We are a global security software vendor, providing mature, proven, standards-based solutions that enable true enterprise-class security for mission critical business applications – on the intranet or in the cloud. Our TrustBroker products leverage two decades of Kerberos expertise and existing infrastructures, such as Microsoft Active Directory – for authentication and key management, to lower costs and deliver exceptional return on investment. TrustBroker integrates seamlessly with solutions from leading vendors, including SAP and Sybase, to reliably deliver strong authentication, single sign-on and end-to-end protection of application data in transit.
Security Standards
Kerberos
Some of the TrustBroker products include an implementation of the Kerberos protocol, developed entirely by CyberSafe to conform to the standards. The standard which describes the Kerberos V5 protocol is RFC 4120 (previously RFC 1510); however, there are many updates, related standards and extensions to the protocol which have been implemented in TrustBroker products. The tables below list these standards, grouped according to the standards organization that controls the standard specifications and usage.
More information about the Kerberos protocol, and how it is used in TrustBroker products, can be found here...
Internet Engineering Task Force (IETF)
These standards are IETF standards and refer to the Kerberos V5 protocol, related standards and extensions. The Implemented column records whether, and where, TrustBroker implements each one.
Standard | Name | Comments | Implemented |
---|---|---|---|
Kerberos V5 | | | |
RFC 1510 | The Kerberos Network Authentication Service (V5) | Obsoleted by RFC 4120 | Yes |
RFC 4120 | The Kerberos Network Authentication Service (V5) | Updated by RFC 4537, 5021, 5896, 6111, 6112, 6113 | Yes |
Updates | | | |
RFC 4537 | Kerberos Cryptosystem Negotiation Extension | Updates RFC 4120 | No |
RFC 5021 | Extended Kerberos Version 5 Key Distribution Center (KDC) Exchange over TCP | Updates RFC 4120 | No |
RFC 6111 | Additional Kerberos Naming Constraints | Updates RFC 4120 | No |
Pre-Authentication | | | |
draft-ietf-cat-kerberos-pk-init-09 | Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) | Obsoleted by RFC 4556. Updates RFC 1510 | Yes |
RFC 4556 | Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) | Updated by RFC 6112 | No (not used by Active Directory) |
draft-ietf-krb-wg-preauth-framework-10 | A Generalized Framework for Kerberos Pre-Authentication (FAST) | Obsoleted by RFC 6113. Updates RFC 4120 | Yes (not shipped yet) |
RFC 6113 | A Generalized Framework for Kerberos Pre-Authentication (FAST) | Updates RFC 4120 | In progress |
draft-ietf-krb-wg-otp-preauth-18 | OTP Pre-Authentication | | Future release |
Encryption Types | | | |
RFC 1320 | The MD4 Message-Digest Algorithm | Obsoletes RFC 1186. Obsoleted by RFC 6150 | Yes |
RFC 6150 | MD4 to Historic Status | Obsoletes RFC 1320 | No |
RFC 1321 | The MD5 Message-Digest Algorithm | Updated by RFC 6151 | Yes |
RFC 2104 | HMAC: Keyed-Hashing for Message Authentication | Updated by RFC 6151 | Yes |
RFC 6151 | Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms | Updates RFC 1321, 2104 | Yes |
RFC 3961 | Encryption and Checksum Specifications for Kerberos 5 | | Yes |
RFC 4757 | The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows | | Yes |
RFC 3962 | Advanced Encryption Standard (AES) Encryption for Kerberos 5 | | Yes |
RFC 2898 | PKCS #5: Password-Based Cryptography Specification Version 2.0 | PBKDF2 used in RFC 3962 | |
RFC 2040 | The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms | CTS used in RFC 3962 | |
GSS-API | | | |
RFC 1508 | Generic Security Service Application Program Interface | Obsoleted by RFC 2078 | Yes |
RFC 2078 | Generic Security Service Application Program Interface, Version 2 | Obsoletes RFC 1508. Obsoleted by RFC 2743 | Yes |
RFC 2743 | Generic Security Service Application Program Interface Version 2, Update 1 | Obsoletes RFC 2078. Updated by RFC 5554 | Yes (mostly) |
RFC 5554 | Clarification and Extensions to the Generic Security Service Application Program Interface (GSS-API) for the Use of Channel Bindings | Updates RFC 2743 | Yes |
RFC 5896 | Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy | Updates RFC 4120 | No |
RFC 1509 | Generic Security Service API : C-bindings | Obsoleted by RFC 2744 | Yes |
RFC 2744 | Generic Security Service API Version 2 : C-bindings | Obsoletes RFC 1509 | Yes |
RFC 2853 | Generic Security Service API Version 2 : Java Bindings | Obsoleted by RFC 5653 | Yes |
RFC 5653 | Generic Security Service API Version 2 : Java Bindings Update | Obsoletes RFC 2853 | No |
RFC 1964 | The Kerberos Version 5 GSS-API Mechanism | Updated by RFC 4121 | Yes |
RFC 4121 | The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2 | Updates RFC 1964. Updated by RFC 6112 | Yes |
RFC 6112 | Anonymity Support for Kerberos | Updates RFC 4120, 4121, 4556 | No |
RFC 4559 | SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows | | In TrustBroker Adapter, CSTBsapwaLoginModule |
RFC 2478 | The Simple and Protected GSS-API Negotiation Mechanism | Obsoleted by RFC 4178 | No |
RFC 4178 | The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism | Obsoletes RFC 2478 | In TrustBroker Adapter, CSTBsapwaLoginModule |
Miscellaneous | | | |
draft-ietf-cat-kerb-chg-password-02 | Kerberos Change Password Protocol | | Yes |
RFC 3244 | Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols | | Yes |
draft-ietf-krb-wg-kerberos-referrals-11 | Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals | Updates RFC 4120 | Client implemented. Server in future release. |
RFC 1411 | Telnet Authentication: Kerberos Version 4 | | Yes |
RFC 2942 | Telnet Authentication: Kerberos Version 5 | | Yes |
draft-ietf-krb-wg-krb-dns-locate-03 | Distributing Kerberos KDC and Realm Information with DNS | | Used in ICAM code |
External | | | |
RFC 2251 | Lightweight Directory Access Protocol (v3) | For key table management | In OpenLDAP library |
RFC 3352 | Connection-less Lightweight Directory Access Protocol (CLDAP) | For Active Directory Site Discovery | In OpenLDAP library |
RFC 4752 | The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism | For key table management | In CyrusSASL library |
RFC 2631 | Diffie-Hellman Key Agreement Method | | In RSA BSAFE |
RFC 3279 | Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | | In RSA BSAFE |
RFC 3280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | | In RSA BSAFE |
RFC 3370 | Cryptographic Message Syntax (CMS) Algorithms | | In RSA BSAFE |
Potential future consideration | | | |
draft-skibbie-krb-kdc-ldap-schema-02 | Kerberos KDC LDAP Schema | | |
draft-ietf-krb-wg-hw-auth-00 | Passwordless Initial Authentication to Kerberos by Hardware Preauthentication | Superseded by FAST Pre-Authentication | |
draft-ietf-krb-wg-utf8-profile-01 | Preparation of Internationalized Strings Profile for Kerberos UTF-8 Strings | | |
draft-skibbie-krb-kdckeys-ldap-schema-00 | Keys Extension for the Kerberos KDC LDAP Schema | | |
draft-ietf-krb-wg-kerberos-sam-03 | Integrating Single-use Authentication Mechanisms with Kerberos | | |
RFC 4430 | Kerberized Internet Negotiation of Keys (KINK) | | |
RFC 3129 | Requirements for Kerberized Internet Negotiation of Keys | | |
draft-ietf-cat-kerberos-pk-cross-08 | Public Key Cryptography for Cross-Realm Authentication in Kerberos | | |
draft-ietf-cat-user2user-02 | User to User Kerberos Authentication using GSS-API | | |
draft-trostle-lwkerb-01 | The Lightweight Kerberos Protocol | | |
draft-ietf-krb-wg-iakerb-02 | Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB) | | |
International Telecommunications Union (ITU-T)
Formerly known as CCITT.
These standards are used by the Kerberos protocol to define how protocol messages are encoded when passed over the network.
Standard | Name | Comments | Implemented |
---|---|---|---|
X.690 | ASN.1 encoding rules | | Yes |
Federal Information Processing Standards (FIPS)
Standard | Name | Comments | Implemented |
---|---|---|---|
FIPS 180-1 | Secure Hash Standard (SHA-1) | | Yes |
FIPS 197 | Advanced Encryption Standard (AES) | | Yes |
FIPS 46-3 | DES | | Yes |
Microsoft
Some security standards implemented by Microsoft are used in TrustBroker products.
Standard | Name | Comments | Implemented |
---|---|---|---|
Crypto API | Cryptographic Application Programming Interface (MS-CAPI) | | Yes |
RSA Security (PKCS)
Some PKCS security standards published by RSA Security are used by TrustBroker products.
Standard | Name | Comments | Implemented |
---|---|---|---|
PKCS#11 | Cryptographic Token Interface | Sometimes referred to as Cryptoki | Yes |