draft-ietf-kitten-krb-spake-preauth-05.txt vs. draft-ietf-kitten-krb-spake-preauth-06.txt
(text removed in -06 is marked [-like this-]; text added in -06 is marked {+like this+})

Internet Engineering Task Force                            N. McCallum
Internet-Draft                                                S. Sorce
Intended status: Standards Track                            R. Harwood
Expires: [-August 14, 2018-] {+February 22, 2019+}       Red Hat, Inc.
                                                             G. Hudson
                                                                   MIT
                                [-February 10, 2018-] {+August 21, 2018+}

                       SPAKE Pre-Authentication
           draft-ietf-kitten-krb-spake-preauth-[-05-] {+06+}
Abstract

   This document defines a new pre-authentication mechanism for the
   Kerberos protocol that uses a password authenticated key exchange.
   This document has three goals.  First, increase the security of
   Kerberos pre-authentication exchanges by making offline brute-force
   attacks infeasible.  Second, enable the use of second factor
   authentication without relying on FAST.  This is achieved using the
   existing trust relationship established by the shared first factor.

   [skipping to change at page 1, line 35]

   timestamp from the client.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at [-http://datatracker.ietf.org/drafts/current/.-]
   {+https://datatracker.ietf.org/drafts/current/.+}

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-August 14, 2018.-] {+February 22, 2019.+}

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   [-(http://trustee.ietf.org/license-info)-] {+(https://trustee.ietf.org/license-info)+}
   in effect on the date of publication of this document.  Please review
   these documents carefully, as they describe your rights and
   restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   [skipping to change at page 11, line 37]

   Group elements are converted to octet strings using the serialization
   method defined in the IANA "Kerberos SPAKE Groups" registry created
   by this document.

   The SPAKE algorithm requires constants M and N for each group.  These
   constants are defined in the IANA "Kerberos SPAKE Groups" registry
   created by this document.

   The SPAKE algorithm requires a shared secret input w to be used as a
   scalar multiplier (see [I-D.irtf-cfrg-spake2] section [-2).-] {+3).+}
   This value MUST be produced from the initial reply key as follows:

   1.  Determine the length of the multiplier octet string as defined in
       the IANA "Kerberos SPAKE Groups" registry created by this
       document.

   2.  Compose a pepper string by concatenating the string "SPAKEsecret"
       and the group number as a big-endian four-byte two's complement
       binary number.
   [skipping to change at page 12, line 46]

   challenge message, and second with the client's pubkey value.

   If the first optimization is used unsuccessfully (i.e. the client
   does not accept the KDC's selected group), the transcript hash is
   computed as in the normal message flow, without including the KDC's
   optimistic challenge.

7.  Key Derivation

   Implementations MUST NOT use the SPAKE result (denoted by K in
   Section [-2-] {+3+} of SPAKE [I-D.irtf-cfrg-spake2]) directly for any
   cryptographic operation.  Instead, the SPAKE result is used to derive
   keys K'[n] as defined in this section.  This method differs slightly
   from the method used to generate K' in Section 3 of SPAKE
   [I-D.irtf-cfrg-spake2].

   First, the hash function associated with the selected group is
   computed over the concatenation of the following values:

   o  The fixed string "SPAKEkey".
   [skipping to change at page 18, line 31]

   IANA has assigned the following number for PA-SPAKE in the "Pre-
   authentication and Typed Data" registry:

                +----------+-------+-----------------+
                | Type     | Value | Reference       |
                +----------+-------+-----------------+
                | PA-SPAKE | 151   | [this document] |
                +----------+-------+-----------------+

   This document establishes two registries with the following
   procedure, in accordance with [-[RFC5226]:-] {+[RFC8126]:+}

   Registry entries are to be evaluated using the Specification Required
   method.  All specifications must be published prior to entry
   inclusion in the registry.  There will be a three-week review period
   by Designated Experts on the krb5-spake-review@ietf.org mailing list.
   Prior to the end of the review period, the Designated Experts must
   approve or deny the request.  This decision is to be conveyed to both
   the IANA and the list, and should include reasonably detailed
   explanation in the case of a denial as well as whether the request
   can be resubmitted.
   [skipping to change at page 22, line 6]

              X.680, July 2002.

   [CCITT.X690.2002]
              International Telephone and Telegraph Consultative
              Committee, "ASN.1 encoding rules: Specification of basic
              encoding Rules (BER), Canonical encoding rules (CER) and
              Distinguished encoding rules (DER)", CCITT Recommendation
              X.690, July 2002.

   [I-D.irtf-cfrg-spake2]
              Ladd, W. {+and B. Kaduk+}, "SPAKE2, a PAKE",
              [-draft-irtf-cfrg-spake2-01 (work in progress), February 2015.-]
              {+draft-irtf-cfrg-spake2-06 (work in progress), August 2018.+}

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February
              2005, <https://www.rfc-editor.org/info/rfc3961>.

   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)", RFC 4120,
              DOI 10.17487/RFC4120, July 2005,
              <https://www.rfc-editor.org/info/rfc4120>.

   [-[RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <https://www.rfc-editor.org/info/rfc5226>.-]

   [RFC6113]  Hartman, S. and L. Zhu, "A Generalized Framework for
              Kerberos Pre-Authentication", RFC 6113,
              DOI 10.17487/RFC6113, April 2011,
              <https://www.rfc-editor.org/info/rfc6113>.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   {+[RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.+}

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", May 2009.

   [SEC2]     Standards for Efficient Cryptography Group, "SEC 2:
              Recommended Elliptic Curve Domain Parameters", January
              2010.

13.2.  Non-normative References
   [skipping to change at page 25, line 12]

       groups  [0] SEQUENCE (SIZE(1..MAX)) OF Int32,
       factors [1] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor
   }

   END

Appendix B.  SPAKE M and N Value Selection

   The M and N constants for the NIST groups are from
   [I-D.irtf-cfrg-spake2] section [-3.-] {+4.+}

   The M and N constants for the edwards25519 group were generated using
   the algorithm from [I-D.irtf-cfrg-spake2] section [-3-] {+4+} and the
   seed strings "edwards25519 point generation seed (M)" and
   "edwards25519 point generation seed (N)".

Appendix C.  Test Vectors

   For the following test vectors:

   o  The key is the string-to-key of "password" with the salt
      "ATHENA.MIT.EDUraeburn" for the designated initial reply key
      encryption type.
End of changes.  17 change blocks.
32 lines changed or deleted, 32 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/