From elecha...@apache.org
Subject svn commit: r1444169 - in /directory/site/trunk/content/apacheds/kerberos-ug: 1.1.2-principals.mdtext 1.1.3-keys.mdtext
Date Fri, 08 Feb 2013 17:56:28 GMT
Author: elecharny
Date: Fri Feb  8 17:56:28 2013
New Revision: 1444169

URL: http://svn.apache.org/r1444169
Log:
Added the Keys page

Added:
    directory/site/trunk/content/apacheds/kerberos-ug/1.1.3-keys.mdtext
Modified:
    directory/site/trunk/content/apacheds/kerberos-ug/1.1.2-principals.mdtext

Modified: directory/site/trunk/content/apacheds/kerberos-ug/1.1.2-principals.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/kerberos-ug/1.1.2-principals.mdtext?rev=1444169&r1=1444168&r2=1444169&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/kerberos-ug/1.1.2-principals.mdtext (original)
+++ directory/site/trunk/content/apacheds/kerberos-ug/1.1.2-principals.mdtext Fri Feb  8 17:56:28
2013
@@ -52,9 +52,9 @@ For hosts, we use "host" as a primary, a
 Those are examples of valid **Principals**
 
     ::test
-    john@APACHE.ORG
-    john/admin@APACHE.ORG
-    host/www.apache.org/apache.org@APACHE.ORG
-    ldap/www.apache.org@APACHE.ORG
+    john@APACHE.ORG                             A user
+    john/admin@APACHE.ORG                       A user who is an admin
+    host/www.apache.org/apache.org@APACHE.ORG   A host with two hostnames
+    ldap/www.apache.org@APACHE.ORG              A service (Ldap server)
 
 
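Review bot: the `::test` line immediately above the annotated principals looks like a typo for the `:::text` code-block marker used for the entry listings in the new keys page; a Markdown processor will not recognise `::test` as a syntax hint, so it is likely to appear as a stray literal line at the top of the block. The per-line annotations themselves are a clear improvement; while here, "Ldap" in `A service (Ldap server)` should read "LDAP".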

Added: directory/site/trunk/content/apacheds/kerberos-ug/1.1.3-keys.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/kerberos-ug/1.1.3-keys.mdtext?rev=1444169&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/kerberos-ug/1.1.3-keys.mdtext (added)
+++ directory/site/trunk/content/apacheds/kerberos-ug/1.1.3-keys.mdtext Fri Feb  8 17:56:28
2013
@@ -0,0 +1,110 @@
+Title: 1.1.3 - Keys
+NavPrev: 1.1.2-principals.html
+NavPrevText: 1.1.2 - Principals
+NavUp: 1.1-introduction.html
+NavUpText: 1.1 - Introduction
+NavNext: 1.1.4-kdc.html
+NavNextText: 1.1.4 - KDC (Key Distribution Center)
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+# Keys
+
+The **Kerberos** server generates keys based on the password we provide. Those keys are stored
in the **KDC** and used to encrypt and decrypt the data being exchanged with the client.
+
+The Key is computed using either the user's password or a random value, and is salted with
the realm. 
+
+<DIV class="INFO" markdown="1">
+Using the realm as the salt is a protection : if one's key is broken on a realm, that does
not mean the password is compromised. The key on another realm would still be safe.
+</DIV>
+
+## How it works in ApacheDS ?
+
+When you add a new entry in the server, it generates a secret key using the password and
the **Principal** of the added entry. For instance, say we add this entry :
+
+    :::text
+    dn: uid=hnelson,ou=users,dc=example,dc=com
+    objectClass: inetOrgPerson
+    objectClass: organizationalPerson
+    objectClass: person
+    objectClass: krb5principal
+    objectClass: krb5kdcentry
+    objectClass: top
+    uid: hnelson
+    userPassword: secret
+    krb5PrincipalName: hnelson@EXAMPLE.COM
+    krb5KeyVersionNumber: 0
+    cn: Horatio Nelson
+    sn: Nelson
+
+the server will compute the krb5key values automatically, and add it the the entry. 
+
+<DIV class="INFO" mardown="1">
+There is a special case : if the password is "randomkey", the key will be generated using
a random number created on the fly.
+</DIV>
+
+<DIV class="INFO" mardown="1">
+Note that we will generate more than one key : we generate one key per configured cipher.

+
+ApacheDS Kerberos server default set of ciphers is :
+
+    * DES_CBC_MD5
+    * DES3_CBC_SHA1_KD
+    * RC4_HMAC
+    * AES128_CTS_HMAC_SHA1_96
+    * AES256_CTS_HMAC_SHA1_96
+</DIV>
+
+<DIV class="WARN" mardown="1">
+Note that the key generation is an extremely costly operation. If you have many supported
ciphers, you will multiply the time it takes to generate the keys by the number of ciphers.
It's smart to limit the configured ciphers to the minimal, accordingly to your needs.
+
+Provisionning thousands of users will inheritently be a slow operation.
+</DIV>
+
+Once the keys have been computed, we modify the entry to inject an ASN.1 BER encoded EncryptionKey
instance into it.
+
+The EncryptionKey structure is the following ASN.1 desciption :
+    
+    ::text
+    EncryptionKey   ::= SEQUENCE {
+        keytype         [0] Int32 -- actually encryption type --,
+        keyvalue        [1] OCTET STRING
+    }
+
+The modified entry will now looks like :
+
+    :::text
+    dn: uid=hnelson,ou=users,dc=example,dc=com
+    objectClass: inetOrgPerson
+    objectClass: organizationalPerson
+    objectClass: person
+    objectClass: krb5principal
+    objectClass: krb5kdcentry
+    objectClass: top
+    uid: hnelson
+    userPassword: secret
+    krb5PrincipalName: hnelson@EXAMPLE.COM
+    krb5KeyVersionNumber: 0
+    cn: Horatio Nelson
+    sn: Nelson
+    krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x3D 0x33 0x31 0x8F
0xBE ...'
+    krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x57 0x07 0xCE 0x29
0x52 ...'
+    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14
0x60 ...'
+    krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xF4 0xA7 0x13 0x64
0x8A ...'
+    krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0xAD 0x21 0x4B 0x38
0xB6 ...'
+
+Each of these keys match one of the EncryptionType.
\ No newline at end of file
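Review bot: the three `<DIV class="INFO" mardown="1">` / `<DIV class="WARN" mardown="1">` openers (the "randomkey" note, the default-cipher note and the WARN box) misspell the `markdown` attribute that the first INFO box spells correctly; without `markdown="1"` the processor leaves the block contents as raw HTML, so the `* DES_CBC_MD5` ... `* AES256_CTS_HMAC_SHA1_96` list will render as literal text. Please correct those three lines, and change the `::text` marker above the EncryptionKey ASN.1 to `:::text` so it matches the two entry listings. On the first INFO box: "if one's key is broken on a realm, that does not mean the password is compromised" overstates what the salt provides; salting with the realm stops a derived key from being replayed against another realm and defeats precomputed tables, but a key recovered by guessing the password still reveals the password, so I would reword this to "the same password yields a different key in each realm" (RFC 4120 also defines the default salt as the realm followed by the principal name components, which is why the text can say the key depends on the Principal). Since `DES_CBC_MD5` is in the default set, the WARN box is a natural place to mention that RFC 6649 deprecates DES for Kerberos and that it should be removed from the configured set unless a legacy client requires it, which also reduces the key-generation cost the box warns about. The closing sentence "Each of these keys match one of the EncryptionType" would be more useful if it gave the mapping: the `keytype` INTEGER in the five sample `krb5Key` values decodes to 18 (AES256_CTS_HMAC_SHA1_96), 16 (DES3_CBC_SHA1_KD), 23 (RC4_HMAC), 3 (DES_CBC_MD5) and 17 (AES128_CTS_HMAC_SHA1_96), and the OCTET STRING lengths (32, 24, 16, 8, 16 bytes) confirm it. Typos to fix: "desciption", "Provisionning", "inheritently", "add it the the entry", "will now looks like", and the heading "How it works in ApacheDS ?" should lose the space before the question mark.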


