3.2.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

The KILE client has the following configuration setting for claims, compound authentication, and FAST:

EnableCBACandArmor: A Boolean setting that SHOULD<31> indicate that the Kerberos client is claims-, compound authentication-, and FAST-aware. The default is FALSE.

The KILE client has the following configuration setting for FAST:

RequireFAST: A Boolean setting that SHOULD<32> indicate that the Kerberos FAST client MUST enforce FAST. The default is FALSE.

The KILE client has the following configuration setting for non-KILE realms:

RealmCanonicalize: A setting that SHOULD<33> be initialized in an implementation-specific way.

After a connection is established through the AP exchange, Kerberos V5 does not directly influence the application protocol. The client parameters MUST be set when establishing a security context that supports the signing or encryption of messages. The higher-layer application protocol will invoke the per-message functions. The following parameters are logically available for the application to set. These logical parameters can influence various protocol-defined flags.

Note The following variables are logical, abstract parameters that an implementation MUST maintain and expose to provide the proper level of service. How these variables are maintained and exposed is up to the implementation.

ChannelBinding: A Boolean setting that indicates the caller's channel binding information ([RFC2743] section 1.1.6 and [RFC2744]).

Confidentiality: A Boolean setting that indicates that the caller is requiring encryption of messages so that they cannot be read while in transit.

DatagramStyle: A Boolean setting that indicates that the caller is requiring the use of datagram semantics (section 3.4.5.2).

DCE Style: A Boolean setting that indicates that the caller requires three-leg, DCE Style authentication ([MS-RPCE] and [C706]).

Delegate: A Boolean setting that indicates that the caller is requiring the use of forwardable tickets.

ExtendedError: A Boolean setting that indicates that the caller requires additional error handling, possibly including retries, with the context of the GSS exchange in progress.

Identify: A Boolean setting that indicates that the caller shares its identity with the server but does not allow the server to impersonate the caller to resources on that system.

Integrity: A Boolean setting that indicates that the caller has elected to sign messages so that they cannot be tampered with while in transit.

MessageBlockSize: An integer that gives the block granularity of the input_message for GSS_WrapEx (section 3.4.5.4): the size of the input_message MUST be a multiple of this value. This value depends on the encryption type:

  • For AES, the value equals the message block size ([RFC3962] section 6)

  • For RC4, it equals 1 ([RFC4757] section 7.3)

  • For DES, it equals 8 ([RFC1964] section 1.2.2.3)

MutualAuthentication: A Boolean setting that indicates that the client requires authentication of the server. Even with this flag, mutual authentication cannot be assured until the first message is passed by the application protocol and the message is signed or encrypted.

ReplayDetect: A Boolean setting that indicates that the caller requires replay detection so that the application can determine when messages are replayed.

SequenceDetect: A Boolean setting that indicates that the caller requires sequence detection so that messages cannot be received out of order.

UnverifiedTargetName: A Boolean setting that indicates that the caller received the specified target name from an untrusted source (rather than it being deliberately typed/specified by the user).

UseSessionKey: A Boolean setting that indicates that the caller requests user-to-user authentication exchanges ([RFC4120] section 3.7).
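As an added illustration of how the per-context parameters above reach the wire (this is example code, not MS-KILE's or Windows' own implementation), the following Python encodes the Boolean parameters and the caller's channel bindings into the GSS-API checksum carried in the AP-REQ authenticator (checksum type 0x8003, [RFC4121] section 4.1.1), decodes such a checksum back, and enforces the MessageBlockSize rule for GSS_WrapEx input. The flag bit values, the little-endian MD5 channel-binding hash, the 0x8003 layout and the etype-to-block-size table come from RFC 4121/RFC 1964, RFC 3962, RFC 4757 and common GSS implementations rather than from this section; the `ClientContextParams` class, the stub KRB-CRED bytes and the sample input messages are constructed for the example.

```python
"""Added example (not MS-KILE's own code): map the abstract client context
parameters of section 3.2.1 onto the GSS-API authenticator checksum
(checksum type 0x8003, RFC 4121 section 4.1.1) and enforce MessageBlockSize
for GSS_WrapEx input."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Flags word bits (RFC 4121 section 4.1.1.1 for the first six; the DCE_STYLE,
# IDENTIFY and EXTENDED_ERROR values are the ones used by MS-KILE-compatible
# implementations such as Windows, MIT krb5 and Heimdal).
GSS_C_DELEG_FLAG = 0x0001           # Delegate
GSS_C_MUTUAL_FLAG = 0x0002          # MutualAuthentication
GSS_C_REPLAY_FLAG = 0x0004          # ReplayDetect
GSS_C_SEQUENCE_FLAG = 0x0008        # SequenceDetect
GSS_C_CONF_FLAG = 0x0010            # Confidentiality
GSS_C_INTEG_FLAG = 0x0020           # Integrity
GSS_C_DCE_STYLE = 0x1000            # DCE Style (three-leg authentication)
GSS_C_IDENTIFY_FLAG = 0x2000        # Identify
GSS_C_EXTENDED_ERROR_FLAG = 0x4000  # ExtendedError

# MessageBlockSize by Kerberos etype number (RFC 3961 section 8 numbering).
MESSAGE_BLOCK_SIZE = {
    1: 8,    # des-cbc-crc             [RFC1964] section 1.2.2.3
    3: 8,    # des-cbc-md5
    17: 1,   # aes128-cts-hmac-sha1-96 RFC 3962 profile: message block size 1
    18: 1,   # aes256-cts-hmac-sha1-96
    23: 1,   # rc4-hmac                [RFC4757] section 7.3
}


@dataclass
class ClientContextParams:
    """Hypothetical holder for the section 3.2.1 parameters (default: nothing requested)."""
    confidentiality: bool = False
    integrity: bool = False
    mutual_authentication: bool = False
    replay_detect: bool = False
    sequence_detect: bool = False
    delegate: bool = False
    dce_style: bool = False
    identify: bool = False
    extended_error: bool = False
    channel_binding: Optional[bytes] = None  # GSS channel-binding application_data
    forwarded_cred: Optional[bytes] = None   # DER KRB-CRED to carry when delegating


def checksum_flags(p: ClientContextParams) -> int:
    """Translate the Boolean parameters into the 32-bit Flags word."""
    flags = 0
    for wanted, bit in ((p.delegate, GSS_C_DELEG_FLAG), (p.mutual_authentication, GSS_C_MUTUAL_FLAG),
                        (p.replay_detect, GSS_C_REPLAY_FLAG), (p.sequence_detect, GSS_C_SEQUENCE_FLAG),
                        (p.confidentiality, GSS_C_CONF_FLAG), (p.integrity, GSS_C_INTEG_FLAG),
                        (p.dce_style, GSS_C_DCE_STYLE), (p.identify, GSS_C_IDENTIFY_FLAG),
                        (p.extended_error, GSS_C_EXTENDED_ERROR_FLAG)):
        if wanted:
            flags |= bit
    return flags


def channel_binding_hash(app_data: Optional[bytes]) -> bytes:
    """Bnd field: 16 zero bytes when no channel bindings are supplied; otherwise the MD5
    of the RFC 4121 section 4.1.1.2 structure with 32-bit little-endian integers.
    Address types are GSS_C_AF_UNSPEC (0) with empty addresses in this example."""
    if app_data is None:
        return bytes(16)
    h = hashlib.md5()
    h.update(struct.pack("<II", 0, 0))  # initiator_addrtype, initiator_address length
    h.update(struct.pack("<II", 0, 0))  # acceptor_addrtype, acceptor_address length
    h.update(struct.pack("<I", len(app_data)) + app_data)
    return h.digest()


def authenticator_checksum(p: ClientContextParams) -> bytes:
    """Serialize the 0x8003 checksum: Lgth(=16) | Bnd(16) | Flags | [DlgOpt | Dlgth | Deleg].
    Integers are little-endian (RFC 4121 section 4.1.1); the optional Exts are not emitted."""
    out = struct.pack("<I", 16) + channel_binding_hash(p.channel_binding)
    out += struct.pack("<I", checksum_flags(p))
    if p.delegate:
        if p.forwarded_cred is None:
            raise ValueError("Delegate requires a forwardable ticket packaged as KRB-CRED")
        out += struct.pack("<HH", 1, len(p.forwarded_cred)) + p.forwarded_cred  # DlgOpt 1 = KRB-CRED
    return out


def parse_authenticator_checksum(buf: bytes) -> dict:
    """Decode a 0x8003 checksum as an acceptor (or a packet analyst) would."""
    if len(buf) < 24 or struct.unpack_from("<I", buf, 0)[0] != 16:
        raise ValueError("malformed 0x8003 checksum")
    flags = struct.unpack_from("<I", buf, 20)[0]
    result = {"bnd": buf[4:20], "flags": flags, "deleg": None}
    if flags & GSS_C_DELEG_FLAG and len(buf) >= 28:
        dlgopt, dlgth = struct.unpack_from("<HH", buf, 24)
        if dlgopt != 1 or len(buf) < 28 + dlgth:
            raise ValueError("bad delegation option or truncated KRB-CRED")
        result["deleg"] = buf[28:28 + dlgth]
    return result


def check_wrap_input(etype: int, input_message: bytes) -> bool:
    """MessageBlockSize rule: the GSS_WrapEx input length MUST be a multiple of it."""
    return len(input_message) % MESSAGE_BLOCK_SIZE[etype] == 0


if __name__ == "__main__":
    params = ClientContextParams(confidentiality=True, integrity=True, mutual_authentication=True,
                                 replay_detect=True, sequence_detect=True,
                                 channel_binding=b"tls-server-end-point:" + bytes(32))  # constructed
    blob = authenticator_checksum(params)
    print(blob.hex())
    print(parse_authenticator_checksum(blob))
    print(check_wrap_input(1, b"12345"), check_wrap_input(18, b"12345"))
```

The Bnd and Flags fields are exactly what the acceptor compares against its own channel bindings and the services it is willing to provide, so a client that sets ChannelBinding but talks to a server with different bindings fails at this point of the AP exchange rather than later. Note that for the AES and RC4 etypes the multiple-of-MessageBlockSize rule is trivially satisfied; only the DES types force 8-byte alignment of the caller's input.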