Security Standards

Kerberos

Some of the TrustBroker products include an implementation of the Kerberos protocol, developed entirely by CyberSafe to conform to the standards. The standard that describes the Kerberos V5 protocol is RFC 4120 (previously RFC 1510); however, there are many updates, related standards and extensions to the protocol which have also been implemented in TrustBroker products. The tables below list these standards, grouped according to the standards organization that controls each specification and its usage.

More information about the Kerberos protocol, and how it is used in TrustBroker products, can be found here...

Internet Engineering Task Force (IETF)

These are IETF standards covering the Kerberos V5 protocol, its updates and extensions, and related standards the products depend on.

Standard | Name | Comments | Implemented

Kerberos V5
RFC 1510 | The Kerberos Network Authentication Service (V5) | Obsoleted by RFC 4120 | Yes
RFC 4120 | The Kerberos Network Authentication Service (V5) | Obsoletes RFC 1510. Updated by RFC 4537, 5021, 5896, 6111, 6112, 6113 | Yes

Updates
RFC 4537 | Kerberos Cryptosystem Negotiation Extension | Updates RFC 4120 | No
RFC 5021 | Extended Kerberos Version 5 Key Distribution Center (KDC) Exchange over TCP | Updates RFC 4120 | No
RFC 6111 | Additional Kerberos Naming Constraints | Updates RFC 4120 | No

Pre-Authentication
draft-ietf-cat-kerberos-pk-init-09 | Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) | Obsoleted by RFC 4556. Updates RFC 1510 | Yes
RFC 4556 | Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) | Updated by RFC 6112 | No (Windows 2000/2003 KDCs use the draft-09 form; Windows Server 2008 and later also support RFC 4556)
draft-ietf-krb-wg-preauth-framework-10 | A Generalized Framework for Kerberos Pre-Authentication (FAST) | Obsoleted by RFC 6113. Updates RFC 4120 | Yes (implemented, not yet shipped)
RFC 6113 | A Generalized Framework for Kerberos Pre-Authentication (FAST) | Updates RFC 4120 | In progress
draft-ietf-krb-wg-otp-preauth-18 | OTP Pre-Authentication | Later published as RFC 6560 | Future release

Encryption Types
RFC 1320 | The MD4 Message-Digest Algorithm | Obsoletes RFC 1186. Obsoleted by RFC 6150 | Yes
RFC 6150 | MD4 to Historic Status | Obsoletes RFC 1320 | No
RFC 1321 | The MD5 Message-Digest Algorithm | Updated by RFC 6151 | Yes
RFC 2104 | HMAC: Keyed-Hashing for Message Authentication | Updated by RFC 6151 | Yes
RFC 6151 | Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms | Updates RFC 1321, 2104 | Yes
RFC 3961 | Encryption and Checksum Specifications for Kerberos 5 | | Yes
RFC 4757 | The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows | RC4-HMAC-EXP deprecated by RFC 6649; RC4-HMAC deprecated by RFC 8429 | Yes
RFC 3962 | Advanced Encryption Standard (AES) Encryption for Kerberos 5 | | Yes
RFC 2898 | PKCS #5: Password-Based Cryptography Specification Version 2.0 | PBKDF2 is used by the RFC 3962 string-to-key function | Yes (as part of RFC 3962)
RFC 2040 | The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms | Ciphertext stealing (CTS) mode is used by RFC 3962 | Yes (as part of RFC 3962)

GSS-API
RFC 1508 | Generic Security Service Application Program Interface | Obsoleted by RFC 2078 | Yes
RFC 2078 | Generic Security Service Application Program Interface, Version 2 | Obsoletes RFC 1508. Obsoleted by RFC 2743 | Yes
RFC 2743 | Generic Security Service Application Program Interface Version 2, Update 1 | Obsoletes RFC 2078. Updated by RFC 5554 | Yes (mostly)
RFC 5554 | Clarifications and Extensions to the Generic Security Service Application Program Interface (GSS-API) for the Use of Channel Bindings | Updates RFC 2743 | Yes
RFC 5896 | Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy | Updates RFC 4120 | No
RFC 1509 | Generic Security Service API : C-bindings | Obsoleted by RFC 2744 | Yes
RFC 2744 | Generic Security Service API Version 2 : C-bindings | Obsoletes RFC 1509 | Yes
RFC 2853 | Generic Security Service API Version 2 : Java Bindings | Obsoleted by RFC 5653 | Yes
RFC 5653 | Generic Security Service API Version 2 : Java Bindings Update | Obsoletes RFC 2853 | No
RFC 1964 | The Kerberos Version 5 GSS-API Mechanism | Updated by RFC 4121 | Yes
RFC 4121 | The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 | Updates RFC 1964. Updated by RFC 6112 | Yes
RFC 6112 | Anonymity Support for Kerberos | Updates RFC 4120, 4121, 4556 | No
RFC 4559 | SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows | | In TrustBroker Adapter, CSTBsapwaLoginModule
RFC 2478 | The Simple and Protected GSS-API Negotiation Mechanism | Obsoleted by RFC 4178 | No
RFC 4178 | The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism | Obsoletes RFC 2478 | In TrustBroker Adapter, CSTBsapwaLoginModule

Miscellaneous
draft-ietf-cat-kerb-chg-password-02 | Kerberos Change Password Protocol | | Yes
RFC 3244 | Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols | | Yes
draft-ietf-krb-wg-kerberos-referrals-11 | Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals | Updates RFC 4120. Later published as RFC 6806 | Client implemented; server in a future release
RFC 1411 | Telnet Authentication: Kerberos Version 4 | | Yes
RFC 2942 | Telnet Authentication: Kerberos Version 5 | | Yes
draft-ietf-krb-wg-krb-dns-locate-03 | Distributing Kerberos KDC and Realm Information with DNS | | Used in ICAM code

External
RFC 2251 | Lightweight Directory Access Protocol (v3) | For key table management | In OpenLDAP library
RFC 3352 | Connection-less Lightweight Directory Access Protocol (CLDAP) to Historic Status (CLDAP itself is defined in RFC 1798) | For Active Directory site discovery | In OpenLDAP library
RFC 4752 | The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism | For key table management | In Cyrus SASL library
RFC 2631 | Diffie-Hellman Key Agreement Method | | In RSA BSAFE
RFC 3279 | Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | | In RSA BSAFE
RFC 3280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | Obsoleted by RFC 5280 | In RSA BSAFE
RFC 3370 | Cryptographic Message Syntax (CMS) Algorithms | | In RSA BSAFE

Potential future consideration (not implemented)
draft-skibbie-krb-kdc-ldap-schema-02 | Kerberos KDC LDAP Schema
draft-ietf-krb-wg-hw-auth-00 | Passwordless Initial Authentication to Kerberos by Hardware Preauthentication | Superseded by FAST pre-authentication
draft-ietf-krb-wg-utf8-profile-01 | Preparation of Internationalized Strings Profile for Kerberos UTF-8 Strings
draft-skibbie-krb-kdckeys-ldap-schema-00 | Keys Extension for the Kerberos KDC LDAP Schema
draft-ietf-krb-wg-kerberos-sam-03 | Integrating Single-use Authentication Mechanisms with Kerberos
RFC 4430 | Kerberized Internet Negotiation of Keys (KINK)
RFC 3129 | Requirements for Kerberized Internet Negotiation of Keys
draft-ietf-cat-kerberos-pk-cross-08 | Public Key Cryptography for Cross-Realm Authentication in Kerberos
draft-ietf-cat-user2user-02 | User to User Kerberos Authentication using GSS-API
draft-trostle-lwkerb-01 | The Lightweight Kerberos Protocol
draft-ietf-krb-wg-iakerb-02 | Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)
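The Encryption Types rows list RFC 2898 (PBKDF2) and RFC 2040 (CTS) because the RFC 3962 string-to-key function is built from them: the pass phrase is run through PBKDF2-HMAC-SHA-1 with the salt and iteration count, and the result is turned into the AES key with the RFC 3961 DK function, whose encryption step is AES in CBC-CTS mode with a zero IV (on the single-block n-folded constant "kerberos" that is one raw AES block encryption, which is why no separate CTS code is needed here). The Go program below is an added example written for this page, not CyberSafe's TrustBroker code; it implements n-fold (RFC 3961 section 5.1), PBKDF2 and DK from the Go standard library only, and checks itself against two of the RFC 3962 Appendix B test vectors. The function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// lcm of two positive integers; n-fold works on lcm(output bytes, input bytes) bytes.
func lcm(a, b int) int {
	x, y := a, b
	for y != 0 {
		x, y = y, x%y
	}
	return a / x * b
}

// rotRight rotates a byte string right by r bits, treating it as one big-endian bit string.
func rotRight(in []byte, r int) []byte {
	bits := len(in) * 8
	r %= bits
	out := make([]byte, len(in))
	for q := 0; q < bits; q++ {
		p := ((q-r)%bits + bits) % bits // source bit for output bit q
		bit := (in[p/8] >> (7 - uint(p%8))) & 1
		out[q/8] |= bit << (7 - uint(q%8))
	}
	return out
}

// nfold implements RFC 3961 section 5.1: concatenate copies of the input, each
// rotated right 13 bits more than the previous one, until lcm(n, len) bytes are
// filled, then add the n-byte chunks with ones' complement (end-around carry).
func nfold(in []byte, n int) []byte {
	l := lcm(n, len(in))
	buf := make([]byte, 0, l)
	for i := 0; i < l/len(in); i++ {
		buf = append(buf, rotRight(in, 13*i)...)
	}
	out := make([]byte, n)
	for c := 0; c < l/n; c++ {
		carry := 0
		for j := n - 1; j >= 0; j-- {
			s := int(out[j]) + int(buf[c*n+j]) + carry
			out[j] = byte(s)
			carry = s >> 8
		}
		for j := n - 1; carry != 0 && j >= 0; j-- { // end-around carry
			s := int(out[j]) + carry
			out[j] = byte(s)
			carry = s >> 8
		}
	}
	return out
}

// pbkdf2SHA1 is PBKDF2 (RFC 2898 section 5.2) with HMAC-SHA-1 as the PRF,
// the combination RFC 3962 section 4 specifies.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	var ctr [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey is DK(key, constant) from RFC 3961 section 5.1 for the AES enctypes,
// where random-to-key is the identity: K1 = E(key, n-fold(constant)), Kn = E(key, Kn-1),
// and E on one block with a zero IV is a single raw AES encryption.
func deriveKey(key, constant []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	in := constant
	if len(in) != bs {
		in = nfold(constant, bs)
	}
	out := make([]byte, 0, len(key))
	prev := make([]byte, bs)
	block.Encrypt(prev, in)
	out = append(out, prev...)
	for len(out) < len(key) { // AES-256 needs a second block
		next := make([]byte, bs)
		block.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:len(key)]
}

// aesStringToKey is RFC 3962 section 4: DK(PBKDF2(pass, salt, iter, keyLen), "kerberos").
func aesStringToKey(password, salt string, iterations, keyLen int) []byte {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	return deriveKey(tkey, []byte("kerberos"))
}

func main() {
	// Vectors from RFC 3962 Appendix B (pass phrase "password", salt "ATHENA.MIT.EDUraeburn").
	vectors := []struct {
		iter, keyLen int
		want         string
	}{
		{1, 16, "42263c6e89f4fc28b8df68ee09799f15"},
		{2, 16, "c651bf29e2300ac27fa469d693bdda13"},
	}
	for _, v := range vectors {
		got := hex.EncodeToString(aesStringToKey("password", "ATHENA.MIT.EDUraeburn", v.iter, v.keyLen))
		fmt.Printf("iter=%d aes%d %s match=%v\n", v.iter, v.keyLen*8, got, got == v.want)
	}
	// RFC 3962's default iteration count is 4096; an AES-256 key exercises the two-block DR loop.
	k := aesStringToKey("password", "ATHENA.MIT.EDUraeburn", 4096, 32)
	fmt.Printf("iter=4096 aes256 %s\n", hex.EncodeToString(k))
}
```

The salt in the vectors is the RFC 4120 default, realm name followed by the principal name components; the iteration count is negotiated in the KDC's ETYPE-INFO2 pre-authentication data, and the low counts used in the vectors exist only to make the arithmetic checkable. The security-relevant detail is that PBKDF2 is the only password-stretching step: whoever captures an AS-REP or a pre-authentication timestamp can test guesses at exactly the cost of this function, so the iteration count a KDC advertises is a direct dial on offline guessing.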

International Telecommunication Union (ITU-T)

Formerly known as CCITT.

Kerberos protocol messages are defined in ASN.1, and this standard defines how they are encoded when passed over the network: RFC 4120 requires the Distinguished Encoding Rules (DER) of X.690, the canonical subset of BER in which every value has exactly one encoding.

Standard | Name | Comments | Implemented
X.690 | ASN.1 encoding rules (BER, CER and DER) | Kerberos messages are encoded with DER | Yes
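Every field of an RFC 4120 message carries an explicit context-specific tag ([0], [1], ...) wrapping the underlying universal type, so a Kerberos decoder has to walk the DER tag-length-value structure rather than just read positional fields. As an added example, not code from this page or from TrustBroker, the Go program below hand-decodes a PrincipalName (RFC 4120 section 5.2.2) and rejects what DER forbids: indefinite lengths, non-minimal length and INTEGER encodings, and trailing bytes. The sample DER bytes are constructed for the example, and the type and function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// X.690 section 8.1.2 identifier-octet values used below.
const (
	classUniversal   = 0
	classContext     = 2
	tagInteger       = 2
	tagSequence      = 16
	tagGeneralString = 27
)

type tlv struct {
	class       int
	constructed bool
	tag         int
	value       []byte
}

// readTLV decodes one DER element from the front of b and returns it with the
// unconsumed remainder, enforcing definite and minimal lengths and bounds.
func readTLV(b []byte) (tlv, []byte, error) {
	if len(b) < 2 {
		return tlv{}, nil, errors.New("der: truncated element")
	}
	t := tlv{class: int(b[0] >> 6), constructed: b[0]&0x20 != 0, tag: int(b[0] & 0x1f)}
	if t.tag == 0x1f {
		return tlv{}, nil, errors.New("der: high-tag-number form not used by Kerberos")
	}
	i := 1
	length := int(b[i])
	i++
	if length == 0x80 {
		return tlv{}, nil, errors.New("der: indefinite length is BER, not DER")
	}
	if length > 0x80 {
		n := length & 0x7f
		if n > 4 || len(b) < i+n {
			return tlv{}, nil, errors.New("der: bad long-form length")
		}
		length = 0
		for k := 0; k < n; k++ {
			length = length<<8 | int(b[i+k])
		}
		i += n
		// DER: long form only for lengths >= 128, and no leading zero octets.
		if length < 0x80 || (n > 1 && length < 1<<(8*(n-1))) {
			return tlv{}, nil, errors.New("der: non-minimal length")
		}
	}
	if len(b)-i < length {
		return tlv{}, nil, errors.New("der: length exceeds buffer")
	}
	t.value = b[i : i+length]
	return t, b[i+length:], nil
}

// expect checks class, tag and form; this is how the explicit [n] tags are told apart.
func expect(t tlv, class, tag int, constructed bool) error {
	if t.class != class || t.tag != tag || t.constructed != constructed {
		return fmt.Errorf("der: unexpected element class=%d tag=%d constructed=%v", t.class, t.tag, t.constructed)
	}
	return nil
}

// parseInt32 decodes a DER INTEGER into the Kerberos Int32 range.
func parseInt32(t tlv) (int32, error) {
	if err := expect(t, classUniversal, tagInteger, false); err != nil {
		return 0, err
	}
	v := t.value
	if len(v) == 0 || len(v) > 4 {
		return 0, errors.New("der: Int32 out of range")
	}
	if len(v) > 1 && ((v[0] == 0x00 && v[1]&0x80 == 0) || (v[0] == 0xff && v[1]&0x80 != 0)) {
		return 0, errors.New("der: non-minimal INTEGER")
	}
	var n int64
	if v[0]&0x80 != 0 {
		n = -1 // sign-extend two's complement
	}
	for _, c := range v {
		n = n<<8 | int64(c)
	}
	return int32(n), nil
}

// PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
type PrincipalName struct {
	NameType   int32
	NameString []string
}

func parsePrincipalName(der []byte) (PrincipalName, error) {
	var pn PrincipalName
	seq, rest, err := readTLV(der)
	if err != nil {
		return pn, err
	}
	if len(rest) != 0 {
		return pn, errors.New("der: trailing bytes after PrincipalName")
	}
	if err := expect(seq, classUniversal, tagSequence, true); err != nil {
		return pn, err
	}
	f0, body, err := readTLV(seq.value) // [0] EXPLICIT wraps the INTEGER
	if err != nil {
		return pn, err
	}
	if err := expect(f0, classContext, 0, true); err != nil {
		return pn, err
	}
	inner, extra, err := readTLV(f0.value)
	if err != nil {
		return pn, err
	}
	if len(extra) != 0 {
		return pn, errors.New("der: junk inside [0]")
	}
	if pn.NameType, err = parseInt32(inner); err != nil {
		return pn, err
	}
	f1, body, err := readTLV(body) // [1] EXPLICIT wraps SEQUENCE OF GeneralString
	if err != nil {
		return pn, err
	}
	if len(body) != 0 {
		return pn, errors.New("der: unexpected field after [1]")
	}
	if err := expect(f1, classContext, 1, true); err != nil {
		return pn, err
	}
	sof, extra, err := readTLV(f1.value)
	if err != nil {
		return pn, err
	}
	if len(extra) != 0 {
		return pn, errors.New("der: junk inside [1]")
	}
	if err := expect(sof, classUniversal, tagSequence, true); err != nil {
		return pn, err
	}
	for items := sof.value; len(items) > 0; {
		var s tlv
		if s, items, err = readTLV(items); err != nil {
			return pn, err
		}
		if err := expect(s, classUniversal, tagGeneralString, false); err != nil {
			return pn, err
		}
		pn.NameString = append(pn.NameString, string(s.value))
	}
	return pn, nil
}

// Constructed sample, not a captured packet: DER for
// PrincipalName { name-type 2 (NT-SRV-INST), name-string ["krbtgt", "EXAMPLE.COM"] }.
var samplePrincipalDER = []byte{
	0x30, 0x1e, // SEQUENCE, 30 bytes
	0xa0, 0x03, 0x02, 0x01, 0x02, // [0] { INTEGER 2 }
	0xa1, 0x17, // [1], 23 bytes
	0x30, 0x15, // SEQUENCE OF, 21 bytes
	0x1b, 0x06, 'k', 'r', 'b', 't', 'g', 't', // GeneralString "krbtgt"
	0x1b, 0x0b, 'E', 'X', 'A', 'M', 'P', 'L', 'E', '.', 'C', 'O', 'M', // GeneralString "EXAMPLE.COM"
}

func main() {
	pn, err := parsePrincipalName(samplePrincipalDER)
	if err != nil {
		fmt.Println("parse failed:", err)
		return
	}
	fmt.Printf("name-type=%d name-string=%q\n", pn.NameType, pn.NameString)
	// The same value with a BER-style two-byte length (81 1e) is not DER and is refused.
	loose := append([]byte{0x30, 0x81, 0x1e}, samplePrincipalDER[2:]...)
	_, err = parsePrincipalName(loose)
	fmt.Println("non-minimal length accepted:", err == nil)
}
```

Insisting on canonical DER matters beyond tidiness: if a decoder accepts several encodings of the same value, a checksum or signature computed over a re-encoded message may no longer match the bytes that were actually received, and two parsers can disagree about what a message said.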

Federal Information Processing Standards (FIPS)

Standard | Name | Comments | Implemented
FIPS 180-1 | Secure Hash Standard (SHA-1) | Superseded by FIPS 180-2 and later revisions | Yes
FIPS 197 | Advanced Encryption Standard (AES) | | Yes
FIPS 46-3 | Data Encryption Standard (DES) | Withdrawn by NIST in 2005; the DES Kerberos enctypes are deprecated by RFC 6649 | Yes

Microsoft

Some security interfaces defined by Microsoft are used in TrustBroker products.

Standard | Name | Comments | Implemented
Crypto API | Cryptographic Application Programming Interface (MS-CAPI) | | Yes

RSA Security (PKCS)

Some PKCS security standards published by RSA Security are used by TrustBroker products.

Standard | Name | Comments | Implemented
PKCS#11 | Cryptographic Token Interface | Sometimes referred to as Cryptoki | Yes