PKU2U – A peer2peer GSS-API mechanism based on PKINIT
Presentation Transcript

  1. PKU2U – A peer2peer GSS-API mechanism based on PKINIT
  Larry Zhu, Microsoft, IETF 67

  2. Motivation
  • PKINIT allows Kerberos to use asymmetric keys
  • No hierarchical trust in peer-to-peer environments, i.e. no KDC
  • No interoperable GSS-API mechanism that uses public keys

  3. Previous/Related Work
  • PKDA - Public key based Kerberos for Distributed Authentication
  • requires Kerberos extensions
  • PKTAPP - Public Key Utilizing Tickets for Application Servers
  • LTGS uses port 88

  4. PKU2U
  • Public Key based User-to-User authentication protocol
  • Uses PKINIT (RFC 4556) and RFC 4120 messages
  • Replaces the KDC with the application server
  • All traffic tunneled in GSS-API messages
  • Uses RFC 4121 for all GSS-API primitives
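
The exchange described on slide 4, as an added worked example; this is not code from the slides, from the PKU2U draft, or from Microsoft's implementation. It runs all three messages between two peers in one process: the client sends an AS-REQ whose PKINIT-style AuthPack (nonce, time, DH value) is signed with its own key; the application server plays the KDC, checks that signature against its own trust store, and answers with an AS-REP carrying its signed DH value, a ticket sealed under the server's own long-term key, and the session key encrypted under the DH-derived reply key; the client then presents the ticket in an AP-REQ and the server, being its own KDC, opens it. Everything about the encoding is a simplification assumed by this example: Ed25519 keys and a per-peer trust map stand in for X.509 certificates and path validation, JSON for the ASN.1 of RFC 4120/4556, X25519 plus a SHA-256 hash for the RFC 4556 key agreement and octetstring2key, AES-256-GCM for Kerberos EncryptedData, and the RFC 4121 GSS-API token framing that carries these messages is left out entirely. The peer names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Peer is one end of the exchange. Sign stands in for the X.509 certificate PKINIT carries, Trusted for an
// out-of-band trust store (assumed: no CA, no KDC), and TicketKey is the server's own long-term ticket key.
type Peer struct{ Name string; Sign ed25519.PrivateKey; Trusted map[string]ed25519.PublicKey; TicketKey []byte }
type AuthPack struct{ Client string; Nonce, DH []byte; Time int64 } // signed body of PA-PK-AS-REQ (RFC 4556)
type ASReq struct{ AuthPack, Sig []byte }
type ASRep struct{ KDCDH, Sig, Ticket, EncPart []byte } // Sig covers KDCDH||nonce, like KDCDHKeyInfo
type Ticket struct{ Client string; SessionKey []byte; Expires int64 }
type EncASRepPart struct{ SessionKey, Nonce []byte; Server string }
type APReq struct{ Ticket, Authenticator []byte }

func randBytes(n int) []byte        { b := make([]byte, n); rand.Read(b); return b }
func mustJSON(v any) []byte         { b, _ := json.Marshal(v); return b } // JSON stands in for ASN.1
func concat(a, b []byte) []byte     { return append(append([]byte{}, a...), b...) }
func gcmFor(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }
func seal(key, pt []byte) []byte    { n := randBytes(12); return gcmFor(key).Seal(n, n, pt, nil) } // EncryptedData stand-in
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 { return nil, fmt.Errorf("short ciphertext") }
	return gcmFor(key).Open(nil, ct[:12], ct[12:], nil)
}
func ecdhShared(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) { // rejects malformed and low-order points
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil { return nil, err }
	return priv.ECDH(pub)
}
func replyKey(shared, nonce []byte) []byte { h := sha256.Sum256(concat(shared, nonce)); return h[:] } // not RFC 4556's KDF
func NewPeer(name string) *Peer {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Peer{Name: name, Sign: priv, Trusted: map[string]ed25519.PublicKey{}, TicketKey: randBytes(32)}
}
func Trust(a, b *Peer) { a.Trusted[b.Name] = b.Sign.Public().(ed25519.PublicKey) } // out-of-band certificate trust

func ClientStart(c *Peer) (ASReq, *ecdh.PrivateKey, []byte) { // AS-REQ; the client keeps its DH key and nonce
	dh, _ := ecdh.X25519().GenerateKey(rand.Reader)
	nonce := randBytes(16)
	ap := mustJSON(AuthPack{Client: c.Name, Nonce: nonce, DH: dh.PublicKey().Bytes(), Time: time.Now().Unix()})
	return ASReq{AuthPack: ap, Sig: ed25519.Sign(c.Sign, ap)}, dh, nonce
}
func ServerHandleASReq(s *Peer, req ASReq) (ASRep, error) { // the KDC role, played by the application server itself
	var ap AuthPack
	json.Unmarshal(req.AuthPack, &ap) // a parse failure leaves Client empty, which the trust check rejects
	if pub, ok := s.Trusted[ap.Client]; !ok || !ed25519.Verify(pub, req.AuthPack, req.Sig) {
		return ASRep{}, fmt.Errorf("client key untrusted or signature invalid")
	}
	dh, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, err := ecdhShared(dh, ap.DH)
	if skew := time.Now().Unix() - ap.Time; err != nil || skew > 300 || skew < -300 {
		return ASRep{}, fmt.Errorf("bad DH value or clock skew over 5 minutes")
	}
	sk, kdcDH := randBytes(32), dh.PublicKey().Bytes()
	tkt := mustJSON(Ticket{Client: ap.Client, SessionKey: sk, Expires: time.Now().Add(time.Hour).Unix()})
	enc := mustJSON(EncASRepPart{SessionKey: sk, Nonce: ap.Nonce, Server: s.Name})
	// The ticket is sealed under the server's own key: with no KDC, issuer and consumer are the same host.
	return ASRep{KDCDH: kdcDH, Sig: ed25519.Sign(s.Sign, concat(kdcDH, ap.Nonce)),
		Ticket: seal(s.TicketKey, tkt), EncPart: seal(replyKey(shared, ap.Nonce), enc)}, nil
}
func ClientFinish(c *Peer, server string, rep ASRep, dh *ecdh.PrivateKey, nonce []byte) (APReq, error) { // AS-REP -> AP-REQ
	if pub, ok := c.Trusted[server]; !ok || !ed25519.Verify(pub, concat(rep.KDCDH, nonce), rep.Sig) {
		return APReq{}, fmt.Errorf("server key untrusted or signature invalid")
	}
	shared, err := ecdhShared(dh, rep.KDCDH)
	if err != nil { return APReq{}, err }
	pt, err := open(replyKey(shared, nonce), rep.EncPart)
	var enc EncASRepPart
	if err != nil || json.Unmarshal(pt, &enc) != nil || string(enc.Nonce) != string(nonce) || enc.Server != server {
		return APReq{}, fmt.Errorf("AS-REP undecryptable or nonce/server mismatch")
	}
	auth := mustJSON(map[string]any{"cname": c.Name, "ctime": time.Now().Unix()})
	return APReq{Ticket: rep.Ticket, Authenticator: seal(enc.SessionKey, auth)}, nil
}
func ServerHandleAPReq(s *Peer, req APReq) (string, error) { // opens the ticket it issued, checks the authenticator
	var t Ticket
	pt, err := open(s.TicketKey, req.Ticket)
	if err != nil || json.Unmarshal(pt, &t) != nil || time.Now().Unix() > t.Expires {
		return "", fmt.Errorf("ticket not issued by this server, malformed or expired")
	}
	if _, err := open(t.SessionKey, req.Authenticator); err != nil {
		return "", fmt.Errorf("authenticator not under the ticket's session key")
	}
	return t.Client, nil
}
func RunExchange(client, server *Peer) (string, error) { // AS-REQ, AS-REP, AP-REQ end to end; returns the accepted name
	req, dh, nonce := ClientStart(client)
	rep, err := ServerHandleASReq(server, req)
	if err != nil { return "", err }
	ap, err := ClientFinish(client, server.Name, rep, dh, nonce)
	if err != nil { return "", err }
	return ServerHandleAPReq(server, ap)
}
func main() {
	a, b := NewPeer("alice@example.com"), NewPeer("host/bob.example.com") // constructed names
	Trust(a, b); Trust(b, a) // each side holds the other's key, as PKU2U assumes happens out of band
	fmt.Println(RunExchange(a, b))
}
```

Two consequences of "replace the KDC with the application server" show up directly in the code: the ticket key never leaves the server, so a ticket obtained from one peer is meaningless at any other, and the whole trust decision rests on each peer's own store, which is the operational burden a hierarchical KDC normally carries. The clock-skew and ticket-expiry checks are the minimum a server has to keep once it stops delegating them to a KDC.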

  5. Progress and Open issues
  • A draft is available now (to be submitted)
  • A working prototype is available
  • Works well with SPNEGO (RFC 4178), useful for application migration
  • Supports the following name forms
    • Kerberos Principal Name / User Principal Name
    • Host-based Service Name
  • Additional name forms may be needed

  6. PK-U2U as a TLS Mechanism
  • SPNEGO-TLS
  • Key exchange is SPNEGO/PKU2U
  • To be presented by Stefan Santesson in the TLS working group
  • Negotiation of GSS-API mechanisms handled by SPNEGO
  • New TLS cipher suites:
    TLS_SPNEGO_WITH_AES_128_CBC_SHA
    TLS_SPNEGO_WITH_AES_256_CBC_SHA