Network Working Group                             Love Hornquist Astrand
<draft-hornquist-astrand-krb-wg-srp.txt>          Stockholms universitet
Internet-Draft                                            December, 2003
Expire in six months

            Using SRP for Initial Authentication in Kerberos

Status of this Memo

ftp://ftp.rfc-editor.org/in-notes/rfc-editor/instructions2authors.txt

   This memo provides information for the Internet community. ...

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved. ...


Abstract

   This document describes how to use SRP as a preauthentication
   mechanism in Kerberos 5 [RFC1510].  This mechanism makes the initial
   ticket request and response secure against dictionary attacks on
   users' passwords.

Introduction

   Kerberos without preauthentication is susceptible to password
   dictionary attacks on initial ticket requests.  There are several
   pre-authentication mechanisms that try to solve and/or minimize this
   problem.

   Encrypted timestamp has the same problem as Kerberos without
   preauthentication; the attacker merely has fewer opportunities to
   obtain key material.  SAM requires a hardware token and typically,
   for most SAM types, still requires the user to have a password, since
   the token doesn't provide enough key material for Kerberos to encrypt
   the response with.  PKINIT is large and complicated and, like SAM,
   often requires hardware.  Extra-tgt requires infrastructure to use: a
   key/bootstrap must be present on each host that the users are
   expected to use.

   The dictionary attack can also be solved by forcing the users to
   select good passwords.

   XXX Jacques' DH preauth ?
   XXX tls protected as-req




Hornquist Astrand                                               [Page 1]

Internet Draft                                            December, 2003


   SRP, the Secure Remote Password protocol [RFC2945], is a password
   authentication and key-exchange protocol that can be used over
   untrusted networks.  SRP is designed to be resistant to dictionary
   attacks (by both passive and active attackers).

Specification

   This document is based on SRP-6.

   XXX read and think about rfc2944 (SRP over telnet)

   SRP + Kerberos 5 preauthentication

   A krb-srp-cookie is included in the protocol to enable the server to
   be stateless.

   TBA KRB-SRP-PREAUTH number

   - The client sends the AS-REQ.

   - The server looks up the principal and finds N, g, v, salt and H.
   Then the server generates the random number b and calculates B.  All
   operations are performed modulo N.

        B = 3v + g^b

   and sends back a KRB-SRP-CHALLENGE as the md-data in a KRB-ERROR.  If
   the server is stateless, it can store the information it needs
   (encrypted) in krb-srp-cookie.

   - If the client chooses to use the SRP preauthentication mechanism,
   it sends back a KRB-SRP-CLIENT-RESPONSE.  If krb-srp-cookie is
   present in KRB-SRP-CHALLENGE, it is copied into
   KRB-SRP-CLIENT-RESPONSE.  The client generates the random number a
   and calculates

        A = g^a
        S = (B - 3g^x)^(a+ux)
        M1 = H(DER(A) | DER(B) | DER(S))

   where x is the client's private key derived from the salt and the
   password as in [RFC2945], u is H(DER(A) | DER(B)), and DER(n) is n
   encoded with the DER INTEGER tag.

   The client then calculates the shared key K

        K = s-to-key-bytes(S)

   KRB-SRP-CLIENT-RESPONSE-ENC-DATA is filled in by the client and
   encrypted with the shared key K.

   XXX should a keyed checksum just be used instead ?
   XXX does this replace the need for M1 ?

   - When the server receives the KRB-SRP-CLIENT-RESPONSE, it calculates

        S = (Av^u)^b

   and the shared key K,

        K = s-to-key-bytes(S)

   then verifies the content of krb-srp-enc and M1.  If everything
   checks out, the server sends back the AS-REP.  The key that the
   AS-REP is encrypted with is the SRP session key K.

   XXX Should the server send back M2 ?

   s-to-key-bytes is defined as:

        b = DER(S)
        if the length of b is even, drop the first byte
        b1 = H(b[0] | b[2] | b[4] | ...)
        b2 = H(b[1] | b[3] | b[5] | ...)
        K = random-to-key(b1 | b2)

   random-to-key is the random-to-key function of [KCRYPTO].

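   The exchange in the steps above, as an added example that is not code
   from this draft: a Python sketch of both sides using the draft's
   equations, DER(n) and s-to-key-bytes.  It assumes SHA-256 for H, a
   constructed toy group (N = 1019, g = 2), the [RFC2945] derivation of x,
   and random-to-key as the identity; krb-srp-enc, the cookie and the
   nonce are not modelled.

```python
import hashlib
import secrets

# Constructed toy group (a deployment uses a large safe-prime group): N = 1019
# is a safe prime, (N-1)/2 = 509 is prime, and g = 2 generates its group.
N, G, K_MULT = 1019, 2, 3          # K_MULT is the SRP-6 multiplier (B = 3v + g^b)

def H(*parts: bytes) -> bytes:     # the draft's H; SHA-256 assumed here
    return hashlib.sha256(b"".join(parts)).digest()

def der_int(n: int) -> bytes:
    """DER(n): non-negative n with the ASN.1 INTEGER tag (short-form length)."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
    assert len(body) < 0x80, "long-form length not needed for this toy group"
    return b"\x02" + bytes([len(body)]) + body

def s_to_key_bytes(S: int) -> bytes:
    """The draft's s-to-key-bytes; random-to-key taken as the identity (AES)."""
    b = der_int(S)
    if len(b) % 2 == 0:
        b = b[1:]                       # "if length of b is even, drop first char"
    return H(b[0::2]) + H(b[1::2])      # b1 = H(even bytes) | b2 = H(odd bytes)

def verifier(salt: bytes, user: str, password: str) -> tuple[int, int]:
    """x and v = g^x as in [RFC2945]; the KDC stores only salt and v, never x."""
    x = int.from_bytes(H(salt, H(f"{user}:{password}".encode())), "big")
    return x, pow(G, x, N)

def kdc_challenge(v: int) -> tuple[int, int]:
    b = secrets.randbelow(N - 2) + 1                  # KDC ephemeral secret
    return b, (K_MULT * v + pow(G, b, N)) % N         # B = 3v + g^b

def client_response(x: int, B: int) -> tuple[int, bytes, bytes]:
    a = secrets.randbelow(N - 2) + 1                  # client ephemeral secret
    A = pow(G, a, N)                                  # A = g^a
    u = int.from_bytes(H(der_int(A), der_int(B)), "big")
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)   # (B - 3g^x)^(a+ux)
    M1 = H(der_int(A), der_int(B), der_int(S))
    return A, M1, s_to_key_bytes(S)

def kdc_verify(v: int, b: int, B: int, A: int, M1: bytes):
    """KDC side: returns K if M1 checks out, else None (AS-REP must not be sent)."""
    if A % N == 0:                                    # RFC 2945: reject A mod N == 0
        return None
    u = int.from_bytes(H(der_int(A), der_int(B)), "big")
    S = pow(A * pow(v, u, N), b, N)                   # S = (A v^u)^b
    if not secrets.compare_digest(M1, H(der_int(A), der_int(B), der_int(S))):
        return None
    return s_to_key_bytes(S)
```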
ASN.1 specification

   XXX Krb-Nonce

   KERBEROS-PREAUTH-SRP DEFINITIONS ::=

   BEGIN

   IMPORTS Checksum, Krb-Nonce FROM krb5;

   KRB-SRP-CHALLENGE ::= SEQUENCE {
           krb-srp-salt[0]         OCTET STRING,
           krb-srp-N[1]            INTEGER,
           krb-srp-g[2]            INTEGER,
           krb-srp-B[3]            INTEGER,
           krb-srp-hash[4]         OBJECT IDENTIFIER,
           krb-srp-flags[5]        INTEGER (SIZE 4),
           krb-srp-cookie[6]       OCTET STRING OPTIONAL -- must include nonce ?
   }

   -- flags: "use combined s2k + srp key" ?

   KRB-SRP-CLIENT-RESPONSE ::= SEQUENCE {
           krb-srp-A[0]            INTEGER,
           krb-srp-M1[1]           OCTET STRING,
           krb-srp-hash[2]         OBJECT IDENTIFIER,
           krb-srp-enc[3]          EncryptedData, -- bind nonce to pa
           krb-srp-cookie[4]       OCTET STRING OPTIONAL
   }

   KRB-SRP-CLIENT-RESPONSE-ENC-DATA ::= SEQUENCE {
           krb-srp-checksum[0]     Checksum,
           krb-srp-flags[1]        INTEGER (SIZE 4),
           krb-srp-nonce[2]        Krb-Nonce
   }

   KRB-SRP-SERVER-RESPONSE ::= SEQUENCE {
           krb-srp-M2[0]           OCTET STRING
   }

   END

Issues

   Send group/generator by name ?

   How to bind the request to the pa-data ?

   What key should be used, the key from SRP or the combined key from
   s2k + SRP?  Right now it's a flag.

Requirements on the KDC

   The KDC needs to know more information for each principal.  At least
   the KDC needs to store:

   N, the safe prime
   g, the generator
   v, the password verifier
   salt, the salt that the principal used to form the verifier v
   H, the hash function used to form the verifier v

   Also, since the KDC no longer has a list of keys, and thus an
   implicit list of what encryption types the principal is allowed to
   use, it needs to have a list of all the encryption types a user is
   allowed to use with the SRP preauthentication mechanism.

Security considerations

   SRP

   See the Security considerations in Nisse's SSH SRP draft.

   Kerberos

   Preauthentication

   The SRP preauthentication mechanism doesn't require the client to
   compute anything before the server has to perform "expensive"
   cryptographic operations.

   Preauthentication has the problem that the response is not
   authenticated, so an active attacker can modify the response from the
   KDC to remove SRP and have the client choose a weaker initial
   authentication method.

References

   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
   Authentication Service (V5)", RFC 1510, September 1993.

   [SRP] Wu, T., "The Secure Remote Password Protocol", in Proceedings
   of the 1998 ISOC Network and Distributed System Security Symposium,
   San Diego, CA, pp. 97-111.

   [RFC2945] Wu, T., "The SRP Authentication and Key Exchange System",
   RFC 2945, September 2000.

   [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
   Kerberos 5", draft-ietf-krb-wg-crypto-05.txt, June 2003.  Work in
   progress.

Author's Address

   Love Hornquist Astrand
   Enheten for it och media
   Stockholms universitet
   S-106 91  STOCKHOLM
   SWEDEN

   EMail: lha@it.su.se

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved. ...
