Network Working Group                            Love Hornquist Astrand
<draft-hornquist-astrand-krb-wg-srp.txt>         Stockholms universitet
Internet-Draft                                           December, 2003

          Using SRP for Initial Authentication in Kerberos

ftp://ftp.rfc-editor.org/in-notes/rfc-editor/instructions2authors.txt

This memo provides information for the Internet community. ...

Copyright (C) The Internet Society (2003). All Rights Reserved. ...

This document describes how to use SRP as a preauthentication
mechanism in Kerberos 5 [RFC1510]. This mechanism makes the initial
ticket request and response secure against dictionary attacks on

Kerberos without preauthentication makes the protocol susceptible to
password dictionary attacks on initial tickets. There are several
preauthentication mechanisms that try to solve and/or minimize this
problem.

Encrypted timestamp has the same problem as Kerberos without
preauthentication; the attacker only has fewer opportunities to get
key material. SAM requires a hardware token and typically, for most
SAM types, still requires the user to have a password since they
don't provide enough key material for Kerberos to encrypt the
response with. PKINIT is large and complicated and, like SAM, often
requires hardware. Extra-tgt requires infrastructure to use: a
key/bootstrap must be present on each host that the users are
expected to use.

The dictionary attack can also be solved by forcing the users to

XXX Jacques' DH preauth ?
XXX tls protected as-req

SRP, Secure Remote Password protocol, [RFC2945], is a password
authentication and key-exchange protocol that can be used over
untrusted networks. SRP is designed to be resistant to dictionary
attacks (both by passive and active attackers).

This document is based on SRP-6.

XXX read and think about rfc2944 (SRP over telnet)

SRP + Kerberos 5 preauthentication

The krb-srp-cookie is in the protocol to enable the server to be
stateless.

TBA KRB-SRP-PREAUTH number

- Client sends the AS-REQ

- Server looks up the principal, and finds N, g, v, salt, H. Then
the server generates the random number b and calculates B. All
operations are performed modulo N.

and sends back a KRB-SRP-CHALLENGE md-data in a KRB-ERROR. If the
server is stateless, it can store the information (encrypted) it
needs in krb-srp-cookie.

- If the client chooses to use the SRP preauthentication mechanism it
sends back KRB-SRP-CLIENT-RESPONSE. If krb-srp-cookie is present in
KRB-SRP-CHALLENGE it is copied to KRB-SRP-CLIENT-RESPONSE. The client
generates the random number a and calculates

    M1 = H(DER(A) | DER(B) | DER(S))

u is H(DER(A) | DER(B)), where DER(n) is the n encoded with the

The client then calculates the shared key K

    K = s-to-key-bytes(S)

KRB-SRP-CLIENT-RESPONSE-ENC-DATA is filled in by the client,
encrypted with the shared key K

XXX should a keyed checksum just be used instead ?

XXX does this replace the need for M1

- When the server receives the KRB-SRP-CLIENT-RESPONSE response it

and the shared key K,

    K = s-to-key-bytes(S)

verifies the content in krb-srp-enc, and M1. If everything checks
out ok, the server sends back the AS-REP. The key that the AS-REP is
encrypted with is the SRP session key, K.

XXX Should the server send back M2 ?

    if length of b is even, drop first char
    b1 = H(b[0] | b[2] | b[4] | ...)
    b2 = H(b[1] | b[3] | b[5] | ...)
    K = random-to-key(b1 | b2).

random-to-key is the random to key function in [KCRYPTO].
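
The exchange described above, as an added Python example that is not part of the draft: both sides of the SRP-6 computation, with the KDC checking M1 = H(DER(A) | DER(B) | DER(S)). Assumptions not taken from the draft text: the standard SRP-6 formulas for A, B and S (k = 3), x as in RFC 2945, SHA-256 as H, DER(n) read as the ASN.1 DER INTEGER encoding, a constructed toy modulus, and all function names; s-to-key-bytes is not implemented.

```python
import hashlib, hmac, secrets

# Constructed toy group for illustration: 2**255 - 19 is prime, but it is
# NOT a vetted SRP safe-prime group. k = 3 is the SRP-6 multiplier.
N, g, k = 2**255 - 19, 2, 3

def der(n):
    """DER INTEGER encoding of non-negative n (assumed meaning of DER(n))."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # minimal, sign bit clear
    return b"\x02" + bytes([len(body)]) + body         # short-form length (< 128)

def hb(*parts):                       # H as bytes; SHA-256 is an assumption
    return hashlib.sha256(b"".join(parts)).digest()

def hi(*parts):                       # H as an integer
    return int.from_bytes(hb(*parts), "big")

def private_x(salt, principal, password):
    return hi(salt, hb(principal + b":" + password))   # x as in RFC 2945

def enroll(principal, password):
    """Per-principal KDC record: salt and verifier v = g^x mod N."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, principal, password), N)

def kdc_challenge(v):
    """KDC side of KRB-SRP-CHALLENGE: secret b, public B = k*v + g^b."""
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N

def client_response(salt, B, principal, password):
    """Client side of KRB-SRP-CLIENT-RESPONSE: returns (A, M1, S)."""
    if not 0 < B < N:
        raise ValueError("reject B outside 1..N-1")
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    u = hi(der(A), der(B))
    x = private_x(salt, principal, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, hb(der(A), der(B), der(S)), S

def kdc_verify(v, b, B, A, M1):
    """Return the KDC's S if M1 verifies, else None."""
    if not 0 < A < N:                 # A = 0 mod N would force S = 0
        return None
    u = hi(der(A), der(B))
    S = pow(A * pow(v, u, N) % N, b, N)
    expected = hb(der(A), der(B), der(S))
    return S if hmac.compare_digest(M1, expected) else None
```

The KDC never stores or receives the password: it holds only salt and v, and a wrong password guess yields an M1 that fails the constant-time comparison.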

KERBEROS-PREAUTH-SRP DEFINITIONS ::=
BEGIN

IMPORTS Checksum, Krb-Nonce FROM krb5;

KRB-SRP-CHALLENGE ::= SEQUENCE {
        krb-srp-salt[0]         OCTET STRING,
        krb-srp-N[1]            INTEGER,
        krb-srp-g[2]            INTEGER,
        krb-srp-B[3]            INTEGER,
        krb-srp-hash[4]         OBJECT IDENTIFIER,
        krb-srp-flags[5]        INTEGER (SIZE 4),
        krb-srp-cookie[6]       OCTET STRING OPTIONAL -- must include nonce ?
}

-- flags: "use combined s2k + srp key" ?

KRB-SRP-CLIENT-RESPONSE ::= SEQUENCE {
        krb-srp-A[0]            INTEGER,
        krb-srp-M1[1]           OCTET STRING,
        krb-srp-hash[2]         OBJECT IDENTIFIER,
        krb-srp-enc[3]          EncryptedData, -- bind nonce to pa
        krb-srp-cookie[4]       OCTET STRING OPTIONAL
}

KRB-SRP-CLIENT-RESPONSE-ENC-DATA ::= SEQUENCE {
        krb-srp-checksum[0]     Checksum,
        krb-srp-flags[1]        INTEGER (SIZE 4),
        krb-srp-nonce[2]        Krb-Nonce
}

KRB-SRP-SERVER-RESPONSE ::= SEQUENCE {
        krb-srp-M2[0]           OCTET STRING
}

END

send group/generator by name ?

how to bind request to pa data ?

what key should be used, the key from SRP, or the compiled key from
s2k + SRP, right now it's a flag.

Requirements on the KDC

The KDC needs to know more information for each principal. At least
the KDC needs to store:

    v, the password verifier
    salt, the salt that the principal used to form the verifier, v
    H, the hash function used to form the verifier, v

Also, since the KDC no longer has a list of keys, and thus an
implicit list of what encryption types the principal is allowed to
use, it needs to have a list of all the encryption types a user is
allowed to use with the SRP preauthentication mechanism.

Security considerations

see Security considerations in Nisses SSH SRP draft.

SRP preauthentication mechanism doesn't require the client to compute
something before the server sends "expensive" cryptographic

Preauthentication has the problem that the response is not
authenticated, so an active attacker can modify the response from the
KDC to remove SRP and have the client choose a weaker initial
authentication method.

[RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.

[SRP] T. Wu, "The Secure Remote Password Protocol", In Proceedings of
the 1998 ISOC Network and Distributed System Security Symposium, San
Diego, CA, pp. 97-111.

[RFC2945] Wu, T, "The SRP Authentication and Key Exchange System",
RFC2945, September 2000.

[KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
Kerberos 5", draft-ietf-krb-wg-crypto-05.txt, June, 2003. Work in

Love Hornquist Astrand
Enheten for it och media
Stockholms universitet

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved. ...