HW-AUTHENT flag question
Nicolas.Williams at sun.com
Tue Feb 9 22:15:04 EST 2010
On Tue, Feb 09, 2010 at 07:05:32PM -0600, Will Fiveash wrote:
> Someone sent me this question:
> Microsoft makes a confusing statement in "[MSKILE]"
> http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-KILE%5D.pdf :
> The HW-AUTHENT flag
> ([RFC4120]<http://go.microsoft.com/fwlink/?LinkId=90458> section 2.1):
> This flag was originally intended to indicate that hardware-supported
> authentication was used during pre-authentication. This flag is no
> longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a
> ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is
> set by another KDC.
> Who said that it "is no longer recommended"? I did not hear anything
> like this elsewhere and IMHO this the exact opposite of what makes
> What is the current take on HW-AUTHENT flag?
RFC4120 says no such thing. It does not say that this flag MUST NOT be
used or propagated.
However, the hardware pre-auth content in RFC4120 was incomplete. That
is, no hardware token pre-auth existed as a standard. There's work
ongoing to add support for OTPs, and PKINIT itself arguably supports
hardware tokens (smartcards) when you know that a private key was
provisioned via some process that ensures that the private key resides
in a hardware token and cannot be extracted from it without defeating
physical tamper resistance (and/or side channels) of the token.
Sadly, RFC4556 says nothing about PKINIT and the HW-AUTHENT ticket flag.
IMO if the KDB says that a client principal's private key is believed to
have been provisioned via an acceptable hardware token and process, then
the AS ought to set the HW-AUTHENT ticket flag in INITIAL tickets
issued to such client principals, and the TGS ought to copy that flag
from TGTs to tickets it issues.
More information about the krbdev