| blob | 5baae0f096081941ac9619f90d85fee3e162bfb6 |
3 INTERNET-DRAFT Clifford Neuman
4 <draft-ietf-cat-kerberos-passwords-00.txt> ISI
5 Updates: RFC 1510 Glen Zorn
6 November 28, 1994 CyberSAFE Corporation
10 Integrating One-time Passwords with Kerberos
13 0. Status Of this Memo
15 This document is an Internet-Draft. Internet-Drafts are working
16 documents of the Internet Engineering Task Force (IETF), its areas,
17 and its working groups. Note that other groups may also distribute
18 working documents as Internet-Drafts.
20 Internet-Drafts are draft documents valid for a maximum of six
21 months and may be updated, replaced, or obsoleted by other docu-
22 ments at any time. It is inappropriate to use Internet-Drafts as
23 reference material or to cite them other than as ``work in pro-
24 gress.''
26 To learn the current status of any Internet-Draft, please check the
27 ``1id-abstracts.txt'' listing contained in the Internet-Drafts Sha-
28 dow Directories on ds.internic.net (US East Coast), nic.nordu.net
29 (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
30 Rim).
32 The distribution of this memo is unlimited. It is filed as
33 <draft-ietf-cat-kerberos-passwords-00.txt>, and expires June 3, 1995.
34 Please send comments to the authors.
37 1. Abstract
39 This document defines extensions to the Kerberos protocol specifi-
40 cation (RFC 1510, "The Kerberos Network Authentication Service
41 (V5)", September 1993) which provide a method by which a variety of
42 one-time password mechanisms may be supported within the protocol.
43 The method defined specifies a standard fashion in which the preau-
44 thentication data and error data fields in Kerberos messages may be
45 used to transport one-time password data.
48 2. Motivation
49 One-time (or single use) passwords are, as the name suggests, pass-
50 words which may be used at most once as a means of authentication.
51 Several one-time password mechanisms are currently in widespread
52 use, including hardware-based schemes from vendors such as Enigma
53 Logic, Digital Pathways and Security Dynamics and software-based
54 mechanisms like S/Key. The hardware-based schemes typically
55 require that the authenticating user carry a small, credit-card-
56 sized electronic device (called a token) which is used to generate
60 Neuman & Zorn [Page 1]
61 \f
62 INTERNET-DRAFT November 28, 1994
65 the one-time password. Some tokens require the user to enter data
66 into the device. This input may take the form of a Personal Iden-
67 tification Number (PIN), a server generated challenge string or
68 both. The token uses the challenge string to help generate the
69 single-use password. Other tokens do not use a challenge-response
70 technique, instead spontaneously generating a new, unique password
71 every few seconds. These tokens are usually time-synchronized with
72 a server. The use of one-time passwords and token cards as an
73 authentication mechanism has steadily increased over the past few
74 years; in addition, the Internet Activity Board has encouraged the
75 use of one-time passwords to improve Internet security.
77 The popularity of the Kerberos authentication protocol is also
78 increasing, and with it the demand for the integration of one-time
79 password technology with it. Several currently available implemen-
80 tations of Kerberos include support for some types of token cards,
81 but the implementations are either not interoperable, or would
82 require the release of source code (not always an option) to make
83 them interoperate. This memo represents an attempt to remedy that
84 problem. For the sake of brevity, "one-time password" will often
85 be abbreviated to "passcode" in the remainder of this document.
88 3. Generic Approach - Two Models
90 As outlined above, there are essentially two types of passcode
91 mechanisms: challenge/response and time-based. In order to support
92 challenge/response mechanisms, the Kerberos Key Distribution Center
93 (KDC) must communicate the appropriate challenge string to the
94 user, via some client software. Furthermore, some
95 challenge/response mechanisms require tight synchronization between
96 all instances of the KDC and the client. One example is S/Key and
97 its variants. If the KDC and client do not perform the same number
98 of message digest iterations, the protocol will fail; worse, it
99 might be possible for an eavesdopping attacker to capture a valid
100 S/Key passcode and replay it to a KDC replica which had an outdated
101 iteration number. In the time-based case, no challenge is
102 required. This naturally gives rise to two modes of client
103 behavior, described below. Note, however, that the KDC is not
104 required to know which mode the client is using, nor is the client
105 required to support both modes: if the client supports just the
106 challenge/response model, the protocol will still work (at the
107 expense of one extra exchange of messages with the KDC).
110 3.1 Challenge/Response Model
112 The client begins with an initial KRB_AS_REQ message to the KDC,
113 using whatever form of preauthentication is common (none,
114 PA_ENC_TIMESTAMP (encrypted timestamp), PA_OSF_DCE (DCE), etc.).
115 Depending on the type of preauthentication used, the user may or
116 may not be prompted at this time for her Kerberos password. If
117 (for example) encrypted timestamp preauthentication is used, then
118 the user will be prompted; on the other hand, if no
122 Neuman & Zorn [Page 2]
123 \f
124 INTERNET-DRAFT November 28, 1994
127 preauthentication is in use the prompt for the password may be
128 deferred. Note that the use of preauthentication here may allow an
129 offline guessing attack against the Kerberos password separate from
130 the one-time passcode, but that if a passcode is required, then the
131 password by itself is not sufficient for authentication.
133 If the client is required to present a one time passcode, then the
134 KDC will respond with a KRB_ERROR message, with the error-code
135 field set to KDC_ERR_PREAUTH_REQUIRED and the e-data field contain-
136 ing the ASN.1 structure that is a sequence of PA-DATA fields.
138 If the type of one of the PA-DATA fields is PA-OT-PASSCODE-
139 REDIRECT-TO-PRIMARY, the client should re-execute the authentica-
140 tion protocol from the beginning, directing messages to the primary
141 KDC for the realm. This is done to allow some methods to require
142 that a single KDC be used for passcode authentication if tight syn-
143 chronization is needed between all replicas, and the KDC database
144 propogation code does not provide such synchronization.
146 Otherwise, if one of the PA-DATA fields has the type PA-OT-
147 PASSCODE-CHALLENGE, the exchange will continue as described in sec-
148 tion 4, below; otherwise, the KDC will respond as specified by RFC
149 1510.
152 3.2 Time-based Model
154 For mechanisms where no challenge is required, the user (or the
155 client software being utilized) may or may not know whether a one
156 time password is required. If it does not know, then the initial
157 exchange may proceed as above. If it is known that a one time
158 password is required then the first exchange can be skipped and the
159 authentication will continue as follows.
162 4. Authentication Using Passcodes
164 Prior to performing preauthentication using a single use password,
165 the client must know whether a challenge is required (if the client
166 doesn't have this information prior to its sending the first
167 KRB_AS_REQ message, it will be informed of the requirement by the
168 KDC, as described in section 3.1). The client does NOT need to know
169 the specific kind of passcode in use other than to know whether it
170 requires a challenge. This means that a client supporting one-time
171 passwords will be able to work with new methods without modifica-
172 tion.
174 If a KRB_ERROR message was received from the KDC indicating that a
175 passcode is required, that message includes in its e-data field a
176 PA-DATA structure that encodes information about the passcode that
177 is needed. This includes whether a challenge is required, if so,
178 what the challenge is, and informational data about the type of
179 passcode that is needed, and how to prompt for the passcode. The
180 type of the passcode is informational only and does not affect the
184 Neuman & Zorn [Page 3]
185 \f
186 INTERNET-DRAFT November 28, 1994
189 behavior of the client. The prompt is also informational and may
190 be presented to the user by the client, or it may be safely
191 ignored.
193 The ASN.1 definition for the passcode challenge is:
195 PA-OT-PASSCODE-CHALLENGE ::= SEQUENCE {
196 otpc-type INTEGER,
197 otpc-flags OTPCFlags,
198 otpc-type-name GeneralString OPTIONAL,
199 otpc-track-id GeneralString OPTIONAL,
200 otpc-challenge-label GeneralString OPTIONAL,
201 otpc-challenge GeneralString OPTIONAL,
202 otpc-response-prompt GeneralString OPTIONAL,
203 otpc-pk-for-passcode EncryptionKey OPTIONAL,
204 otpc-nonce INTEGER OPTIONAL,
205 otpc-cksum Checksum OPTIONAL
206 }
208 OTPCFlags ::= BIT STRING {
209 use-passcode-as-key(0),
210 send-encrypted-passcode(1),
211 must-pk-encrypt-passcode(2)
212 }
214 The otpc-type field is informational only, but it must be specified
215 and otpc-type values must be registered. The values that are
216 presently defined are:
218 PA_OTPC_TYPE_ENIGMA 1 -- Enigma Logic
219 PA_OTPC_TYPE_DIGI_PATH 2 -- Digital Pathways
220 PA_OTPC_TYPE_SKEY_K0 3 -- S/Key where KDC has key 0
221 PA_OTPC_TYPE_SKEY 4 -- Traditional S/Key
222 PA_OTPC_TYPE_SECURID 5 -- Security Dynamics
224 PA_OTPC_TYPE_ENIGMA, PA_OTPC_TYPE_DIGI_PATH and
225 PA_OTPC_TYPE_SECURID are popular token cards.
227 [NOTE: It will probably be necessary to fine-tune this list, since
228 some vendors offer more than one type of device, each of which may
229 require a different algorithm for verification.]
231 PA_OTPC_TYPE_SKEY is the traditional S/Key protocol, in which the
232 KDC will not know the passcode. PA_OTPC_TYPE_SKEY_K0 is a variant
233 of S/Key that uses the same passcodes and PC software or hardware
234 device, but where the zeroth key (the S/Key secret) is actually
235 stored on, and can be used by, the KDC to generate the the correct
236 passcode.
238 [NOTE: Using PA_OTPC_TYPE_SKEY_K0 gives up one advantage of S/Key,
239 e.g., that the information needed to generate the key not be stored
240 on the host, but since the KDC is assumed to be more secure than
241 other hosts on the network, it may be acceptable to give up this
242 advantage in some situations. The advantage of this S/Key variant
246 Neuman & Zorn [Page 4]
247 \f
248 INTERNET-DRAFT November 28, 1994
251 is that security of the network protocol is stronger since the
252 passcode is known by the KDC and can be used as part of the encyp-
253 tion key, rather than being sent protected by an encryption key
254 that has been subject to possible prior exposure to an attacker
255 (see the limitations section). In any case, there seems to be a
256 definite advantage to being interoperable with the S/Key algo-
257 rithm.]
259 The otpc-flags field indicates whether the passcode is known by the
260 KDC (in which case it can be used as part of the encryption key for
261 the response), or if it must be provided to the KDC in a recover-
262 able manner. If it is known to the KDC, use-passcode-as-key indi-
263 cates that the passcode alone will be used to generate the encryp-
264 tion key for the forthcoming KRB_AS_REQ and KRB_AS_REP messages,
265 and that the user will not need to also enter a password. If the
266 passcode is not known by the KDC, then send-encrypted-passcode will
267 be set, indicating that the passcode must be sent to the KDC
268 encrypted under the key used in the response. If neither use-
269 passcode-as-key nor send-encrypted-passcode are set, the client may
270 assume that the KDC knows the passcode, but the Kerberos password
271 should be used along with the passcode in the derivation of the
272 encryption key (see below). If must-pk-encrypt-passcode is set,
273 then the passcode must additionally be encrypted in the public key
274 returned by the KDC in the otpc-pk-for-passcode field. Note that
275 there are specific constraints on the integrity of the PA-OT-
276 PASSCODE-CHALLENGE when some of these options are specified. In
277 particular, if any of these flags are specified, a crypyographic
278 checksum must be present and verified. If absent, or the checksum
279 does not match the request, the challenge must be considered
280 invalid and the user notified.
282 [NOTE: The flags (and their interpretations) provide generality,
283 but complicate things considerably. Should some be dropped in the
284 interest of simplicity?]
286 The optional otpc-type-name field is informational only. It may be
287 used by the client to display a short description of the type of
288 passcode required.
290 The optional otpc-track-id field may be returned by the KDC in the
291 KRB_ERROR message. If present, the client should copy this field
292 into the corresponding field of the challenge response sent in the
293 subsequent KRB_AS_REQ message. This field may be used by the KDC
294 to match challenges and responses. It might be a suitably encoded
295 integer, or even be encrypted data with the KDC state encoded so
296 that the KDC doesn't have to maintain the state internally.
298 The otpc-challenge-label field is informational and optional. If
299 present, a client may choose to precede the presentation of the
300 challenge with the label; however, it should not be used if the
301 otpc-checksum field is empty, since in that case it may have been
302 modified by an adversary. For example, if the challenge is 135773
303 and the string in the otpc-challenge-label field is "Enter the fol-
304 lowing number on your card", the client may choose to display to
308 Neuman & Zorn [Page 5]
309 \f
310 INTERNET-DRAFT November 28, 1994
313 the user:
315 Enter the following number on your card: 135773
317 If no challenge label was presented, or if the client chooses to
318 ignore it, the client might display instead:
320 Challenge from authentication server: 135773
322 The optional otpc-challenge field contains a string that will be
323 needed by the user to generate a suitable response. If the otpc-
324 challenge field is left out, it indicates that the type of passcode
325 in use does not require a challenge, and that the authorized user
326 should be able to enter the correct passcode without one. If the
327 otpc-challenge field is present, it is the data that is input to
328 the one time password mechanism to generate the response.
330 The otpc-response-prompt field is informational and optional. If
331 present, a client may choose to precede the prompt for the response
332 with the specified string; however, it should not be used if the
333 otpc-checksum field is empty, since in that case the prompt may
334 have been modified by an adversary. Otherwise the prompt displayed
335 will be hardcoded into the application, such as
337 Passcode:
339 [NOTE: Are the otpc-challenge-label and otpc-response-prompt fields
340 useful if the KRB_ERROR message isn't integrity-protected?]
342 otpc-pk-for-passcode is an optional field containing a public key
343 generated by the KDC and returned to the client for use in encrypt-
344 ing the passcode before returning it to the server. This addi-
345 tional encryption is intended for use with passcode mechanisms in
346 which the passcode is not known by the KDC. Its purpose is to
347 prevent an attacker who has already obtained the users password
348 from also obtaining the passcode, which might otherwise be possible
349 by eavesdropping on the exchange (if the passcode had been
350 encrypted solely in the user's password). If this field is
351 present, its integrity must be assured by a checksum.
353 [NOTE: The otpc-pk-for-passcode field and its use are not fully
354 specified. This is basically a placeholder for future use.]
357 The otpc-nonce field is optional. If present, it should conform to
358 the specification of the nonce field in a KRB_KDC_REQ message (see
359 RFC 1510, section 5.4.1).
361 The optional otpc-cksum field contains a cryptographic checksum of
362 the preceding fields, protected using the same key as that used for
363 preauthentication in the intial KRB_AS_REQ message. While any
364 secure checksum method may be used, the RSA-MD5-DES type is recom-
365 mended. This field should always be present if the initial
366 KRB_AS_REQ message included a type of cryptographic
370 Neuman & Zorn [Page 6]
371 \f
372 INTERNET-DRAFT November 28, 1994
375 preauthentication (such as PA_ENC_TIMESTAMP). If the intial mes-
376 sage included preauthentication, but this field is missing in the
377 response, the client should reject the response. If this field is
378 present, the client should verify its correctness: if the otpc-
379 cksum field is present in the KRB_ERROR message, but not verified
380 by the client, then an attacker can change the message contents at
381 will. Such a change could cause unexpected instructions to be
382 displayed to the user in the prompt string, or allow the denial of
383 service through the proffering of an invalid challenge. Another
384 effect of a change might be to effect a limited chosen plaintext
385 attack on the Kerberos password where the attacker picks the nonce,
386 and the challenge.
388 [NOTE: It is possible for the KDC to generate a cryptographic
389 checksum for this message using the users' secret key even though
390 no cryptographic preauthentication was present in the initial
391 AS_REQ message. Doing so, however, makes available material which
392 enables an offline guessing attack against the key. Is this
393 acceptable? Should the use of the otpc-cksum field be allowed or
394 prohibited in the absence of cryptographic preauthentication?
395 Should it be left as a matter of realm policy? Feedback is
396 encouraged.]
398 If the client is performing passcode preauthentication in the ini-
399 tial message, without receipt of a PA-OT-PASSCODE-CHALLENGE (i.e.
400 without waiting for the KRB_ERROR message), and the passcode scheme
401 in use does not require a challenge, the client will prompt for the
402 passcode in an application-specific manner.
404 Once the user has been prompted for and entered passcode and possi-
405 bly the password), the client will derive a key to be used to
406 encrypt the preauthentication data for a KRB_AS_REQ message. This
407 key will be determined as follows:
409 By default, the key is derived from the password and the
410 passcode by runnning each through the string_to_key function
411 (see RFC 1510, Section 6.3.4) separately, then XORing the
412 results.
414 If the use-passcode-as-key flag is set and the integrity of the
415 PA-OT-PASSCODE-CHALLENGE PADATA field can be verified using the
416 otpc-cksum field, then the passcode is run through the
417 string_to_key function and the result is used as the encryption
418 key for the request. WARNING: the use of a passcode in this
419 manner is NOT recommended unless the range of the passcode is
420 large enough to make an exhaustive off-line search impractical
421 and the risks involved in the use of a passcode alone are fully
422 considered. Also, note that without the availabilty to the KDC
423 of a relatively static, unique secret key shared with the user,
424 the only mechanisms that can be used to protect the integrity
425 of the PA-OT-PASSCODE-CHALLENGE PADATA field are based on
426 either public key cryptography or the KDC's knowledge of the
427 passcode itself. In the latter case, the client must obtain
428 the passcode from the user and use it to verify the integrity
432 Neuman & Zorn [Page 7]
433 \f
434 INTERNET-DRAFT November 28, 1994
437 of the challenge before the new KRB_AS_REQ message is sent.
439 If the otpc-pk-for-passcode field is not empty, the client sup-
440 ports public key cryptography, and the integrity of the PA-OT-
441 PASSCODE-CHALLENGE PADATA field can be verified, then the
442 response will be encrypted twice: first, in the key from the
443 otpc-pk-for-passcode field; and next, in the conventional key
444 obtained in the manner described above.
446 The client will then send another KRB_AS_REQ message to the KDC, but
447 with a padata field with padata-type equal to PA-OTP-RESPONSE and
448 padata-value defined as follows:
450 PA-OT-PASSCODE-RESPONSE ::= SEQUENCE {
451 otpc-type INTEGER,
452 otpc-track-id GeneralString OPTIONAL,
453 otpc-enc-nonce-or-ts EncryptedData
454 -- PA-ENC-PASSCODE-RESPONSE-ENC,
455 otpc-nonce INTEGER OPTIONAL
456 otpc-patimestamp KerberosTime OPTIONAL
457 }
459 PA-ENC-PASSCODE-RESPONSE-ENC ::= CHOICE {
460 otpc-nonce INTEGER,
461 SEQUENCE {
462 patimestamp KerberosTime,
463 pausec INTEGER
464 }
465 }
467 The source of the data included in the PA-OT-PASSCODE-RESPONSE struc-
468 ture depends upon whether or not a KRB_ERROR message was received by
469 the client from the KDC.
471 If an error reply was received, the otpc-type field will contain a
472 copy of the otpc-type field from the error message. If the otpc-nonce
473 field was present in the KRB_ERROR message, then the PA-ENC-PASSCODE-
474 RESPONSE-ENC structure returned to the KDC will include that value,
475 encrypted as described above, the otpc_nonce field in the KRB_AS_REQ
476 message will contain a plaintext copy of the same value and the otpc-
477 patimestamp field of the message will be empty. If either no KRB_ERROR
478 message was received or the otpc-nonce field was omitted from it, the
479 encrypted data will contain a timestamp encrypted in the same manner,
480 the otpc-patimestamp field will contain an unencrypted copy of the
481 same value, and the otpc-nonce field will be empty.
483 Upon receipt the KDC validates this PADATA in much the same way that
484 it validates the PA-ENC-TS preauthentication method except that it
485 determines the appropriate passcode and uses it (possibly in conjunc-
486 tion with saved state information or portions of the preauthentication
487 data) to determine the correct key(s) required to verify the encrypted
488 data. Note that if the KDC uses the otpc-track-id field to encode its
489 state, the KDC is responsible for including information in that field
490 to prevent modification or replay by an attacker.
494 Neuman & Zorn [Page 8]
495 \f
496 INTERNET-DRAFT November 28, 1994
499 The rest of the processing of the request proceeds normally, except
500 that instead of being encrypted in the users password, the KRB_AS_REP
501 message is encrypted in the key obtained above.
504 5. Limitations
506 If the passcode implementation on the KDC results in the sending of
507 PA-OT-PASSCODE-REDIRECT-TO-PRIMARY, the availability of the KDC for
508 clients using such a passcode is limited to the availablility of
509 the single primary KDC, and the benefits of replication of the KDC
510 are lost.
512 Passcode implementations requiring the use of the send-encrypted-
513 passcode option are discouraged as their use on the network is less
514 secure than the case where a combination of the users password and
515 passcode is used as the encryption key. In particular, when the
516 send-encrypted-passcode option is used, an attacker who observes
517 the response and is in possession of the users' encryption key
518 (which doesn't change from login to login) can use the key do
519 decrypt the response and obtain the passcode.
521 It also appears to be the case that an attacker in possession of
522 the users encryption key (again, which doesn't change from login to
523 login) would be able to generate/modify a passcode challenge and
524 attach the appropriate checksum. This affects the security of both
525 the send-encrypted-passcode option and the must-pk-encrypt option.
526 We would like input on whether these options should be dropped
527 entirely, whether there is sufficient need or potential need to
528 integrate such forms of passcodes that we leave it but with a warn-
529 ing, or whether there are better options for integrity protecting
530 the challenge (e.g. eventually a digital signature generated using
531 the KDC's RSA private key, but that introduces the problem of the
532 certification of the KDC's public key).
535 6. Expiration
537 This Internet-Draft expires on June 3, 1995.
540 7. Authors' Addresses
542 B. Clifford Neuman
543 USC/Information Sciences Institute
544 4676 Admiralty Way #1001
545 Marina del Rey, CA 90292-6695
547 Phone: 310-822-1511
548 EMail: bcn@isi.edu
551 Glen Zorn
552 CyberSAFE Corporation
556 Neuman & Zorn [Page 9]
557 \f
558 INTERNET-DRAFT November 28, 1994
561 2443 152nd Avenue N.E.
562 Redmond, WA 98052
564 Phone: 206-883-8721
565 EMail: gwz@cybersafe.com
618 Neuman & Zorn [Page 10]
619 \f