Published by Shannon Hall. Modified over 8 years ago.
1
GSSAPI-CFX
Larry Zhu
Microsoft Corporation
IETF 58
2
Goals
– Support cryptosystem framework
– Support AES enctypes in GSSAPI
– Backward compatible with existing apps
– Interoperability
3
Status of the draft
– Latest revision
  – draft-ietf-krb-wg-gssapi-cfx-03.txt
  – Submitted on 10/26/2003
– Design team: Ken Raeburn, Nicolas Williams, Sam Hartman, Karthik Jaganathan, Larry Zhu, Paul Leach et al.
4
Open issues in draft -03
– Generic token framing in per-message tokens (call for consensus)
– MUST vs SHOULD: acceptor-asserted-subkey (resolved)
– List of “not-newer” enctypes: name and values (resolved)
5
Questions and Comments
6
Kcrypto Enctypes

  Enctype                        Value  Section / notes
  des-cbc-crc                    1      6.2.3
  des-cbc-md4                    2      6.2.2
  des-cbc-md5                    3      6.2.1
  [reserved]                     4
  des3-cbc-md5                   5
  [reserved]                     6
  des3-cbc-sha1                  7
  dsaWithSHA1-CmsOID             9      (pkinit)
  md5WithRSAEncryption-CmsOID    10     (pkinit)
  sha1WithRSAEncryption-CmsOID   11     (pkinit)
  rc2CBC-EnvOID                  12     (pkinit)
  rsaEncryption-EnvOID           13     (pkinit from PKCS#1 v1.5)
  rsaES-OAEP-ENV-OID             14     (pkinit from PKCS#1 v2.0)
  des-ede3-cbc-Env-OID           15     (pkinit)
  des3-cbc-sha1-kd               16     6.3
* aes128-cts-hmac-sha1-96        17     [KRB5-AES]
* aes256-cts-hmac-sha1-96        18     [KRB5-AES]
  rc4-hmac                       23     (Microsoft)
7
What is new (from 1964)
– Directional keys
– 64-bit sequence numbers
– Generic token framing
– New token IDs: 0404 for MIC tokens, 0504 for Wrap tokens
– Direction indicator as a single flag bit
– “Extra Count”
– Right Rotation Count
– Empty context deletion tokens
8
What is new (cont’d)
– Acceptor asserted subkey
– Token ID assignment considerations
– Handling of unknown token IDs
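A sketch of how a receiver might parse the new per-message token header listed on the two slides above and reject unknown token IDs. This is an added example, not code from the presentation or the draft; it assumes the 16-byte header layout of RFC 4121 (the published form of this draft), which may differ from revision -03, and the function names and sample bytes are constructed for illustration.

```python
import struct

TOK_MIC, TOK_WRAP = 0x0404, 0x0504  # token IDs named on the slide
# Flag bit positions as assigned in RFC 4121 (assumed to match the draft)
SENT_BY_ACCEPTOR, SEALED, ACCEPTOR_SUBKEY = 0x01, 0x02, 0x04
# Constructed sample: Wrap header, sealed + acceptor subkey, EC=0, RRC=28, seq=1
SAMPLE_WRAP_HEADER = bytes.fromhex("050406ff0000001c0000000000000001")


def parse_header(token: bytes) -> dict:
    """Parse the 16-byte header of a CFX MIC or Wrap token."""
    if len(token) < 16:
        raise ValueError("token shorter than the 16-byte header")
    tok_id, flags = struct.unpack(">HB", token[:3])
    if tok_id == TOK_WRAP:
        # Wrap: 1 filler octet, then Extra Count and Right Rotation Count
        filler, ec, rrc = struct.unpack(">BHH", token[3:8])
        if filler != 0xFF:
            raise ValueError("bad filler in Wrap token")
    elif tok_id == TOK_MIC:
        # MIC: 5 filler octets, no EC/RRC fields
        if token[3:8] != b"\xff" * 5:
            raise ValueError("bad filler in MIC token")
        ec = rrc = 0
    else:
        raise ValueError(f"unknown token ID {tok_id:04x}")
    (seq,) = struct.unpack(">Q", token[8:16])  # 64-bit sequence number
    return {
        "type": "wrap" if tok_id == TOK_WRAP else "mic",
        "sent_by_acceptor": bool(flags & SENT_BY_ACCEPTOR),
        "sealed": bool(flags & SEALED),
        "acceptor_subkey": bool(flags & ACCEPTOR_SUBKEY),
        "ec": ec, "rrc": rrc, "seq": seq,
    }


def check_direction(hdr: dict, we_are_acceptor: bool) -> None:
    """Reject a token whose direction bit says it was sent by our own role."""
    if hdr["sent_by_acceptor"] == we_are_acceptor:
        raise ValueError("token reflected back to its sender")


def undo_rotation(body: bytes, rrc: int) -> bytes:
    """Reverse the sender's right rotation of the octets after the header."""
    if not body:
        return body
    r = rrc % len(body)  # the count is taken modulo the data length
    return body[r:] + body[:r]
```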
9
Inherited from 1964
– Everything else, with minor improvements:
  – Delegation KRB_CRED MUST be encrypted in session key
  – Channel binding encoding clarified