Search RFCs

RFC Editor

File formats:

Status:

PROPOSED STANDARD

Updates:

RFC 4120

Authors:

S. Hartman
L. Zhu

Stream:

IETF

Source:

krb-wg (sec)

Cite this RFC:TXT  | XML  |  BibTeX

DOI:  https://doi.org/10.17487/RFC6113

Discuss this RFC: Send questions or comments to the mailing listkitten@ietf.org

Other actions:Submit Errata  | Find IPR Disclosures from the IETF  | View History of RFC 6113

Abstract

Kerberos is a protocol for verifying the identity of principals(e.g., a workstation user or a network server) on an open network.The Kerberos protocol provides a facility called pre-authentication.Pre-authentication mechanisms can use this facility to extend theKerberos protocol and prove the identity of a principal.

This document describes a more formal model for this facility. Themodel describes what state in the Kerberos request apre-authentication mechanism is likely to change. It also describeshow multiple pre-authentication mechanisms used in the same requestwill interact.

This document also provides common tools needed by multiplepre-authentication mechanisms. One of these tools is a secure channelbetween the client and the key distribution center with a reply keystrengthening mechanism; this secure channel can be used to protectthe authentication exchange and thus eliminate offline dictionaryattacks. With these tools, it is relatively straightforward to chainmultiple authentication mechanisms, utilize a different key managementsystem, or support a new key agreement algorithm. [STANDARDS-TRACK]

For the definition ofStatus,seeRFC 2026.

For the definition ofStream, seeRFC 8729.