
Enhancing Credential Selection in IETF Protocols for Improved User Authentication

This proposal discusses the challenges faced by clients with multiple credentials during authentication in various IETF protocols. Using the TLS and X.509 case study as a foundation, it highlights the need for a common data structure for credential selection that transcends protocol boundaries. The proposed design emphasizes simplicity, extensibility, and agnosticism towards new credential formats, ensuring that clients can easily navigate the complexities of authentication. The document outlines required criteria and features for this new structure, promoting improved interoperability and user experience.





Presentation Transcript


  1. Enhancing Credential Selection in IETF Protocols
     Stefan Santesson, stefans@microsoft.com

  2. Problem
     • The client user has a set of credentials
     • The service requests that the user authenticate using a credential
     • The user has several credentials matching the criteria from the service

  3. Case study: TLS and X.509
     • Criteria restricted to CA names and public key algorithms
     • We have encountered many situations where this is not sufficient
       • Multiple roles
       • Different services under common roots

  4. Proposal
     • http://www.ietf.org/internet-drafts/draft-santesson-credsel-01.txt
     • A common data construct for credential selection that can be sent in multiple protocols
     • Currently generic, but may be restricted to X.509

  5. Design criteria
     • Generic
     • Simple design
     • Easy to use for clients
     • Agnostic to new credential format development
     • Extensible

  6. Structure

     SelectionCriteria ::= SEQUENCE OF Criteria

     Criteria ::= SEQUENCE {
         credentialType  OBJECT IDENTIFIER,   -- identifier for credential type
         selectData      SelectData }

     SelectData ::= SEQUENCE {
         basicSelectData     [0] BasicSelectData OPTIONAL,
         advancedSelectData  [1] AdvancedSelectData OPTIONAL }

     AdvancedSelectData ::= SEQUENCE {
         selectSyntaxID  OBJECT IDENTIFIER,
         selectData      ANY DEFINED BY selectSyntaxID }

     BasicSelectData ::= SEQUENCE {
         includeStrings  [0] SelectStrings OPTIONAL,
         excludeStrings  [1] SelectStrings OPTIONAL }

     SelectStrings ::= SEQUENCE OF AltValues

     AltValues ::= SEQUENCE OF OCTET STRING

  7. Example: X.509

     BasicSelectData (SEQUENCE)
       Include strings (SEQUENCE)
         - AltValues (SEQUENCE)
           - Certificate policy 1 OID
           - Certificate policy 2 OID
         - AltValues (SEQUENCE)
           - Key usage extension (with only the digital signature bit set)
       Exclude strings (SEQUENCE)
         - AltValues (SEQUENCE)
           - EKU A OID
           - EKU B OID

     The certificate matches if all of the following are true:
     • includes certificate policy 1 or certificate policy 2 (or both)
     • includes a key usage extension with only the digital signature bit set
     • does not contain EKU OID A
     • does not contain EKU OID B

  8. Example – Name attribute search

     Tag (hex)  Length (decimal)  Value
     ------------------------------------------------------------------
     30         37                SEQUENCE
     06         3                 OBJECT IDENTIFIER commonName (2 5 4 3)
     13         30                PrintableString 'Microsoft Corp Enterprise CA 2'

     Search octet string DER:
     30 25 06 03 85 04 03 13 1e 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 20
     45 6e 74 65 72 70 72 69 73 65 20 43 41 20 32
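The following is an added example, not code from the draft or the slides, that implements the BasicSelectData matching rule of slide 7 (an AltValues entry matches if any one of its alternatives occurs in the credential; every include entry must match and no exclude entry may) and the DER encoding of the slide 8 name attribute as the octet string a client would search for. The certificate bytes, the policy OIDs (1.2.3.4.5.x) and the EKU OIDs (1.2.3.4.6.x) are constructed placeholders; the matcher is a plain byte-substring search over the certificate DER, exactly the "complete OID or complete extension" capability slide 9 describes. Note that the first content byte of the commonName OID 2.5.4.3 is 40*2+5 = 85 decimal, i.e. 0x55 in the hex dump.

```python
# Added example (not from the draft or slides): BasicSelectData matcher and
# DER encoder for the name-attribute search string. Standard library only.
from dataclasses import dataclass, field
from typing import List


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a complete OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]            # 2.5 -> 85 (0x55)
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base-128, high bit = "more"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def name_attribute(oid: str, value: str) -> bytes:
    """AttributeTypeAndValue as on slide 8: SEQUENCE { OID, PrintableString }."""
    return der_tlv(0x30, der_oid(oid) + der_tlv(0x13, value.encode("ascii")))


@dataclass
class BasicSelectData:
    # Each inner list is one AltValues (alternatives OR-ed together).
    include_strings: List[List[bytes]] = field(default_factory=list)
    exclude_strings: List[List[bytes]] = field(default_factory=list)


def matches(cert_der: bytes, sel: BasicSelectData) -> bool:
    """Slide 7 rule: every include entry has some alternative present,
    and no alternative of any exclude entry is present."""
    for alternatives in sel.include_strings:
        if not any(alt in cert_der for alt in alternatives):
            return False
    for alternatives in sel.exclude_strings:
        if any(alt in cert_der for alt in alternatives):
            return False
    return True


# Constructed placeholder OIDs (not real policy or EKU arcs).
POLICY_1, POLICY_2 = "1.2.3.4.5.1", "1.2.3.4.5.2"
EKU_A, EKU_B = "1.2.3.4.6.1", "1.2.3.4.6.2"

# Complete keyUsage extension (2.5.29.15), critical, with only digitalSignature
# set: BIT STRING 03 02 07 80 wrapped in an OCTET STRING extnValue.
KEY_USAGE_DIGSIG_ONLY = der_tlv(0x30, der_oid("2.5.29.15")
                                + der_tlv(0x01, b"\xff")
                                + der_tlv(0x04, bytes([0x03, 0x02, 0x07, 0x80])))


def build_sample_cert(policies: List[str], ekus: List[str]) -> bytes:
    """Constructed stand-in for a certificate: only the parts the matcher
    looks at (issuer CN, certificatePolicies, keyUsage, extKeyUsage)."""
    pol_ext = der_tlv(0x30, der_oid("2.5.29.32") + der_tlv(0x04, der_tlv(
        0x30, b"".join(der_tlv(0x30, der_oid(p)) for p in policies))))
    eku_ext = der_tlv(0x30, der_oid("2.5.29.37") + der_tlv(0x04, der_tlv(
        0x30, b"".join(der_oid(e) for e in ekus))))
    issuer = der_tlv(0x30, der_tlv(0x31, name_attribute(
        "2.5.4.3", "Microsoft Corp Enterprise CA 2")))
    return der_tlv(0x30, issuer + der_tlv(0x30, pol_ext + KEY_USAGE_DIGSIG_ONLY + eku_ext))


def slide7_criteria() -> BasicSelectData:
    return BasicSelectData(
        include_strings=[[der_oid(POLICY_1), der_oid(POLICY_2)],
                         [KEY_USAGE_DIGSIG_ONLY]],
        exclude_strings=[[der_oid(EKU_A), der_oid(EKU_B)]],
    )


if __name__ == "__main__":
    print(name_attribute("2.5.4.3", "Microsoft Corp Enterprise CA 2").hex())
    print(matches(build_sample_cert([POLICY_2], ["1.2.3.4.6.9"]), slide7_criteria()))
    print(matches(build_sample_cert([POLICY_1], [EKU_A]), slide7_criteria()))
```

Because the search is a raw substring match, an OID TLV is found wherever it occurs in the certificate, not only in the extension the selector had in mind; that is the "search for X somewhere in part Y" gap that slide 9 lists as something the basic syntax cannot express.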

  9. X.509 – Can and can't do
     • Can do
       • Search for specific OIDs and attributes, such as certificate policies and EKUs
       • Search for complete extensions, such as acceptable key usage extensions
     • Can't do
       • Search for an extension with specific partial content when the length of the extension is unknown
       • Search for X somewhere in part Y

  10. Kerberos ticket – RFC 4120
      • Search possible on Realm and Principal Name only
      • Is it useful?

      Ticket ::= [APPLICATION 1] SEQUENCE {
          tkt-vno   [0] INTEGER (5),
          realm     [1] Realm,
          sname     [2] PrincipalName,
          enc-part  [3] EncryptedData -- EncTicketPart
      }

  11. Way forward
      • Good or bad idea?
      • Terminology – credential?
      • Progress as an individual submission or within a working group?
      • Implementation in protocols
