3.2.3.2.  LIPKEY Caller Specified anon_req_flag as FALSE . . . .  13
   3.2.4.  Other operations . . . . . . . . . . . . . . . . . . . .  14
   3.3.  Target . . . . . . . . . . . . . . . . . . . . . . . . . .  14
   3.3.1.  GSS_Import_name  . . . . . . . . . . . . . . . . . . . .  14
   3.3.2.  GSS_Acquire_cred . . . . . . . . . . . . . . . . . . . .  14
   3.3.3.  GSS_Accept_sec_context . . . . . . . . . . . . . . . . .  15
   4.  LIPKEY Description . . . . . . . . . . . . . . . . . . . . .  15
   4.1.  Mechanism Type . . . . . . . . . . . . . . . . . . . . . .  15
   4.2.  Name Types . . . . . . . . . . . . . . . . . . . . . . . .  15
   4.3.  Token Formats  . . . . . . . . . . . . . . . . . . . . . .  16
   4.3.1.  Context Tokens . . . . . . . . . . . . . . . . . . . . .  16
   4.3.1.1.  Context Tokens Prior to SPKM-3 Context Establishment .  16
   4.3.1.2.  Post-SPKM-3 Context Establishment Tokens . . . . . . .  16
   4.3.1.2.1.  From LIPKEY Initiator  . . . . . . . . . . . . . . .  17
   4.3.1.2.2.  From LIPKEY Target . . . . . . . . . . . . . . . . .  17
   4.3.2.  Tokens from GSS_GetMIC and GSS_Wrap  . . . . . . . . . .  17
   4.4.  Quality of Protection  . . . . . . . . . . . . . . . . . .  18
   5.  Security Considerations  . . . . . . . . . . . . . . . . . .  18
   5.1.  Password Management  . . . . . . . . . . . . . . . . . . .  18
   5.2.  Certification Authorities  . . . . . . . . . . . . . . . .  18
   5.3.  HMAC-MD5 and MD5 Weaknesses  . . . . . . . . . . . . . . .  18
   5.4.  Security of cast5CBC . . . . . . . . . . . . . . . . . . .  18
   References . . . . . . . . . . . . . . . . . . . . . . . . . . .  19
   Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . .  21
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . .  21
Show full document text