Network Working Group Love Hornquist Astrand Stockholms universitet Internet-Draft December, 2003 Expire in six months Using SRP for Initial Authentication in Kerberos Status of this Memo ftp://ftp.rfc-editor.org/in-notes/rfc-editor/instructions2authors.txt This memo provides information for the Internet community. ... Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. ... Abstract This document describes how to use SRP as a preauthentication mechanism in Kerberos 5 [RFC1510]. This mechanism makes the initial ticket request and response secure against dictionary attacks on users passwords. Introduction Kerberos without preauthentication make the protocol susceptible to both to password dictionary attacks on initial tickets. There are several pre-authentication mechanisms that tries to solve and/or minimize this problem. Encrypted time stamp have the same problem as Kerberos without preauthentication, opportunities of the attacker to get key material is only fewer. SAM require hardware token and typically, for most SAM types, still require the user to have a password since they don't provide enough key-material for Kerberos to encrypt the response with. PKINIT large and complicated, and like SAM often require hardware. Extra-tgt requires infrastructure to use, a key/bootstrap must be present on each host that the users are expected to use. The dictionary attack can also be solved by forcing the users to select good password. XXX Jacques' DH preauth ? XXX tls protected as-req SRP, Secure Remote Password protocol, [RFC2945], is a password Hornquist Astrand [Page 1] Internet Draft December, 2003 authentication and key-exchange protocol that can be used over untrusted networks. SRP is designed to be resistable to dictionary attacks (both by passive and active attackers). Specification This document is based on SRP-6. XXX read and think about rfc2944 (SRP over telnet) SRP + Kerberos 5 preauthentication Krb-srp-cookie in the protocol to enable the server be stateless. TBA KRB-SRP-PREAUTH number - Client send the AS-REQ - Server looks up the principal, and finds N, g, v, salt, H. Then the server generates the random number b and calculate B. All operations are performed modulus N. B = 3v + g^b and sends back a KRB-SRP-CHALLENGE md-data in a KRB-ERROR. If the server is stateless, it can store the information (encrypted) it needs in krb-srp-cookie. - If the client chooses to use the SRP preauthentication mechanism it sends back KRB-SRP-CLIENT-RESPONSE. If krb-srp-cookie is present in KRB-SRP-CHALLENGE its copied to KRB-SRP-CLIENT-RESPONSE. The client generates the random number a and calculates A = g^a S = (B - 3g^x)^(a+ux) M1 = H(DER(A) | DER(B) | DER(S)) u is H(DER(A) | DER(B)), where DER(n) is the n encoded with the integer tag. The client then it calculates the shared key K K = s-to-key-bytes(S) KRB-SRP-CLIENT-RESPONSE-ENC-DATA is filled in by the client, encrypted with the shared key K XXX should a keyed checksum just be used instead ? Hornquist Astrand [Page 2] Internet Draft December, 2003 XXX does this replace the need for M1 - When the server receives the KRB-SRP-CLIENT-RESPONSE response it calculates S = (Av^u)^b and the shared key K, K = s-to-key-bytes(S) verifies the content in krb-srp-enc, and M1. If everything checks out ok, the server sends back the AS-REP. The key that the AS-REP is encrypted with is the SRP session key, K. XXX Should the server send back M2 ? s-to-key defined as: b = DER(S) if length of b is even, drop first char b1 = H(b[0] | b[2] | b[4] | ...) b2 = H(b[1] | b[3] | b[5] | ...) K = random-to-key(b1 | b2). random-to-key is the random to key function in [KCRYPTO]. ASN.1 specification XXX Krb-Nonce KERBEROS-PREAUTH-SRP DEFINITIONS ::= BEGIN IMPORTS Checksum, Krb-Nonce FROM krb5; KRB-SRP-CHALLENGE ::= SEQUENCE { krb-srp-salt[0] OCTET STRING, krb-srp-N[1] INTEGER, krb-srp-g[2] INTEGER, krb-srp-B[3] INTEGER, krb-srp-hash[4] OBJECT IDENTIFIER, krb-srp-flags[5] INTEGER (SIZE 4), krb-srp-cookie[6] OCTET STRING OPTIONAL -- must include nonce ? } -- flags: "use combined s2k + srp key" ? Hornquist Astrand [Page 3] Internet Draft December, 2003 KRB-SRP-CLIENT-RESPONSE ::= SEQUENCE { krb-srp-A[0] INTEGER, krb-srp-M1[1] OCTET STRING, krb-srp-hash[2] OBJECT IDENTIFIER, krb-srp-enc[3] EncryptedData, -- bind nonce to pa krb-srp-cookie[4] OCTET STRING OPTIONAL } KRB-SRP-CLIENT-RESPONSE-ENC-DATA :: SEQUENCE { krb-srp-checksum[0] Checksum, krb-srp-flags[1] INTEGER (SIZE 4), krb-srp-nonce[2] Krb-Nonce } KRB-SRP-SERVER-RESPONSE ::= SEQUENCE { krb-srp-M2[0] OCTET STRING } END Issues send group/generator by name ? how to bind request to pa data ? what key should be used, the key from SRP, or the compiled key from s2k + SRP, right now its a flag. Requirements on the KDC The KDC needs to know more information for each principal. At least the KDC needs to store: N, the safe prime g, the generator v, the password verifier salt, that salt that the principal used to form the verifier, v H, hash function used to form the verifier, v Also, since the KDC no longer have a list of keys, and thus an implicit list what encryption types the principal is allowed use, it needs to have a list for all the encryption types a user is allowed to use with SRP preauthentication mechanism. Security considerations SRP Hornquist Astrand [Page 4] Internet Draft December, 2003 see Security considerations in Nisses SSH SRP draft. Kerberos Preauthentication SRP preauthentication mechanism doesn't require the client to compute something before the server sends "expensive" cryptographic operations. Preauthentication have the problem that the response is not authenticated, so a active attacker can modify that response from the KDC to remove SRP to have the client choose a weaker initial authentication method. References [RFC1510] Kohl, J. and Neuman, C., "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993. [SRP] T. Wu, "The Secure Remote Password Protocol", In Proceedings of the 1998 ISOC Network and Distributed System Security Symposium, San Diego, CA, pp. 97-111. [RFC2945] Wu, T, "The SRP Authentication and Key Exchange System", RFC2945, September 2000. [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for Kerberos 5", draft-ietf-krb-wg-crypto-05.txt, June, 2003. Work in progress. Author's Address Love Hornquist Astrand Enheten for it och media Stockholms universitet S-106 91 STOCKHOLM SWEDEN EMail: lha@it.su.se Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. ... Hornquist Astrand [Page 5]