Network Working Group R. Van Rein Internet-Draft ARPA2.net Intended status: Standards Track March 13, 2016 Expires: September 14, 2016 Kerberos in the Extensible Authentication Protocol (EAP-Kerberos) draft-vanrein-eap-kerberos-00 Abstract This specification permits Kerberos authentication as part of the EAP. To support identity bootstrapping during network logon, the preceding acquisition of tickets may also be passed through this EAP mechanism. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 14, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Van Rein Expires September 14, 2016 [Page 1] Internet-Draft EAP-Kerberos March 2016 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Inner and Outer Identities . . . . . . . . . . . . . . . . . 3 3. Transporting Kerberos Frames over EAP . . . . . . . . . . . . 4 3.1. EAP-Kerberos as a Flow of Kerberos Frames . . . . . . . . 4 3.2. Format of a Kerberos Frame . . . . . . . . . . . . . . . 4 3.3. Encapsulation of Kerberos Frames in EAP . . . . . . . . . 5 4. Component Support for EAP-Kerberos . . . . . . . . . . . . . 6 4.1. Peer Support for EAP-Kerberos . . . . . . . . . . . . . . 6 4.2. Authenticator Support for EAP-Kerberos . . . . . . . . . 7 4.3. Backend Support for EAP-Kerberos . . . . . . . . . . . . 7 5. Established Master Key . . . . . . . . . . . . . . . . . . . 9 6. Efficiency Considerations . . . . . . . . . . . . . . . . . . 9 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10.2. Informative References . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 1. Introduction EAP, or the Extensible Authentication Protocol, is a pluggable mechanism for the control of network or service access by users. It is usually communicated with users during a login phase of PPP or 802.1x, and passed on to backend servers in a RADIUS attribute [Section 5.1 of [RFC2865]] or Diameter AVP [Section 8.14 of [RFC6733]] set aside for EAP. Although often used with password-based policies, EAP is equally suited for more advanced cryptographic approaches. What this specification adds, is a facility for Kerberos authentication, without resorting to the use of a KDC as a mere password oracle for PAP. To make this possible, the Application Protocol (AP) exchange of Kerberos is facilitated over EAP. Since EAP is so often used to bootstrap online access, as is the case with PPP and 802.1x use cases, additional care is needed for procuring Kerberos tickets to use in the AP exchange. To facilitate this, the EAP profile presented herein can also be used to pass Authentication Service (AS) and Ticket Granting Service (TGS) exchanges with a Kerberos-supportive backend. For users, the applications of EAP are integrated with a Single Sign- On (SSO) facility, making their online experience more seemless Van Rein Expires September 14, 2016 [Page 2] Internet-Draft EAP-Kerberos March 2016 because no separate password entry is required, nor is it required to resort to fixed secrets installed on their systems. The following Security Claims [Section 7.2 of [RFC3748]] are made for EAP-Kerberos: Auth. mechanism: Kerberos Ciphersuite negotiation: Yes Mutual authentication: Yes Integrity protection: No (not for EAP header fields) Replay protection: Yes Confidentiality: No, not always and not completely Key derivation: Yes Key strength: Usually 128 or 256 bit Dictionary attack prot.: No Fast reconnect: Yes Crypt. binding: Yes, as implied by Kerberos Session independence: Yes Fragmentation: Yes Channel binding: No 2. Inner and Outer Identities It is common for EAP to be encapsulated in a context that communicates an identity, independently of what the EAP does with it. This identity is sometimes referred to as the "outer" identity, to contrast it with an "inner" identity negotiated within the EAP transport. As an example, when EAP is transported in RADIUS or Diameter, there is commonly a User-Name attribute at the same level as EAP; this would be the outer identity. Not all methods distinguish between inner and outer identities and under such methods the outer identity often holds a user name to be authenticated. This is not strictly required in an EAP context; the only thing needed is a decision from the backend to Accept or Reject a peer; any data exchanged works towards that end result. Under EAP-Kerberos, the client PrincipalName and Realm may be considered the inner identity, and indeed is this the identity that is validated by the protocol flow. It is vital to understand that the outer identity is in no way to be considered reliable as a user identity for the peer; this is because it falls outside the protected context of EAP-Kerberos. The outer identity serves a different goal, namely as a locator for the backend authorisation server. To the peer, this is a backend that is supportive of its access, and to the authenticator this is a basis for locating and/or constraining the backend server as an Van Rein Expires September 14, 2016 [Page 3] Internet-Draft EAP-Kerberos March 2016 authoritative source of information about the peer and its rights of access to the EAP-protected resource. 3. Transporting Kerberos Frames over EAP The EAP-Kerberos protocol carries an ordered flow of Kerberos frames, communicated in round trips. This facilitates a Kerberos query/ response sequence initiated by the peer, and leading to eventual Succes or Failure to authenticate the peer. This section details what Kerberos frames are, and how an EAP message flow implements them. Whenever a fatal error is detecting during the processing of EAP- Kerberos, this MUST lead to rejection of the authentication attempt, possibly after delivery of a final KRB-ERROR frame. Any conflict with the specifications is considered a fatal error. 3.1. EAP-Kerberos as a Flow of Kerberos Frames EAP-Kerberos implements a flow of Kerberos frames. Each Kerberos frame is a single data structure, recognised by an [APPLICATION n] tag. The exchange between the authenticating peer and backend authentication server consists of a request/response interaction: The peer sens a request and the backend sends a response (which may be an error message). The transmission channel of EAP-Kerberos is half-duplex, meaning that the peer and backend take turns sending messages. Each sends one Kerberos frame and is then open for another. In the case of the peer, receiving a Kerberos frame makes him free to send another, and in case of the backend, having receiving a Kerberos frame initiates its handling. 3.2. Format of a Kerberos Frame A Kerberos frame is defined as a single DER-encoded data structure, so a single tag with length and a value that may hold more DER data. The outermost tag and length are of explicit use to EAP-Kerberos. The outermost tag MUST be an [APPLICATION n] tag. The tag indicates what meaning the frame has in the context of the Kerberos application [usually according to [RFC4120]]. The tag may facilitate relaying decisions, especially in the backend authentication server. Finally, the tag indicates a syntax that the entire Kerberos frame MUST adhere to. The outermost length is used in the collection of a Kerberos frame that MAY have gotten fragmented over multiple EAP frames. The first Van Rein Expires September 14, 2016 [Page 4] Internet-Draft EAP-Kerberos March 2016 EAP frame to transport a Kerberos frame holds the outermost tag and length and a failure to contain both within this first message MAY be treated as a fatal error. As a result of these definitions, Kerberos frames can be concatenated; the DER encoding clearly marks where one Kerberos frame ends and the next one starts. This does not mean that such concatenation is permitted within an EAP frame; in fact, it is considered a fatal error if an EAP frame contains excess bytes after the end of a Kerberos frame. 3.3. Encapsulation of Kerberos Frames in EAP A Kerberos frame is cut into one or more non-empty fragments that lead to EAP frames that fit in the MTU for EAP frames. The EAP- Kerberos protocol consists of such individually encapsulated fragments, as well as acknowledgement packages. To enapsulate a Kerberos fragment, the standard EAP packet header [Section 4 of [RFC3748]] is prepended, consisting of the fragments's Code, Identifier and Length. Note that it is possible to include a Kerberos fragment with a Success or Failure EAP frame that holds the Success or Failure code, not just for Request or Response codes. The Length field holds five more than the non-zero number of bytes of the contained Kerberos fragment, and it should be noted that any further bytes count as padding in the data link layer, so these should not be taken into account when reconstructing a Kerberos frame from fragments in EAP frames. EAP packets with Length set to 1 hold no Kerberos data but are instead used to acknowledge the reception of traffic up to the given Identifer. The Type field is always set to the value TBD assigned by IANA as the Method Type for EAP-Kerberos. When a Kerberos frame falls apart into multiple fragments, then all these fragments are submitted individually, with an Identifier byte value that increments from the value of its first packet. This is useful on the receiving end, where the portions must be recollected. When it transpires that EAP frames were not received in good order, they MUST be retransmitted. Indications of such ill-received EAP frames are received through special acknowledgement EAP frames. The Identifier starts from 0 for each new Kerberos frame, so the initial EAP frame for a Kerberos frame is easily recognised. When encapsulating a Kerberos fragment, the EAP frame always has a Length over 5. There is an additional EAP frame used to acknowledge having received prior frames, and this is a frame with Length equal Van Rein Expires September 14, 2016 [Page 5] Internet-Draft EAP-Kerberos March 2016 to 5. It SHOULD only be sent on the last frame before an apparent gap in the frame sequence, and in addition it MUST be sent on the last frame that completes the reconstruction of a Kerberos frame. Acknowledgement packets replicate the Identifier tag from the last EAP frame that they received in good order. TODO: Is this possible, or MUST it be a roundtrip to satisfy carriers such as RADIUS? Only when a complete Kerberos frame has been reconstructed on the receiving end, is it possible to send the next message in the opposite direction. The backend authentication server can start to build a response after receiving a Kerberos frame, and the authenticating peer can choose if it wants to send another request in a Kerberos frame. 4. Component Support for EAP-Kerberos The following subsections indicate what support is needed for EAP- Kerberos to be used. 4.1. Peer Support for EAP-Kerberos In EAP terminology, the (authenticating) peer is the endpoint that wants to be authenticated by the Authenticator. It must have explicit support for EAP-Kerberos. When the peer has no valid ticket granting ticket, or when it prefers to use another for EAP-Kerberos, then it should first get one using the AS exchange [Section 3.1 of [RFC4120]]. When the peer has no valid service ticket, or when it prefers to use another one, for EAP-Kerberos, then it should get one (or multiple) using the TGS exchange [Section 3.3 of [RFC4120]]. Finally, the peer will want to authenticate with the backend server. To do that, it uses the service ticket in a double AP exchange [Section 3.2 of [RFC4120]]: 1. The first AP request [Section 5.5.1 of [RFC4120]] sent from peer to backend includes no cksum, but supplies a randomly generated seq-number in its Authenticator. It does not include a subkey. 2. The first AP response [Section 5.5.2 of [RFC4120]] sent from backend to peer contains a subkey and a seq-number field that is one more than the seq-number field in the first AP request. The subkey is stored by the peer as its master key. 3. The second AP request sent from the peer to the backend includes a cksum computed over the EncAPRepPart of the first AP response, Van Rein Expires September 14, 2016 [Page 6] Internet-Draft EAP-Kerberos March 2016 after it has been decrypted into a DER structure. The seq-number field is one higher than the seq-number field in the first AP response. The hash assures the peer's ability to decrypt, and thus ownership of the key; the seq-number may help to assure extra protection from replay. The second AP request additionally holds a subkey that the backend should henceforth be used by the backend. The second AP request is encrypted with the subkey found in the first AP response. 4. The second AP response sent from backend to peer includes no subkey but it does hold a seq-number which is one higher than the seq-number from the second AP request. The second AP response is encrypted with the subkey found in the second AP request. This exchange establishes mutual authentication between the peer and backend. Peers SHOULD support at least the above variations of Kerberos frame flow, but they MAY attempt to do more; specifically, it may attempt to perform other AS, TGS and AP exchanges than what is strictly needed for authentication to commence. All this must be done before the final authentication step is made. 4.2. Authenticator Support for EAP-Kerberos In EAP terminology, the authenticator is the part of the infrastructure that wants to know if the authenticating peer can be granted access. It often coincides with the Network Access Server in the customary EAP use case of granting network access. The authenticator SHOULD NOT modify EAP-Kerberos messages that it passes between peer and a backend authentication server. Specifically, it MUST NOT filter on [APPLICATION n] tags of Kerberos frames. In summary, there is nothing that needs to change to an authenticator to be able to pass EAP-Kerberos. 4.3. Backend Support for EAP-Kerberos In EAP terminology, the backend (authentication server) is the endpoint for EAP that makes the decision to grant or deny access to the authenticating peer. It is usually a server that runs an AAA protocol such as RADIUS or Diameter. To facilitate EAP-Kerberos, the backend reconstructs Kerberos frames from EAP frames, and either handles them locally or relays them as permitted by configured policy. Van Rein Expires September 14, 2016 [Page 7] Internet-Draft EAP-Kerberos March 2016 It is RECOMMENDED for backends to facilitate AS and TGS requests [Section 5.4.1. of [RFC4120]] from the peer, and relay those to a KDC. In both cases, the backend SHOULD perform KDC Discovery [Section 7.2.3 of [RFC4120]] to find the KDC, based on the realm field in the request. It relays the Kerberos frame to this discovered KDC, and awaits a reply (or produces a timeout error to replace it). The reply is relayed back to the peer as a Kerberos frame encapsulated in EAP frames. The backend MAY additionally relay AP requests [Section 5.5.1 or [RFC4120]] to servers when configured to do so; in this case the realm and sname fields of the contained ticket are helpful to locate the target for relaying. The applications KRB-SAFE, KRB-PRIV and KRB-CRED have no indication of the protocol being used, so their relaying is less likely. What this means is that the facility for relaying AP requests is rather limited, and only suitable for situations that require nothing but the AP requests themselves; it may be useful to exchange key materials in the backend infrastructure, such as end-to-end key material. The backend MUST accept AP requests directed to a service name of its own. Such requests are processed under the following rules: o Upon arrival of an AP request, the encrypted part is decrypted, by default with the encryption contained in the ticket. When a subkey has been previously supplied to the peer in the current EAP-Kerberos session, then this replaces the default encryption key from the ticket. o An AP request from the peer has a seq-number field, and the response MUST have a seq-number increased by one. o When the peer has not been sent a subkey before, one is generated from a good random source, and sent in the AP response. This is done only once per EAP-Kerberos session. o Every AP request receives an AP response or a KRB-ERROR; this is even true if the AP request leads to the deciding one. The AP response is encrypted with the key in the ticket by default; when a subkey has just been supplied by the AP request from the peer, then this is used instead. o When timing in the AP request diverts too far from the clock time of the backend, then an error is sent instead of an AP response. It is common to permit a time window of about five minutes around the backend clock time. Van Rein Expires September 14, 2016 [Page 8] Internet-Draft EAP-Kerberos March 2016 An AP request leads to the final decision of either Failure or Success when a subkey has been sent to the peer, when the peer just sent a subkey and cksum in the encrypted part of the AP request. The decision is Failure, except when all the following requirements are met and the decision therefore becomes Success: o The timing information diverts is close enough to the clock time of the backend. o The seq-number is one more than the seq-number that was sent to the peer in a preceding AP response sent during this EAP-Kerberos session; o The cksum is a correctly computed checksum over the DER-encoded bytes that hold the EncAPRepPart after decryption, taken from the foregoing AP response in the current EAP-Kerberos session. The backend MUST send exactly one Kerberos response to any Kerberos request that it receives. If it receives a request encapsulated in EAP that it does not handle, then it MUST reply with a KRB-ERROR message [Section 5.9.1 of [RFC4120]] with a suitable error code [Section 7.5.1 of [RFC4120]], and/or trigger a fatal error. 5. Established Master Key When an EAP-Kerberos session ends in Success, then both sides have provided a subkey to the other side, to be used for future communication towards them. Upon success, these keys MAY be used to initiate any further keying requirements between the peer and the infrastructure setup by the backend. We do not prescribe the manner in which this is done, or how the master key is used to construct session keys, but leave it to the general remark that session keys should be derived in a manner that does not permit derivation of the master key or other session keys derived from it. 6. Efficiency Considerations Among the uses of EAP are applications where no IP address has been obtained by the peer, such as gaining network access over PPP or Ethernet protocols with 802.1x protection. In such networks, it may be required to bootstrap Kerberos tickets that would be needed for EAP-Kerberos. This is why AS and TGS exchanges may be passed over EAP, and why the backend server may support such exchanges by relaying such traffic to a KDC. Van Rein Expires September 14, 2016 [Page 9] Internet-Draft EAP-Kerberos March 2016 Once access to a network has been granted, there may be an additional need to encrypt traffic, and facilitate authentication. For such exchanges, there may be a use for additional Kerberos exchanges. This is why this specification leaves room for such additional exchanges, without enforcing them. 7. Privacy Considerations The EAP-Kerberos exchange reveals some information that may be considered private. This may be a privacy concern in infrastructures that pass the EAP-Kerberos data through third party network components. It is possible facilitate privacy for any intermediate EAP relays by sending EAP-Kerberos within EAP tunneling mechanisms, such as EAP-TTLS [RFC5281] or EAP-FAST [RFC4851]. 8. Security Considerations Tunneling is not required for reasons of security; Kerberos frames are designed to travel over untrusted networks. When EAP-Kerberos travels in the company of attributes descriptive of the peer, it is important to understand that nothing that EAP- Kerberos will do can assign any validity to these attributes. The "innert" identity as mentioned in Kerberos packets is what is validated. Any "outer" identity as mentioned in such companion attributes is more inclined towards routing than to identification. The peer and its KDC establish end-to-end trust on the basis of their pre-shared secret. This is subsequently used to infer trust on derived keys and tickets. For the intermediaries (namely, the authenticator and even the backend authentication server) the secret is not known, and so they may need extra bases for trust in the established relationship. Specifically, where the lookup of a KDC does not require DNSSEC to secure the client, it will often be instrumental for such intermediate pieces of the infrastructure to establish trust in the authenticity of the KDC for a particular realm or domain name. Note however that the eventual use of the AP exchange between the peer and its backend should imply an alternative trust basis between these two players, through either a shared KDC or two that have a secure realm-crossover relationship. This leaves the authenticator as the main party to protect itself; note that this party can be especially sensitive when it takes action based on companion attributes that travel back with an EAP-Kerberos Success. Van Rein Expires September 14, 2016 [Page 10] Internet-Draft EAP-Kerberos March 2016 9. IANA Considerations This specification requests the registration of a Method Type in the Extensible Authentication Protocol (EAP) Registry, from the range granted through the Designated Expert with Specification Required procedure. IANA has assigned TBD to the EAP method specified herein. 10. References 10.1. Normative References [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, DOI 10.17487/RFC3748, June 2004, . [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, DOI 10.17487/RFC4120, July 2005, . 10.2. Informative References [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, . [RFC4851] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)", RFC 4851, DOI 10.17487/RFC4851, May 2007, . [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)", RFC 5281, DOI 10.17487/RFC5281, August 2008, . [RFC6733] Fajardo, V., Ed., Arkko, J., Loughney, J., and G. Zorn, Ed., "Diameter Base Protocol", RFC 6733, DOI 10.17487/RFC6733, October 2012, . Van Rein Expires September 14, 2016 [Page 11] Internet-Draft EAP-Kerberos March 2016 Author's Address Rick van Rein ARPA2.net Haarlebrink 5 Enschede, Overijssel 7544 WP The Netherlands Email: rick@openfortress.nl Van Rein Expires September 14, 2016 [Page 12]