get the prototype right for yyparse, it returns an int

[heimdal.git] / doc / standardisation / draft-srp.txt

Network Working Group                             Love Hornquist Astrand
<draft-hornquist-astrand-krb-wg-srp.txt>          Stockholms universitet
Internet-Draft                                            December, 2003
Expire in six months

            Using SRP for Initial Authentication in Kerberos

Status of this Memo

ftp://ftp.rfc-editor.org/in-notes/rfc-editor/instructions2authors.txt

   This memo provides information for the Internet community. ...

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved. ...


Abstract

   This document describes how to use SRP as a preauthentication
   mechanism in Kerberos 5 [RFC1510].  This mechanism makes the initial
   ticket request and response secure against dictionary attacks on
   users passwords.

Introduction

   Kerberos without preauthentication make the protocol susceptible to
   both to password dictionary attacks on initial tickets.  There are
   several pre-authentication mechanisms that tries to solve and/or
   minimize this problem.

   Encrypted time stamp have the same problem as Kerberos without
   preauthentication, opportunities of the attacker to get key material
   is only fewer.  SAM require hardware token and typically, for most
   SAM types, still require the user to have a password since they don't
   provide enough key-material for Kerberos to encrypt the response
   with.  PKINIT large and complicated, and like SAM often require
   hardware.  Extra-tgt requires infrastructure to use, a key/bootstrap
   must be present on each host that the users are expected to use.

   The dictionary attack can also be solved by forcing the users to
   select good password.

   XXX Jacques' DH preauth ?
   XXX tls protected as-req

   SRP, Secure Remote Password protocol, [RFC2945], is a password



Hornquist Astrand                                               [Page 1]
\f
Internet Draft                                            December, 2003


   authentication and key-exchange protocol that can be used over
   untrusted networks.  SRP is designed to be resistable to dictionary
   attacks (both by passive and active attackers).

Specification

   This document is based on SRP-6.

   XXX read and think about rfc2944 (SRP over telnet)

   SRP + Kerberos 5 preauthentication

   Krb-srp-cookie in the protocol to enable the server be stateless.

   TBA KRB-SRP-PREAUTH number

   - Client send the AS-REQ

   - Server looks up the principal, and finds N, g, v, salt, H.  Then
   the server generates the random number b and calculate B.  All
   operations are performed modulus N.

        B = 3v + g^b

   and sends back a KRB-SRP-CHALLENGE md-data in a KRB-ERROR. If the
   server is stateless, it can store the information (encrypted) it
   needs in krb-srp-cookie.

   - If the client chooses to use the SRP preauthentication mechanism it
   sends back KRB-SRP-CLIENT-RESPONSE.  If krb-srp-cookie is present in
   KRB-SRP-CHALLENGE its copied to KRB-SRP-CLIENT-RESPONSE.  The client
   generates the random number a and calculates

        A = g^a
        S = (B - 3g^x)^(a+ux)
        M1 = H(DER(A) | DER(B) | DER(S))

   u is H(DER(A) | DER(B)), where DER(n) is the n encoded with the
   integer tag.

   The client then it calculates the shared key K

        K = s-to-key-bytes(S)

   KRB-SRP-CLIENT-RESPONSE-ENC-DATA is filled in by the client,
   encrypted with the shared key K

   XXX should a keyed checksum just be used instead ?



Hornquist Astrand                                               [Page 2]
\f
Internet Draft                                            December, 2003


   XXX does this replace the need for M1

   - When the server receives the KRB-SRP-CLIENT-RESPONSE response it
   calculates

        S = (Av^u)^b

   and the shared key K,

        K = s-to-key-bytes(S)

   verifies the content in krb-srp-enc, and M1.  If everything checks
   out ok, the server sends back the AS-REP.  The key that the AS-REP is
   encrypted with is the SRP session key, K.

   XXX Should the server send back M2 ?

   s-to-key defined as:

        b = DER(S)
        if length of b is even, drop first char
        b1 = H(b[0] | b[2] | b[4] | ...)
        b2 = H(b[1] | b[3] | b[5] | ...)
        K = random-to-key(b1 | b2).

   random-to-key is the random to key function in [KCRYPTO].

ASN.1 specification

   XXX Krb-Nonce

   KERBEROS-PREAUTH-SRP DEFINITIONS ::=

   BEGIN

   IMPORTS Checksum, Krb-Nonce FROM krb5;

   KRB-SRP-CHALLENGE ::= SEQUENCE {
           krb-srp-salt[0]         OCTET STRING,
           krb-srp-N[1]            INTEGER,
           krb-srp-g[2]            INTEGER,
           krb-srp-B[3]            INTEGER,
           krb-srp-hash[4]         OBJECT IDENTIFIER,
           krb-srp-flags[5]        INTEGER (SIZE 4),
           krb-srp-cookie[6]       OCTET STRING OPTIONAL -- must include nonce ?
   }

   -- flags: "use combined s2k + srp key" ?



Hornquist Astrand                                               [Page 3]
\f
Internet Draft                                            December, 2003


   KRB-SRP-CLIENT-RESPONSE ::= SEQUENCE {
           krb-srp-A[0]            INTEGER,
           krb-srp-M1[1]           OCTET STRING,
           krb-srp-hash[2]         OBJECT IDENTIFIER,
           krb-srp-enc[3]          EncryptedData, -- bind nonce to pa
           krb-srp-cookie[4]       OCTET STRING OPTIONAL
   }

   KRB-SRP-CLIENT-RESPONSE-ENC-DATA :: SEQUENCE {
           krb-srp-checksum[0]     Checksum,
           krb-srp-flags[1]        INTEGER (SIZE 4),
           krb-srp-nonce[2]        Krb-Nonce
   }

   KRB-SRP-SERVER-RESPONSE ::= SEQUENCE {
           krb-srp-M2[0]           OCTET STRING
   }

   END

Issues

   send group/generator by name ?

   how to bind request to pa data ?

   what key should be used, the key from SRP, or the compiled key from
   s2k + SRP, right now its a flag.

Requirements on the KDC

   The KDC needs to know more information for each principal.  At least
   the KDC needs to store:

   N, the safe prime
   g, the generator
   v, the password verifier
   salt, that salt that the principal used to form the verifier, v
   H, hash function used to form the verifier, v

   Also, since the KDC no longer have a list of keys, and thus an
   implicit list what encryption types the principal is allowed use, it
   needs to have a list for all the encryption types a user is allowed
   to use with SRP preauthentication mechanism.

Security considerations

   SRP



Hornquist Astrand                                               [Page 4]
\f
Internet Draft                                            December, 2003


   see Security considerations in Nisses SSH SRP draft.

   Kerberos

   Preauthentication

   SRP preauthentication mechanism doesn't require the client to compute
   something before the server sends "expensive" cryptographic
   operations.

   Preauthentication have the problem that the response is not
   authenticated, so a active attacker can modify that response from the
   KDC to remove SRP to have the client choose a weaker initial
   authentication method.

References

   [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network
   Authentication Service (V5)", RFC 1510, September 1993.

   [SRP] T. Wu, "The Secure Remote Password Protocol", In Proceedings of
   the 1998 ISOC Network and Distributed System Security Symposium, San
   Diego, CA, pp. 97-111.

   [RFC2945] Wu, T, "The SRP Authentication and Key Exchange System",
   RFC2945, September 2000.

   [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
   Kerberos 5", draft-ietf-krb-wg-crypto-05.txt, June, 2003.  Work in
   progress.

Author's Address

   Love Hornquist Astrand
   Enheten for it och media
   Stockholms universitet
   S-106 91  STOCKHOLM
   SWEDEN

   EMail: lha@it.su.se

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved. ...







Hornquist Astrand                                               [Page 5]
\f