[3317] in Kerberos
Re: challenge/response -- hooks in V5?
daemon@ATHENA.MIT.EDU (Glen Zorn)
Sat May 21 21:34:12 1994
Date: Sat, 21 May 94 18:19:20 PDT
From: glenz@geek.ocsg.com (Glen Zorn)
To: bukys@cs.rochester.edu
Cc: kerberos@MIT.EDU
Liudvikas ~
: I have seen comments along the lines of "Kerberos V5 has hooks for
: incorporation of challenge/response authentication".
: I see that one vendor seems to have incorporated support for this type
: of user authentication device.
: I have scanned various V5 documents, but I haven't found exactly what
: the hooks are, or how general they are.
: Can someone point me in the right direction?
The KRB_KDC_REQ message contains a field called padata, which is described in
RFC 1510 as containing "authentication information which may be needed before
credentials can be issued or decrypted...This field may also contain
information needed by certain extensions to the Kerberos protocol. For
example, it might be used to initially verify the identity of a client before
any response is returned. This is accomplished with a padata field with
padata-type equal to PA-ENC-TIMESTAMP and padata-value defined as follows:

    padata-type ::= PA-ENC-TIMESTAMP
    padata-value ::= EncryptedData -- PA-ENC-TS-ENC

    PA-ENC-TS-ENC ::= SEQUENCE {
            patimestamp[0]               KerberosTime, -- client's time
            pausec[1]                    INTEGER OPTIONAL
    }

with patimestamp containing the client's time and pausec containing the
microseconds which may be omitted if a client will not generate more than one
request per second. The ciphertext (padata-value) consists of the PA-ENC-TS-ENC
sequence, encrypted using the client's secret key.
The padata field can also contain information needed to help the KDC or the
client select the key needed for generating or decrypting the response. This
form of the padata is useful for supporting the use of certain "smartcards" with
Kerberos. The details of such extensions are beyond the scope of this
specification.
If you have MIT's beta 3 code, you can look in lib/krb5/krb/preauth.c for a sample implementation of encrypted timestamp preauthentication.
<begin commercial message -- STOP READING IF THIS WILL OFFEND YOU>
Incidentally, our company's commercial K5 implementation supports
preauthentication using Security Dynamics token cards, with other mechanisms
to be supported Real Soon Now.
<end commercial message>
~ gwz
Glen Zorn                     Senior Scientist
glenz@OCSG.COM                CyberSafe Corporation
Since I was forced to write it by the alien parasite which attached itself to
my brain stem during my recent visit to an isolated area of Northern Arizona,
it could hardly be construed that this message would reflect either the
opinions or policies of my employer.
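The following is an added worked model of the PA-ENC-TIMESTAMP exchange described above; it is not code from the post, from MIT's preauth.c, or from CyberSafe. It keeps the RFC 1510 structure (a PA-ENC-TS-ENC of patimestamp plus optional pausec, carried as padata-value encrypted under the client's key) but replaces the ASN.1 DER encoding with JSON and the Kerberos encryption type with a stand-in stdlib construction (HMAC-SHA256 keystream plus an HMAC tag), so it runs offline. The KDC side shows what the padata buys: decrypting with the stored client key verifies the client before any reply is issued, the clock-skew check rejects old captures, and the (patimestamp, pausec) pair is what lets the KDC tell two requests in the same second apart. The principal name, password, skew window, key-derivation function and the choice of which RFC 1510 error code is returned for which failure are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import os

CLOCK_SKEW_SECONDS = 300  # assumption: 5-minute skew, the usual Kerberos default


def client_key_from_password(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption: PBKDF2-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in, not a Kerberos enctype.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for EncryptedData: nonce || (keystream XOR plaintext) || HMAC tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    # Returns None when the tag does not verify, i.e. wrong key or tampered data.
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_pa_enc_timestamp(client_key: bytes, now: int, usec=None) -> dict:
    """Client side: PA-ENC-TS-ENC { patimestamp, pausec OPTIONAL }, encrypted.

    pausec may be left out only if the client never sends two requests in the
    same second (RFC 1510 text quoted in the post); the KDC below shows why.
    """
    ts_enc = {"patimestamp": int(now)}
    if usec is not None:
        ts_enc["pausec"] = int(usec)
    body = json.dumps(ts_enc, sort_keys=True).encode()  # JSON stands in for DER
    return {"padata-type": "PA-ENC-TIMESTAMP", "padata-value": encrypt(client_key, body)}


class KDCPreauth:
    """KDC side: verify the client's identity from padata before issuing anything."""

    def __init__(self, principals: dict, skew: int = CLOCK_SKEW_SECONDS):
        self.principals = principals   # principal name -> client key (KDC's copy)
        self.skew = skew
        self.seen = set()              # (principal, patimestamp, pausec) already accepted;
                                       # a real KDC would prune entries older than the skew window

    def verify(self, principal: str, padata: dict, kdc_now: int) -> str:
        # The error names are RFC 1510 error codes; mapping each condition to a
        # particular code is a choice made for this example.
        key = self.principals.get(principal)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN"
        if padata.get("padata-type") != "PA-ENC-TIMESTAMP":
            return "KDC_ERR_PADATA_TYPE_NOSUPP"
        plain = decrypt(key, padata.get("padata-value", b""))
        if plain is None:
            return "KDC_ERR_PREAUTH_FAILED"   # not encrypted under this principal's key
        ts_enc = json.loads(plain)
        ts, usec = ts_enc["patimestamp"], ts_enc.get("pausec")
        if abs(kdc_now - ts) > self.skew:
            return "KRB_AP_ERR_SKEW"          # stale capture or badly skewed clock
        replay_key = (principal, ts, usec)
        if replay_key in self.seen:
            return "KRB_AP_ERR_REPEAT"        # same encrypted timestamp accepted before
        self.seen.add(replay_key)
        return "OK"
```

With pausec omitted, a second request in the same second carries an identical PA-ENC-TS-ENC and the KDC's replay check rejects it; with pausec present, both go through. Note that the replay set is only meaningful together with the skew check, since that is what bounds how long an entry must be remembered.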