RFC 2712 (rfc2712) - Page 3 of 7


Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)


RFC 2712       Addition of Kerberos Cipher Suites to TLS   October 1999


 CipherSuite      TLS_KRB5_WITH_DES_CBC_SHA            = { 0x00,0x1E };
 CipherSuite      TLS_KRB5_WITH_3DES_EDE_CBC_SHA       = { 0x00,0x1F };
 CipherSuite      TLS_KRB5_WITH_RC4_128_SHA            = { 0x00,0x20 };
 CipherSuite      TLS_KRB5_WITH_IDEA_CBC_SHA           = { 0x00,0x21 };
 CipherSuite      TLS_KRB5_WITH_DES_CBC_MD5            = { 0x00,0x22 };
 CipherSuite      TLS_KRB5_WITH_3DES_EDE_CBC_MD5       = { 0x00,0x23 };
 CipherSuite      TLS_KRB5_WITH_RC4_128_MD5            = { 0x00,0x24 };
 CipherSuite      TLS_KRB5_WITH_IDEA_CBC_MD5           = { 0x00,0x25 };

 CipherSuite      TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA  = { 0x00,0x26 };
 CipherSuite      TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA  = { 0x00,0x27 };
 CipherSuite      TLS_KRB5_EXPORT_WITH_RC4_40_SHA      = { 0x00,0x28 };
 CipherSuite      TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5  = { 0x00,0x29 };
 CipherSuite      TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5  = { 0x00,0x2A };
 CipherSuite      TLS_KRB5_EXPORT_WITH_RC4_40_MD5      = { 0x00,0x2B };

   To establish a Kerberos-based security context, one or more of the
   above cipher suites must be specified in the client hello message.
   If the TLS server supports the Kerberos authentication option, the
   server hello message, sent to the client, will confirm the Kerberos
   cipher suite selected by the server.  The server's certificate, the
   client CertificateRequest, and the ServerKeyExchange shown in Figure 1 will
   be omitted since authentication and the establishment of a master
   secret will be done using the client's Kerberos credentials for the
   TLS server.  The client's certificate will be omitted for the same
   reason.  Note that these messages are specified as optional in the
   TLS protocol; therefore, omitting them is permissible.

   The Kerberos option must be added to the ClientKeyExchange message as
   shown in Figure 2.
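   As an added illustration of the negotiation described above (this is
   example code, not part of the RFC), the following Python parses the
   cipher_suites vector of a ClientHello, reports which of the RFC 2712
   suites listed above were offered, and derives the Figure 1 handshake
   sequence that results once the server selects one of them. The sample
   vector, the handshake message list and the dropping of CertificateVerify
   are assumptions of this example.

```python
import struct

# Code points from the RFC 2712 table above, keyed by their two-byte value.
KRB5_SUITES = {
    0x001E: "TLS_KRB5_WITH_DES_CBC_SHA",
    0x001F: "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    0x0020: "TLS_KRB5_WITH_RC4_128_SHA",
    0x0021: "TLS_KRB5_WITH_IDEA_CBC_SHA",
    0x0022: "TLS_KRB5_WITH_DES_CBC_MD5",
    0x0023: "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
    0x0024: "TLS_KRB5_WITH_RC4_128_MD5",
    0x0025: "TLS_KRB5_WITH_IDEA_CBC_MD5",
    0x0026: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
    0x0027: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
    0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x0029: "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
    0x002A: "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
}

# Full TLS handshake of Figure 1; "*" marks messages the base protocol makes optional.
FULL_HANDSHAKE = ["ClientHello", "ServerHello", "Certificate*", "ServerKeyExchange*",
                  "CertificateRequest*", "ServerHelloDone", "ClientCertificate*",
                  "ClientKeyExchange", "CertificateVerify*", "Finished", "Finished"]
# Messages the text says a Kerberos suite omits. CertificateVerify is dropped as well,
# an assumption of this example: TLS sends it only after a client Certificate.
OMITTED_WITH_KRB5 = {"Certificate*", "ServerKeyExchange*", "CertificateRequest*",
                     "ClientCertificate*", "CertificateVerify*"}

def parse_cipher_suites(vector: bytes) -> list[int]:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte suite codes."""
    (length,) = struct.unpack("!H", vector[:2])  # struct.error if shorter than 2 bytes
    body = vector[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]

def kerberos_suites_offered(vector: bytes) -> list[str]:
    """RFC 2712 suite names in the order the client offered them; other suites ignored."""
    return [KRB5_SUITES[c] for c in parse_cipher_suites(vector) if c in KRB5_SUITES]

def expected_handshake(selected: int) -> list[str]:
    """Handshake message sequence once the server has selected `selected`."""
    if selected not in KRB5_SUITES:
        return list(FULL_HANDSHAKE)
    return [m for m in FULL_HANDSHAKE if m not in OMITTED_WITH_KRB5]

# Constructed sample: 3DES KRB5, a non-Kerberos suite (0x002F), then a 40-bit export suite.
SAMPLE_VECTOR = bytes.fromhex("0006001f002f0028")
```

   The export-grade entries carry "_EXPORT_" in their names, so a monitor
   built on this parser can flag 40-bit negotiations directly from the names.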

Medvinsky & Hur             Standards Track