A Simple Anonymous GSS-API Mechanism

The Generic Security Service Application Program Interface (GSS-API) provides a framework for authentication and message protection services through a common programming interface. The Simple Anonymous mechanism described in this document (hereafter SAnon) is a simple protocol based on the X25519 elliptic curve Diffie–Hellman (ECDH) key agreement scheme defined in . No authentication of initiator or acceptor is provided. A potential use of SAnon is to provide a degree of privacy when bootstrapping unkeyed entities.

The GSS-API protocol involves a client, known as the initiator, sending an initial security context token of a chosen GSS-API security mechanism to a peer, known as the acceptor. The two peers subsequently exchange, synchronously, as many security context tokens as necessary to complete the authentication or fail. The specific number of context tokens exchanged varies by security mechanism: in the case of the SAnon mechanism, it is two (i.e. a single round trip). Once authentication is complete, the initiator and acceptor share a security context which can be used for integrity or confidentiality, protecting subsequent application messages.

GSS-API provides a number of a services to the calling application: integrity and optional confidentiality for a message integrity for a message sent separately shared key derivation (e.g., for keying external confidentiality and integrity layers) These services are used with security contexts having a shared session key to protect application-layer messages.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

The means of discovering GSS-API peers and their supported mechanisms is out of this specification's scope. To avoid multiple negotiation layers and implementation complexity, this specification is deliberately not crypto-agile. A future variant using a different key exchange algorithm would be assigned a different mechanism OID. If anonymity is not desired then SAnon MUST NOT be used. Either party can test for the presence of GSS_C_ANON_FLAG to check if anonymous authentication was performed.

The GSS-API provides a rich security principal naming model. At its most basic the query forms of names consist of a user-entered/displayable string and a "name-type". Name-types are constants with names prefixed with "GSS_C_NT_" in the GSS-API.

This name type is supported when the input name string is the well known anonymous name string, WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. In all other cases, importing the name MUST fail.

This name type identifies a host-based service and is generally used by acceptors. To allow existing applications to work unmodified with SAnon, it is useful to allow anonymous acceptor credentials to be acquired regardless of the service name. (It follows from SAnon not performing mutual authentication that the acceptor identity is meaningless.) When importing a name of this type the name string SHOULD be ignored.

The name type, along with all other acceptor name types, are treated identically to GSS_C_NT_HOSTBASED_SERVICE.

When importing a name of this type the name string MUST be ignored. Functions that return a name type to the caller MUST always return this name type. The display form is the well known anonymous name string, WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. This is always the name observed by a SAnon peer.

The SAnon GSS-API mechanism has a single anonymous identity, the well known anonymous name. The canonical form is the well known anonymous name string with the GSS_C_NT_ANONYMOUS name type.

Many deployed applications do not have explicit support for anonymous authentication. To ease deployment, we recommend allowing anonymous authentication to be requested by the initiator acquiring a credential with a well known anonymous name. This may allow the end-user to request anonymous authentication directly, without requiring the application be modified to support GSS_C_ANON_FLAG. The well known anonymous name has the same display form as in Kerberos , allowing acceptors to perform name-based authorization in a mechanism-agnostic manner. This approach may, however, disadvantage applications that wish to use GSS_C_ANON_FLAG to select anonymous authentication, as importing a non-anonymous initiator name would fail with this approach. We consider this an acceptable compromise given the limited deployment of GSS_C_ANON_FLAG in existing implementations.

The mechanism attributes for this mechanism are: GSS_C_MA_MECH_CONCRETE GSS_C_MA_ITOK_FRAMED GSS_C_MA_AUTH_INIT_ANON GSS_C_MA_AUTH_TARG_ANON GSS_C_MA_INTEG_PROT GSS_C_MA_CONF_PROT GSS_C_MA_MIC GSS_C_MA_WRAP GSS_C_MA_REPLAY_DET GSS_C_MA_OOS_DET GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_CTX_TRANS

The initial context token is framed per Section 1 of :

GSS-API DEFINITIONS ::= BEGIN MechType ::= OBJECT IDENTIFIER -- representing SAnon mechanism GSSAPI-Token ::= [APPLICATION 0] IMPLICIT SEQUENCE { thisMech MechType, innerToken ANY DEFINED BY thisMech -- 32 byte initiator public key } END On the first call to GSS_Init_sec_context(), the mechanism checks for one of the following: The caller set anon_req_flag (GSS_C_ANON_FLAG); or The claimant_cred_handle identity is the well known anonymous name; or The claimant_cred_handle is the default credential and targ_name an anonymous name. If none of the above are the case, the call MUST fail with GSS_S_UNAVAILABLE. If proceeding, the initiator generates a fresh secret and public key pair per Section 6.1 of and returns GSS_S_CONTINUE_NEEDED indicating that a subsequent context token from the acceptor is expected. The innerToken field of the output_token contains the initiator's 32 byte public key.

Upon receiving a context token from the initiator, the acceptor validates that the token is well formed and contains a public key of the requisite length. The acceptor generates a fresh secret and public key pair. A session key is computed as specified in . The acceptor constructs an output_token by concatenating its public key with the token emitted by calling GSS_GetMIC() with the default QOP and zero-length octet string. The output token is sent to the initiator without additional framing. The acceptor then returns GSS_S_COMPLETE, setting src_name to the well known anonymous name. The reply_det_state (GSS_C_REPLAY_FLAG), sequence_state (GSS_C_SEQUENCE_FLAG), conf_avail (GSS_C_CONF_FLAG), integ_avail (GSS_C_INTEG_FLAG) and anon_state (GSS_C_ANON_FLAG) security context flags are set to TRUE. The context is ready to use.

Upon receiving the acceptor context token and verifying it is well formed, the initiator extracts the acceptor's public key (being the first 32 bytes of the input token) and computes the session key per . The initiator then calls GSS_VerifyMIC() with the MIC sent by the acceptor and the zero-length octet string. If successful, the initiator returns GSS_S_COMPLETE to the caller, to indicate the initiator is authenticated and the context is ready for use. No output token is emitted. Security context flags are set as for the acceptor context.

The per-message tokens definitions are imported from Section 4.2. The base key used to derive specific keys for signing and sealing messages is the session key defined in . The encryption and checksum algorithms use the aes128-cts-hmac-sha256-128 encryption type defined in . The AcceptorSubkey flag as defined in Section 4.2.2 MUST be set.

Context deletion tokens are empty in this mechanism. The behavior of GSS_Delete_sec_context() is as specified in Section 4.3.

The exported name token format for the SAnon GSS-API mechanism is the same as the display form, plus the standard exported name token format header mandated by the GSS-API .

The ECDH shared secret k is computed by calling the X25519 function with the local secret key and the peer's public key, as specified in Section 6.1 of . The context session key (K1) is computed using a key derivation function from Section 5.1 of with HMAC as the PRF: K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k) where: the ECDH shared secret computed previously the iteration count from Section 5.1 of the string "sanon-x25519" (without quotation marks) the concatenation of the initiator and acceptor public keys, along with the channel binding application data (if present), in that order The inclusion of channel bindings in the key derivation function means that the acceptor cannot ignore initiator channel bindings; this differs from some other mechanisms. This session key is equivalent to the acceptor-asserted subkey defined in Section 2 and is used as the base key for generating keys for per-message tokens and the GSS-API PRF. The session key encryption type is aes128-cts-hmac-sha256-128 as defined in . The algorithm protocol parameters are as given in Section 5.

The GSS-API pseudo-random function for this mechanism imports the definitions from , using the context session key as the base key for both GSS_C_PRF_KEY_FULL and GSS_C_PRF_KEY_PARTIAL usages.

When SAnon is negotiated by , the authentication scheme identifier is DEE384FF-1086-4E86-BE78-B94170BFD376. The initiator and acceptor keys for NegoEx checksum generation and verification are derived using the PRF from the previous section, with the input data "sanon-x25519-initiator-negoex-key" and "sanon-x25519-acceptor-negoex-key" respectively (without quotation marks). No NegoEx metadata is specified. Any metadata present MUST be ignored.

The mechanism OID for SAnon is 1.3.6.1.4.1.5322.26.1.110.

69 df cc 04 2b 7a 33 f8 1a 43 fb f0 33 0a b5 3fbc 20 e6 c1 4f f8 26 ce 6a 4d bc 8c 6e e4 2b a9 d2 1e 3e 58 60 b0 16 6c d1 cb 38 1a aa 89 62 9307 13 ae e1 76 86 93 10 46 57 a7 a1 9c 1d 76 2e 60 2c 06 0a 2b 06 01 04 01 a9 4a 1a 01 6e d2 1e3e 58 60 b0 16 6c d1 cb 38 1a aa 89 62 93 07 13ae e1 76 86 93 10 46 57 a7 a1 9c 1d 76 2e 3e 4f e6 5b ea 85 94 3b 5a a2 b7 83 f6 26 84 1a10 39 d5 d3 6d af 85 aa a1 6f 12 97 57 99 6c ff a8 32 14 9d 58 33 13 ce 1c 55 7b 2b d1 8a e7 a559 8c a6 4b 02 20 83 5e 16 be 09 ca 2f 90 60 31 af f1 8d b7 45 c6 27 cd a8 da d4 9b d7 e7 01 25 a8 32 14 9d 58 33 13 ce 1c 55 7b 2b d1 8a e7 a559 8c a6 4b 02 20 83 5e 16 be 09 ca 2f 90 60 3104 04 05 ff ff ff ff ff 00 00 00 00 00 00 00 0045 02 7b a8 15 1c 33 05 22 bb c4 36 84 d2 e1 8c

This document defines a GSS-API security mechanism, and therefore deals in security and has security considerations text embedded throughout. This section only addresses security considerations associated with the SAnon mechanism described in this document. It does not address security considerations associated with the GSS-API itself. This mechanism provides only for key agreement. It does not authenticate the identity of either party. It MUST not be selected if either party requires identification of its peer.

AuriStor, Inc funded the design of this protocol, along with an implementation for the Heimdal GSS-API library. Jeffrey Altman, Greg Hudson, Simon Josefsson, and Nicolas Williams provided valuable feedback on this document.