7 INTERNET DRAFT Joel N. Weber II
9 Expires January 24, 2004
11 Kerberos Perfect Forward Secrecy
12 draft-weber-krb-wg-kerberos-pfs-00.txt
14 This document is an Internet-Draft and is subject to all the
15 provisions of Section 10 of RFC2026.
17 Internet-Drafts are working documents of the Internet Engineering
18 Task Force (IETF), its areas, and its working groups. Note that
19 other groups may also distribute working documents as Internet-
22 Internet-Drafts are draft documents valid for a maximum of six months
23 and may be updated, replaced, or obsoleted by other documents at any
24 time. It is inappropriate to use Internet-Drafts as reference
25 material or to cite them other than as "work in progress."
27 The list of current Internet-Drafts can be accessed at
28 http://www.ietf.org/1id-abstracts.html
30 The list of Internet-Draft Shadow Directories can be accessed at
31 http://www.ietf.org/shadow.html
33 The distribution of this memo is unlimited. It is filed as draft-
34 weber-krb-wg-kerberos-pfs-00.txt, and expires 24 January 2004.
35 Please send comments to the author or to ietf-krb-wg@anl.gov
39 This document defines the use of a Diffie-Hellman exchange in
40 Kerberos, both with AP-REQ/AP-REP (in order to protect against
41 passive eavesdropping of a session by the realm administrator), and
42 as a preauthentication method (in order to prevent a passive
43 eavesdropper from capturing ciphertext with which an offline
44 dictionary attack can be mounted).
48 Perfect forward secrecy (PFS) is often a desirable property in
49 security protocols; it means that an eavesdropper that has been able
50 to decrypt previous traffic is not likely to be able to decrypt
53 In Kerberos [CLARIFICATIONS], one consequence of the lack of perfect
54 secrecy is that anyone who has access to the keys in the KDC's
58 Weber Kerberos Perfect Forward Secrecy [Page 1]
65 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
68 database can decrypt all traffic in a Kerberos authenticated session,
69 unless the application protocol happens to provide perfect forward
70 secrecy independently of Kerberos. This lack of perfect forward
71 secrecy for sessions also means that a password change authenticated
72 only by a compromised key may not suffice to remove the vulnerability
73 caused by the compromised key, if an attacker is able to eavesdrop
74 the password changing session and decrypt it using the compromised
77 This document defines perfect forward secrecy for the AP-REQ/AP-REP
78 exchange in Kerberos using the Diffie-Hellman exchange.
80 This document also defines a preauthentication method that prevents a
81 passive attacker from capturing ciphertext from which an offline
82 dictionary attack can be mounted.
84 This document draws heavily on the way Diffie-Hellman is used in
85 [SECSH-TRANSPORT], which in turn is based upon work done for the
90 The client generates a random number x, where 1 < x < q. The entropy
91 in x MUST include entropy generated locally by the client; it SHOULD
92 NOT include entropy from the KDC.
94 The client then calculates e = g^x mod p. The client creates an
95 EncryptionKey with a keytype of DH-GROUP1 and a keyvalue of the
96 integer e encoded as an ASN.1 DER INTEGER.
98 The server generates a random number y, where 0 < y < q. The entropy
99 in y MUST include entropy generated locally by the server; it SHOULD
100 NOT include entropy from a message received from the KDC.
102 The server calculates f = g^y mod p. The server creates an
103 EncryptionKey with a keytype of DH-GROUP1 and a keyvalue of the
104 integer f encoded as an ASN.1 DER INTEGER.
106 Any value of e or f received that is not a positive integer, or that
107 is greater than p - 1, MUST be rejected.
109 The server computes K using K = e^y mod p. The client computes K
112 K is then encoded as an ASN.1 DER INTEGER, and fed through the MD5
113 hash described in [KCRYPTO]. The resulting 128 bit value is the
114 output of the Diffie-Hellman exchange.
119 Weber Kerberos Perfect Forward Secrecy [Page 2]
126 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
131 This is the same generator and prime as is used in [SECSH-TRANSPORT].
133 The generator g used is the number 2. q is (p - 1) / 2.
135 The prime p is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
137 179769313486231590770839156793787453197860296048756011706444
138 423684197180216158519368947833795864925541502180565485980503
139 646440548199239100050792877003355816639229553136239076508735
140 759914822574862575007425302077447712589550957937778424442426
141 617334727629299387668709205606050270810842907692932019128194
146 To request a subkey with perfect forward secrecy in the AP-REQ/AP-REP
147 exchange, the client includes in the authenticator of the AP-REQ an
148 authorization-data element of type AD-AP-PFS, with an ad-data field
149 containing an EncryptionKey of keytype DH-GROUP1 and a keyvalue of the
150 number e encoded as an ASN.1 DER INTEGER, as described above.
152 The client MAY place the AD-AP-PFS element inside an AD-IF-RELEVANT if it
153 wishes to operate without PFS if the server does not support PFS.
155 If the server receives an AD-AP-PFS element with a key with an enctype of
156 DH-GROUP1, and also receives one or more AD-AP-PFS elements with other
157 enctype values, it MUST ignore the AD-AP-PFS elements whose enctypes are
160 If the server receives one or more AD-AP-PFS elements, all of which are
161 inside one or more AD-IF-RELEVANT elements, and none of which have an
162 enctype of DH-GROUP1, it MUST ignore all of them.
164 If the server receives one or more AD-AP-PFS elements, one or more of
165 which are not inside an AD-IF-RELEVANT element, and none of which have
166 an enctype of DH-GROUP1, it MUST report an error as appropriate for
167 an unrecognized enctype.
169 When the server receives an AD-AP-PFS element with a key with an enctype
170 of DH-GROUP1, it generates a value f as described above which it sends
171 as a DH-GROUP1 key in the subkey field of the EncAPRepPart which is
174 When no AD-IF-RELEVANT is used, the client SHOULD abort the connection
175 if no DH-GROUP1 key is received in the subkey field of the
176 EncAPRepPart of the AP-REP. When AD-IF-RELEVANT is used, the client
180 Weber Kerberos Perfect Forward Secrecy [Page 3]
187 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
190 MUST fall back to not using perfect forward secrecy if the subkey is
191 omitted from the AP-REP or not of type DH-GROUP1.
193 When DH-GROUP1 keys are successfully exchanged, the MD5 hash
194 generated as the output of the Diffie-Hellman exchange as described
195 above is combined with the session key from the KDC in some fashion
196 which is currently underspecified, and used as the sub-session key
197 for the following KRB-SAFE, KRB-PRIV, and/or KRB-CRED messages.
199 PFS PREAUTHENTICATION
201 The client sends an AS-REQ which contains a PA-DATA element with a
202 padata-type value of PA-PFS-F-REQ and a padata-value of type
205 PA-PFS-F-REQ-ENTRY ::= SEQUENCE {
206 enctypes [0] SEQUENCE OF Int32
209 A client conforming to this version of the specification MUST send an
210 enctype of DH-GROUP1, and only that enctype. A server conforming to
211 this version of this specification MUST use the DH-GROUP1 enctype if
212 it is present in the PA-PFS-F-REQ, and otherwise report the error
213 KDC_ERR_ETYPE_NOSUPP.
215 When sending PA-PFS-F-REQ, the cname field of the KDC-REQ-BODY MAY be
218 The KDC replies with with a KRB-ERROR message of type
219 KDC_ERROR_PREAUTH_REQUIRED containing a PA-DATA element with a
220 padata-type of PA-PFS-F-REP and a padata-value of type PA-PFS-F-REP-
223 PA-PFS-F-REP-ENTRY ::= SEQUENCE {
227 Where f is a DH-GROUP1 key as described above.
229 The KDC MAY include additional preauthentication data elements in
230 this KRB-ERROR, such as PA-ETYPE-INFO2.
232 The client then sends an AS-REQ which contains a PA-DATA element with
233 a padata-type of PA-PFS-REQ and a padata-value of type PA-PFS-ENTRY:
235 PA-PFS-ENTRY ::= SEQUENCE {
237 cookie [1] OCTET STRING
241 Weber Kerberos Perfect Forward Secrecy [Page 4]
248 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
251 cname [2] EncryptedData OPTIONAL, -- PrincipalName
252 timestamp [3] EncryptedData -- PA-ENC-TS-ENC
255 Where e has an keytype of DH-GROUP1 and contents as described above,
256 and cookie is the MD5 hash of the ASN.1 DER encoding of the INTEGER
259 If cname is included in the PA-PFS-ENTRY, it is encrypted using a key
260 derived in some underspecified fashion from the output of the Diffie-
261 Hellman exchange, and the cname field of the KDC-REQ-BODY structure
262 is omitted from the AS-REQ.
264 The timestamp field of the PA-PFS-ENTRY is encrypted using a key
265 derived from the output of the Diffie-Hellman exchange and the user's
266 password, combined in some underspecified fashion.
268 The KDC then sends an AS-REP, encrypting the ticket using a key
269 derived from of the output of the Diffie-Hellman exchange and the
270 user's password, combined in some underspecified fashion.
274 Once the KDC sends a value of f, it MUST to accept the corresponding
275 cookie value in an unlimited number of PA-PFS-REQ requests for at
276 least a half hour plus allowable clock skew. The KDC SHOULD log the
277 MD5 hash of each value of f it sends, in order to facilitate
278 determining which values the real KDC sent.
280 Clients SHOULD record the hash of f and principal name used in cases
281 where authentication fails, so that a determination can be made of
282 which principals may have had ciphertext based upon their possibly
283 weak passwords sent to an attacker.
287 For the preauthentication mechanism described here, a message type
288 should be defined so that after successful authentication, a client
289 can send a list of values of f and principal names that have failed
290 to successfully authenticate on that particular workstation to the
291 KDC. Or perhaps there is a better solution to the problem of
292 detecting man in the middle attacks.
294 A numeric value for the authorization data type AD-AP-PFS needs to be
297 A numeric value for the enctype DH-GROUP1 needs to be assigned.
302 Weber Kerberos Perfect Forward Secrecy [Page 5]
309 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
312 Numeric values need to be assigned for the padata-types PA-PFS-F-REQ,
313 PA-PFS-F-REP, and PA-PFS-REQ.
315 Key combining needs to be better specified.
317 SECURITY CONSIDERATIONS
319 With AP-REQ/AP-REP, if an attacker which knows the client principal's
320 or the application server's long term key, PFS will prevent the
321 attacker from carrying out a passive eavesdropping attack, but
322 provides no protection against and offers no detection of a man in
325 PA-PFS-REQ will prevent a passive eavesdropper from capturing
326 ciphertext encrypted only with a user's weak password. However, an
327 active attacker can easily capture such ciphertext even when PA-PFS-
328 REQ is used. On the other hand, the use of this preauthentication
329 method may make the detection of such attackers significantly more
332 The use of Diffie-Hellman is only effective if the client and server
333 use quality sources of entropy to generate x and y.
335 Having the server consistently send the same value of f for multiple
336 sessions has advantages in reducing the amount of memory an attacker
337 could consume by sending many requests for f, and facilitates
338 detection of man in the middle attacks. However, the author is not
339 aware of implementations of the Diffie-Hellman exchange which
340 deliberately reuse a random number for multiple sessions, and is not
341 entirely confident that there aren't hidden problems lurking which
342 make this a bad idea.
344 [SECSH-TRANSPORT] derives several keys from the output of the Diffie-
345 Hellman exchange, rather than just one. It may be a bug that this
346 version of this spec does not do likewise.
352 Somerville MA 02144-2629
353 Email: weber@joelweber.com
357 [CLARIFICATIONS] To be replaced with the RFC number for draft-ietf-
358 krb-wg-kerberos-clarifications
363 Weber Kerberos Perfect Forward Secrecy [Page 6]
370 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
373 [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
374 Kerberos 5", draft-ietf-krb-wg-crypto-01.txt, May, 2002. Work in
377 [RFC2026] S. Bradner, RFC2026, BCP 9: "The Internet Standard Process
378 - Revision 3," October 1996, Obsoletes - RFC 1602, Status: Best
381 [RFC2119] S. Bradner, RFC 2119, BCP 14: "Key words for use in RFCs to
382 Indicate Requirement Levels", March 1997.
384 INFORMATIVE REFERENCES
386 [SECSH-TRANSPORT] To be replaced with the RFC number for draft-ietf-
391 The IETF takes no position regarding the validity or scope of any
392 intellectual property or other rights that might be claimed to
393 pertain to the implementation or use of the technology described in
394 this document or the extent to which any license under such rights
395 might or might not be available; neither does it represent that it
396 has made any effort to identify any such rights. Information on the
397 IETF's procedures with respect to rights in standards-track and
398 standards-related documentation can be found in BCP-11. Copies of
399 claims of rights made available for publication and any assurances of
400 licenses to be made available, or the result of an attempt made to
401 obtain a general license or permission for the use of such
402 proprietary rights by implementors or users of this specification can
403 be obtained from the IETF Secretariat.
405 The IETF invites any interested party to bring to its attention any
406 copyrights, patents or patent applications, or other proprietary
407 rights which may cover technology that may be required to practice
408 this standard. Please address the information to the IETF Executive
413 Copyright (C) The Internet Society 2003. All Rights Reserved.
415 This document and translations of it may be copied and furnished to
416 others, and derivative works that comment on or otherwise explain it
417 or assist in its implmentation may be prepared, copied, published and
418 distributed, in whole or in part, without restriction of any kind,
419 provided that the above copyright notice and this paragraph are
420 included on all such copies and derivative works. However, this
424 Weber Kerberos Perfect Forward Secrecy [Page 7]
431 draft-weber-krb-wg-kerberos-pfs-00.txt July 24 2003
434 document itself may not be modified in any way, such as by removing
435 the copyright notice or references to the Internet Society or other
436 Internet organizations, except as needed for the purpose of
437 developing Internet standards in which case the procedures for
438 copyrights defined in the Internet Standards process must be
439 followed, or as required to translate it into languages other than
442 The limited permissions granted above are perpetual and will not be
443 revoked by the Internet Society or its successors or assigns.
445 This document and the information contained herein is provided on an
446 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
447 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
448 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
449 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
450 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
485 Weber Kerberos Perfect Forward Secrecy [Page 8]