Projects/RFC 4537

From K5Wiki
< Projects
Revision as of 13:24, 6 January 2009 by SamHartman (talk | contribs) (Project for enctype negotiation)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

An announcement has been sent to krbdev@mit.edu starting a review of this project. That review will conclude on January 10, 2009.

Comments can be sent to krbdev@mit.edu.

RFC 4537 defines an encryption type negotiation extension to Kerberos. This option allows clients and servers to use a stronger or faster bulk encryption mechanism even if the KDC does not support it. The client indicates a set of supported encryption types in the ap-req. If the server chooses one of these encryption types then it proposes a subkey in the ap-rep with an encryption type different than that selected by the client.

New krb5_mk_req option

The AP_OPTS_ETYPE_NEGOTIATION option is introduced. If this option is passed into krb5_mk_req, then the RFC 4537 authorization data is included in the AP-REQ. If this data is included and mutual authentication is used, then the server will see if any of the enctypes included in this option are preferred to the ticket session key enctype. If so, one of these enctypes is used to propose a subkey in the ap-rep.

GSS-API Integration

The GSS-API mechanism uses the AP_OPTS_ETYPE_NEGOTIATION option in gss_init_sec_context. If the acceptor returns a subkey of a different encryption type, it is used.