Kerberos v5 Related Specs and RFCs

Robert Broeckelmann
4 min read · May 16, 2018


[Image: Ashley Van Haeften / Hercules Capturing Cerberus LACMA 47.31.158]

This post lists all of the RFCs and specifications related to Kerberos v5 that have been published over the years. It is part of my Kerberos and Windows Security Series. When I was researching this series, finding all of this information together in one place was quite challenging. As noted in my Kerberos and Windows Security: History, Kerberos is the oldest identity protocol in widespread use today. As such, it has a lot of history and many specs (obsolete and current) describing it and its extensions.

Assumptions

  • This list only includes Kerberos v5-related specs.
  • I only listed published RFCs and specifications, so no drafts.
  • I did include the relevant Microsoft extensions.
  • This list does change every now and then. I will make it a point to update it every so often, but consider it current as of May 2018.

Kerberos V5

  • RFC 1510 (Obsolete): The Kerberos Network Authentication Service (V5)
  • RFC 4120: The Kerberos Network Authentication Service (V5) — Updated by RFC 4537, 5021, 5896, 6111, 6112, 6113.

Kerberos V5 Updates (That Don’t fit Elsewhere)

  • RFC 4537: Kerberos Cryptosystem Negotiation Extension
  • RFC 5021: Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
  • RFC 6111: Additional Kerberos Naming Constraints
  • RFC 6112: Anonymity Support for Kerberos

Pre-Authentication

  • RFC 4556: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  • RFC 4557: Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  • RFC 6113: A Generalized Framework for Kerberos Pre-Authentication
  • RFC 6560: One-Time Password (OTP) Pre-Authentication

Encryption Types

  • RFC 1320 (Obsolete): The MD4 Message-Digest Algorithm
  • RFC 1321: The MD5 Message-Digest Algorithm
  • RFC 2040: The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms
  • RFC 2104: HMAC: Keyed-Hashing for Message Authentication
  • RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0 (PBKDF2)
  • RFC 3961: Encryption and Checksum Specifications for Kerberos 5
  • RFC 3962: Advanced Encryption Standard (AES) Encryption for Kerberos 5
  • RFC 4757: The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows
  • RFC 5349: Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
  • RFC 6150: MD4 to Historic Status
  • RFC 6151: Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
  • RFC 6649: Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
  • RFC 6803: Camellia Encryption for Kerberos 5

Not all of these are specific to Kerberos, but each one is referenced by the Kerberos encryption-type specifications, so the complete list is given.

GSS-API

  • RFC 1508 (Obsolete): Generic Security Service Application Program Interface
  • RFC 1509 (Obsolete): Generic Security Service API: C-bindings
  • RFC 1964: The Kerberos Version 5 GSS-API Mechanism
  • RFC 2078 (Obsolete): Generic Security Service Application Program Interface, Version 2
  • RFC 2743: Generic Security Service Application Program Interface Version 2, Update 1
  • RFC 2478 (Obsolete): The Simple and Protected GSS-API Negotiation Mechanism
  • RFC 2744: Generic Security Service API Version 2: C-bindings
  • RFC 2853 (Obsolete): Generic Security Service API Version 2: Java Bindings
  • RFC 4121: The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
  • RFC 4178: The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
  • RFC 4559: SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
  • RFC 4752: The Kerberos V5 (“GSSAPI”) Simple Authentication and Security Layer (SASL) Mechanism
  • RFC 5554: Clarification and Extensions to the Generic Security Service Application Program Interface (GSS-API) for the Use of Channel Bindings
  • RFC 5587: Extended Generic Security Service Mechanism Inquiry APIs
  • RFC 5588: Generic Security Service Application Program Interface (GSS-API) Extension for Storing Delegated Credentials
  • RFC 5801: Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family
  • RFC 5896: Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
  • RFC 5653: Generic Security Service API Version 2: Java Bindings Update
  • RFC 6542: Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility

Miscellaneous

  • RFC 3244: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
  • RFC 6806: Kerberos Principal Name Canonicalization and Cross-Realm Referrals
  • RFC 2942: Telnet Authentication: Kerberos Version 5
  • RFC 4430: Kerberized Internet Negotiation of Keys (KINK)
  • RFC 3129: Requirements for Kerberized Internet Negotiation of Keys
  • RFC 5021: Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
  • RFC 5868: Problem Statement on the Cross-Realm Operation of Kerberos
  • RFC 6448: The Unencrypted Form of Kerberos 5 KRB-CRED Message
  • RFC 6880: An Information Model for Kerberos Version 5
  • RFC 6784: Kerberos Options for DHCPv6
  • RFC 6251: Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol

Proprietary Vendor Kerberos Extensions (Microsoft)

This list was put together from several sources:

[1] https://cybersafe.com/content/security-standards

[2] https://en.wikipedia.org/wiki/Kerberos_(protocol)

