{"draft":"draft-ietf-krb-wg-preauth-framework-17","doc_id":"RFC6113","title":"A Generalized Framework for Kerberos Pre-Authentication","authors":["S. Hartman","L. Zhu"],"format":["ASCII","HTML"],"page_count":"48","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Kerberos WG","abstract":"Kerberos is a protocol for verifying the identity of principals\r\n(e.g., a workstation user or a network server) on an open network.\r\nThe Kerberos protocol provides a facility called pre-authentication.\r\nPre-authentication mechanisms can use this facility to extend the\r\nKerberos protocol and prove the identity of a principal.\r\n\r\nThis document describes a more formal model for this facility.  The\r\nmodel describes what state in the Kerberos request a\r\npre-authentication mechanism is likely to change.  It also describes\r\nhow multiple pre-authentication mechanisms used in the same request\r\nwill interact.\r\n\r\nThis document also provides common tools needed by multiple\r\npre-authentication mechanisms.  One of these tools is a secure channel\r\nbetween the client and the key distribution center with a reply key\r\nstrengthening mechanism; this secure channel can be used to protect\r\nthe authentication exchange and thus eliminate offline dictionary\r\nattacks.  With these tools, it is relatively straightforward to chain\r\nmultiple authentication mechanisms, utilize a different key management\r\nsystem, or support a new key agreement algorithm.  [STANDARDS-TRACK]","pub_date":"April 2011","keywords":["[--------]"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC4120"],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC6113","errata_url":null}