| blob | dd172fe9c95550447b5f864345fee27ffa3d2746 |
1 Network Working Group Johansson
2 Internet-Draft Stockholm university
3 Expires: December 30, 2004 July 2004
7 An information model for Kerberos version 5
8 draft-johansson-kerberos-model-01
11 Status of this Memo
14 This document is an Internet-Draft and is in full conformance with
15 all provisions of Section 10 of RFC2026.
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as
21 Internet-Drafts.
24 Internet-Drafts are draft documents valid for a maximum of six months
25 and may be updated, replaced, or obsoleted by other documents at any
26 time. It is inappropriate to use Internet-Drafts as reference
27 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
34 The list of Internet-Draft Shadow Directories can be accessed at
35 http://www.ietf.org/shadow.html.
38 This Internet-Draft will expire on December 30, 2004.
41 Copyright Notice
44 Copyright (C) The Internet Society (2004). All Rights Reserved.
47 Abstract
50 This document describes an information model for Kerberos version 5
51 from the point of view of an administrative service. There is no
52 standard for administrating a kerberos 5 KDC. This document
53 describes the services exposed by an administrative interface to a
54 KDC.
66 Johansson Expires December 30, 2004 [Page 1]
67 Internet-Draft An information model for Kerberos version 5 July 2004
71 Table of Contents
74 1. Requirements notation . . . . . . . . . . . . . . . . . . . . 3
75 2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 4
76 3. How to interpret RFC2119 terms . . . . . . . . . . . . . . . . 5
77 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
78 5. Information model . . . . . . . . . . . . . . . . . . . . . . 7
79 5.1 Principal . . . . . . . . . . . . . . . . . . . . . . . . 7
80 5.1.1 Principal: Attributes . . . . . . . . . . . . . . . . 7
81 5.1.2 Principal: Associations . . . . . . . . . . . . . . . 7
82 5.1.3 Principal: Remarks . . . . . . . . . . . . . . . . . . 8
83 5.2 KeySet . . . . . . . . . . . . . . . . . . . . . . . . . . 8
84 5.2.1 KeySet: Attributes . . . . . . . . . . . . . . . . . . 8
85 5.2.2 KeySet: Associations . . . . . . . . . . . . . . . . . 8
86 5.2.3 KeySet: Remarks . . . . . . . . . . . . . . . . . . . 8
87 5.3 Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
88 5.3.1 Key: Attributes . . . . . . . . . . . . . . . . . . . 9
89 5.3.2 Key: Associations . . . . . . . . . . . . . . . . . . 9
90 5.3.3 Key: Remarks . . . . . . . . . . . . . . . . . . . . . 10
91 5.4 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 10
92 5.4.1 Policy: Attributes . . . . . . . . . . . . . . . . . . 10
93 5.4.2 Password Quality Policy . . . . . . . . . . . . . . . 10
94 5.4.3 Password Management Policy . . . . . . . . . . . . . . 10
95 5.4.4 Keying Policy . . . . . . . . . . . . . . . . . . . . 11
96 6. Implementation Scenarios . . . . . . . . . . . . . . . . . . . 12
97 6.1 LDAP backend to KDC . . . . . . . . . . . . . . . . . . . 12
98 6.2 LDAP frontend to KDC . . . . . . . . . . . . . . . . . . . 12
99 6.3 SOAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
100 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
101 8. Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
102 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
103 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 14
104 Intellectual Property and Copyright Statements . . . . . . . . 15
124 Johansson Expires December 30, 2004 [Page 2]
125 Internet-Draft An information model for Kerberos version 5 July 2004
129 1. Requirements notation
132 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
133 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
134 document are to be interpreted as described in [RFC2119].
182 Johansson Expires December 30, 2004 [Page 3]
183 Internet-Draft An information model for Kerberos version 5 July 2004
187 2. Motivation
190 The Kerberos version 5 authentication service described in [RFC1510]
191 describes how a Key Distribution Service (KDC) provides
192 authentication to clients. The standard does not stipulate how a KDC
193 is managed and several "kadmin" servers have evolved. This document
194 describes the services required to administrate a KDC and the
195 underlying information model assumed by a kadmin-type service.
198 The information model is written in terms of "attributes" and
199 "services" or "interfaces" but the use of these particular words MUST
200 NOT be taken to imply any particular modeling paradigm so that
201 neither an object oriented model or an LDAP schema is intended. The
202 author has attempted to describe in natural language the intended
203 semantics and syntax of the components of the model. An LDAP schema
204 (for instance) based on this model will be more precise in the
205 expression of the syntax while preserving the semantics of this
206 model.
209 Implementations of this document MAY decide to change the names used
210 (eg principalName). If so an implementation MUST provide a name to
211 name mapping to this document.
242 Johansson Expires December 30, 2004 [Page 4]
243 Internet-Draft An information model for Kerberos version 5 July 2004
247 3. How to interpret RFC2119 terms
250 This document describes an information model for kerberos 5 but does
251 not directly describe any mapping onto a particular schema- or
252 modelling language. Hence an implementation of this model consists
253 of a mapping to such a language - eg an LDAP or SQL schema. The
254 precise interpretation of terms from [RFC2119] therefore require some
255 extra explanation. The terms MUST, MUST NOT, REQUIRED, SHALL, SHALL
256 NOT mean that an implementation MUST provide a feature but does not
257 mean that this feature MUST be REQUIRED by the implementation - eg an
258 attribute is available in an LDAP schema but marked as OPTIONAL. If
259 a feature must be implemented and REQUIRED this is made explicit in
260 this model. The term MAY, OPTIONAL and RECOMMENDED means that an
261 implementation MAY need to REQUIRE the feature due to the particular
262 nature of the schema/modelling language. In some cases this is
263 expressly forbidden by this model (feature X MUST NOT be REQUIRED by
264 an implementation).
267 Note that any implementation of this model SHOULD be published as an
268 RFC.
301 Johansson Expires December 30, 2004 [Page 5]
302 Internet-Draft An information model for Kerberos version 5 July 2004
306 4. Acknowledgments
309 Love H÷rnquist-Êstrand <lha@it.su.se> for important contributions.
359 Johansson Expires December 30, 2004 [Page 6]
360 Internet-Draft An information model for Kerberos version 5 July 2004
364 5. Information model
367 5.1 Principal
370 The fundamental entity stored in a KDC is the principal. The
371 principal is associated to keys and generalizes the "user" concept.
372 The principal MUST be implemented in full and MUST NOT be optional in
373 an implementation
376 5.1.1 Principal: Attributes
379 5.1.1.1 principalName
382 The principalName MUST uniquely identify the principal within the
383 administrative context of the KDC. The type of the principalName is
384 not described in this document. It is a unique identifier and can be
385 viewed as an opaque which can be compared for equality.
388 5.1.1.2 principalNotUsedBefore
391 The principal may not be used before this date. The syntax of the
392 attribute MUST be semantically equivalent with the standard ISO date
393 format.
396 5.1.1.3 principalNotUsedAfter
399 The principal may not be used after this date. The syntax of the
400 attribute MUST be semantically equivalent with the standard ISO date
401 format.
404 5.1.1.4 principalIsDisabled
407 A boolean attribute used to temporarily disable a principal.
410 5.1.1.5 principalAliases
413 This multivalued attribute contains a set of aliases for the
414 principal.
417 5.1.2 Principal: Associations
420 Each principal MAY be associated with 1 or more KeySet and MAY be
421 associated with 1 or more Policies. The KeySet is represented as an
422 object in this model since it has attributes associated with it (the
423 key version number). In typical situations the principal is
424 associated with exactly 1 KeySet but implementations MUST NOT assume
425 this case, i.e an implemenation of this standard (e.g an LDAP schema)
426 MUST be able to handle the general case of multiple KeySet associated
431 Johansson Expires December 30, 2004 [Page 7]
432 Internet-Draft An information model for Kerberos version 5 July 2004
436 with each principal.
439 5.1.3 Principal: Remarks
442 Traditionally a principal consists of a local-part and a realm
443 denoted in string form by local-part@REALM. The realm concept is
444 used to provide administrative boundaries and together with
445 cross-realm authentication provides scalability to Kerberos 5.
446 However the realm is not central to an administrative information
447 model. For instance the initialization or creation of a realm is
448 equivalent to creating a specific set of principals (krbtgt@REALM,
449 etc) which is covered by the model and services described in this
450 document. A realm is typically associated with policy covering (for
451 instance) keying and password management. The management of such
452 policy and their association to realms is beyond the scope of this
453 document.
456 5.2 KeySet
459 A KeySet is a set of keys associated with exactly one principal.
460 This object and its associations MUST NOT be REQUIRED by an
461 implementation. It is expected that most implementations of this
462 standard will use the set/change password protocol for all aspects of
463 key management [I-D.ietf-krb-wg-kerberos-set-passwd]. This
464 information model only includes these objects for the sake of
465 completenes.
468 5.2.1 KeySet: Attributes
471 5.2.1.1 keySetVersionNumber
474 This is traditionally called the key version number (kvno).
477 5.2.2 KeySet: Associations
480 To each KeySet MUST be associated a set of 1 or more Keys.
483 5.2.3 KeySet: Remarks
486 The reason for separating the KeySet from the Principal is security.
487 The security of Kerberos 5 depends absolutely on the security of the
488 keys stored in the KDC. The KeySet type is provided to make this
489 clear and to make separation of keys from other parts of the model
490 clear.
493 Implementations of this standard (eg an LDAP schema) MUST preserve
494 this distinction.
500 Johansson Expires December 30, 2004 [Page 8]
501 Internet-Draft An information model for Kerberos version 5 July 2004
505 5.3 Key
508 Implementations of this model MUST NOT REQUIRE keys to be
509 represented.
512 5.3.1 Key: Attributes
515 5.3.1.1 keyEncryptionType
518 The enctype. The precise representation depends on the
519 implementation.
522 5.3.1.2 keyValue
525 The binary representation of the key data.
528 5.3.1.3 keySaltValue
531 The binary representation of the key salt.
534 5.3.1.4 keyStringToKeyParameter
537 The syntax of this opaque object is defined by the encryption type
538 used.
541 5.3.1.5 keyNotUsedAfter
544 This key MUST NOT be used after this date. The syntax of the
545 attribute MUST be semantically equivalent with the standard ISO date
546 format.
549 5.3.1.6 keyNotUsedBefore
552 This key MUST NOT be used before this date. The syntax of the
553 attribute MUST be semantically equivalent with the standard ISO date
554 format.
557 5.3.1.7 keyIsDisabled
560 If this attribute is true the key MUST NOT be used. This is used to
561 temporarily disable a key.
564 5.3.2 Key: Associations
567 None
575 Johansson Expires December 30, 2004 [Page 9]
576 Internet-Draft An information model for Kerberos version 5 July 2004
580 5.3.3 Key: Remarks
583 The security of the keys is an absolute requirement for the operation
584 of Kerberos 5. If keys are implemented adequate protection from
585 unauthorized modification and disclosure MUST be available and
586 REQUIRED by the implementation.
589 5.4 Policy
592 Implementations SHOULD implement policy but MAY allow them to be
593 OPTIONAL.
596 5.4.1 Policy: Attributes
599 5.4.1.1 policyIdentifier
602 The policyIdentifier MUST be unique within the local administrative
603 context and MUST be globally unique. Possible types of identifiers
604 include:
607 An Object Identifier (OID)
608 A URN
609 A UUID
612 5.4.1.2 policyIsMandatory
615 This attribute indicates that the KDC MUST be able to correctly
616 interpret and apply this policy for the key to be used.
619 5.4.1.3 policyContent
622 This is an optional opaque binary value used to store a
623 representation of the policy. In general a policy cannot be fully
624 expressed using attribute-value pairs. The policyContent is OPTIONAL
625 in the sense that an implementation MAY use it to store an opaque
626 value for those policy-types which are not directly representable in
627 that implementation.
630 5.4.2 Password Quality Policy
633 5.4.2.1 Password Quality Policy: Attributes
636 Password quality policy controls the requirements placed by the KDC
637 on new passwords. TODO: update with information from Nico
640 5.4.3 Password Management Policy
647 Johansson Expires December 30, 2004 [Page 10]
648 Internet-Draft An information model for Kerberos version 5 July 2004
652 5.4.3.1 Password Management Policy: Attributes
655 Password management policy controls how passwords are changed. TODO:
656 update with information from Nico and Ludovic
659 5.4.4 Keying Policy
662 5.4.4.1 Keying Policy: Attributes
665 A keying policy specifies the association of enctypes with new
666 principals, i.e when a principal is created one of the possibly many
667 applicable keying policies determine the set of keys to associate
668 with the principal. In general the expression of a keying policy may
669 require a Touring-complete language.
708 Johansson Expires December 30, 2004 [Page 11]
709 Internet-Draft An information model for Kerberos version 5 July 2004
713 6. Implementation Scenarios
716 There are several ways to implement an administrative service for
717 Kerberos 5 based on this information model. In this section we list
718 a few of them.
721 6.1 LDAP backend to KDC
724 Given an LDAP schema implementation of this information model it
725 would be possible to build an administrative service by backending
726 the KDC to a directory server where principals and keys are stored.
727 Using the security mechanisms available on the directory server keys
728 are protected from access by anyone apart from the KDC.
729 Administration of the principals, policy and other non-key data is
730 done through the directory server while the keys are modified using
731 the set/change password protocol
732 [I-D.ietf-krb-wg-kerberos-set-passwd].
735 6.2 LDAP frontend to KDC
738 An alternative way to provide a directory interface to the KDC is to
739 implement an LDAP-frontend to the KDC which exposes all non-key
740 objects as entries and attributes. As in the example above all keys
741 are modified using the set/change password protocol
742 [I-D.ietf-krb-wg-kerberos-set-passwd]. In this scenario the
743 implementation would typically not use a traditional LDAP
744 implementation but treat LDAP as an access-protocol to data in the
745 native KDC database.
748 6.3 SOAP
751 Given an XML schema implementation of this information model it would
752 be possible to build a SOAP-interface to the KDC. This demonstrates
753 the value of creating an abstract information model which is mappable
754 to multiple schema representations.
772 Johansson Expires December 30, 2004 [Page 12]
773 Internet-Draft An information model for Kerberos version 5 July 2004
777 7. Security Considerations
780 This document describes an abstract information model for Kerberos 5.
781 The Kerberos 5 protocol depends on the security of the keys stored in
782 the KDC. The model described here assumes that keys MUST NOT be
783 transported in the clear over the network and furthermore that keys
784 are treated as write-only attributes that SHALL only be modified
785 (using the administrative interface) by the change-password protocol
786 [I-D.ietf-krb-wg-kerberos-set-passwd].
789 Exposing the object model of a KDC typically implies that objects can
790 be modified and/or deleted. In a KDC not all principals are created
791 equal, so that for instance deleting krbtgt/EXAMPLE.COM@EXAMPLE.COM
792 effectively disables the EXAMPLE.COM realm. Hence access control is
793 paramount to the security of any implementation. This document does
794 not (at the time of writing - leifj) mandate access control. This
795 only implies that access control is beyond the scope of the standard
796 information model, i.e that access control MAY NOT be accessible via
797 any protocol based on this model. If access control objects is
798 exposed via an extension to this model the presence of access control
799 may in itself provide points of attack by giving away information
800 about principals with elevated rights etc. etc.
831 Johansson Expires December 30, 2004 [Page 13]
832 Internet-Draft An information model for Kerberos version 5 July 2004
836 8. Remarks
839 A few notes and TODOs:
840 Do we want to model access control? I have received a few notes on
841 that from Love. It will affect both the model and the security
842 considerations but It may be relevant. The catch is that most
843 implementations (SOAP, LDAP, etc) will have acl mechanisms
844 separate from the data which makes modeling acls difficult.
845 Perhaps there are certain aspects of access control which can be
846 modeled with relative ease - for instance the ability to make an
847 object immutable.
848 Need to specify how extensions to the model happens.
849 Comparison for equality is implied by specifying syntax, but what
850 about ordering? Do we need/want to compare objects/
851 attribute-values for order?
852 Explanatory text on a few of the basic attributes that doesn't
853 just repeat the section title.
854 Expand on the password policy types. Is the subdivision into
855 quality and management policies valid?
858 9 References
861 [I-D.ietf-krb-wg-kerberos-clarifications]
862 Neuman, C., "The Kerberos Network Authentication Service
863 (V5)", draft-ietf-krb-wg-kerberos-clarifications-05 (work
864 in progress), February 2004.
867 [I-D.ietf-krb-wg-kerberos-set-passwd]
868 Trostle, J., "Kerberos Set/Change Password: Version 2",
869 draft-ietf-krb-wg-kerberos-set-passwd-01 (work in
870 progress), October 2003.
873 [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network
874 Authentication Service (V5)", RFC 1510, September 1993.
877 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
878 Requirement Levels", BCP 14, RFC 2119, March 1997.
882 Author's Address
885 Leif Johansson
886 Stockholm university
887 Enheten f÷r IT och Media
888 Stockholm SE-106 91
891 EMail: leifj@it.su.se
892 URI: http://people.su.se/~leifj/
897 Johansson Expires December 30, 2004 [Page 14]
898 Internet-Draft An information model for Kerberos version 5 July 2004
902 Intellectual Property Statement
905 The IETF takes no position regarding the validity or scope of any
906 intellectual property or other rights that might be claimed to
907 pertain to the implementation or use of the technology described in
908 this document or the extent to which any license under such rights
909 might or might not be available; neither does it represent that it
910 has made any effort to identify any such rights. Information on the
911 IETF's procedures with respect to rights in standards-track and
912 standards-related documentation can be found in BCP-11. Copies of
913 claims of rights made available for publication and any assurances of
914 licenses to be made available, or the result of an attempt made to
915 obtain a general license or permission for the use of such
916 proprietary rights by implementors or users of this specification can
917 be obtained from the IETF Secretariat.
920 The IETF invites any interested party to bring to its attention any
921 copyrights, patents or patent applications, or other proprietary
922 rights which may cover technology that may be required to practice
923 this standard. Please address the information to the IETF Executive
924 Director.
928 Full Copyright Statement
931 Copyright (C) The Internet Society (2004). All Rights Reserved.
934 This document and translations of it may be copied and furnished to
935 others, and derivative works that comment on or otherwise explain it
936 or assist in its implementation may be prepared, copied, published
937 and distributed, in whole or in part, without restriction of any
938 kind, provided that the above copyright notice and this paragraph are
939 included on all such copies and derivative works. However, this
940 document itself may not be modified in any way, such as by removing
941 the copyright notice or references to the Internet Society or other
942 Internet organizations, except as needed for the purpose of
943 developing Internet standards in which case the procedures for
944 copyrights defined in the Internet Standards process must be
945 followed, or as required to translate it into languages other than
946 English.
949 The limited permissions granted above are perpetual and will not be
950 revoked by the Internet Society or its successors or assignees.
953 This document and the information contained herein is provided on an
954 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
955 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
956 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
961 Johansson Expires December 30, 2004 [Page 15]
962 Internet-Draft An information model for Kerberos version 5 July 2004
966 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
967 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
971 Acknowledgment
974 Funding for the RFC Editor function is currently provided by the
975 Internet Society.
1019 Johansson Expires December 30, 2004 [Page 16]