DataMuseum.dk

top - metrics - download

    Length: 435123 (0x6a3b3)
    Types: TextFile
    Names: »draft-ietf-cat-dass-00.ps«

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦this⟧ »./papers/IETF-drafts/draft-ietf-cat-dass-00.ps« 

TextFile

%!PS-Adobe-2.1
%%Creator: DECwrite V1.1
%%+Copyright (c) 1990 DIGITAL EQUIPMENT CORPORATION.  
%%+All Rights Reserved.
%%DocumentFonts: (atend)
%%EndComments
%%BeginProcSet DEC_WRITE 1.07
/DEC_WRITE_dict 150 dict def DEC_WRITE_dict begin/$D save def/$I 0 def/$S 0
def/$C matrix def/$R matrix def/$L matrix def/$E matrix def/pat1{/px exch
def/pa 8 array def 0 1 7{/py exch def/pw 4 string def 0 1 3{pw exch px py 1
getinterval putinterval}for pa py pw put}for}def/pat2{/pi exch def/cflag
exch def save cflag 1 eq{eoclip}{clip}ifelse newpath{clippath
pathbbox}stopped not{/ph exch def/pw exch def/py exch def/px exch def/px px
3072 div floor 3072 mul def/py py 3072 div floor 3072 mul def px py
translate/pw pw px sub 3072 div floor 1 add cvi def/ph ph py sub 3072 div
floor 1 add cvi def pw 3072 mul ph 3072 mul scale/pw pw 32 mul def/ph ph 32
mul def/px 0 def/py 0 def pw ph pi[pw 0 0 ph 0 0]{pa py get/px px 32 add
def px pw ge{/px 0 def/py py 1 add 8 mod def}if}pi type/booleantype
eq{imagemask}{image}ifelse}if restore}def/PS{/_op exch def/_np 8 string def
0 1 7{/_ii exch def/num _op _ii get def _np 7 _ii sub num -4 bitshift PX
num 15 and 4 bitshift -4 bitshift PX 4 bitshift or put}for _np}def/PX{[15 7
11 3 13 5 9 1 14 6 10 2 12 4 8 0]exch get}def/FR{0.7200 0 $E defaultmatrix
dtransform/yres exch def/xres exch def xres dup mul yres dup mul add
sqrt}def/SU{/_sf exch def/_sa exch def/_cs exch def/_mm $C currentmatrix
def/rm _sa $R rotate def/sm _cs dup $L scale def sm rm _mm _mm concatmatrix
_mm concatmatrix pop 1 0 _mm dtransform/y1 exch def/x1 exch def/_vl x1 dup
mul y1 dup mul add sqrt def/_fq FR _vl div def/_na y1 x1 atan def _mm 2 get
_mm 1 get mul _mm 0 get _mm 3 get mul sub 0 gt{{neg}/_sf load
concatprocs/_sf exch def}if _fq _na/_sf load setscreen}def/BO{/_yb exch
def/_xb exch def/_bv _bs _yb _bw mul _xb 8 idiv add get def/_mk 1 7 _xb 8
mod sub bitshift def _bv _mk and 0 ne $I 1 eq xor}def/BF{DEC_WRITE_dict
begin/_yy exch def/_xx exch def/_xi _xx 1 add 2 div _bp mul cvi def/_yi _yy
1 add 2 div _bp mul cvi def _xi _yi BO{/_nb _nb 1 add def 1}{/_fb _fb 1 add
def 0}ifelse end}def/setpattern{/_cz exch def/_bw exch def/_bp exch def/_bs
exch PS def/_nb 0 def/_fb 0 def _cz 0/BF load SU{}settransfer _fb _fb _nb
add div setgray/$S 1 def}def/invertpattern{$S 0 eq{{1 exch
sub}currenttransfer concatprocs settransfer}if}def/invertscreen{/$I 1
def/$S 0 def}def/revertscreen{/$I 0 def}def/setrect{/$h exch def/$w exch
def/$y exch def/$x exch def newpath $x $y moveto $w $x add $y lineto $w $x
add $h $y add lineto $x $h $y add lineto closepath}def/concatprocs{/_p2
exch cvlit def/_p1 exch cvlit def/_pn _p1 length _p2 length add array def
_pn 0 _p1 putinterval _pn _p1 length _p2 putinterval _pn
cvx}def/OF/findfont load def/findfont{dup DEC_WRITE_dict exch
known{DEC_WRITE_dict exch get}if DEC_WRITE_dict/OF get exec}def
mark/ISOLatin1Encoding 
8#000 1 8#001{StandardEncoding exch get}for /emdash/endash
8#004 1 8#025{StandardEncoding exch get}for /quotedblleft/quotedblright
8#030 1 8#054{StandardEncoding exch get}for /minus 8#056 1 8#217
{StandardEncoding exch get}for/dotlessi 8#301 1 8#317{StandardEncoding 
exch get}for/space/exclamdown/cent/sterling/currency/yen/brokenbar/section
/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered
/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph
/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter
/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde
/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave
/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde
/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn
/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla
/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis
/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave
/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis
256 array astore def cleartomark 
/encodefont{findfont dup maxlength dict begin{1 index/FID ne{def}{pop
pop}ifelse}forall/Encoding exch def dup/FontName exch def currentdict
definefont end}def/loads{/$/ISOLatin1Encoding load def/&/encodefont load
def/*/invertpattern load def/+/revertscreen load def/-/invertscreen load
def/:/concatprocs load def/^/setpattern load def/~/pat1 load def/_/pat2
load def/@/setrect load def/A/arcn load def/B/ashow load def/C/curveto load
def/D/def load def/E/eofill load def/F/findfont load def/G/setgray load
def/H/closepath load def/I/clip load def/J/fill load def/K/kshow load
def/L/lineto load def/M/moveto load def/N/newpath load def/O/rotate load
def/P/pop load def/R/grestore load def/S/gsave load def/T/translate load
def/U/sub load def/V/div load def/W/widthshow load def/X/exch load
def/Y/awidthshow load def/a/save load def/c/setlinecap load def/d/setdash
load def/e/restore load def/f/setfont load def/g/initclip load def/h/show
load def/i/setmiterlimit load def/j/setlinejoin load def/k/stroke load
def/l/rlineto load def/m/rmoveto load def/n/currentfont load
def/o/scalefont load def/p/currentpoint load def/q/setrgbcolor load
def/r/currenttransfer load def/s/scale load def/t/setmatrix load
def/u/settransfer load def/w/setlinewidth load def/x/matrix load
def/y/currentmatrix load def}def
end
%%EndProcSet
%%EndProlog

%%BeginSetup
DEC_WRITE_dict begin
loads
version cvi 23.0 gt {
currentdict {dup type /arraytype eq
{bind def} {pop pop} ifelse} forall} if
0.0100 0.0100 s

%%EndSetup
%%Page: 1 1
/$P a D
g N
0 79200 T
S
S
8504 -68794 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26458 -900 M
43224 -900 M
(Page ) h
(1) h
0 -2284 M
-8504 68794 T
R

R
S
38380 -3137 T
N
0 G
8034 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
964 -2350 M
( ) h
(Digital Equipment Corporation) h
10033 -4500 M
(October 1991) h
-38380 3137 T
R

S
8590 -12749 T
N
0 G
21124 -1350 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1800 o f
(DASS) h
6601 -4450 M
(Distributed Authentication Security Service) h
-8590 12749 T
R

S
8504 -22707 T
N
0 G
0 -1050 M
/Times-Bold-ISOLatin1 F 1400 o f
(DRAFT) h
0 -3553 M
(STATUS OF THIS MEMO) h
0 -5756 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
2.6 0 32 (This DRAFT document specifies the Services, Interfaces,
Operation,and Protocols of the DASS Authentication Serv\255) W
0 -6806 M
10.7 0 32 (ice. The DASS Authentication Service is used by applications
to strongly authenticate and establish shared keys with) W
0 -7856 M
(peer applications. Distribution of this memo is unlimited.) h
0 -10759 M
/Times-Bold-ISOLatin1 F 1400 o f
(Contents) h
0 -14462 M
709 -14462 M
n 0.857 o f
(1 ) h
4252 -14462 M
(Introduction) h
11000 -14462 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
......................................................................) h
46527 -14462 M
(3) h
0 -16565 M
4252 -16565 M
(1.1 ) h
7087 -16565 M
(What is DASS?) h
13750 -16565 M
(.......................................................................
...........................................................) h
46527 -16565 M
(3) h
0 -18418 M
4252 -18418 M
(1.2 ) h
7087 -18418 M
(Central Concepts) h
14250 -18418 M
(.......................................................................
.........................................................) h
46527 -18418 M
(4) h
0 -20271 M
4252 -20271 M
(1.3 ) h
7087 -20271 M
(What This Document Won't Tell You) h
22500 -20271 M
(.......................................................................
........................) h
46527 -20271 M
(8) h
0 -22124 M
4252 -22124 M
(1.4 ) h
7087 -22124 M
(T) h
(he Relationship between DASS and ISO Standards) h
28250 -22124 M
(......................................................................) h
46027 -22124 M
(11) h
0 -23977 M
4252 -23977 M
(1.5 ) h
7087 -23977 M
(An Authentication Walkthrough) h
20250 -23977 M
(.......................................................................
...............................) h
46027 -23977 M
(13) h
0 -25980 M
709 -25980 M
/Times-Bold-ISOLatin1 F 1200 o f
(2 ) h
4252 -25980 M
(Services Used) h
11500 -25980 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
..................................................................) h
46027 -25980 M
(17) h
0 -28083 M
4252 -28083 M
(2.1 ) h
7087 -28083 M
(Time Service) h
12750 -28083 M
(.......................................................................
.............................................................) h
46027 -28083 M
(17) h
0 -29936 M
4252 -29936 M
(2.2 ) h
7087 -29936 M
(Random Numbers) h
14500 -29936 M
(.......................................................................
......................................................) h
46027 -29936 M
(17) h
0 -31789 M
4252 -31789 M
(2.3 ) h
7087 -31789 M
(Naming Service) h
13750 -31789 M
(.......................................................................
.........................................................) h
46027 -31789 M
(18) h
0 -33792 M
709 -33792 M
/Times-Bold-ISOLatin1 F 1200 o f
(3 ) h
4252 -33792 M
(Services Provided) h
13750 -33792 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
.........................................................) h
46027 -33792 M
(25) h
0 -35895 M
4252 -35895 M
(3.1 ) h
7087 -35895 M
(Certificate Contents) h
15250 -35895 M
(.......................................................................
...................................................) h
46027 -35895 M
(25) h
0 -37748 M
4252 -37748 M
(3.2 ) h
7087 -37748 M
(Encrypted Private Key Structure) h
20250 -37748 M
(.......................................................................
...............................) h
46027 -37748 M
(27) h
0 -39601 M
4252 -39601 M
(3.3 ) h
7087 -39601 M
(Authentication Tokens) h
16500 -39601 M
(.......................................................................
..............................................) h
46027 -39601 M
(27) h
0 -41454 M
4252 -41454 M
(3.4 ) h
7087 -41454 M
(Credentials) h
11750 -41454 M
(.......................................................................
.................................................................) h
46027 -41454 M
(28) h
0 -43307 M
4252 -43307 M
(3.5 ) h
7087 -43307 M
(CA State) h
11000 -43307 M
(.......................................................................
....................................................................) h
46027 -43307 M
(31) h
-8504 22707 T
R

S
8469 -3137 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Network Working Group) h
0 -2400 M
(Internet Draft ) h
( ) h
0 -3784 M
-8469 3137 T
R

showpage
$P e

%%Page: 2 2
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24824 -900 M
(DASS) h
39768 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -68756 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26458 -900 M
43236 -900 M
(Page ) h
(2) h
0 -2284 M
-8642 68756 T
R

R
S
8502 -8501 T
N
0 G
0 -750 M
4252 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(3.6 ) h
7087 -750 M
(Data types used in the routines) h
19500 -750 M
(.......................................................................
..................................) h
46031 -750 M
(32) h
0 -2550 M
4252 -2550 M
(3.7 ) h
7087 -2550 M
(Error conditions) h
13750 -2550 M
(.......................................................................
.........................................................) h
46031 -2550 M
(33) h
0 -4350 M
4252 -4350 M
(3.8 ) h
7087 -4350 M
(Certificate Maintenance Functions) h
21250 -4350 M
(.......................................................................
...........................) h
46031 -4350 M
(33) h
0 -6150 M
4252 -6150 M
(3.9 ) h
7087 -6150 M
(Credential Maintenance Functions) h
21000 -6150 M
(.......................................................................
............................) h
46031 -6150 M
(37) h
0 -7950 M
4252 -7950 M
(3.10 ) h
7087 -7950 M
(Authentication Procedures) h
18000 -7950 M
(.......................................................................
........................................) h
46031 -7950 M
(42) h
0 -9750 M
4252 -9750 M
(3.11 ) h
7087 -9750 M
(DASSlessness Determination Functions) h
23250 -9750 M
(.......................................................................
...................) h
46031 -9750 M
(57) h
0 -11700 M
709 -11700 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(4 ) h
4252 -11700 M
(Certificate and message formats) h
21000 -11700 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
............................) h
46031 -11700 M
(59) h
0 -13750 M
4252 -13750 M
(4.1 ) h
7087 -13750 M
(ASN.1 encoding) h
14000 -13750 M
(.......................................................................
........................................................) h
46031 -13750 M
(59) h
0 -15550 M
4252 -15550 M
(4.2 ) h
7087 -15550 M
(Encoding Rules) h
13750 -15550 M
(.......................................................................
.........................................................) h
46031 -15550 M
(65) h
0 -17350 M
4252 -17350 M
(4.3 ) h
7087 -17350 M
(Version numbers and forward compatibility) h
24750 -17350 M
(.......................................................................
.............) h
46031 -17350 M
(65) h
0 -19150 M
4252 -19150 M
(4.4 ) h
7087 -19150 M
(Cryptographic Encoding) h
17250 -19150 M
(.......................................................................
...........................................) h
46031 -19150 M
(66) h
0 -21100 M
720 -21100 M
/Times-Bold-ISOLatin1 F 1200 o f
(Annex A ) h
5920 -21100 M
(Typical Usage) h
13500 -21100 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
..........................................................) h
46031 -21100 M
(69) h
0 -23150 M
4252 -23150 M
(A.1 ) h
7087 -23150 M
(Creating a CA) h
13000 -23150 M
(.......................................................................
............................................................) h
46031 -23150 M
(69) h
0 -24950 M
4252 -24950 M
(A.2 ) h
7087 -24950 M
(Creating a User Principal) h
17500 -24950 M
(.......................................................................
..........................................) h
46031 -24950 M
(69) h
0 -26750 M
4252 -26750 M
(A.3 ) h
7087 -26750 M
(Creating a Server Principal) h
18250 -26750 M
(.......................................................................
.......................................) h
46031 -26750 M
(70) h
0 -28550 M
4252 -28550 M
(A.4 ) h
7087 -28550 M
(Booting a Server Principal) h
18000 -28550 M
(.......................................................................
........................................) h
46031 -28550 M
(70) h
0 -30350 M
4252 -30350 M
(A.5 ) h
7087 -30350 M
(A user logs on to the network) h
19250 -30350 M
(.......................................................................
...................................) h
46031 -30350 M
(70) h
0 -32150 M
4252 -32150 M
(A.6 ) h
7087 -32150 M
(An Rlogin \(TCP/IP\) connection is made) h
23500 -32150 M
(.......................................................................
..................) h
46031 -32150 M
(71) h
0 -33950 M
4252 -33950 M
(A.7 ) h
7087 -33950 M
(A Transport\255Independent Connection) h
22250 -33950 M
(.......................................................................
.......................) h
46031 -33950 M
(71) h
0 -35900 M
720 -35900 M
/Times-Bold-ISOLatin1 F 1200 o f
(Annex B ) h
5854 -35900 M
(Support of the GSSAPI) h
18000 -35900 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
........................................) h
46031 -35900 M
(72) h
0 -37950 M
4252 -37950 M
(B.1 ) h
7087 -37950 M
(Summary of GSSAPI) h
16000 -37950 M
(.......................................................................
................................................) h
46031 -37950 M
(72) h
0 -39750 M
4252 -39750 M
(B.2 ) h
7087 -39750 M
(Implementation of GSSAPI over DASS) h
23250 -39750 M
(.......................................................................
...................) h
46031 -39750 M
(73) h
0 -41550 M
4252 -41550 M
(B.3 ) h
7087 -41550 M
(Syntax) h
10000 -41550 M
(.......................................................................
........................................................................) h
46031 -41550 M
(75) h
0 -43500 M
720 -43500 M
/Times-Bold-ISOLatin1 F 1200 o f
(Annex C ) h
5920 -43500 M
(Imported ASN.1 definitions) h
20250 -43500 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
...............................) h
46031 -43500 M
(78) h
0 -45850 M
720 -45850 M
/Times-Bold-ISOLatin1 F 1400 o f
(Glossary) h
6409 -45850 M
6750 -45850 M
/Times-Roman-ISOLatin1 F 1000 o f
(.......................................................................
........................................................................
.............) h
46031 -45850 M
(81) h
0 -49450 M
/Times-Bold-ISOLatin1 F 1400 o f
(Figures) h
0 -51550 M
709 -51550 M
/Times-Roman-ISOLatin1 F 1000 o f
(Figure 1 \255 ) h
5303 -51550 M
(Authentication Exchange Overview) h
19750 -51550 M
(.......................................................................
.................................) h
46031 -51550 M
(16) h
-8502 8501 T
R

showpage
$P e

%%Page: 3 3
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(3) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -1200 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1600 o f
(1 ) h
1417 -1200 M
(Introduction) h
0 -4179 M
n 0.875 o f
(1.1 ) h
2126 -4179 M
(What is DASS?) h
0 -6808 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
107.3 0 32 (Authentication is a security service. The goal of
authentication is to reliably learn the name of the originator of a) W
0 -7858 M
59.8 0 32 (message or request. The classic way by which people
authenticate to computers \(and by which computers authenti\255) W
0 -8908 M
127.8 0 32 (cate to one another\) is by supplying a password.  There
are a number of problems with existing password based) W
0 -9958 M
114.6 0 32 (schemes which DASS attempts to solve.  The goal of DASS is
to provide authentication services in a distributed) W
0 -11008 M
46.5 0 32 (environment which are both more secure \(more difficult for
a bad guy to impersonate a good guy\) and easier to use) W
0 -12058 M
(than existing mechanisms.) h
0 -14237 M
52.7 0 32 (In a distributed environment, authentication is particularly
challenging.  Users do not simply log on to one machine) W
0 -15287 M
123.6 0 32 (and use resources there.  Users start processes on one
machine which may request services on another.  In some) W
0 -16337 M
121.9 0 32 (cases, the second system must request services from ) W
121.9 0 32 (a ) W
121.9 0 32 (third system on behalf of the user.  Further, given current) W
0 -17387 M
80.6 0 32 (network technology, it is fairly easy to eavesdrop on
conversations between computers and pick up any passwords) W
0 -18437 M
(that might be going by.) h
0 -20616 M
23.2 0 32 (DASS uses cryptographic mechanisms to provide "strong,
mutual" authentication.  Mutual authentication means that) W
0 -21666 M
105.5 0 32 (the two parties communicating each reliably learn the name
of the other.  Strong authentication means that in the) W
0 -22716 M
86.6 0 32 (exchange neither obtains any information that it could use
to impersonate the other to a third party.  This can't be) W
0 -23766 M
65.3 0 32 (done with passwords alone.  Mutual authentication can be
done with passwords by having a "sign" and a "counter\255) W
0 -24816 M
123.7 0 32 (sign" which the two parties must utter to assure one
another of their identities.  But whichever party speaks first) W
0 -25866 M
87.6 0 32 (reveals information which can be used by the second
\(unauthenticated\) party to impersonate it.  Longer sequences) W
0 -26916 M
3.6 0 32 (\(often seen in spy movies\) cannot solve the problem in
general.  Further, anyone who can eavesdrop on the conversa\255) W
0 -27966 M
4.2 0 32 (tion can impersonate either party in a subsequent
conversation \(unless passwords are only good once\).  Cryptography) W
0 -29016 M
(provides a means whereby one can prove knowledge of a secret without
revealing it.) h
0 -31195 M
92.0 0 32 (People cannot execute cryptographic algorithms in their
heads, and thus cannot strongly authenticate to computers) W
0 -32245 M
29.6 0 32 (directly.  DASS lays the groundwork for "smart cards":
microcomputers sealed in credit cards which when activated) W
0 -33295 M
110.3 0 32 (by a PIN will strongly authenticate to a computer.  Until
smart cards are available, the first link from a user to a) W
0 -34345 M
11.1 0 32 (DASS node remains vulnerable to eavesdropping.  DASS
mechanisms are constructed so that after the initial authen\255) W
0 -35395 M
(tication, smart card or password based authentication looks the same.) h
0 -37574 M
76.8 0 32 (Today,  systems are constructed to think of user identities
in terms of accounts on individual computers.  If I have) W
0 -38624 M
17.3 0 32 (accounts on ten machines, there is no way a priori to see
that those ten accounts all belong to the same individual.  If) W
0 -39674 M
10.3 0 32 (I want to be able to access a resource through any of the
ten machines, I must tell the resource about all ten accounts. ) W
0 -40724 M
(I must also tell the resource when I get an eleventh account.) h
0 -42903 M
92.1 0 32 (DASS supports the concept of global identity and network
login.  A user is assigned a name from a global name\255) W
0 -43953 M
4.5 0 32 (space and that name will be recognized by any node in the
network.  \(In some cases, a resource may be configured as) W
0 -45003 M
107.6 0 32 (accessible only by a particular user acting through a
particular node.  That is an access control decision, and it is) W
0 -46053 M
73.0 0 32 (supported by DASS, but the user is still known by his global
identity\).  From a practical point of view, this means) W
0 -47103 M
27.1 0 32 (that a user can have a single password \(or smart card\)
which can be used on all systems which allow him access and) W
0 -48153 M
147.8 0 32 (access control mechanisms can conveniently give access to a
user through any computer the user happens to be) W
0 -49203 M
75.4 0 32 (logged into.  Because a single user secret is good on all
systems, it should never be necessary for a user to enter a) W
0 -50253 M
26.8 0 32 (password other than at initial login.  Because cryptographic
mechanisms are used, the password should never appear) W
0 -51303 M
(on the network beyond the initial login node.) h
0 -53482 M
32.4 0 32 (DASS was designed as a component of the Distributed System
Security Architecture \(DSSA\) \(see "The Digital Dis\255) W
0 -54532 M
106.7 0 32 (tributed System Security Architecture" by M. Gasser, A.
Goldstein, C. Kaufman, and B. Lampson, 1989 National) W
0 -55582 M
75.5 0 32 (Computer Security Conference\).  It is a goal of DSSA that
access control on all systems be based on users' global) W
0 -56632 M
31.4 0 32 (names and the concept of "accounts" on computers eventually
be replaced with unnamed rights to execute processes) W
0 -57682 M
52.4 0 32 (on those computers.  Until this happens, computers will
continue to support the concept of "local accounts" and ac\255) W
-8503 8502 T
R

showpage
$P e

%%Page: 4 4
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(4) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
17.1 0 32 (cess controls on resources on those systems will still be
based on those accounts.  There is today within the Berkeley) W
0 -1800 M
122.0 0 32 (rtools running over the Internet Protocol suite ) W
122.0 0 32 (the concept of a ".rhosts database" which gives access to
local ac\255) W
0 -2850 M
40.7 0 32 (counts from remote accounts.  We envision that those
databases will be extended to support granting access to local) W
0 -3900 M
66.3 0 32 (accounts based on DASS global names as a bridge between the
past and the future.  DASS should greatly simplify) W
0 -4950 M
20.8 0 32 (the administration of those databases for the \(presumably
common\) case where a user should be granted access to an) W
0 -6000 M
(account ignoring his choice of intermediate systems.) h
0 -8403 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(1.2 ) h
2126 -8403 M
(Central Concepts) h
0 -11106 M
n 0.857 o f
(1.2.1 ) h
2834 -11106 M
(Strong Authentication with Public Keys) h
0 -13309 M
/Times-Roman-ISOLatin1 F 1000 o f
55.9 0 32 (DASS makes heavy use of the RSA Public Key cryptosystem. 
The important properties of the RSA algorithms for) W
0 -14359 M
(purposes of this discussion are:) h
709 -16462 M
/Symbol F 1000 o f
(-) h
2154 -16462 M
/Times-Roman-ISOLatin1 F 1000 o f
2.9 0 32 (It supports the creation of a public/private key pair, where
operations with one key of the pair reverse the opera\255) W
2154 -17512 M
(tions of the other, but it is computationally infeasible to derive the
private key from the public key.) h
709 -19615 M
/Symbol F 1000 o f
(-) h
2154 -19615 M
/Times-Roman-ISOLatin1 F 1000 o f
113.3 0 32 (It supports the "signing" of a message with the private
key, after which anyone knowing the public key can) W
2154 -20665 M
22.3 0 32 ("verify" the signature and know that it was constructed with
knowledge of the private key and that the message) W
2154 -21715 M
(was not subsequently altered.) h
709 -23818 M
/Symbol F 1000 o f
(-) h
2154 -23818 M
/Times-Roman-ISOLatin1 F 1000 o f
129.7 0 32 (It supports the "enciphering" of a message by anyone
knowing the public key such that only someone with) W
2154 -24868 M
(knowledge of the private key can recover the message.) h
0 -26971 M
64.7 0 32 (With access to the RSA algorithms, it is easy to see how one
could construct a "strong" authentication mechanism. ) W
0 -28021 M
1.8 0 32 (Each "principal" \(user or computer\) would construct a
public/private key pair, publish the public key, and keep secret) W
0 -29071 M
88.5 0 32 (the private key.  To authenticate to you, I would write a
message, sign it with my private key, and send it to you. ) W
0 -30121 M
40.0 0 32 (You would verify the message using my public key and know
the message came from me.  If mutual authentication) W
0 -31171 M
17.3 0 32 (were desired, you could create an acknowledgment and sign it
with your private key; I could verify it with your pub\255) W
0 -32221 M
(lic key and I would know you received my message.) h
0 -34324 M
60.0 0 32 (The authentication algorithms used by DASS are considerably
more complex than those described in the paragraph) W
0 -35374 M
28.5 0 32 (above in order to deal with a large number of practical
concerns including subtle security threats.  Some of these are) W
0 -36424 M
(discussed below.) h
0 -38677 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.2.2 ) h
2834 -38677 M
(Timestamps vs. Challenge/Response) h
0 -40880 M
/Times-Roman-ISOLatin1 F 1000 o f
23.9 0 32 (Cryptosystems give you the ability to sign messages so that
the receiver has assurance that the signer of the message) W
0 -41930 M
102.5 0 32 (knew some cryptographic secret.  Free\255standing public
key based authentication is sufficiently expensive that it is) W
0 -42980 M
68.4 0 32 (unlikely that anyone would want to sign every message of an
interactive communication, and even if they did they) W
0 -44030 M
18.5 0 32 (would still face the threat of someone rearranging the
messages or playing them multiple times.  Authentication gen\255) W
0 -45080 M
17.1 0 32 (erally takes place in the context of establishing some sort
of "connection," where a conversation will ensue under the) W
0 -46130 M
0.7 0 32 (auspices of the single peer\255entity authentication.  This
connection might be cryptographically protected against modi\255) W
0 -47180 M
91.0 0 32 (fication or reordering of the messages, but any such
protection would be largely independent of the authentication) W
0 -48230 M
89.5 0 32 (which occurred at the start of the connection.  DASS
provides as a side effect of authentication the provision of a) W
0 -49280 M
(shared key which may be used for this purpose.) h
0 -51383 M
43.0 0 32 (If in our simple minded authentication above, I signed the
message "It's really me!" with my private key and sent it) W
0 -52433 M
75.5 0 32 (to you, you could verify the signature and know the message
came from me and give the connection in which this) W
0 -53483 M
44.9 0 32 (message arrived access to my resources.  Anyone watching
this message over the network, however, could replay it) W
0 -54533 M
91.4 0 32 (to any server \(just like a password!\) and impersonate me. 
It is important that the message I send you only be ac\255) W
0 -55583 M
99.8 0 32 (cepted by you and only once.  I can prevent the message from
being useful at any other server by including your) W
0 -56633 M
17.4 0 32 (name in the message.  You will only accept the message if
you see your name in it.  Keeping you from accepting the) W
0 -57683 M
(message twice is harder.) h
-8503 8502 T
R

showpage
$P e

%%Page: 5 5
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(5) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
29.4 0 32 (There are two "standard" ways of providing this replay
protection.  One is called challenge/response and the other is) W
0 -1800 M
15.8 0 32 (called timestamp\255based.  In a challenge response type
scheme, I tell you I want to authenticate, you generate a "chal\255) W
0 -2850 M
36.3 0 32 (lenge" \(generally a number\), and I include the challenge
in the message I sign.  You will only accept a message if it) W
0 -3900 M
94.9 0 32 (contains the recently generated challenge and you will make
sure you never issue the same challenge to me twice) W
0 -4950 M
29.8 0 32 (\(either by using a sequence number, a timestamp, or a
random number big enough that the probability of a duplicate) W
0 -6000 M
49.4 0 32 (is negligible\).  In the timestamp\255based scheme, I
include the current time in my message.  You have a rule that you) W
0 -7050 M
72.5 0 32 (will not accept messages more than \255 say \255 five
minutes old and you keep track of all messages you've seen in the) W
0 -8100 M
29.7 0 32 (last five minutes.  If someone replays the message within
five minutes, you will reject it because you will remember) W
0 -9150 M
(you've seen it before; if someone replays it after five minutes, you
will reject it as timed out.) h
0 -11337 M
28.7 0 32 (The disadvantage of the challenge/response based scheme is
that it requires extra messages.  While one\255way authen\255) W
0 -12387 M
79.1 0 32 (tication could otherwise be done with a single message and
mutual authentication with one message in each direc\255) W
0 -13437 M
(tion, the challenge/response scheme always requires at least three messages.) h
0 -15624 M
120.0 0 32 (The disadvantage of the timestamp\255based scheme is that
it requires secure synchronized time.  If our clocks drift) W
0 -16674 M
19.0 0 32 (apart by more than five minutes, you will reject all of my
attempts to authenticate.  If a network time service spoofer) W
0 -17724 M
3.6 0 32 (can convince you to turn back your clock and then
subsequently replays an expired message, you will accept it again. ) W
0 -18774 M
11.9 0 32 (The multicast nature of existing distributed time services
and the likelihood of detection make this an unlikely threat,) W
0 -19824 M
111.6 0 32 (but it must be considered in any analysis of the security
of the scheme.  The timestamp scheme also requires the) W
0 -20874 M
92.7 0 32 (server to keep state about all messages seen in the clock
skew interval.  To be secure, this must be kept on stable) W
0 -21924 M
(storage \(unless rebooting takes longer than the permitted clock skew
interval\).) h
0 -24111 M
54.2 0 32 (DASS uses the timestamp\255based scheme.  The primary
motivations behind this decision were so that authentication) W
0 -25161 M
16.4 0 32 (messages could be "piggybacked" on existing connection
establishment messages) W
16.4 0 32 ( ) W
16.4 0 32 (and so that DASS would fit within) W
0 -26211 M
(the same "form factor" \(number and direction of messages\) as Kerberos.) h
0 -28548 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.2.3 ) h
2834 -28548 M
(Delegation) h
0 -30835 M
/Times-Roman-ISOLatin1 F 1000 o f
28.1 0 32 (In a distributed environment, authentication alone is not
enough.  When I log onto a computer, not only do I want to) W
0 -31885 M
41.5 0 32 (prove my identity to that computer, I want to use that
computer to access network resources \(e.g. file systems, data\255) W
0 -32935 M
60.0 0 32 (base systems\) on my behalf.  My files should \(normally\)
be protected so that I can access them through any node I) W
0 -33985 M
83.5 0 32 (log in through.  DASS allows them to be so protected without
allowing all of the systems that I might ever use ) W
83.5 0 32 (to) W
0 -35035 M
32.0 0 32 (access ) W
32.0 0 32 (those files in my absence.  In the process of logging in, my
password gives my login node access to my RSA) W
0 -36085 M
25.4 0 32 (secret.  It can use that secret to "impersonate" me on any
requests it makes on my behalf.  It should forget all secrets) W
0 -37135 M
54.7 0 32 (associated with me when I log off.  This limits the trust
placed in computer systems.  If someone takes control of a) W
0 -38185 M
(computer, they can impersonate all people who use that computer after
it is taken over but no others.) h
0 -40372 M
30.8 0 32 (Normally when I access a network service, I want to strongly
authenticate to it.  That is, I want to prove my identity) W
0 -41422 M
54.6 0 32 (to that service, but I don't want to allow that service to
learn anything that would allow it to impersonate me.  This) W
0 -42472 M
58.6 0 32 (allows me to use a service without trusting it for more than
the service it is delivering.  When using some services,) W
0 -43522 M
29.7 0 32 (for example remote login services, I may want that service
to act on my behalf in calling additional services.  DASS) W
0 -44572 M
(provides a mechanism whereby I can pass secrets to such services that
allow them to impersonate me.) h
0 -46759 M
24.8 0 32 (Future versions of this architecture may a) W
24.8 0 32 (llow "limited delegation" so that a user may delegate to a
server only those) W
0 -47809 M
43.9 0 32 (rights the server needs to carry out the user's wishes.  This version ) W
43.9 0 32 ( ) W
43.9 0 32 (can limit delegation only in terms of time.  The) W
0 -48859 M
14.4 0 32 (information a user gives a server \(other than the initial
login node\) can be used to impersonate the user but only for a) W
0 -49909 M
(limited period of time.  Smart cards will permit that time limitation
to apply to the initial login node as well.) h
0 -52246 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.2.4 ) h
2834 -52246 M
(Certification Authorities) h
0 -54533 M
/Times-Roman-ISOLatin1 F 1000 o f
102.9 0 32 (A flaw in the strong authentication mechanism described
above is that it assumes that every "principal" \(user and) W
0 -55583 M
46.0 0 32 (node\) knows the public key of every other principal it
wants to authenticate.  If I can fool a server into thinking my) W
0 -56633 M
7.0 0 32 (public key is actually your public key, I can impersonate you
by signing a message, saying it is from you, and having) W
0 -57683 M
(the server verify the message with what it thinks is your public key.) h
-8503 8502 T
R

showpage
$P e

%%Page: 6 6
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(6) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
83.9 0 32 (To avoid the need to securely install the public key of
every principal in the database of every other principal, the) W
0 -1800 M
20.5 0 32 (concept of a "Certification Authority" was invented.  A
certification authority is a principal trusted to act as an intro\255) W
0 -2850 M
7.9 0 32 (duction service.  Each principal goes to the certification
authority, presents its public key, and proves it has a particu\255) W
0 -3900 M
8.1 0 32 (lar name \(the exact mechanisms for this vary with the type
of principal and the level of security to be provided\).  The) W
0 -4950 M
17.7 0 32 (CA then creates a "certificate" which is a message
containing the name and public key of the principal, an expiration) W
0 -6000 M
95.7 0 32 (date, and bookkeeping information signed by the CA's private
key.  All "subscribers" to a particular CA can then) W
0 -7050 M
0.8 0 32 (authenticated to one another by presenting their certificates
and proving knowledge of the corresponding secret.  CAs) W
0 -8100 M
66.6 0 32 (need only act when new principals are being named and new
private keys created, so that can be maintained under) W
0 -9150 M
(tight physical security.) h
0 -11243 M
(The two problems with the scheme as described so far are "revocation"
and "scaleability".) h
0 -13411 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(1.2.4.1 ) h
3300 -13411 M
(Certificate Revocation) h
0 -15579 M
/Times-Roman-ISOLatin1 F 1000 o f
110.2 0 32 (Revocation is the process of announcing that a key has \(or
may have\) fallen into the wrong hands and should no) W
0 -16629 M
79.3 0 32 (longer be accepted as proof of some particular identity. 
With certificates as described above, someone who learns) W
0 -17679 M
11.1 0 32 (your secret and your certificate can impersonate you
indefinitely \255 even after you have learned of the compromise.  It) W
0 -18729 M
24.7 0 32 (lacks the ability corresponding to changing your password. 
DASS supports two independent mechanisms for revok\255) W
0 -19779 M
(ing certificates.) h
( In the future, a third may be added.) h
0 -21872 M
100.6 0 32 ( One method for revocation is using timeouts and renewals
of certificates.  Part of the signed message which is a) W
0 -22922 M
0.7 0 32 (certificate may be a time after which the certificate should
not be believed.  Periodically, the CA would renew certifi\255) W
0 -23972 M
100.4 0 32 (cates by signing one with a later timeout.  If a key were
compromised, a new key would be generated and a new) W
0 -25022 M
125.6 0 32 (certificate signed.  The old certificate would only be
valid until its timeout.  Timeouts are not perfect revocation) W
0 -26072 M
68.3 0 32 (mechanisms because they provide only slow revocation
\(timeouts are typically measured in months for the load on) W
0 -27122 M
20.8 0 32 (the CA and communication with users to be kept manageable\)
and they depend on servers having an accurate source) W
0 -28172 M
(of the current time.  Someone who can trick a server into turning back
its clock can use expired certificates.) h
0 -30265 M
120.4 0 32 (The second method is by listing all non\255revoked
certificates in the naming service and believing only certificates) W
0 -31315 M
37.9 0 32 (found there.  The advantage of this method is that it is
almost immediate \(the only delay is for name service "skulk\255) W
0 -32365 M
65.4 0 32 (ing" and caching delays\).  The disadvantages are: \(1\) the
availability of authentication is only as good as the avail\255) W
0 -33415 M
(ability of the naming service and \(2\) the security of revocation is
only as good as the security of the naming service.) h
0 -35508 M
2.1 0 32 (A third method for revocation \255 not) W
2.1 0 32 ( currently) W
2.1 0 32 ( supported by DASS \255 is for certification authorities to
periodically issue) W
0 -36558 M
("revocation lists" which list certificates which should no longer be accepted.) h
0 -38726 M
/Times-Bold-ISOLatin1 F 1100 o f
(1.2.4.2 ) h
3300 -38726 M
(Certification Authority Hierarchy) h
0 -40894 M
/Times-Roman-ISOLatin1 F 1000 o f
58.1 0 32 (While using a certification authority as an introduction
service scales much better than having every principal learn) W
0 -41944 M
6.5 0 32 (the public key of every other principal by some out of band
means, it has the problem that it creates a central point of) W
0 -42994 M
120.1 0 32 (trust.  The certification authority can impersonate any
principal by inventing a new key and creating a certificate) W
0 -44044 M
82.5 0 32 (stating that the new key represents the principal.  In a
large organization, there may be no individual who is suffi\255) W
0 -45094 M
61.5 0 32 (ciently trusted to operate the CA.  Even if there were, in a
large organization it would be impractical to have every) W
0 -46144 M
41.2 0 32 (individual authenticate to that single person.  Replicating
the CA solves the availability problem but makes the trust) W
0 -47194 M
28.3 0 32 (problem worse.  When authentication is to be used in a
global context \255 between companies \255 the concept of a single) W
0 -48244 M
(CA is untenable.) h
0 -50337 M
0.5 0 32 (DASS addresses this problem by creating a hierarchy of CAs. 
The CA hierarchy is tied to the naming hierarchy.  For) W
0 -51387 M
18.6 0 32 (each directory in the namespace, there is a single CA
responsible for certifying the public keys of its members.  That) W
0 -52437 M
59.6 0 32 (CA will also certify the public keys of the CAs of all child
directories and of the CA of the parent directory.  With) W
0 -53487 M
36.1 0 32 (this cross\255certification, it is possible knowing the
public key of any CA to verify the public keys of a series of inter\255) W
0 -54537 M
(mediate CAs and finally to verify the public key of any principal.) h
0 -56630 M
7.6 0 32 (Because the CA hierarchy is tied to the naming hierarchy, the
trust placed in any individual CA is limited.  If a CA is) W
0 -57680 M
16.9 0 32 (compromised, it can impersonate any of the principals listed
in its directory, but it cannot impersonate arbitrary prin\255) W
-8503 8502 T
R

showpage
$P e

%%Page: 7 7
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(7) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
15.2 0 32 (qcipals.  DASS provides mechanisms for every principal to
know the public key of its "parent" CA \255 the CA control\255) W
0 -1800 M
(ling the directory in which it is named.  The result is the following
rules for the implications of a compromised CA:) h
709 -4067 M
(a\)) h
2154 -4067 M
(A CA can impersonate any principal named in its directory.) h
709 -6334 M
(b\)) h
2154 -6334 M
(A CA can impersonate any principal to a server named in its directory.) h
709 -8601 M
(c\)) h
2154 -8601 M
(A CA can impersonate any principal named in a subdirectory to any
server not named in the same subdirectory.) h
709 -10868 M
(d\)) h
2154 -10868 M
(A CA can impersonate to any server in a subdirectory any principal not
named in the same subdirectory.) h
0 -13135 M
124.6 0 32 (The implication is that a compromise low in the naming tree
will compromise all principals below that directory) W
0 -14185 M
88.4 0 32 (while a compromise high in the naming tree will compromise
only the authentication of principals far apart in the) W
0 -15235 M
70.2 0 32 (naming hierarchy.  In particular, when multiple
organizations share a namespace \(as they do in the case of X.500\),) W
0 -16285 M
(the compromise of a CA in one organization can not result in false
authentication within another organization.) h
0 -18552 M
57.7 0 32 (DASS uses the X.500 directory hierarchy for principal
naming.  At the top of the hierarchy are names of countries. ) W
0 -19602 M
43.3 0 32 (National authorities are not expected to establish
certification authorities \(at least initially\), so an alternative mecha\255) W
0 -20652 M
20.6 0 32 (nism must be used to authenticate entities "distant" in the
naming hierarchy.  The mechanism for this in DASS is the) W
0 -21702 M
48.6 0 32 ("cross\255certificate" where a CA certifies the public key
for some CA or principal not its parent or child.  By limiting) W
0 -22752 M
24.8 0 32 (the chains of certificates they will use to parent
certificates followed by a single "cross certificate" followed by child) W
0 -23802 M
86.6 0 32 (certificates, a DASS implementation ) W
86.6 0 32 (can avoid the need to have CAs near the root of the tree or
can avoid the re\255) W
0 -24852 M
7.1 0 32 (quirement to trust them even if they do exist.  A special
case can also be supported whereby a global authority whose) W
0 -25902 M
(name is not the root can certify the local roots of independent "islands".) h
0 -28319 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.2.5 ) h
2834 -28319 M
(User vs. Node Authentication) h
0 -30686 M
/Times-Roman-ISOLatin1 F 1000 o f
32.1 0 32 (In concept, DASS mechanisms support the mutual
authentication of two principals regardless of whether those prin\255) W
0 -31736 M
31.8 0 32 (cipals are people, computers, or applications.  Those
mechanisms have been extended, however, to deal with a com\255) W
0 -32786 M
110.4 0 32 (mon case of a pair of principals acting together \(a user
and a node\) authenticating to a single principal \(a remote) W
0 -33836 M
28.4 0 32 (server\).  This is done by having optionally in each
credentials structure two sets of secrets \255 one for the user and one) W
0 -34886 M
15.2 0 32 (for the node.  When authentication is done using such
credentials, both secrets sign the request so the receiving party) W
0 -35936 M
(can verify that both principals are present.) h
0 -38203 M
73.3 0 32 (This setup has a number of advantages.  It permits access
controls to be enforced based on both the identity of the) W
0 -39253 M
58.4 0 32 (user ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
58.4 0 32 (and) W
/Times-Roman-ISOLatin1 F 1000 o f
58.4 0 32 ( the identity of the originating node.  It also makes it
possible to define users of systems who have no net\255) W
0 -40303 M
3.5 0 32 (work wide identities who can access network resources on the
basis of node credentials alone.  The security of such a) W
0 -41353 M
38.0 0 32 (setup is less because a node can impersonate all of its
users even when they are not logged in, but it offers an easier) W
0 -42403 M
38.1 0 32 (transition from existing ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
38.1 0 32 (.rhosts) W
/Times-Roman-ISOLatin1 F 1000 o f
38.1 0 32 ( based mechanisms because it does not require creation of
global identities for all us\255) W
0 -43453 M
(ers.) h
0 -45870 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.2.6 ) h
2834 -45870 M
(Protection of User Keys) h
0 -48237 M
/Times-Roman-ISOLatin1 F 1000 o f
6.3 0 32 (DASS mechanisms generally deal with authentication between
principals each knowing a private key.  For principals) W
0 -49287 M
5.0 0 32 (who are people, special mechanisms are provided for
maintaining that private key.  In particular, it many cases it will) W
0 -50337 M
118.1 0 32 (be most convenient to keep passwords as secrets rather than
private keys.  This architecture specifies a means of) W
0 -51387 M
19.6 0 32 (storing private keys encrypted under passwords.  This would
provide security as good as hiding a private key were it) W
0 -52437 M
16.4 0 32 (not that people tend to choose passwords from a small space
\(like words in a dictionary\) such that a password can be) W
0 -53487 M
88.6 0 32 (more easily guessed than a private key.  To address this
potential weakness, DASS specifies a protocol between a) W
0 -54537 M
33.3 0 32 (login node and a login agent whereby the login agent can
audit and limit the rate of password guesses.  Use of these) W
0 -55587 M
35.0 0 32 (features is optional.  A user with a smart card could store
a private key directly and bypass all of these mechanisms. ) W
0 -56637 M
108.0 0 32 (If users can be forced to choose "good" passwords, the
login agent could be eliminated and encrypted credentials) W
0 -57687 M
(could be stored directly in the naming service.) h
-8503 8502 T
R

showpage
$P e

%%Page: 8 8
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(8) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
65.1 0 32 (Another way in which user keys are protected is that the
architecture does not require that they be available except) W
0 -1800 M
58.9 0 32 (briefly at login.  This reduces the threat of a user walking
away from a logged on workstation and having someone) W
0 -2850 M
94.5 0 32 (take over the workstation and extract his key.  It also
makes the use of RSA based smart cards practical; the card) W
0 -3900 M
(could keep the user's private key and execute one signature operation
at login time to authenticate an entire session.) h
0 -6302 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(1.3 ) h
2126 -6302 M
(What This Document Won't Tell You) h
0 -8854 M
/Times-Roman-ISOLatin1 F 1000 o f
32.9 0 32 (Architecture documents are by their nature difficult to
read. This one is no exception. The reason is that an architec\255) W
0 -9904 M
52.6 0 32 (ture document contains the details sufficient to build
interoperable implementations, but it is not a design specifica\255) W
0 -10954 M
34.1 0 32 (tion. It goes out of its way to leave out any details which
an implementation could choose without affecting interop\255) W
0 -12004 M
16.9 0 32 (erability. It also does not specify all the uses of the
services provided because these services are properly regarded as) W
0 -13054 M
(general purpose tools.) h
0 -15156 M
59.7 0 32 (T) W
59.7 0 32 (he remainder of this section includes information which is
not properly part of the authentication architecture, but) W
0 -16206 M
(which may be useful in understanding why the architecture is the way it is.) h
0 -18458 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.1 ) h
2834 -18458 M
(How DASS is Embedded in an Operating System) h
0 -20660 M
/Times-Roman-ISOLatin1 F 1000 o f
131.3 0 32 (While architecturally DASS does not require any operating
system support in order to be used by an application) W
0 -21710 M
5.9 0 32 (\(other than the services listed in Section 2\), it is
expected that actual implementations of DASS will be closely tied to) W
0 -22760 M
(the operating systems of host computers.  This is done both for
security and for convenience.) h
0 -24862 M
4.0 0 32 (In particular, it is expected that when a user logs into a
node, a set of credentials will be created for that user and then) W
0 -25912 M
0.5 0 32 (associated by the operating system with all processes
initiated by or on behalf of the user.  When a user delegates to a) W
0 -26962 M
99.4 0 32 (service, the remote operating system is expected to accept
the delegation and start up the remote process with the) W
0 -28012 M
43.2 0 32 (delegated credentials.  Most nodes are expected to have
credentials of their own and support the concept of user ac\255) W
0 -29062 M
119.1 0 32 (counts.  When user credentials are created, the node is
expected to verify them in its own context, determine the) W
0 -30112 M
(appropriate user account, and add node credentials to the created
credentials set.) h
0 -32364 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.2 ) h
2834 -32364 M
(Forms of Credentials) h
0 -34566 M
/Times-Roman-ISOLatin1 F 1000 o f
52.6 0 32 (In the DASS architecture, there is a single data structure
called "Credentials" with a large number of optional parts. ) W
0 -35616 M
65.3 0 32 (In an implementation, it is possible that not all of the
architecturally allowed subsets will be supported and creden\255) W
0 -36666 M
(tials structures with different subsets of the data may be implemented
quite differently.) h
0 -38768 M
(The major categories of credentials likely to be supported in an
implementation are:) h
709 -40870 M
/Symbol F 1000 o f
(-) h
2154 -40870 M
/Times-Bold-ISOLatin1 F 1000 o f
110.9 0 32 (Claimant credentials) W
/Times-Roman-ISOLatin1 F 1000 o f
110.9 0 32 ( \255 these are the credentials which would normally be
associated with a user process in) W
2154 -41920 M
37.7 0 32 (order that it be able to create authentication tokens.  It
would contain the user's name, login ticket, session pri\255) W
2154 -42970 M
(vate key, and \(at least logically\) local node credentials and cached
outgoing contexts.) h
709 -45072 M
/Symbol F 1000 o f
(-) h
2154 -45072 M
/Times-Bold-ISOLatin1 F 1000 o f
62.4 0 32 (Verifier credentials \255) W
/Times-Roman-ISOLatin1 F 1000 o f
62.4 0 32 ( these are the credentials which would normally be
associated with a server which must) W
2154 -46122 M
81.5 0 32 (verify tokens and produce mutual authentication response
tokens.  Since servers may be started by a node on) W
2154 -47172 M
10.2 0 32 (demand, some representation of verifier credentials must
exist independent of a process.  If an operating system) W
2154 -48222 M
49.2 0 32 (wishes to authenticate a request before starting a server
process, the credentials must exist in usable form.  An) W
2154 -49272 M
121.8 0 32 (implementation may choose to have all services on a "node"
share a verifier credentials structure, or it may) W
2154 -50322 M
(choose to have each service have its own.) h
709 -52424 M
/Symbol F 1000 o f
(-) h
2154 -52424 M
/Times-Bold-ISOLatin1 F 1000 o f
73.9 0 32 (Combined credentials ) W
/Times-Roman-ISOLatin1 F 1000 o f
73.9 0 32 (\255 architecturally, a server may have a structure which is
both claimant credentials and) W
2154 -53474 M
78.8 0 32 (verifier credentials combined so that the server may act in
either role using a single structure.  There is some) W
2154 -54524 M
(overlap in the contents.  There is no requirement, however, that an
implementation support such a structure.) h
709 -56626 M
/Symbol F 1000 o f
(-) h
2154 -56626 M
/Times-Bold-ISOLatin1 F 1000 o f
49.4 0 32 (Stub credentials ) W
/Times-Roman-ISOLatin1 F 1000 o f
49.4 0 32 (\255 In the architecture, a credentials structure is created
whenever a token is accepted.  If dele\255) W
2154 -57676 M
83.1 0 32 (gation took place, these are ) W
/Times-Bold-ISOLatin1 F 1000 o f
83.1 0 32 (claimant credentials) W
/Times-Roman-ISOLatin1 F 1000 o f
83.1 0 32 ( usable by their possessor to create additional tokens.  If no) W
-8503 8502 T
R

showpage
$P e

%%Page: 9 9
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
43237 -900 M
(Page ) h
(9) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
136.6 0 32 (delegation took place, this structure exists as an
architectural place holder against which an implementation) W
2154 -1800 M
95.0 0 32 (may attempt to authenticate user and node names.  An
implementation might choose to implement ) W
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
95.0 0 32 (stub cre\255) W
2154 -2850 M
83.1 0 32 (dentials) W
/Times-Roman-ISOLatin1 F 1000 o f
83.1 0 32 ( with a different mechanism than claimant or verifier
credentials.  In particular, it might do whatever) W
2154 -3900 M
(user and node authentication is useful itself and not support this
structure at all.) h
0 -6262 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.3 ) h
2834 -6262 M
(Support for Alternative Certification Authority Implementations) h
0 -8574 M
/Times-Roman-ISOLatin1 F 1000 o f
31.3 0 32 (A motivating factor in much of the design of DASS is the
need to protect certification authorities from compromise.) W
0 -9624 M
45.6 0 32 (CAs are only used to create certificates for new principals
and to renew them on expiration \(expiration intervals are) W
0 -10674 M
99.2 0 32 (likely to be measured in months\). They therefore do not
need to be highly available. For maximum security, CAs) W
0 -11724 M
62.2 0 32 (could be implemented on ) W
62.2 0 32 (standalone ) W
62.2 0 32 (PC) W
62.2 0 32 (s ) W
62.2 0 32 (where the hardware, software, and keys can be locked in a
safe when the) W
0 -12774 M
72.0 0 32 (CA is not in use. The certificates the CA generates must be
delivered to the naming service to be registered, and a) W
0 -13824 M
18.5 0 32 (possible mechanism for this is for the CA to have an RS232
line to an on\255line component which can pass certificates) W
0 -14874 M
19.3 0 32 (and related information but not login sessions. The intent
would be to make it implausible to mount a network attack) W
0 -15924 M
(against the CA.) h
( Alternatively, certificates could be carried to the network on a floppy disk.) h
0 -18136 M
17.2 0 32 (For CAs to be secure, a whole host of design details must be
done right. The most important of these is the design of) W
0 -19186 M
74.6 0 32 (user and system manager interfaces that make it difficult to
"trick" a user or system manager into doing the wrong) W
0 -20236 M
8.9 0 32 (thing and certifying an impostor or revealing a key.
Mechanisms for generating keys must also be carefully protected) W
0 -21286 M
129.5 0 32 (to assure that the generated key cannot be guessed
\(because of lack of randomness\) and is not recorded where a) W
0 -22336 M
13.5 0 32 (penetrator can get it. Because a certificate contains
relatively little human intelligible information \(it) W
13.5 0 32 (s ) W
13.5 0 32 (most important) W
0 -23386 M
11.8 0 32 (components are UIDs and public keys\), it will be a
challenge to design a user interface that assures the human opera\255) W
0 -24436 M
59.8 0 32 (tor only authorizes the signing of intented certificates.
Such considerations are beyond the scope of the architecture) W
0 -25486 M
108.8 0 32 (\(since they do not affect interoperability\), but they did
affect the design in subtle ways.  In particular, it does not) W
0 -26536 M
35.6 0 32 (assume uniform security throughout the CA hierarchy and is
designed to assure that the compromise of a CA in one) W
0 -27586 M
(part of the hierarchy does not have global implications.) h
0 -29798 M
25.8 0 32 (The architecture does not require that CAs be off\255line. ) W
25.8 0 32 (The CA could be software that can run on any node when the) W
0 -30848 M
25.0 0 32 (proper secret is installed.  Administrative convenience can
be gained by integrating the CA with account registration) W
0 -31898 M
38.0 0 32 (utilities and naming service maintenance. ) W
38.0 0 32 (As such, the CA would have to be on\255line when in use in
order to register) W
0 -32948 M
72.8 0 32 (certificates in the naming service.  The CA key ) W
72.8 0 32 (could ) W
72.8 0 32 (be unlocked with a password and the password ) W
72.8 0 32 (could ) W
72.8 0 32 (be en\255) W
0 -33998 M
29.6 0 32 (tered on each use both to authenticate the CA operator and
to assure that compromise of the host node while the CA) W
0 -35048 M
2.8 0 32 (is not in use will not compromise the CA.  This design w) W
2.8 0 32 (ould ) W
2.8 0 32 (be subject to attacks based on planting Trojan horses in) W
0 -36098 M
43.1 0 32 (the CA software) W
43.1 0 32 (, but ) W
43.1 0 32 (is entirely interoperable with a more secure implementation) W
43.1 0 32 (.  Realistic tradeoffs must be made) W
0 -37148 M
20.7 0 32 (between security, cost, and administrative convenience
bearing in mind that a system is only as secure as its weakest) W
0 -38198 M
(link and that there is no benefit in making the CA substantially more
secure than the other components of the system.) h
0 -40560 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.4 ) h
2834 -40560 M
(Services Provided vs. Application Program Interface) h
0 -42872 M
/Times-Roman-ISOLatin1 F 1000 o f
23.1 0 32 (Section 3 of this document specifies "abstract interfaces"
to the services provided by DASS. This means it tells what) W
0 -43922 M
66.6 0 32 (services are provided, what parameters are supplied by the
caller, and what data is returned. It does not specify the) W
0 -44972 M
26.8 0 32 (calling interfaces. Calling interfaces may be platform,
operating system, and language dependent. They do not affect) W
0 -46022 M
41.3 0 32 (interoperability; different implementations which implement
completely different calling interfaces can still interop\255) W
0 -47072 M
65.1 0 32 (erate over a network. They do, however, affect portability.
A program which runs on one platform can only run on) W
0 -48122 M
(another which implements an identical API.) h
0 -50334 M
23.0 0 32 (In order to support portability of applications \255 not
just between implementations of DASS but between implementa\255) W
0 -51384 M
77.2 0 32 (tions of DASS and implementations of Kerberos \255 a
"Generic Security Service API" has been designed and is ) W
77.2 0 32 (out\255) W
0 -52434 M
35.0 0 32 (lined in Annex B. This API ) W
35.0 0 32 (could be the only "published" interface to DASS services.
This interface does not, how\255) W
0 -53484 M
70.6 0 32 (ever, give access to all the functions provided by DASS and
it provides some non\255DASS services. It does not give) W
0 -54534 M
17.6 0 32 (access to the "login" service, for example, so the login
function cannot be implemented in a portable way. Clearly an) W
0 -55584 M
105.9 0 32 (implementation must provide some implementation of the
login function, though perhaps only to one system pro\255) W
0 -56634 M
0.6 0 32 (gram and the implementation need not be portable. Similarly,
the Generic API provides no access to ) W
0.6 0 32 (node authentica\255) W
0 -57684 M
(tion information,) h
( so applications which use these services may not be portable.) h
-8503 8502 T
R

showpage
$P e

%%Page: 10 10
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(10) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
45.0 0 32 (The Generic API provides services for encryption of user
data for integrity and possibly privacy. These services are) W
0 -1800 M
16.7 0 32 (not specified as a part of the DASS architecture. This is
because we envisioned that such services would be provided) W
0 -2850 M
111.9 0 32 (by the communications network and not in applications.
These services are provided by the Generic API because) W
0 -3900 M
14.7 0 32 (these services are provided by Kerberos, there exist
applications which use these services, and they are desired in the) W
0 -4950 M
90.9 0 32 (context of the IETF\255CAT work. The DASS architecture) W
90.9 0 32 ( include) W
90.9 0 32 (s) W
90.9 0 32 ( a Key Distribution service so that the encryption) W
0 -6000 M
65.6 0 32 (functions of the Generic API can be supported and
integrated. Annex B specifies how those services can be imple\255) W
0 -7050 M
(mented using DASS services.) h
0 -9117 M
10.5 0 32 (The Services Provided also differ from the ) W
10.5 0 32 (GSSAPI ) W
10.5 0 32 (because there are important extensions envisioned to the API for) W
0 -10167 M
110.2 0 32 (future applications and it was important to assure that
architecturally those services were available.  In particular,) W
0 -11217 M
61.9 0 32 (DASS provides the ability for a principal to have multiple
aliases and for the receiver of an authentication token to) W
0 -12267 M
39.8 0 32 (verify any one of them.  We want DASS to support the case
where a server only learns the name it is trying to vali\255) W
0 -13317 M
69.4 0 32 (date in the course of evaluating an ACL.  This may be long
after a connection is accepted.  The Services Provided) W
0 -14367 M
24.9 0 32 (section therefore separates the Accept_token function from
the Verify Principal Name.  The other motivation behind) W
0 -15417 M
91.7 0 32 (a different interface is that DASS provides node
authentication \255 the ability to authenticate the node from which a) W
0 -16467 M
11.4 0 32 (request originates as well as the user.  Because Kerberos
provides no such mechanism, the capability is missing from) W
0 -17517 M
(the GSSAPI, but we expect some applications will ) h
(want to ) h
(make use of it.) h
0 -19734 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.5 ) h
2834 -19734 M
(Use of a Naming Service) h
0 -21901 M
/Times-Roman-ISOLatin1 F 1000 o f
68.5 0 32 (With the exception of the syntactical representation of
names, which is tied to X.500, the DASS architecture is de\255) W
0 -22951 M
149.3 0 32 (signed to be independent of the particular underlying
naming service.  While the intention is that certificates be) W
0 -24001 M
45.4 0 32 (stored in an X.500 naming service in the fields
architecturally reserved for this purpose in the standard, this specifi\255) W
0 -25051 M
87.1 0 32 (cation allows for the possibility of different forms of
certificate stores.  The SPX implementation of DASS imple\255) W
0 -26101 M
0.6 0 32 (ments its own certificate distribution service because) W
0.6 0 32 ( we did not want to introduce a dependency on an X.500 naming) W
0 -27151 M
(service.) h
0 -29368 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.6 ) h
2834 -29368 M
(Key Hiding \255 Credentials) h
0 -31535 M
/Times-Roman-ISOLatin1 F 1000 o f
22.7 0 32 (The abstract interfaces described in section 3 specify that
"credentials" and "keys" are the inputs and outputs of vari\255) W
0 -32585 M
77.0 0 32 (ous routines.  Credentials structures in particular contain
secret information which should not be made available to) W
0 -33635 M
38.5 0 32 (the calling application.  In most cases, keeping this
information from applications is simply a matter of prudence \255 a) W
0 -34685 M
56.2 0 32 (misbehaving application can do nearly as much damage using
the credentials as it can by using the secrets directly. ) W
0 -35735 M
91.2 0 32 (Having access to the keys themselves may allow an
application to bypass auditing or leak a key to an accomplice) W
0 -36785 M
87.4 0 32 (who can use it on another node where a large amount of
activity is less likely to be noticed.  In some cases, most) W
0 -37835 M
62.5 0 32 (dramatically where a "node key" is present in user
credentials, it is vital that the contents of the credentials be kept) W
0 -38885 M
(out of the hands of applications.) h
0 -40952 M
140.7 0 32 (To accomplish this, a concrete interface is expected to
create "credentials handles" that are passed in and out of) W
0 -42002 M
136.0 0 32 (DASS routines.  The credentials themselves would be kept in
some portion of memory where unprivileged code) W
0 -43052 M
(can't get at them.) h
0 -45119 M
36.7 0 32 (There is another aspect of the way credentials are used
which is important to the design of real implementations.  In) W
0 -46169 M
76.6 0 32 (normal use, a user will create a set of credentials in the
process of logging on to a system and then use them from) W
0 -47219 M
27.1 0 32 (many processes or jobs.  When many processes share a set of
credentials, it is important for the sake of performance) W
0 -48269 M
102.6 0 32 (that they share one set of credentials rather than having a
copy of the credentials made for each.  This is because) W
0 -49319 M
42.5 0 32 (information is cached in credentials as a side effect of
some requests and for good performance those caches should) W
0 -50369 M
(be shared.) h
0 -52436 M
85.4 0 32 (As an example, consider a) W
85.4 0 32 ( ) W
85.4 0 32 (system executing a series of copy commands moving files from
one system to another. ) W
0 -53486 M
27.1 0 32 (The credentials of the user will have been established when
the user logged on.  The first time a copy is requested, a) W
0 -54536 M
25.5 0 32 (new process will start up, open a connection to the
destination system, and create a token to authenticate itself.  Cre\255) W
0 -55586 M
104.5 0 32 (ating that token will be an expensive operation, but
information will be computed and "cached" in the credentials) W
0 -56636 M
22.8 0 32 (structure which will allow any subsequent tokens on behalf
of that user to that server to be computed cheaply.  After) W
0 -57686 M
63.5 0 32 (the copy completes, the connection is closed and the process
terminates.  In response to a second copy request, an\255) W
-8503 8502 T
R

showpage
$P e

%%Page: 11 11
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(11) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
56.3 0 32 (other new process will be created and a new token computed. 
For this operation to get a performance benefit from) W
0 -1800 M
(the caching, the information computed by the first process must
somehow make it to the second.) h
0 -3998 M
39.7 0 32 (A model for how this caching might work can be seen in the
way Kerberos caches credentials.  Kerberos keeps cre\255) W
0 -5048 M
37.5 0 32 (dentials in a file whose name can be computed from the name
of the local user.  This file is initialized as part of the) W
0 -6098 M
69.3 0 32 (login process and its protection is set so that only
processes running under the UID of the user may read and write) W
0 -7148 M
(the file.  Processes cache information there; all processes running on
behalf of the user share the file.) h
0 -9346 M
58.8 0 32 (There are two problems with this scheme: first, on a
diskless node putting information in a file exposes it to eaves\255) W
0 -10396 M
70.2 0 32 (droppers on the network; second, it does not accomplish the
"key hiding" function described earlier in this section. ) W
0 -11446 M
23.3 0 32 (In a more secure implementation, the kernel or a privileged
process would ) W
23.3 0 32 (manage some "pool" of credentials for all) W
0 -12496 M
66.4 0 32 (processes on a node and w) W
66.4 0 32 (ould ) W
66.4 0 32 (grant access to them only through the DASS calls. 
Credentials structures are com\255) W
0 -13546 M
83.8 0 32 (plex and varying length; DASS may organize them as a set of
pools rather than as contiguous blocks of data.  All) W
0 -14596 M
(such design issues are "beyond the scope of the architecture".) h
0 -16794 M
35.0 0 32 (Implementations must decide how to control access to
credentials.  They could copy the Kerberos scheme of having) W
0 -17844 M
59.5 0 32 (credentials available to processes with the UID of the login
session which created them and to privileged processes) W
0 -18894 M
32.6 0 32 (or there may be a more elaborate mechanism for "passing"
credentials handles from process to process.  This design) W
0 -19944 M
(should probably follow the operating system mechanisms for passing
around local privileges.) h
0 -22292 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.3.7 ) h
2834 -22292 M
(Key Hiding \255 Contexts) h
0 -24590 M
/Times-Roman-ISOLatin1 F 1000 o f
30.6 0 32 (The ") W
30.6 0 32 (GSSA) W
30.6 0 32 (PI" has a concept of a security context which has some of
the same key hiding problems as a credentials) W
0 -25640 M
64.4 0 32 (structure.  Security contexts are used in calls to
cryptographically protect user data \(from modification or from dis\255) W
0 -26690 M
81.2 0 32 (closure and modification\) using keys established during
authentication.  The "services provided" specification says) W
0 -27740 M
49.0 0 32 (that create_ and accept_token return a "shared key" and
"instance identifier".  The G) W
49.0 0 32 (SSA) W
49.0 0 32 (PI says that a context han\255) W
0 -28790 M
25.5 0 32 (dle is returned which is an integer.  A secure
implementation would keep the key and instance identifier in protected) W
0 -29840 M
(memory and only allow access to them through provided interfaces.) h
0 -32038 M
99.8 0 32 (Unlike credentials, there is probably no need to provide
mechanisms for contexts to be shared between processes. ) W
0 -33088 M
48.4 0 32 (Contexts will normally be associated with some notion of a
communications "connection" and ends of a connection) W
0 -34138 M
90.9 0 32 (are not normally shared.  I) W
90.9 0 32 (f ) W
90.9 0 32 (an implementation chooses to provide additional services to
applications like message) W
0 -35188 M
88.9 0 32 (sequencing or duplicate detection, contexts will have to
contain additional fields.  These can be created and main\255) W
0 -36238 M
(tained without any additional authentication services.) h
0 -38736 M
/Times-Bold-ISOLatin1 F 1400 o f
(1.4 ) h
2126 -38736 M
(T) h
(he Relationship between DASS and ISO Standards) h
0 -41384 M
/Times-Roman-ISOLatin1 F 1000 o f
244.5 0 32 (This section provides an introduction to DASS
authentication in terms of the ISO Authentication Framework) W
0 -42434 M
92.5 0 32 (\(DP10181\2552\).   The purpose of this introduction is to
give the reader an intuitive understanding of the way DASS) W
0 -43484 M
3.7 0 32 (works and how its mechanisms and terminology relate to
standards.  Important details have been omitted here but are) W
0 -44534 M
(spelled out in section 3.  ) h
0 -46882 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.4.1 ) h
2834 -46882 M
(Concepts) h
0 -49180 M
/Times-Roman-ISOLatin1 F 1000 o f
5.4 0 32 (The primary goal of authentication is to prevent
impersonation, that is, the pretense to a false identity. Authentication) W
0 -50230 M
197.0 0 32 (always involves identification in some form. Without
authentication, anyone could claim to be whomever they) W
0 -51280 M
(wished and get away with it. ) h
0 -53478 M
98.9 0 32 (If it didn't matter with whom one was communicating,
elaborate procedures for authentication would be unneces\255) W
0 -54528 M
37.5 0 32 (sary. However, in most systems, and in timesharing and
distributed processing environments in particular, the rights) W
0 -55578 M
58.4 0 32 (of individuals are often circumscribed by security policy.
In particular, authorization \(identity based access control\)) W
0 -56628 M
34.4 0 32 (and accountability \(audit\) provisions could be
circumvented if masquerading attempts were impossible to prevent or) W
0 -57678 M
(detect.) h
-8503 8502 T
R

showpage
$P e

%%Page: 12 12
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(12) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
117.6 0 32 (Almost all practical authentication mechanisms suitable for
use in distributed environments rely on knowledge of) W
0 -1800 M
238.6 0 32 (some secret information. Most differences lie in how one
presents evidence that they know the secret. Some) W
0 -2850 M
56.2 0 32 (schemes, in particular the familiar simple use of passwords,
are quite susceptible to attack. Generally, the threats to) W
0 -3900 M
(authentication may be classified as:) h
709 -5985 M
/Symbol F 1000 o f
(-) h
2154 -5985 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
(forgery, ) h
/Times-Roman-ISOLatin1 F 1000 o f
(attempting to guess or otherwise fabricate evidence;) h
709 -8070 M
/Symbol F 1000 o f
(-) h
2154 -8070 M
/Times-Bold-ISOLatin1 F 1000 o f
162.3 0 32 (replay, ) W
/Times-Roman-ISOLatin1 F 1000 o f
162.3 0 32 (where one can eavesdrop upon another's authentication
exchange and learn enough to impersonate) W
2154 -9120 M
(them; and) h
709 -11205 M
/Symbol F 1000 o f
(-) h
2154 -11205 M
/Times-Bold-ISOLatin1 F 1000 o f
104.7 0 32 (interception, ) W
/Times-Roman-ISOLatin1 F 1000 o f
104.7 0 32 (where one slips between the communicants and is able to
modify the communications channel) W
2154 -12255 M
(unnoticed.) h
0 -14340 M
41.4 0 32 (Most such attacks can be countered by using what is known as
strong authentication. Strong authentication refers to) W
0 -15390 M
20.7 0 32 (techniques that permit one to provide evidence that they
know a particular secret without revealing even a hint about) W
0 -16440 M
5.3 0 32 (the secret. Thus neither the entity to whom one is
authenticating, nor an eavesdropper on the conversation can further) W
0 -17490 M
134.5 0 32 (their ability to impersonate the authenticating principal
at some future time as the result of an authentication ex\255) W
0 -18540 M
(change. ) h
0 -20625 M
167.5 0 32 (Strong authentication mechanisms, in particular those used
here, rely on cryptographic techniques. In particular,) W
0 -21675 M
143.6 0 32 (DASS uses public key cryptography. Note that interception
attacks cannot be countered by strong authentication) W
0 -22725 M
23.1 0 32 (alone, but generally need additional security mechanisms to
secure the communication channel, such as data encryp\255) W
0 -23775 M
(tion.) h
0 -26010 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.4.2 ) h
2834 -26010 M
(Principals and Their Roles) h
0 -28195 M
/Times-Roman-ISOLatin1 F 1000 o f
(All authentication is on behalf of principals. In DASS the following
types of principals are recognized:) h
709 -30280 M
/Symbol F 1000 o f
(-) h
2154 -30280 M
/Times-Bold-ISOLatin1 F 1000 o f
40.2 0 32 (user principals) W
/Times-Roman-ISOLatin1 F 1000 o f
40.2 0 32 (, normally people with accounts who are responsible for
performing particular tasks. Generally) W
2154 -31330 M
39.0 0 32 (it is users that are authorized to do things by virtue of
having been granted access rights, or who are to be held) W
2154 -32380 M
(accountable for specific actions subject to being audited.) h
709 -34465 M
/Symbol F 1000 o f
(-) h
2154 -34465 M
/Times-Bold-ISOLatin1 F 1000 o f
(server principals) h
/Times-Roman-ISOLatin1 F 1000 o f
(, which are accessed by users.) h
709 -36550 M
/Symbol F 1000 o f
(-) h
2154 -36550 M
/Times-Bold-ISOLatin1 F 1000 o f
81.1 0 32 (node principals, ) W
/Times-Roman-ISOLatin1 F 1000 o f
81.1 0 32 (corresponding to locations where users and servers, or more
accurately, processes acting on) W
2154 -37600 M
(behalf of principals can reside.) h
0 -39685 M
(Principals can act in one of two capacities:) h
709 -41770 M
/Symbol F 1000 o f
(-) h
2154 -41770 M
/Times-Roman-ISOLatin1 F 1000 o f
(the ) h
/Times-Bold-ISOLatin1 F 1000 o f
(claimant ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is the active entity seeking to authenticate itself, and) h
709 -43855 M
/Symbol F 1000 o f
(-) h
2154 -43855 M
/Times-Roman-ISOLatin1 F 1000 o f
(the ) h
/Times-Bold-ISOLatin1 F 1000 o f
(verifier ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is the passive entity to whom the claimant is authenticating.) h
0 -45940 M
78.7 0 32 (Users normally are claimants, whereas servers are usually
verifiers, although sometimes servers can also be claim\255) W
0 -46990 M
(ants.) h
0 -49075 M
(There is another kind of principal:) h
709 -51160 M
/Symbol F 1000 o f
(-) h
2154 -51160 M
/Times-Bold-ISOLatin1 F 1000 o f
(certification authorities ) h
/Times-Roman-ISOLatin1 F 1000 o f
( \(CA's\) issue certificates which attest to another principal's public key.) h
0 -53395 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.4.3 ) h
2834 -53395 M
(Representation, Delegation and Representation Transfer) h
0 -55580 M
/Times-Roman-ISOLatin1 F 1000 o f
0.6 0 32 (Of course, although it is users that are responsible for what
the computer does, human beings are physically unable to) W
0 -56630 M
114.2 0 32 (directly do anything within a computer system. In point of
fact, it is a ) W
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
114.2 0 32 (process) W
/Times-Roman-ISOLatin1 F 1000 o f
114.2 0 32 ( executing on behalf of a user that) W
0 -57680 M
23.5 0 32 (actually performs useful work. From the point of view of
performing security controlled functions, the process is the) W
-8503 8502 T
R

showpage
$P e

%%Page: 13 13
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(13) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
19.8 0 32 (agent, or representative, of the user, and is authorized by
that user to do things on his behalf. In the terms used in the) W
0 -1800 M
(ISO Authentication Framework, the user is said to have a ) h
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
(representation ) h
/Times-Roman-ISOLatin1 F 1000 o f
(in the process.) h
0 -3983 M
46.6 0 32 (The representation has to come into existence somehow. ) W
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
46.6 0 32 (Delegation ) W
/Times-Roman-ISOLatin1 F 1000 o f
46.6 0 32 (refers to the act of creating a representation. A) W
0 -5033 M
65.2 0 32 (user is said to create a representation for themselves by
delegating to a process. If the user creates another process,) W
0 -6083 M
68.8 0 32 (say by doing an rlogin on a different computer, a
representation may be needed there as well. This may be accom\255) W
0 -7133 M
87.3 0 32 (plished automatically by a process known as ) W
/Times-Italic-ISOLatin1 F 1000 o f
87.3 0 32 (representation transfer. ) W
/Times-Roman-ISOLatin1 F 1000 o f
87.3 0 32 (DASS uses the term delegation to also mean) W
0 -8183 M
(the act of creating additional representations on a remote systems.) h
0 -10366 M
74.0 0 32 (A representation is instantiated in DASS as ) W
/Times-Bold-ISOLatin1 F 1000 o f
74.0 0 32 (credentials. ) W
/Times-Roman-ISOLatin1 F 1000 o f
74.0 0 32 (Credentials include the identity of the principal as well as) W
0 -11416 M
64.2 0 32 (the cryptographic "state" needed to engage in strong
authentication procedures. Claimant information in credentials) W
0 -12466 M
4.8 0 32 (enable principals to authenticate themselves to others,
whereas verifier information in credentials permit principals to) W
0 -13516 M
39.5 0 32 (verify the claims of others.  Credentials intended primarily
for use by a claimant will be referred to as ) W
/Times-Italic-ISOLatin1 F 1000 o f
39.5 0 32 (claimant cre\255) W
0 -14566 M
4.9 0 32 (dentials) W
/Times-Roman-ISOLatin1 F 1000 o f
4.9 0 32 ( in the text which follows.  Credentials intended primarily
for use in verification will be referred to as ) W
/Times-Italic-ISOLatin1 F 1000 o f
4.9 0 32 (verifier) W
0 -15616 M
27.0 0 32 (credentials) W
/Times-Roman-ISOLatin1 F 1000 o f
27.0 0 32 (.  A particular set of credentials may or may not contain
all of the data necessary to be used in both roles. ) W
0 -16666 M
(That will depend on the mechanisms by which the credentials were created.) h
0 -18849 M
110.2 0 32 (In some contexts, but not here, the concept of
representation and/or delegation is sometimes referred to as proxy.) W
0 -19899 M
13.0 0 32 (This term is used in ECMA TR/46.  We avoid use of the term
because of possible confusion with an unrelated use of) W
0 -20949 M
(the term in the context of DECnet.) h
0 -23282 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.4.4 ) h
2834 -23282 M
(Key Distribution, Replay, Mutual Authentication and Trust) h
0 -25565 M
/Times-Roman-ISOLatin1 F 1000 o f
20.4 0 32 (Strong authentication uses cryptographic techniques. The
particular mechanisms used in DASS result in the distribu\255) W
0 -26615 M
43.1 0 32 (tion of cryptographic keys as a side effect. These keys are
suitable for use for providing a data origin authentication) W
0 -27665 M
(service and/or a data confidentiality service between a pair of
authenticated principals.) h
0 -29848 M
134.9 0 32 (Replay detection is provided using timestamps on relevant
authentication messages, combined with remembering) W
0 -30898 M
1.6 0 32 (previously accepted messages until they become "stale". This
is in contrast to other techniques, such as challenge and) W
0 -31948 M
(response exchanges.) h
0 -34131 M
77.0 0 32 (Authentication can be one\255way or ) W
/Times-Bold-ISOLatin1 F 1000 o f
77.0 0 32 (mutual. ) W
/Times-Roman-ISOLatin1 F 1000 o f
77.0 0 32 (One\255way authentication is when only one party, in DASS
the claimant,) W
0 -35181 M
176.5 0 32 (authenticates to the other. Mutual authentication provides,
in addition, authentication of the verifier back to the) W
0 -36231 M
102.8 0 32 (claimant. In certain communications schemes, for example
connectionless transfer, only one\255way authentication is) W
0 -37281 M
69.1 0 32 (meaningful. DASS supports mutual authentication as a simple
extension of one\255way authentication for use in envi\255) W
0 -38331 M
(ronments where it makes sense.) h
0 -40514 M
107.6 0 32 (DASS potentially can allow many different "trust
relationships" to exist. All principals trust one or more CA's to) W
0 -41564 M
56.3 0 32 (safeguard the certification process. Principals use
certificates as the basis for authenticating identities, and trust that) W
0 -42614 M
63.4 0 32 (CA's which issue certificates act responsibly. Users expect
CA's to make sure that certificates \(and related secrets\)) W
0 -43664 M
(are only made for principals that the CA knows or has properly
authenticated on its own.) h
0 -46147 M
/Times-Bold-ISOLatin1 F 1400 o f
(1.5 ) h
2126 -46147 M
(An Authentication Walkthrough) h
0 -48780 M
/Times-Roman-ISOLatin1 F 1000 o f
44.4 0 32 (The OSI Authentication Framework characterizes
authentication as occurring in six phases. This section attempts to) W
0 -49830 M
(describe DASS in these terms.) h
0 -52163 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.5.1 ) h
2834 -52163 M
(Installation) h
0 -54446 M
/Times-Roman-ISOLatin1 F 1000 o f
23.8 0 32 (In this phase, principal certificates are created, as is the
additional information needed to create claimant and verifier) W
0 -55496 M
(credentials. OSI defines three sub\255phases:) h
709 -57679 M
/Symbol F 1000 o f
(-) h
2154 -57679 M
/Times-Bold-ISOLatin1 F 1000 o f
(Enrollment. ) h
/Times-Roman-ISOLatin1 F 1000 o f
(In DASS, this is the definition of a principal in terms of a key, name and UID.) h
-8503 8502 T
R

showpage
$P e

%%Page: 14 14
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(14) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Symbol F 1000 o f
(-) h
2154 -750 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
(Validation, ) h
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(confirmation of identity to the satisfaction of the CA, after which
the CA generates a certificate.) h
709 -2875 M
/Symbol F 1000 o f
(-) h
2154 -2875 M
/Times-Bold-ISOLatin1 F 1000 o f
31.8 0 32 (Confirmation. ) W
/Times-Roman-ISOLatin1 F 1000 o f
31.8 0 32 (In DASS, this is the act of providing the user with the
certificate and with the CA's own name,) W
2154 -3925 M
60.8 0 32 (key and UID, followed up by the user creating a ) W
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
60.8 0 32 (trusted authority ) W
/Times-Roman-ISOLatin1 F 1000 o f
60.8 0 32 (for that CA. A trusted authority is a certifi\255) W
2154 -4975 M
(cate for the CA signed by the user.) h
0 -7100 M
29.4 0 32 (Included in this step in DASS is the posting of the
certificate so as to be available to principals wishing to verify the) W
0 -8150 M
103.9 0 32 (principal's identity. In addition, the user principal saves
the trusted authority so as to be available when it creates) W
0 -9200 M
(credentials.) h
0 -11475 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.5.2 ) h
2834 -11475 M
(Distribution) h
0 -13700 M
/Times-Roman-ISOLatin1 F 1000 o f
(DASS distributes certificates by placing them in the name service.) h
0 -15975 M
/Times-Bold-ISOLatin1 F 1200 o f
(1.5.3 ) h
2834 -15975 M
(Acquisition) h
0 -18200 M
/Times-Roman-ISOLatin1 F 1000 o f
105.0 0 32 (Whenever principals wish to authenticate to one another,
they access the Name Service to obtain whatever public) W
0 -19250 M
(key certificates they need and create the necessary credentials. In
DASS, acquisition means obtaining credentials.) h
0 -21375 M
73.8 0 32 (Claimant credentials implement the representation of a
principal in a process, or, more accurately, provide a repre\255) W
0 -22425 M
60.8 0 32 (sentation of the principal for use by a process. In making
this representation, the principal delegates to a temporary) W
0 -23475 M
(delegation key. In this fashion the claimant's long term principal key
need not remain in the system.) h
0 -25600 M
87.7 0 32 (Claimant credentials are made by invoking the get
credentials primitive. Claimant credentials are a DASS specific) W
0 -26650 M
(data structure containing:) h
709 -28775 M
/Symbol F 1000 o f
(-) h
2154 -28775 M
/Times-Roman-ISOLatin1 F 1000 o f
(a ) h
/Times-Bold-ISOLatin1 F 1000 o f
(name) h
709 -30900 M
/Symbol F 1000 o f
(-) h
2154 -30900 M
/Times-Roman-ISOLatin1 F 1000 o f
(a ) h
/Times-Bold-ISOLatin1 F 1000 o f
(ticket, ) h
/Times-Roman-ISOLatin1 F 1000 o f
(a data structure containing ) h
2154 -32825 M
/Symbol F 1000 o f
(\267) h
3600 -32825 M
/Times-Roman-ISOLatin1 F 1000 o f
(a validity interval,) h
2154 -34750 M
/Symbol F 1000 o f
(\267) h
3600 -34750 M
/Times-Roman-ISOLatin1 F 1000 o f
(UID, and) h
2154 -36675 M
/Symbol F 1000 o f
(\267) h
3600 -36675 M
/Times-Roman-ISOLatin1 F 1000 o f
(\(temporary\) delegation public key, along with a) h
2154 -38600 M
/Symbol F 1000 o f
(\267) h
3600 -38600 M
/Times-Roman-ISOLatin1 F 1000 o f
(digital signature on the above made with the principal private key) h
709 -40725 M
/Symbol F 1000 o f
(-) h
2154 -40725 M
/Times-Roman-ISOLatin1 F 1000 o f
(the ) h
/Times-Bold-ISOLatin1 F 1000 o f
(delegation private key) h
0 -42850 M
/Times-Roman-ISOLatin1 F 1000 o f
75.0 0 32 (Optionally in addition, there may be credential information
relating to the node on which the user is logged in and) W
0 -43900 M
(the account on that node.  A detailed description of all the
information found in credentials can be found in section 3.) h
0 -46025 M
4.7 0 32 (Verifier credentials are made with initialize_server.
Verifier credentials consist of a principal \(long term\) private key.) W
0 -47075 M
50.3 0 32 (The rationale is that these credentials are usually needed
by servers that must be able to run indefinitely without re\255) W
0 -48125 M
(entry of any long term key.) h
0 -50250 M
135.9 0 32 (In addition, claimants and verifiers have ) W
/Times-Bold-ISOLatin1 F 1000 o f
135.9 0 32 (a trusted authority) W
/Times-Roman-ISOLatin1 F 1000 o f
135.9 0 32 (, which consists of information about a trusted CA. ) W
0 -51300 M
(That information is its:) h
709 -53425 M
/Symbol F 1000 o f
(-) h
2154 -53425 M
/Times-Roman-ISOLatin1 F 1000 o f
(name \(this will appear in the "issuer" field in principal certificates\),) h
709 -55550 M
/Symbol F 1000 o f
(-) h
2154 -55550 M
/Times-Roman-ISOLatin1 F 1000 o f
(public key \(to use in verifying certificates issued by that CA\), and) h
709 -57675 M
/Symbol F 1000 o f
(-) h
2154 -57675 M
/Times-Roman-ISOLatin1 F 1000 o f
(UID.) h
-8503 8502 T
R

showpage
$P e

%%Page: 15 15
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(15) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
19.3 0 32 (Trusted authorities are used by principals to verify
certificates for other principals' public keys.  CAs are arranged in) W
0 -1800 M
58.1 0 32 (a hierarchy corresponding to the naming hierarchy, where
each directory in the naming hierarchy is controlled by a) W
0 -2850 M
46.8 0 32 (single CA.  Each CA certifies the CA of its parent
directory, the CAs of each of its child directories, and optionally) W
0 -3900 M
27.0 0 32 (CAs elsewhere in the naming hierarchy \(mainly to deal with
the case where the directories up to a common ancestor) W
0 -4950 M
24.4 0 32 (lack CAs\).  Even though a principal has only a single CA as
a trusted authority, it can securely obtain the public key) W
0 -6000 M
(of any principal in the namespace by "walking the CA hierarchy".) h
0 -8200 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.5.4 ) h
2834 -8200 M
(Transfer) h
0 -10350 M
/Times-Roman-ISOLatin1 F 1000 o f
237.6 0 32 (The DASS exchange of authentication information is
illustrated in Figure ) W
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
237.6 0 32 (1\2551) W
/Times-Roman-ISOLatin1 F 1000 o f
237.6 0 32 (. During the transfer phase, the) W
0 -11400 M
52.6 0 32 (DASS claimant sends an ) W
/Times-Bold-ISOLatin1 F 1000 o f
52.6 0 32 (authentication token ) W
/Times-Roman-ISOLatin1 F 1000 o f
52.6 0 32 (to the verifier. Authentication tokens are made by invoking
the cre\255) W
0 -12450 M
56.4 0 32 (ate_token primitive. The authentication token is
cryptographically protected and specified as a DASS data structure) W
0 -13500 M
(in ASN.1. The authentication token includes:) h
709 -15550 M
/Symbol F 1000 o f
(-) h
2154 -15550 M
/Times-Roman-ISOLatin1 F 1000 o f
(a ticket,) h
709 -17600 M
/Symbol F 1000 o f
(-) h
2154 -17600 M
/Times-Roman-ISOLatin1 F 1000 o f
(a DES authenticating key encrypted using the intended verifier's public key) h
709 -19650 M
/Symbol F 1000 o f
(-) h
2154 -19650 M
/Times-Roman-ISOLatin1 F 1000 o f
(one of the following:) h
2154 -21500 M
/Symbol F 1000 o f
(\267) h
3600 -21500 M
/Times-Roman-ISOLatin1 F 1000 o f
38.8 0 32 (if delegation is not being performed, a digital signature on
the encrypted DES key using the delegation pri\255) W
3600 -22550 M
(vate key, or) h
2154 -24400 M
/Symbol F 1000 o f
(\267) h
3600 -24400 M
/Times-Roman-ISOLatin1 F 1000 o f
34.7 0 32 (if delegation is being performed, sending the delegation
private key, DES encrypted using the DES authen\255) W
3600 -25450 M
(ticating key) h
709 -27500 M
/Symbol F 1000 o f
(-) h
2154 -27500 M
/Times-Roman-ISOLatin1 F 1000 o f
122.0 0 32 (an ) W
/Times-Bold-ISOLatin1 F 1000 o f
122.0 0 32 (authenticator, ) W
/Times-Roman-ISOLatin1 F 1000 o f
122.0 0 32 (which is a cryptographic checksum made using the DES
authenticating key over a buffer) W
2154 -28550 M
(containing) h
2154 -30400 M
/Symbol F 1000 o f
(\267) h
3600 -30400 M
/Times-Roman-ISOLatin1 F 1000 o f
(a timestamp) h
2154 -32250 M
/Symbol F 1000 o f
(\267) h
3600 -32250 M
/Times-Roman-ISOLatin1 F 1000 o f
30.7 0 32 (any application supplied "channel bindings". For example,
addresses or other context information. The pur\255) W
3600 -33300 M
(pose of this field is to thwart substitution and replay attacks.) h
709 -35350 M
/Symbol F 1000 o f
(-) h
2154 -35350 M
/Times-Roman-ISOLatin1 F 1000 o f
(additional optional information concerning node authentication and context.) h
0 -37400 M
17.6 0 32 (As a side effect, after init_authentication_context, the
caller receives a) W
/Times-Bold-ISOLatin1 F 1000 o f
17.6 0 32 ( local) W
/Times-Roman-ISOLatin1 F 1000 o f
17.6 0 32 ( ) W
/Times-Bold-ISOLatin1 F 1000 o f
17.6 0 32 (authentication context, ) W
/Times-Roman-ISOLatin1 F 1000 o f
17.6 0 32 (a data structure) W
0 -38450 M
(containing:) h
709 -40500 M
/Symbol F 1000 o f
(-) h
2154 -40500 M
/Times-Roman-ISOLatin1 F 1000 o f
(the DES key, and) h
709 -42550 M
/Symbol F 1000 o f
(-) h
2154 -42550 M
/Times-Roman-ISOLatin1 F 1000 o f
(if mutual authentication is being requested, the expected response.) h
0 -44600 M
74.4 0 32 (In order to construct an authentication token, the claimant
needs to access the verifier's public key certificate from) W
0 -45650 M
(the Name Service \(labeled CDC, for Certificate Distribution Center,
in the figure\).) h
0 -47700 M
28.3 0 32 (Note that while an authenticator can only be used once, it
is permissible to re\255establish the same local authentication) W
0 -48750 M
85.4 0 32 (context multiple times. That is, the ticket and DES key
establishment components of the authentication token may) W
0 -49800 M
56.3 0 32 (have a relatively long lifetime. This permits a performance
improvement in that repeated applications of public key) W
0 -50850 M
50.8 0 32 (operations can be alleviated if one caches authentication
contexts, along with other components from a successfully) W
0 -51900 M
42.4 0 32 (used authentication token and the associated verified
principal public key value. It is a relatively inexpensive opera\255) W
0 -52950 M
(tion to create \(and verify\) "fresh" authenticators based on cached
authentication context.) h
-8503 8502 T
R

showpage
$P e

%%Page: 16 16
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(16) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(   Claimant Actions      | Communications |  Verifier Actions) h
0 -1972 M
(                         |                |) h
0 -3194 M
(        verifier name    |                |) h
0 -4416 M
(                |        |                |) h
0 -5638 M
(                |        |           +\255\255\255+|) h
0 -6860 M
(               
\\\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\2
55\255>|   ||) h
0 -8082 M
(  trusted                |           |   ||) h
0 -9304 M
(authorities              |           |CDC||) h
0 -10526 M
(     |    +\255\255\255\255\255\255\255\255\255\255\255+  |certificate|   ||) h
0 -11748 M
(     |    |  Verify  
|<\255\255\255\255\255\255\255\255\255\255\255\255\255|   ||) h
0 -12970 M
(     \\\255\255\255>|Certificate|  |           +\255\255\255+|                  ) h
0 -14192 M
(          +\255\255\255\255\255\255\255\255\255\255\255+  |                |) h
0 -15414 M
(  Claimant        |      |                |) h
0 -16636 M
(credentials    Verifier  |                |   Verifier) h
0 -17858 M
(     |       Public Key  |                | Credentials) h
0 -19080 M
(     |            |      |                |       |) h
0 -20302 M
(     |            V      |                |       V) h
0 -21524 M
(     |    +\255\255\255\255\255\255\255\255\255\255\255+  |
Authentication | +\255\255\255\255\255\255\255\255\255\255\255+) h
0 -22746 M
(     |    |   Make    |  |     Token      | |   Check   |   Replay) h
0 -23968 M
(     \\\255\255\255>|  Token   
|\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\25
5\255\255>|   Token   |<\255\255>Cache) h
0 -25190 M
(          +\255\255\255\255\255\255\255\255\255\255\255+  |           
    | +\255\255\255\255\255\255\255\255\255\255\255+) h
0 -26412 M
(   DES <\255\255\255/      |      |                |  |   |   
\\\255\255\255\255\255>DES) h
0 -27634 M
(   key            |      |                | /Claimant        key) h
0 -28856 M
(                  |      |                |/Public Key    ) h
0 -30078 M
(                  |      |                /      |        trusted  ) h
0 -31300 M
(                  |      |      Claimant /|      V      authorities) h
0 -32522 M
(                  |      |+\255\255\255+   Name  / |
+\255\255\255\255\255\255\255\255\255\255\255+     |) h
0 -33744 M
(         authentication  ||   |<\255\255\255\255\255\255\255/  | | 
Verify   |<\255\255\255\255/) h
0 -34966 M
(            context      ||   |certificate| |Certificate|) h
0 -36188 M
(                  |     
||CDC|\255\255\255\255\255\255\255\255\255\255\255\255>|          
|\255\255>accept/) h
0 -37410 M
(                  |      ||   |           |
+\255\255\255\255\255\255\255\255\255\255\255+   reject) h
0 -38632 M
(                  |      ||   |           |      |      \\) h
0 -39854 M
(                  |      |+\255\255\255+           |authentication\\) h
0 -41076 M
(                  V      |     mutual     |   context     V) h
0 -42298 M
(          +\255\255\255\255\255\255\255\255\255\255\255+  |
authentication |      |      claimant) h
0 -43520 M
(       /\255\255|  Accept   |  |    response    |
+\255\255\255\255\255\255\255\255\255\255+credentials) h
0 -44742 M
(      V   |  Mutual  
|<\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255\2
55\255\255|  Make    |\(delegation\)) h
0 -45964 M
(  accept/ +\255\255\255\255\255\255\255\255\255\255\255+  |           
    | | Response |) h
0 -47186 M
(  reject                 |                |
+\255\255\255\255\255\255\255\255\255\255+) h
0 -48408 M
(                         |                |) h
0 -49630 M
11766 -51002 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(Figure 1 \255 ) h
17065 -51002 M
(Authentication Exchange Overview) h
23515 -52202 M
0 -54424 M
(1.5.5 ) h
2834 -54424 M
(Verification) h
0 -56596 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
49.8 0 32 (Upon receipt of an authentication token, the verifier
extracts the DES key using its verifier credentials, accesses the) W
0 -57646 M
52.7 0 32 (Name Service \(labeled CDC for Certificate Distribution
Center\) to obtain the certificates needed to perform crypto\255) W
-8503 8502 T
R

showpage
$P e

%%Page: 17 17
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(17) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
110.2 0 32 (graphic checks on the incoming information, and verifies
all of the signatures on the received certificates and the) W
0 -1800 M
(authentication token. Verification can result in creation of new
claimant credentials if delegation is performed. ) h
0 -3910 M
(As part of this process, verified authenticators are retained for a
suitable timeout period.) h
0 -6170 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(1.5.6 ) h
2834 -6170 M
(Unenrolment) h
0 -8380 M
/Times-Roman-ISOLatin1 F 1000 o f
22.4 0 32 (This is the removal of information from the Name Service.
The only other form of revocation supported by DASS is) W
0 -9430 M
5.1 0 32 (certificate timeout.  Every certificate contains an
expiration time \(expected in ordinary use to be about a year from its) W
0 -10480 M
(signing date\).  DASS does not ) h
(currently ) h
(support the revocation lists in X.509.) h
0 -14640 M
/Times-Bold-ISOLatin1 F 1600 o f
(2 ) h
1417 -14640 M
(Services Used) h
0 -17250 M
/Times-Roman-ISOLatin1 F 1000 o f
34.8 0 32 (Aside from operating system services needed to maintain its
internal state, DASS relies on a global distributed data\255) W
0 -18300 M
35.5 0 32 (base in which to store its certificates, a reliable source
of time, and a source of random numbers for creating crypto\255) W
0 -19350 M
(graphic keys.) h
0 -21760 M
/Times-Bold-ISOLatin1 F 1400 o f
(2.1 ) h
2126 -21760 M
(Time Service) h
0 -24320 M
/Times-Roman-ISOLatin1 F 1000 o f
53.4 0 32 (DASS requires access to the current time in several of its
algorithms.  Some of its uses of time are security critical. ) W
0 -25370 M
167.2 0 32 (In others, network synchronization of clocks is required.  DASS does ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
167.2 0 32 (not) W
/Times-Roman-ISOLatin1 F 1000 o f
167.2 0 32 (, however, depend on having a single) W
0 -26420 M
(source of time which is both secure and tightly synchronized.) h
0 -28530 M
(The requirements on system provided time are:) h
709 -30640 M
/Symbol F 1000 o f
(-) h
2154 -30640 M
/Times-Roman-ISOLatin1 F 1000 o f
52.1 0 32 (For purposes of validating certificates and tickets, the
system needs access to know the date and time accurate) W
2154 -31690 M
118.9 0 32 (to within a few hours with no particular synchronization
requirements.  If this time is inaccurate, then valid) W
2154 -32740 M
39.9 0 32 (requests may be rejected and expired messages may be
accepted.  Certificate expiration is a backup revocation) W
2154 -33790 M
8.4 0 32 (mechanism, so this can only cause a security compromise in
the event of multiple failures.  ) W
8.4 0 32 (In theory, this could) W
2154 -34840 M
17.6 0 32 (be provided by having ) W
17.6 0 32 (a local clock on every node accurate to within a few hours
over the life of the product to) W
2154 -35890 M
123.2 0 32 (provide this function.  If an insecure network time service) W
123.2 0 32 ( ) W
123.2 0 32 (is used to provide this time, there are theoretical) W
2154 -36940 M
(security threats, but they are expected to be logistically impractical
to exploit.) h
709 -39050 M
/Symbol F 1000 o f
(-) h
2154 -39050 M
/Times-Roman-ISOLatin1 F 1000 o f
36.0 0 32 (For purposes of detecting replay of authentication tokens,
the system needs access to a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
36.0 0 32 (strictly monotonic) W
/Times-Roman-ISOLatin1 F 1000 o f
36.0 0 32 ( time) W
2154 -40100 M
22.6 0 32 (source which is reasonably synchronized across the network
\(within a few minutes\) for the system to work, but) W
2154 -41150 M
48.9 0 32 (inaccuracy does not present a security threat) W
48.9 0 32 ( except as noted below. It) W
48.9 0 32 ( may constitute an availability threat be\255) W
2154 -42200 M
104.1 0 32 (cause valid requests may be rejected.  In order to get
strict monotonicity in the presence of a rapid series of) W
2154 -43250 M
103.3 0 32 (requests, time must be returned with high precision.  There
is no requirement for a high degree of accuracy.) W
103.3 0 32 ( ) W
2154 -44300 M
37.4 0 32 (Inaccurate time could present a security threat in the
following scenario: if a client's clock is made sufficiently) W
2154 -45350 M
29.1 0 32 (fast that its tokens are rejected, someone harvesting those
tokens from the wire could replay them later and im\255) W
2154 -46400 M
53.6 0 32 (personate the client.  In some environments, this might be
an easier threat than harvesting tokens and prevent\255) W
2154 -47450 M
(ing their delivery.) h
709 -49560 M
/Symbol F 1000 o f
(-) h
2154 -49560 M
/Times-Roman-ISOLatin1 F 1000 o f
14.5 0 32 (For purposes of aging stale entries from caches, DASS
requires reasonably accurate timing of ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
14.5 0 32 (intervals) W
/Times-Roman-ISOLatin1 F 1000 o f
14.5 0 32 (.  To the) W
2154 -50610 M
88.5 0 32 (extent that intervals are reported as shorter than the
actually were, revocation of certificates from the naming) W
2154 -51660 M
(service may not be as timely as ) h
(it ) h
(should be.) h
0 -54070 M
/Times-Bold-ISOLatin1 F 1400 o f
(2.2 ) h
2126 -54070 M
(Random Numbers) h
0 -56630 M
/Times-Roman-ISOLatin1 F 1000 o f
41.8 0 32 (In order to generate keys, DASS needs a source of
"cryptographic quality" random numbers.  Cryptographic quality) W
0 -57680 M
30.8 0 32 (means that knowing any of the "random numbers" returned from
a series and knowing all state information which is) W
-8503 8502 T
R

showpage
$P e

%%Page: 18 18
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(18) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
3.6 0 32 (not protected, an attacker cannot predict any of the other
numbers in the series.  Hardware sources are ideal, but there) W
0 -1800 M
114.2 0 32 (are alternative techniques which ) W
114.2 0 32 (may ) W
114.2 0 32 (also ) W
114.2 0 32 (be ) W
114.2 0 32 (acceptable. ) W
114.2 0 32 (A ) W
114.2 0 32 (56 bit "truly random" seed \(say from a series of coin) W
0 -2850 M
1.6 0 32 (tosses\) ) W
1.6 0 32 (could be ) W
1.6 0 32 (used as a DES key to encrypt an infinite length known text
block in CBC mode) W
1.6 0 32 ( to ) W
1.6 0 32 (produce a) W
1.6 0 32 ( ) W
1.6 0 32 (pseudo\255) W
0 -3900 M
51.6 0 32 (random sequence ) W
51.6 0 32 (p) W
51.6 0 32 (rovided the key and current point in the sequence were
adequately protected) W
51.6 0 32 (.  There is consider\255) W
0 -4950 M
132.4 0 32 (able controversy surrounding what constitutes cryptographic
quality random numbers, and it is not a goal of this) W
0 -6000 M
(document to resolve it.) h
0 -8357 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(2.3 ) h
2126 -8357 M
(Naming Service) h
0 -10864 M
/Times-Roman-ISOLatin1 F 1000 o f
55.7 0 32 (DASS stores creates and uses "certificates" associated with
every principal in the system, and encrypted credentials) W
0 -11914 M
72.4 0 32 (associated with most.  This information ) W
72.4 0 32 (is ) W
72.4 0 32 (stored in ) W
72.4 0 32 (an on\255line service ) W
72.4 0 32 (associated with the principal being certified. ) W
0 -12964 M
88.1 0 32 (The long term vision is for DASS to use an X.500 naming
service, and DASS will from its inception authenticate) W
0 -14014 M
86.8 0 32 (X.500 names.  ) W
86.8 0 32 (To avoid a dependence on having an ) W
86.8 0 32 (X.500 ) W
86.8 0 32 (naming service available \(and to gain the benefits of a) W
0 -15064 M
170.3 0 32 ("login agent" that controls password guessing\), an
alternative certificate  distribution center protocol is also de\255) W
0 -16114 M
(scribed.) h
0 -18171 M
(The specific requirements DASS places on the naming service are:) h
709 -20228 M
/Symbol F 1000 o f
(-) h
2154 -20228 M
/Times-Roman-ISOLatin1 F 1000 o f
60.6 0 32 (It must be highly available.  A user's naming service entry
must be available to any node where the user is to) W
2154 -21278 M
72.4 0 32 (obtain services \(or service will be denied\).  A server's
naming service entry must be available from any node) W
2154 -22328 M
(from which the service is to be invoked \(or service will be denied\).) h
709 -24385 M
/Symbol F 1000 o f
(-) h
2154 -24385 M
/Times-Roman-ISOLatin1 F 1000 o f
16.7 0 32 (It must be timely.  The presence of "stale" information in
the naming service may cause some problems.  When) W
2154 -25435 M
35.3 0 32 (a password changes, the old password may remain valid \(and
the new password invalid\) to the extent the nam\255) W
2154 -26485 M
101.6 0 32 (ing service provides stale information.  When a user or
server is added to the network, it will not be able to) W
2154 -27535 M
17.6 0 32 (participate in authentication until the information added to
the naming service is available at the node doing the) W
2154 -28585 M
67.7 0 32 (authentication.  In the unusual circumstance that a key
changes, the entity whose key has changed will not be) W
2154 -29635 M
(able to use the new key until the new certificate is uniformly available.) h
709 -31692 M
/Symbol F 1000 o f
(-) h
2154 -31692 M
/Times-Roman-ISOLatin1 F 1000 o f
21.6 0 32 (It must be secure with regard to certain specific
properties.  In general, the security of DASS protected applica\255) W
2154 -32742 M
101.1 0 32 (tions does not depend on the security of the naming
service.  It is expected that the availability needs of the) W
2154 -33792 M
48.5 0 32 (naming service will prevent it from being as secure as some
applications need to be.) W
48.5 0 32 (  There are two aspects of) W
2154 -34842 M
114.3 0 32 (DASS security which do depend on the security of the naming
service: timely revocation of certificates and) W
2154 -35892 M
18.3 0 32 (protection of user secrets against dictionary based password
guessing. ) W
18.3 0 32 (DASS ) W
18.3 0 32 (d) W
18.3 0 32 (epend) W
18.3 0 32 (s) W
18.3 0 32 ( on the removal of certifi\255) W
2154 -36942 M
18.2 0 32 (cates from the naming service in order to revoke them more
quickly than waiting for them to time out.  For this) W
2154 -37992 M
124.8 0 32 (mechanism to provide any actual security, it must not be
possible for a network entity to "impersonate" the) W
2154 -39042 M
21.2 0 32 (naming service and the naming service must be able to
enforce access controls which prevent a revoked certifi\255) W
2154 -40092 M
88.6 0 32 (cate from being reinstated by an unauthorized entity.  In
the long run, it is expected that DASS itself will be) W
2154 -41142 M
64.1 0 32 (used to secure the naming service, which presents certain
potential recursion problems \(to be addressed in the) W
2154 -42192 M
117.5 0 32 (naming service ) W
117.5 0 32 (design\)) W
117.5 0 32 (.  If th) W
117.5 0 32 (e naming service) W
117.5 0 32 ( is not authenticated \(as is expected in early versions\) a) W
117.5 0 32 (ttacks) W
2154 -43242 M
(where a revoked certificate is "reinstated" through impersonation of
the naming service are possible.) h
0 -45299 M
(The specific functions DASS requests of the naming service are simple:) h
709 -47356 M
/Symbol F 1000 o f
(-) h
2154 -47356 M
/Times-Roman-ISOLatin1 F 1000 o f
(Given an X.500 name, store a set of certificates associated with that name.) h
709 -49413 M
/Symbol F 1000 o f
(-) h
2154 -49413 M
/Times-Roman-ISOLatin1 F 1000 o f
(Given an X.500 name, retrieve the set of certificates associated with that name.) h
709 -51470 M
/Symbol F 1000 o f
(-) h
2154 -51470 M
/Times-Roman-ISOLatin1 F 1000 o f
(Given an X.500 name, store a set of encrypted credentials associated
with that name.) h
709 -53527 M
/Symbol F 1000 o f
(-) h
2154 -53527 M
/Times-Roman-ISOLatin1 F 1000 o f
(Given and X.500 name, retrieve a set of encrypted credentials
associated with that name.) h
0 -55584 M
169.6 0 32 (Implementation over a particular naming service may
implement more specialized functions for reasons of effi\255) W
0 -56634 M
31.7 0 32 (ciency.  For example, the certificates associated with a
name may be separated into several sets \(child, parent, cross,) W
0 -57684 M
47.4 0 32 (self\) so that only the relevant ones may be retrieved.  In
order that access to the naming service itself be secure, the) W
-8503 8502 T
R

showpage
$P e

%%Page: 19 19
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(19) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
28.5 0 32 (protocols should be authenticated.  Certificates should
generally be readable without authentication in order to avoid) W
0 -1800 M
0.8 0 32 (recursion problems.  Requests to read encrypted credentials
should be specialized and should include proof of knowl\255) W
0 -2850 M
(edge of the password in order that the naming service can audit and
slow down false password guesses.) h
0 -4978 M
(The following sections describe the interfaces to specific naming services) h
(:) h
0 -7256 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(2.3.1 ) h
2834 -7256 M
(Interface to X.500) h
0 -9484 M
/Times-Roman-ISOLatin1 F 1000 o f
69.4 0 32 (Certificates associated with a particular name are stored as
attributes of the entry as specified in X.509.  X.509 de\255) W
0 -10534 M
10.4 0 32 (fines attributes appropriate for parent and cross
certificates \(CrossCertificatePair, CACertificate\) for some principals;) W
0 -11584 M
2.1 0 32 (we will have to define a DASSUserPrincipal object class
including these attributes in order to properly use them with) W
0 -12634 M
44.7 0 32 (ordinary users.  Retrieval is via normal X.500 protocols. 
Certificates should be world readable and modifiable only) W
0 -13684 M
(by appropriate authorities.) h
0 -15812 M
72.4 0 32 (Encrypted credentials are stored with the entry of the
principal under a yet to be defined attribute.  The credentials) W
0 -16862 M
40.8 0 32 (should be encoded as specified in section 4.  In the absence
of extensions to the X.500 protocol to control password) W
0 -17912 M
87.6 0 32 (guessing, the encrypted credentials should be world readable
and updatable only by the named principal and other) W
0 -18962 M
(appropriate authorities.) h
0 -21240 M
/Times-Bold-ISOLatin1 F 1200 o f
(2.3.2 ) h
2834 -21240 M
(Interface to CDC) h
0 -23468 M
/Times-Roman-ISOLatin1 F 1000 o f
48.1 0 32 (The CDC \(Certificate Distribution Center) W
48.1 0 32 (\)) W
48.1 0 32 ( is a special purpose name server created to service DASS
until an X.500) W
0 -24518 M
11.7 0 32 (service is available in all of the environments where DASS
needs to operate.  The CDC uses a special purpose proto\255) W
0 -25568 M
72.4 0 32 (col to communicate with DASS clients.  The protocol was
designed for efficiency, simplicity, and security.  CDCs) W
0 -26618 M
(use DASS as an authentication mechanism and to protect encrypted
credentials from unaudited password guessing.) h
0 -28746 M
69.9 0 32 (Each DASS client maintains a list of CDCs and the portion of
the namespace served by that CDC.  Each directory) W
0 -29796 M
121.8 0 32 (has a master replica which is the only one which will
accept updates.  The CDCs maintain consistency with one) W
0 -30846 M
117.2 0 32 (another using protocols beyond the scope of this document. 
When a DASS client wishes to make a request of a) W
0 -31896 M
35.2 0 32 (CDC, it opens a TCP or DECnet connection to the CDC and
sends an ASN.1 \(BER\) encoded request and receives a) W
0 -32946 M
118.4 0 32 (corresponding ASN.1 \(BER\) encoded response.  ) W
118.4 0 32 (Clients are expected to learn the IP or DECnet address and port) W
0 -33996 M
118.4 0 32 (number of the CDC supporting a particular name from a local
configuration file.  T) W
118.4 0 32 (o maximize performance, the) W
0 -35046 M
16.7 0 32 (requests bundle what would be several requests if made in
terms of requests for individual certificates.  It is intended) W
0 -36096 M
89.7 0 32 (that all certificates needed for an authentication operation
be retrievable with a) W
89.7 0 32 (t most two ) W
89.7 0 32 (CDC request) W
89.7 0 32 (s) W
89.7 0 32 (/response) W
89.7 0 32 (s) W
0 -37146 M
(\(one to the CDC of the client and one to the CDC of the server\).) h
0 -39274 M
85.6 0 32 (Documented here ) W
85.6 0 32 (is ) W
85.6 0 32 (the protocol) W
85.6 0 32 ( ) W
85.6 0 32 (a DASS client would use to retrieve certificates and
credentials from a CDC and) W
0 -40324 M
27.0 0 32 (update a user password.  ) W
27.0 0 32 (This protocol does not provide for updates to the
certificate and credential databases.  Such) W
0 -41374 M
42.1 0 32 (updates must be supported for a practical system, but could
be done either by extensions to this protocol or by local) W
0 -42424 M
70.9 0 32 (security mechanisms implemented on nodes supporting the CDC.
 Similarly, availability can be enhanced by repli\255) W
0 -43474 M
77.5 0 32 (cating the CDC.  Automating the replication of updates could
be implemented by extensions to this protocol or by) W
0 -44524 M
42.3 0 32 (some other mechanism.  This specification assumes that
updates and replication are local matters solved by individ\255) W
0 -45574 M
(ual CA/CDC implementations.) h
0 -47702 M
(Requests and responses are encoded as follows:) h
0 -49905 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.1 ) h
3300 -49905 M
(ReadPrinCertRequest) h
0 -52108 M
/Times-Roman-ISOLatin1 F 1000 o f
85.7 0 32 (This request asks the CDC to return the child certificates
and selected incoming cross certificates for the specified) W
0 -53158 M
(object.  The format of the request is:) h
3600 -55286 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(ReadPrinCertRequest ::= [4] IMPLICIT SEQUENCE {) h
3600 -56486 M
7072 -56486 M
(flags [0] BIT STRING DEFAULT {},) h
3600 -57686 M
7072 -57686 M
(index [1] IMPLICIT INTEGER DEFAULT 0,) h
-8503 8502 T
R

showpage
$P e

%%Page: 20 20
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(20) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
3600 -750 M
7072 -750 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(resolveFrom [2] Name OPTIONAL,) h
3600 -1950 M
7072 -1950 M
(principal Name,) h
3600 -3150 M
7072 -3150 M
(crossCertIssuers ListOfIssuers OPTIONAL) h
3600 -4350 M
7072 -4350 M
(}) h
3600 -6159 M
(ListOfIssuers ::= SEQUENCE OF Name) h
0 -7968 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
33.7 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
33.7 0 32 (flags, ) W
/Times-Roman-ISOLatin1 F 1000 o f
33.7 0 32 (if present, contain a protocol version number.  Clients
following this spec should place the) W
0 -9018 M
44.6 0 32 (value 2.0.0 in the three bytes.  Servers following this spec
should accept any value of the form 1.x.x or 2.x.x.  ) W
/Times-Bold-ISOLatin1 F 1000 o f
44.6 0 32 (flag) W
44.6 0 32 (s) W
0 -10068 M
/Times-Roman-ISOLatin1 F 1000 o f
34.9 0 32 (bits beyond the first 24 are reserved for future use
\(should not be supplied by clients and should be ignored by serv\255) W
0 -11118 M
(ers\).) h
0 -13177 M
/Times-Bold-ISOLatin1 F 1000 o f
18.1 0 32 (index ) W
/Times-Roman-ISOLatin1 F 1000 o f
18.1 0 32 (is only used if the response exceeds the size of a single
message; in that case, the query is repeated with ) W
/Times-Bold-ISOLatin1 F 1000 o f
18.1 0 32 (index) W
0 -14227 M
/Times-Roman-ISOLatin1 F 1000 o f
(set to the value that was returned by ReadPrinCertResponse.) h
0 -16286 M
/Times-Bold-ISOLatin1 F 1000 o f
64.5 0 32 (resolveFrom ) W
/Times-Roman-ISOLatin1 F 1000 o f
64.5 0 32 (and ) W
/Times-Bold-ISOLatin1 F 1000 o f
64.5 0 32 (principal ) W
/Times-Roman-ISOLatin1 F 1000 o f
64.5 0 32 (imply a set of entities for which certificates should be retrieved.  ) W
/Times-Bold-ISOLatin1 F 1000 o f
64.5 0 32 (resolveFrom ) W
/Times-Roman-ISOLatin1 F 1000 o f
64.5 0 32 (\(if pre\255) W
0 -17336 M
44.4 0 32 (sent\) must be an ancestor of ) W
/Times-Bold-ISOLatin1 F 1000 o f
44.4 0 32 (principal) W
/Times-Roman-ISOLatin1 F 1000 o f
44.4 0 32 ( and ) W
44.4 0 32 (child ) W
44.4 0 32 (certificates will be retrieved for ) W
/Times-Bold-ISOLatin1 F 1000 o f
44.4 0 32 (principal ) W
/Times-Roman-ISOLatin1 F 1000 o f
44.4 0 32 (and) W
/Times-Bold-ISOLatin1 F 1000 o f
44.4 0 32 ( ) W
/Times-Roman-ISOLatin1 F 1000 o f
44.4 0 32 (all names which are) W
0 -18386 M
110.2 0 32 (ancestors of ) W
/Times-Bold-ISOLatin1 F 1000 o f
110.2 0 32 (principal ) W
/Times-Roman-ISOLatin1 F 1000 o f
110.2 0 32 (but descendants of ) W
/Times-Bold-ISOLatin1 F 1000 o f
110.2 0 32 (resolveFrom.) W
/Times-Roman-ISOLatin1 F 1000 o f
110.2 0 32 (  The encoding of names is per X.500 and is specified in) W
0 -19436 M
21.8 0 32 (more detail in section 4.  The CDC returns the certificates
in order of the object they came from, parents before chil\255) W
0 -20486 M
(dren.  ) h
0 -22545 M
/Times-Bold-ISOLatin1 F 1000 o f
32.7 0 32 (c) W
32.7 0 32 (ross) W
32.7 0 32 (CertIssuers ) W
/Times-Roman-ISOLatin1 F 1000 o f
32.7 0 32 (is a list of cross certifiers that would be believed in the
context of this authentication.  ) W
32.7 0 32 (If supplied,) W
0 -23595 M
116.4 0 32 (the CDC may return a chain of certificates starting with
one of the named ) W
/Times-Bold-ISOLatin1 F 1000 o f
116.4 0 32 (crossCertIssuers ) W
/Times-Roman-ISOLatin1 F 1000 o f
116.4 0 32 (and ending with the) W
0 -24645 M
42.3 0 32 (named ) W
/Times-Bold-ISOLatin1 F 1000 o f
42.3 0 32 (principal.  ) W
/Times-Roman-ISOLatin1 F 1000 o f
42.3 0 32 (One of ) W
/Times-Bold-ISOLatin1 F 1000 o f
42.3 0 32 (resolveFrom ) W
/Times-Roman-ISOLatin1 F 1000 o f
42.3 0 32 (or ) W
/Times-Bold-ISOLatin1 F 1000 o f
42.3 0 32 (crossCertIssuers) W
/Times-Roman-ISOLatin1 F 1000 o f
42.3 0 32 ( must be present in any request; if both are present, the) W
0 -25695 M
(CDC may return either chain.  ) h
0 -27829 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.2 ) h
3300 -27829 M
(ReadPrinCertResponse) h
0 -29963 M
/Times-Roman-ISOLatin1 F 1000 o f
(This is the response a CDC sends to a ReadPrinCertRequest.  Its syntax is:) h
3600 -32022 M
/Courier-ISOLatin1 F 1000 o f
(ReadPrinCertResponse ::= [5] IMPLICIT SEQUENCE {) h
3600 -33222 M
7072 -33222 M
(status [0] IMPLICIT CDCstatus DEFAULT success,) h
3600 -34422 M
7072 -34422 M
(index [1] INTEGER OPTIONAL,) h
3600 -35622 M
7072 -35622 M
(resolveTo [2] Name OPTIONAL,) h
3600 -36822 M
7072 -36822 M
(certSequence [3] IMPLICIT CertSequence,) h
3600 -38022 M
7072 -38022 M
(indexInvalidator [4] OCTET STRING \(SIZE\(8\)\) ) h
38976 -38022 M
42523 -38022 M
3600 -39222 M
7072 -39222 M
8511 -39222 M
15893 -39222 M
19440 -39222 M
23083 -39222 M
(OPTIONAL,) h
3600 -40422 M
7072 -40422 M
(flags [5] BIT STRING OPTIONAL) h
3600 -41622 M
7072 -41622 M
(}) h
3600 -43431 M
(CertSequence ::= SEQUENCE OF Certificate) h
0 -45240 M
/Times-Bold-ISOLatin1 F 1000 o f
(status ) h
/Times-Roman-ISOLatin1 F 1000 o f
(indicates success or the cause of the failure.) h
0 -47299 M
/Times-Bold-ISOLatin1 F 1000 o f
54.5 0 32 (index ) W
/Times-Roman-ISOLatin1 F 1000 o f
54.5 0 32 (if present indicates that the request could not be fully
satisfied in a single request because of size limitations. ) W
0 -48349 M
(The request should be repeated with this index supplied in the request
to get more.) h
0 -50408 M
/Times-Bold-ISOLatin1 F 1000 o f
(resolveTo ) h
/Times-Roman-ISOLatin1 F 1000 o f
(will be present if ) h
/Times-Bold-ISOLatin1 F 1000 o f
(index) h
/Times-Roman-ISOLatin1 F 1000 o f
( is present and should be supplied in the request for more certificates.) h
0 -52467 M
/Times-Bold-ISOLatin1 F 1000 o f
(certSequence) h
/Times-Roman-ISOLatin1 F 1000 o f
( ) h
(contains ) h
(certificates found matching the search criteria.) h
0 -54526 M
/Times-Bold-ISOLatin1 F 1000 o f
6.2 0 32 (indexInvalidator) W
/Times-Roman-ISOLatin1 F 1000 o f
6.2 0 32 ( may be present and indicates the version of the database
being read.  If a set of certificates is being) W
0 -55576 M
66.5 0 32 (read in multiple requests \(because there were too many to
return in a single message\), the reader should check that) W
0 -56626 M
90.5 0 32 (the value for indexInvalidator is the same on each request. 
If it is not, the server may have skipped or duplicated) W
0 -57676 M
(some certificates.  This field must not be present if the version
number in the request was missing or version 1.x.x.) h
-8503 8502 T
R

showpage
$P e

%%Page: 21 21
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(21) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
53.3 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
53.3 0 32 (flags, ) W
/Times-Roman-ISOLatin1 F 1000 o f
53.3 0 32 (if present, indicate the protocol version number.) W
53.3 0 32 (  Implementers of this version of the spec) W
0 -1800 M
(should supply 2.0.0 and should accept any version number of the form
1.x.x or 2.x.x.) h
0 -4120 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.3 ) h
3300 -4120 M
(ReadOutgoingCertRequest) h
0 -6440 M
/Times-Roman-ISOLatin1 F 1000 o f
13.1 0 32 (This requests from the CDC a list of all parent and outgoing
cross certificates for a specified object.  ) W
13.1 0 32 (A CDC is capa\255) W
0 -7490 M
94.5 0 32 (ble of storing cross certificates either with the subject or
the issuer of the cross certificate.  In response to this re\255) W
0 -8540 M
9.8 0 32 (quest, the CDC will return all parent and cross certificates
stored with the issuer for the named principal and all of its) W
0 -9590 M
(ancestors. I) h
(ts syntax is:) h
3600 -11835 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(ReadOutgoingCertRequest ::= [6] IMPLICIT SEQUENCE {) h
3600 -13035 M
7072 -13035 M
(flags [0] BIT STRING DEFAULT {},) h
3600 -14235 M
7072 -14235 M
(index [1] IMPLICIT INTEGER DEFAULT 0,) h
3600 -15435 M
7072 -15435 M
(principal Name) h
3600 -16635 M
7072 -16635 M
(}) h
0 -18630 M
/Times-Roman-ISOLatin1 F 1000 o f
32.5 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 F 1000 o f
32.5 0 32 (flags) W
/Times-Roman-ISOLatin1 F 1000 o f
32.5 0 32 ( is a protocol version number and should contain 2.0.0 for
clients implementing this version) W
0 -19680 M
83.8 0 32 (of the spec.  Servers implementing this version of the spec
should accept any version number of the form 1.x.x or) W
0 -20730 M
54.7 0 32 (2.x.x.  The remaining bits are reserved for future use
\(they should not be supplied by clients and they should be ig\255) W
0 -21780 M
(nored by servers\).) h
0 -24025 M
/Times-Bold-ISOLatin1 F 1000 o f
(index ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is used for continuation \(see ReadPrinCertRequest\).) h
0 -26270 M
/Times-Bold-ISOLatin1 F 1000 o f
(principal ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is the name for which certificates are requested.) h
0 -28590 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.4 ) h
3300 -28590 M
(ReadOutgoingCertResponse) h
0 -30910 M
/Times-Roman-ISOLatin1 F 1000 o f
(This is the response to a Read) h
(OutgoingC) h
(ertRequest.  Its syntax is:) h
3600 -33155 M
/Courier-ISOLatin1 F 1000 o f
(ReadOutgoingCertResponse::= [7] IMPLICIT SEQUENCE {) h
3600 -34355 M
7072 -34355 M
(status [0] IMPLICIT CDCStatus DEFAULT success,) h
3600 -35555 M
7072 -35555 M
(index [1] INTEGER OPTIONAL,) h
3600 -36755 M
7072 -36755 M
(certSequence [2] IMPLICIT CertSequence,) h
3600 -37955 M
7072 -37955 M
(indexInvalidator [3] OCTET STRING \(SIZE\(8\)\) ) h
38976 -37955 M
42523 -37955 M
3600 -39155 M
7072 -39155 M
8511 -39155 M
15893 -39155 M
19440 -39155 M
23083 -39155 M
30155 -39155 M
(OPTIONAL,) h
3600 -40355 M
7072 -40355 M
(flags [4] BIT STRING OPTIONAL) h
3600 -41555 M
7072 -41555 M
(}) h
3600 -43550 M
(CertSequence ::= SEQUENCE OF Certificate) h
0 -45545 M
/Times-Bold-ISOLatin1 F 1000 o f
(status ) h
/Times-Roman-ISOLatin1 F 1000 o f
(indicates success of the cause of failure of the operation.) h
0 -47790 M
/Times-Bold-ISOLatin1 F 1000 o f
(index ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is used for continuation; see ReadPrinCertRequest.) h
0 -50035 M
/Times-Bold-ISOLatin1 F 1000 o f
(certSequence ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is the list of parent and outgoing cross certificates.) h
0 -52280 M
/Times-Bold-ISOLatin1 F 1000 o f
54.1 0 32 (indexInvalidator ) W
/Times-Roman-ISOLatin1 F 1000 o f
54.1 0 32 (is used for continuation; see ReadPrinCertResponse \(the
same rules apply with respect to version) W
0 -53330 M
(numbers\).) h
0 -55575 M
66.1 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 F 1000 o f
66.1 0 32 (flags, ) W
/Times-Roman-ISOLatin1 F 1000 o f
66.1 0 32 (if present, contain the protocol version number.  Clients
implementing this version of the) W
0 -56625 M
32.2 0 32 (spec should supply the value 2.0.0.  Servers should accept
any values of the form 1.x.x or 2.x.x.  The remaining bits) W
0 -57675 M
(are reserved for future use \(they should not be supplied by clients
and should be ignored by servers\).) h
-8503 8502 T
R

showpage
$P e

%%Page: 22 22
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(22) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -825 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.5 ) h
3300 -825 M
(ReadCredentialRequest) h
0 -3034 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
58.0 0 32 (This request is made to retrieve an principal's encrypted
credentials.  To prevent unaudited password guessing, this) W
0 -4084 M
69.4 0 32 (structure includes an encrypted value that proves that the
requester knows the password that will decrypt the struc\255) W
0 -5134 M
(ture.  The syntax of the request is:) h
3600 -7268 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(ReadCredentialRequest ::= [2] IMPLICIT SEQUENCE {) h
3600 -8468 M
7072 -8468 M
(flags [0] BIT STRING DEFAULT {}) h
3600 -9668 M
7072 -9668 M
(principal) h
( ) h
(Name,) h
3600 -10868 M
7072 -10868 M
(logindata [2] BIT STRING DEFAULT {},) h
3600 -12068 M
7072 -12068 M
(token [3] BIT STRING OPTIONAL) h
3600 -13268 M
7072 -13268 M
(}) h
0 -15152 M
/Times-Roman-ISOLatin1 F 1000 o f
13.6 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 F 1000 o f
13.6 0 32 (flags ) W
/Times-Roman-ISOLatin1 F 1000 o f
13.6 0 32 (contains the version number of the protocol.  The value
2.0.0 should be supplied. Any value) W
0 -16202 M
28.4 0 32 (of the form 1.x.x or 2.x.x should be accepted. Any
additional bits are reserved for future use \(should not be supplied) W
0 -17252 M
(by clients and should be ignored by servers\).) h
0 -19386 M
/Times-Bold-ISOLatin1 F 1000 o f
(principal ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is the name of the principal for whom encrypted credentials are desired.) h
0 -21520 M
/Times-Bold-ISOLatin1 F 1000 o f
36.6 0 32 (logindata ) W
/Times-Roman-ISOLatin1 F 1000 o f
36.6 0 32 (is an encrypted value.  It may only be present if the
version number is 2.0.0 or higher.  It must be present) W
0 -22570 M
7.1 0 32 (to read credentials which are protected by the login agent
functionality of the CDC.  It is constructed as a single RSA) W
0 -23620 M
19.7 0 32 (block ) W
19.7 0 32 (e) W
19.7 0 32 (ncrypted under the public key of the CDC.  ) W
19.7 0 32 (The public key of the CDC is learned by some local means.  Pos\255) W
0 -24670 M
7.4 0 32 (sibilities include a local configuration file or by using
DASS to read and verify a chain of certificates ending with the) W
0 -25720 M
64.8 0 32 (CDC [the CDC serving a directory should have its public key
listed under a name consisting of the directory name) W
0 -26770 M
(with the RDN "CSS=X509"; the OID for the type CSS is 1.3.24.9.1].  T) h
(he contents of the block are as follows:) h
709 -28904 M
/Symbol F 1000 o f
(-) h
2154 -28904 M
/Times-Roman-ISOLatin1 F 1000 o f
63.7 0 32 (The low order eight bytes contain a randomly generated DES
key with the last byte of the DES key placed in) W
2154 -29954 M
6.6 0 32 (the l) W
6.6 0 32 (ast ) W
6.6 0 32 (byte of the RSA block.  This DES key will be used by the CDC
to encrypt the response.) W
6.6 0 32 (  Key parity bits) W
2154 -31004 M
(are ignored.) h
709 -33138 M
/Symbol F 1000 o f
(-) h
2154 -33138 M
/Times-Roman-ISOLatin1 F 1000 o f
61.7 0 32 (The next ) W
61.7 0 32 (to last eight ) W
61.7 0 32 (bytes contain a ) W
61.7 0 32 (long ) W
61.7 0 32 (Posix time ) W
61.7 0 32 (with the integer time encoded as a byte string using big) W
2154 -34188 M
(endian order.) h
709 -36322 M
/Symbol F 1000 o f
(-) h
2154 -36322 M
/Times-Roman-ISOLatin1 F 1000 o f
53.8 0 32 (The next eight) W
53.8 0 32 ( ) W
53.8 0 32 (bytes) W
53.8 0 32 ( \(from the end\) ) W
53.8 0 32 (contain a hash of the password.  The algorithm for computing
this hash is) W
2154 -37372 M
81.4 0 32 (listed in section 4.4.2.  The CDC never computes this hash;
it simply compares the value it receives with the) W
2154 -38422 M
(value associated with the credentials.) h
709 -40556 M
/Symbol F 1000 o f
(-) h
2154 -40556 M
/Times-Roman-ISOLatin1 F 1000 o f
(The next six) h
(teen ) h
(bytes ) h
(\(from the end\) ) h
(contain zero.) h
709 -42690 M
/Symbol F 1000 o f
(-) h
2154 -42690 M
/Times-Roman-ISOLatin1 F 1000 o f
30.3 0 32 (The remainder of the RSA block ) W
30.3 0 32 (\(which should be the same size as the public modulus of the CDC\) c) W
30.3 0 32 (ontains a) W
2154 -43740 M
50.0 0 32 (random number.  The ) W
50.0 0 32 (first ) W
50.0 0 32 (byte should be chosen to be non\255zero but so the value in
the block does not exceed) W
2154 -44790 M
200.5 0 32 (the RSA modulus.  Servers should ignore these bits.) W
200.5 0 32 (  This random number need not be of cryptographic) W
2154 -45840 M
(strength, but should not be the same value for all encryptions. 
Repeating the DES key would be adequate.) h
709 -47974 M
/Symbol F 1000 o f
(-) h
2154 -47974 M
/Times-Roman-ISOLatin1 F 1000 o f
52.6 0 32 (The byte string thus constructed is encrypted using the RSA
algorithm by treating the string of bytes as a "big) W
2154 -49024 M
(endian" integer and treating the integer result as "big endian" to
make a string of bytes.) h
0 -51158 M
/Times-Bold-ISOLatin1 F 1000 o f
88.4 0 32 (token ) W
/Times-Roman-ISOLatin1 F 1000 o f
88.4 0 32 (will not be present in the initial implementation but a
space is reserved in case some future implementation) W
0 -52208 M
(wants to authenticate and audit the node from which a user is logging in.) h
0 -54417 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.6 ) h
3300 -54417 M
(R) h
(eadCredentialProtectedResponse) h
0 -56626 M
/Times-Roman-ISOLatin1 F 1000 o f
74.2 0 32 (This is the second possible response to a
ReadPrinLoginRequest.  It is returned when the encrypted credentials are) W
0 -57676 M
(protected from password guessing by the CDC acting as a login agent. 
Its syntax is:) h
-8503 8502 T
R

showpage
$P e

%%Page: 23 23
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(23) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(ReadCredentialProtectedResponse::=[16] IMPLICIT SEQUENCE {) h
0 -1800 M
5760 -1800 M
(status [0] IMPLICIT CDCStatus DEFAULT success,) h
0 -2850 M
5760 -2850 M
(encryptedCredential [1] BIT STRING,) h
0 -3900 M
5760 -3900 M
(flags [2] BIT STRING OPTIONAL) h
0 -4950 M
5760 -4950 M
(}) h
0 -7084 M
0 -9218 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
(status) h
/Times-Roman-ISOLatin1 F 1000 o f
( indicates that the request succeeded or the cause of the failure.) h
0 -11352 M
/Times-Bold-ISOLatin1 F 1000 o f
101.3 0 32 (encryptedCredential ) W
/Times-Roman-ISOLatin1 F 1000 o f
101.3 0 32 (contains the DASSPrivateKey structure \(defined in section
4.1\) encrypted under a DES key) W
0 -12402 M
48.6 0 32 (computed from the user's name and password as specified in
section 4.4.2 and then reencrypted under the DES key) W
0 -13452 M
(provided in the ReadPrinLoginRequest.) h
0 -15586 M
17.6 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 F 1000 o f
17.6 0 32 (flags) W
/Times-Roman-ISOLatin1 F 1000 o f
17.6 0 32 (, if present, contains the version number of the protocol.  ) W
17.6 0 32 (Implementers of this version of the) W
0 -16636 M
34.0 0 32 (spec should supply 2.0.0 and should accept any version
number of the form 2.x.x.  O) W
34.0 0 32 (ther bits are reserved for future) W
0 -17686 M
(use) h
( \(they should not be supplied and they should be ignored\).) h
0 -19895 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.7 ) h
3300 -19895 M
(WriteCredentialRequest) h
0 -22104 M
/Times-Roman-ISOLatin1 F 1000 o f
12.0 0 32 (This is a request to update the encrypted credential
structure.  It is used when a user's key or password changes.  The) W
0 -23154 M
(syntax of the request is:) h
3600 -25288 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(WriteCredentialRequest ::= [17] IMPLICIT SEQUENCE {) h
3600 -26488 M
7072 -26488 M
(flags [0] BIT STRING DEFAULT {},) h
3600 -27688 M
7072 -27688 M
(authtoken [) h
(2]) h
( BIT STRING OPTIONAL,) h
3600 -28888 M
7072 -28888 M
(principal [) h
(3]) h
( Name,) h
3600 -30088 M
7072 -30088 M
(logindata [) h
(4]) h
( BIT STRING DEFAULT {},) h
3600 -31288 M
7072 -31288 M
(furtherSensitiveStuff [) h
(5]) h
( BIT STRING) h
3600 -32488 M
7072 -32488 M
(}) h
0 -34372 M
/Times-Roman-ISOLatin1 F 1000 o f
101.6 0 32 (The first 24 bits of ) W
/Times-Bold-ISOLatin1 F 1000 o f
101.6 0 32 (flags ) W
/Times-Roman-ISOLatin1 F 1000 o f
101.6 0 32 (is a version number.  Clients implementing this version of
the spec should supply 2.0.0. ) W
0 -35422 M
110.3 0 32 (Servers should accept any value of the form) W
110.3 0 32 ( ) W
110.3 0 32 (2.x.x.  Additional bits are reserved for future use
\(clients should not) W
0 -36472 M
(supply them and servers should ignore them\).) h
0 -38606 M
/Times-Bold-ISOLatin1 F 1000 o f
124.1 0 32 (token) W
/Times-Roman-ISOLatin1 F 1000 o f
124.1 0 32 (, if present, authenticates the entity making the request. 
A request will be accepted either from ) W
124.1 0 32 (a principal) W
0 -39656 M
39.1 0 32 (proving knowledge of the password \(see ) W
/Times-Bold-ISOLatin1 F 1000 o f
39.1 0 32 (logindata) W
/Times-Roman-ISOLatin1 F 1000 o f
39.1 0 32 ( below\) or a principal presenting a token in this field and
satisfy\255) W
0 -40706 M
57.3 0 32 (ing the authorization policy of the CDC.) W
57.3 0 32 (  This field need not be present if logindata includes the
hash2 of the pass\255) W
0 -41756 M
(word \(anyone knowing the old password may set a new one\).) h
0 -43890 M
/Times-Bold-ISOLatin1 F 1000 o f
(principal) h
/Times-Roman-ISOLatin1 F 1000 o f
( is the name of the object for which encrypted credentials should be updated.) h
0 -46024 M
/Times-Bold-ISOLatin1 F 1000 o f
9.7 0 32 (logindata ) W
/Times-Roman-ISOLatin1 F 1000 o f
9.7 0 32 (is encrypted as in ReadPrinLoginRequest.  It proves that the
requester knows the old password of the prin\255) W
0 -47074 M
0.6 0 32 (cipal to be updated \(unless the token supplied is from the
user's CA\) and includes the key which encrypts furtherSen\255) W
0 -48124 M
(sitiveStuff.) h
0 -50258 M
/Times-Bold-ISOLatin1 F 1000 o f
(furtherSensitiveStuff ) h
/Times-Roman-ISOLatin1 F 1000 o f
(is an encrypted field constructed as follows:) h
709 -52392 M
/Symbol F 1000 o f
(-) h
2154 -52392 M
/Times-Roman-ISOLatin1 F 1000 o f
85.8 0 32 (The first eight bytes consist of the hash2 defined in
section 4.4.2 with the last byte of the hash2 value stored) W
2154 -53442 M
66.0 0 32 (first.  The CDC stores this value and compares it with the
values supplied in future requests of ) W
/Times-Bold-ISOLatin1 F 1000 o f
66.0 0 32 (ReadCreden\255) W
2154 -54492 M
(tialRequest ) h
/Times-Roman-ISOLatin1 F 1000 o f
(and ) h
/Times-Bold-ISOLatin1 F 1000 o f
(WriteCredentialRequest.) h
709 -56626 M
/Symbol F 1000 o f
(-) h
2154 -56626 M
/Times-Roman-ISOLatin1 F 1000 o f
40.6 0 32 (The next \(variable number of\) bytes contains a
DASSPrivateKey structure \(defined in section 4.1\).  This is the) W
2154 -57676 M
(new credential structure that will be returned by the CDC on future ) h
/Times-Bold-ISOLatin1 F 1000 o f
(ReadCredentialRequest) h
/Times-Roman-ISOLatin1 F 1000 o f
(s.) h
-8503 8502 T
R

showpage
$P e

%%Page: 24 24
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(24) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Symbol F 1000 o f
(-) h
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(The result is padded with zero bytes to a multiple of eight bytes.) h
709 -2818 M
/Symbol F 1000 o f
(-) h
2154 -2818 M
/Times-Roman-ISOLatin1 F 1000 o f
107.4 0 32 (The entire padded string is encrypted using the key from ) W
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
107.4 0 32 (logindata ) W
/Times-Roman-ISOLatin1 F 1000 o f
107.4 0 32 (or ) W
/Times-Bold-ISOLatin1 F 1000 o f
107.4 0 32 (token) W
/Times-Roman-ISOLatin1 F 1000 o f
107.4 0 32 ( using DES in CBC mode with) W
2154 -3868 M
(zero IV.) h
0 -5936 M
57.5 0 32 (the new eight byte "hash2" defined in section 4.4.2
concatenated with the DASSPrivateKey structure encrypted un\255) W
0 -6986 M
(der the new "hash1" all encrypted under the DES key included ) h
(i) h
(n logindata.) h
0 -9129 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.8 ) h
3300 -9129 M
(HereIsStatus) h
0 -11272 M
/Times-Roman-ISOLatin1 F 1000 o f
(This is the response message to ) h
(ill\255formed ) h
(requests ) h
(and requests ) h
(that only return a status and no data.  It's syntax is:) h
3600 -13340 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(HereIsStatus ::= [1] IMPLICIT SEQUENCE {) h
3600 -14540 M
7072 -14540 M
(status [0] IMPLICIT CDCStatus DEFAULT success) h
3600 -15740 M
7072 -15740 M
(}) h
0 -17558 M
/Times-Bold-ISOLatin1 F 1000 o f
(status) h
/Times-Roman-ISOLatin1 F 1000 o f
( indicates success or the cause of the failure.) h
0 -19701 M
/Times-Bold-ISOLatin1 F 1100 o f
(2.3.2.9 ) h
3300 -19701 M
(Status Codes) h
0 -21844 M
/Times-Roman-ISOLatin1 F 1000 o f
31.0 0 32 (The following are the CDCStatus codes that can be returned
by servers.  Not all of these values are possible with all) W
0 -22894 M
(calls, and some of the status codes are not possible with any of the
calls described in this document.) h
3600 -24962 M
/Courier-ISOLatin1 F 1000 o f
(CDCStatus ::= INTEGER {) h
3600 -26780 M
7072 -26780 M
(success\(0\),) h
3600 -28598 M
7072 -28598 M
(accessDenied\(1\),) h
3600 -30416 M
7072 -30416 M
(wrongCDC\(2\),) h
15893 -30416 M
19440 -30416 M
(\255\255this CDC does not store the) h
3600 -32234 M
7072 -32234 M
8511 -32234 M
15893 -32234 M
19440 -32234 M
(\255\255requested information) h
3600 -34052 M
7072 -34052 M
(unrecognizedCA\(3\),) h
3600 -35870 M
7072 -35870 M
(unrecognizedPrincipal\(4\),) h
3600 -37688 M
7072 -37688 M
(decodeRequestError\(5\),) h
23083 -37688 M
(\255\255invalid BER) h
3600 -39506 M
7072 -39506 M
(illegalRequest\(6\),) h
19440 -39506 M
(\255\255request not recognised) h
3600 -41324 M
7072 -41324 M
(objectDoesNotExist\(7\),) h
3600 -43142 M
7072 -43142 M
(illegalAttribute\(8\),) h
3600 -44960 M
7072 -44960 M
(notPrimaryCDC\(9\),) h
19440 -44960 M
(\255\255write requests not accepted) h
3600 -46778 M
7072 -46778 M
8511 -46778 M
15893 -46778 M
19440 -46778 M
(\255\255at this CDC replica) h
3600 -48596 M
7072 -48596 M
(authenticationFailure\(11\),) h
3600 -50414 M
7072 -50414 M
(incorrectPassword\(12\),) h
3600 -52232 M
7072 -52232 M
(objectAlreadyExists\(13\),) h
3600 -54050 M
7072 -54050 M
(objectWouldBeOrphan\(15\),) h
3600 -55868 M
7072 -55868 M
(objectIsPermanent\(16\),) h
3600 -57686 M
7072 -57686 M
(objectIsTentative\(17\),) h
-8503 8502 T
R

showpage
$P e

%%Page: 25 25
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(25) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
3600 -750 M
7072 -750 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(parentIsTentative\(18\),) h
3600 -2691 M
7072 -2691 M
(certificateNotFound\(19\),) h
3600 -4632 M
7072 -4632 M
(attributeNotFound\(20\),) h
3600 -6573 M
7072 -6573 M
(ioErrorOnCertifDatabase\(100\),) h
3600 -8514 M
7072 -8514 M
(databaseFull\(101\),) h
3600 -10455 M
7072 -10455 M
(serverInternalError\(102\),) h
3600 -12396 M
7072 -12396 M
(serverFatalError\(103\),) h
3600 -14337 M
7072 -14337 M
(insufficientResources\(104\)) h
3600 -16278 M
7072 -16278 M
(}) h
0 -20269 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1600 o f
(3 ) h
1417 -20269 M
(Services Provided) h
0 -22960 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
22.2 0 32 (This section specifies the services provided by DASS in
terms of abstract interfaces and a model implementation.  A) W
0 -24010 M
159.9 0 32 (particular implementation may support only a subset of
these services and may provide them through interfaces) W
0 -25060 M
95.2 0 32 (which combine functions and supply some parameters
implicitly. The specific calling interfaces are in some cases) W
0 -26110 M
47.1 0 32 (language and operating system specific.  An actual
implementation may choose, for example, to structure interfaces) W
0 -27160 M
88.6 0 32 (so that security contexts are established and then passed
implicitly in calls rather than explicitly including them in) W
0 -28210 M
28.3 0 32 (every call.  It might also bundle keys into opaque
structures to be used with supplied encryption and decryption rou\255) W
0 -29260 M
100.3 0 32 (tines in order to enhance security and modularity and
better comply with export regulations. Annex ) W
100.3 0 32 (B ) W
100.3 0 32 (describes a) W
0 -30310 M
91.4 0 32 (Portable API designed so that applications using a limited
subset of the capabilities of DASS can be easily ported) W
0 -31360 M
88.1 0 32 (between operating systems and between DASS and Kerberos
based environments.  The model implementation de\255) W
0 -32410 M
32.9 0 32 (scribes data structures which include cached values to
enhance performance.  Implementations may choose different) W
0 -33460 M
122.6 0 32 (contents or different caching strategies so long as the
same sequence of calls would produce the same output for) W
0 -34510 M
(some caching policy.) h
0 -36701 M
46.3 0 32 (DASS operates on four kinds of data structures:
Certificates, Credentials, Tokens, and Certification Authority State.) W
0 -37751 M
161.6 0 32 (Certificates and Tokens are passed between implementations
and thus their exact format must be architecturally) W
0 -38801 M
54.3 0 32 (specified. This detailed bit\255for\255bit specification is
in section ) W
54.3 0 32 (4) W
54.3 0 32 (. Credentials generally exist only within a single node) W
0 -39851 M
63.5 0 32 (and their format is therefore not specified here. The
contents of all of these data structures is listed below followed) W
0 -40901 M
(by the algorithms for manipulating them.) h
0 -43092 M
30.8 0 32 (There are three kinds of services provided by DASS:
Certificate Maintenance, Credential Maintenance, and Authen\255) W
0 -44142 M
78.9 0 32 (tication. The first two kinds exist only in support of the
third. Certificate maintenance functions maintain the data\255) W
0 -45192 M
25.5 0 32 (base of public keys in the naming service. These functions
tend to be fairly specialized and may not be supported on) W
0 -46242 M
56.5 0 32 (all platforms. Before authentication can take place, both
authenticating principals must have constructed credentials) W
0 -47292 M
26.6 0 32 (structures. These are built using the Credential Maintenance
calls. The Authentication functions use credential infor\255) W
0 -48342 M
58.1 0 32 (mation and certificates, produce and consume authentication
tokens and tell the two communicating parties one an\255) W
0 -49392 M
(other's names.) h
0 -51883 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.1 ) h
2126 -51883 M
(Certificate Contents) h
0 -54524 M
/Times-Roman-ISOLatin1 F 1000 o f
71.7 0 32 (For purposes of this architecture, a certificate is a data
structure posted in the naming service which proclaims that) W
0 -55574 M
111.9 0 32 (knowledge of the private key associated with a stated
public key authenticates a named principal. Certificates are) W
0 -56624 M
86.4 0 32 ("signed" by some authority, are readable by anyone, and can
be verified by anyone knowing the public key of the) W
0 -57674 M
(authority.) h
-8503 8502 T
R

showpage
$P e

%%Page: 26 26
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(26) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
11.1 0 32 (DASS organizes the CA trust hierarchy around the naming
hierarchy. There exists a trusted authority associated with) W
0 -1800 M
54.8 0 32 (each directory in the naming hierarchy. Generally, each
authority creates certificates stating the public keys of each) W
0 -2850 M
35.0 0 32 (of its children \(in the naming hierarchy\) and the public
key of its parent \(in the naming hierarchy\). In this way, any\255) W
0 -3900 M
8.9 0 32 (one knowing the public ) W
8.9 0 32 (key ) W
8.9 0 32 (of any authority can learn the public key of any other by
"walking the tree". In order that) W
0 -4950 M
77.1 0 32 (principals may authenticate even when all of their ancestor
directories do not participate in DASS, authorities may) W
0 -6000 M
67.4 0 32 (also create "cross\255certificates" which certify the public
key of a named entity which is not a descendent.  Rules for) W
0 -7050 M
117.5 0 32 (finding and following these cross\255certificates are
described in the Get_Pub_Keys routines.  Every principal is ex\255) W
0 -8100 M
53.5 0 32 (pected to know the public key of the CA of the directory in
which it is named. This must be securely learned when) W
0 -9150 M
104.6 0 32 (the principal is initialized and may be maintained in some
form of local storage or by having the principal sign a) W
0 -10200 M
(certificate listing the name and public key of its parent and posting
that certificate in the naming service.) h
0 -12380 M
33.8 0 32 (The syntax and content of DASS certificates are defined in
terms of X.509 \(Directory \255 Authentication Framework\). ) W
0 -13430 M
(While that standard prescribes a single syntax for certificates, DASS
considers certificates to be of one of six types:) h
709 -15610 M
/Symbol F 1000 o f
(-) h
2154 -15610 M
/Times-Roman-ISOLatin1 F 1000 o f
56.9 0 32 (Normal Principal certificates are signed by a CA and certify
the name and public key of a principal where the) W
2154 -16660 M
(name of the CA is a prefix of the name of the principal and is one
component shorter.) h
709 -18840 M
/Symbol F 1000 o f
(-) h
2154 -18840 M
/Times-Roman-ISOLatin1 F 1000 o f
99.5 0 32 (Trusted Authority certificates are signed by an ordinary
principal and certify the name and public key of the) W
2154 -19890 M
(principal's CA \(i.e. the CA whose name is a prefix of the principal's
name and is one component shorter\).) h
709 -22070 M
/Symbol F 1000 o f
(-) h
2154 -22070 M
/Times-Roman-ISOLatin1 F 1000 o f
88.8 0 32 (Child certificates are signed by a CA and certify the name
and public key of a CA of a descendent directory) W
2154 -23120 M
(\(i.e. where the name of the issuing CA is a prefix of the name of the
subject CA and is one component shorter\).) h
709 -25300 M
/Symbol F 1000 o f
(-) h
2154 -25300 M
/Times-Roman-ISOLatin1 F 1000 o f
14.5 0 32 (Parent certificates are signed by a CA and certify the name
and public key of the CA of its parent directory \(i.e.) W
2154 -26350 M
(whose name is a prefix of the name of the issuer and is one component shorter\).) h
709 -28530 M
/Symbol F 1000 o f
(-) h
2154 -28530 M
/Times-Roman-ISOLatin1 F 1000 o f
33.0 0 32 (Cross certificates are signed by a CA and certify the name
and public key of a CA of a directory where neither) W
2154 -29580 M
(name is a prefix of the other.) h
709 -31760 M
/Symbol F 1000 o f
(-) h
2154 -31760 M
/Times-Roman-ISOLatin1 F 1000 o f
51.7 0 32 (Self certificates are signed by a principal or a CA and the
issuer and subject name are the same.  They are not) W
2154 -32810 M
51.0 0 32 (used in this version of the architecture but are defined as
a convenient data structure in which in which imple\255) W
2154 -33860 M
58.4 0 32 (mentations may insecurely pass public keys and they may be
used in the future in certain key roll\255over proce\255) W
2154 -34910 M
(dures.) h
0 -37090 M
113.4 0 32 (It is intended that some future version of the architecture
relax the restrictions above where prefixes must be one) W
0 -38140 M
0.9 0 32 (component shorter.  Being able to handle ) W
0.9 0 32 (certifi) W
0.9 0 32 (cates) W
0.9 0 32 ( where prefixes are two or more components shorter ) W
0.9 0 32 (complicates) W
0 -39190 M
(the logic of treewalking somewhat and is not immediately necessary, so
such certificates are disallowed for now.) h
0 -41370 M
67.7 0 32 (The syntax of certificates is defined in section ) W
67.7 0 32 (4) W
67.7 0 32 (. For purposes of the algorithms which follow, the following is the) W
0 -42420 M
(portion of the content which is used \(names in brackets refer to the
field names in the ASN.1 encoded structure\):) h
709 -44600 M
/Symbol F 1000 o f
(-) h
2154 -44600 M
/Times-Roman-ISOLatin1 F 1000 o f
(UID of the issuer \(optional\)) h
709 -46780 M
/Symbol F 1000 o f
(-) h
2154 -46780 M
/Times-Roman-ISOLatin1 F 1000 o f
(Full name of the issuer \(the authority or principal signing\) [issuer]) h
709 -48960 M
/Symbol F 1000 o f
(-) h
2154 -48960 M
/Times-Roman-ISOLatin1 F 1000 o f
(UID of the subject \(optional\)) h
709 -51140 M
/Symbol F 1000 o f
(-) h
2154 -51140 M
/Times-Roman-ISOLatin1 F 1000 o f
(Full name of the subject \(the authority or principal whose key is
being certified\) [subject]) h
709 -53320 M
/Symbol F 1000 o f
(-) h
2154 -53320 M
/Times-Roman-ISOLatin1 F 1000 o f
(Public Key of the subject [subjectPublicKey]) h
709 -55500 M
/Symbol F 1000 o f
(-) h
2154 -55500 M
/Times-Roman-ISOLatin1 F 1000 o f
(Period of validity \(effective date and expiration date\) [valid]) h
709 -57680 M
/Symbol F 1000 o f
(-) h
2154 -57680 M
/Times-Roman-ISOLatin1 F 1000 o f
(Signature over the entire content of the certificate created using the
private key of the issuer.) h
-8503 8502 T
R

showpage
$P e

%%Page: 27 27
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(27) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
76.8 0 32 (When parsing a certificate, the reader compares the two name
fields to determine what type of certificate it is. For) W
0 -1800 M
17.1 0 32 (Parent and Trusted Authority certificates, the names are
ignored for purposes of all further processing. For Child and) W
0 -2850 M
16.7 0 32 (Normal Principal certificates, only the suffix by which the
child's name is longer than the parent's is used for further) W
0 -3900 M
19.5 0 32 (processing. The reason for this is so that if a branch of
the namespace is renamed, all of the certificates in the moved) W
0 -4950 M
61.1 0 32 (branch remain valid for purposes of DASS processing. The
only purposes of having full names in these certificates) W
0 -6000 M
4.1 0 32 (are \(1\) to comply with X.509, \(2\) for possible
interoperability with other architectures using different algorithms, and) W
0 -7050 M
4.8 0 32 (\(3\) to allow principals to securely store their own names
in trusted authority certificates in the case where they do not) W
0 -8100 M
(have enough local storage to keep it.) h
0 -10495 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(3.2 ) h
2126 -10495 M
(Encrypted Private Key Structure) h
0 -13040 M
/Times-Roman-ISOLatin1 F 1000 o f
45.1 0 32 (In order that humans need only remember a password rather
than a full set of credentials, and also to make installa\255) W
0 -14090 M
48.9 0 32 (tion of nodes and servers easier, there is a defined format
for encrypting RSA secrets under a password and posting) W
0 -15140 M
96.3 0 32 (in the naming service. This structure need only exist when
passwords are used to protect RSA secrets; for servers) W
0 -16190 M
(which keep their secrets in non\255volatile memory or users who carry
smart cards, they are unnecessary.) h
0 -18285 M
48.8 0 32 (This structure includes the RSA private/public key pair
encrypted under a DES key. The DES key is computed as a) W
0 -19335 M
4.3 0 32 (one\255way hash of the password.  This structure also
optionally includes the UID of the principal.  It is needed only if a) W
0 -20385 M
(single RSA key is shared by multiple principals \(with multiple UIDs\).) h
0 -22480 M
60.3 0 32 (Since this structure is posted in the name service and may
be used by multiple implementations, its format must be) W
0 -23530 M
(architecturally defined. The exact encoding is listed in section ) h
(4) h
(.) h
0 -25925 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.3 ) h
2126 -25925 M
(Authentication Tokens) h
0 -28470 M
/Times-Roman-ISOLatin1 F 1000 o f
30.1 0 32 (This section of the document defines the contents of the
authentication tokens which are produced and consumed by) W
0 -29520 M
34.6 0 32 (Create_token and Accept_token. With DASS, the token passed
from the client to the server is complex, with a large) W
0 -30570 M
57.5 0 32 (number of optional parts, while the token passed from server
to client \(in the case of mutual authentication only\) is) W
0 -31620 M
(small and simple.) h
0 -33715 M
64.3 0 32 (The authentication token potentially contains a large number
of parts, most of which are optional depending on the) W
0 -34765 M
44.5 0 32 (type of authentication. The following defines the content
and purpose of each of the parts, but does not describe the) W
0 -35815 M
(actual encoding \(in the belief that such details would be
distracting\). The encoding is in section ) h
(4) h
(.) h
0 -37910 M
44.8 0 32 (The authentication process begins when the initiator calls
Create_token with the name of the target. This routine re\255) W
0 -38960 M
99.2 0 32 (turns an authentication token, which is sent to the target.
The target calls Accept_token passing it the token. Both) W
0 -40010 M
94.1 0 32 (routines produce a second "mutual authentication token". The
target returns this to the initiator to prove that it re\255) W
0 -41060 M
(ceived the token.) h
0 -43305 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.3.1 ) h
2834 -43305 M
(Initial Authentication Token) h
0 -45500 M
/Times-Roman-ISOLatin1 F 1000 o f
46.9 0 32 (The components of the initial authentication token are
\(names in brackets refer to the field names within the ASN.1) W
0 -46550 M
(encoded structures defined in section 4\):) h
709 -48645 M
(a\)) h
2154 -48645 M
3.0 0 32 (Encrypted Shared Key \255 [authenticatingKey] \255 This is a
Shared \(DES\) key encrypted under the public key of the) W
2154 -49695 M
75.4 0 32 (target. Also included in the encrypted structure is a
validity interval and a recognizable pattern so that the re\255) W
2154 -50745 M
(ceiver can tell whether the decryption was successful.) h
709 -52840 M
(b\)) h
2154 -52840 M
23.1 0 32 (Login Ticket \255 [sourcePrincipal.userTicket] \255 This is
a "delegation certificate" signed by a principal's long term) W
2154 -53890 M
(private key delegating to a short term public key. Its "active
ingredients" are: ) h
2154 -55785 M
(1\)) h
3600 -55785 M
(UID of delegating principal [subjectUID]) h
2154 -57680 M
(2\)) h
3600 -57680 M
(Period of validity [validity]) h
-8503 8502 T
R

showpage
$P e

%%Page: 28 28
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(28) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(3\)) h
3600 -750 M
(Delegation public key [delegatingPublicKey]) h
2154 -2609 M
(4\)) h
3600 -2609 M
(Signature by private key of principal) h
3600 -3659 M
51.6 0 32 (The existence of this signature is testimony that the
private key corresponding to the delegation public key) W
3600 -4709 M
(speaks for the user during the validity interval.) h
3600 -5759 M
3600 -6809 M
79.9 0 32 (This data structure is optional and will be missing if the
authentication is only on behalf of a Local User\255) W
3600 -7859 M
(name on a node \(i.e. proxy\) rather than on behalf of a real
principal with a real key.) h
709 -9918 M
(c\)) h
2154 -9918 M
51.2 0 32 (Shared Key Ticket \255
[sourcePrincipal.sharedKeyTicketSignature] \255 This is a signature of
the Encrypted Shared) W
2154 -10968 M
92.7 0 32 (Key by the Delegation Public key in the Login Ticket.  The
existence of this signature is testimony that  the) W
2154 -12018 M
(DES key in the encrypted shared key speaks for the user.) h
2154 -14077 M
59.6 0 32 (This data structure is optional and will be missing if the
authentication is only on behalf of a Local Username) W
2154 -15127 M
36.1 0 32 (on a node \(i.e. proxy\) rather than on behalf of a real
principal with a real key. It will also be missing if delega\255) W
2154 -16177 M
(tion is taking place.) h
709 -18236 M
(d\)) h
2154 -18236 M
49.1 0 32 (Node Ticket \255 [sourceNode.nodeTicketSignature] \255 This
is a signature of the Encrypted Shared key and a "Lo\255) W
2154 -19286 M
50.2 0 32 (cal Username" on the host node by the node's private key. 
The existence of this signature is testimony by the) W
2154 -20336 M
(node that the DES key in the encrypted shared key speaks for the named
account on that node.) h
709 -22395 M
(e\)) h
2154 -22395 M
49.5 0 32 (Delegator \255 [sourcePrincipal.delegator] \255 This data
structure contains the private login key encrypted under the) W
2154 -23445 M
(Shared key. It is optional and is present only if the initiator is
delegating to the destination.) h
709 -25504 M
(f\)) h
2154 -25504 M
6.8 0 32 (Authenticator \255 [authenticatorData] \255 This data
structure contains a timestamp and a message digest of the chan\255) W
2154 -26554 M
(nel bindings signed by the Shared Key. It is always present.) h
709 -28613 M
(g\)) h
2154 -28613 M
7.8 0 32 (Principal name \255 [sourcePrincipal.userName] \255 This is
the name of the initiating principal. It is optional and will) W
2154 -29663 M
94.3 0 32 (be missing for strong proxy where bits on the wire are at a
premium and where the destination is capable of) W
2154 -30713 M
(independently constructing the name.) h
709 -32772 M
(h\)) h
2154 -32772 M
39.2 0 32 (Node name \255 [sourceNode.nodeName] \255 This is the name
of the initiating node. It is optional and will be miss\255) W
2154 -33822 M
33.0 0 32 (ing for strong proxy where bits on the wire are at a premium
and the name is present elsewhere in the message) W
2154 -34872 M
(being passed.) h
709 -36931 M
(i\)) h
2154 -36931 M
21.4 0 32 (Local Username \255 [sourceNode.username] \255 This is the
local user name on the initiating node. It is optional and) W
2154 -37981 M
67.3 0 32 (will be missing for strong proxy where bits on the wire are
at a premium and where the name is present else\255) W
2154 -39031 M
(where in the message being passed.) h
0 -41240 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.3.2 ) h
2834 -41240 M
(Mutual Authentication Token) h
0 -43399 M
/Times-Roman-ISOLatin1 F 1000 o f
46.8 0 32 (The authentication buffer sent from the target to the
initiator \(in the case of mutual authentication\) is much simpler.) W
0 -44449 M
18.1 0 32 (It contains only the timestamp taken from the authenticator
encrypted under the Shared Key.  It is ASN.1 encoded to) W
0 -45499 M
(allow for future extensions. ) h
0 -47858 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.4 ) h
2126 -47858 M
(Credentials) h
0 -50367 M
/Times-Roman-ISOLatin1 F 1000 o f
106.8 0 32 ( DASS organizes its internal state with Credentials
structures. There are many kinds of information which can be) W
0 -51417 M
76.7 0 32 (stored in credentials. Rather than making a different kind
of data structure for each kind of data, DASS provides a) W
0 -52467 M
(single credentials structure where most of its fields are optional.) h
0 -54526 M
87.9 0 32 (Operating systems must provide some mechanism for having
several processes share credentials. An example of a) W
0 -55576 M
18.5 0 32 (mechanism for doing this would be for credentials to be
stored in a file and the name of the file is used as a "handle") W
0 -56626 M
84.0 0 32 (by all processes which use those credentials. Some of the
calls which follow cause credentials structures to be up\255) W
0 -57676 M
86.8 0 32 (dated. It is important to the performance of a system that
updates to credentials \(such as occur during the routines) W
-8503 8502 T
R

showpage
$P e

%%Page: 29 29
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(29) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
84.5 0 32 (Verify_Principal_Name and Verify_Node_Name, where the caches
are updated\) be visible to all processes sharing) W
0 -1800 M
(those credentials.) h
0 -3863 M
20.4 0 32 (In many of the calls which follow, the credentials passed
may be labeled: claimant credentials, verifier credentials or) W
0 -4913 M
52.9 0 32 (some such. This indicates whose credentials are being passed
rather than a type of credentials. DASS supports only) W
0 -5963 M
104.4 0 32 (one type of credentials, though the fields present in the
credentials of one sort of principal may be quite different) W
0 -7013 M
(from those present in the credentials of another.) h
0 -9076 M
33.1 0 32 (An implementation may choose to support multiple kinds of
credentials structures each of which will support only a) W
0 -10126 M
33.8 0 32 (subset of the functions available if it is not implementing
the full architecture.  This would be the case, for example,) W
0 -11176 M
48.6 0 32 (if an implementation did not support the case where a server
both received requests from other principals and made) W
0 -12226 M
(requests on its own behalf using a single set of credentials.) h
0 -14289 M
39.5 0 32 (The following are a list of the fields that may be contained
in a credentials structure. They are grouped according to) W
0 -15339 M
(common usage.) h
0 -17552 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.1 ) h
2834 -17552 M
(Claimant information) h
0 -19715 M
/Times-Roman-ISOLatin1 F 1000 o f
(This is the information used when the holder of these credentials is
requesting something. It includes: ) h
709 -21778 M
(a\)) h
2154 -21778 M
(Full X.500 name of the principal) h
709 -23841 M
(b\)) h
2154 -23841 M
(Public Key of the principal) h
709 -25904 M
(c\)) h
2154 -25904 M
(Login Ticket \255 a login ticket contains:) h
2154 -27767 M
(1\)) h
3600 -27767 M
(the UID of the principal) h
2154 -29630 M
(2\)) h
3600 -29630 M
(a period of validity \(effective date & expiration date\)) h
2154 -31493 M
(3\)) h
3600 -31493 M
(a delegation public key) h
2154 -33356 M
(4\)) h
3600 -33356 M
(a signature of the ticket contents by the principal's long term key) h
709 -35419 M
(d\)) h
2154 -35419 M
(Delegati) h
(on ) h
(Private Key \(corresponding to the public key in ) h
(c) h
(3) h
(\)) h
709 -37482 M
(e\)) h
2154 -37482 M
19.8 0 32 (Encrypted Shared Key \(present only when credentials were
created by accept_token) W
19.8 0 32 (; this information is needed) W
2154 -38532 M
(to verify a node ticket after credentials are accepted\)) h
0 -40745 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.2 ) h
2834 -40745 M
(Verifier information) h
0 -42908 M
/Times-Roman-ISOLatin1 F 1000 o f
43.8 0 32 (This is the information needed by a server to decrypt
incoming requests. It is also used by generate_server_ticket to) W
0 -43958 M
(generate a login ticket. ) h
709 -46021 M
(a\)) h
2154 -46021 M
(RSA private key.) h
0 -48234 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.3 ) h
2834 -48234 M
(Trusted Authority) h
0 -50397 M
/Times-Roman-ISOLatin1 F 1000 o f
104.7 0 32 (This is information used to seed the walk of the CA
hierarchy to reliably find the public key\(s\) associated with a) W
0 -51447 M
79.7 0 32 (name.  Normally, the trusted authority in a set of
credentials will be the directory parent of the principal named in) W
0 -52497 M
62.0 0 32 (Claimant information.  In some circumstances, it may instead
be the directory parent of the node on which the cre\255) W
0 -53547 M
(dentials reside.) h
709 -55610 M
(a\)) h
2154 -55610 M
(Full X.500 name of a CA) h
709 -57673 M
(b\)) h
2154 -57673 M
(Corresponding RSA Public Key) h
-8503 8502 T
R

showpage
$P e

%%Page: 30 30
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(30) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(c\)) h
2154 -750 M
(Corresponding UID) h
0 -2989 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.4 ) h
2834 -2989 M
(Remote node authentication) h
0 -5178 M
/Times-Roman-ISOLatin1 F 1000 o f
66.7 0 32 (This information is present only for credentials generated
by "Accept_token". It includes information about any re\255) W
0 -6228 M
(mote node which vouched for the request.) h
709 -8317 M
(a\)) h
2154 -8317 M
(Full X.500 name of the node) h
709 -10406 M
(b\)) h
2154 -10406 M
(Local Username on the node) h
709 -12495 M
(c\)) h
2154 -12495 M
(Node ticket.) h
0 -14734 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.5 ) h
2834 -14734 M
(Local node credentials) h
0 -16923 M
/Times-Roman-ISOLatin1 F 1000 o f
21.7 0 32 (This information is added by Combine_credentials, and is
used by Create_token to add a node signature to outbound) W
0 -17973 M
(requests.) h
709 -20062 M
(a\)) h
2154 -20062 M
(Full X.500 name of the node) h
709 -22151 M
(b\)) h
2154 -22151 M
(Local Username on the node) h
709 -24240 M
(c\)) h
2154 -24240 M
(RSA private key of the node) h
0 -26479 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.6 ) h
2834 -26479 M
(Cached outgoing contexts) h
0 -28668 M
/Times-Roman-ISOLatin1 F 1000 o f
0.9 0 32 (There may be one \(or more\) such structures for each server
for which this principal has created authentication tokens.) W
0 -29718 M
34.6 0 32 (These represent a cache: they may be discarded at any time
with no effect except on performance. For each associa\255) W
0 -30768 M
(tion, the following information is kept: ) h
709 -32857 M
(a\)) h
2154 -32857 M
(Destination RSA Public Key \(index\)) h
709 -34946 M
(b\)) h
2154 -34946 M
(Encrypted Shared key) h
709 -37035 M
(c\)) h
2154 -37035 M
(Shared Key Ticket \(optional, included if there has been a
non\255delegating connection\)) h
709 -39124 M
(d\)) h
2154 -39124 M
(Node Ticket) h
709 -41213 M
(e\)) h
2154 -41213 M
(Delegator \(optional, included if there has been a delegating connection\)) h
709 -43302 M
(f\)) h
2154 -43302 M
(Validity interval) h
709 -45391 M
(g\)) h
2154 -45391 M
(Shared Key) h
0 -47630 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.7 ) h
2834 -47630 M
(Cached Incoming Contexts) h
0 -49819 M
/Times-Roman-ISOLatin1 F 1000 o f
41.0 0 32 (There may be one such structure for each client from which
this server has received an authentication token.) W
n 0.666 o f
0.0 448.0 m
41.0 0 32 (1) W
0 -448.0 m
n 1.502 o f
41.0 0 32 ( These) W
0 -50869 M
18.4 0 32 (represent a cache: they may be discarded at any time with no
effect except on performance. For each association, the) W
0 -51919 M
(following information is kept: ) h
709 -54008 M
(a\)) h
2154 -54008 M
(Encrypted Shared key \(index\)) h
709 -56097 M
(b\)) h
2154 -56097 M
(Shared Key) h
-8503 8502 T
R

S
8496 -66304 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(1) h
0 -358.0 m
976 -900 M
69.9 0 32 (An implementation may choose to keep one System\255wide
Cache \(and list of incoming timestamps\). While it is unlikely that
the same En\255) W
576 -1800 M
32.5 0 32 (crypted Shared Key will result from encryption of Shared
keys generated by different clients or for different servers, an
implementation must) W
576 -2600 M
65.9 0 32 (ensure that an entry made for one client/server can not be
reused by another client/server. Similarly an implementation may choose to keep) W
576 -3400 M
356.1 0 32 (separate caches for the Shared Key/Validity
Interval/Delegation Public Key, the Nodename/UID/key/username and the Principal) W
576 -4200 M
(name/UID/key.) h
-8496 66304 T
R

showpage
$P e

%%Page: 31 31
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(31) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(c\)) h
2154 -750 M
(Validity Interval) h
709 -2805 M
(d\)) h
2154 -2805 M
(Full X.500 name of Client Principal) h
709 -4860 M
(e\)) h
2154 -4860 M
(UID of Client Principal) h
709 -6915 M
(f\)) h
2154 -6915 M
(Public Key of Client Principal) h
709 -8970 M
(g\)) h
2154 -8970 M
(Name of Client Node) h
709 -11025 M
(h\)) h
2154 -11025 M
(UID of Client Node) h
709 -13080 M
(i\)) h
2154 -13080 M
(Public Key of Client Node) h
709 -15135 M
(j\)) h
2154 -15135 M
(Local Username on Client node) h
709 -17190 M
(k\)) h
2154 -17190 M
(Delegation Public key of Client Principal's Login Ticket) h
0 -19245 M
111.8 0 32 (The Name, UID and Public key of the Principal are all
entered together once the Login Ticket has been verified.) W
0 -20295 M
134.9 0 32 (Similarly the Node name, Node key and Username are entered
together once the Node Ticket has been verified.) W
0 -21345 M
(These pieces of information are only present if they have been verified.) h
0 -23550 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.4.8 ) h
2834 -23550 M
(Received Authenticators) h
0 -25705 M
/Times-Roman-ISOLatin1 F 1000 o f
57.5 0 32 (A record of all the authenticators received is kept. This is
used to detect replayed messages) W
n 0.666 o f
0.0 448.0 m
57.5 0 32 (2) W
0 -448.0 m
n 1.502 o f
57.5 0 32 (. The entries in this list) W
0 -26755 M
69.9 0 32 (may be deleted when the timestamp is old enough that they
would no longer be accepted. This list is kept separate) W
0 -27805 M
51.6 0 32 (from the Cached incoming context in order that the
information in the cached incoming context can be discarded at) W
0 -28855 M
57.6 0 32 (any time. An implementation could choose to save these
timestamps with the cached incoming context if it ensures) W
0 -29905 M
28.5 0 32 (that it can  never purge entries from the cache before the
timestamp has aged sufficiently. This list is accessed based) W
0 -30955 M
37.1 0 32 (on an extract from the signature from the Authenticator. The
extract must be at least 64 bits, to ensure that it is very) W
0 -32005 M
(unlikely that 2 authenticators will be received with matching signatures.) h
709 -34060 M
(a\)) h
2154 -34060 M
(Extract from Signature from Authenticator) h
709 -36115 M
(b\)) h
2154 -36115 M
(Timestamp) h
0 -38170 M
46.8 0 32 (If an implementation runs out of space to store additional
authenticators, it may either reject the token which would) W
0 -39220 M
32.4 0 32 (have overflowed the table or it may temporarily narrow the
allowed clock skew to allow it to free some of the space) W
0 -40270 M
106.5 0 32 (used to hold "old" authenticators.  The first strategy will
always falsely reject tokens; the second may cause false) W
0 -41320 M
(rejection of tokens if the allowed clock skew gets narrowed beyond the
actual clock skew in the network.) h
0 -43675 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.5 ) h
2126 -43675 M
(CA State) h
0 -46180 M
/Times-Roman-ISOLatin1 F 1000 o f
5.0 0 32 (The CA needs to maintain some internal state in order to
generate certificates. This internal state must be protected at) W
0 -47230 M
40.7 0 32 (all times, and great care must be taken to prevent its being
disclosed. A CA may choose to maintain additional state) W
0 -48280 M
29.6 0 32 (information in order to enhance security.  In particular, it
is the responsibility of the CA to assure that the same UID) W
0 -49330 M
82.6 0 32 (is not serially reused by two holders of a single name.  In
most cases, this can be done by creating the UID at the) W
0 -50380 M
35.3 0 32 (time the user is registered.  To securely permit users to
keep their UIDs when transferring from another CA, the CA) W
0 -51430 M
56.1 0 32 (must keep a record of any UIDs used by previous holders of
the name. Since actions of a CA are so security sensi\255) W
0 -52480 M
44.1 0 32 (tive, the CA should also maintain an audit trail of all
certificates signed so that a history can be reconstructed in the) W
0 -53530 M
46.9 0 32 (event of a compromise.  Finally, for the convenience of the
CA operator, the CA should record a list of the directo\255) W
0 -54580 M
30.6 0 32 (ries for which it is responsible and their UIDs so that
these need not be entered whenever the CA is to be used.  The) W
0 -55630 M
(state includes at least the following information:) h
709 -57685 M
/Symbol F 1000 o f
(-) h
2154 -57685 M
/Times-Roman-ISOLatin1 F 1000 o f
(Public Key of CA) h
-8503 8502 T
R

S
8496 -68704 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(2) h
0 -358.0 m
976 -900 M
39.3 0 32 (This list must be common to all targets that could accept
the same authenticator \(channel bindings will prevent other targets
from accepting) W
576 -1800 M
(the same authenticator\). This includes different `servers' sharing
the same key.) h
-8496 68704 T
R

showpage
$P e

%%Page: 32 32
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(32) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Symbol F 1000 o f
(-) h
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(Private Key of CA) h
709 -2819 M
/Symbol F 1000 o f
(-) h
2154 -2819 M
/Times-Roman-ISOLatin1 F 1000 o f
(Serial number of next certificate to be issued) h
0 -5188 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(3.6 ) h
2126 -5188 M
(Data types used in the routines) h
0 -7707 M
/Times-Roman-ISOLatin1 F 1000 o f
(There are several abstract data types used as parameters to the
routines described in this section. These are listed here) h
709 -9776 M
(a\)) h
2154 -9776 M
(Integer) h
709 -11845 M
(b\)) h
2154 -11845 M
(Name) h
2154 -12895 M
42.9 0 32 (Names unless otherwise noted are always X.500 names.  While
most of the design of DASS is naming service) W
2154 -13945 M
28.9 0 32 (independent, the syntax of certificates and tokens only
permits X.500 names to be used.  If DASS is to be used) W
2154 -14995 M
22.8 0 32 (in an environment where some other form of name is used,
those names must be translated into something syn\255) W
2154 -16045 M
110.7 0 32 (tactically compliant with X.500 using some mechanism which
is beyond the scope of this architecture.  The) W
2154 -17095 M
45.5 0 32 (only other form of name appearing in this architecture is a
"local user name", which corresponds to the simple) W
2154 -18145 M
(name of an "account" on a node.  As a type, such names appear in
parameter lists as "Strings".) h
709 -20214 M
(c\)) h
2154 -20214 M
(String) h
2154 -21264 M
(A String is a sequence of printable characters.) h
709 -23333 M
(d\)) h
2154 -23333 M
(Absolute Time) h
2154 -24383 M
57.8 0 32 (A UTC time. The precision of these Times is not stated. A
precision of the order of one second in all times is) W
2154 -25433 M
(sufficient.) h
709 -27502 M
(e\)) h
2154 -27502 M
(Time Interval) h
2154 -28552 M
(A Time interval is composed of 2 times. A Start Time and an End Time,
both of which are Absolute Times) h
709 -30621 M
(f\)) h
2154 -30621 M
(Timestamp) h
2154 -31671 M
8.5 0 32 (A Timestamp is a time in POSIX format. I.e. two 32 bit
Integers. The first representing seconds, and the second) W
2154 -32721 M
(representing nanoseconds.) h
709 -34790 M
(g\)) h
2154 -34790 M
(Duration) h
2154 -35840 M
(A Duration is the length of a time interval.) h
709 -37909 M
(h\)) h
2154 -37909 M
(Octet String) h
2154 -38959 M
(A sequence of bytes containing binary data) h
709 -41028 M
(i\)) h
2154 -41028 M
(Boolean) h
2154 -42078 M
(A value of either True or False) h
709 -44147 M
(j\)) h
2154 -44147 M
(UID) h
2154 -45197 M
(A UID is an bit string of 128 bits.) h
709 -47266 M
(k\)) h
2154 -47266 M
(OID) h
2154 -48316 M
(An OID is an ISO Object Identifier.) h
709 -50385 M
(l\)) h
2154 -50385 M
(Shared key) h
2154 -51435 M
(A Shared key is a DES key, a sequence of 8 bytes) h
709 -53504 M
(m\)) h
2154 -53504 M
(CA State) h
2154 -54554 M
(A structure of the form described in \247) h
(3.5) h
709 -56623 M
(n\)) h
2154 -56623 M
(Credentials) h
2154 -57673 M
(A structure of the form described in \247) h
(3.4) h
-8503 8502 T
R

showpage
$P e

%%Page: 33 33
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(33) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(o\)) h
2154 -750 M
(Certificate) h
2154 -1800 M
(An ASN.1 encoding of the structure described in \247) h
(3.1) h
709 -3946 M
(p\)) h
2154 -3946 M
(Authentication Token) h
2154 -4996 M
(An ASN.1 encoding of the structure described in \247) h
(3.3.1) h
709 -7142 M
(q\)) h
2154 -7142 M
(Mutual Authentication Token) h
2154 -8192 M
(An ASN.1 encoding of the structure described in \247) h
(3.3.2) h
709 -10338 M
(r\)) h
2154 -10338 M
(Encrypted Credentials) h
2154 -11388 M
(An ASN.1 encoding of  the  structure described in \247) h
(3.2) h
709 -13534 M
(s\)) h
2154 -13534 M
(Public key) h
2154 -14584 M
34.8 0 32 (A representation of an RSA Public key, including all the
information needed to encode the public key in a cer\255) W
2154 -15634 M
(tificate.) h
709 -17780 M
(t\)) h
2154 -17780 M
(Set of Public key/UID pairs) h
2154 -18830 M
26.2 0 32 (A set of Public key/UID pairs. This Data type is only used
internally in DASS \255 it does not appear in any inter\255) W
2154 -19880 M
(face used to other architectures.) h
0 -22326 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(3.7 ) h
2126 -22326 M
(Error conditions) h
0 -24922 M
/Times-Roman-ISOLatin1 F 1000 o f
92.7 0 32 (These routines can return the following error conditions) W
92.7 0 32 ( \(an implementation may indicate errors with more or less) W
0 -25972 M
(precision\):) h
709 -28118 M
(a\)) h
2154 -28118 M
(I) h
(ncomplete chain of trustworthy CAs) h
709 -30264 M
(b\)) h
2154 -30264 M
(Target has no keys which can be trusted.) h
709 -32410 M
(c\)) h
2154 -32410 M
(Invalid Authentication Token) h
709 -34556 M
(d\)) h
2154 -34556 M
(Login Ticket Expired) h
709 -36702 M
(e\)) h
2154 -36702 M
(Invalid Password) h
709 -38848 M
(f\)) h
2154 -38848 M
(Invalid Credentials) h
709 -40994 M
(g\)) h
2154 -40994 M
(Invalid Authenticator) h
709 -43140 M
(h\)) h
2154 -43140 M
(Duplicate Authenticator) h
0 -45586 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.8 ) h
2126 -45586 M
(Certificate Maintenance Functions) h
0 -48182 M
/Times-Roman-ISOLatin1 F 1000 o f
53.2 0 32 (Authentication services depend on a set of data structures
maintained in the naming service. There are two kinds of) W
0 -49232 M
12.6 0 32 (information: Certificates, which associate names and public
keys and are signed by off\255line Certification Authorities;) W
0 -50282 M
60.4 0 32 (and Encrypted Credentials, which contain RSA Private Keys
and certain context information encrypted under pass\255) W
0 -51332 M
54.6 0 32 (words. Encrypted Credentials are only necessary in
environments where passwords are used. Credentials may alter\255) W
0 -52382 M
(natively be stored in some other secure manner \(for example on a smart card\).) h
0 -54528 M
39.3 0 32 (The certificate maintenance services are designed so that
the most sensitive \255 the actual signing of certificates \255 may) W
0 -55578 M
23.0 0 32 (be done by an off\255line authority.  Once signed,
certificates must be posted in the naming service to be believed.  The) W
0 -56628 M
14.8 0 32 (precise mechanisms for moving certificates between
off\255line CAs and the on\255line naming service are implementation) W
0 -57678 M
65.7 0 32 (dependent.  For the off\255line mechanisms to provide any
actual security, the CAs must be told what to sign in some) W
-8503 8502 T
R

showpage
$P e

%%Page: 34 34
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(34) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
39.9 0 32 (reliable manner.  The mechanisms for doing this are
implementation dependent.  The abstract interface says that the) W
0 -1800 M
(CA is given all of the information that goes into a certificate and it
produces the signed certificate.) h
0 -3850 M
5.4 0 32 (There are requirements surrounding the auditing of a CA's
actions. The details of what actions are audited, where the) W
0 -4900 M
57.4 0 32 (audit trail is maintained, and what utilities exist to
search that audit trail ) W
57.4 0 32 (are not specified here.) W
57.4 0 32 ( The functions a CA) W
0 -5950 M
(must provide are:) h
0 -8150 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.8.1 ) h
2834 -8150 M
(Install CA) h
0 -10300 M
/Times-Roman-ISOLatin1 F 1000 o f
(Install_CA\() h
0 -11400 M
(                                                 \255\255inputs) h
0 -12500 M
14256 -12500 M
(keysize) h
30212 -12500 M
(Integer,) h
0 -13600 M
(                                                 \255\255outputs) h
0 -14700 M
14256 -14700 M
(CA_state) h
30212 -14700 M
(CA State,) h
0 -15800 M
14256 -15800 M
(CA_Public_Key) h
30212 -15800 M
(Public Key\)) h
0 -16900 M
10.8 0 32 (This routine need only generate a public/private key pair of
the requested size. Keysize is likely to be in implementa\255) W
0 -17950 M
29.4 0 32 (tion constant rather than a parameter.  The value is likely
to be either 512 or 640.  Key sizes throughout will have to) W
0 -19000 M
54.7 0 32 (increase over time as factoring technology and CPU speeds
improve.  Both keys are stored as part of the CA_state;) W
0 -20050 M
52.0 0 32 (the public key is returned so that other CAs may
cross\255certify this one. The `Next Serial number' in the CA state is) W
0 -21100 M
(set to 1.) h
0 -23300 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.8.2 ) h
2834 -23300 M
(Create Certificate) h
0 -25450 M
/Times-Roman-ISOLatin1 F 1000 o f
(Create_certificate\() h
0 -26550 M
(                                                 \255\255inputs) h
0 -27650 M
14256 -27650 M
(Renewal) h
30212 -27650 M
(Boolean,) h
0 -28750 M
14256 -28750 M
(Include_UID) h
30212 -28750 M
(Boolean,) h
0 -29850 M
14256 -29850 M
(Issuer_name) h
30212 -29850 M
(Name,) h
0 -30950 M
14256 -30950 M
(Issuer_UID) h
30212 -30950 M
(UID,) h
0 -32050 M
14256 -32050 M
(Effective_date) h
30212 -32050 M
(Absolute Time,) h
0 -33150 M
14256 -33150 M
(Expiration_date) h
30212 -33150 M
(Absolute Time,) h
0 -34250 M
14256 -34250 M
(Subject_name) h
30212 -34250 M
(Name,) h
0 -35350 M
14256 -35350 M
(Subject_UID) h
30212 -35350 M
(UID,) h
0 -36450 M
14256 -36450 M
(Subject_public_key) h
30212 -36450 M
(Public Key,) h
0 -37550 M
(                                                 \255\255updated) h
0 -38650 M
14256 -38650 M
(CA_state) h
30212 -38650 M
(CA State,) h
0 -39750 M
(                                                 \255\255outputs) h
0 -40850 M
14256 -40850 M
(Certificate) h
30212 -40850 M
(Certificate\)) h
0 -41950 M
0.8 0 32 (This procedure creates and signs a certificate.  Note that
the various contents of the certificate must be communicated) W
0 -43000 M
115.7 0 32 (to the CA in some reliable fashion.  The Issuer_name and
UID are the name and UID of the directory on whose) W
0 -44050 M
(behalf the certificate is being signed.) h
0 -46100 M
63.5 0 32 (This routine formats and signs a certificate with the
private key in CA_state. It audits the creation of the certificate) W
0 -47150 M
39.5 0 32 (and updates the sequence number which is part of CA_state.
The Issuer and Subject names are X.500 names.  If the) W
0 -48200 M
4.4 0 32 (CA state includes a history of what UIDs have previously been
used by what names, this call will only succeed ) W
4.4 0 32 (in the) W
0 -49250 M
45.5 0 32 (collision case ) W
45.5 0 32 (if the Renewal boolean is set true.  If the Include_UID
boolean is set true, this routine will generate a) W
0 -50300 M
(1992 format X.509 certificate; otherwise it will generate a 1988
format X.509 certificate.) h
-8503 8502 T
R

showpage
$P e

%%Page: 35 35
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(35) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.8.3 ) h
2834 -900 M
(Create Principal) h
0 -3529 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(Create_principal\() h
0 -4629 M
(                                                 \255\255inputs) h
0 -5729 M
14256 -5729 M
(Password) h
30212 -5729 M
(String,) h
0 -6829 M
14256 -6829 M
(keysize) h
30212 -6829 M
(Integer,) h
0 -7929 M
14256 -7929 M
(Principal_name) h
30212 -7929 M
(Name,) h
0 -9029 M
14256 -9029 M
(Principal_UID) h
30212 -9029 M
(UID,) h
0 -10129 M
14256 -10129 M
(Parent_Public_key) h
30212 -10129 M
(Public Key,) h
0 -11229 M
14256 -11229 M
(Parent_UID) h
30212 -11229 M
(UID,) h
0 -12329 M
(                                                 \255\255outputs) h
0 -13429 M
14256 -13429 M
(Encrypted_Credentials) h
30212 -13429 M
(Encrypted Credentials,) h
0 -14529 M
14256 -14529 M
(Trusted_authority_certificate) h
30212 -14529 M
(Certificate\)) h
0 -16108 M
12.3 0 32 (This procedure creates a new principal by generating a new
public/private key pair, encrypting the public and private) W
0 -17158 M
119.4 0 32 (keys under the password, and signing a trusted authority
certificate for the parent CA.  In an implementation not) W
0 -18208 M
17.6 0 32 (using passwords \(e.g. smart cards\), an alternative
mechanism must be used for initially creating principals.  If a prin\255) W
0 -19258 M
5.6 0 32 (cipal has protected storage for trusted authority
information, it is not necessary to create a trusted authority certificate) W
0 -20308 M
58.8 0 32 (and store it in the naming service.  Some procedure
analogous to this one must be executed, however, in which the) W
0 -21358 M
(principal learns the public key and UID of its CA and its own name. ) h
0 -23887 M
(This routine creates two output structures with the following steps:) h
709 -26416 M
(a\)) h
2154 -26416 M
29.2 0 32 (Generate a public/private key pair using the indicated
keysize. An implementation will likely fix the keysize as) W
2154 -27466 M
124.7 0 32 (an implementation constant, most likely 512 or 640 bits,
rather than accepting it as a parameter.  Key sizes) W
2154 -28516 M
(generally will have to increase over time as factoring technology and
CPU speeds improve.) h
709 -31045 M
(b\)) h
2154 -31045 M
90.4 0 32 (Form the encrypted credentials by using the public key,
private key, and Principal_UID and encrypting them) W
2154 -32095 M
(using a hash of the password as the key.) h
709 -34624 M
(c\)) h
2154 -34624 M
91.3 0 32 (Generate a trusted authority certificate \(which is
identical in format to a "parent" certificate\) getting fields as) W
2154 -35674 M
(follows:) h
2154 -38003 M
(1\)) h
3600 -38003 M
(Certificate version is X.509 1992.) h
2154 -40332 M
(2\)) h
3600 -40332 M
(Issuer name is the Principal name \(which is an X.500 name\).) h
2154 -42661 M
(3\)) h
3600 -42661 M
(Issuer UID is the Principal UID.) h
2154 -44990 M
(4\)) h
3600 -44990 M
(Validity is for all time.) h
2154 -47319 M
(5\)) h
3600 -47319 M
44.7 0 32 (Subject name is constructed from the Principal name by
removing the last simple name from the hierarchi\255) W
3600 -48369 M
(cal name.) h
2154 -50698 M
(6\)) h
3600 -50698 M
(Subject UID is the CA_UID.) h
2154 -53027 M
(7\)) h
3600 -53027 M
(Subject Public Key is the CA_Public_Key) h
2154 -55356 M
(8\)) h
3600 -55356 M
(Sequence number is 1.) h
2154 -57685 M
(9\)) h
3600 -57685 M
(Sign the certificate with the newly generated private key of the principal.) h
-8503 8502 T
R

showpage
$P e

%%Page: 36 36
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(36) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.8.4 ) h
2834 -900 M
(Change Password) h
0 -3092 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(Change_password\() h
0 -4192 M
(                                                 \255\255inputs) h
0 -5292 M
14256 -5292 M
(Encrypted_credentials) h
30212 -5292 M
(Encrypted Credentials,) h
0 -6392 M
14256 -6392 M
(Old_password) h
30212 -6392 M
(String,) h
0 -7492 M
14256 -7492 M
(New_password) h
30212 -7492 M
(String,) h
0 -8592 M
(                                                 \255\255outputs) h
0 -9692 M
14256 -9692 M
(Encrypted_credentials) h
30212 -9692 M
(Encrypted Credentials\)) h
0 -10834 M
68.7 0 32 (If credentials are stored encrypted under a password, it is
possible to change the password if the old one is known. ) W
0 -11884 M
22.7 0 32 (Note that it is insufficient to just change a user's
password if the password has been disclosed.  Anyone knowing the) W
0 -12934 M
15.5 0 32 (old password may have already learned the user's private
key.  If a password has been disclosed, the secure recovery) W
0 -13984 M
(procedure is to call create_principal again followed by
create_certificate to certify the new key.) h
0 -16076 M
53.1 0 32 (Using DASS, it may not be appropriate for users to
periodically change their passwords as a precaution unless they) W
0 -17126 M
51.9 0 32 (also change their private keys by the procedure above.  The
only likely use of the change_password procedure is to) W
0 -18176 M
8.6 0 32 (handle the case where an administrator has chosen a password
for the user in the course of setting up the account and) W
0 -19226 M
61.7 0 32 (the user wishes to change it to something the user can
remember.  A future version of the architecture may smooth) W
0 -20276 M
0.2 0 32 (key roll\255over by having the change_password command also
generate a new key and sign a "self" certificate in which) W
0 -21326 M
113.0 0 32 (the old key certifies the new one.  As a separate step, a
CA which notices a self certificate posted in the naming) W
0 -22376 M
23.0 0 32 (service could certify the new key instead of the old one
when the user's certificate is renewed.  While this procedure) W
0 -23426 M
49.6 0 32 (is not as rapid or as reliable as having the user directly
interact with the CA, it offers a reasonable tradeoff between) W
0 -24476 M
(security and convenience when there is no evidence of password compromise.) h
0 -26568 M
102.5 0 32 (This routine simply decrypts the encrypted credentials
structure supplied using the password supplied. It returns a) W
0 -27618 M
8.4 0 32 (bad status if the ) W
8.4 0 32 (format of the decrypted information is bad ) W
8.4 0 32 (\(indicating an incorrect password\). Otherwise, it creates a) W
0 -28668 M
12.2 0 32 (new encrypted credentials structure by encrypting the same
data with the new password. It would be highly desirable) W
0 -29718 M
92.1 0 32 (for the user interface to this function to provide the
capability to randomly generate passwords and prohibit easily) W
0 -30768 M
42.4 0 32 (guessed user chosen passwords using length, character set,
and dictionary lookup rules, but such capabilities are be\255) W
0 -31818 M
(yond the scope of this document.) h
0 -33910 M
38.3 0 32 (If encrypted credentials are stored in some local secure
storage, the above function is all that is necessary \(in fact, if) W
0 -34960 M
151.2 0 32 (the storage is sufficiently secure, no password is needed;
credentials could be stored unenciphered\).  If they are) W
0 -36010 M
6.8 0 32 (stored in a naming service, this function must be coupled
with one which retrieves the old encrypted credentials from) W
0 -37060 M
72.8 0 32 (the naming service and stores the new.  The full protocol is
likely to include access control checks that require the) W
0 -38110 M
19.9 0 32 (principal to acquire credentials and produce tokens.  For
best security, the encrypted credentials should be accessible) W
0 -39160 M
52.4 0 32 (only through a login agent.  The role of the login agent is
to audit and limit the rate of password guessing.  If pass\255) W
0 -40210 M
5.7 0 32 (words are well chosen, there is no significant threat from
password guessing because searching the space is computa\255) W
0 -41260 M
14.4 0 32 (tionally infeasible.  In the context of a login agent,
change password will be implemented with a specialized protocol) W
0 -42310 M
122.6 0 32 (requiring knowledge of the password and \(for best
security\) a trusted authority from which the public key of the) W
0 -43360 M
(login agent can be learned.  See section 2.3.2 for the plans for ) h
(the non\255X.500 credential storage facility.) h
0 -45602 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.8.5 ) h
2834 -45602 M
(Change Name) h
0 -47794 M
/Times-Roman-ISOLatin1 F 1000 o f
(Change_name\() h
0 -48894 M
(                                                 \255\255inputs) h
0 -49994 M
14256 -49994 M
(Claimant_Credentials) h
30212 -49994 M
(Credentials,) h
0 -51094 M
14256 -51094 M
(New_name) h
30212 -51094 M
(Name,) h
0 -52194 M
14256 -52194 M
(CA_Public_Key) h
30212 -52194 M
(Public Key,) h
0 -53294 M
14256 -53294 M
(CA_UID) h
30212 -53294 M
(UID,) h
0 -54394 M
(                                                 \255\255outputs) h
0 -55494 M
14256 -55494 M
(Trusted_Authority_Certificate) h
30212 -55494 M
(Certificate\)) h
0 -56636 M
116.4 0 32 (DASS permits a principal to have many current aliases, but
only one current name.  A principal can authenticate) W
0 -57686 M
37.9 0 32 (itself as any of its aliases but verifies the names of
others relative to the name by which it knows itself.  Aliases can) W
-8503 8502 T
R

showpage
$P e

%%Page: 37 37
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(37) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
91.5 0 32 (be created simply by using the create_certificate function
once for each alias.  To change the name of a principal,) W
0 -1800 M
154.9 0 32 (however, requires that the principal securely learn the
public key and UID of its new parent CA.  As with cre\255) W
0 -2850 M
11.6 0 32 (ate_principal, if a principal has secure private storage for
its trusted authority information, it need not create a certifi\255) W
0 -3900 M
(cate, but some analogous procedure must be able to install new naming
information.) h
0 -6099 M
(This routine produces a new Trusted Authority Certificate with
contents as follows:) h
709 -8298 M
(a\)) h
2154 -8298 M
(Issuer name is New_name \(an X.500 name\)) h
709 -10497 M
(b\)) h
2154 -10497 M
(Issuer_UID is Principal UID from Credentials.) h
709 -12696 M
(c\)) h
2154 -12696 M
(Validity is for all time.) h
709 -14895 M
(d\)) h
2154 -14895 M
159.4 0 32 (Subject name is constructed from the Issuer name by
removing the last simple name from the hierarchical) W
2154 -15945 M
(name, and converting to an X.500 name.) h
709 -18144 M
(e\)) h
2154 -18144 M
(Subject UID is CA_UID) h
709 -20343 M
(f\)) h
2154 -20343 M
(Subject Public Key is CA_Public_Key) h
709 -22542 M
(g\)) h
2154 -22542 M
(Sequence number is 1.) h
709 -24741 M
(h\)) h
2154 -24741 M
55.3 0 32 (The certificate is signed with the private key of the
principal from the credentials. Note that this call will only) W
2154 -25791 M
5.8 0 32 (succeed if the principal's private key is in the credentials,
which will only be true if the credentials were created) W
2154 -26841 M
(by calling Create_server_credentials.) h
0 -29340 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(3.9 ) h
2126 -29340 M
(Credential Maintenance Functions) h
0 -31989 M
/Times-Roman-ISOLatin1 F 1000 o f
94.9 0 32 (DASS credentials can potentially have information about two
principals.  This functionality is included to support) W
0 -33039 M
82.7 0 32 (the case where a user on a node has two identities that
might be recognized for purposes of managing access con\255) W
0 -34089 M
70.1 0 32 (trols.  First, there is the user's network identity; second,
there is an identity as controlling a particular "account" or) W
0 -35139 M
43.3 0 32 ("username" on that node.  There are two reasons for
recognizing this second identity: first, access controls might be) W
0 -36189 M
124.9 0 32 (specified such that only a user is only permitted access to
certain resources when coming through certain trusted) W
0 -37239 M
40.2 0 32 (nodes \(e.g. files that can't be accessed from a terminal at
home\); and second, before the transition strategy to global) W
0 -38289 M
152.9 0 32 (identities is complete, as a way to refer to ) W
152.9 0 32 (U) W
152.9 0 32 (SER) W
152.9 0 32 (@NODE) W
152.9 0 32 ( in a way analogous to existing mechanisms but with) W
0 -39339 M
(greater security.) h
0 -41538 M
69.2 0 32 (The mapping of global usernames to local user names on a
node is outside the scope of DASS.  This is done via a) W
0 -42588 M
67.8 0 32 ("proxy database" or some analogous local mechanism.  What
DASS provides are mechanisms for adding node ori\255) W
0 -43638 M
24.6 0 32 (ented credentials into a user's credentials structure,
carrying the dual authentication information in authentication to\255) W
0 -44688 M
(kens, and extracting the information from the credentials structure
created by Accept_token.) h
0 -46887 M
53.1 0 32 (Some applications of DASS will not make use of the node
authentication related extensions.  In that case, they will) W
0 -47937 M
(never use the Combine_credentials, Create_credentials, Get_node_info,
or Verify_node_name functions.) h
0 -50136 M
(The "normal" sequence of events surrounding a user logging into a node
are as follows:) h
709 -52335 M
(a\)) h
2154 -52335 M
82.0 0 32 (When the user logs in, he types either a local user ID known
to the node or a global name \(the details of the) W
2154 -53385 M
72.7 0 32 (user interface are implementation specific\).  Through some
sort of local mapping, the node determines both a) W
2154 -54435 M
(global name and a local account name.  The user also enters a password
corresponding to the global name.) h
709 -56634 M
(b\)) h
2154 -56634 M
55.3 0 32 (The node calls network_login specifying the user's global
name and the supplied password.  The result is cre\255) W
2154 -57684 M
(dentials which can be used to access network services but which have
not yet been verified to be valid.) h
-8503 8502 T
R

showpage
$P e

%%Page: 38 38
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(38) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(c\)) h
2154 -750 M
64.6 0 32 (The node calls verify_principal_name using its own
credentials to verify the authenticity of the user's creden\255) W
2154 -1800 M
116.3 0 32 (tials \(these ) W
116.3 0 32 (node crede) W
116.3 0 32 (ntials must have previously been established by a call to
initialize_server during node) W
2154 -2850 M
(initialization\).) h
709 -4942 M
(d\)) h
2154 -4942 M
(If that test succeeds, the node adds its credentials to those of the
user by calling combine_credentials.) h
0 -7034 M
(The set of facilities for manipulating credentials follow:) h
0 -9276 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.1 ) h
2834 -9276 M
(Network login) h
0 -11468 M
/Times-Roman-ISOLatin1 F 1000 o f
(Network_login\() h
0 -12568 M
(                                                 \255\255inputs) h
0 -13668 M
14256 -13668 M
(Name) h
30212 -13668 M
(Name,) h
0 -14768 M
14256 -14768 M
(password) h
30212 -14768 M
(String,) h
0 -15868 M
14256 -15868 M
(keysize) h
30212 -15868 M
(Integer,) h
0 -16968 M
14256 -16968 M
(expiration) h
30212 -16968 M
(Time interval,) h
0 -18068 M
14256 -18068 M
(TA_credentials) h
30212 -18068 M
(Credentials,         \255\255optional) h
0 -19168 M
(                                                 \255\255outputs) h
0 -20268 M
14256 -20268 M
(Claimant_credentials) h
30212 -20268 M
(Credentials\)) h
0 -21410 M
(This function creates credentials for a principal when the principal
"logs into the network".) h
0 -23502 M
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
(Name) h
/Times-Roman-ISOLatin1 F 1000 o f
( is the X.500 name of the principal.) h
0 -25594 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
(Password) h
/Times-Roman-ISOLatin1 F 1000 o f
( is a secret which authenticates the principal to the network.) h
0 -27686 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
17.5 0 32 (Keysize ) W
/Times-Roman-ISOLatin1 F 1000 o f
17.5 0 32 (specifies the size of the temporary "login" or "delegation"
key.  In a real implementation, it is expected to be) W
0 -28736 M
(an implementation constant \(most likely 384 or 512 bits\).) h
0 -30828 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
29.5 0 32 (Expiration) W
/Times-Roman-ISOLatin1 F 1000 o f
29.5 0 32 ( sets a lifetime for the credentials created.  For a normal
login, this is likely to be an implementation con\255) W
0 -31878 M
22.9 0 32 (stant on the order of 8\255) W
22.9 0 32 (72 ) W
22.9 0 32 (hours.  Some mechanism for overriding it must be provided to
make it possible \(for exam\255) W
0 -32928 M
(ple\) to submit ) h
(a ) h
(background job) h
( ) h
(that might run days or even months after ) h
(they are ) h
(submitted.) h
0 -35020 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
14.6 0 32 (TA_credentials ) W
/Times-Roman-ISOLatin1 F 1000 o f
14.6 0 32 (are used if the encrypted credentials are protected by a
login agent. If they are missing, the password) W
0 -36070 M
(will be less well protected from guessing attacks.) h
0 -38162 M
87.1 0 32 (This routine does not \(as one might expect\) securely
authenticate the principal to the calling procedure.  Since the) W
0 -39212 M
51.5 0 32 (password is used to obtain the principal's private key, this
call will normally fail if the principal supplies an invalid) W
0 -40262 M
46.0 0 32 (password.  A penetrator who has compromised the naming
service could plant fake encrypted credentials under any) W
0 -41312 M
20.5 0 32 (name and impersonate that name as far as this call is
concerned. A caller that wishes to authenticate the user in addi\255) W
0 -42362 M
5.2 0 32 (tion to obtaining credentials to be able to act on the user's
behalf should call Verify_principal_name \(below\) with the) W
0 -43412 M
(created credentials and the credentials of the calling process.) h
0 -45504 M
12.8 0 32 (This routine constructs a credentials structure from
information found in the naming service encrypted using the sup\255) W
0 -46554 M
(plied password.) h
709 -48646 M
(a\)) h
2154 -48646 M
(If the encrypted credentials structure is protected with a login
agent, retrieve the public key of the login agent:) h
2154 -50538 M
(1\)) h
3600 -50538 M
26.0 0 32 (If TA_credentials are available, use them in a call to
Get_Pub_Keys to get the public key of the login agent) W
3600 -51588 M
42.1 0 32 (\(whose name is derived from the name of the principal) W
42.1 0 32 ( by truncating the last element of the RDN and add\255) W
3600 -52638 M
(ing CSS=X509\)) h
(.) h
2154 -54530 M
(2\)) h
3600 -54530 M
(If TA_credentials are not available, look up the public key of the
login agent in the naming service.) h
2154 -56622 M
45.4 0 32 (L) W
45.4 0 32 (ogin agents limit and audit password guesses, and are
important when passwords may not be well chosen \(as) W
2154 -57672 M
96.2 0 32 (when users are allowed to choose their own\).  To fully
prevent the password guessing threat, principals may) W
-8503 8502 T
R

showpage
$P e

%%Page: 39 39
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(39) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
93.9 0 32 (only log onto nodes that already have TA_credentials which
can be used to authenticate the login agent.  To) W
2154 -1800 M
19.2 0 32 (support nodes which have no credentials of their own and to
allow this procedure to support node initialization,) W
2154 -2850 M
(it is possible to network login without TA credentials.) h
2154 -4918 M
41.3 0 32 (A principal who logs into a node ) W
41.3 0 32 (that lacks TA ) W
41.3 0 32 (credentials is subject to the following subtle security threat:  A) W
2154 -5968 M
2.8 0 32 (penetrator who impersonates the naming service could post his
own public key and address as those of the login) W
2154 -7018 M
29.1 0 32 (agent.  This procedure would then in the process of logging
in reveal the the penetrator enough information for) W
2154 -8068 M
(the penetrator to mount an unaudited password guessing attack against
the principal's credentials.) h
709 -10136 M
(b\)) h
2154 -10136 M
74.4 0 32 (Retrieve the encrypted credentials from the naming service
or login agent.  In the case of the login agent, the) W
2154 -11186 M
2.9 0 32 (password is one\255way hashed to produce proof of knowledge
of the password and the hashed value is supplied to) W
2154 -12236 M
(the login agent encrypted under its public key as part of the request.) h
709 -14304 M
(c\)) h
2154 -14304 M
55.4 0 32 (Decrypt the encrypted credentials structure using a the
supplied password. Verify that the decryption was suc\255) W
2154 -15354 M
317.5 0 32 (cessful by verifying that the resulting structure can be
parsed according the the ASN.1 rules for En\255) W
2154 -16404 M
46.5 0 32 (crypted_Credentials and that the two included primes when
multiplied together produce the included modulus) W
46.5 0 32 (.) W
2154 -17454 M
62.8 0 32 (If the decryption was unsuccessful then the routine returns
the `Invalid password' error status. The decryption) W
2154 -18504 M
(results in both the Private Key and the Public Key.) h
709 -20572 M
(d\)) h
2154 -20572 M
49.2 0 32 (Generate a public/private key pair for the Delegation Key,
using the indicated keysize. Key size is likely to be) W
2154 -21622 M
76.4 0 32 (an implementation constant rather than a supplied parameter,
with likely values being 384 and 512 bits.  Key) W
2154 -22672 M
77.9 0 32 (sizes generally will have to increase over time as factoring
technology and CPU speeds improve.  Delegation) W
2154 -23722 M
12.1 0 32 (keys can be relatively shorter than long term keys because
DASS is designed so that compromise of the delega\255) W
2154 -24772 M
55.3 0 32 (tion key after it has expired does not result in a security
compromise.  An important advantage of making key) W
2154 -25822 M
78.2 0 32 (size an implementation constant is that nodes can generate
key pairs in advance, thus speeding up this proce\255) W
2154 -26872 M
(dure.  Key generation is the most CPU intensive RSA procedure and
could make login annoyingly slow.) h
709 -28940 M
(e\)) h
2154 -28940 M
43.5 0 32 (Construct a Login Ticket by signing with the user's private
key a combination of the public key, a validity pe\255) W
2154 -29990 M
37.8 0 32 (riod constructed from the current time and the expiration
passed in the call, and the principal UID found in the) W
2154 -31040 M
(encrypted\255key structure.) h
709 -33108 M
(f\)) h
2154 -33108 M
(Forget the user's private key.) h
709 -35176 M
(g\)) h
2154 -35176 M
8.5 0 32 (Retrieve from the naming service any trusted authority
certificates stored with the user's entry. Discard any that) W
2154 -36226 M
15.0 0 32 (are not signed by the user's public key and UID.  An
implementation in which the login node has credentials of) W
2154 -37276 M
16.2 0 32 (its own may choose its trusted authority information instead
of retrieving and verifying trusted authority certifi\255) W
2154 -38326 M
(cates from the naming service.  This will have a subtle effect on the
security of the resulting system) h
(.) h
709 -40394 M
(h\)) h
2154 -40394 M
(Construct a credentials structure from:) h
2154 -42262 M
(1\)) h
3600 -42262 M
(Claimant credentials:) h
3600 -43930 M
(\(i\)) h
5669 -43930 M
(Name of the principal from calling parameter) h
3600 -45598 M
(\(ii\)) h
5669 -45598 M
(Login Ticket as constructed in \() h
(e) h
(\)) h
3600 -47266 M
(\(iii\)) h
5669 -47266 M
(Delegation Private key as constructed in \() h
(d) h
(\)) h
3600 -48934 M
(\(iv\)) h
5669 -48934 M
(Public key from the encrypted credentials structure) h
2154 -50802 M
(2\)) h
3600 -50802 M
(No verifier credentials) h
2154 -52670 M
(3\)) h
3600 -52670 M
(Trusted Authorities: for the most recently signed trusted authority certificate) h
n 0.666 o f
0.0 448.0 m
(3) h
0 -448.0 m
n 1.502 o f
(:) h
3600 -54338 M
(\(i\)) h
5669 -54338 M
(Name of the CA from the subject field of the certificate) h
3600 -56006 M
(\(ii\)) h
5669 -56006 M
(Public Key of the CA from the subject public key field) h
3600 -57674 M
(\(iii\)) h
5669 -57674 M
(UID of the CA from the subject UID field) h
-8503 8502 T
R

S
8496 -68704 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(3) h
0 -358.0 m
976 -900 M
36.8 0 32 (There is normally only one Trusted Authority Certificate. If
there is more than one then an implementation may choose to maintain a list of) W
576 -1800 M
(all the valid keys. They should all refer to the same CA \(UID and name\).) h
-8496 68704 T
R

showpage
$P e

%%Page: 40 40
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(40) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(4\)) h
3600 -750 M
(no remote node credentials) h
2154 -3002 M
(5\)) h
3600 -3002 M
(no local node credentials) h
2154 -5254 M
(6\)) h
3600 -5254 M
(no cached outgoing associations) h
2154 -7506 M
(7\)) h
3600 -7506 M
(no cached incoming associations) h
0 -10108 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.2 ) h
2834 -10108 M
(Create Credentials) h
0 -12660 M
/Times-Roman-ISOLatin1 F 1000 o f
(Create_credentials\() h
0 -13760 M
(                                                   \255\255outputs) h
0 -14860 M
14256 -14860 M
(Claimant_credentials) h
30212 -14860 M
(Credentials\)) h
0 -16362 M
56.9 0 32 (This routine creates an "empty" credentials structure.  It
is needed in the case of a user logging into a node and ob\255) W
0 -17412 M
41.8 0 32 (taining node oriented credentials but no global username
credentials.  Because the "combine_credentials" call wants) W
0 -18462 M
92.3 0 32 (to modify a set of user credentials rather than create a new
set, this call is needed to produce the "shell" for com\255) W
0 -19512 M
(bine_credentials to fill in.) h
0 -21964 M
41.2 0 32 (It is unlikely that any real implementation would support
this function, but rather would have some functions which) W
0 -23014 M
(combine network_login, create_credentials, and combine_credentials in
whatever ways are supported by that node.) h
0 -25616 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.3 ) h
2834 -25616 M
(Combine Credentials) h
0 -28168 M
/Times-Roman-ISOLatin1 F 1000 o f
(Combine_credentials\() h
0 -29268 M
(                                                 \255\255inputs) h
0 -30368 M
14256 -30368 M
(node_credentials) h
30212 -30368 M
(Credentials,) h
0 -31468 M
14256 -31468 M
(localusername) h
30212 -31468 M
(String,) h
0 -32568 M
(                                                 \255\255updated) h
0 -33668 M
14256 -33668 M
(user_credentials) h
30212 -33668 M
(Credentials\)) h
0 -35170 M
49.8 0 32 (This routine is provided by implementations which support
the notion of local node credentials.  After the node has) W
0 -36220 M
77.8 0 32 (verified to its own satisfaction that the user_credentials
are entitled to access to a particular local account, this call) W
0 -37270 M
65.6 0 32 (adds node credential information to the user_credential
structure.  This function may be applied to user_credentials) W
0 -38320 M
(created by network_login, create_credentials, or accept_token.) h
709 -40772 M
(a\)) h
2154 -40772 M
(Fill in the local node credentials substructure of user_credentials as follows:) h
2154 -43024 M
(1\)) h
3600 -43024 M
(Full name of the node: from Full name of the Principal in node_credentials) h
2154 -45276 M
(2\)) h
3600 -45276 M
(Local username on the node: from proxy lookup) h
2154 -47528 M
(3\)) h
3600 -47528 M
(RSA private key of the node: from verifier credentials in node_credentials) h
709 -49980 M
(b\)) h
2154 -49980 M
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
37.2 0 32 (Optionally, ) W
/Times-Roman-ISOLatin1 F 1000 o f
37.2 0 32 (change the trusted authorities to match the trusted
authorities from the node credentials.  This is an) W
2154 -51030 M
114.1 0 32 (implementation option, done most likely as a performance
optimization.  The only case where this option is) W
2154 -52080 M
191.0 0 32 (required is where no trusted authorities existed in the
user credentials \(because they were created by cre\255) W
2154 -53130 M
(ate_credentials of accept_token\).  Server credentials should
generally keep their own trusted authorities.) h
0 -55582 M
3.4 0 32 (It is likely that an implementation will choose not to
replicate its node credentials in every credentials structure that it) W
0 -56632 M
22.0 0 32 (supports, but rather will maintain some sort of pointer to a
single copy.  This algorithm is stated as it is only for ease) W
0 -57682 M
(of specification.) h
-8503 8502 T
R

showpage
$P e

%%Page: 41 41
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(41) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.4 ) h
2834 -900 M
(Initialize_server) h
0 -3246 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(initialize_server\() h
0 -4346 M
(                                                 \255\255inputs) h
0 -5446 M
14256 -5446 M
(Name) h
30212 -5446 M
(Name,) h
0 -6546 M
14256 -6546 M
(password) h
30212 -6546 M
(String,) h
0 -7646 M
14256 -7646 M
(TA_credentials) h
30212 -7646 M
(Credentials,       \255\255optional) h
0 -8746 M
(                                                 \255\255outputs) h
0 -9846 M
14256 -9846 M
(Server_credentials) h
30212 -9846 M
(Credentials\)) h
0 -11142 M
7.2 0 32 (Somehow a server must get access to its credentials. One way
is for the credentials to be stored in the naming service) W
0 -12192 M
72.4 0 32 (like user credentials encrypted under a service password.
The service then needs to gain at startup time access to a) W
0 -13242 M
52.0 0 32 (service password. This may be easier to manage and is not
insecure so long as the service password is well chosen.) W
0 -14292 M
68.6 0 32 (Alternately, the service needs some mechanism to gain access
directly to its credentials. The credentials created by) W
0 -15342 M
126.0 0 32 (this call are intended to be very long lived. They do not
time out, so a node or server might store them in Non\255) W
0 -16392 M
2.9 0 32 (Volatile memory after "initial installation" rather than
calling this routine at each "boot". These credentials are shared) W
0 -17442 M
(between all servers which use the same key. This routine works as follows:) h
709 -19688 M
(a\)) h
2154 -19688 M
83.1 0 32 (Retrieve from the naming service or login agent the
encrypted credentials structure corresponding to the sup\255) W
2154 -20738 M
(plied name. See Network_login for a discussion of the use of
TA_credentials and login agents.) h
709 -22984 M
(b\)) h
2154 -22984 M
50.2 0 32 (Decrypt that structure using a one\255way hash of the
supplied password. Verify that the decryption was success\255) W
2154 -24034 M
(ful. Verify that the public key in the structure matches the private key.) h
709 -26280 M
(c\)) h
2154 -26280 M
18.3 0 32 (Retrieve from the naming service any trusted authority
certificates stored under the supplied name. Discard any) W
2154 -27330 M
69.3 0 32 (which do not contain the UID from the encrypted credentials
structure or are not signed by the key in the en\255) W
2154 -28380 M
(crypted credentials structure.) h
709 -30626 M
(d\)) h
2154 -30626 M
( Construct a credentials structure from: ) h
2154 -32672 M
(1\)) h
3600 -32672 M
(Claimant credentials:) h
3600 -34518 M
(\(i\)) h
5669 -34518 M
(Name of the principal from the calling parameter) h
3600 -36364 M
(\(ii\)) h
5669 -36364 M
(UID of the principal from the encrypted\255key structure) h
3600 -38210 M
(\(iii\)) h
5669 -38210 M
(No login ticket) h
3600 -40056 M
(\(iv\)) h
5669 -40056 M
(No login secret key) h
2154 -42102 M
(2\)) h
3600 -42102 M
(Verifier credentials:) h
3600 -43948 M
(\(i\)) h
5669 -43948 M
(Server secret key from the encrypted\255key structure) h
2154 -45994 M
(3\)) h
3600 -45994 M
(Trusted Authorities: from the most recently signed Trusted Authority
Certificate:) h
3600 -47840 M
(\(i\)) h
5669 -47840 M
(Name of CA from the Subject Name field) h
3600 -49686 M
(\(ii\)) h
5669 -49686 M
(UID of the CA from the Subject UID field) h
3600 -51532 M
(\(iii\)) h
5669 -51532 M
(Public Key of the CA from the Subject Public Key field) h
2154 -53578 M
(4\)) h
3600 -53578 M
(no node credentials) h
2154 -55624 M
(5\)) h
3600 -55624 M
(no cached outgoing associations) h
2154 -57670 M
(6\)) h
3600 -57670 M
(no cached incoming associations) h
-8503 8502 T
R

showpage
$P e

%%Page: 42 42
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(42) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.5 ) h
2834 -900 M
(Generate Server Ticket) h
0 -3088 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(generate_server_ticket\() h
0 -4188 M
(                                                 \255\255inputs) h
0 -5288 M
14256 -5288 M
(expiration) h
30212 -5288 M
(Time interval,) h
0 -6388 M
(                                                 \255\255updated) h
0 -7488 M
14256 -7488 M
(Server_credentials) h
30212 -7488 M
(Credentials\)) h
0 -8626 M
86.0 0 32 (Server credentials created by initialize_server can be used
to accept incoming authentication tokens and can act as) W
0 -9676 M
110.1 0 32 (node_credentials for outgoing authentications, but cannot
create user_credentials of their own. If a server initiates) W
0 -10726 M
50.6 0 32 (connections on its own behalf, it must have a ticket just
like any other user might have. That ticket has limited life\255) W
0 -11776 M
60.2 0 32 (time and the right to act on behalf of the server can be
delegated. The server cannot, however, delegate the right to) W
0 -12826 M
31.4 0 32 (receive connections intended for it. An implementation must
come up with a policy for the expiration of server tick\255) W
0 -13876 M
36.2 0 32 (ets and how long before expiration they are renewed.  A
likely policy is for this procedure to be implicitly called by) W
0 -14926 M
(Create_token if there is no current ticket present in the credentials.
 If so, this interface need not be exposed.) h
0 -17014 M
(This routine is implemented as follows:) h
709 -19102 M
(a\)) h
2154 -19102 M
(Generate an RSA public/private key pair.) h
709 -21190 M
(b\)) h
2154 -21190 M
(Compute a validity interval from the current time and the expiration supplied.) h
709 -23278 M
(c\)) h
2154 -23278 M
27.5 0 32 (Construct a login ticket from the RSA public key \(from ) W
27.5 0 32 (a) W
27.5 0 32 (\), validity interval \(from ) W
27.5 0 32 (b) W
27.5 0 32 (\), the UID from the creden\255) W
2154 -24328 M
(tials, and signed with the server key in the credentials. \(Discard
previous Login Ticket if there was one\).) h
709 -26416 M
(d\)) h
2154 -26416 M
(Discard all information in the  Cached Outgoing Contexts.) h
0 -28654 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.9.6 ) h
2834 -28654 M
(Delete Credentials) h
0 -30842 M
/Times-Roman-ISOLatin1 F 1000 o f
(delete_credentials\() h
0 -31942 M
(                                                 \255\255updated) h
0 -33042 M
14256 -33042 M
(credentials) h
30212 -33042 M
(Credentials\)) h
0 -34180 M
(Erases the secrets in the credentials structure and deallocates the storage.) h
0 -36568 M
/Times-Bold-ISOLatin1 F 1400 o f
(3.10 ) h
2800 -36568 M
(Authentication Procedures) h
0 -39106 M
/Times-Roman-ISOLatin1 F 1000 o f
19.6 0 32 (The guts of the authentication process takes place in the
next two calls. When one principal wishes to authenticate to) W
0 -40156 M
85.6 0 32 (another, it calls Create_token and sends the token which
results to the other. The recipient calls Accept_token and) W
0 -41206 M
13.9 0 32 (creates a new set of credentials. The other calls in this
section manipulate the received credentials in order to retrieve) W
0 -42256 M
(its contents and verify the identity of the token creator.) h
0 -44494 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.1 ) h
3300 -44494 M
( Create Token) h
0 -46682 M
/Times-Roman-ISOLatin1 F 1000 o f
(Create_token\() h
0 -47782 M
(                                                 \255\255inputs) h
0 -48882 M
14256 -48882 M
(target_name) h
30212 -48882 M
(Name,) h
0 -49982 M
14256 -49982 M
(deleg_req_flag) h
30212 -49982 M
(Boolean,) h
0 -51082 M
14256 -51082 M
(mutual_req_flag) h
30212 -51082 M
(Boolean,) h
0 -52182 M
14256 -52182 M
(replay_det_req_flag) h
30212 -52182 M
(Boolean,) h
0 -53282 M
14256 -53282 M
(sequence_req_flag) h
30212 -53282 M
(Boolean,) h
0 -54382 M
14256 -54382 M
(chan_bindings) h
30212 -54382 M
(Octet String,) h
0 -55482 M
14256 -55482 M
(Include_principal_name) h
30212 -55482 M
(Boolean,) h
0 -56582 M
14256 -56582 M
(Include_node_name) h
30212 -56582 M
(Boolean,) h
0 -57682 M
14256 -57682 M
(Include_username) h
30212 -57682 M
(Boolean,) h
-8503 8502 T
R

showpage
$P e

%%Page: 43 43
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(43) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(                                                   \255\255updated) h
0 -1850 M
14256 -1850 M
(claimant_credentials) h
30212 -1850 M
(Credentials,) h
0 -2950 M
(                                                 \255\255outputs) h
0 -4050 M
14256 -4050 M
(authentication_token) h
30212 -4050 M
(Authentication token,) h
0 -5150 M
14256 -5150 M
(mutual_authentication_token) h
30212 -5150 M
(Mutual Authentication token,) h
0 -6250 M
14256 -6250 M
(Shared_key) h
30212 -6250 M
(Shared Key) h
0 -7350 M
14256 -7350 M
(instance_identifier) h
30212 -7350 M
(Timestamp\)) h
0 -8481 M
33.8 0 32 (This routine is used by the initiator of a connection to
create an authentication token which will prove its identity. If) W
0 -9531 M
(the claimant credentials includes node/account information, the token
will include node authentication.) h
0 -11612 M
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
37.5 0 32 (target_name ) W
/Times-Roman-ISOLatin1 F 1000 o f
37.5 0 32 (is the X.500 name of the intended recipient of the token. 
Only an entity with access to the private key) W
0 -12662 M
(associated with that name will be able to verify the created token and
generate the mutual_authentication_token.) h
0 -14743 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
138.1 0 32 (deleg_req_flag) W
/Times-Roman-ISOLatin1 F 1000 o f
138.1 0 32 ( indicates whether the caller wishes to delegate to the
recipient of the token. If it is set, the dele\255) W
0 -15793 M
28.8 0 32 (gated_credentials returned by Accept_token will be capable
of generating tokens on behalf of the caller. Node based) W
0 -16843 M
41.1 0 32 (authentication information cannot be delegated. The ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
41.1 0 32 (mutual_req_flag, replay_det_req_flag) W
/Times-Roman-ISOLatin1 F 1000 o f
41.1 0 32 (, and ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
41.1 0 32 (sequence_req_flag) W
0 -17893 M
/Times-Roman-ISOLatin1 F 1000 o f
115.4 0 32 (are put in the authentication token and passed to the
target.  This information is included in the token to make it) W
0 -18943 M
(easier to implement the GSSAPI over DASS.  DASS itself makes no use of
this information.) h
0 -21024 M
57.5 0 32 (In most applications, the purpose of a token exchange is to
authenticate the principals controlling the two ends of a) W
0 -22074 M
50.1 0 32 (communication channel. ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
50.1 0 32 (chan_bindings) W
/Times-Roman-ISOLatin1 F 1000 o f
50.1 0 32 ( contains an identifier of the channel which is being
authenticated, and thus) W
0 -23124 M
64.1 0 32 (its format and content should be tied to the underlying
communication protocol. DASS only guarantees that the in\255) W
0 -24174 M
63.2 0 32 (formation has been communicated reliably to the named
target. If DASS is used with a cryptographically protected) W
0 -25224 M
3.2 0 32 (channel \(such as SP4\), this data should contain a
one\255way hash of the key used to encrypt the channel. If that channel) W
0 -26274 M
75.5 0 32 (is multiplexed, ) W
75.5 0 32 (the data ) W
75.5 0 32 (should also include the ID of the subchannel.  If the
channel is not encrypted, the network) W
0 -27324 M
70.1 0 32 (must be trusted not to modify data on a connection.  The
source and target network addresses and a connection ID) W
0 -28374 M
9.8 0 32 (should be included in the chan_bindings at the source and
checked at the target.  A token exchange also results in the) W
0 -29424 M
86.9 0 32 (two ends sharing a key and an instance identifier.  If that
key and instance identifier are used to cryptographically) W
0 -30474 M
79.7 0 32 (protect subsequent communications, then ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
79.7 0 32 (chan_bindings) W
/Times-Roman-ISOLatin1 F 1000 o f
79.7 0 32 ( need not have any cryptographic significance but may be) W
0 -31524 M
23.4 0 32 (used to differentiate multiple entities sharing the public
keys of communicating principals.) W
23.4 0 32 (  For example, if a service) W
0 -32574 M
47.8 0 32 (is replicated and all replicas share a public key, ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
47.8 0 32 (chan_bindings) W
/Times-Roman-ISOLatin1 F 1000 o f
47.8 0 32 ( should include something that identifies a single in\255) W
0 -33624 M
24.4 0 32 (stance of the service \(such as current address\) so that
the token cannot be successfully presented to more than one of) W
0 -34674 M
(the servers.) h
0 -36755 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
58.9 0 32 (include_principal_name, include_node_name, ) W
/Times-Roman-ISOLatin1 F 1000 o f
58.9 0 32 (and) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
58.9 0 32 ( include_username ) W
/Times-Roman-ISOLatin1 F 1000 o f
58.9 0 32 (are flags which determine whether the prin\255) W
0 -37805 M
2.2 0 32 (cipal name, node name, and/or username from the credentials
structure are to be included in the token.  This informa\255) W
0 -38855 M
85.3 0 32 (tion is made optional in a token so that applications which
communicate this information out of band can produce) W
0 -39905 M
10.1 0 32 ("compressed" tokens.  If this information is included in the
token, it will be used to populate the corresponding fields) W
0 -40955 M
(in the credentials structure created by Accept_token.) h
0 -43036 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
41.6 0 32 (claimant_credentials ) W
/Times-Roman-ISOLatin1 F 1000 o f
41.6 0 32 (are the credentials of the calling procedure.  The secrets
contained therein are used to sign the) W
0 -44086 M
3.4 0 32 (token and the trusted authorities are used to securely learn
the public key of the target.  The cached outgoing contexts) W
0 -45136 M
(portion of the credentials may be updated as a side effect of this call.) h
0 -47217 M
6.2 0 32 (The major output of this routine is an ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
6.2 0 32 (authentication_token ) W
/Times-Roman-ISOLatin1 F 1000 o f
6.2 0 32 (which can be passed to the target in order to authenticate) W
0 -48267 M
(the caller.) h
0 -50348 M
62.2 0 32 (In addition to returning an authentication token, this
routine returns a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
62.2 0 32 (mutual_authentication_token, ) W
/Times-Roman-ISOLatin1 F 1000 o f
62.2 0 32 (a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
62.2 0 32 (shared_key,) W
0 -51398 M
/Times-Roman-ISOLatin1 F 1000 o f
83.9 0 32 (and an ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
83.9 0 32 (instance_identifier) W
/Times-Roman-ISOLatin1 F 1000 o f
83.9 0 32 (. The mutual authentication token is the same as the one
generated by the Accept_token) W
0 -52448 M
41.3 0 32 (call at the target. If the protocol using DASS wishes mutual
authentication, the target should return this token to the) W
0 -53498 M
97.9 0 32 (source. The source will compare it to the one returned by
this routine using Compare_Mutual_Token \(below\) and) W
0 -54548 M
(know that the token was accepted at its proper destination.) h
0 -56629 M
4.1 0 32 (The DES key and instance identifier can be used to encrypt or
sign data to be sent to this target. The key and instance) W
0 -57679 M
26.9 0 32 (will be given to the target by Accept_token, and the key
will only be known by the two parties to the authentication.) W
-8503 8502 T
R

showpage
$P e

%%Page: 44 44
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(44) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
35.5 0 32 (If a single set of credentials is used to authenticate to
the same target more than once, the same DES key is likely to) W
0 -1800 M
57.5 0 32 (be returned each time. If the parties wish to protect
against the possibility of an outside agent mixing and matching) W
0 -2850 M
136.0 0 32 (messages from one authenticated session with those of
another, they should include the instance identifier in the) W
0 -3900 M
19.1 0 32 (messages. The instance identifier is a timestamp and it is
guaranteed that the DES key/instance identifier pair will be) W
0 -4950 M
(unique.) h
0 -7114 M
92.3 0 32 (An implementation may wish to "hide" the DES key from
calling applications by placing it in system storage and) W
0 -8164 M
(providing calls which encrypt/decrypt/sign/verify using the key. ) h
0 -10328 M
143.6 0 32 (The primary tasks of this routine are to create its output
parameters. As a side effect, it may also update claim\255) W
0 -11378 M
(ant_credentials. It's algorithm is as follows:) h
709 -13542 M
(a\)) h
2154 -13542 M
11.8 0 32 (The login ticket is checked. If it has passed the end of its
lifetime an `Login Ticket Expired' error is returned. If) W
2154 -14592 M
8.6 0 32 (there is a login ticket, but no corresponding private key
then an `Invalid credentials' error is returned \(this is the) W
2154 -15642 M
144.3 0 32 (case if the credentials were created by an
authentication\255without\255delegation operation\).  If there is no login) W
2154 -16692 M
78.7 0 32 (ticket or an expired one and if the long term private key is
present in the credentials, an implementation may) W
2154 -17742 M
(choose to automatically call create_server_ticket to renew the ticket.) h
709 -19906 M
(b\)) h
2154 -19906 M
(Create new timestamp using the current time.) h
n 0.666 o f
0.0 448.0 m
(4) h
0 -448.0 m
709 -22070 M
n 1.502 o f
(c\)) h
2154 -22070 M
39.0 0 32 (The public key and UID of target_name are looked up by
calling get_pub_keys, using the target_name and the) W
2154 -23120 M
133.1 0 32 (Trusted Authority section of the claimant_credentials
structure. If none is found, an error status is returned.) W
2154 -24170 M
25.7 0 32 (Otherwise, the cached outbound connections portion of
credentials are searched \(indexed by target Public Key\)) W
2154 -25220 M
30.1 0 32 (for a cached Shared key with a validity interval which has
not expired. If a suitable one is found skip to step ) W
30.1 0 32 (g) W
30.1 0 32 (,) W
2154 -26270 M
(else create a cache entry as follows:) h
709 -28434 M
(d\)) h
2154 -28434 M
15.7 0 32 (Destination Public Key is the one found looking up the
target. A Shared Key is generated at random. A validity) W
2154 -29484 M
21.6 0 32 (interval is chosen according to node policy but not to
exceed the validity interval of the ticket in the credentials) W
2154 -30534 M
(\(if any\).) h
709 -32698 M
(e\)) h
2154 -32698 M
(Create the Encrypted Shared Key, using the public key of the Target,
and place in the cache.) h
709 -34862 M
(f\)) h
2154 -34862 M
23.4 0 32 (If node authentication credentials are available in the
credentials structure, create a "Node Ticket" signature us\255) W
2154 -35912 M
(ing the node secret and include it in the cache.) h
709 -38076 M
(g\)) h
2154 -38076 M
47.8 0 32 (If delegation is requested and no delegator is present in
the cache, create one by encrypting the delegation pri\255) W
2154 -39126 M
24.4 0 32 (vate key under the Shared key. The delegation private key is
represented as an ASN.1 data structure containing) W
2154 -40176 M
(only one of the primes \(p\).) h
709 -42340 M
(h\)) h
2154 -42340 M
54.0 0 32 (If delegation is not requested and no Shared Key Ticket is
in the cache, create one by signing the requisite in\255) W
2154 -43390 M
(formation with the delegation private key.) h
709 -45554 M
(i\)) h
2154 -45554 M
51.6 0 32 (Create the Authenticator.  The contents of the Authenticator
\(including the channel bindings\) are encoded into) W
2154 -46604 M
118.6 0 32 (ASN.1, and the signature is computed. The Authenticator is
then re\255encoded, without including the Channel) W
2154 -47654 M
(Bindings but using the same signature.) h
709 -49818 M
(j\)) h
2154 -49818 M
(Create output_token as follows: ) h
2154 -51782 M
(1\)) h
3600 -51782 M
(Encrypted Shared Key from cache) h
2154 -53746 M
(2\)) h
3600 -53746 M
(Login Ticket from Claimant Credentials \(if present\)) h
2154 -55710 M
(3\)) h
3600 -55710 M
(Shared Key Ticket from cache \(if no delegation and if present\)) h
2154 -57674 M
(4\)) h
3600 -57674 M
(Node Ticket from cache \(if present\)) h
-8503 8502 T
R

S
8496 -68704 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(4) h
0 -358.0 m
976 -900 M
11.1 0 32 (This timestamp must be unique for this Shared Key. The
timestamp is a 64 bit POSIX time, with a resolution of 1 nanosecond An
implemen\255) W
576 -1800 M
(tation must ensure that timestamps cannot be reused.) h
-8496 68704 T
R

showpage
$P e

%%Page: 45 45
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(45) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(5\)) h
3600 -750 M
(Delegator from cache \(if delegation and if present\)) h
2154 -2810 M
(6\)) h
3600 -2810 M
(Authenticator) h
2154 -4870 M
(7\)) h
3600 -4870 M
(Principal name from credentials \(if present and parameter requests this\)) h
2154 -6930 M
(8\)) h
3600 -6930 M
(Node name from credentials \(if present and parameter request this\)) h
2154 -8990 M
(9\)) h
3600 -8990 M
(Local Username from credentials \(if present and parameter requests this\)) h
709 -11250 M
(k\)) h
2154 -11250 M
133.1 0 32 (C) W
133.1 0 32 (ompute Mutual_authentication_token by encrypting ) W
133.1 0 32 (the ) W
133.1 0 32 (timestamp) W
133.1 0 32 ( from the authenticator) W
133.1 0 32 ( ) W
133.1 0 32 (using ) W
133.1 0 32 (the Shared) W
2154 -12300 M
(key.) h
709 -14560 M
(l\)) h
2154 -14560 M
57.0 0 32 (The instance_identifier is the timestamp. This and the
Shared key are returned for use by the caller for further) W
2154 -15610 M
(encryption operations \(if these are supported\).) h
0 -18020 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.2 ) h
3300 -18020 M
(Accept_token) h
0 -20380 M
/Times-Roman-ISOLatin1 F 1000 o f
(Accept_token\() h
0 -21480 M
(                                                 \255\255inputs) h
0 -22580 M
14256 -22580 M
(authentication_token) h
30212 -22580 M
(Authentication Token,) h
0 -23680 M
14256 -23680 M
(chan_bindings) h
30212 -23680 M
(Octet String,) h
0 -24780 M
(                                                  \255\255updated) h
0 -25880 M
14256 -25880 M
(verifying_credentials) h
30212 -25880 M
(Credentials,) h
0 -26980 M
(                                                 \255\255outputs) h
0 -28080 M
14256 -28080 M
(accepted_credentials) h
30212 -28080 M
(Credentials,) h
0 -29180 M
14256 -29180 M
(deleg_req_flag) h
30212 -29180 M
(Boolean,) h
0 -30280 M
14256 -30280 M
(mutual_req_flag) h
30212 -30280 M
(Boolean,) h
0 -31380 M
14256 -31380 M
(replay_det_req_flag) h
30212 -31380 M
(Boolean,) h
0 -32480 M
14256 -32480 M
(sequence_req_flag) h
30212 -32480 M
(Boolean,) h
0 -33580 M
14256 -33580 M
(mutual_authentication_token) h
30212 -33580 M
(Mutual authentication token) h
0 -34680 M
14256 -34680 M
(shared_key ) h
30212 -34680 M
(Shared Key,) h
0 -35780 M
14256 -35780 M
(instance_identifier) h
30212 -35780 M
(Timestamp\)) h
0 -37090 M
68.9 0 32 (This routine is used by the recipient of an authentication
token to validate it.  ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
68.9 0 32 (authentication_token ) W
/Times-Roman-ISOLatin1 F 1000 o f
68.9 0 32 (is the token as) W
0 -38140 M
18.0 0 32 (received; ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
18.0 0 32 (chan_bindings ) W
/Times-Roman-ISOLatin1 F 1000 o f
18.0 0 32 (is the identifier of the channel being authenticated.  See
the description of Create_token for) W
0 -39190 M
185.9 0 32 (information on the appropriate contents for chan_bindings. 
DASS does not enforce any particular content, but) W
0 -40240 M
(checks to assure that the same value is supplied to both Create_token
and Accept_token.) h
0 -42500 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
43.0 0 32 (Verifying_credentials ) W
/Times-Roman-ISOLatin1 F 1000 o f
43.0 0 32 (are the credentials of the recipient of the token.  They
must include the private key of the en\255) W
0 -43550 M
47.8 0 32 (tity named as the target in Create_token or the call will
fail.  The cached incoming contexts section of the verifying) W
0 -44600 M
(credentials may be modified as a side effect of this call.) h
0 -46860 M
/Times-BoldItalic-ISOLatin1 F 1000 o f
47.8 0 32 (Accepted_credentials) W
/Times-Roman-ISOLatin1 F 1000 o f
47.8 0 32 ( will contain additional information about the token
creator. If delegation was requested, these) W
0 -47910 M
71.1 0 32 (credentials can be used to make additional calls to
Create_token on the creator's behalf. Whether or not delegation) W
0 -48960 M
(was requested, they can also be used in the calls which follow to gain
additional information about the token creator.) h
0 -51220 M
7.0 0 32 (The ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
7.0 0 32 (deleg_req_flag ) W
/Times-Roman-ISOLatin1 F 1000 o f
7.0 0 32 (indicates whether the accepted_credentials include delegation
which can be used by the recipient) W
0 -52270 M
24.5 0 32 (to act on behalf of the principal.  ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
24.5 0 32 (Mutual_req_flag, replay_det_req_flag, ) W
/Times-Roman-ISOLatin1 F 1000 o f
24.5 0 32 (and ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
24.5 0 32 (sequence_req_flag) W
/Times-Roman-ISOLatin1 F 1000 o f
24.5 0 32 ( are passed through) W
0 -53320 M
(from Create_token in support of the GSSAPI.  DASS makes no use of these fields) h
(.) h
0 -55580 M
82.1 0 32 (The ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
82.1 0 32 (mutual_authentication_token) W
/Times-Roman-ISOLatin1 F 1000 o f
82.1 0 32 ( can be returned to the token creator as proof of receipt.
In many protocols, this) W
0 -56630 M
214.4 0 32 (will be used by a client to authenticate a server. Only the
genuine server would be able to compute the mu\255) W
0 -57680 M
(tual_authentication_token from the token.) h
-8503 8502 T
R

showpage
$P e

%%Page: 46 46
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(46) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
56.2 0 32 (The ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
56.2 0 32 (shared_key) W
/Times-Roman-ISOLatin1 F 1000 o f
56.2 0 32 ( and ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
56.2 0 32 (instance_identifier) W
/Times-Roman-ISOLatin1 F 1000 o f
56.2 0 32 ( can be used to encrypt or sign data between the two
authenticating parties.) W
0 -1800 M
(See Create_token.) h
0 -3875 M
23.8 0 32 (This routine verifies the contents of the authentication
token in the context of the verifying credentials) W
n 0.666 o f
0.0 448.0 m
23.8 0 32 (5) W
0 -448.0 m
n 1.502 o f
23.8 0 32 ( and returns a) W
0 -4925 M
54.5 0 32 (information about it. The algorithm updates a cache of
information. This cache is not updated if the algorithm exits) W
0 -5975 M
(with an error. The algorithm is as follows:) h
709 -8050 M
(a\)) h
2154 -8050 M
13.1 0 32 (If there is a Login Ticket, but no Shared Key Ticket or
Delegator then exit with error `Invalid Authenticator'. If) W
2154 -9100 M
29.1 0 32 (there is a Shared Key Ticket or Delegator, but no Login
Ticket then exit with error `Invalid Authentication To\255) W
2154 -10150 M
(ken'. ) h
2154 -12225 M
93.8 0 32 (Look up the Encrypted Shared key in the Cached Incoming
Contexts of the credentials structure) W
n 0.666 o f
0.0 448.0 m
93.8 0 32 (6) W
0 -448.0 m
n 1.502 o f
93.8 0 32 (. If it is not) W
2154 -13275 M
(found then create a new cache entry as follows:) h
2154 -15150 M
(1\)) h
3600 -15150 M
(Encrypted Shared Key, from the Authentication Token. ) h
2154 -17025 M
(2\)) h
3600 -17025 M
63.9 0 32 (Shared Key and Validity Interval, by decrypting the
Encrypted Shared Key using the server private key in) W
3600 -18075 M
(credentials. If the decryption fails then exit with error `Invalid
Authentication Token'. ) h
709 -20150 M
(b\)) h
2154 -20150 M
101.6 0 32 (Check that the Validity Interval \(in the cache entry\) ) W
101.6 0 32 (includes the current time; r) W
101.6 0 32 (eturn `Invalid Authentication) W
2154 -21200 M
(Token' if not.) h
2154 -23275 M
100.8 0 32 (Check the Timestamp is within max\255clock\255skew of the
current time, return `invalid Authentication Token' if) W
2154 -24325 M
(not.) h
2154 -26400 M
(Reconstruct the Authenticator including the Channel Bindings passed as
a parameter.) h
2154 -28475 M
143.5 0 32 (Check that the reconstructed Authenticator is signed by the
Shared key. If not then exit with error `Invalid) W
2154 -29525 M
(Authentication Token'.) h
2154 -31600 M
64.9 0 32 (Look up the Authenticator Signature in the Received
Authenticators. If the same Signature is found in the list) W
2154 -32650 M
(then exit with error `Duplicate Authenticator'. Otherwise add the
Signature and timestamp to the list.) h
2154 -34725 M
64.2 0 32 (If there is a Login Ticket and the Delegation Public key is
in the cache entry, then check that the same key is) W
2154 -35775 M
76.1 0 32 (specified in the Login Ticket, if not then exit with error
`Invalid Authentication Token'. Place the Delegation) W
2154 -36825 M
(Public key in the cache if it is not already there.) h
2154 -38900 M
3.8 0 32 (If there is a Login Ticket, the Delegation Public key was not
previously in the cache entry, and there is a Shared) W
2154 -39950 M
117.4 0 32 (Key Ticket in the Authentication Token, then check that the
Shared Key Ticket is signed by the Delegation) W
2154 -41000 M
(Public Key in the Login Ticket. If not then exit with error `Invalid
Authentication Token'.) h
2154 -43075 M
31.9 0 32 (If a delegator is present in the message then decrypt the
delegator using the Shared key. If the private key does) W
2154 -44125 M
(not match the Delegation Public key then exit with error `Invalid
Authentication Token') h
n 0.666 o f
0.0 448.0 m
(7) h
0 -448.0 m
n 1.502 o f
(.) h
2154 -46200 M
(Build the delegation credentials data structure as follows: ) h
2154 -48075 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(1\)) h
3600 -48075 M
(Claimant credentials:) h
3600 -48800 M
(\(i\)) h
5669 -48800 M
(Login Ticket from the Authentication token) h
3600 -49525 M
(\(ii\)) h
5669 -49525 M
(Delegation Private key from the decrypted delegator if the token is delegating.) h
3600 -50250 M
(\(iii\)) h
5669 -50250 M
(Encrypted Shared Key from the Authentication token.) h
2154 -51175 M
(2\)) h
3600 -51175 M
(There are no verifier credentials.) h
2154 -52100 M
(3\)) h
3600 -52100 M
(Trusted authorities are copied from the verifying_credentials passed
to this routine.) h
n 0.666 o f
0.0 464.0 m
(8) h
0 -464.0 m
-8503 8502 T
R

S
8496 -62304 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(5) h
0 -358.0 m
976 -900 M
(In particular the Private Key of the server is used. Also the Cached
Incoming Contexts and Incoming Timestamp list is used.) h
576 -2500 M
0.0 358.0 m
(6) h
0 -358.0 m
976 -2500 M
62.1 0 32 (This cache entry is used during the execution of this
routine. An implementation must ensure that references to the cache
entry can not be) W
576 -3400 M
(affected by other users modifying the cache. One way is to use a copy
of the cache entry, and update it at exit.) h
576 -4900 M
0.0 358.0 m
(7) h
0 -358.0 m
976 -4900 M
1.8 0 32 (The prime in  the delegator is used to find the other prime
\(from the modulus\). The division must not have a remainder. Neither
prime may be) W
576 -5800 M
(1. The two primes are then used to reconstruct any other information
needed to perform cryptographic operations.) h
576 -7300 M
0.0 358.0 m
(8) h
0 -358.0 m
976 -7300 M
14.9 0 32 (If an implementation is able to obtain the original Trusted
Authorities for the Principal then it may do so instead of using the
Servers Trusted) W
576 -8200 M
(Authorities) h
-8496 62304 T
R

showpage
$P e

%%Page: 47 47
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(47) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(4\)) h
3600 -750 M
(Remote node credentials \(Node name, Username, Node Ticket\) taken
from the Authentication) h
3600 -1850 M
(token.) h
2154 -3336 M
(5\)) h
3600 -3336 M
(There are no local node credentials.) h
2154 -4822 M
(6\)) h
3600 -4822 M
(There are no cached contexts.) h
709 -6508 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(c\)) h
2154 -6508 M
(The returned boolean values are obtained from the Authenticator.) h
709 -9144 M
(d\)) h
2154 -9144 M
31.8 0 32 (Mutual_authentication_token is computed by encrypting the
timestamp from the Authenticator with the Shared) W
2154 -10194 M
(key from the cache.) h
709 -12830 M
(e\)) h
2154 -12830 M
60.6 0 32 (Instance_identifier is the timestamp from the Authenticator.
This and the Shared key are returned to the caller) W
2154 -13880 M
(for further encryption operations \(if these are supported\).) h
0 -16666 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.3 ) h
3300 -16666 M
(Compare Mutual Token) h
0 -19402 M
/Times-Roman-ISOLatin1 F 1000 o f
(Compare_mutual_token\() h
0 -20502 M
(                                                 \255\255inputs) h
0 -21602 M
14256 -21602 M
(Generated_token) h
30212 -21602 M
(Mutual authentication token,) h
0 -22702 M
14256 -22702 M
(Received_token) h
30212 -22702 M
(Mutual authentication token,) h
0 -23802 M
(                                                  \255\255outputs) h
0 -24902 M
14256 -24902 M
(equality_flag) h
30212 -24902 M
(Boolean\)) h
0 -26588 M
42.2 0 32 (This routine compares two mutual authentication tokens and
tells whether they match.  In the expected use, the first) W
0 -27638 M
12.3 0 32 (is the token generated by Create_token at the initiating end
and the second is the token generated by Accept_token at) W
0 -28688 M
45.0 0 32 (the accepting end and returned to the initiating end.  This
routine can be implemented as a byte by byte comparison) W
0 -29738 M
(of the two parameters.) h
0 -32524 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.4 ) h
3300 -32524 M
(Get Node Info) h
0 -35260 M
/Times-Roman-ISOLatin1 F 1000 o f
(get_node_info\() h
0 -36360 M
(                                                 \255\255inputs) h
0 -37460 M
14256 -37460 M
(accepted_credentials) h
30212 -37460 M
(Credentials,) h
0 -38560 M
(                                                 \255\255outputs) h
0 -39660 M
14256 -39660 M
(nodename) h
30212 -39660 M
(Name,) h
0 -40760 M
14256 -40760 M
(username) h
30212 -40760 M
(String\)) h
0 -42446 M
49.8 0 32 (This routine extracts from accepted credentials the name of
the node from which the authentication token came and) W
0 -43496 M
89.1 0 32 (the named account on that node. Because this information is
not cryptographically protected within the token, this) W
0 -44546 M
87.9 0 32 (information can only be regarded as a "hint" by the
receiving application.  It can, however, be verified using Ver\255) W
0 -45596 M
105.0 0 32 (ify_node_name in a cryptographically secure manner.  This
information will only be present if these are accepted) W
0 -46646 M
(credentials and it the caller of Create_token  set the ) h
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
(include_node_name ) h
/Times-Roman-ISOLatin1 F 1000 o f
(and/or ) h
/Times-BoldItalic-ISOLatin1 F 1000 o f
(include_username) h
/Times-Roman-ISOLatin1 F 1000 o f
( flags.) h
0 -49282 M
129.2 0 32 (An actual implementation is not likely to have
get_node_info and verify_node_name as separate calls.  They are) W
0 -50332 M
26.8 0 32 (specified this way because there are different ways this
information might be used.  For most applications, the node\255) W
0 -51382 M
83.8 0 32 (name and username will be included in the token, and a
single function might extract and verify them \(it might in) W
0 -52432 M
40.3 0 32 (fact be part of accept token\).  For other applications) W
40.3 0 32 (,) W
40.3 0 32 ( the nodename and username will not be in the token but rather) W
0 -53482 M
88.4 0 32 (will be computed from other information ) W
88.4 0 32 (passed during connection initiation ) W
88.4 0 32 (so a call would have to take these as) W
0 -54532 M
18.9 0 32 (inputs.  Still other applications ) W
18.9 0 32 (such as ) W
18.9 0 32 (ACL evaluators) W
18.9 0 32 ( that want to support the renaming and aliasing capabilities of) W
0 -55582 M
29.9 0 32 (DASS) W
29.9 0 32 ( would defer verifying node information until they came upon
an ACL which allowed access only from a par\255) W
0 -56632 M
117.2 0 32 (ticular node.  ) W
117.2 0 32 (They ) W
117.2 0 32 (would then verify that the name on the ACL was an
authenticatable alias for the node which) W
0 -57682 M
(created the token.  All of these uses can be defined in terms of calls
to get_node_info and verify_node_name.) h
-8503 8502 T
R

showpage
$P e

%%Page: 48 48
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(48) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.5 ) h
3300 -900 M
(Get Principal UID) h
0 -3072 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(get_principal_uid\() h
0 -4172 M
(                                                 \255\255inputs) h
0 -5272 M
14256 -5272 M
(accepted_credentials) h
30212 -5272 M
(Credentials,) h
0 -6372 M
(                                                 \255\255outputs) h
0 -7472 M
14256 -7472 M
(uid) h
30212 -7472 M
(UID\)) h
0 -8594 M
(This routine extracts a principal UID from a set of credentials.) h
0 -10666 M
29.8 0 32 (As with Get_Node_Info, this interface is not likely to
appear in an actual implementation, but rather will be bundled) W
0 -11716 M
47.8 0 32 (with other routines.  It is specified this way because there
might be a variety of algorithms by which credentials are) W
0 -12766 M
(evaluated and all of them can be defined in terms of these primitives.) h
0 -14838 M
43.6 0 32 (In DASS, it is possible for a principal to have many
aliases. This can happen either because the principal was given) W
0 -15888 M
6.4 0 32 (multiple names to limit the number of CAs that need to be
trusted when authenticating to different servers or because) W
0 -16938 M
90.2 0 32 (the principal's name has changed and the old name remains
behind as an alias. Accept_token returns the name by) W
0 -17988 M
79.3 0 32 (which the principal identified itself when creating its
credentials. A service may know the user by some alias. The) W
0 -19038 M
38.1 0 32 (normal way to handle this is for the service to know the
principal's UID \(which is constant over name changes\) and) W
0 -20088 M
49.8 0 32 (to compare it with the UID in the token to identify a likely
alias situation. It gets the UID from the token using this) W
0 -21138 M
(routine. It then confirms the alias by calling verify_principal_name.) h
0 -23210 M
44.2 0 32 (The UID is in a signed portion of accepted credentials, but
the signature may not have been verified at the time this) W
0 -24260 M
160.9 0 32 (call is issued.  The information returned by this routine
must therefore be regarded as a hint.  If a call to Ver\255) W
0 -25310 M
20.4 0 32 (ify_principal_name succeeds, however, then the caller can
securely know that the name given to that routine ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
20.4 0 32 (and) W
/Times-Roman-ISOLatin1 F 1000 o f
20.4 0 32 ( the) W
0 -26360 M
(UID returned by this one are the authenticated source of the token.) h
0 -28582 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.6 ) h
3300 -28582 M
(Get Principal Name) h
0 -30754 M
/Times-Roman-ISOLatin1 F 1000 o f
(get_principal_name\() h
0 -31854 M
(                                                 \255\255inputs) h
0 -32954 M
14256 -32954 M
(accepted_credentials) h
30212 -32954 M
(Credentials,) h
0 -34054 M
(                                                 \255\255outputs) h
0 -35154 M
14256 -35154 M
(name) h
30212 -35154 M
(Name\)) h
0 -36276 M
22.5 0 32 (This routine extracts a principal name from a set of
credentials. This name is the name most recently associated with) W
0 -37326 M
28.5 0 32 (the principal. It may be the name that the principal
supplied when the credentials were created \(in which case it may) W
0 -38376 M
(not have been verified yet\) or it may be a different name that has
been verified.) h
0 -40448 M
30.0 0 32 (As with Get_Node_Info and Get_Principal_UID, this routine is
not likely to appear in an actual implementation, but) W
0 -41498 M
51.8 0 32 (will be bundled in some fashion with related procedures. 
The name returned by this procedure is not guaranteed to) W
0 -42548 M
(have been cryptographically verified.  Verify_Principal_Name performs
that function.) h
0 -44770 M
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.7 ) h
3300 -44770 M
(Get Lifetime) h
0 -46942 M
/Times-Roman-ISOLatin1 F 1000 o f
(get_lifetime\() h
0 -48042 M
(                                                 \255\255inputs) h
0 -49142 M
14256 -49142 M
(Claimant_credentials) h
30212 -49142 M
(Credentials,) h
0 -50242 M
(                                                 \255\255outputs) h
0 -51342 M
14256 -51342 M
(lifetime) h
30212 -51342 M
(Duration\)) h
0 -52464 M
73.1 0 32 (This routine computes the life remaining in a set of
credentials.  Its most common use would be to know to renew) W
0 -53514 M
(credentials before they expire.) h
0 -55586 M
72.8 0 32 (Returns the remaining lifetime of the login ticket in the
credentials. This can either be the done on the node where) W
0 -56636 M
41.0 0 32 (the original login took place, or at a server which has been
delegated to. It indicates how much longer these creden\255) W
0 -57686 M
41.5 0 32 (tials can be used for further delegations. This routine will
return 0 if the login ticket has passed the end of its life, if) W
-8503 8502 T
R

showpage
$P e

%%Page: 49 49
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(49) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
99.0 0 32 (there is no login ticket, or if  the credentials do not
contain the private key certified by the ticket \(i.e. where they) W
0 -1800 M
(were created by an authentication\255without\255delegation operation\).) h
0 -4095 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.8 ) h
3300 -4095 M
(Verify Node Name) h
0 -6340 M
/Times-Roman-ISOLatin1 F 1000 o f
(Verify_node_name\() h
0 -7440 M
(                                                 \255\255inputs) h
0 -8540 M
14256 -8540 M
(nodename) h
30212 -8540 M
(Name,) h
0 -9640 M
14256 -9640 M
(username) h
30212 -9640 M
(String,) h
0 -10740 M
(                                                  \255\255updated) h
0 -11840 M
14256 -11840 M
(verifying_credentials) h
30212 -11840 M
(Credentials,) h
0 -12940 M
14256 -12940 M
(accepted_credentials) h
30212 -12940 M
(Credentials,) h
0 -14040 M
(                                                 \255\255outputs) h
0 -15140 M
14256 -15140 M
(Name matches) h
30212 -15140 M
(Boolean\)) h
0 -16335 M
108.5 0 32 (This routine tests whether the originating node of an
authentication token can be authenticated as having the pro\255) W
0 -17385 M
15.2 0 32 (vided name. Like a principal, a node may have multiple
aliases. One of them may be returned by Get_node_info, but) W
0 -18435 M
75.4 0 32 (this call allows a suspected alias to be verified.  The
verifying credentials supplied with this call must be the same) W
0 -19485 M
(credentials as were used in the Accept_token call. The procedure for
completing this request is as follows:) h
709 -21630 M
(a\)) h
2154 -21630 M
(If there is no Node Ticket in the claimant credentials then return False.) h
709 -23775 M
(b\)) h
2154 -23775 M
168.4 0 32 (Search the incoming context cache of the verifying
credentials for an entry containing the same encrypted) W
2154 -24825 M
35.4 0 32 (shared key as the encrypted shared key subfield of the
claimant information of the accepted credentials.  In the) W
2154 -25875 M
96.6 0 32 (steps which follow, references to "the cache" refer to this
entry.  If none is found, initialize such an entry as) W
2154 -26925 M
(follows:) h
2154 -28870 M
(1\)) h
3600 -28870 M
90.5 0 32 (Encrypted shared key from the encrypted shared key subfield
of the claimant information of the accepted) W
3600 -29920 M
(credentials.) h
2154 -31865 M
(2\)) h
3600 -31865 M
44.8 0 32 (The shared key and validity interval are determined by
decrypting the encrypted shared key using the RSA) W
3600 -32915 M
108.1 0 32 (private key in the verifier information of the server
credentials.  If this procedure is called after a call to) W
3600 -33965 M
53.7 0 32 (Accept_token using the same server credentials \(as is
required for correct use\), the shared key and validity) W
3600 -35015 M
50.6 0 32 (interval must correctly decrypt.  If called in some other
context, the results are undefined.  The validity in\255) W
3600 -36065 M
(terval is not checked.) h
2154 -38010 M
(3\)) h
3600 -38010 M
(Initialize all other entries in the cache to missing.) h
709 -40155 M
(c\)) h
2154 -40155 M
121.0 0 32 (If there is a "local username on client node" in the cache
and it does not match the username supplied as a) W
2154 -41205 M
(parameter, return False.) h
709 -43350 M
(d\)) h
2154 -43350 M
(If there is a "name of client node" in the cache and it matches the
nodename supplied as a parameter:) h
2154 -45295 M
(1\)) h
3600 -45295 M
41.5 0 32 (Set the "Full name of the node" subfield of the remote node
authentication field of the accepted credentials) W
3600 -46345 M
(to be the nodename supplied as a parameter.) h
2154 -48290 M
(2\)) h
3600 -48290 M
44.9 0 32 (Set the "Local Username on the node" subfield of the remote
node authentication field of the accepted cre\255) W
3600 -49340 M
(dentials to be the username supplied as a parameter.) h
2154 -51285 M
(3\)) h
3600 -51285 M
(return True.) h
709 -53430 M
(e\)) h
2154 -53430 M
172.8 0 32 (Call the Get_Pub_Keys subroutine with the
server_credentials, the nodename supplied as a parameter, and) W
2154 -54480 M
(Try_Hard=False.) h
709 -56625 M
(f\)) h
2154 -56625 M
85.2 0 32 (If "Public Key of Client Node" is missing from the cache,
check all of the Public keys returned to see if one) W
2154 -57675 M
1.3 0 32 (verifies the node ticket.  If one does, set the "Public Key
of Client Node" and "UID of Client Node" fields in the) W
-8503 8502 T
R

showpage
$P e

%%Page: 50 50
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(50) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
17.9 0 32 (cache to be the PK/UID pair that verified the ticket and set
the "Local Username on Client node" field to be the) W
2154 -1800 M
(username supplied as a parameter..) h
709 -4032 M
(g\)) h
2154 -4032 M
43.1 0 32 (If any of the Public Key/UID pairs match the "Public Key of
Client Node" and "UID of Client Node" fields in) W
2154 -5082 M
(the cache, then:) h
2154 -7114 M
(1\)) h
3600 -7114 M
(Set the "name of client node" in the cache equal to the nodename
supplied as a parameter.) h
2154 -9146 M
(2\)) h
3600 -9146 M
41.5 0 32 (Set the "Full name of the node" subfield of the remote node
authentication field of the accepted credentials) W
3600 -10196 M
(to be the nodename supplied as a parameter.) h
2154 -12228 M
(3\)) h
3600 -12228 M
44.9 0 32 (Set the "Local Username on the node" subfield of the remote
node authentication field of the accepted cre\255) W
3600 -13278 M
(dentials to be the username supplied as a parameter.) h
2154 -15310 M
(4\)) h
3600 -15310 M
(Return True.) h
709 -17542 M
(h\)) h
2154 -17542 M
29.9 0 32 (If none of them match, call Get_Pub_Keys again with
Try_Hard=True and repeat steps 6 & 7.  If Step 7 fails a) W
2154 -18592 M
(second time, return False.) h
0 -20974 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.9 ) h
3300 -20974 M
(Verify Principal Name) h
0 -23306 M
/Times-Roman-ISOLatin1 F 1000 o f
(Verify_principal_name\() h
0 -24406 M
(                                                 \255\255inputs) h
0 -25506 M
14256 -25506 M
(principal_name) h
30212 -25506 M
(Name,) h
0 -26606 M
(                                                  \255\255updated) h
0 -27706 M
14256 -27706 M
(verifier_credentials) h
30212 -27706 M
(Credentials,) h
0 -28806 M
14256 -28806 M
(claimant_credentials) h
30212 -28806 M
(Credentials,) h
0 -29906 M
(                                                 \255\255outputs) h
0 -31006 M
14256 -31006 M
(Name matches) h
30212 -31006 M
(Boolean\)) h
0 -32288 M
85.9 0 32 (This routine tests \(in the context of the verifier
credentials\) whether the claimant credentials are authenticatable as) W
0 -33338 M
60.6 0 32 (being those of the named principal.  This procedure is
called with a set of accepted credentials to authenticate the) W
60.6 0 32 (ir) W
0 -34388 M
27.1 0 32 (source) W
27.1 0 32 (,) W
27.1 0 32 ( or with a set of credentials produced by network_login to
authenticate the creator of those credentials.  If the) W
0 -35438 M
139.7 0 32 (claimant ) W
139.7 0 32 (credentials were created by Accept_token, then the verifier
credentials supplied in this call must be the) W
0 -36488 M
(same as those used in that call.  The procedure for completing this
request is as follows:) h
709 -38720 M
(a\)) h
2154 -38720 M
(If there is no Login Ticket in the claimant credentials, then return False.) h
709 -40952 M
(b\)) h
2154 -40952 M
(If the current time is not within the validity interval of the Login
Ticket, then return False.) h
709 -43184 M
(c\)) h
2154 -43184 M
52.1 0 32 (If there is an Encrypted Shared Key present in the Claimant
information field of the claimant credentials, then) W
2154 -44234 M
78.9 0 32 (find or create a matching cache entry in the Cached Incoming
Contexts of the verifier credentials.  In the de\255) W
2154 -45284 M
112.0 0 32 (scription which follows, references to "the cache" refer to
this entry.  If the cache entry must be created, its) W
2154 -46334 M
(contents is set to be as follows:) h
2154 -48366 M
(1\)) h
3600 -48366 M
90.5 0 32 (Encrypted shared key from the encrypted shared key subfield
of the claimant information of the accepted) W
3600 -49416 M
(credentials.) h
2154 -51448 M
(2\)) h
3600 -51448 M
44.8 0 32 (The shared key and validity interval are determined by
decrypting the encrypted shared key using the RSA) W
3600 -52498 M
108.1 0 32 (private key in the verifier information of the server
credentials.  If this procedure is called after a call to) W
3600 -53548 M
53.7 0 32 (Accept_token using the same server credentials \(as is
required for correct use\), the shared key and validity) W
3600 -54598 M
50.6 0 32 (interval must correctly decrypt.  If called in some other
context, the results are undefined.  The validity in\255) W
3600 -55648 M
(terval is not checked.) h
2154 -57680 M
(3\)) h
3600 -57680 M
(Initialize all other entries in the cache to missing.) h
-8503 8502 T
R

showpage
$P e

%%Page: 51 51
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(51) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(d\)) h
2154 -750 M
88.1 0 32 (If there is a cache entry and if the "Public Key of Client
Principal" field is present and if the "UID of Client) W
2154 -1800 M
(Principal" field is present and matches the UID in the Login Ticket, then:) h
2154 -3727 M
(1\)) h
3600 -3727 M
50.6 0 32 (Set the Public Key of the principal field in the Claimant
information to be the Public Key of Client Princi\255) W
3600 -4777 M
(pal.) h
2154 -6704 M
(2\)) h
3600 -6704 M
3.8 0 32 (If the "Full name of the principal" field is missing from the
claimant information of the claimant credentials,) W
3600 -7754 M
(then set it to the "Name of Client Principal" field from the cache.) h
709 -9881 M
(e\)) h
2154 -9881 M
99.9 0 32 (If there is a cache entry and if the "Name of Client
Principal" field is present and if it matches the principal) W
2154 -10931 M
(name supplied to this routine and if the UID in the cache matches the
UID in the Login Ticket, return True.) h
709 -13058 M
(f\)) h
2154 -13058 M
316.9 0 32 (Call the Get_Pub_Keys subroutine with the name and verifier
credentials supplied to this routine and) W
2154 -14108 M
119.1 0 32 (Try_Hard=FALSE.  Ignore any keys retrieved where the
corresponding UID does not match the UID in the) W
2154 -15158 M
(claimant credentials.) h
709 -17285 M
(g\)) h
2154 -17285 M
117.2 0 32 (If the Public Key of the principal is missing from the
claimant information of the claimant credentials, then) W
2154 -18335 M
32.2 0 32 (attempt to verify the signature on the login ticket with
each public key returned by Get_Pub_Keys.  If verifica\255) W
2154 -19385 M
(tion succeeds:) h
2154 -21312 M
(1\)) h
3600 -21312 M
61.2 0 32 (Set the Public Key of the principal in the claimant
information of the claimant credentials to be the Public) W
3600 -22362 M
(Key that verified the ticket.) h
2154 -24289 M
(2\)) h
3600 -24289 M
49.2 0 32 (If the Full name of the principal in the claimant
information of the claimant credentials is missing, set it to) W
3600 -25339 M
(the name supplied to this routine.) h
2154 -27266 M
(3\)) h
3600 -27266 M
14.9 0 32 (If there is a cache entry, set the Name of Client Principal
to be the name supplied to this routine, the UID of) W
3600 -28316 M
0.9 0 32 (Client Principal to be the UID from the Login Ticket, and the
Public Key of Client Principal to be the Public) W
3600 -29366 M
(Key that verified the ticket.) h
2154 -31293 M
(4\)) h
3600 -31293 M
(Return True.) h
709 -33420 M
(h\)) h
2154 -33420 M
9.4 0 32 (If the Public Key of the principal is present in the claimant
information of the claimant credentials, then see if it) W
2154 -34470 M
(matches any of the public keys returned by Get_Pub_Keys.  If one of
them matches:) h
2154 -36397 M
(1\)) h
3600 -36397 M
49.2 0 32 (If the Full name of the principal in the claimant
information of the claimant credentials is missing, set it to) W
3600 -37447 M
(the name supplied to this routine.) h
2154 -39374 M
(2\)) h
3600 -39374 M
14.9 0 32 (If there is a cache entry, set the Name of Client Principal
to be the name supplied to this routine, the UID of) W
3600 -40424 M
0.9 0 32 (Client Principal to be the UID from the Login Ticket, and the
Public Key of Client Principal to be the Public) W
3600 -41474 M
(Key that verified the ticket.) h
2154 -43401 M
(3\)) h
3600 -43401 M
(Return True.) h
709 -45528 M
(i\)) h
2154 -45528 M
78.9 0 32 (If steps 7 & 8 fail, retry the call to Get_Pub_Keys with
Try_Hard=TRUE, and retry steps 7 & 8.  If they fail) W
2154 -46578 M
(again, return false.) h
0 -48855 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.10.10 ) h
3900 -48855 M
(Get Pub Keys) h
0 -51082 M
/Times-Roman-ISOLatin1 F 1000 o f
(Get_Pub_Keys\() h
0 -52182 M
(                                                 \255\255inputs) h
0 -53282 M
14256 -53282 M
(TA_credentials) h
30212 -53282 M
(Credentials) h
0 -54382 M
14256 -54382 M
(Try_Hard) h
30212 -54382 M
(Boolean,) h
0 -55482 M
14256 -55482 M
(Target Name) h
30212 -55482 M
(Name,) h
0 -56582 M
(                                                 \255\255outputs) h
0 -57682 M
14256 -57682 M
(Pub_keys) h
30212 -57682 M
(Set of Public key/UID pairs) h
-8503 8502 T
R

showpage
$P e

%%Page: 52 52
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(52) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
521.7 0 32 (This common subroutine is used in the execution of
Create_Token, Verify_Principal_Name, and Ver\255) W
0 -1800 M
88.7 0 32 (ify_Node_Name.  Given the name of a principal, it retrieves
a set of public key/UID pairs which authenticate that) W
0 -2850 M
38.7 0 32 (principal \(normally only one pair\).  It does this by
retrieving from the naming service a series of certificates, verify\255) W
0 -3900 M
(ing the signatures on those certificates, and verifying that the
sequence of certificates constitute a valid "treewalk".) h
0 -6107 M
19.3 0 32 (The credentials structure passed into this procedure
represent a starting point for the treewalk.  Included in these cre\255) W
0 -7157 M
105.7 0 32 (dentials will be the public key, UID, and name of an
authority that is trusted to authenticate all remote principals) W
0 -8207 M
(\(directly or indirectly\).) h
0 -10414 M
52.5 0 32 (The "Try_Hard" bit is a specification anomaly resulting from
the fact that caches maintained by this routine are not) W
0 -11464 M
45.9 0 32 (transparent to the calling routines.  It tells this
procedure to bypass caches when doing all name service lookups be\255) W
0 -12514 M
38.6 0 32 (cause the information in caches is believed to be stale.  In
general, a routine will call Get_Pub_Keys with Try_Hard) W
0 -13564 M
80.2 0 32 (set false and try to use the keys returned.  If use of those
keys fails, the calling routine may call this routine again) W
0 -14614 M
57.4 0 32 (with Try_Hard set true in hopes of getting additional keys. 
Routinely calling this routine with Try_Hard set true is) W
0 -15664 M
(likely to have adverse performance implications but would not affect
the correctness or the security of the operation.) h
0 -17871 M
9.8 0 32 (The name supplied is the full X.500 name of the principal for
whom public keys are needed as part of some authenti\255) W
0 -18921 M
(cation process.) h
0 -21128 M
5.4 0 32 (This procedure securely learns the public keys and UIDs of
foreign principals by constructing a valid chain of certifi\255) W
0 -22178 M
21.5 0 32 (cates between its trusted TA and the certificate naming the
foreign principal.  In the simplest case, where the TA has) W
0 -23228 M
124.2 0 32 (signed a certificate for the foreign principal, the chain
consists of a single certificate.  Otherwise, the chain must) W
0 -24278 M
37.2 0 32 (consist of a series of certificates where the first is
signed by the TA, the last is a certificate for the foreign principal,) W
0 -25328 M
(and the subject of each principal in the chain is the issuer of the next.) h
0 -27535 M
137.8 0 32 (What follows is first a definition of what constitutes a
valid chain of certificates followed by a model algorithm) W
0 -28585 M
(which constructs all of \(and only\) the valid chains which exist
between the TA and the target name.) h
0 -30792 M
25.5 0 32 (In order to limit the implications of the compromise of a
single CA, and also to limit the complexity of the search of) W
0 -31842 M
51.9 0 32 (the certificate space, there are restrictions on what
constitutes a valid chain of certificates from the TA to the Name) W
0 -32892 M
80.4 0 32 (provided.  The only CAs whose compromise should be able to
compromise an authentication are those controlling) W
0 -33942 M
82.7 0 32 (directories that are ancestors of one of the two names and
that are not above a common ancestor.  Therefore, only) W
0 -34992 M
54.8 0 32 (certificates signed by those CAs will be considered valid in
a certificate chain.  Normally, the CA for a directory is) W
0 -36042 M
84.0 0 32 (expected to certify a public key and UID for the CA of each
child directory and one parent directory.  A CA may) W
0 -37092 M
19.9 0 32 (also certify another CA for some remote part of the naming
hierarchy, and such certificates are necessary if there are) W
0 -38142 M
(no CAs assigned to directories high in the naming hierarchy.) h
0 -40349 M
(A certificate chain is considered ) h
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
(valid) h
/Times-Roman-ISOLatin1 F 1000 o f
( if it meets the following criteria:) h
709 -42556 M
(a\)) h
2154 -42556 M
40.0 0 32 (It must consist of zero or more ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
40.0 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
40.0 0 32 ( certificates, followed by zero or one ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
40.0 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
40.0 0 32 ( certificates, followed by zero) W
2154 -43606 M
(or more ) h
/Times-BoldItalic-ISOLatin1 F 1000 o f
(child) h
/Times-Roman-ISOLatin1 F 1000 o f
( certificates.) h
709 -45813 M
(b\)) h
2154 -45813 M
93.0 0 32 (The number of ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
93.0 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
93.0 0 32 ( certificates may not exceed the number of levels in the
naming hierarchy between the) W
2154 -46863 M
83.2 0 32 (TA name and the name of the least common ancestor in the
naming hierarchy between the TA name and the) W
2154 -47913 M
(target name.) h
709 -50120 M
(c\)) h
2154 -50120 M
(Each ) h
/Times-BoldItalic-ISOLatin1 F 1000 o f
(parent) h
/Times-Roman-ISOLatin1 F 1000 o f
( certificate must be stored in the naming service under the entry of its issuer.) h
709 -52327 M
(d\)) h
2154 -52327 M
64.7 0 32 (The subject of the ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
64.7 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
64.7 0 32 ( certificate \(if any\) must be an ancestor of the target name but m) W
64.7 0 32 (ust ) W
64.7 0 32 (be a ) W
64.7 0 32 (longe) W
64.7 0 32 (r name) W
2154 -53377 M
(than the least common ancestor of the TA name and the target name.) h
709 -55584 M
(e\)) h
2154 -55584 M
49.9 0 32 (The ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
49.9 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
49.9 0 32 ( certificate \(if any\) must have been stored in the naming
service under the entry of its issuer or there) W
2154 -56634 M
95.3 0 32 (must have been an indication in the naming service that
certificates signed by this issuer may be stored with) W
2154 -57684 M
(their subjects.) h
-8503 8502 T
R

showpage
$P e

%%Page: 53 53
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(53) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(f\)) h
2154 -750 M
51.0 0 32 (The issuer of each ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
51.0 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
51.0 0 32 ( certificate does not have stored with it in the naming service a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
51.0 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
51.0 0 32 ( certificate) W
51.0 0 32 ( with) W
2154 -1800 M
(the same issuer) h
( whose subject is an ancestor of the target name.) h
709 -3868 M
(g\)) h
2154 -3868 M
(Each ) h
/Times-BoldItalic-ISOLatin1 F 1000 o f
(child) h
/Times-Roman-ISOLatin1 F 1000 o f
( certificate must be stored in the naming service under the entry of
its subject.) h
709 -5936 M
(h\)) h
2154 -5936 M
80.1 0 32 (The subject of each ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
80.1 0 32 (child ) W
/Times-Roman-ISOLatin1 F 1000 o f
80.1 0 32 (certificate does not have associated with it in the naming service a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
80.1 0 32 (cross ) W
/Times-Roman-ISOLatin1 F 1000 o f
80.1 0 32 (certificate) W
2154 -6986 M
11.7 0 32 (with the same subject) W
11.7 0 32 ( whose issuer is the same as the issuer of any of the ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
11.7 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
11.7 0 32 ( certificates or the ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
11.7 0 32 (cross ) W
/Times-Roman-ISOLatin1 F 1000 o f
11.7 0 32 (certifi\255) W
2154 -8036 M
(cate of the chain.) h
709 -10104 M
(i\)) h
2154 -10104 M
62.3 0 32 (The subject of each certificate must be the issuer of the certificate ) W
62.3 0 32 (that ) W
62.3 0 32 (follows in the chain.  The equality test) W
2154 -11154 M
(can be met by either of two methods:) h
2154 -13022 M
(1\)) h
3600 -13022 M
39.3 0 32 (The public key of the subject in the earlier certificate
verifies the signature of the later and the subject UID) W
3600 -14072 M
(in the earlier certificate is equal to the issuer UID in the later; or) h
2154 -15940 M
(2\)) h
3600 -15940 M
78.8 0 32 (The public key of the subject in the earlier certificate
verifies the signature of the later,) W
78.8 0 32 ( the earlier lacks a) W
3600 -16990 M
2.7 0 32 (subject UID and/or the later lacks an issuer UID a) W
2.7 0 32 (nd the name of the subject in the earlier certificate is equal) W
3600 -18040 M
(to the name of the issuer in the later.) h
709 -20108 M
(j\)) h
2154 -20108 M
(The Public Key of the TA verifies the signature of the first certificate.) h
709 -22176 M
(k\)) h
2154 -22176 M
90.4 0 32 (The UID of the TA equals the UID of the issuer of the first
certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
90.4 0 32 (or) W
/Times-Roman-ISOLatin1 F 1000 o f
90.4 0 32 ( the UID is missing on one or both) W
2154 -23226 M
(places and the name of the TA equals the name of the issuer of the
first certificate.) h
709 -25294 M
(l\)) h
2154 -25294 M
(All of the certificates are valid X.509 encodings and the current time
is within all of their validity intervals.) h
0 -27362 M
(If a chain is ) h
/Times-BoldItalic-ISOLatin1 F 1000 o f
(valid) h
/Times-Roman-ISOLatin1 F 1000 o f
(, the name which it authenticates can be constructed as follows:) h
709 -29430 M
(a\)) h
2154 -29430 M
62.0 0 32 (If the chain contains a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
62.0 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
62.0 0 32 ( certificate, the name authenticated can be constructed by
taking the subject name) W
2154 -30480 M
14.6 0 32 (from the cross certificate and appending to it a relative
name for each child certificate which follows.  The rela\255) W
2154 -31530 M
(tive name is the extension by which the subject name in the child
certificate extends the issuer name.) h
709 -33598 M
(b\)) h
2154 -33598 M
97.1 0 32 (If the chain does not contain a ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
97.1 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
97.1 0 32 ( certificate, the name authenticated can be constructed by
taking the TA) W
2154 -34648 M
39.2 0 32 (name, truncating from it the last ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
39.2 0 32 (n) W
/Times-Roman-ISOLatin1 F 1000 o f
39.2 0 32 ( name components where ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
39.2 0 32 (n) W
/Times-Roman-ISOLatin1 F 1000 o f
39.2 0 32 ( is the number of ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
39.2 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
39.2 0 32 ( certificates in the chain,) W
2154 -35698 M
105.2 0 32 (and appending to the result a relative name for each child
certificate.  The relative name is the extension by) W
2154 -36748 M
(which the subject name in the child certificate extends the issuer name.) h
0 -38816 M
18.7 0 32 ( In the common case, the authenticated name will be the
subject name in the last certificate.  The authenticated name) W
0 -39866 M
75.4 0 32 (is constructed by the rules above to deal with namespace
reorganization.  If a branch of the namespace is renamed) W
0 -40916 M
61.3 0 32 (\(due to, for example, a corporate acquisition or
reorganization\), only the certificates around the break point need to) W
0 -41966 M
94.8 0 32 (be regenerated.  Certificates below the break will continue
to contain the old names \(until renewed\), but the algo\255) W
0 -43016 M
124.2 0 32 (rithms above assure the principals in that branch will be
able to authenticate as their new names.  Further, if the) W
0 -44066 M
20.0 0 32 (certificates at the branch point are maintained for both the
old and new names for an interim period, principals in the) W
0 -45116 M
99.9 0 32 (moved branch will be able to authenticate as either their
old or new names for that interim period without having) W
0 -46166 M
(duplicate certificates.) h
0 -48234 M
44.8 0 32 (A final complication that the algorithm must deal with is
the location of ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
44.8 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
44.8 0 32 ( certificates.  If a key is compromised) W
0 -49284 M
31.0 0 32 (or for some other reason it is important to revoke a
certificate ahead of its expiration, it is removed from the naming) W
0 -50334 M
11.4 0 32 (service.  This algorithm will only use certificates that it
has recently retrieved from the naming service, so revocation) W
0 -51384 M
69.4 0 32 (is as effective as the mechanisms that prevent impersonation
of the naming service.   There are plans to eventually) W
0 -52434 M
22.2 0 32 (use DASS mechanisms to secure access to the naming service;
until they are in place, name service impersonation is) W
0 -53484 M
48.2 0 32 (a theoretical threat to the security of revocation. 
Opinions differ as to whether it is a practical threat.  ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
48.2 0 32 (Child) W
/Times-Roman-ISOLatin1 F 1000 o f
48.2 0 32 ( certifi\255) W
0 -54534 M
10.6 0 32 (cates are always stored with the subject and will not be
found unless stored in the name server of the subject.  ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
10.6 0 32 (Parent) W
0 -55584 M
/Times-Roman-ISOLatin1 F 1000 o f
10.6 0 32 (certificates are always stored with the issuer and will not
be found unless stored in the name server of the issuer.  For) W
0 -56634 M
63.5 0 32 (best security, ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
63.5 0 32 (cross) W
/Times-Roman-ISOLatin1 F 1000 o f
63.5 0 32 ( certificates should be stored with the issuer because the
name server for the subject may not be) W
0 -57684 M
72.4 0 32 (adequately trustworthy to perform revocation.  There are
performance and availability penalties, however, in doing) W
-8503 8502 T
R

showpage
$P e

%%Page: 54 54
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(54) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
71.7 0 32 (so.  The architecture and the algorithm therefore support storing ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
71.7 0 32 (cross ) W
/Times-Roman-ISOLatin1 F 1000 o f
71.7 0 32 (certificates with either the issuer or the sub\255) W
0 -1800 M
17.3 0 32 (ject.  There must be some sort of flag in the name service
associated with the issuer saying whether ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
17.3 0 32 (cross ) W
/Times-Roman-ISOLatin1 F 1000 o f
17.3 0 32 (certificates) W
0 -2850 M
39.0 0 32 (from that issuer are permitted to be stored in the subject's
name service entry, and if that flag is set such certificates) W
0 -3900 M
(will be found and used.) h
0 -6091 M
41.6 0 32 (In order to make revocation effective, DASS must assure that
naming service caches do not become arbitrarily stale) W
0 -7141 M
106.6 0 32 (\(the allowed age of a cache entry is included in the sum
of times with together make up the revocation time\).  If) W
0 -8191 M
30.7 0 32 (DASS uses a naming service such as DNS that does not time
out cache entries, it must bypass cache on all calls and) W
0 -9241 M
58.1 0 32 (\(to achieve reasonable performance\) maintain its own
naming service cache.  It may be advantageous to maintain a) W
0 -10291 M
1.9 0 32 (cache in any case so the that the fact that the certificates
have been verified can be cached as well as the fact that they) W
0 -11341 M
(are current.) h
0 -13607 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(3.10.10.1 ) h
4400 -13607 M
(Basic Algorithm) h
0 -15873 M
/Times-Roman-ISOLatin1 F 1000 o f
98.5 0 32 (For ease of exposition, this first description will ignore
the operation of any caches.  Permissible modifications to) W
0 -16923 M
20.2 0 32 (take advantage of caches and enhance performance will be
covered in the next section.  This path will be followed if) W
0 -17973 M
(the Try_Hard bit is set True on the call.) h
0 -20164 M
100.0 0 32 (Rather than trying construct all possible chains between
the TA and the name to be authenticated \(in the event of) W
0 -21214 M
44.0 0 32 (multiple certificates per principal, there could be
exponentially many valid chains\), this algorithm computes a set of) W
0 -22264 M
28.5 0 32 (PK/UID/Name triples that are valid for each principal on the
path between the TA and the name to be authenticated. ) W
0 -23314 M
(By doing so, it minimizes the processing of redundant information.) h
709 -25505 M
(a\)) h
2154 -25505 M
(Determining path and initialization) h
2154 -27696 M
(Several state variables are manipulated during the tree walk. These are called:) h
2154 -29687 M
(1\)) h
3600 -29687 M
(Current\255directory\255name) h
3600 -30737 M
(This is the name indicating the current place in the tree walk. 
Initially, this is the name of the TA.) h
2154 -32728 M
(2\)) h
3600 -32728 M
(Least\255Common\255Ancestor\255Name) h
3600 -33778 M
123.8 0 32 (This is the portion of the names which is common to both
the CA and the Target.  This is computed at) W
3600 -34828 M
(initialization and does not change during the treewalk.) h
2154 -36819 M
(3\)) h
3600 -36819 M
(Trusted\255Key\255Set) h
3600 -37869 M
5.6 0 32 (For each name which is an ancestor of either the TA or the
Target but not of the Least\255Common\255Ancestor, a) W
3600 -38919 M
74.9 0 32 (list of PK/UID/Name triples.  This is initialized to a
single triple from the TA information in the supplied) W
3600 -39969 M
(credentials.) h
2154 -41960 M
(4\)) h
3600 -41960 M
(Search\255when\255descending) h
3600 -43010 M
75.9 0 32 (This is a list of PK/UID/Name triples of issuers that will
be trusted when descending the tree.  This set is) W
3600 -44060 M
(initially empty.) h
2154 -46051 M
(5\)) h
3600 -46051 M
(Saved\255RDNs) h
3600 -47101 M
128.6 0 32 (This is a sequence of Relative Distinguished Names \(RDNs\)
stripped off the right of the target name to) W
3600 -48151 M
(form Least\255common\255ancestor\255name.  This "stack" is initially
empty and is populated during Step 3.) h
709 -50342 M
(b\)) h
2154 -50342 M
(Ascending the "TA side" of the tree) h
2154 -52533 M
153.3 0 32 (While Current\255directory\255name is not identical to
Common\255point\255Name the algorithm moves up the tree. At) W
2154 -53583 M
(each step it does the following operations.) h
2154 -55574 M
(1\)) h
3600 -55574 M
27.4 0 32 (Find all cross certificates stored in the naming service
under Current\255directory\255name in which the subject is) W
3600 -56624 M
92.9 0 32 (an ancestor of the principal to be authenticated or an
indication that cross certificates from this issuer are) W
3600 -57674 M
5.3 0 32 (stored in the subject entry.  If there is an indication that
such certificates are stored in the subject entry, copy) W
-8503 8502 T
R

showpage
$P e

%%Page: 55 55
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(55) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
3600 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
133.0 0 32 (all triples in Trusted\255Key\255Set for
Current\255directory\255name into the "Search\255when\255descending"
list.  If any) W
3600 -1800 M
(such certificates are found, filter them to include only those which
meet the following criteria:) h
3600 -3499 M
(\(i\)) h
5669 -3499 M
32.6 0 32 (For some triple in the Trusted\255Key\255Set corresponding
to the Current\255directory\255name, the public key in) W
5669 -4549 M
105.0 0 32 (the triple verifies the signature on the certificate ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
105.0 0 32 (and either) W
/Times-Roman-ISOLatin1 F 1000 o f
105.0 0 32 ( the UID in the triple matches the issuer) W
5669 -5599 M
4.6 0 32 (UID in the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
4.6 0 32 (or) W
/Times-Roman-ISOLatin1 F 1000 o f
4.6 0 32 ( the UID in the triple and/or the certificate is missing and
the name in the triple) W
5669 -6649 M
(matches the issuer name in the certificate.) h
3600 -8348 M
(\(ii\)) h
5669 -8348 M
82.1 0 32 (No certificates were found signed by this issuer in which
the subject name is longer than the subject) W
5669 -9398 M
63.3 0 32 (name in this certificate \(i.e. if there are cross
certificates to two different ancestors, accept only those) W
5669 -10448 M
(which lead to the closest ancestor\).) h
3600 -12147 M
(\(iii\)) h
5669 -12147 M
(The current time is within the validity interval of the certificate.) h
2154 -14046 M
(2\)) h
3600 -14046 M
16.9 0 32 (If any cross certificates were found \(whether or not they
were all eliminated as part of the filtering process\),) W
3600 -15096 M
166.4 0 32 (set Current\255directory\255name to the longest name that
was found in any certificate and construct a set of) W
3600 -16146 M
20.9 0 32 (PK/UID/Name triples for that name from the certificates
which pass the filter and place them in the Trusted) W
3600 -17196 M
25.9 0 32 (Key Set associated with their subject.  Exit the ascending
tree loop at this point and proceed directly to step) W
3600 -18246 M
8.7 0 32 (3.  Note that this means that if there are cross certificates
to an ancestor of the target but they are all rejected) W
3600 -19296 M
25.9 0 32 (\(for example if they have expired\), the treewalk will ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
25.9 0 32 (not) W
/Times-Roman-ISOLatin1 F 1000 o f
25.9 0 32 ( construct a chain through the least common ances\255) W
3600 -20346 M
34.2 0 32 (tor and will ultimately fail unless a crosslink from a lower
ancestor is found stored with its subject.  This is) W
3600 -21396 M
(a security feature.) h
2154 -23295 M
(3\)) h
3600 -23295 M
29.2 0 32 (If no cross certificates are found, find all the parent
directory certificates for the directory whose name is in) W
3600 -24345 M
(the Current\255directory\255name.  Filter these to find only those
which meet the following criteria:) h
3600 -26044 M
(\(i\)) h
5669 -26044 M
(The current time is within the validity interval.) h
3600 -27743 M
(\(ii\)) h
5669 -27743 M
91.8 0 32 (For some triple corresponding to the
Current\255directory\255name, the public key in the triple verifies the) W
5669 -28793 M
23.6 0 32 (signature on the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
23.6 0 32 (and) W
/Times-Roman-ISOLatin1 F 1000 o f
23.6 0 32 ( ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
23.6 0 32 (either ) W
/Times-Roman-ISOLatin1 F 1000 o f
23.6 0 32 (the UID in the triple matches the issuer UID in the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
23.6 0 32 (or) W
5669 -29843 M
/Times-Roman-ISOLatin1 F 1000 o f
0.4 0 32 (the UID in the triple and/or the certificate is missing and
the name in the triple matches the issuer name) W
5669 -30893 M
(in the certificate.) h
2154 -32792 M
(4\)) h
3600 -32792 M
14.5 0 32 (Construct PK/UID/Name triples from the remaining
certificates for the directory whose name is constructed) W
3600 -33842 M
134.4 0 32 (by stripping the rightmost simple name from the
Current\255directory\255name and place them in the Trusted\255) W
3600 -34892 M
(Key\255Set.) h
2154 -36791 M
(5\)) h
3600 -36791 M
(Strip the rightmost simple name of the Current\255directory\255name.) h
2154 -38690 M
(6\)) h
3600 -38690 M
497.3 0 32 (Repeat from step \() W
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
497.3 0 32 (a) W
/Times-Roman-ISOLatin1 F 1000 o f
497.3 0 32 (\) \(testing to see if current\255directory\255name is the
same as Common\255point\255) W
3600 -39740 M
(Name\).) h
709 -41839 M
(c\)) h
2154 -41839 M
(Searching the "target side" of the tree for a crosslink:) h
2154 -43738 M
(1\)) h
3600 -43738 M
(Initialization: set Current\255directory\255name to the name supplied
as input to this procedure.) h
2154 -45637 M
(2\)) h
3600 -45637 M
136.4 0 32 (Retrieve from the naming service all cross certificates
associated with Current\255directory\255name.  Filter to) W
3600 -46687 M
(only those that meet the following criteria:) h
3600 -48386 M
(\(i\)) h
5669 -48386 M
(The current time is within their validity interval.) h
3600 -50085 M
(\(ii\)) h
5669 -50085 M
(The subject name is equal to Current\255directory\255name.) h
3600 -51784 M
(\(iii\)) h
5669 -51784 M
158.7 0 32 (For some PK/UID/Name triple in the
"Search\255when\255descending" list compiled while ascending the) W
5669 -52834 M
21.8 0 32 (tree, the Public Key verifies the signature on the certificate and ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
21.8 0 32 (either) W
/Times-Roman-ISOLatin1 F 1000 o f
21.8 0 32 ( the UID matches the issuer UID) W
5669 -53884 M
79.4 0 32 (in the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
79.4 0 32 (or ) W
/Times-Roman-ISOLatin1 F 1000 o f
79.4 0 32 (a UID is missing from the triple and/or the certificate and
the Name in the triple) W
5669 -54934 M
(matches the issuer name in the certificate.) h
3600 -56633 M
(\(iv\)) h
5669 -56633 M
122.9 0 32 (There are no certificates found meeting criteria \(ii\) and
\(iii\) matching a PK/UID/Name triple in the) W
5669 -57683 M
(Search\255when\255descending list whose subject is a directory lower
in the naming hierarchy.) h
-8503 8502 T
R

showpage
$P e

%%Page: 56 56
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(56) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(3\)) h
3600 -750 M
73.8 0 32 (If any qualifying certificates are found, construct
PK/UID/Name triples for each of them; these should ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
73.8 0 32 (re\255) W
3600 -1800 M
(place) h
/Times-Roman-ISOLatin1 F 1000 o f
( rather than supplement any triples already in the
Trusted\255key\255set for that directory.) h
2154 -3661 M
(4\)) h
3600 -3661 M
140.7 0 32 (If after steps \(b\) and \(c\), there are no PK/UID/Name
triples corresponding to Current\255directory\255name in) W
3600 -4711 M
29.6 0 32 (Trusted\255Key\255Set, shorten Current\255directory\255name
by one RDN \(pushing it onto the Saved\255RDNs stack\) and) W
3600 -5761 M
6.1 0 32 (repeat this process until Current\255directory\255name is
equal to Least\255common\255ancestor\255name ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
6.1 0 32 (or) W
/Times-Roman-ISOLatin1 F 1000 o f
6.1 0 32 ( there is at least) W
3600 -6811 M
(one triple in Trusted\255key\255set corresponding to
Current\255directory\255name..) h
709 -8872 M
(d\)) h
2154 -8872 M
(Descending the tree) h
2154 -10933 M
25.8 0 32 (While the list Saved\255RDNs is not Empty the algorithm
moves down the tree. At each step it does the following) W
2154 -11983 M
(operations.) h
2154 -13844 M
(1\)) h
3600 -13844 M
(Remove the first RDN from Saved\255RDNs and append it to the
Current\255directory\255name.) h
2154 -15705 M
(2\)) h
3600 -15705 M
(Find all the child directory certificates for the directory whose name
is in the current\255directory\255name.) h
2154 -17566 M
(3\)) h
3600 -17566 M
(Filter these certificates to find only those which meet the following criteria:) h
3600 -19227 M
(\(i\)) h
5669 -19227 M
(The current time is within the validity interval.) h
3600 -20888 M
(\(ii\)) h
5669 -20888 M
56.1 0 32 (For some PK/UID/Name triple in the Current\255key\255set for
the parent directory, the Public Key verifies) W
5669 -21938 M
14.4 0 32 (the signature on the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
14.4 0 32 (and either) W
/Times-Roman-ISOLatin1 F 1000 o f
14.4 0 32 ( the UID matches the issuer UID of the certificate ) W
/Times-BoldItalic-ISOLatin1 F 1000 o f
14.4 0 32 (or ) W
/Times-Roman-ISOLatin1 F 1000 o f
14.4 0 32 (the UID) W
5669 -22988 M
60.6 0 32 (is missing from the triple and/or the certificate and the
Name in the triple matches the issuer name in) W
5669 -24038 M
(the certificate.) h
3600 -25699 M
(\(iii\)) h
5669 -25699 M
82.4 0 32 (The issuer name in the certificate is a prefix of the
subject name and the difference between the two) W
5669 -26749 M
(names is the final RDN of Current\255directory\255name.) h
2154 -28610 M
(4\)) h
3600 -28610 M
183.9 0 32 (Take the key, UID, and name from each remaining certificate
and form a new triple corresponding to) W
3600 -29660 M
375.4 0 32 (Current\255directory\255name in Trusted\255Key\255Set. If
this set is empty then the algorithm exits with the) W
3600 -30710 M
('Incomplete\255chain\255of\255trustworthy\255CAs' error condition.) h
2154 -32571 M
(5\)) h
3600 -32571 M
(repeat from step \() h
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(a) h
/Times-Roman-ISOLatin1 F 1000 o f
(\), appending a new simple name to Current\255directory\255name.) h
709 -34632 M
(e\)) h
2154 -34632 M
(Find public keys:) h
2154 -36693 M
26.1 0 32 (If there are no triples in the Trusted\255Key\255Set for the
named principal, then the algorithm exits with the `Target\255) W
2154 -37743 M
18.7 0 32 (has\255no\255keys\255which\255can\255be\255trusted' error
condition. Otherwise, the Public Key and UID are extracted from each) W
2154 -38793 M
(pair, duplicates are eliminated, and this set is returned as the Pub_keys.) h
0 -40929 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(3.10.10.2 ) h
4400 -40929 M
(Allowed Variations \255 Caching) h
0 -43065 M
/Times-Roman-ISOLatin1 F 1000 o f
7.2 0 32 (Some use of caches can be implemented without affecting the
semantics of the Get_Pub_Keys routine.  For example,) W
0 -44115 M
79.4 0 32 (a crypto\255cache could remember the public key that
verified a signature in the past and could avoid the verification) W
0 -45165 M
33.6 0 32 (operation if the same key was used to verify the same data
structure again.  In some cases, however, it is impossible) W
0 -46215 M
(\(or at least inconvenient\) for a cache implementation to be
completely transparent.) h
0 -48276 M
103.8 0 32 (In particular, for good performance it is important that
certificates not be re\255retrieved from the naming service on) W
0 -49326 M
45.9 0 32 (every authentication.  This must be balanced against the
need to have changes to the contents of the naming service) W
0 -50376 M
22.9 0 32 (be reflected in DASS calls on a timely basis.  There are two
cases of interest: changes which cause an authentication) W
0 -51426 M
60.1 0 32 (which previously would have succeeded to fail and changes
which cause an authentication which previously would) W
0 -52476 M
(have failed to succeed.  These two cases are subject to different time
constraints.) h
0 -54537 M
24.3 0 32 (In general, changes that cause authentication to succeed
must be reflected quite quickly \255 on the order of minutes.  If) W
0 -55587 M
76.7 0 32 (a user attempts an operation, it fails, the user tracks down
a system manager and causes the appropriate updates to) W
0 -56637 M
63.2 0 32 (take place, and the user retries the operation, it is
unacceptable for the operation to continue to fail for an extended) W
0 -57687 M
(period because of stale caches.) h
-8503 8502 T
R

showpage
$P e

%%Page: 57 57
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(57) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
36.2 0 32 (Changes that cause authentication to fail must be reflected
reliably within a bounded period of time for security rea\255) W
0 -1800 M
48.0 0 32 (sons.  If a user leaves the company, it must be possible to
revoke his ability to ) W
48.0 0 32 (authenticate w) W
48.0 0 32 (ithin a relatively short) W
0 -2850 M
(period of time \255 say hours.) h
0 -5243 M
66.8 0 32 (These constraints mean that a naming service cache which
contains arbitrarily old information is unacceptable.  To) W
0 -6293 M
12.9 0 32 (meet the second constraint, naming service cache entries
must be timed out within a reasonable period of time unless) W
0 -7343 M
141.3 0 32 (in implementation verifies that the certificate is still
present \(a crypto\255cache which lasted longer would be legal;) W
0 -8393 M
65.4 0 32 (rather than deleting a name service cache entry, in
implementation might instead verify that the entry was still pre\255) W
0 -9443 M
(sent in the naming service.  This would avoid repeating the
cryptographic "verify"\).) h
0 -11836 M
69.4 0 32 (In order to assure that information cached for even a few
hours not deny authentication for that extended period, it) W
0 -12886 M
43.1 0 32 (must be possible to bypass caches when the result would
otherwise be a failure.  Since the performance of authenti\255) W
0 -13936 M
15.8 0 32 (cation failures is not a serious concern, it is acceptable
to expect that before an operation fails a retry will be made to) W
0 -14986 M
103.6 0 32 (the naming service to see if there are any new relevant
certificates \(or in certain obscure conditions, to see if any) W
0 -16036 M
(relevant certificates have been deleted\).) h
0 -18429 M
21.4 0 32 (If on a call to Get_Pub_Keys, the Try_Hard bit is True, then
this procedure must return results based on the contents) W
0 -19479 M
62.6 0 32 (of the naming service no more than five minutes previous
\(this would normally be accomplished by ignoring name) W
0 -20529 M
18.2 0 32 (service caches and making all operations directly to the
naming service\).  If the Try_Hard bit is False, this procedure) W
0 -21579 M
10.5 0 32 (may return results based on the contents of the naming
service any time in the previous few hours, in the sense that it) W
0 -22629 M
65.1 0 32 (may ignore any certificate added in the previous few hours
and may use any certificate deleted in the previous few) W
0 -23679 M
20.0 0 32 (hours.  Procedures which call this routine with Try_Hard set
to false must be prepared to call it again with Try_Hard) W
0 -24729 M
(True if their operation fails possibly from this result.) h
0 -27122 M
(The exact timer values for "five minutes" and "a few hours" are
expected to be implementation constants.) h
0 -29515 M
140.9 0 32 (In the envisioned implementation, the entire "ascending
treewalk" is retrieved, verified, and its digested contents) W
0 -30565 M
87.5 0 32 (cached when a principal first establishes credentials.  A
mechanism should be provided to refresh this information) W
0 -31615 M
83.8 0 32 (periodically for principals whose sessions might be long
lived, but it would probably be acceptable in the unlikely) W
0 -32665 M
11.3 0 32 (event of a user's ancestor) W
11.3 0 32 ('s keys) W
11.3 0 32 ( ) W
11.3 0 32 (c) W
11.3 0 32 (hanging to require that the user log out and log back in. 
This is consistent with the) W
0 -33715 M
(observed behavior of existing security mechanisms.) h
0 -36108 M
65.7 0 32 (The descending treewalk, on the other hand, is expected to
be maintained as a more conventional cache, where en\255) W
0 -37158 M
11.2 0 32 (tries are kept in a fixed amount of memory with a "least
recently used" replacement policy and a watchdog timer that) W
0 -38208 M
68.3 0 32 (assures that stale information is not kept indefinitely.  A
call to Get_Pub_Keys with Try_Hard set false would first) W
0 -39258 M
23.4 0 32 (check that cache for relevant certificates and only if none
were found there would it go out to the naming service.  If) W
0 -40308 M
77.6 0 32 (there were newer certificates in the naming service, they
might not be found and an authentication might therefore) W
0 -41358 M
(fail.) h
0 -43751 M
20.0 0 32 (When Try_Hard is false, an implementation may assume that
certificates not in the cache do not exist so long as that) W
0 -44801 M
12.9 0 32 (assumption does not cause an authentication to falsely
succeed.  In that case, it may only make that assumption if the) W
0 -45851 M
(certificates have been verified to not exist within the revocation
time \(a few hours\).) h
0 -48544 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(3.11 ) h
2800 -48544 M
(DASSlessness Determination Functions) h
0 -51387 M
/Times-Roman-ISOLatin1 F 1000 o f
34.6 0 32 (In order to provide better interoperability with alternative
authentication mechanisms and to provide backward com\255) W
0 -52437 M
121.9 0 32 (patibility with older \(insecure\) authentication
mechanisms, it is sometimes important to be able to determine in a) W
0 -53487 M
98.1 0 32 (secure way what the appropriate authentication mechanism is
for a particular named principal.  For some applica\255) W
0 -54537 M
8.3 0 32 (tions, this will be done by a local mechanism, where either
the person creating access control information must know) W
0 -55587 M
51.6 0 32 (and specify the mechanism for each principal or a system
administrator on the node must maintain a database map\255) W
0 -56637 M
46.9 0 32 (ping names to mechanisms.  Three applications come to mind
where scaleability makes such mechanisms implausi\255) W
0 -57687 M
(ble:) h
-8503 8502 T
R

showpage
$P e

%%Page: 58 58
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(58) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(a\)) h
2154 -750 M
71.2 0 32 (To transparently secure proxy\255based applications \(like
rlogin\) in an environment where some hosts have been) W
2154 -1800 M
15.9 0 32 (upgraded to support DASS and some have not, a node must be
willing to accept connections authenticated only) W
2154 -2850 M
17.8 0 32 (by their network addresses but only if they can be assured
that such nodes do not have DASS installed.  Access) W
2154 -3900 M
100.6 0 32 (to a resource becomes secure without administrative action
when all nodes authorized to access it have been) W
2154 -4950 M
(upgraded.) h
2154 -6000 M
2154 -7050 M
116.7 0 32 (In this scenario, the server node must be able to determine
whether the client node is DASSless in a secure) W
2154 -8100 M
(fashion.) h
709 -10373 M
(b\)) h
2154 -10373 M
12.1 0 32 (Similarly, in a mixed environment where some servers are
running DASS and some are not, it may be desirable) W
2154 -11423 M
124.8 0 32 (for clients to authenticate servers if they can but it
would be unacceptable for a client to stop being able to) W
2154 -12473 M
32.2 0 32 (access a DASSless server once DASS is installed on the
client.  In such a situation where server authentication) W
2154 -13523 M
61.3 0 32 (is desirable but not essential, the client would like to
determine in a secure fashion whether the server can ac\255) W
2154 -14573 M
(cept DASS authentication.) h
709 -16846 M
(c\)) h
2154 -16846 M
229.1 0 32 (In a DASS/Kerberos interoperability scenario, a server may
decide that Kerberos authentication is "good) W
2154 -17896 M
44.5 0 32 (enough" for principals that do not have DASS credentials
without introducing trust in on\255line authorities when) W
2154 -18946 M
48.8 0 32 (DASS credentials are available.  In parallel with case 1, we
want it to be true that when the last principal with) W
2154 -19996 M
63.9 0 32 (authority to access an object is upgraded to DASS, we
automatically cease to trust PasswdEtc servers without) W
2154 -21046 M
27.5 0 32 (administrative action on the part of the object owner.  For
this purpose, the authenticator must learn in a secure) W
2154 -22096 M
(fashion that the principal is incapable of DASS authentication.) h
0 -24369 M
65.3 0 32 (Reliably determining DASSlessness is optional for
implementations of DASS and for applications.  No other capa\255) W
0 -25419 M
(bilities of DASS rely on this one.) h
0 -27692 M
74.6 0 32 (The interface to the DASSlessness inquiry function is
specified as a call independent of all others.  This capability) W
0 -28742 M
58.8 0 32 (must be exposed to the calling application so that a server
that receives a request and no token can ask whether the) W
0 -29792 M
19.1 0 32 (named principal should be believed without a token.  It
might improve performance and usability if in real interfaces) W
0 -30842 M
76.9 0 32 (DASSlessness were returned in addition to a bad status on
the function that creates a token if the token is targeted) W
0 -31892 M
46.0 0 32 (toward a server incapable or processing it.  An application
could then decide whether to make the request without a) W
0 -32942 M
(token \(and give up server authentication\) or to abort the request.) h
0 -35365 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(3.11.1 ) h
3300 -35365 M
(Query DASSlessness) h
0 -37738 M
/Times-Roman-ISOLatin1 F 1000 o f
(Query_DASSlessness\() h
0 -38838 M
(                                                   \255\255inputs) h
0 -39938 M
14256 -39938 M
(verifying_credentials) h
30212 -39938 M
(Credentials,) h
0 -41038 M
14256 -41038 M
(principal_name) h
30212 -41038 M
(Name,) h
0 -42138 M
(                                                   \255\255outputs) h
0 -43238 M
14256 -43238 M
(alternate_authentication) h
30212 -43238 M
(Set of OIDs\)) h
0 -44561 M
63.9 0 32 (This function uses the verifying credentials to search for
an alternative authentication mechanism certificate for the) W
0 -45611 M
9.0 0 32 (named principal or for any CA on the path between the
verifying credentials and the named principal.  Such a certifi\255) W
0 -46661 M
33.8 0 32 (cate is identical to an DASS X.509 certificate except that
it lists a different algorithm identifier for the public key of) W
0 -47711 M
(the subject than that expected by DASS.) h
0 -49984 M
(This function is implemented identically to Get_Pub_Keys ) h
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
(except) h
/Times-Roman-ISOLatin1 F 1000 o f
(:) h
709 -52257 M
(a\)) h
2154 -52257 M
15.2 0 32 (If in any set of certificates found,) W
15.2 0 32 ( no valid DASS certificate is found and ) W
15.2 0 32 (one or more certificates are found that) W
2154 -53307 M
41.6 0 32 (would otherwise be valid except for an invalid subject
public key OID, the OID from that certificate or certifi\255) W
2154 -54357 M
(cates is returned and the algorithm terminates.) h
709 -56630 M
(b\)) h
2154 -56630 M
89.1 0 32 (On initial execution, Try_Hard=False.  If the first
execution fails to retrieve any valid PK/UID pairs but also) W
2154 -57680 M
(fails to find any invalid OID certificates, repeat the execution with
Try_Hard=True.) h
-8503 8502 T
R

showpage
$P e

%%Page: 59 59
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(59) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(c\)) h
2154 -750 M
97.1 0 32 (If the either execution finds PK/UID pairs or if neither
finds and invalid OID certificates, fail by returning a) W
2154 -1800 M
(null set.) h
0 -5974 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1600 o f
(4 ) h
1417 -5974 M
(Certificate and message formats) h
0 -8898 M
n 0.875 o f
(4.1 ) h
2126 -8898 M
(ASN.1 encoding) h
0 -11472 M
/Times-Roman-ISOLatin1 F 1000 o f
(Some definitions are taken from X.501 and X.509.) h
0 -13596 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(Dass DEFINITIONS ::=) h
0 -14870 M
0 -16144 M
(BEGIN) h
0 -17418 M
0 -18692 M
(\255\255CCITT Definitions:) h
0 -19892 M
(joint\255iso\255ccitt ) h
11520 -19892 M
(OBJECT IDENTIFIER ::= {2}) h
0 -21092 M
(ds) h
5760 -21092 M
11520 -21092 M
(OBJECT IDENTIFIER ::= {joint\255iso\255ccitt 5}) h
0 -22292 M
(algorithm) h
5760 -22292 M
11520 -22292 M
(OBJECT IDENTIFIER ::= {ds 8}) h
0 -23566 M
(encryptionAlgorithm) h
11520 -23566 M
(OBJECT IDENTIFIER ::= {algorithm 1}) h
0 -24840 M
(hashAlgorithm) h
11520 -24840 M
(OBJECT IDENTIFIER ::= {algorithm 2}) h
0 -26114 M
(signatureAlgorithm) h
11520 -26114 M
(OBJECT IDENTIFIER ::= {algorithm 3}) h
0 -27388 M
(rsa) h
5760 -27388 M
11520 -27388 M
(OBJECT IDENTIFIER ::= {encryptionAlgorithm 1}) h
0 -28662 M
0 -29862 M
(iso) h
5760 -29862 M
11520 -29862 M
(OBJECT IDENTIFIER ::= {1}) h
0 -31062 M
(identified\255organization) h
11520 -31062 M
(OBJECT IDENTIFIER ::= {iso 3}) h
0 -32262 M
(ecma) h
5760 -32262 M
11520 -32262 M
(OBJECT IDENTIFIER ::= {identified\255organization 12}) h
0 -33462 M
(member\255company) h
11520 -33462 M
(OBJECT IDENTIFIER ::= {ecma 2}) h
0 -34662 M
(digital) h
5760 -34662 M
11520 -34662 M
(OBJECT IDENTIFIER ::= {member\255company 1011}) h
0 -35936 M
0 -37136 M
(\255\2551989 OSI Implementors Workshop "Stable" Agreements) h
0 -38336 M
(oiw) h
5760 -38336 M
11520 -38336 M
(OBJECT IDENTIFIER ::= {identified\255organization 14}) h
0 -39536 M
(dssig) h
5760 -39536 M
11520 -39536 M
(OBJECT IDENTIFIER ::= {oiw 7}) h
0 -40736 M
(oiwAlgorithm) h
11520 -40736 M
(OBJECT IDENTIFIER ::= {dssig 2}) h
0 -41936 M
(oiwEncryptionAlgorithm) h
11520 -41936 M
(OBJECT IDENTIFIER ::= {oiwAlgorithm 1}) h
0 -43136 M
(oiwHashAlgorithm) h
11520 -43136 M
(OBJECT IDENTIFIER ::= {oiwAlgorithm 2}) h
0 -44336 M
(oiwSignatureAlgorithm) h
11520 -44336 M
(OBJECT IDENTIFIER ::= {oiwAlgorithm 3}) h
0 -45536 M
(oiwMD2) h
5760 -45536 M
11520 -45536 M
(OBJECT IDENTIFIER ::= {oiwHashAlgorithm 1} \255\255null parameter) h
0 -46736 M
(oiwMD2withRSA) h
11520 -46736 M
(OBJECT IDENTIFIER ::= {oiwSignatureAlgorithm 1} \255\255null parameter) h
0 -48010 M
0 -49210 M
(\255\255X.501 definitions) h
0 -50410 M
(AttributeType ::= OBJECT IDENTIFIER) h
0 -51610 M
(AttributeValue ::= ANY) h
0 -52810 M
(AttributeValueAssertion ::= SEQUENCE {AttributeType,AttributeValue}) h
0 -54084 M
0 -55284 M
(Name ::= CHOICE {) h
11520 -55284 M
(\255\255only one for now) h
0 -56484 M
5760 -56484 M
11520 -56484 M
(RDNSequence) h
0 -57684 M
5760 -57684 M
(            }) h
-8503 8502 T
R

showpage
$P e

%%Page: 60 60
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(60) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(RDNSequence ::= SEQUENCE OF RelativeDistinguishedName) h
0 -1968 M
0 -3168 M
(DistinguishedName ::= RDNSequence) h
0 -4386 M
0 -5586 M
(RelativeDistinguishedName ::= SET OF AttributeValueAssertion) h
0 -6804 M
0 -8004 M
(\255\255X.509 definitions \(with proposed 1992 extensions ) h
/NewCenturySchlbk-BoldItalic-ISOLatin1 $
/NewCenturySchlbk-BoldItalic & P
/NewCenturySchlbk-BoldItalic-ISOLatin1 F 1000 o f
(presumed) h
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(\)) h
0 -9222 M
0 -10440 M
(ENCRYPTED MACRO) h
11520 -10440 M
(::=) h
0 -11658 M
(BEGIN) h
0 -12876 M
(TYPE NOTATION) h
11520 -12876 M
(::= type\(ToBeEnciphered\)) h
0 -14094 M
(VALUE NOTATION) h
11520 -14094 M
(::= value\(VALUE BIT STRING\)) h
0 -15312 M
(END) h
5760 -15312 M
(\255\255 of ENCRYPTED) h
0 -16530 M
0 -17730 M
(SIGNED MACRO) h
11520 -17730 M
(::=) h
0 -18930 M
(BEGIN) h
0 -20130 M
(TYPE NOTATION) h
11520 -20130 M
(::= type \(ToBeSigned\)) h
0 -21330 M
(VALUE NOTATION) h
11520 -21330 M
(::= value \(VALUE) h
0 -22530 M
(SEQUENCE{) h
0 -23730 M
5760 -23730 M
(ToBeSigned,) h
0 -24930 M
5760 -24930 M
(AlgorithmIdentifier,) h
17280 -24930 M
(\255\255of the algorithm used to generate the signature) h
0 -26130 M
5760 -26130 M
(ENCRYPTED OCTET STRING) h
23040 -26130 M
(\255\255where the octet string is the result) h
0 -27330 M
5760 -27330 M
11520 -27330 M
17280 -27330 M
23040 -27330 M
(\255\255of the hashing of the value of) h
0 -28530 M
5760 -28530 M
11520 -28530 M
17280 -28530 M
23040 -28530 M
(\255\255"ToBeSigned") h
0 -29748 M
5760 -29748 M
(}) h
0 -30966 M
5760 -30966 M
11520 -30966 M
17280 -30966 M
(\)) h
0 -32184 M
(END) h
5760 -32184 M
(\255\255 of SIGNED) h
0 -33402 M
0 -34620 M
(SIGNATURE MACRO) h
11520 -34620 M
(::=) h
0 -35838 M
(BEGIN) h
0 -37056 M
(TYPE NOTATION) h
11520 -37056 M
(::= type \(OfSignature\)) h
0 -38274 M
(VALUE NOTATION) h
11520 -38274 M
(::= value \(VALUE) h
0 -39492 M
(SEQUENCE {) h
0 -40710 M
5760 -40710 M
(AlgorithmIdentifier,) h
17280 -40710 M
(\255\255of the algorithm used to compute the signature) h
0 -41928 M
5760 -41928 M
(ENCRYPTED OCTET STRING) h
23040 -41928 M
(\255\255 where the octet string is a function) h
0 -43146 M
5760 -43146 M
11520 -43146 M
17280 -43146 M
23040 -43146 M
(\255\255 \(e.g. a compressed or hashed version\)) h
0 -44364 M
5760 -44364 M
11520 -44364 M
17280 -44364 M
23040 -44364 M
(\255\255 of the value 'OfSignature', which may) h
0 -45582 M
5760 -45582 M
11520 -45582 M
17280 -45582 M
23040 -45582 M
(\255\255 include the identifier of the algorithm) h
0 -46800 M
5760 -46800 M
11520 -46800 M
17280 -46800 M
23040 -46800 M
(\255\255 used to compute the signature) h
0 -48018 M
5760 -48018 M
(}) h
0 -49236 M
5760 -49236 M
11520 -49236 M
17280 -49236 M
(\)) h
0 -50454 M
(END) h
5760 -50454 M
(\255\255 of SIGNATURE) h
0 -51672 M
0 -52872 M
(Certificate ::= SIGNED SEQUENCE {) h
0 -54072 M
5760 -54072 M
(version [0]) h
11520 -54072 M
17280 -54072 M
(Version DEFAULT v1988,) h
0 -55272 M
5760 -55272 M
(serialNumber) h
17280 -55272 M
(CertificateSerialNumber,) h
0 -56472 M
5760 -56472 M
(signature) h
11520 -56472 M
17280 -56472 M
(AlgorithmIdentifier,) h
0 -57672 M
5760 -57672 M
(issuer) h
11520 -57672 M
17280 -57672 M
(Name,) h
-8503 8502 T
R

showpage
$P e

%%Page: 61 61
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(61) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
5760 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(valid) h
11520 -750 M
17280 -750 M
(Validity,) h
0 -1950 M
5760 -1950 M
(subject) h
11520 -1950 M
17280 -1950 M
(Name,) h
0 -3150 M
5760 -3150 M
(subjectPublicKey) h
17280 -3150 M
(SubjectPublicKeyInfo,) h
0 -4350 M
5760 -4350 M
(issuerUID [1]) h
17280 -4350 M
(IMPLICIT UID OPTIONAL,) h
34560 -4350 M
(\255\255 v1992) h
0 -5550 M
5760 -5550 M
(subjectUID [2]) h
17280 -5550 M
(IMPLICIT UID OPTIONAL) h
34560 -5550 M
(\255\255 v1992) h
0 -6750 M
5760 -6750 M
(}) h
0 -7969 M
0 -9188 M
5760 -9188 M
(\255\255The Algorithm Identifier for both the signature field and in
the signature itself is:) h
0 -10407 M
5760 -10407 M
(\255\255) h
11520 -10407 M
(oiwMD2withRSA \(1.3.14.7.2.3.1\)) h
0 -11626 M
0 -12826 M
(Version ::= INTEGER {v1988\(0\), v1992\(1\)}) h
0 -14026 M
0 -15245 M
(CertificateSerialNumber ::= INTEGER) h
0 -16445 M
0 -17664 M
(Validity ::= SEQUENCE {) h
0 -18864 M
5760 -18864 M
(NotBefore) h
11520 -18864 M
(UTCTime,) h
0 -20064 M
5760 -20064 M
(NotAfter) h
11520 -20064 M
(UTCTime) h
0 -21264 M
5760 -21264 M
(}) h
0 -22464 M
0 -23664 M
0 -24864 M
(AlgorithmIdentifier ::= SEQUENCE {) h
0 -26083 M
5760 -26083 M
(algorithm) h
11520 -26083 M
(OBJECT IDENTIFIER,) h
0 -27283 M
5760 -27283 M
(parameter) h
11520 -27283 M
(ANY DEFINED BY algorithm OPTIONAL) h
0 -28502 M
5760 -28502 M
(}) h
0 -29721 M
0 -30940 M
(\255\255The algorithms we support in one context or another are:) h
0 -32159 M
5760 -32159 M
(\255\255oiwMD2withRSA \(1.3.14.7.2.3.1\) with parameter NULL) h
0 -33378 M
5760 -33378 M
(\255\255rsa \(2.5.8.1.1\) with parameter keysize INTEGER which is the
keysize in bits) h
0 -34597 M
5760 -34597 M
(\255\255decDEA \(1.3.12.1001.7.1.2\) with optional parameter missing) h
0 -35816 M
5760 -35816 M
(\255\255decDEAMAC \(1.3.12.2.1011.7.3.3\) with optional parameter missing) h
0 -37035 M
0 -38254 M
(SubjectPublicKeyInfo  ::=  SEQUENCE {) h
0 -39473 M
5760 -39473 M
(algorithm) h
11520 -39473 M
(AlgorithmIdentifier,) h
0 -40673 M
5760 -40673 M
11520 -40673 M
(\255\255 rsa \(2.5.8.1.1\)) h
0 -41892 M
5760 -41892 M
(subjectPublicKey) h
17280 -41892 M
(BIT STRING ) h
0 -43111 M
5760 -43111 M
11520 -43111 M
17280 -43111 M
(\255\255 the "bits" further decode into a DASS public key) h
0 -44330 M
5760 -44330 M
(}) h
0 -45549 M
0 -46768 M
(UID ::= BIT STRING) h
0 -47987 M
0 -49206 M
(\255\255 the following definitions are for Digital specified Algorithms) h
0 -50406 M
0 -51625 M
(cryptoAlgorithm OBJECT IDENTIFIER ::= {digital 7}) h
0 -52844 M
0 -54044 M
(decEncryptionAlgorithm) h
11520 -54044 M
(OBJECT IDENTIFIER ::= {cryptoAlgorithm 1}) h
0 -55244 M
(decHashAlgorithm) h
11520 -55244 M
(OBJECT IDENTIFIER ::= {cryptoAlgorithm 2}) h
0 -56444 M
(decSignatureAlgorithm) h
11520 -56444 M
(OBJECT IDENTIFIER ::= {cryptoAlgorithm 3}) h
0 -57663 M
(decDASSLessness) h
11520 -57663 M
(OBJECT IDENTIFIER ::= {cryptoAlgorithm 6}) h
-8503 8502 T
R

showpage
$P e

%%Page: 62 62
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(62) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
0 -1950 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(decMD2withRSA) h
11520 -1950 M
(OBJECT IDENTIFIER ::= {decSignatureAlgorithm 1}) h
0 -3150 M
(decMD4withRSA) h
11520 -3150 M
(OBJECT IDENTIFIER ::= {decSignatureAlgorithm 2}) h
0 -4350 M
(decDEAMAC) h
11520 -4350 M
(OBJECT IDENTIFIER ::= {decSignatureAlgorithm 3}) h
0 -5578 M
0 -6778 M
(decDEA) h
5760 -6778 M
11520 -6778 M
(OBJECT IDENTIFIER ::= {decEncryptionAlgorithm 2}) h
0 -8006 M
0 -9206 M
(decMD2) h
5760 -9206 M
11520 -9206 M
(OBJECT IDENTIFIER ::= {decHashAlgorithm 1}) h
0 -10406 M
(decMD4) h
5760 -10406 M
11520 -10406 M
(OBJECT IDENTIFIER ::= {decHashAlgorithm 2}) h
0 -11634 M
0 -12862 M
0 -14090 M
(ShortPosixTime ::= INTEGER) h
17280 -14090 M
(\255\255 number of seconds since base time) h
0 -15318 M
0 -16546 M
(LongPosixTime ::= SEQUENCE { ) h
0 -17746 M
5760 -17746 M
(INTEGER,) h
11520 -17746 M
17280 -17746 M
(\255\255 number of seconds since base time) h
0 -18946 M
5760 -18946 M
(INTEGER) h
11520 -18946 M
17280 -18946 M
(\255\255 number of nanoseconds since second) h
0 -20146 M
5760 -20146 M
(}) h
0 -21346 M
5760 -21346 M
0 -22574 M
0 -23802 M
(ShortPosixValidity ::=) h
11520 -23802 M
(SEQUENCE {) h
0 -25002 M
5760 -25002 M
(notBefore) h
11520 -25002 M
(ShortPosixTime,) h
0 -26202 M
5760 -26202 M
(notAfter) h
11520 -26202 M
(ShortPosixTime }) h
0 -27402 M
0 -28630 M
(\255\255Note: Annex C of X.509 prescribes the following format for the
representation of a public key, \255\255but) h
0 -29830 M
(does not give the structure a name.) h
0 -31058 M
0 -32286 M
(DASSPublicKey ::=  SEQUENCE {) h
0 -33486 M
5760 -33486 M
(modulus) h
11520 -33486 M
(INTEGER,) h
0 -34686 M
5760 -34686 M
(exponent) h
11520 -34686 M
(INTEGER ) h
0 -35886 M
5760 -35886 M
(}) h
0 -37114 M
0 -38342 M
(DASSPrivateKey ::= SEQUENCE {) h
0 -39542 M
5760 -39542 M
(p) h
11520 -39542 M
(INTEGER ,) h
17280 -39542 M
23040 -39542 M
28800 -39542 M
(\255\255 prime p) h
0 -40742 M
5760 -40742 M
(q [0]) h
11520 -40742 M
(IMPLICIT INTEGER OPTIONAL ,) h
28800 -40742 M
(\255\255 prime q) h
0 -41942 M
5760 -41942 M
(mod[1]) h
11520 -41942 M
(IMPLICIT INTEGER OPTIONAL,) h
28800 -41942 M
(\255\255 modulus) h
0 -43142 M
5760 -43142 M
(exp [2]) h
11520 -43142 M
(IMPLICIT INTEGER OPTIONAL,) h
28800 -43142 M
(\255\255 public exponent) h
0 -44342 M
5760 -44342 M
(dp [3]) h
11520 -44342 M
(IMPLICIT INTEGER OPTIONAL ,) h
28800 -44342 M
(\255\255 exponent mod p) h
0 -45542 M
5760 -45542 M
(dq [4]) h
11520 -45542 M
(IMPLICIT INTEGER OPTIONAL ,) h
28800 -45542 M
(\255\255 exponent mod q) h
0 -46742 M
5760 -46742 M
(cr [5]) h
11520 -46742 M
(IMPLICIT INTEGER OPTIONAL ,) h
28800 -46742 M
(\255\255 Chinese remainder coefficient) h
0 -47942 M
5760 -47942 M
(uid[6]) h
11520 -47942 M
(IMPLICIT UID OPTIONAL,) h
0 -49142 M
5760 -49142 M
(more[7]) h
11520 -49142 M
(IMPLICIT BIT STRING OPTIONAL) h
28800 -49142 M
(\255\255Reserved for future use) h
0 -50342 M
5760 -50342 M
(}) h
0 -51570 M
0 -52798 M
0 -54026 M
(LocalUserName) h
11520 -54026 M
(::= OCTET STRING) h
0 -55254 M
(ChannelId) h
5760 -55254 M
11520 -55254 M
(::= OCTET STRING) h
0 -56482 M
(VersionNumber   ) h
11520 -56482 M
(::= OCTET STRING \(SIZE\(3\)\)) h
0 -57682 M
5760 -57682 M
11520 -57682 M
17280 -57682 M
(\255\255 first octet is major version) h
-8503 8502 T
R

showpage
$P e

%%Page: 63 63
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(63) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
5760 -750 M
11520 -750 M
17280 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(\255\255 second octet is minor version) h
0 -1950 M
5760 -1950 M
11520 -1950 M
17280 -1950 M
(\255\255 third octet is ECO rev.) h
0 -3150 M
(versionZero  VersionNumber ::= '000000'H) h
0 -4350 M
0 -5591 M
(Authenticator ::= SIGNED SEQUENCE {) h
0 -6791 M
5760 -6791 M
(type) h
11520 -6791 M
17280 -6791 M
(BIT STRING,) h
0 -7991 M
5760 -7991 M
11520 -7991 M
17280 -7991 M
(   \255\255 first bit `delegation required') h
0 -9191 M
5760 -9191 M
11520 -9191 M
17280 -9191 M
(   \255\255 second bit `Mutual Authentication Requested') h
0 -10391 M
5760 -10391 M
(whenSigned ) h
17280 -10391 M
(LongPosixTime ,) h
0 -11591 M
5760 -11591 M
(channelId  [3]) h
17280 -11591 M
(IMPLICIT ChannelId OPTIONAL) h
0 -12791 M
5760 -12791 M
11520 -12791 M
(\255\255 channel bindings are included when doing the) h
0 -13991 M
5760 -13991 M
11520 -13991 M
(\255\255 signature, but excluded when transmitting the) h
0 -15191 M
5760 -15191 M
11520 -15191 M
(\255\255 Authenticator) h
0 -16391 M
5760 -16391 M
(} ) h
0 -17591 M
0 -18791 M
5760 -18791 M
11520 -18791 M
(\255\255 uses decDEAMAC \(1.3.12.2.1011.7.3.3\)) h
0 -19991 M
0 -21232 M
(EncryptedKey ::= SEQUENCE {) h
0 -22432 M
5760 -22432 M
(algorithm) h
11520 -22432 M
(        AlgorithmIdentifier,) h
0 -23673 M
5760 -23673 M
11520 -23673 M
17280 -23673 M
(\255\255 uses rsa \(2.5.8.1.1\)) h
0 -24914 M
5760 -24914 M
(encryptedAuthKey) h
17280 -24914 M
(BIT STRING) h
0 -26155 M
5760 -26155 M
11520 -26155 M
17280 -26155 M
(\255\255 as defined in section 4.4.5) h
0 -27355 M
5760 -27355 M
(}) h
0 -28596 M
0 -29837 M
(SignatureOnEncryptedKey ::=  SIGNATURE EncryptedKey) h
0 -31037 M
5760 -31037 M
11520 -31037 M
(\255\255 uses oiwMD2withRSA \(1.3.14.7.2.3.1\)) h
0 -32237 M
5760 -32237 M
11520 -32237 M
(\255\255 Signature bits computed over EncryptedKey structure) h
0 -33478 M
0 -34719 M
0 -35960 M
(LoginTicket ::= SIGNED SEQUENCE {) h
0 -37160 M
5760 -37160 M
(version [0]) h
11520 -37160 M
17280 -37160 M
(IMPLICIT VersionNumber DEFAULT versionZero,) h
0 -38360 M
5760 -38360 M
(validity ) h
11520 -38360 M
17280 -38360 M
(ShortPosixValidity ,) h
0 -39560 M
5760 -39560 M
(subjectUID) h
11520 -39560 M
17280 -39560 M
(UID ,) h
0 -40760 M
5760 -40760 M
(delegatingPublicKey) h
17280 -40760 M
(SubjectPublicKeyInfo) h
0 -41960 M
5760 -41960 M
(} ) h
0 -43160 M
5760 -43160 M
(\255\255 uses oiwMD2withRSA \(1.3.14.7.2.3.1\)) h
0 -44360 M
5760 -44360 M
0 -45601 M
(Delegator ::= SEQUENCE {) h
0 -46801 M
5760 -46801 M
(algorithm) h
11520 -46801 M
17280 -46801 M
(AlgorithmIdentifier ) h
0 -48001 M
5760 -48001 M
11520 -48001 M
17280 -48001 M
(\255\255 decDEA encryption \(1.3.12.1001.7.1.2\)) h
0 -49201 M
5760 -49201 M
(encryptedPrivKey) h
17280 -49201 M
(ENCRYPTED  DASSPrivateKey,) h
0 -50401 M
5760 -50401 M
11520 -50401 M
17280 -50401 M
(\255\255 \(only p is included\)) h
0 -51601 M
5760 -51601 M
(}) h
0 -52842 M
0 -54083 M
(UserClaimant ::=  SEQUENCE {) h
0 -55283 M
5760 -55283 M
(userTicket [0]) h
17280 -55283 M
(IMPLICIT LoginTicket,) h
0 -56483 M
5760 -56483 M
(evidence  CHOICE {) h
0 -57683 M
5760 -57683 M
11520 -57683 M
(delegator [1]) h
23040 -57683 M
(IMPLICIT Delegator ,) h
-8503 8502 T
R

showpage
$P e

%%Page: 64 64
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(64) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
5760 -750 M
11520 -750 M
17280 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(     \255\255 encrypted delegation private key) h
0 -1950 M
5760 -1950 M
11520 -1950 M
17280 -1950 M
(     \255\255 under DES authenticating key) h
0 -3150 M
5760 -3150 M
11520 -3150 M
17280 -3150 M
(     \255\255 present if delegating) h
0 -4350 M
5760 -4350 M
11520 -4350 M
(sharedKeyTicketSignature [2]) h
0 -5550 M
5760 -5550 M
11520 -5550 M
17280 -5550 M
(IMPLICIT SignatureOnEncryptedKey) h
0 -6750 M
5760 -6750 M
11520 -6750 M
17280 -6750 M
(     \255\255 present if not delegating) h
0 -7950 M
5760 -7950 M
11520 -7950 M
(} ,) h
0 -9150 M
5760 -9150 M
(userName [3]) h
17280 -9150 M
(IMPLICIT Name OPTIONAL) h
0 -10350 M
5760 -10350 M
11520 -10350 M
17280 -10350 M
(     \255\255 name of user principal) h
0 -11550 M
5760 -11550 M
(}) h
0 -12783 M
0 -14016 M
(EncryptedKeyandUserName ::= SEQUENCE {) h
0 -15249 M
5760 -15249 M
(encryptedKey) h
17280 -15249 M
(EncryptedKey ,) h
0 -16482 M
5760 -16482 M
(username) h
11520 -16482 M
17280 -16482 M
(LocalUserName) h
0 -17715 M
5760 -17715 M
(}) h
0 -18948 M
(        ) h
0 -20181 M
(SignatureOnEncryptedKeyandUserName ::= ) h
0 -21381 M
5760 -21381 M
(SIGNATURE EncryptedKeyandUserName) h
0 -22581 M
5760 -22581 M
11520 -22581 M
( \255\255 uses oiwMD2withRSA \(1.3.14.7.2.3.1\)) h
0 -23781 M
5760 -23781 M
11520 -23781 M
(\255\255 Signature bits computed over ) h
0 -24981 M
5760 -24981 M
11520 -24981 M
(\255\255 EncryptedKeyandUserName structure) h
0 -26181 M
5760 -26181 M
11520 -26181 M
(\255\255 using node private key) h
0 -27414 M
5760 -27414 M
(}) h
0 -28647 M
0 -29880 M
(NodeClaimant ::= SEQUENCE {) h
0 -31080 M
5760 -31080 M
(nodeTicket Signature[0]) h
17280 -31080 M
(IMPLICIT) h
0 -32280 M
5760 -32280 M
11520 -32280 M
(SignatureOnEncryptedKeyandUserName,) h
0 -33480 M
5760 -33480 M
(nodeName [1]) h
17280 -33480 M
(IMPLICIT Name OPTIONAL,) h
0 -34680 M
5760 -34680 M
(username  [2]) h
17280 -34680 M
(IMPLICIT LocalUserName OPTIONAL) h
0 -35880 M
5760 -35880 M
(}) h
0 -37113 M
0 -38346 M
0 -39579 M
(AuthenticationToken ::= SEQUENCE {) h
0 -40779 M
5760 -40779 M
(version [0]) h
11520 -40779 M
17280 -40779 M
(IMPLICIT VersionNumber DEFAULT versionZero,) h
0 -41979 M
5760 -41979 M
(authenticator [1]) h
17280 -41979 M
(IMPLICIT Authenticator , ) h
0 -43179 M
5760 -43179 M
(encryptedKey [2]) h
17280 -43179 M
(IMPLICIT EncryptedKey OPTIONAL ,) h
0 -44379 M
5760 -44379 M
11520 -44379 M
17280 -44379 M
(     \255\255 required if initiating token) h
0 -45579 M
5760 -45579 M
(userclaimant [3]) h
17280 -45579 M
(IMPLICIT UserClaimant OPTIONAL ,) h
0 -46779 M
5760 -46779 M
11520 -46779 M
17280 -46779 M
(     \255\255 missing if only doing node authentication) h
0 -47979 M
5760 -47979 M
11520 -47979 M
17280 -47979 M
(     \255\255 required if not doing node authentication) h
0 -49179 M
5760 -49179 M
(nodeclaimant [4]) h
17280 -49179 M
(IMPLICIT NodeClaimant OPTIONAL) h
0 -50379 M
5760 -50379 M
11520 -50379 M
17280 -50379 M
(    \255\255 missing if only doing principal authentication) h
0 -51579 M
5760 -51579 M
11520 -51579 M
17280 -51579 M
(    \255\255 required if not doing principal authentication) h
0 -52779 M
5760 -52779 M
(}) h
0 -54012 M
0 -55245 M
(MutualAuthenticationToken ::= CHOICE {) h
0 -56478 M
5760 -56478 M
(v1Response [0] IMPLICIT  OCTET STRING \(SIZE\(6\)\)) h
0 -57678 M
5760 -57678 M
11520 -57678 M
17280 -57678 M
(\255\255 Constructed as follows:  A single DES block) h
-8503 8502 T
R

showpage
$P e

%%Page: 65 65
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(65) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
5760 -750 M
11520 -750 M
17280 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(\255\255 of eight octets is constructed from the two) h
0 -1950 M
5760 -1950 M
11520 -1950 M
17280 -1950 M
(\255\255 integers in the timestamp.  First four bytes) h
0 -3150 M
5760 -3150 M
11520 -3150 M
17280 -3150 M
(\255\255 are the high order integer encoded MSB) h
0 -4350 M
5760 -4350 M
11520 -4350 M
17280 -4350 M
(\255\255 first; Last four bytes are the low order) h
0 -5550 M
5760 -5550 M
11520 -5550 M
17280 -5550 M
(\255\255 integer encoded MSB first.  The block is) h
0 -6750 M
5760 -6750 M
11520 -6750 M
17280 -6750 M
(\255\255 encrypted using the shared DES key, and) h
0 -7950 M
5760 -7950 M
11520 -7950 M
17280 -7950 M
(\255\255 the first six bytes are the OCTET STRING.) h
0 -9150 M
5760 -9150 M
11520 -9150 M
17280 -9150 M
(\255\255 With the [0] type and 6\255byte length, the) h
0 -10350 M
5760 -10350 M
11520 -10350 M
17280 -10350 M
(\255\255 MutualAuthenticationToken has a fixed) h
0 -11550 M
5760 -11550 M
11520 -11550 M
17280 -11550 M
(\255\255 length of eight bytes.) h
0 -12855 M
5760 -12855 M
(}) h
0 -14055 M
0 -15360 M
(END) h
0 -16965 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(4.2 ) h
2126 -16965 M
(Encoding Rules) h
0 -19570 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
139.4 0 32 (Whenever a structure is to be signed it must always be
constructed the same way. This is particularly important) W
0 -20620 M
124.2 0 32 (where a signed structure has to be reconstructed by the
recipient before the signature is verified. The rules listed) W
0 -21670 M
(below are taken from X.509.) h
709 -23825 M
/Symbol F 1000 o f
(-) h
2154 -23825 M
/Times-Roman-ISOLatin1 F 1000 o f
(the definite form of length encoding shall be used, encoded in the
minimum number of octets;) h
709 -25980 M
/Symbol F 1000 o f
(-) h
2154 -25980 M
/Times-Roman-ISOLatin1 F 1000 o f
(for string types, the constructed form of encoding shall not be used;) h
709 -28135 M
/Symbol F 1000 o f
(-) h
2154 -28135 M
/Times-Roman-ISOLatin1 F 1000 o f
(if the value of a type is its default value, it shall be absent;) h
709 -30290 M
/Symbol F 1000 o f
(-) h
2154 -30290 M
/Times-Roman-ISOLatin1 F 1000 o f
(the components of a Set type shall be encoded in ascending order of
their tag value;) h
709 -32445 M
/Symbol F 1000 o f
(-) h
2154 -32445 M
/Times-Roman-ISOLatin1 F 1000 o f
(the components of a Set\255of type shall be encoded in ascending order
of their octet value;) h
709 -34600 M
/Symbol F 1000 o f
(-) h
2154 -34600 M
/Times-Roman-ISOLatin1 F 1000 o f
(if the value of a Boolean type is true, the encoding shall have its
contents octet set to `FF') h
0.0 -448.0 m
(16) h
0 448.0 m
(;) h
709 -36755 M
/Symbol F 1000 o f
(-) h
2154 -36755 M
/Times-Roman-ISOLatin1 F 1000 o f
(each unused bits in the final octet of the encoding of a BitString
value, if there are any, shall be set to zero;) h
709 -38910 M
/Symbol F 1000 o f
(-) h
2154 -38910 M
/Times-Roman-ISOLatin1 F 1000 o f
2.1 0 32 (the encoding of a Real type shall be such that bases 8, 10
and 16 shall not  be used, and the binary scaling factor) W
2154 -39960 M
(shall be zero.) h
0 -42415 M
/Times-Bold-ISOLatin1 F 1400 o f
(4.3 ) h
2126 -42415 M
(Version numbers and forward compatibility) h
0 -45020 M
/Times-Roman-ISOLatin1 F 1000 o f
137.6 0 32 (The LoginTicket and AuthenticationToken structures contain
a three octet version identifier which is intended to) W
0 -46070 M
32.8 0 32 (ease transition to future revisions of this architecture. 
The default value, and the value which should always be sup\255) W
0 -47120 M
69.9 0 32 (plied by implementations of this version of the architecture
is 0.0.0 \(three zero octets\).  The first octet is the major) W
0 -48170 M
96.3 0 32 (version.  An implementation of this version of the
architecture should refuse to process data structures where it is) W
0 -49220 M
68.5 0 32 (other than zero, because changing it indicates that the
interpretation of some subsidiary data structure has changed. ) W
0 -50270 M
22.4 0 32 (The second octet is the minor version.  An implementation of
this version of the architecture should ignore the value) W
0 -51320 M
17.9 0 32 (of this octet.  Some future version of the architecture may
set a value other than zero and may specify some different) W
0 -52370 M
54.9 0 32 (processing of the remainder of the structure based on that
different value.  Such a change would be backward com\255) W
0 -53420 M
2.1 0 32 (patible and interoperable.  The third octet is the ECO
revision.  No implementation should make any processing deci\255) W
0 -54470 M
(sions based on the value of that octet.  It may be logged, however, to
help in debugging interoperability problems.) h
0 -56625 M
21.1 0 32 (In the CDC protocol, there is also a three octet version
numbering scheme, where versions 1.0.0 and 2.0.0 have been) W
0 -57675 M
(defined.  Implementations should follow the same rules above and
reject major version numbers greater than 2.) h
-8503 8502 T
R

showpage
$P e

%%Page: 66 66
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(66) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
43.8 0 32 (ASN.1 is inherently extensible because it allows new fields
to be added "onto the end" of existing data structures in) W
0 -1800 M
31.4 0 32 (an unambiguous way.  Implementations of DASS are encouraged
to ignore any such additional fields in order to en\255) W
0 -2850 M
62.8 0 32 (hance backwards compatibility with future versions of the
architecture.  Unfortunately, commonly available ASN.1) W
0 -3900 M
21.8 0 32 (compilers lack this capability, so this behavior cannot
reasonably be required and may limit options for future exten\255) W
0 -4950 M
(sions.) h
0 -7414 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(4.4 ) h
2126 -7414 M
(Cryptographic Encoding) h
0 -10028 M
/Times-Roman-ISOLatin1 F 1000 o f
52.4 0 32 (Some of the substructures listed in the previous sections
are specified as ENCRYPTED OCTET STRINGs contain\255) W
0 -11078 M
24.9 0 32 (ing encrypted information.  DASS uses the DES, RSA, and MD2
cryptosystems  Each of those cryptosystems speci\255) W
0 -12128 M
50.8 0 32 (fies a function from octet string into another in the
presence of a key \(except MD2, which is keyless\).  This section) W
0 -13178 M
(describes how to form the octet strings on which the DES and RSA
operations are performed. ) h
0 -15492 M
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.1 ) h
2834 -15492 M
(Algorithm Independence vs. Key Parity) h
0 -17756 M
/Times-Roman-ISOLatin1 F 1000 o f
95.1 0 32 (All of the defined encodings for DASS for secret key
encryption are based on DES.  It is intended, however, that) W
0 -18806 M
72.3 0 32 (other cryptosystems could be substituted without any other
changes for formats or algorithms.  The required "form) W
0 -19856 M
17.0 0 32 (factor" for such a cryptosystem is that it have a 64 bit key
and operate on 64 bit blocks \(this appears to be a common) W
0 -20906 M
27.0 0 32 (form factor for a cryptosystem\).  For this reason, DES keys
are in all places treated as though they were 64 bits long) W
0 -21956 M
109.0 0 32 (rather than 56.  Only in the operation of the algorithm
itself are eight bits of the key dropped and key parity bits) W
0 -23006 M
(substituted. Choosing a key always involves picking a 64 bit random number.) h
0 -25320 M
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.2 ) h
2834 -25320 M
(Password Hashing) h
0 -27584 M
/Times-Roman-ISOLatin1 F 1000 o f
66.5 0 32 (Encrypted credentials are encrypted using DES as described
in the next section.  The key for that encryption is de\255) W
0 -28634 M
(rived from the user's password and name by the following algorithm:) h
709 -30798 M
(a\)) h
2154 -30798 M
58.3 0 32 (Put the rightmost RDN of the user's name in canonical form
according to BER and the X.509 encoding rules. ) W
2154 -31848 M
21.4 0 32 (For any string types that are case insensitive, map to upper
case, and where matching is independent of number) W
2154 -32898 M
(of spaces collapse all multiple spaces to a single space and delete
leading and trailing spaces.) h
2154 -33948 M
2154 -34998 M
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
50.8 0 32 (Note:  the RDN is used to add "salt" to the hash calculation
so that someone can't precompute the hash of all) W
2154 -36048 M
76.1 0 32 (the words in a dictionary and then apply them against all
names.  Deriving the salt from the last RDN of the) W
2154 -37098 M
41.3 0 32 (name is a compromise.  If it were derived from the whole
name, all encrypted keys would be obsoleted when a) W
2154 -38148 M
70.4 0 32 (branch of the namespace was renamed.  If it were independent
of name, interaction with a login agent would) W
2154 -39198 M
22.0 0 32 (take two extra messages to retrieve the salt.  With this
scheme, encrypted keys are obsoleted by a change in the) W
2154 -40248 M
23.0 0 32 (last RDN and if a final RDN is common to a large number of
users, dictionary attacks against them are easier;) W
2154 -41298 M
(but the common case works as desired.) h
709 -43462 M
/Times-Roman-ISOLatin1 F 1000 o f
(b\)) h
2154 -43462 M
152.4 0 32 (Compute TEMP as the MD2 message digest of the concatenation
of the password and the RDN computed) W
2154 -44512 M
(above.) h
709 -46676 M
(c\)) h
2154 -46676 M
118.3 0 32 (Repeat the following 40 times:  Use the first 64 bits of
TEMP as a DES key to encrypt the second 64 bits; ) W
2154 -47726 M
(XOR the result with the ) h
(first ) h
(64) h
( b) h
(its of TEMP; and compute a new TEMP as MD2 of the 128 bit result.) h
709 -49890 M
(d\)) h
2154 -49890 M
11.2 0 32 (Use the final 64 bits of the result \(called hash1\) as the
key to decrypt the encrypted credentials.  Use the first 64) W
2154 -50940 M
(bits \(called hash2\) as the proof of knowledge of the password for
presentation to a login agent \(if any\).) h
0 -53254 M
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.3 ) h
2834 -53254 M
(Digital DEA encryption) h
0 -55518 M
/Times-Roman-ISOLatin1 F 1000 o f
(DES encryption is used in the following places:) h
709 -57682 M
/Symbol F 1000 o f
(-) h
2154 -57682 M
/Times-Roman-ISOLatin1 F 1000 o f
(In the encryption of the encrypted credentials structure) h
-8503 8502 T
R

showpage
$P e

%%Page: 67 67
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(67) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Symbol F 1000 o f
(-) h
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(To encrypt the delegator in authentication tokens) h
709 -3097 M
/Symbol F 1000 o f
(-) h
2154 -3097 M
/Times-Roman-ISOLatin1 F 1000 o f
(To encrypt the time in the mutual authenticator) h
0 -5444 M
46.7 0 32 (In the first two cases, a varying length block of
information coded in ASN.1 is encrypted.  This is done by dividing) W
0 -6494 M
56.1 0 32 (the block of information into 8 octet blocks, padding the
last block with zero bytes if necessary, and encrypting the) W
0 -7544 M
(result using the CBC mode of DES.  A zero IV is used.) h
0 -9891 M
98.3 0 32 (In the third case, a fixed length \(8 byte\) quantity \(a
timestamp\) is encrypted.  The timestamp is mapped to a byte) W
0 -10941 M
(string using "big endian" order and the block is encrypted using the
ECB mode of DES.) h
0 -13438 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.4 ) h
2834 -13438 M
( Digital MAC Signing) h
0 -15885 M
/Times-Roman-ISOLatin1 F 1000 o f
7.4 0 32 (DES signing is used in the Authenticator.  Here, the
signature is computed over an ASN.1 structure.  The signature is) W
0 -16935 M
13.6 0 32 (the CBC residue of the structure padded to a multiple of
eight bytes with zeros.  The CBC is computed with an IV of) W
0 -17985 M
(zero.) h
0 -20482 M
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.5 ) h
2834 -20482 M
(RSA Encryption) h
0 -22929 M
/Times-Roman-ISOLatin1 F 1000 o f
112.9 0 32 (RSA encryption is used in the Encrypted Shared Key.  RSA
encryption is best thought of as operating on blocks) W
0 -23979 M
74.8 0 32 (which are integers rather than octet strings and the results
are also integers.  Because an RSA encryption permutes) W
0 -25029 M
87.1 0 32 (the integers between zero and \() W
87.1 0 32 (modulus\2551\)) W
87.1 0 32 (, it is generally thought of as acting on a block of size
\(keysizeinbits\2551\)) W
0 -26079 M
2.0 0 32 (and producing a block of size \(keysizeinbits\) where
keysizeinbits is the smallest number of bits in which the modulus) W
0 -27129 M
(can be represented.) h
0 -29476 M
(DASS only supports key sizes which are a multiple of eight bits.) h
n 0.666 o f
0.0 448.0 m
(9) h
0 -448.0 m
0 -31823 M
n 1.502 o f
(The encrypted shared key structure is laid out as follows:) h
709 -34170 M
/Symbol F 1000 o f
(-) h
2154 -34170 M
/Times-Roman-ISOLatin1 F 1000 o f
(The DES key to be shared is placed in the ) h
(last ) h
(eight) h
( ) h
(bytes) h
709 -36517 M
/Symbol F 1000 o f
(-) h
2154 -36517 M
/Times-Roman-ISOLatin1 F 1000 o f
80.2 0 32 (The ) W
80.2 0 32 (POSIX format ) W
80.2 0 32 (creation time ) W
80.2 0 32 (encoded in four bytes using big endian byte order i) W
80.2 0 32 (s placed in the ) W
80.2 0 32 (next ) W
80.2 0 32 (four) W
2154 -37567 M
(\(from the end\) ) h
(bytes) h
709 -39914 M
/Symbol F 1000 o f
(-) h
2154 -39914 M
/Times-Roman-ISOLatin1 F 1000 o f
36.3 0 32 (The ) W
36.3 0 32 (POSIX format ) W
36.3 0 32 (expiration time ) W
36.3 0 32 (encoded in four bytes using big endian byte order i) W
36.3 0 32 (s placed in the ) W
36.3 0 32 (next ) W
36.3 0 32 (four) W
2154 -40964 M
(\(from the end\) ) h
(bytes) h
709 -43311 M
/Symbol F 1000 o f
(-) h
2154 -43311 M
/Times-Roman-ISOLatin1 F 1000 o f
(Four zero bytes are placed in the ) h
(next f) h
(our ) h
(\(from the end\) ) h
(bytes) h
709 -45658 M
/Symbol F 1000 o f
(-) h
2154 -45658 M
/Times-Roman-ISOLatin1 F 1000 o f
(The ) h
(first ) h
(byte contains the constant '64' \(decimal\)) h
709 -48005 M
/Symbol F 1000 o f
(-) h
2154 -48005 M
/Times-Roman-ISOLatin1 F 1000 o f
110.8 0 32 (All remaining bytes are filled with random bytes \(the
security of the system does not depend on the crypto\255) W
2154 -49055 M
37.4 0 32 (graphic randomness of these bytes, but they should not be a
frequently repeating or predic) W
37.4 0 32 (ta) W
37.4 0 32 (ble value.  Repeat\255) W
2154 -50105 M
(ing the DES key from the l) h
(ast ) h
(bytes would be good\).) h
0 -52452 M
24.3 0 32 (The RSA algorithm is applied to the integer) W
24.3 0 32 ( ) W
24.3 0 32 (formed) W
24.3 0 32 ( by treating the bytes above as an integer in big endian order ) W
24.3 0 32 (and) W
0 -53502 M
(the resulting integer is converted to a) h
( BIT ) h
(STRING by laying out the integer in 'big endian' order.) h
0 -55849 M
0.6 0 32 (On decryption, the process is reversed; the decryptor should
verify the four explicitly zero bytes but should not verify) W
0 -56899 M
(the contents of the high order byte or the random bytes.) h
-8503 8502 T
R

S
8496 -67104 T
N
0 G
576 -900 M
/Times-Roman-ISOLatin1 F 800 o f
0.0 358.0 m
(9) h
0 -358.0 m
976 -900 M
12.6 0 32 (This restriction is only required to support interoperation
with certain existing implementations.  If the key size is not a
multiple of eight bits,) W
576 -1800 M
49.7 0 32 (the high order byte may not be able to hold values as large
as the mandated '64'.  This is not a problem so long as the two high order bytes) W
576 -2600 M
14.7 0 32 (together are non\255zero, but certain early implementations
check for the value '64' and will not interoperate with implementations
that use some) W
576 -3400 M
(other value.) h
-8496 67104 T
R

showpage
$P e

%%Page: 68 68
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(68) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -900 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.6 ) h
2834 -900 M
(oiwMD2withRSA Signatures) h
0 -3050 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
48.8 0 32 (RSA\255MD2 signatures are used on certificates, login
tickets, shared key tickets, and node tickets.  In all cases, a sig\255) W
0 -4100 M
(nature is computed on an ASN.1 encoded string using an) h
( ) h
(RSA private key.  This is done as follows:) h
709 -6150 M
/Symbol F 1000 o f
(-) h
2154 -6150 M
/Times-Roman-ISOLatin1 F 1000 o f
(The MD2 algorithm is applied to the ASN.1 encoded string to produce a
128 bit message digest) h
709 -8200 M
/Symbol F 1000 o f
(-) h
2154 -8200 M
/Times-Roman-ISOLatin1 F 1000 o f
(The message digest is placed in the low order bytes of the RSA block
\(big endian\)) h
709 -10250 M
/Symbol F 1000 o f
(-) h
2154 -10250 M
/Times-Roman-ISOLatin1 F 1000 o f
(The next two lowest order bytes are the ASN.1 'T' and 'L' for an OCTET STRING.) h
709 -12300 M
/Symbol F 1000 o f
(-) h
2154 -12300 M
/Times-Roman-ISOLatin1 F 1000 o f
(The remainder of the RSA block is filled with zeros) h
709 -14350 M
/Symbol F 1000 o f
(-) h
2154 -14350 M
/Times-Roman-ISOLatin1 F 1000 o f
8.4 0 32 (The RSA operation is performed, and the resulting integer is
converted to an octet string by laying out the bytes) W
2154 -15400 M
(in big endian order.) h
0 -17450 M
86.6 0 32 (On verification, a value like the above ) W
/Times-BoldItalic-ISOLatin1 $
/Times-BoldItalic & P
/Times-BoldItalic-ISOLatin1 F 1000 o f
86.6 0 32 (or) W
/Times-Roman-ISOLatin1 F 1000 o f
86.6 0 32 ( one where the message digest is present but the 'T' and 'L'
are missing) W
0 -18500 M
(\(zero\) should be accepted for backwards compatibility with an
earlier definition of this crypto algorithm.) h
0 -20700 M
/Times-Bold-ISOLatin1 F 1200 o f
(4.4.7 ) h
2834 -20700 M
(decMD2withRSA Signatures) h
0 -22850 M
/Times-Roman-ISOLatin1 F 1000 o f
67.5 0 32 (This algorithm is the same as the oiwMD2withRSA algorithm as
defined above.  We allocated an algorithm object) W
0 -23900 M
120.8 0 32 (identifier from the Digital space in case the definition of
that OID should change.  It will not be used unless the) W
0 -24950 M
(meaning of oiwMD2withRSA becomes unstable.) h
-8503 8502 T
R

showpage
$P e

%%Page: 69 69
/$P a D
g N
0 79200 T
S
S
8488 -1910 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39771 -900 M
(October 1991) h
0 -2284 M
-8488 1910 T
R

S
8488 -72021 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42572 -900 M
(Page ) h
(69) h
-8488 72021 T
R

R
S
8590 -8532 T
N
0 G
19926 -1350 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1800 o f
(Annex A ) h
26924 -1350 M
18201 -3350 M
(Typical Usage) h
-8590 8532 T
R

S
8504 -24096 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 F 1000 o f
15.1 0 32 (This annex describes one way a system could use DASS
services \(as described in section 3\) to provide security serv\255) W
0 -1800 M
23.9 0 32 (ices.  While this example provided motivation for some of
the properties of DASS, it is not intended to represent the) W
0 -2850 M
(only way that DASS may be used.  This goes through the steps that
would be needed to install DASS "from scratch".) h
0 -5246 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(A.1 ) h
2411 -5246 M
(Creating a CA) h
0 -7792 M
/Times-Roman-ISOLatin1 F 1000 o f
86.3 0 32 (A CA is created by initializing its state. Each CA can sign
certificates that will be placed in some directory in the) W
0 -8842 M
25.5 0 32 (name service. Before these certificates will be believed in
a wider context than the sub\255tree of the name space which) W
0 -9892 M
40.8 0 32 (is headed by that directory, the CA must be certified by a
CA for the parent directory. The procedure below accom\255) W
0 -10942 M
76.3 0 32 (plishes this. For most secure operation, the CA should run
on an off\255line system and communicate with the rest of) W
0 -11992 M
5.8 0 32 (the network by interchanging files using a simple specialized
mechanism such as an RS232 line or a floppy disk. It is) W
0 -13042 M
(assumed that access to the CA is controlled and that the CA will
accept instructions from an operator.) h
709 -15138 M
/Symbol F 1000 o f
(-) h
2154 -15138 M
/Times-Roman-ISOLatin1 F 1000 o f
(Call Install_CA to create the CA State.) h
2154 -16188 M
(This state is saved within the CA system and is never disclosed.) h
709 -18284 M
/Symbol F 1000 o f
(-) h
2154 -18284 M
/Times-Roman-ISOLatin1 F 1000 o f
13.5 0 32 (If this is the first CA in the namespace and the CA is
intended to certify only members of a single directory, we) W
2154 -19334 M
24.5 0 32 (are done.  Otherwise, the new CA must be linked into the CA
hierarchy by cross\255certifying the parent and chil\255) W
2154 -20384 M
80.2 0 32 (dren of this CA.  There is no requirement that CA
hierarchies be created from the root down, but to simplify) W
2154 -21434 M
16.8 0 32 (exposition, only this case will be described.  The newly
created CA must learn its name, its UID, the UID of its) W
2154 -22484 M
135.6 0 32 (parent directory, and the public key of the parent
directory CA by some out of band reliable means.  Most) W
2154 -23534 M
60.8 0 32 (likely, this would be done by looking up the information in
the naming service and asking the CA operator to) W
2154 -24584 M
47.3 0 32 (verify it.  The CA then forms this information into a ) W
/Times-Italic-ISOLatin1 $
/Times-Italic & P
/Times-Italic-ISOLatin1 F 1000 o f
47.3 0 32 (parent) W
/Times-Roman-ISOLatin1 F 1000 o f
47.3 0 32 ( certificate and signs it using the Create_certificate) W
2154 -25634 M
(function.  It communicates the certificate to the network and posts it
in the naming service.) h
709 -27730 M
/Symbol F 1000 o f
(-) h
2154 -27730 M
/Times-Roman-ISOLatin1 F 1000 o f
81.7 0 32 (This name, UID, and public key of the new CA are taken to
the CA of the parent directory, which verifies it) W
2154 -28780 M
121.5 0 32 (\(again by some unspecified out\255of\255band mechanism\)
and calls Create_Certificate to create a ) W
/Times-Italic-ISOLatin1 F 1000 o f
121.5 0 32 (child ) W
/Times-Roman-ISOLatin1 F 1000 o f
121.5 0 32 (certificate) W
2154 -29830 M
(using its own Name and UID in the issuer fields. This certificate is
also placed in the naming service.) h
0 -31926 M
7.2 0 32 (A CA can sign certificates for more than one directory. In
this case it is possible that a single CA will take the role of) W
0 -32976 M
6.3 0 32 (both CAs in the example above. The above procedure can be
simplified in this case, as no interchange of information) W
0 -34026 M
(is required.) h
0 -36422 M
/Times-Bold-ISOLatin1 F 1400 o f
(A.2 ) h
2411 -36422 M
(Creating a User Principal) h
0 -38968 M
/Times-Roman-ISOLatin1 F 1000 o f
64.8 0 32 (A system manager may create a new user principal by invoking
the Create_principal function supplying the princi\255) W
0 -40018 M
45.9 0 32 (pal's name, UID, and the public key/UID of the parent CA. 
The public key and UID must be obtained in a reliable) W
0 -41068 M
17.3 0 32 (out of band manner.  This is probably by having knowledge of
that information "wired into" the utility which creates) W
-8504 24096 T
R

showpage
$P e

%%Page: 70 70
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(70) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
74.1 0 32 (new principals.  At account creation time, the system
manager must supply what will become the user's password. ) W
0 -1800 M
52.0 0 32 (This might be done by having the user present and directly
enter a password or by having the password selected by) W
0 -2850 M
(some random generator.) h
0 -5037 M
110.1 0 32 (The trusted authority certificate and corresponding user
public key generated by the Create_principal function are) W
0 -6087 M
5.6 0 32 (sent to the CA which verifies its contents \(again by an
out\255of\255band mechanism\) and signs a corresponding certificate. ) W
0 -7137 M
44.3 0 32 (The encrypted credentials, CA signed certificate, and
trusted authority certificates are all placed in the naming serv\255) W
0 -8187 M
(ice.) h
0 -10374 M
(The process by which the password is made known to the user must be
protected by some out\255of\255band mechanism.) h
0 -12561 M
97.1 0 32 (In some cases the principal may wish to generate its own
key, and not use the Encrypted_Credentials. \(E.g. if the) W
0 -13611 M
39.0 0 32 (Principal is represented by a Smart Card\). This may be done
using a procedure similar to the one for creating a new) W
0 -14661 M
(CA.) h
0 -17148 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(A.3 ) h
2411 -17148 M
(Creating a Server Principal) h
0 -19785 M
/Times-Roman-ISOLatin1 F 1000 o f
56.4 0 32 (A server also has a public/private key pair. Conceptually,
the same procedure used to create a user principal can be) W
0 -20835 M
4.4 0 32 (used to create a server.  In practice, the most important
difference  is likely to be how the password is protected when) W
0 -21885 M
(installing it on a server compared to giving it to a user. ) h
0 -24072 M
38.7 0 32 (A server may wish to retrieve \(and store\) its Encrypted
Credentials directly and never have them placed in the nam\255) W
0 -25122 M
90.1 0 32 (ing service. In this case some other mechanism can be used
\(e.g. passing the floppy disk containing the encrypted) W
0 -26172 M
59.4 0 32 (credentials to the server\). This would require a variant of
the Initialize_Server routine which does not fetch the En\255) W
0 -27222 M
(crypted Credentials from the naming service.) h
0 -29709 M
/Times-Bold-ISOLatin1 F 1400 o f
(A.4 ) h
2411 -29709 M
(Booting a Server Principal) h
0 -32346 M
/Times-Roman-ISOLatin1 F 1000 o f
87.3 0 32 (When the server first boots it needs its name \(unreliably\)
and password \(reliably\). It then calls Initialize_Server to) W
0 -33396 M
28.4 0 32 (obtain its credentials and trusted authority certificates
\(which it will later need in order to authenticate users\).  These) W
0 -34446 M
155.7 0 32 (credentials never time out, and are expected to be saved
for a long time.  In particular the associated Incoming) W
0 -35496 M
2.1 0 32 (Timestamp List must be preserved while there are any
timestamps on it. It is desirable to preserve the Cached Incom\255) W
0 -36546 M
(ing Contexts as long as there are any contexts likely to be reused.) h
0 -38733 M
60.5 0 32 (If a server wants to initiate associations on its own behalf
then it must call Generate_Server_Ticket.  It must repeat) W
0 -39783 M
(this at intervals if the expiration period expires.) h
0 -41970 M
85.2 0 32 (A node that wishes to do node authentication \(or which acts
as a server under its own name\) must be created as a) W
0 -43020 M
(server.) h
0 -45507 M
/Times-Bold-ISOLatin1 F 1400 o f
(A.5 ) h
2411 -45507 M
(A user logs on to the network) h
0 -48144 M
/Times-Roman-ISOLatin1 F 1000 o f
2.0 0 32 (The system that the user logs onto finds the user's name and
password. It then calls Network_Login to obtain creden\255) W
0 -49194 M
116.5 0 32 (tials for the user. These credentials are saved until the
user wants to make a network connection. The credentials) W
0 -50244 M
69.2 0 32 (have a time limit, so the user will have to obtain new
credentials in order to make connections after the time limit.) W
0 -51294 M
77.6 0 32 (The credentials are then checked by calling
Verify_Principal_Name, in order to check that the key specified in the) W
0 -52344 M
(encrypted credentials has been certified by the CA.) h
0 -54531 M
118.7 0 32 (If the system does source node authentication it will call
Combine_credentials, once the local username has been) W
0 -55581 M
34.3 0 32 (found. \(This can either be found by looking the principal's
global name up in a file, or the user can be asked to give) W
0 -56631 M
26.9 0 32 (the local name directly. Alternatively the user can be asked
to give his local username, which the system looks up to) W
0 -57681 M
(find the global name\).) h
-8503 8502 T
R

showpage
$P e

%%Page: 71 71
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(71) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -1050 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(A.6 ) h
2411 -1050 M
(An Rlogin \(TCP/IP\) connection is made) h
0 -3550 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
8.9 0 32 (When the user calls a modified version of the rlogin utility,
it calls Create_token in order to create the Initial Authen\255) W
0 -4600 M
48.0 0 32 (tication Token, which is passed to the other system as part
of the rlogin protocol.  The rlogind utility at the destina\255) W
0 -5650 M
69.9 0 32 (tion node calls Accept_token to verify it.  It then looks up
in a local rhosts\255like database to determine whether this) W
0 -6700 M
199.0 0 32 (global user is allowed access to the requested destination
account.  It calls Verify_principal_name and/or Ver\255) W
0 -7750 M
21.2 0 32 (ify_node_name to confirm the identity of the requester.  If
access is allowed, the connection is accepted and the Mu\255) W
0 -8800 M
(tual Authentication Token is returned in the response message.) h
0 -10850 M
20.2 0 32 (The source receives the returned Mutual Authentication Token
and uses it to confirm it communicating with the cor\255) W
0 -11900 M
(rect destination node.) h
0 -13950 M
60.3 0 32 (Rlogind then calls Combine_credentials to combine its
node/account information with the global user identification) W
0 -15000 M
(in the received credentials in case the user accesses any network
resources from the destination system.) h
0 -17350 M
/Times-Bold-ISOLatin1 F 1400 o f
(A.7 ) h
2411 -17350 M
(A Transport\255Independent Connection) h
0 -19850 M
/Times-Roman-ISOLatin1 F 1000 o f
36.6 0 32 (As an alternative to the description in A.6, an application
wishing to be portable between different underlying trans\255) W
0 -20900 M
49.6 0 32 (ports may call create_token to create an authentication
token which it then sends to its peer.  The peer can then call) W
0 -21950 M
(accept_token and verify_principal_name and learn the identity of the requester.) h
-8503 8502 T
R

showpage
$P e

%%Page: 72 72
/$P a D
g N
0 79200 T
S
S
8488 -1910 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39771 -900 M
(October 1991) h
0 -2284 M
-8488 1910 T
R

S
8488 -72021 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42572 -900 M
(Page ) h
(72) h
-8488 72021 T
R

R
S
8590 -8532 T
N
0 G
19975 -1350 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1800 o f
(Annex B ) h
26874 -1350 M
14949 -3350 M
(Support of the GSSAPI) h
-8590 8532 T
R

S
8504 -24096 T
N
0 G
0 -750 M
/Times-Roman-ISOLatin1 F 1000 o f
2.6 0 32 (In order to support applications which need to be portable
across a variety of underlying security mechanisms, a "Ge\255) W
0 -1800 M
94.2 0 32 (neric Security Service API" \(or GSSAPI\) was designed which
gives access to a common core of security services) W
0 -2850 M
106.7 0 32 (expected to be provided by several mechanisms.  The GSSAPI
was designed with DASS, Kerberos V4, and Ker\255) W
0 -3900 M
12.6 0 32 (beros V5 in mind, and could be written as a front end to any
or all of those systems.  It is hoped that it could serve as) W
0 -4950 M
(an interface to other security systems as well.) h
0 -7013 M
40.1 0 32 (Application portability requires that the security services
supported be comparable.  Applications using the GSSAPI) W
0 -8063 M
37.8 0 32 (will not be able to access all of the features of the
underlying security mechanisms.  For example, the GSSAPI does) W
0 -9113 M
61.9 0 32 (not allow access to the "node authentication" features of
DASS.  To the extent the underlying security mechanisms) W
0 -10163 M
108.3 0 32 (do not support all the features of GSSAPI, applications
using those features will not be portable to those security) W
0 -11213 M
44.5 0 32 (mechanisms.  For example, Kerberos V4 does not support
delegation, so applications using that feature of the GSS\255) W
0 -12263 M
(API will not be portable to Kerberos V4.) h
0 -14326 M
(This annex explains how the GSSAPI can be implemented using the
primitive services provided by DASS.) h
0 -16689 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(B.1 ) h
2334 -16689 M
(Summary of GSSAPI) h
0 -19202 M
/Times-Roman-ISOLatin1 F 1000 o f
80.9 0 32 (The latest draft of the GSSAPI specification is available as
an internet draft.  The following is a brief summary of) W
0 -20252 M
148.5 0 32 (that evolving document and should not be taken as
definitive.  Included here are only those aspects of GSSAPI) W
0 -21302 M
(whose implementation would be DASS specific.) h
0 -23365 M
120.9 0 32 (The GSSAPI provides four classes of functions: Credential
Management, Context\255Level Calls, Per\255message calls,) W
0 -24415 M
26.4 0 32 (and Support Calls; two types of objects: Credentials and
Contexts; and two kinds of data structures to be transmitted) W
0 -25465 M
5.6 0 32 (as opaque byte strings: Tokens and Messages. Credentials hold
keys and support information used in creating tokens. ) W
0 -26515 M
(Contexts hold keys and support information used in signing and
encrypting messages.) h
0 -28578 M
105.9 0 32 (The Credential Management functions of GSSAPI are
"incomplete" in the sense that one could not build a useful) W
0 -29628 M
31.9 0 32 (security implementation using only GSSAPI.  Functions which
create credentials based on passwords or smart cards) W
0 -30678 M
51.5 0 32 (are needed but not provided by GSSAPI.  It is envisioned
that such functions would be invoked by security mecha\255) W
0 -31728 M
51.2 0 32 (nism specific functions at user login or via some separate
utility rather than from within applications intended to be) W
0 -32778 M
(portable.  The Credential Management functions available to portable
applications are:) h
709 -34841 M
/Symbol F 1000 o f
(-) h
2154 -34841 M
/Times-Roman-ISOLatin1 F 1000 o f
(GSS_Acquire_cred:  get a handle to an existing credential structure
based on a name or process default.) h
709 -36904 M
/Symbol F 1000 o f
(-) h
2154 -36904 M
/Times-Roman-ISOLatin1 F 1000 o f
(GSS_Release_cred:  release credentials after use.) h
0 -38967 M
135.9 0 32 (The Context\255Level Calls use credentials to establish
contexts.  Contexts are like connections: they are created in) W
0 -40017 M
102.4 0 32 (pairs and are generally used at the two ends of a
connection to process messages associated with that connection. ) W
0 -41067 M
(The Context\255Level Calls of interest are:) h
-8504 24096 T
R

showpage
$P e

%%Page: 73 73
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(73) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
709 -750 M
/Symbol F 1000 o f
(-) h
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
6.4 0 32 (GSS_Init_sec_context:  given credentials and the name of a
destination, create a new context and a token which) W
2154 -1800 M
(will permit the destination to create a corresponding context.) h
709 -3902 M
/Symbol F 1000 o f
(-) h
2154 -3902 M
/Times-Roman-ISOLatin1 F 1000 o f
41.4 0 32 (GSS_Accept_sec_context:  given credentials and an incoming
token, create a context corresponding to the one) W
2154 -4952 M
(at the initiating end and provide information identifying the initiator.) h
709 -7054 M
/Symbol F 1000 o f
(-) h
2154 -7054 M
/Times-Roman-ISOLatin1 F 1000 o f
(GSS_Delete_sec_context:  delete a context after use.) h
0 -9156 M
45.9 0 32 (The Per\255Message Calls use contexts to sign, verify,
encrypt, and decrypt messages between the holders of matching) W
0 -10206 M
(contexts.  The Per\255Message Calls are:) h
709 -12308 M
/Symbol F 1000 o f
(-) h
2154 -12308 M
/Times-Roman-ISOLatin1 F 1000 o f
78.6 0 32 (GSS_Sign:  Given a context and a message, produces a string
of bytes which constitute a signature on a pro\255) W
2154 -13358 M
(vided message.) h
709 -15460 M
/Symbol F 1000 o f
(-) h
2154 -15460 M
/Times-Roman-ISOLatin1 F 1000 o f
140.2 0 32 (GSS_Verify:  Given a context, a message, and the bytes
returned by GSS_Sign, verifies the message to be) W
2154 -16510 M
(authentic \(unaltered since it was signed by the corresponding context\).) h
709 -18612 M
/Symbol F 1000 o f
(-) h
2154 -18612 M
/Times-Roman-ISOLatin1 F 1000 o f
43.6 0 32 (GSS_Seal:  Given a context and a message, produces a string
of bytes which include the message and a signa\255) W
2154 -19662 M
(ture; the message may optionally be encrypted.) h
709 -21764 M
/Symbol F 1000 o f
(-) h
2154 -21764 M
/Times-Roman-ISOLatin1 F 1000 o f
19.7 0 32 (GSS_Unseal:  Given a context and the string of bytes from
GSS_Seal, returns the original message and a status) W
2154 -22814 M
(indicating its authenticity.) h
0 -24916 M
(The Support Calls provide utilities like translating names and status
codes into printable strings.) h
0 -27318 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1400 o f
(B.2 ) h
2334 -27318 M
(Implementation of GSSAPI over DASS) h
0 -30020 M
n 0.857 o f
(B.2.1 ) h
2900 -30020 M
(Data Structures) h
0 -32222 M
/Times-Roman-ISOLatin1 F 1000 o f
74.1 0 32 (The objects and data structures of the GSSAPI do not map
neatly into the objects and data structures of the DASS) W
0 -33272 M
80.6 0 32 (architecture.  This section describes how those data
structures can be implemented using the DASS data structures) W
0 -34322 M
(and primitives) h
0 -36424 M
87.6 0 32 (Credential handles correspond to the credentials structures
in DASS, where the portable API assumes that the cre\255) W
0 -37474 M
(dential structures themselves are kept from applications and handles
are passed to and from the various subroutines.) h
0 -39576 M
22.8 0 32 (Context initialization tokens correspond to the tokens of
DASS. The GSSAPI prescribes a particular ASN.1 encoded) W
0 -40626 M
119.6 0 32 (form for tokens which includes a mechanism specific bit
string within it.  An implementation of GSSAPI should) W
0 -41676 M
(enclose the DASS token within the GSSAPI "wrapper".) h
0 -43778 M
76.7 0 32 (Context handles have no corresponding structure in DASS. The
Create_token and Accept_token calls of DASS re\255) W
0 -44828 M
22.1 0 32 (turn a shared key and instance identifier. An implementation
of the GSSAPI must take those values along with some) W
0 -45878 M
35.6 0 32 (other status information and package it as a "context"
opaque structure.  These data structures must be allocated and) W
0 -46928 M
(freed with the appropriate calls.) h
0 -49030 M
80.5 0 32 (Per\255message tokens and sealed messages have no
corresponding data structure within DASS.  To fully support the) W
0 -50080 M
99.5 0 32 (GSSAPI functionality, DASS must be extended to include this
functionality.  These data structures are created by) W
0 -51130 M
49.2 0 32 (cryptographic routines given the keys and status information
in context structures and the messages passed to them. ) W
0 -52180 M
(While not properly part of the DASS architecture, the formats of these
data structures are included in section C.3.) h
0 -54432 M
/Times-Bold-ISOLatin1 F 1200 o f
(B.2.2 ) h
2900 -54432 M
(Procedures) h
0 -56634 M
/Times-Roman-ISOLatin1 F 1000 o f
22.3 0 32 (This section explains how the functions of the GSSAPI can be
provided in terms of the Services Provided by DASS. ) W
0 -57684 M
(Not all of the DASS features are accessible through the GSSAPI.) h
-8503 8502 T
R

showpage
$P e

%%Page: 74 74
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(74) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -825 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.1 ) h
3484 -825 M
(GSS_Acquire_cred) h
0 -2975 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
87.1 0 32 (The GSSAPI does not provide a mechanism for logging in users
or establishing server credentials. It assumes that) W
0 -4025 M
26.7 0 32 (some system specific mechanism created those credentials and
that applications need some mechanism for getting at) W
0 -5075 M
74.0 0 32 (them. A model implementation might save all credentials in a
node\255global pool indexed by some sort of credential) W
0 -6125 M
48.8 0 32 (name. The credentials in the pool would be access controlled
by some local policy which is not concern of portable) W
0 -7175 M
78.1 0 32 (applications. Those applications would simply call
GSS_Acquire_cred and if they passed the access control check,) W
0 -8225 M
(they would get a handle to the credentials which could be used in
subsequent calls.) h
0 -10375 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.2 ) h
3484 -10375 M
(GSS_Release_cred) h
0 -12525 M
/Times-Roman-ISOLatin1 F 1000 o f
(This call corresponds to the "delete_credentials" call of DASS.) h
0 -14675 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.3 ) h
3484 -14675 M
(GSS_Init_sec_context) h
0 -16825 M
/Times-Roman-ISOLatin1 F 1000 o f
164.1 0 32 (In the course of a normal mutual authentication, this
routine will be called twice. The procedure can determine) W
0 -17875 M
86.1 0 32 (whether this is the first or second call by seeing whether
the "input_context_handle" is zero \(it will be on the first) W
0 -18925 M
10.1 0 32 (call\).  On the first call, it will use the DASS
Create_token service to create a token and it will also allocate and popu\255) W
0 -19975 M
102.4 0 32 (late a "context" structure. That structure will hold the
key, instance identifier, and mutual authentication token re\255) W
0 -21025 M
46.8 0 32 (turned by Create_token and will in addition hold the flags
which were passed into the Init_sec_context call. The to\255) W
0 -22075 M
53.9 0 32 (ken returned by Init_sec_context will be the DASS token
included in the GSSAPI token "wrapper".  The DASS to\255) W
0 -23125 M
(ken will include the optional principal name.) h
0 -25200 M
24.9 0 32 (If mutual authentication is not requested in the GSSAPI
call, the mutual authentication token returned by DASS will) W
0 -26250 M
134.4 0 32 (be ignored and the initial call will return a COMPLETE
status. If mutual authentication is requested, the mutual) W
0 -27300 M
(authentication token will be stored in the context information and a
CONTINUE_NEEDED status returned.) h
0 -29375 M
64.2 0 32 (On the second call to GSS_Init_sec_context \(with
input_context_handle non\255zero\), the returned token will be com\255) W
0 -30425 M
96.9 0 32 (pared to the one in the context information using the
Compare_mutual_token procedure and a COMPLETE status) W
0 -31475 M
(will be returned if they match.) h
0 -33625 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.4 ) h
3484 -33625 M
(GSS_Accept_sec_context) h
0 -35775 M
/Times-Roman-ISOLatin1 F 1000 o f
136.7 0 32 (This routine in GSSAPI accepts an incoming token and
creates a context.  It combines the effects of a series of) W
0 -36825 M
(DASS functions.  It could be implemented as follows:) h
709 -38900 M
/Symbol F 1000 o f
(-) h
2154 -38900 M
/Times-Roman-ISOLatin1 F 1000 o f
256.5 0 32 (Remove the GSSAPI "wrapper" from the incoming token and
pass the rest and the credentials to "Ac\255) W
2154 -39950 M
37.5 0 32 (cept_token".  Accept_token produces a mutual authentication
token and a new credentials structure.  If delega\255) W
2154 -41000 M
25.9 0 32 (tion was requested, the new credentials structure will be an
output of GSS_Accept_sec_context.  In any case, it) W
2154 -42050 M
(will be used in the subsequent steps of this procedure.) h
709 -44125 M
/Symbol F 1000 o f
(-) h
2154 -44125 M
/Times-Roman-ISOLatin1 F 1000 o f
9.1 0 32 (Use the DASS Get_principal_name function to extract the
principal name from the credentials produced by Ac\255) W
2154 -45175 M
(cept_token.  This name is one of the outputs of "GSS_Accept_sec_context.) h
709 -47250 M
/Symbol F 1000 o f
(-) h
2154 -47250 M
/Times-Roman-ISOLatin1 F 1000 o f
5.3 0 32 (Apply the DASS Verify_principal_name to the new credentials
and the retrieved name to authenticate the token) W
2154 -48300 M
(as having come from the named principal.) h
709 -50375 M
/Symbol F 1000 o f
(-) h
2154 -50375 M
/Times-Roman-ISOLatin1 F 1000 o f
76.6 0 32 (Create and populate a context structure with the key and
timestamp returned by Accept_token and a status of) W
2154 -51425 M
(COMPLETE.  Return a handle to that context.) h
709 -53500 M
/Symbol F 1000 o f
(-) h
2154 -53500 M
/Times-Roman-ISOLatin1 F 1000 o f
128.2 0 32 (If delegation was requested, return the new credentials
from GSS_Accept_sec_context.  Otherwise, call De\255) W
2154 -54550 M
(lete_credentials.) h
709 -56625 M
/Symbol F 1000 o f
(-) h
2154 -56625 M
/Times-Roman-ISOLatin1 F 1000 o f
41.3 0 32 (If mutual authentication was requested, wrap the mutual
authentication token from Accept_token in a GSSAPI) W
2154 -57675 M
("wrapper" and return it.  Otherwise return a null string.) h
-8503 8502 T
R

showpage
$P e

%%Page: 75 75
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(75) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -825 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.5 ) h
3484 -825 M
(GSS_Delete_sec_context) h
0 -3152 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(This routine simply deletes the context state.  No calls to DASS are required.) h
0 -5479 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.6 ) h
3484 -5479 M
(GSS_Sign) h
0 -7806 M
/Times-Roman-ISOLatin1 F 1000 o f
22.5 0 32 (This routine takes as input a context handle and a message.
It creates a per_msg_token by computing a digital signa\255) W
0 -8856 M
26.9 0 32 (ture on the message using the key and timestamp in the
context block.  No DASS services are required. If additional) W
0 -9906 M
108.2 0 32 (cryptographic services were requested \(replay detection or
sequencing\), a timestamp or sequence number must be) W
0 -10956 M
(prepended to the message and sent with the signature.  The syntax for
this message is listed in section C.3.) h
0 -13283 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.7 ) h
3484 -13283 M
(GSS_Verify) h
0 -15610 M
/Times-Roman-ISOLatin1 F 1000 o f
53.2 0 32 (This routine repeats the calculation of the sign routine and
verifies the signature provided. If replay detection or se\255) W
0 -16660 M
104.8 0 32 (quencing services are provided, the context must maintain
as part of its state information containing the sequence) W
0 -17710 M
(numbers or timestamps of messages already received and this one must
be checked for acceptability.) h
0 -20037 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.8 ) h
3484 -20037 M
(GSS_Seal) h
0 -22364 M
/Times-Roman-ISOLatin1 F 1000 o f
141.0 0 32 (This routine performs the same functions as Sign but also
optionally encrypts the message for privacy using the) W
0 -23414 M
(shared key and encapsulates the whole thing in a GSSAPI specified ASN.1 wrapper.) h
0 -25741 M
/Times-Bold-ISOLatin1 F 1100 o f
(B.2.2.9 ) h
3484 -25741 M
(GSS_Unseal) h
0 -28068 M
/Times-Roman-ISOLatin1 F 1000 o f
99.6 0 32 (This routine performs the same functions as GSS_Verify but
also parses the data structure including the signature) W
0 -29118 M
(and message and decrypts the message if necessary.) h
0 -31670 M
/Times-Bold-ISOLatin1 F 1400 o f
(B.3 ) h
2334 -31670 M
(Syntax) h
0 -34372 M
/Times-Roman-ISOLatin1 F 1000 o f
225.2 0 32 (The GSSAPI specification recommends the following ASN.1
encoding for the tokens and messages generated) W
0 -35422 M
(through the GSSAPI:) h
3600 -37674 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(\255\255optional top\255level token definitions to frame) h
3600 -38874 M
(\255\255 different mechanisms) h
3600 -40876 M
(GSSAPI DEFINITIONS ::=) h
3600 -42878 M
(BEGIN) h
3600 -44880 M
(MechType ::= OBJECT IDENTIFIER) h
3600 -46080 M
(\255\255 data structure definitions) h
3600 -48082 M
(ContextToken ::=) h
3600 -49282 M
(\255\255 option indication \(delegation, etc.\) indicated) h
3600 -50482 M
(\255\255 within mechanism\255specific token) h
3600 -51682 M
([APPLICATION 0] IMPLICIT SEQUENCE {) h
3600 -52882 M
7072 -52882 M
(thisMech MechType,) h
3600 -54082 M
7072 -54082 M
(responseExpected BOOLEAN,) h
3600 -55282 M
7072 -55282 M
(innerContextToken ANY DEFINED BY MechType) h
3600 -56482 M
7072 -56482 M
8511 -56482 M
(\255\255 contents mechanism\255specific) h
3600 -57682 M
7072 -57682 M
(}) h
-8503 8502 T
R

showpage
$P e

%%Page: 76 76
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(76) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
3600 -750 M
/Courier-ISOLatin1 $
/Courier & P
/Courier-ISOLatin1 F 1000 o f
(PerMsgToken ::=) h
3600 -1950 M
(\255\255 as emitted by GSS_Sign and processed by) h
3600 -3150 M
(\255\255 GSS_Verify) h
3600 -4350 M
([APPLICATION 1] IMPLICIT SEQUENCE {) h
3600 -5550 M
7072 -5550 M
(thisMech MechType,) h
3600 -6750 M
7072 -6750 M
(innerMsgToken ANY DEFINED BY MechType) h
3600 -7950 M
7072 -7950 M
8511 -7950 M
(\255\255 contents mechanism\255specific) h
3600 -9150 M
7072 -9150 M
(}) h
3600 -10964 M
(SealedMessage ::=) h
3600 -12164 M
(\255\255 as emitted by GSS_Seal and processed by) h
3600 -13364 M
(\255\255 GSS_Unseal) h
3600 -14564 M
([APPLICATION 2] IMPLICIT SEQUENCE {) h
3600 -15764 M
7072 -15764 M
(sealingToken PERMSGTOKEN,) h
3600 -16964 M
7072 -16964 M
(confFlag BOOLEAN,) h
3600 -18164 M
7072 -18164 M
(userData OCTET STRING) h
3600 -19364 M
7072 -19364 M
8511 -19364 M
(\255\255 encrypted if confFlag TRUE) h
3600 -20564 M
7072 -20564 M
(}) h
0 -22378 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(The object identifier for the DASS MechType is 1.3.12.2.1011.7.5.) h
0 -24442 M
(The innerContextToken of a token is a DASS token or mutual authentication token.) h
0 -26506 M
27.0 0 32 (The innerMsgToken is a null string in the case where the
message is encrypted and the token is included as part of a) W
0 -27556 M
91.6 0 32 (SealedMessage.  Otherwise, it is an eight octet sequence
computed as the CBC residue computed using a key and) W
0 -28606 M
(string of bytes defined as follows:) h
709 -30670 M
/Symbol F 1000 o f
(-) h
2154 -30670 M
/Times-Roman-ISOLatin1 F 1000 o f
35.8 0 32 (Pad the message provided by the application with 1\2558
bytes of pad to produce a string whose length is a multi\255) W
2154 -31720 M
(ple of 8 octets.  Each pad byte has a value equal to the number of pad bytes.) h
709 -33784 M
/Symbol F 1000 o f
(-) h
2154 -33784 M
/Times-Roman-ISOLatin1 F 1000 o f
21.5 0 32 (Compute the key by taking the timestamp of the association
\(two four byte integers laid out in big endian order) W
2154 -34834 M
22.0 0 32 (with the most significant integer first\), complementing the
high order bit \(to avoid aliasing with mutual authen\255) W
2154 -35884 M
(ticators\), and encrypting the block in ECB mode with the shared key
of the association.) h
0 -37948 M
76.6 0 32 (The userData field of a SealedMessage is exactly the
application provided byte string if confFlag=FALSE.  Other\255) W
0 -38998 M
(wise, it is the application supplied message encrypted as follows:) h
709 -41062 M
/Symbol F 1000 o f
(-) h
2154 -41062 M
/Times-Roman-ISOLatin1 F 1000 o f
54.8 0 32 (Pad the message provided by the application with 1\2558
bytes of pad to produce a string whose length = 4 \(mod) W
2154 -42112 M
(8\).  Each pad byte has a value equal to the number of pad bytes.) h
709 -44176 M
/Symbol F 1000 o f
(-) h
2154 -44176 M
/Times-Roman-ISOLatin1 F 1000 o f
(Append a four byte CRC32 computed over the message + pad.) h
709 -46240 M
/Symbol F 1000 o f
(-) h
2154 -46240 M
/Times-Roman-ISOLatin1 F 1000 o f
62.5 0 32 (Compute a key by taking the timestamp of the association
\(two four byte integers laid out in big endian order) W
2154 -47290 M
22.0 0 32 (with the most significant integer first\), complementing the
high order bit \(to avoid aliasing with mutual authen\255) W
2154 -48340 M
(ticators\), and encrypting the block in ECB mode with the shared key
of the association.) h
709 -50404 M
/Symbol F 1000 o f
(-) h
2154 -50404 M
/Times-Roman-ISOLatin1 F 1000 o f
(Encrypt the message + pad + CRC32 using CBC and the key computed in
the previous step.) h
0 -52468 M
(A note of the logic behind the above:) h
709 -54532 M
/Symbol F 1000 o f
(-) h
2154 -54532 M
/Times-Roman-ISOLatin1 F 1000 o f
30.8 0 32 (Because the shared key of an association may be reused by
many associations between the same pair of princi\255) W
2154 -55582 M
55.1 0 32 (pals, it is necessary to bind the association timestamp into
the messages somehow to prevent messages from a) W
2154 -56632 M
1.6 0 32 (previous association being replayed into a new sequence.  The
technique above of generating an association key) W
2154 -57682 M
76.0 0 32 (accomplishes this and has a side benefit.  An implementation
may with to keep the long term keys out of the) W
-8503 8502 T
R

showpage
$P e

%%Page: 77 77
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(77) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
2154 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
43.8 0 32 (hands of applications for purposes of confinement but may
wish to put the encryption associated with an asso\255) W
2154 -1800 M
(ciation in process context for reasons of performance.  Defining an
association key makes that possible.) h
709 -3850 M
/Symbol F 1000 o f
(-) h
2154 -3850 M
/Times-Roman-ISOLatin1 F 1000 o f
43.9 0 32 (The reason that the association specific key is not
specified as the output of Create_token and Accept_token is) W
2154 -4900 M
27.3 0 32 (that the DCE RPC security implementation requires that a
series of associations between two principals always) W
2154 -5950 M
(have the same key and we did not want to have to support a different
interface in that application.) h
709 -8000 M
/Symbol F 1000 o f
(-) h
2154 -8000 M
/Times-Roman-ISOLatin1 F 1000 o f
(The CRC32 after pad constitutes a cheap integrity check when data is encrypted.) h
709 -10050 M
/Symbol F 1000 o f
(-) h
2154 -10050 M
/Times-Roman-ISOLatin1 F 1000 o f
43.2 0 32 (The fact that padding is done differently for encrypted and
signed messages means that there are no threats re\255) W
2154 -11100 M
83.1 0 32 (lated to sending the same message encrypted and unencrypted
and using the last block of the encrypted mes\255) W
2154 -12150 M
(sage as a signature on the unencrypted one.) h
-8503 8502 T
R

showpage
$P e

%%Page: 78 78
/$P a D
g N
0 79200 T
S
S
8488 -1910 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39771 -900 M
(October 1991) h
0 -2284 M
-8488 1910 T
R

S
8488 -72021 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42572 -900 M
(Page ) h
(78) h
-8488 72021 T
R

R
S
8590 -8532 T
N
0 G
19975 -1350 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1800 o f
(Annex C ) h
26874 -1350 M
13350 -3350 M
(Imported ASN.1 definitions) h
-8590 8532 T
R

S
8504 -24096 T
N
0 G
0 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(This annex contains extracts from the ASN.1 description of X.509 and
X.500 definitions referenced by) h
0 -1950 M
(the DASS ASN.1 definitions.) h
0 -3182 M
0 -4414 M
(CCITT DEFINITIONS ::=) h
0 -5646 M
0 -6878 M
(BEGIN) h
0 -8110 M
(joint\255iso\255ccitt  OBJECT IDENTIFIER ::= {2}) h
0 -9342 M
(ds OBJECT IDENTIFIER ::= {joint\255iso\255ccitt 5}) h
0 -10574 M
(algorithm OBJECT IDENTIFIER ::= {ds 8}) h
0 -11806 M
0 -13038 M
(iso OBJECT IDENTIFIER ::= {1}) h
0 -14270 M
(identified\255organization OBJECT IDENTIFIER ::= {iso 3}) h
0 -15502 M
(ecma OBJECT IDENTIFIER ::= {identified\255organization 12}) h
0 -16734 M
(digital OBJECT IDENTIFIER ::= { ecma 1011 }) h
0 -17966 M
0 -19198 M
(\255\255 X.501 definitions) h
0 -20430 M
0 -21662 M
(AttributeType ::= OBJECT IDENTIFIER) h
0 -22862 M
(AttributeValue ::= ANY) h
0 -24062 M
5760 -24062 M
(\255\255 useful ones are) h
0 -25262 M
5760 -25262 M
11520 -25262 M
(\255\255) h
17280 -25262 M
(OCTET STRING ,) h
0 -26462 M
5760 -26462 M
11520 -26462 M
(\255\255) h
17280 -26462 M
(PrintableString ,) h
0 -27662 M
5760 -27662 M
11520 -27662 M
(\255\255) h
17280 -27662 M
(NumericString ,) h
0 -28862 M
5760 -28862 M
11520 -28862 M
(\255\255) h
17280 -28862 M
(T61String ,) h
0 -30062 M
5760 -30062 M
11520 -30062 M
(\255\255) h
17280 -30062 M
(VisibleString ) h
0 -31262 M
0 -32494 M
(AttributeValueAssertion ::= SEQUENCE {AttributeType, AttributeValue}) h
0 -33726 M
0 -34958 M
(Name ::= CHOICE {\255\255 only one possibility for now \255\255) h
0 -36158 M
5760 -36158 M
11520 -36158 M
(RDNSequence}) h
0 -37358 M
0 -38590 M
(RDNSequence ::= SEQUENCE OF RelativeDistinguishedName) h
0 -39822 M
0 -41054 M
(DistinguishedName ::= RDNSequence) h
-8504 24096 T
R

showpage
$P e

%%Page: 79 79
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(79) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
0 -2113 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(RelativeDistinguishedName ::= SET OF AttributeValueAssertion) h
0 -3476 M
0 -4839 M
(\255\255 X.509 definitions) h
0 -6202 M
0 -7565 M
(Certificate ::= SIGNED SEQUENCE {) h
0 -8765 M
5760 -8765 M
11520 -8765 M
(version) h
17280 -8765 M
([0]) h
23040 -8765 M
28800 -8765 M
(Version DEFAULT 1988 ,) h
0 -9965 M
5760 -9965 M
11520 -9965 M
(serialNumber) h
23040 -9965 M
28800 -9965 M
(SerialNumber ,) h
0 -11165 M
5760 -11165 M
11520 -11165 M
(signature      ) h
23040 -11165 M
28800 -11165 M
(AlgorithmIdentifier ,) h
0 -12365 M
5760 -12365 M
11520 -12365 M
(issuer) h
17280 -12365 M
23040 -12365 M
28800 -12365 M
(Name,) h
0 -13565 M
5760 -13565 M
11520 -13565 M
(valid) h
17280 -13565 M
23040 -13565 M
28800 -13565 M
(Validity,) h
0 -14765 M
5760 -14765 M
11520 -14765 M
(subject) h
17280 -14765 M
23040 -14765 M
28800 -14765 M
(Name,) h
0 -15965 M
5760 -15965 M
11520 -15965 M
(subjectPublicKey) h
23040 -15965 M
(SubjectPublicKeyInfo } ) h
0 -17328 M
0 -18691 M
(Version ::= INTEGER { 1988\(0\)}) h
0 -20054 M
(SerialNumber INTEGER) h
0 -21417 M
(Validity ::= SEQUENCE{) h
0 -22617 M
5760 -22617 M
(notBefore) h
11520 -22617 M
17280 -22617 M
(UTCTime,) h
0 -23817 M
5760 -23817 M
(notAfter) h
11520 -23817 M
17280 -23817 M
(UTCTime}) h
0 -25180 M
0 -26543 M
(SubjectPublicKeyInfo  ::=  SEQUENCE {) h
0 -27743 M
5760 -27743 M
(algorithm) h
11520 -27743 M
17280 -27743 M
(AlgorithmIdentifier ,) h
0 -28943 M
5760 -28943 M
(subjectPublicKey) h
17280 -28943 M
(BIT STRING ) h
0 -30143 M
5760 -30143 M
(}) h
0 -31506 M
0 -32869 M
(AlgorithmIdentifier ::= SEQUENCE {) h
0 -34069 M
5760 -34069 M
(algorithm) h
11520 -34069 M
(OBJECT IDENTIFIER ,) h
0 -35269 M
5760 -35269 M
(             parameters) h
17280 -35269 M
(ANY DEFINED BY algorithm OPTIONAL}) h
0 -36632 M
0 -37995 M
(ALGORITHM MACRO) h
0 -39195 M
(BEGIN) h
0 -40395 M
(TYPE NOTATION) h
11520 -40395 M
(::= "PARAMETER" type) h
0 -41595 M
(VALUE NOTATION) h
11520 -41595 M
(::= value \(VALUE OBJECT IDENTIFIER\)) h
0 -42795 M
(END \255\255 of ALGORITHM) h
0 -44158 M
0 -45521 M
(ENCRYPTED MACRO) h
0 -46721 M
(BEGIN) h
0 -47921 M
(TYPE NOTATION) h
11520 -47921 M
(::=type\(ToBeEnciphered\)) h
0 -49121 M
(VALUE NOTATION) h
11520 -49121 M
(::= value\(VALUE BIT STRING\)) h
0 -50321 M
5760 -50321 M
(\255\255 the value of the bit string is generated by) h
0 -51521 M
5760 -51521 M
(\255\255 taking the octets which form the complete) h
0 -52721 M
5760 -52721 M
(encoding \(using the ASN.1 Basic Encoding Rules\)) h
0 -53921 M
5760 -53921 M
(\255\255 of the value of the ToBeEnciphered type and) h
0 -55121 M
5760 -55121 M
(\255\255 applying an encipherment procedure to those octets\255\255) h
0 -56321 M
(END) h
0 -57684 M
-8503 8502 T
R

showpage
$P e

%%Page: 80 80
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(80) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/NewCenturySchlbk-Roman-ISOLatin1 $
/NewCenturySchlbk-Roman & P
/NewCenturySchlbk-Roman-ISOLatin1 F 1000 o f
(SIGNED MACRO) h
11520 -750 M
(::=) h
0 -1950 M
(BEGIN) h
0 -3150 M
(TYPE NOTATION) h
11520 -3150 M
(::= type \(ToBeSigned\)) h
0 -4350 M
(VALUE NOTATION) h
11520 -4350 M
(::= value\(VALUE) h
0 -5550 M
(SEQUENCE{) h
0 -6750 M
5760 -6750 M
(ToBeSigned,) h
0 -7950 M
5760 -7950 M
(AlgorithIdentifier, \255\255 of the algorithm used to generate the signature) h
0 -9150 M
5760 -9150 M
(ENCRYPTED OCTET STRING) h
0 -10350 M
5760 -10350 M
(\255\255 where the octet string is the result) h
0 -11550 M
5760 -11550 M
(\255\255 of the hashing of the value of) h
0 -12750 M
5760 -12750 M
("ToBeSigned") h
0 -13950 M
(END \255\255 of SIGNED) h
0 -15150 M
0 -16350 M
(SIGNATURE MACRO) h
11520 -16350 M
(::=) h
0 -17550 M
(BEGIN) h
0 -18750 M
(TYPE NOTATION) h
11520 -18750 M
(::= type\(OfSignature\)) h
0 -19950 M
(VALUE NOTATION) h
11520 -19950 M
(::= value\(VALUE) h
0 -21150 M
5760 -21150 M
(SEQUENCE{) h
0 -22350 M
5760 -22350 M
11520 -22350 M
(AlgorithmIdentifier,) h
0 -23550 M
5760 -23550 M
11520 -23550 M
(\255\255 of the algorithm used to compute the signature) h
0 -24750 M
5760 -24750 M
11520 -24750 M
(ENCRYPTED OCTET STRING) h
0 -25950 M
5760 -25950 M
11520 -25950 M
(\255\255 where the octet string is a function \(e.g. a compressed or) h
0 -27150 M
5760 -27150 M
11520 -27150 M
(\255\255 hashed version\) of the value "OfSignature", which may) h
0 -28350 M
5760 -28350 M
11520 -28350 M
(\255\255 include the identifier of  the algorithm used to compute) h
0 -29550 M
5760 -29550 M
11520 -29550 M
(\255\255 the signature\255\255}) h
0 -30750 M
5760 -30750 M
11520 -30750 M
17280 -30750 M
(\)) h
0 -31950 M
(END \255\255 of SIGNATURE) h
0 -33150 M
0 -34350 M
(\255\255 X.509 Annex H \(not part of the standard\)) h
0 -35550 M
0 -36750 M
(encryptionAlgorithm OBJECT IDENTIFIER ::= {algorithm 1} ) h
0 -37950 M
0 -39150 M
(rsa ALGORITHM) h
0 -40350 M
5760 -40350 M
(PARAMETER KeySize) h
0 -41550 M
5760 -41550 M
(::= {encryptionAlgorithm 1}) h
0 -42750 M
0 -43950 M
(KeySize ::= INTEGER) h
0 -45150 M
0 -46350 M
(END) h
-8503 8502 T
R

showpage
$P e

%%Page: 81 81
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(81) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -1800 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 2400 o f
(Glossary) h
9067 -1800 M
0 -10218 M
n 0.417 o f
(authentication) h
8798 -10218 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
43.7 0 32 (The process of determining the identity \(usually the name\)
of the other party in some commu\255) W
3600 -11268 M
(nication exchange.) h
0 -13386 M
/Times-Bold-ISOLatin1 F 1000 o f
(authentication context) h
/Times-Roman-ISOLatin1 F 1000 o f
(  ) h
3600 -14436 M
112.8 0 32 (Cached information used during a particular instance of
authentication and including a shared symmetric) W
3600 -15486 M
(\(DES\) key as well as components of the authentication token conveyed
during establishment of this context.) h
0 -17604 M
/Times-Bold-ISOLatin1 F 1000 o f
(authentication token) h
3600 -18654 M
/Times-Roman-ISOLatin1 F 1000 o f
88.9 0 32 (Information conveyed during a strong authentication exchange
that can be used to authenticate its sender.) W
3600 -19704 M
108.7 0 32 (An authentication token can, but is not necessarily limited
to, include the claimant identity and ticket, as) W
3600 -20754 M
128.9 0 32 (well as signed and encrypted secret key exchange messages
conveying a secret key to be used in future) W
3600 -21804 M
(cryptographic operations. An authentication token names a particular
protocol data structure component.) h
0 -23922 M
/Times-Bold-ISOLatin1 F 1000 o f
(authorization) h
8798 -23922 M
/Times-Roman-ISOLatin1 F 1000 o f
(The process of determining the rights associated with a particular principal.) h
0 -26040 M
/Times-Bold-ISOLatin1 F 1000 o f
(certificate) h
8798 -26040 M
/Times-Roman-ISOLatin1 F 1000 o f
94.4 0 32 (The public key of a particular principal, together with some
other information relating to the) W
3600 -27090 M
61.2 0 32 (names of the principal and the certifying authority,
rendered unforgeable by encipherment with the private) W
3600 -28140 M
(key of the certification authority that issued it.) h
0 -30258 M
/Times-Bold-ISOLatin1 F 1000 o f
(certification authority) h
3600 -31308 M
/Times-Roman-ISOLatin1 F 1000 o f
(An authority trusted by one or more principals to create and assign
certificates.) h
0 -33426 M
/Times-Bold-ISOLatin1 F 1000 o f
(claimant) h
8798 -33426 M
/Times-Roman-ISOLatin1 F 1000 o f
33.8 0 32 (The party that initiates the authentication process. In the
DASS architecture, claimants possess) W
3600 -34476 M
67.9 0 32 (credentials which include their identity, authenticating
private key and a ticket certifying their authenticat\255) W
3600 -35526 M
(ing public key.) h
0 -37644 M
/Times-Bold-ISOLatin1 F 1000 o f
(credentials) h
8798 -37644 M
/Times-Roman-ISOLatin1 F 1000 o f
127.4 0 32 (Information "state" required by principals in order to for
them to authenticate.   Credentials) W
3600 -38694 M
10.8 0 32 (may contain information used to initiate the authentication
process \(claimant information\), information used) W
3600 -39744 M
80.7 0 32 (to respond to an authentication request \(verifier
information\), and cached information useful in improving) W
3600 -40794 M
(performance.) h
0 -42912 M
/Times-Bold-ISOLatin1 F 1000 o f
(cryptographic checksum) h
3600 -43962 M
/Times-Roman-ISOLatin1 F 1000 o f
49.1 0 32 (Information which is derived by performing a cryptographic
transformation on the data unit. This informa\255) W
3600 -45012 M
(tion can be used by the receiver to verify the authenticity of data
passed in cleartext) h
0 -47130 M
/Times-Bold-ISOLatin1 F 1000 o f
(decipher) h
8798 -47130 M
/Times-Roman-ISOLatin1 F 1000 o f
29.3 0 32 (To reverse the effects of encipherment and render a message
comprehensible by use of a cryp\255) W
3600 -48180 M
(tographic key.) h
0 -50298 M
/Times-Bold-ISOLatin1 F 1000 o f
(delegation ) h
8798 -50298 M
/Times-Roman-ISOLatin1 F 1000 o f
(The granting of temporary credentials that allow a process to act on
behalf of a principal.) h
0 -52416 M
/Times-Bold-ISOLatin1 F 1000 o f
(delegation key) h
8798 -52416 M
/Times-Roman-ISOLatin1 F 1000 o f
112.1 0 32 (A short term public/private key pair used by a claimant to
act on behalf of a principal for a) W
3600 -53466 M
37.9 0 32 (bounded period. The delegation public key appears in the
ticket, whereas the delegation private key is used) W
3600 -54516 M
(to sign secret key exchange messages.) h
0 -56634 M
/Times-Bold-ISOLatin1 F 1000 o f
(DES) h
8798 -56634 M
/Times-Roman-ISOLatin1 F 1000 o f
77.8 0 32 (Data Encryption Standard: a symmetric \(secret key\)
encryption algorithm used by DASS. An) W
3600 -57684 M
(alternate encryption algorithm could be substituted with little or no
disruption to the architecture.) h
-8503 8502 T
R

showpage
$P e

%%Page: 82 82
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(82) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
(DES key) h
8798 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
(A 56\255bit secret quantity used as a parameter to the DES encryption algorithm.) h
0 -2865 M
/Times-Bold-ISOLatin1 F 1000 o f
(digital signature) h
8798 -2865 M
/Times-Roman-ISOLatin1 F 1000 o f
48.4 0 32 (A value computed from a block of data and a key which could
only be computed by someone) W
3600 -3915 M
35.5 0 32 (knowing the key. A digital signature computed with a secret
key can only be verified by someone knowing) W
3600 -4965 M
112.3 0 32 (that secret key.  A digital signature computed with a
private key can be verified by anyone knowing the) W
3600 -6015 M
(corresponding public key.) h
0 -8130 M
/Times-Bold-ISOLatin1 F 1000 o f
(encipher) h
8798 -8130 M
/Times-Roman-ISOLatin1 F 1000 o f
30.8 0 32 (To render incomprehensible except to the holder of a
particular key. If you encipher with a se\255) W
3600 -9180 M
93.4 0 32 (cret key, only the holder of the same secret can decipher
the message. If you encipher with a public key,) W
3600 -10230 M
(only the holder of the corresponding private key can decipher it.) h
0 -12345 M
/Times-Bold-ISOLatin1 F 1000 o f
(initial trust certificate) h
/Times-Roman-ISOLatin1 F 1000 o f
(  ) h
3600 -13395 M
30.3 0 32 (A certificate signed by a principal for its own use which
states the name and public key of a trusted author\255) W
3600 -14445 M
(ity.) h
0 -16560 M
/Times-Bold-ISOLatin1 F 1000 o f
(global user name) h
8798 -16560 M
/Times-Roman-ISOLatin1 F 1000 o f
99.3 0 32 (A hierarchical name for a user which is unique within the
entire domain of discussion \(typi\255) W
3600 -17610 M
(cally the network\).) h
0 -19725 M
/Times-Bold-ISOLatin1 F 1000 o f
(local user name) h
8798 -19725 M
/Times-Roman-ISOLatin1 F 1000 o f
4.5 0 32 (A simple \(non\255hierarchical\) name by which a user is
known within a limited context such as on) W
3600 -20775 M
(a single computer.) h
0 -22890 M
/Times-Bold-ISOLatin1 F 1000 o f
(principal) h
8798 -22890 M
/Times-Roman-ISOLatin1 F 1000 o f
134.3 0 32 (Abstract entity which can be authenticated by name. In DASS
there are user principals and) W
3600 -23940 M
(server principals.) h
0 -26055 M
/Times-Bold-ISOLatin1 F 1000 o f
(private key) h
8798 -26055 M
/Times-Roman-ISOLatin1 F 1000 o f
70.8 0 32 (Cryptographic key used in asymmetric \(public key\)
cryptography to decrypt and/or sign mes\255) W
3600 -27105 M
65.7 0 32 (sages. In asymmetric cryptography, knowing the encryption
key is independent of knowing the decryption) W
3600 -28155 M
118.2 0 32 (key. The decryption \(or signing\) private key cannot be
derived from the encrypting \(or verifying\) public) W
3600 -29205 M
(key.) h
0 -31320 M
/Times-Bold-ISOLatin1 F 1000 o f
(proxy) h
8798 -31320 M
/Times-Roman-ISOLatin1 F 1000 o f
19.1 0 32 (A mapping from an external name to a local account name for
purposes of establishing a set of) W
3600 -32370 M
(local access rights. Note that this differs from the definition in ECMA TR/46.) h
0 -34485 M
/Times-Bold-ISOLatin1 F 1000 o f
(public key) h
8798 -34485 M
/Times-Roman-ISOLatin1 F 1000 o f
64.7 0 32 (Cryptographic key used in asymmetric cryptography to encrypt
messages and/or verify signa\255) W
3600 -35535 M
(tures.) h
0 -37650 M
/Times-Bold-ISOLatin1 F 1000 o f
(RSA) h
8798 -37650 M
/Times-Roman-ISOLatin1 F 1000 o f
41.9 0 32 (The Rivest\255Shamir\255Adelman public key cryptosystem
based on modular exponentiation where) W
3600 -38700 M
77.6 0 32 (the modulus is the product of two large primes.  When the
term RSA key is used, it should be clear from) W
3600 -39750 M
(context whether the public key, the private key, or the public/private
pair is intended.) h
0 -41865 M
/Times-Bold-ISOLatin1 F 1000 o f
(secret key) h
8798 -41865 M
/Times-Roman-ISOLatin1 F 1000 o f
94.0 0 32 (Cryptographic key used in symmetric cryptography to encrypt,
sign, decrypt and verify mes\255) W
3600 -42915 M
99.9 0 32 (sages. In symmetric cryptography, knowledge of the
decryption key implies knowledge of the encryption) W
3600 -43965 M
(key, and vice\255versa.) h
0 -46080 M
/Times-Bold-ISOLatin1 F 1000 o f
(sign) h
8798 -46080 M
/Times-Roman-ISOLatin1 F 1000 o f
107.4 0 32 (A process which takes a piece of data and a key and
produces a digital signature which can) W
3600 -47130 M
(only be calculated by someone with the key. The holder of a
corresponding key can verify the signature.) h
0 -49245 M
/Times-Bold-ISOLatin1 F 1000 o f
(source) h
8798 -49245 M
/Times-Roman-ISOLatin1 F 1000 o f
(The initiator of an authentication exchange.) h
0 -51360 M
/Times-Bold-ISOLatin1 F 1000 o f
(strong authentication) h
3600 -52410 M
/Times-Roman-ISOLatin1 F 1000 o f
186.4 0 32 (Authentication by means of cryptographically derived
authentication tokens and credentials. The actual) W
3600 -53460 M
48.0 0 32 (working definition is closer to that of "zero knowledge"
proof: authentication so as to not reveal any infor\255) W
3600 -54510 M
69.8 0 32 (mation usable by either the verifier, or by an eavesdropping
third party, to further their potential ability to) W
3600 -55560 M
(impersonate the claimant.) h
0 -57675 M
/Times-Bold-ISOLatin1 F 1000 o f
(target) h
8798 -57675 M
/Times-Roman-ISOLatin1 F 1000 o f
(The intended second party \(other than the source\) to an
authentication exchange.) h
-8503 8502 T
R

showpage
$P e

%%Page: 83 83
/$P a D
g N
0 79200 T
S
S
8642 -3084 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 $
/Helvetica & P
/Helvetica-ISOLatin1 F 1200 o f
(Internet Draft ) h
( ) h
24825 -900 M
(DASS) h
39769 -900 M
(October 1991) h
0 -2284 M
-8642 3084 T
R

S
8642 -73627 T
N
0 G
0 -900 M
/Helvetica-ISOLatin1 F 1200 o f
(Charles Kaufman) h
26459 -900 M
42570 -900 M
(Page ) h
(83) h
0 -2284 M
-8642 73627 T
R

R
S
8503 -8502 T
N
0 G
0 -750 M
/Times-Bold-ISOLatin1 $
/Times-Bold & P
/Times-Bold-ISOLatin1 F 1000 o f
(ticket ) h
8798 -750 M
/Times-Roman-ISOLatin1 $
/Times-Roman & P
/Times-Roman-ISOLatin1 F 1000 o f
91.9 0 32 (A data structure certifying an authenticating \(public\) key
by virtue of being signed by a user) W
3600 -1800 M
(principal using their \(long term\) private key. The ticket also
includes the UID of the principal.) h
0 -3850 M
/Times-Bold-ISOLatin1 F 1000 o f
(trusted authority) h
8798 -3850 M
/Times-Roman-ISOLatin1 F 1000 o f
13.3 0 32 (The public key, name and UID of a certification authority
trusted in some context to certify the) W
3600 -4900 M
(public keys of other principals.) h
0 -6950 M
/Times-Bold-ISOLatin1 F 1000 o f
(UID) h
8798 -6950 M
/Times-Roman-ISOLatin1 F 1000 o f
(A 128 bit unique identifier produced according to OSF standard specifications.) h
0 -9000 M
/Times-Bold-ISOLatin1 F 1000 o f
(user key) h
8798 -9000 M
/Times-Roman-ISOLatin1 F 1000 o f
137.3 0 32 (A "long term" RSA key whose private portion authenticates
its holder as having the access) W
3600 -10050 M
(rights of a particular person.) h
0 -12100 M
/Times-Bold-ISOLatin1 F 1000 o f
(verify) h
8798 -12100 M
/Times-Roman-ISOLatin1 F 1000 o f
6.8 0 32 (To cryptographically process a piece of data and a digital
signature to determine that the holder) W
3600 -13150 M
(of a particular key signed the data.) h
0 -15200 M
/Times-Bold-ISOLatin1 F 1000 o f
(verifier) h
8798 -15200 M
/Times-Roman-ISOLatin1 F 1000 o f
43.8 0 32 (The party who will perform the operations necessary to
verify the claimed identity of a claim\255) W
3600 -16250 M
(ant.) h
0 -22450 M
/Helvetica-ISOLatin1 F 1200 o f
(Author's Address) h
2397 -23800 M
/Times-Roman-ISOLatin1 F 1000 o f
(Charles Kaufman) h
2397 -24850 M
(Digital Equipment Corporation) h
2397 -25900 M
(LKG 1\2552/A19) h
2397 -26950 M
(550 King Street) h
2397 -28000 M
(Littleton, MA 01460) h
2397 -30050 M
(Phone: \(508\) 486\2557329) h
2397 -32100 M
(Email: kaufman@dsmail.enet.dec.com) h
2397 -34150 M
2397 -36200 M
62.2 0 32 (General comments on this document should be sent to
cat\255ietf@mit.edu.  Minor corrections should be sent to) W
2397 -37250 M
(the author.) h
0 -38600 M
-8503 8502 T
R

showpage
$P e

%%Trailer
$D restore
end % DEC_WRITE_dict
%%Pages: 83
%%DocumentFonts: Helvetica
%%+ Times-Bold
%%+ Times-Roman
%%+ Symbol
%%+ Times-BoldItalic
%%+ Times-Italic
%%+ NewCenturySchlbk-Roman
%%+ Courier
%%+ NewCenturySchlbk-BoldItalic