OSF DCE SIG | S. B. Fairthorne (ICL/Sesame) | |
Request For Comments: 19.0 | December 1992 |
This is the first of a potential series of DCE-RFCs proposing enhancements to the security features of DCE, based on work done by the Sesame consortium.\*(f! The
Sesame is an acronym (with appropriate security connotations) for Secure European System for Applications in a Multivendor Environment. The member companies of the Sesame consortium are Bull, ICL and SNI.DCE 1.1 enhancements proposed in the present DCE-RFC provide a much smaller increment than those in the so-called Sesame 1.X proposal presented at the DCE 1.1 review meeting in July 1992 -- with fewer functional extensions to DCE 1.0 based on existing mechanisms and protocols. This proposal also complements other DCE-RFCs on expected security enhancements to DCE for DCE 1.1. Thus, the current proposal represents a thoughtfully integrated solution for inclusion of major Sesame features into DCE.
At the same time, a vision for the path forward from DCE 1.1 has been developed, which shows how the initial increment being offered here lays the ground work for further enhancements. These further enhancements will be the subject of future DCE-RFCs.
The main objectives of the current proposal are:
The proposal in this DCE-RFC is a natural extension to DCE 1.0, using existing security services and protocols where possible. It makes no changes to the Authentication Service (AS) and Key Distribution/Ticket Granting Service (TGS) components of DCE 1.0 (sometimes referred to by the Kerberos terminology of Key Distribution Center (KDC)). Full support for existing DCE 1.0 functionality and protocols is retained (though new and enhanced security operations are provided, with new and extended arguments and returns), and the client and security server codes paths executed for those targets accepting DCE 1.0 service tickets remain virtually unchanged.
The proposal introduces optional use of public key technology -- PACs can be signed (integrity protected using public key technology) or sealed (integrity protected using symmetric key technology). It also prepares for wider use of public key technology in future. Therefore, central to the proposal is a restructuring of the ticket for DCE 1.1 application services to separate the key handling and access privileges. This allows use of different key distribution options and reduces the amount of encryption used. Also, separate keys for protecting the integrity and confidentiality of user data can be used so integrity protection can be strong while confidentiality protection can be weaker. These central changes are described in Section 2.
A client's rights may be delegated to a server which may then allow these rights to be delegated further. It is possible to control whether delegation is allowed, and if so, which individual targets, or groups of targets can act as delegates for a client. The chain of delegates between the initiator and final target can also be traced. The same delegation facilities are offered independently of the key technology option used. The secret key case is essentially that described in [RFC 3.0] though there are minor changes for consistency with the public key case. (Note: DCE-RFC 3 is undergoing changes to accomodate this.) Delegation functionality and options are described in Section 3.
The proposal includes support for a wider range of privilege attributes such as those needed to support non-UNIX systems. [RFC 6.0] allows the registry to contain an extended set of attributes. This proposal allows these to be included in PACs and then made available to applications via an API. This is described in Sections 4 and 6.
The extended security services, such as the Privilege Service, audit significant security related events, though it should be noted that no changes are proposed to the AS in this DCE-RFC. Use will be made of any audit service that might be provided in response to [RFC 1.0], though if this is not available, audit records will be stored in files locally.
Some changes are also proposed to simplify administration; privileges and controls which apply to a user session can be selected automatically based on the role the user is taking in the session. Audit and management changes are described in Section 5.
The security facilities proposed are available to non-RPC as well as RPC applications. The API supported for these non-RPC applications is an extension to the GSS-API in [RFC 5.0]. The APIs affected by these enhancements are described in Section 6 below.
The extensions to the Privilege Server protocol are described in Section 7 and the updated data structures, including the PAC syntax, are described in Section 8.
The diagram below shows the main exchanges with the security services from a user logging in to accessing a server. For simplicity it does not show getting new privileges during a user session or intercell exchanges.
.ft 5
+--------+ +------+ authenticate +------+ |enhanced|-|------|----------------------------| | | DCE | | | (returns TGT) | AS | | login | | | | | +--------+ | | get PS ticket +------+ | |----------------------------| | |client| +----| | | | get privileges | | TGS | | |-----------------------| PS | | | | (returns PTGT & EPAC) | | | | | +----| | | | get service ticket | | | |----------------------------| | | | +------+ | | |get ticket etc. | | |for delegation | | | | | +-----+ +------+ +-----+ +------+ | | | PVF |-| | | PVF |-| | | | call server +-----+ |server| +-----+ |server| | |-----------------------| A |---------| B | | | (sends ticket & EPAC) | | | | | | +------+ +------+ | | | | | | +------+ +------+ | | | DACL | | DACL | +------+ +------+ +------+
.ft 1
Initial exchanges with the existing AS and TGS components of the KDC are unchanged. An enhanced DCE login provides a command line interface to the user for authentication and selection of attributes.
The Privilege Server is extended as follows:
The Privilege Ticket Granting Ticket (PTGT) and ticket formats are unchanged, so the TGS is still used to obtain service tickets, but instead of containing privilege attributes, these contain a link to an Extended Privilege Attribute Certificate (EPAC) (described in Section 2) which contains the attributes. It is also still possible to generate DCE 1.0 style tickets.
A client, when calling a server, passes the EPAC as well as the ticket. A PAC Validation Facility (PVF) checks the PAC and ticket at the server and only releases the keys for dialogue protection if the PAC is accepted. This is a separate component for increased assurability.
The server may use privilege attributes (in UUID form) from the PAC for access control to its own objects via DCE ACLs in the usual way. It may also obtain privilege attributes from PACs and use them in other types of authorisation mechanisms.
The first server called may go on to delegate the access privileges obtained to a further server, provided delegation controls allow this. Server B may optionally base access control decisions on the rights of server A as well as those of the original user.
A major part of this proposal is a restructuring of the ticket for DCE 1.1 application servers. It is split into a ticket which handles communications security, linked to an EPAC which carries access privileges. This helps achieve the two objectives of enabling the use of confidentiality to be reduced (as the EPAC does not now need to be encrypted) and separating key distribution from access control management -- the ticket design has been insulated from future design choices for particular contents of the EPAC (and vice versa). In this proposal, however, key management remains unchanged from DCE 1.0.
The syntax of tickets, including PTGTs, is unchanged and they are encrypted as in DCE 1.0. The authorisation data can take one of three forms depending on whether the target servers to be accessed are:
For DCE 1.1 servers, the EPAC contains the user's access control privileges, along with administrative and control information. Existing identity and group privileges are all supported within an EPAC syntax which also provides for additional attribute types and controls. Existing DCE ACLs (DACLs) can use privileges from EPACs with no changes to DACL contents being required, subject to the choice of delegation controls. The delegation controls in the EPAC are described in Section 3.
In the symmetric case, the authorisation field in the ticket contains a hash of the EPAC to act as the link between the ticket and EPAC. The EPAC itself includes this same hash encrypted under the secret key of the Privilege Service (PS), shared only with the KDC. In other words, it is sealed by the PS. This enables the PS to validate the EPAC independently of any ticket to which it is linked.
.ft 5
PTGT or other ticket EPAC +------------------------+ +-------------------------------------+ | | hash of | | | delegation and | privilege | hash/ | | | EPAC | | | other controls | attributes | seal | +------------------------+ +-------------------------------------+ | | +----------------------------------------------------+
.ft 1
In the asymmetric case also, the EPAC includes a hash which this time is asymmetrically encrypted by the private key of the PS instead of being symmetrically encrypted in the PTGT. In other words the EPAC is now signed by the PS. The link between the PTGT and the EPAC is looser. They are linked by means of a Ticket Requester Identifier (TRID) held in both PTGT and EPAC. The TRID at DCE 1.1 is a random, unique identifier invented by the PS for this client (though in future releases, it may be a managed value which can identify the environment or location in which the client is operating). More than one EPAC or ticket for that requester can have the same TRID value.
.ft 5
PTGT or other ticket EPAC +---------------------+ +----------------------------------------+ | | TRID | | |delegation and | privilege | TRID |hash/| | | | | |other controls | attributes| |sign.| +---------------------+ +----------------------------------------+ | | +----------------------------------------------+
.ft 1
EPACs give the client's rights, tickets handle the communications security. One EPAC may be used with several tickets where the client's rights are to be passed to a number of different targets. Also, a ticket for a target could be used at different times with different EPACs belonging to the same client.
The changes are further explained below in the form of a walk-through. Only access to DCE 1.1 servers is described in the following walkthrough, as access to DCE 1.0 servers is unchanged. Delegation is also not described here; it is described in Section 3.
For DCE 1.1 servers, the PTGT returned is accompanied by a separate EPAC, and possibly other control information depending on the delegation options and EPAC protection methods in use (see Section 3).
If the client calls on a server in another cell, the exchanges with the TGS in both client and foreign cells are as in DCE 1.0 (possibly updated to take into account hierarchic cells as described in [RFC 7.0]). In the case of symmetric PAC protection, the calls on the foreign PS also pass the EPAC so this can be resealed. However, when asymmetric PAC protection is being used, the exchange with the foreign PS is not needed as the PVF at the target system can use the public key of the client's PS to validate the PAC.
Protection of DCE 1.0 tickets continues to be supported unchanged. DCE 1.0 tickets carry access privileges inside them (the DCE 1.0 PAC) and remain non-delegatable. They are exchanged and protected via existing protocols and existing symmetric cryptographic techniques.
DCE 1.1 introduces a separation between the PAC (now extended to become the EPAC, as already described) and the DCE 1.1 ticket (which no longer contains privileges). The DCE 1.1 ticket itself is protected in the same way as the DCE 1.0 ticket, but the EPAC is not encrypted; it is integrity protected as described in Section 2.1.
Sealed non-delegatable EPACs are validated by the PVF by calculating the EPAC checksum and comparing it with the value found in the decrypted ticket.
Signed non-delegatable EPACs are validated by the PVF by:
Both sealed and signed PACs can contain optional Target Qualifier Attribute fields (see also Section 3.2); the PVF will reject the EPAC if the target application at which the EPAC is aimed does not qualify. If the target application is a member of one of the groups listed, or its identity is listed, then the target qualifies.
While existing DCE 1.0 security services will use encryption as before, a Cryptographic Support Facility (CSF) is provided for DCE 1.1 functions which allows plug-replaceable algorithms. The API to this is a general one providing interfaces to encrypt, decrypt, sign and verify data while hiding the actual algorithms and key formats used. These functions are implementations of:
The CSF is a library used by security components such as the PS, PVF and RPC and components (such as the GSS-API support routines for non-RPC applications) which need to ensure the confidentiality and integrity of data in transit. The level of protection of the exchanges is configurable. It can, for example, provide weak confidentiality and strong integrity.
Public key technology is implemented as a natural extension to the cryptography facilities. The use of public key technology offers security benefits particularly in larger systems but is not mandatory, and cells supporting public key technology can use secret key technology to interwork with those which do not (though mixed technology delegation chains are not supported).
At DCE 1.1 public key technology is used only for signing EPACs. This reduces the number of exchanges with security servers needed for intercell working, since PS public keys can be directly known at servers in multiple domains without risk of compromise of the PS domain. It also improves the performance of delegation, since (as will be seen in Section 3) the PS does not need to be visited on each leg of the delegation chain.
Interfaces are put in place so no interface change is required when public key technology is used for key distribution.
Certificate Authorities (CAs) are used to sign public key certificates for PS public keys using the X.509 certificate syntax. Initially only the PS will use a public key pair, and servers will be able to obtain a certificate for its public key either from the CDS, or by manual installation in the target server system. CAs are expected to serve many cells, producing certificates for their PS's keys. Later, this will be extended to allow CAs to be arranged in a hierarchy, and to allow certificates to be obtained from the GDS, but in DCE 1.1 CA keys will be installed in servers by management action.
A user or client may allow an application to use its rights by proxy, i.e., it may delegate its rights to another. This application may in turn delegate the client's rights further, for example, a user's rights may be delegated to a business application which then delegates them to a database server which uses them when handling records belonging to that user.
The client may want to control the extent to which its rights can be passed on. Each target application may wish to control access to its objects based on both the original user's rights and the delegates who passed them on.
The delegation proposal here is a unification of the existing DCE 1.1 delegation proposal [RFC 3.0], and the simpler CV/PV mechanism (see Section 3.3.1 for the definitions of CV and PV) originally proposed in the Sesame proposal dated 4th of July 1992. Some minor changes to [RFC 3.0] are proposed for compatibility with the asymmetric case and also some changes to the API are proposed to ease support of non-RPC as well as RPC applications.
Different levels of delegation are supported for DCE 1.1:
A target can upgrade to use fully controlled delegation facilities in gradual stages: first accepting simple delegation, then accepting delegation provided it is traced, then accepting delegation provided the traced delegates have appropriate access rights in the DACL. However, the simple level of delegation will be adequate for many cases.
All delegation options are provided for both symmetric and asymmetric EPAC protection options, with the same administration image and the same API support.
Applications at target systems can control access using the standard DCE ACLs with controls based on the original owner's rights. When tracing is used, a target can make access control decisions based not only on the access rights of the original initiator, but of all the delegates. For this case, the target modifies its DACL to include delegation access rights. The appropriate DACL semantics for this are described in [RFC 3.0].
While many applications are not expected to want detailed control over delegation, for those security aware applications which do want to set their own controls, APIs are provided as specified in Section 6.
This Section describes the controls as seen by the administrator or security aware application which wants to control delegation. It is possible for delegation controls to be entirely specified by principals (humans and applications) calling on the APIs in Section 6. However, administrators will often want some control of delegation, in line with the security policy, particularly because many principals will not be sufficiently informed to do this themselves. The administrator's view is given in 5.2.
Delegation and other restrictions on the legitimate users of an EPAC are included in the EPAC itself, or passed with it as described below and can be checked by both delegates in the chain and the final target applications. Some delegates may use the client's rights in the EPAC for their own access control as well as passing them onto others.
The following control attribute types in the EPAC are used to validate whether a server can use the EPAC either as a target, or a delegate:
Applications can be grouped into application trust groups and the control attributes above can identify applications either individually or by their group membership. The advantage of the latter is the flexibility and ease of administration of delegation control. The administrator can choose what sort of groups he wants, depending on the installation's needs. For example, he might define a few large groups of applications to separate major areas such as administration, finance etc. Some services, such as file or print services, could belong to several groups. Alternatively, he could define more smaller groups for finer control. Tight controls have a penalty in the extra cost of implementing and administering them.
More generally, different levels of constraint can be provided by appropriately confined or open values when nominating valid targets or delegates. If no target controls are specified, an EPAC can be valid at any target which accepts that kind of delegation.
It is also possible to include other control attributes in the EPAC which restrict when and how it can be used. These include controls such as time constraints and attributes such as the required and optional restrictions described in [RFC 3.0]. Required and optional restrictions are represented by specific security attribute types in the EPAC and are supported for all forms of delegation.
A target can just insist that the route has been traced, without using delegate rights for access control. In this case, the target knows that all delegates have been empowered with the ability to become a delegate by virtue of the traceable EPACs they are able to obtain from the PS.
At the API, the client annotates a login context with delegation constraints. Subsequent calls to use this context cause a request to the PS for an EPAC containing attributes reflecting those constraints, and a request to the TGS for a ticket to talk to the server (where suitable ones have not been cached). The server receiving these items establishes a login context reflecting the delegation from the client. This server may annotate the context with further constraints. Again, suitable tickets and EPACs are forwarded to the next server called.
Note: Non-RPC applications will use the GSS-API style of interface and refer to credentials rather than login contexts. (In practice, the only difference between a login context and a set of credentials is the form of handle used to access them.)
This Section describes the mechanisms used to support delegation in both symmetric and asymmetric EPAC options. These mechanisms are not visible at the API and this Section can be skipped on first reading by those who do not want to understand how the facilities are provided.
Protection and control values are used to protect EPACs, particularly when delegation uses asymmetrically signed EPACs. They allow the same EPAC to have different restrictions at different targets.
Any qualifier attributes about targets can be associated with a value in the EPAC known as a Protection Value (PV). The PV is a one-way function of a matching value known as the Control Value (CV) which the PS returns to the client with the EPAC encrypted under the key being used to protect the EPAC request. (The PS calculates the PV from a randomly generated CV.) Apart from the PS itself, only the original requester of the EPAC now knows the CV, though subsequently other principals may learn it by being passed it with the EPAC.
The client sends the CV encrypted under the session key with the EPAC to the target. The target checks that:
The target now knows:
More than one group of controls can appear in an EPAC, each one associated with a different PV. When the same EPAC is used at different times with respect to different targets, an appropriate group of controls can be activated by the sender transmitting the corresponding CV.
Use of CV/PVs is not always required. For example they are not required for non-delegatable EPACs.
Whether tracing is required or not, the mechanism for handling delegation is as described in [RFC 3.0] with the following differences:
The PVF at a target receiving an EPAC will first check whether it has come directly from the original requester of the EPAC. It does this by making the TRID check as described in Section 2.3. If this check fails, the EPAC is being delegated and must be accompanied by a CV. The target PVF checks that untraced delegation is acceptable to it, and if so, that the CV corresponds to a PV in the EPAC and that the DQA or TQA values associated with the PV are appropriate for itself. If these checks are passed, the EPAC can be said to have been properly presented by an acceptable delegate for use at this target.
The target itself is now potentially in a position to use the incoming EPAC acting as a delegate itself, since its PVF now knows the CV. However, the PVF will only release the CV if the target is a valid delegate.
In simple delegation, delegates do not require EPACs of their own, and do not need to visit the PS to get their position as delegates authorised in any way.
When public key technology is being used to provide EPAC protection, delegation with trace is provided using EPAC chaining along the lines of [VAB]. The provision of DQA controls in the initial EPAC in the chain prevents the delegation attack to which [VAB] indicates that this method is susceptible. The chaining technique is also more flexible: multiple potential forward pointers can be present in an EPAC, from which one can be dynamically selected on any particular use of the EPAC by using a CV as described in Section 3.3.1. The additional EPAC fields that have been defined for chaining are:
This field is associated with a flag which indicates if this PAC is of a delegate or not.
The NTQA in an EPAC in a delegation chain will have the same value as the OQA of the next EPAC in the chain.
When delegation is traced, delegates require EPACs. However, provided that the delegates on the route have already obtained EPACs containing appropriate NTQAs there is no need for a delegate to visit the PS for each instance of an actual delegation (delegate EPACs can be relatively long lived and they can for example be obtained at the start of day -- they can be created with NTQAs directed at commonly used next targets).
A sequence of EPACs is built up along the delegation route in a similar way to the symmetric case. The ticket accompanying them however contains, on each leg, only the TRID of the direct invoker; i.e., the ticket is always a normal ticket for the last EPAC that was added and no accumulation of TRIDs is made in tickets. This permits tickets that have been already obtained by delegates to be used with newly received EPACs, with consequent performance improvements.
A target receiving such a sequence with a ticket makes the following checks:
This proposal supports an extended range of attribute types and values in EPACs as follows:
The APIs at target systems permit these attributes to be extracted in a transparent way so that API callers there (often the applications themselves) can use them in access control decisions independently of any local operating system controls. In this way the door will be opened to OSF DCE users for them to provide further extensions of their own design to the support of access control policy in applications. These can either be entirely within the OSF DCE regime, or to support interworking with non-DCE systems.
[RFC 6.0] provides registry support for an extended range of attribute types and values. To complement this, the syntax of the EPAC has been designed so that any of these attributes can be carried in it. The syntax can be anything [RFC 6.0] permits, and therefore does not need to be confined to the current DCE/UNIX style attributes such as UUIDs.
DCE 1.1 continues to supports the current principal identity and group attributes and also supports a role attribute which is a type of group attribute. All these are in UUID form and can be used in existing DCE ACLs.
Attributes can be specified with values other than UUIDs. For example, global names, directory distinguished names, simple strings or ASN.1 object identifiers can be specified. The attribute can have a pair of values with a defining authority permitting attributes other than those defined in the initiating cell to be inserted in the EPAC.
The user wants a simple interface to the system so does not want to have to understand and request all the privileges and controls he needs. The administrator wants to control what privileges the user is allowed but does not want to specify each privilege individually for each user and then update these whenever a user's job changes. Similarly, many business applications would like to control access on the basis of the job an individual is doing in the organisation. The user must be uniquely accountable for his or her actions, but the user's identity need play no part in actual access control decisions. In this way, access control lists can be established independently of knowing which specific users have what particular jobs in the organisation, and are insulated from management change when the user population changes.
To help satisfy these requirements, the concept of a role is introduced. A user may potentially be allowed to take more than one role, though will be acting in only one at a time. Not all users need have roles, since in some security policies, roles are not relevant.
A user working in a particular role is likely to need particular privileges and controls which give the required access to particular applications and services. For example, he may need to be a member of a particular group and have access to particular target application groups.
The administrator defines the set of attributes which is associated with a role. He also defines which users can take which roles. At the start of a session, the user specifies the role name (or gets a default) which automatically gives him the associated attributes.
Some of the advantages of this are:
Support of roles requires some extra information in the registry which the administrator can maintain. This is:
This is done using the extended registry attribute proposal ([RFC 6.0]) with some additions.
The extended attributes are defined and used as follows:
In DCE 1.1 targets, the DACL manager routines will be modified to use the get attributes interface to obtain the incoming context attributes instead of the current interface which is specific to DCE 1.0 PACs. This provides access to the extended attributes, such as the delegation controls, and will also enable the DACL routines to be insulated from any further changes to the methods by which a principal's privileges are established.
For attributes like principal ids and groups, which are identified by separate UUIDs for the cell and principal/group, existing DCE 1.0 rules are normally used. Only attributes from the client cell are accepted and can be used for access control in DCE ACLs and elsewhere.
However, DCE 1.1 allows an administrator to set up trust relationships with specified cells (or all cells) and decide whether to accept all or just certain attribute types from these cells. This is not confined to attributes with UUID values, it can apply to attributes types with, for example, global names or defining authority and value.
Some attribute types are expected to be understood across cells, for example the application trust group used in delegation.
All security related events detected by the enhanced DCE 1.1 security components can be audited. A unique audit ID is assigned to each principal to ensure personal accountability across the system. It is an extended attribute of a user and is put in the EPAC by the PS.
The audit ID of the initiator, and those of the delegates if delegate tracing is in use, are extracted from the EPACs and written to the audit records.
The following events are audited by components described in this DCE-RFC:
Furthermore, all security relevant administrative operations can be audited.
This audit proposal fits with [RFC 25.0].
The administrator can set delegation and other controls as follows:
-- so that these do not need to be specified by all applications at run-time.
Other changes are associated with facilities described earlier in the document.
This Section specifies the APIs used by applications. These are generic APIs which hide the details of the security mechanisms used. For RPC applications, they extend the existing RPC API so use rpc binding handles. For non-RPC applications, the generic APIs are an extension to the GSS-API as proposed in [RFC 5.0]. Underlying these are the interfaces to the security services such as the enhanced Privilege Server. The PS interface is only used by security software such as that supporting the RPC run-time library and is described in Section 7.
This operation annotates the specified binding handle so that it can be used to make authenticated RPC calls. Used by the more security aware RPC applications, it sets the controls that are to be applied (e.g., validity time, restrictions on attributes, proxy) in addition to those already associated with the binding handle. The authentication and authorisation information for the binding handle is also set up, see \*(sBrpc_binding_set_auth_info(3rpc)\*(sE. Unless an application calls this routine or \*(sBrpc_binding_set_auth_info(3rpc)\*(sE all remote procedure calls made on the binding handle are unauthenticated. This routine may be used instead of \*(sBrpc_binding_set_auth_info(3rpc)\*(sE by security aware applications.
Signature:
.ft 5
This operation gets the authentication attributes associated with the specified binding handle. The calling client associates the authentication attributes with the server binding handle by prior use of the set authentication binding attributes operation. The RPC runtime allocates memory for the returned \*(sBprinc_name\*(sE argument. The caller is responsible for calling the \*(sBrpc_string_free()\*(sE routine for the returned argument string. This routine may be used instead of \*(sBrpc_binding_inq_auth_info(3rpc)\*(sE by security aware client applications. It returns the controls that are applied (e.g., validity time, restrictions on attributes, proxy). The authentication and authorization information from the binding handle is also returned (see \*(sBrpc_binding_inq_auth_info(3rpc)\*(sE).
Signature:
.ft 5
A server manager routine uses this operation to set-up a server binding handle so that it can be used to make authenticated remote procedure calls on behalf of the client to another server. It sets up a binding handle for an outgoing RPC on behalf of the distant client. Used by server applications.
Signature:
.ft 5
Returns the security attributes from the binding handle for an authenticated client. This operation gets the authentication attributes associated with the client specified client binding handle. The calling server manager routine can use the returned data for authorization purposes. The authentication and authorization information from the server binding handle is also returned (see \*(sBrpc_binding_inq_auth_client(3rpc)\*(sE).
Signature:
.ft 5
For non-RPC applications, the Generic Security Service API defined in [GSS-API] is used for supporting secure associations between client and server and support facilities such as mutual authentication and data confidentiality and integrity. The most important GSS-API calls are \*(sBGSS_Init_sec_context()\*(sE which is called by a client (using the default or specified credentials) to obtain the security information needed and make the association, and \*(sBGSS_Accept_sec_context()\*(sE which is called by the server accepting the association.
The calls to change between DCE login contexts and GSS-API credentials and vice versa (\*(sBGSSDCE_LoginContext_To_Cred()\*(sE and \*(sBGSSDCE_Cred_To_LoginContext()\*(sE) specified in [RFC 5.0] are also supported.
In addition to these, two extra calls are introduced. Modify credentials is used to request a set of privileges and controls and Get attributes allows the caller to retrieve attributes associated with credentials.
This is used to request a set of privileges and controls, optionally modifying existing credentials or creating a new set. Repeated calls to modify an existing set of credentials are cumulative.
Signature:
.ft 5
This is used to get attributes associated with credentials or security context. Two important usages of this API are:
Signature:
.ft 5
.ft 5
Suppose the required controls are:
Then the \*(sBgss_target_control_set\*(sE structure is as follows (in pseudo-code):
The following are the RPC calls used to obtain PTGTs and EPACs from the Privilege Server. These calls are not normally visible to applications who use the interfaces described in Section 6. They can be used by clients in a non-DCE environment. The data structures used are described in Section 8. New parameters for DCE 1.1 are noted.
Signature:
.ft 5
Input:
Output:
Signature:
.ft 5
Input:
Output:
Description: The PS modifies the validity time as defined in the registry policy, checks the validity time for renew PTGT and signs against the EPAC.
This DCE-RFC introduces:
The data is described here in DCE IDL, though an ASN.1 definition of the PAC is also available. This Section describes the essential components, not all fields are expanded here.
This field of the ticket contains the cryptography technology used to protect the PAC; and, for the symmetric cryptography, the PAC serial number and a hash of the PAC.
.ft 5
.ft 5
.ft 5
This DCE-RFC has been produced by the Sesame consortium, with the consultation and encouragement of Joseph Pato (HP). Sesame members who contributed to this document include Eric Baize (Bull), Hiep Doan (Bull), Belinda Fairthorne (ICL), Stephen Farrell (SNI), Peter Hartmann (SNI), Per Kaiser (SNI), Piers McMahon (ICL), Tom Parker (ICL) and Denis Pinkas (Bull).
Belinda Fairthorne | Internet email: | |
ICL | s.b.fairthorne@rea0805.wins.icl.co.uk | |
Kings House | Telephone: +44 734 855127 | |
33 Kings Road | ||
Reading | ||
Berkshire RG1 3PX | ||
ENGLAND |