3.3.1.5.2.2 Using a Security Context
After a security context is built, the security context can be used by the RPC runtime and higher-level protocols to perform authorization decisions. Besides using the security context for authorization decisions, the RPC runtime can also use the security context to create a logical stream of data that is protected from tampering and information disclosure on the network.
The amount of protection applied depends on the authentication level for the security context requested by the client when the security context is created. The authentication level is applied in two dimensions:
In the first dimension, it controls what capabilities the RPC runtime MUST request from the security provider when the security context is being built, as detailed in the first table that follows. It is possible for a security provider to not be able to provide a certain capability. In this case, the lack of the capability MUST be considered by the RPC runtime as equivalent to the security provider returning an error and MUST be handled as specified in the previous section.
In the second dimension, the authentication level controls how the security provider runtime MUST perform PDU protection on the different PDU segments using the security context, as detailed in the second table that follows.
The following table specifies the abstract capability that the RPC runtime MUST request from the security provider when the security context is being created. The capabilities in the following table are further specified in [RFC2743] section 1.2.1.2. The capabilities requested at each level include the ones requested at the previous level.
Authentication level |
Capability requested |
---|---|
RPC_C_AUTHN_LEVEL_CONNECT |
None |
RPC_C_AUTHN_LEVEL_PKT |
Replay Detect |
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY |
Sequence Detect, integrity |
RPC_C_AUTHN_LEVEL_PKT_PRIVACY |
Confidentiality |
As specified earlier, once the security context is built, the RPC runtime MUST also use the authentication level to control how the security context is used to protect request and response PDUs sent to the other side.
One of the first decisions that needs to be negotiated is whether the security provider on each side supports what this specification calls header signing. Header signing is an operation in which a security provider can provide integrity protection to a segment of the PDU such that the integrity protection does not modify the content of that segment. The segments of the PDU are specified in section 2.2.2.1. The RPC runtime on the client determines in an implementation-specific way if the security provider on the client supports header signing. If it does, the first bind or alter_context PDU that the client sends on a connection that carries authentication information and whose authentication level is integrity or higher MUST have its PFC_SUPPORT_HEADER_SIGN bit set. The RPC runtime on the server also determines in an implementation-specific way whether the security provider on the server supports header signing, and, if it does not, it MUST respond to the client with a PDU whose PFC_SUPPORT_HEADER_SIGN bit is cleared. If it does support header signing, it MUST respond to the client with a PDU whose PFC_SUPPORT_HEADER_SIGN bit is set.
Using this mechanism, the client and server agree if header signing should be done for this connection. If both the client and server support header signing, both set the connection's Supports Header Signing Flag to TRUE. Once agreed, the client and server apply protection to request and response PDUs in the same way.
If the client and server Supports Header Signing Flag is TRUE, the party that sends the PDU asks the security provider to apply the following protection to the different PDU segments.
Authentication level |
PDU header |
PDU body |
sec_trailer |
---|---|---|---|
RPC_C_AUTHN_LEVEL_CONNECT |
None |
None |
None |
RPC_C_AUTHN_LEVEL_PKT |
None |
None |
None |
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY |
Integrity |
Integrity |
Integrity |
RPC_C_AUTHN_LEVEL_PKT_PRIVACY |
Integrity |
Confidentiality |
Integrity |
If either the client or server Supports Header Signing Flag is FALSE, the RPC runtime on the sending side asks the security provider to apply the following protection to the different PDU segments.
Authentication level |
PDU header |
PDU body |
sec_trailer |
---|---|---|---|
RPC_C_AUTHN_LEVEL_CONNECT |
None |
None |
None |
RPC_C_AUTHN_LEVEL_CALL |
None |
None |
None |
RPC_C_AUTHN_LEVEL_PKT |
None |
None |
None |
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY |
None |
Integrity |
None |
RPC_C_AUTHN_LEVEL_PKT_PRIVACY |
None |
Confidentiality |
None |
In the preceding tables, "None" means no protection, "Integrity" means an integrity check per [RFC2743] section 2.3.1 MUST be applied, and "Confidentiality" means that the segment MUST be encrypted.
The PDU header, PDU body, and sec_trailer MUST be passed in the input message, in this order, to GSS_WrapEx, GSS_UnwrapEx, GSS_GetMICEx, and GSS_VerifyMICEx. For integrity protection the sign flag for that PDU segment MUST be set to TRUE, else it MUST be set to FALSE. For confidentiality protection, the conf_req_flag for that PDU segment MUST be set to TRUE, else it MUST be set to FALSE.
The PDU header, PDU body, and sec_trailer from the output message of GSS_WrapEx and GSS_VerifyMICEx MUST be sent to the other side (client or server) as part of the request or response PDU, and the signature output MUST be sent to the other side (client or server) as the authentication token as specified in section 2.2.2.12.
If the authentication level is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, the PDU body will be encrypted. The PDU body from the output message of GSS_UnwrapEx represents the plain text version of the PDU body. The PDU header and sec_trailer output from the output message SHOULD be ignored. Similarly the signature output SHOULD be ignored.
For further details on GSS_WrapEx, see [MS-NLMP] section 3.4.6 , [MS-KILE] section 3.4.5.4 and [MS-TLSP] section 3.1.5.1.
For details on GSS_UnwrapEx, see [MS-NLMP] section 3.4.7 , [MS-KILE] section 3.4.5.5 and [MS-TLSP] section 3.1.5.2.
For further details on GSS_GetMICEx, see [MS-NLMP] section 3.4.8 and [MS-KILE] section 3.4.5.6.
For further details on GSS_VerifyMICEx, see [MS-NLMP] section 3.4.9 and [MS-KILE] section 3.4.5.7.
If the authentication level is connect, the security provider MUST use for request and response PDUs an authentication token that is optional and that does not need to be transmitted to the other side.
This protocol does not specify whether the authentication token itself is protected from tampering by the security provider. It also does not specify how the security provider applies integrity or confidentiality protection to a PDU segment. The algorithms for doing so are specific to the security provider. For details about a security provider, see the documentation for that security provider.