> With respect to communicating the mutual authentication state, a new TLV 
> token type is defined containing a 32-bit integer in network byte order, 
> which consists of req_flags as passed to GSS_Init_sec_context. These flags 
> are masked by, currently, GSS_C_MUTUAL_FLAG before encoding. Other flags may 
> be allowed in the future; at this stage we do not wish to reveal in plaintext 
> anything more than the mutual authentication state.

This token is sent in the last leg by the initiator. It is not marked critical; 
if the acceptor does not receive it, after verifying the initiator MIC, it 
should assume the client did not do mutual authentication.

I also prototyped an extension negotiation mechanism: at the start the 
initiator can send an extension token containing a set of types indicating the 
acceptor extensions it accepts; and the acceptor can do the converse. See below 
for a list of token types:

#define ITOK_TYPE_NONE                      0x00000000
#define ITOK_TYPE_CONTEXT_ERR               0x00000001 /* critical */
#define ITOK_TYPE_ACCEPTOR_NAME_REQ         0x00000002 /* TBD */
#define ITOK_TYPE_ACCEPTOR_NAME_RESP        0x00000003 /* TBD */
#define ITOK_TYPE_EAP_RESP                  0x00000004 /* critical, required, if not reauth */
#define ITOK_TYPE_EAP_REQ                   0x00000005 /* critical, required, if not reauth */
#define ITOK_TYPE_GSS_CHANNEL_BINDINGS      0x00000006 /* optional */
#define ITOK_TYPE_REAUTH_CREDS              0x00000007 /* optional */
#define ITOK_TYPE_REAUTH_REQ                0x00000008 /* optional */
#define ITOK_TYPE_REAUTH_RESP               0x00000009 /* optional */
#define ITOK_TYPE_GSS_FLAGS                 0x0000000A /* optional */
#define ITOK_TYPE_INITIATOR_MIC             0x0000000B /* required */
#define ITOK_TYPE_ACCEPTOR_MIC              0x0000000C /* required */
#define ITOK_TYPE_SUPPORTED_ACCEPTOR_EXTS   0x0000000D /* optional */
#define ITOK_TYPE_SUPPORTED_INITIATOR_EXTS  0x0000000E /* optional */

Again, this is mostly my private experimentation; it's not in the main Moonshot 
branch and I'm not advocating either way vis-à-vis ABFAB.

-- Luke
_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab

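The GSS_FLAGS token described in the message above, worked through as an added example; this is not Luke's code nor anything from the Moonshot or ABFAB code base. It assumes a TLV wire layout the post does not spell out (a 4-byte big-endian type field whose high bit marks the token critical, followed by a 4-byte big-endian length), and the function names are hypothetical. The GSS_C_* bit values are the ones RFC 2744 assigns; the ITOK_TYPE_* values are the ones from the post. The initiator masks req_flags with GSS_C_MUTUAL_FLAG before encoding, and the acceptor treats an absent (non-critical) token as "no mutual authentication", rejects a truncated list, and fails closed on a critical token it does not recognise.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* GSS-API req_flags bit values as assigned by RFC 2744. */
#define GSS_C_DELEG_FLAG    0x01u
#define GSS_C_MUTUAL_FLAG   0x02u
#define GSS_C_REPLAY_FLAG   0x04u
#define GSS_C_SEQUENCE_FLAG 0x08u
#define GSS_C_CONF_FLAG     0x10u
#define GSS_C_INTEG_FLAG    0x20u

/* Token types from the post. */
#define ITOK_TYPE_GSS_FLAGS     0x0000000Au
#define ITOK_TYPE_INITIATOR_MIC 0x0000000Bu

/* ASSUMPTION (not stated in the post): criticality is the high bit of the
 * 32-bit type field; type and length are 4 bytes each, network byte order. */
#define ITOK_FLAG_CRITICAL 0x80000000u
#define ITOK_TYPE_MASK     0x7FFFFFFFu

/* Only these req_flags are revealed in plaintext: "currently GSS_C_MUTUAL_FLAG". */
#define ITOK_GSS_FLAGS_REVEAL_MASK GSS_C_MUTUAL_FLAG

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Append one TLV at buf+off. Returns the new offset, or 0 if it does not fit. */
size_t itok_append(uint8_t *buf, size_t cap, size_t off, uint32_t type,
                   int critical, const uint8_t *val, uint32_t len) {
    if (cap < off || cap - off < 8u + len) return 0;
    put32(buf + off, (type & ITOK_TYPE_MASK) | (critical ? ITOK_FLAG_CRITICAL : 0u));
    put32(buf + off + 4, len);
    if (len) memcpy(buf + off + 8, val, len);
    return off + 8 + len;
}

/* Initiator side: emit the non-critical GSS_FLAGS token. Everything in
 * req_flags except the mutual bit is masked off before it goes on the wire. */
size_t itok_append_gss_flags(uint8_t *buf, size_t cap, size_t off, uint32_t req_flags) {
    uint8_t v[4];
    put32(v, req_flags & ITOK_GSS_FLAGS_REVEAL_MASK);
    return itok_append(buf, cap, off, ITOK_TYPE_GSS_FLAGS, 0, v, 4);
}

/* Acceptor side: scan the last-leg token list for GSS_FLAGS.
 * Returns 1 if the initiator asked for mutual auth, 0 if it did not (which
 * includes the token simply being absent, as the post prescribes), and -1 if
 * the list is malformed or carries a critical token we do not understand. */
int itok_mutual_state(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int mutual = 0;
    while (off < len) {
        uint32_t t, l;
        if (len - off < 8) return -1;              /* truncated header */
        t = get32(buf + off);
        l = get32(buf + off + 4);
        off += 8;
        if (l > len - off) return -1;              /* value runs past the buffer */
        switch (t & ITOK_TYPE_MASK) {
        case ITOK_TYPE_GSS_FLAGS:
            if (l != 4) return -1;                 /* must be exactly one 32-bit integer */
            /* Look only at the mutual bit, even if a peer sends extra bits. */
            mutual = (get32(buf + off) & GSS_C_MUTUAL_FLAG) != 0;
            break;
        case ITOK_TYPE_INITIATOR_MIC:
            break;                                 /* MIC verification is out of scope here */
        default:
            if (t & ITOK_FLAG_CRITICAL) return -1; /* unknown critical token: fail closed */
            break;                                 /* unknown non-critical token: skip */
        }
        off += l;
    }
    return mutual;
}
```

Encoding a request of GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_CONF_FLAG produces a value field of 0x00000002, so the replay and confidentiality requests never appear in cleartext; a token list that carries only the INITIATOR_MIC decodes as "no mutual authentication" rather than as an error.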