Diff: draft-ietf-kitten-krb-spake-preauth-07.txt vs. draft-ietf-kitten-krb-spake-preauth-08.txt

Internet Engineering Task Force                               N. McCallum
Internet-Draft                                                   S. Sorce
Intended status: Standards Track                               R. Harwood
Expires: November 1, 2020 (-07) / November 22, 2020 (-08)   Red Hat, Inc.
                                                                G. Hudson
                                                                      MIT
Dated: April 30, 2020 (-07) / May 21, 2020 (-08)

SPAKE Pre-Authentication
draft-ietf-kitten-krb-spake-preauth-07 / draft-ietf-kitten-krb-spake-preauth-08
Abstract

This document defines a new pre-authentication mechanism for the Kerberos protocol that uses a password authenticated key exchange. This document has three goals. First, increase the security of Kerberos pre-authentication exchanges by making offline brute-force attacks infeasible. Second, enable the use of second factor authentication without relying on FAST. This is achieved using the existing trust relationship established by the shared first factor.
skipping to change at page 1, line 42

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on November 1, 2020 (-07) / November 22, 2020 (-08).
Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents
skipping to change at page 3, line 21

   13.2. Informative References . . . . . . . . . . . . . . . . . 24
   Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 25
   Appendix B. SPAKE M and N Value Selection . . . . . . . . . . . 26
   Appendix C. Test Vectors . . . . . . . . . . . . . . . . . . . . 27
   Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 36
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction

When a client uses PA-ENC-TIMESTAMP (or similar schemes, or the KDC does not require pre-authentication), a passive attacker that observes either the AS-REQ or AS-REP can perform an offline brute-force attack against the transferred ciphertext. When the client principal's long-term key is based on a password, offline dictionary attacks can successfully recover the key, with only modest effort needed if the password is weak.

Changed in -08: "preauthentication" -> "pre-authentication".
1.1. Properties of PAKE

Password authenticated key exchange (PAKE) algorithms provide several properties which defend against offline dictionary attacks and make them ideal for use as a Kerberos pre-authentication mechanism.

1. Each side of the exchange contributes entropy.
2. Passive attackers cannot determine the shared key.
3. Active attackers cannot perform a man-in-the-middle attack.

These properties of PAKE allow us to establish high-entropy encryption keys resistant to offline brute force attack, even when the passwords used are weak (low-entropy).
1.2. PAKE Algorithm Selection

The SPAKE algorithm (defined in Section 2) works by encrypting the public keys of a Diffie-Hellman key exchange with a shared secret. SPAKE was selected for this pre-authentication mechanism for the following properties:

Changed in -08: the cross-reference "(defined in Section 2)" was added.

1. Because SPAKE's encryption method ensures that the result is a member of the underlying group, it can be used with elliptic curve cryptography, which is believed to provide equivalent security levels to finite-field DH key exchange at much smaller key sizes.

2. It can compute the shared key after just one message from each party, minimizing the need for additional round trips and state.
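As an added illustration (not code from the draft or from any Kerberos implementation), a toy finite-field SPAKE exchange in Python: the client masks g^x with M^w, the KDC masks g^y with N^w, both recover g^(xy) after one message each, and the shared element is hashed rather than used directly. The safe-prime group, the M and N constants and the password-to-w hash are constructed for the example; the draft uses registered elliptic-curve groups, fixed M/N values and a PRF+ of the long-term key.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (sufficient for a toy group)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=48):
    """Constructed toy group: safe prime p = 2q+1, generator g, SPAKE constants M, N.
    Assumption for this example only; real deployments use registered groups."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    # Squaring a random element lands it in the prime-order-q subgroup.
    g, M, N = (pow(secrets.randbelow(p - 2) + 2, 2, p) for _ in range(3))
    return p, q, g, M, N

def spake_keys(password_a, password_b, group):
    """One SPAKE exchange; returns (client_key, kdc_key) after derivation."""
    p, q, g, M, N = group
    w_a = int.from_bytes(hashlib.sha256(password_a.encode()).digest(), "big") % q
    w_b = int.from_bytes(hashlib.sha256(password_b.encode()).digest(), "big") % q
    x, y = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    X = pow(g, x, p) * pow(M, w_a, p) % p          # client sends g^x masked by M^w
    Y = pow(g, y, p) * pow(N, w_b, p) % p          # KDC sends g^y masked by N^w
    K_a = pow(Y * pow(N, q - w_a, p) % p, x, p)    # client: (Y / N^w)^x = g^(xy)
    K_b = pow(X * pow(M, q - w_b, p) % p, y, p)    # KDC:    (X / M^w)^y = g^(xy)
    size = (p.bit_length() + 7) // 8
    def derive(K):  # K is never used directly; hash it with the transcript
        data = b"SPAKEkey" + b"".join(v.to_bytes(size, "big") for v in (X, Y, K))
        return hashlib.sha256(data).digest()
    return derive(K_a), derive(K_b)
```

With matching passwords the two derived keys are equal; with a mismatched password the masks differ and the keys diverge, which is what lets the KDC detect a wrong first factor without exposing an offline-attackable ciphertext.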
skipping to change at page 4, line 43 (-07) / line 46 (-08)

without manual configuration of client hosts. SPAKE pre-authentication, in contrast, can create a secure encryption channel implicitly, using the key exchange to negotiate a high-entropy encryption key. This key can then be used to securely encrypt 2FA plaintext data without the need for a secondary trust relationship. Further, if the second factor verifiers are sent at the same time as the first factor verifier, and the KDC is careful to prevent timing attacks, then an online brute-force attack cannot be used to attack the factors separately.

For these reasons, this document departs from the advice given in Section 1 of RFC 6113 [RFC6113] which states that "Mechanism designers should design FAST factors, instead of new pre-authentication mechanisms outside of FAST." However, this pre-authentication mechanism does not intend to replace FAST, and may be used with it to further conceal the metadata of the Kerberos messages.

Changed in -08: "this draft departs" -> "this document departs".
1.4. SPAKE Overview

The SPAKE algorithm can be broadly described in a series of four
skipping to change at page 13, line 28

not accept the KDC's selected group), the transcript hash is computed as in the normal message flow, without including the KDC's optimistic challenge.

7. Key Derivation

Implementations MUST NOT use the shared group element (denoted by K) directly for any cryptographic operation. Instead, the SPAKE result is used to derive keys K'[n] as defined in this section.

First, compute the hash function associated with the selected group over the concatenation of the following values:

Changed in -08: "First, the hash function associated with the selected group is computed over" -> "First, compute the hash function associated with the selected group over".

o The fixed string "SPAKEkey".
o The group number as a big-endian four-byte two's complement binary number.
o The encryption type of the initial reply key as a big-endian four-byte two's complement binary number.
o The PRF+ output used to compute the initial secret input w as
skipping to change at page 20, line 34

Name: Brief, unique, human-readable name for this algorithm.

Reference: URI or otherwise unique identifier for where the details of this algorithm can be found. It should be as specific as reasonably possible.

12.1.2. Initial Registry Contents

o ID Number: 1
o Name: SF-NONE
o Reference: this document.

Changed in -08: "Reference: this draft." -> "Reference: this document."

12.2. Kerberos SPAKE Groups

This section specifies the IANA "Kerberos SPAKE Groups" registry. This registry records the number, name, specification, serialization, multiplier length, multiplier conversion, SPAKE M and N constants, and associated hash function.

12.2.1. Registration Template
End of changes. 9 change blocks. 17 lines changed or deleted, 18 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/