RFC 1704 – On Internet Authentication

Network Working Group                                          N. Haller
Request for Comments: 1704                  Bell Communications Research
Category: Informational                                      R. Atkinson
                                               Naval Research Laboratory
                                                            October 1994


                       

On Internet Authentication

Status of this Memo

This document provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

1. INTRODUCTION

[CERT94]. Further, there is ample evidence that both passive and active attacks are not uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93, CB94, Stoll90]. The authors of this paper believe that many protocols used in the Internet should have stronger authentication mechanisms so that they are at least protected from passive attacks. Support for authentication mechanisms secure against active attack is clearly desirable in internetworking protocols.

There are a number of dimensions to the internetwork authentication problem and, in the interest of brevity and readability, this document only describes some of them. However, factors that a protocol designer should consider include whether authentication is between machines or between a human and a machine, whether the authentication is local only or distributed across a network, strength of the authentication mechanism, and how keys are managed.

Haller & Atkinson [Page 1]

RFC 1704 On Internet Authentication October 1994

2. DEFINITION OF TERMS

[Kent93].

Passive Attack: An attack on an authentication system that inserts no data into the stream, but instead relies on being able to passively monitor information being sent between other

3. AUTHENTICATION TECHNOLOGIES

[CERT94]. Disclosing authentication mechanisms are vulnerable to replay attacks. Access keys may be stored on the target system, in which case a

[Haller94]. It does not use a physical token, so it is also suitable for machine-machine authentication. In addition there are challenge-response systems in which a device or computer program is used to generate a verifiable response from a non-repeating challenge. S/Key authentication does not require the storage of the user's secret key, which is an advantage when dealing with current untrustworthy computing systems. In its current form, the S/Key system is vulnerable to a dictionary attack on the secret password (pass phrase) which might have been poorly chosen. The Point-to-Point Protocol's CHAP challenge-response system is non-disclosing but only useful locally [LS92, Simpson93]. These systems vary in the sensitivity of the information stored in the authenticating host, and thus vary in the security requirements that must be placed on that host.

3.4 Authentication Mechanisms Not Vulnerable to Active Attacks

The growing use of networked computing environments has led to the need for stronger authentication. In open networks, many users can gain access to any information flowing over the network, and with additional effort, a user can send information that appears to come from another user.

More powerful authentication systems make use of the computation capability of the two authenticating parties. Authentication may be unidirectional, for example authenticating users to a host computer system, or it may be mutual in which case the entity logging in is assured of the identity of the host. Some authentication systems use cryptographic techniques and establish (as a part of the authentication process) a shared secret (e.g., session key) that can be used for further exchanges. For example, a user, after completion of the authentication process, might be granted an authorization ticket that can be used to obtain other services without further authentication. These authentication
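The S/Key properties noted above (nothing secret stored on the host, nothing reusable sent on the wire) come from the one-way hash chain it is built on. The sketch below is an added example, not code from the memo or from the S/Key distribution: SHA-256 stands in for the hash S/Key used (MD4 with folded output), and the names `otp`, `Host` and `demo` and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # SHA-256 stands in for the one-way function (assumption; S/Key itself used MD4).
    return hashlib.sha256(data).digest()


def otp(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """n-th one-time password: the hash applied n times to seed + passphrase."""
    value = seed + passphrase
    for _ in range(n):
        value = h(value)
    return value


class Host:
    """Authenticating host. It stores the last accepted password, never the pass phrase."""

    def __init__(self, seed: bytes, count: int, initial: bytes):
        self.seed, self.count, self.stored = seed, count, initial

    def challenge(self):
        # Sent in the clear: the seed and the sequence number the user must answer with.
        return self.seed, self.count - 1

    def login(self, candidate: bytes) -> bool:
        if self.count <= 1:
            # Sequence number 0 would be the raw secret: refuse until re-initialised.
            return False
        if not hmac.compare_digest(h(candidate), self.stored):
            return False
        # Accept, then remember this password so that it can never be used again.
        self.stored, self.count = candidate, self.count - 1
        return True


def demo():
    passphrase = b"constructed pass phrase"        # constructed sample value
    seed = b"ke1234"                               # constructed sample value
    host = Host(seed, 5, otp(passphrase, seed, 5)) # registration: host receives h^5 only

    s, n = host.challenge()
    first = otp(passphrase, s, n)                  # computed on the user's side
    accepted = host.login(first)
    replayed = host.login(first)                   # a recorded password sent a second time

    logins = 1
    while host.count > 1:
        s, n = host.challenge()
        logins += host.login(otp(passphrase, s, n))
    exhausted = host.login(b"any value")           # chain used up: host refuses
    return accepted, replayed, logins, exhausted
```

Nothing here strengthens a poorly chosen pass phrase: the seed and sequence number are public, so the chain is only as strong as the secret it starts from.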

4. CRYPTOGRAPHY

Section 6 of this document.

4.1 Symmetric Cryptography

Symmetric Cryptography includes all systems that use the same key for encryption and decryption. Thus if anyone improperly obtains the key, they can both decrypt and read data encrypted using that key and also encrypt false data and make it appear to be valid. This means that knowledge of the key by an undesired third party fully compromises the confidentiality of the system. Therefore, the keys used need to be distributed securely, either by courier or perhaps by use of a key distribution protocol, of which the best known is perhaps that proposed by Needham and Schroeder [NS78, NS87]. The widely used Data Encryption Standard (DES) algorithm, that has been standardized for use to protect unclassified civilian US Government information, is perhaps the best known symmetric encryption algorithm [NBS77].

A well known system that addresses insecure open networks as a part of a computing environment is the Kerberos (TM) Authentication Service that was developed as part of Project Athena at MIT [SNS88, BM91, KN93]. Kerberos is based on Data Encryption Standard (DES) symmetric key encryption and uses a trusted (third party) host that knows the secret keys of all users and services, and thus can generate credentials that can be used by users and servers to prove their identities to other systems. As with any distributed authentication scheme, these credentials will be believed by any computer within the local administrative domain or realm. Hence, if a user's password is disclosed, an attacker would be able to masquerade as that user on any system which trusts Kerberos. As the Kerberos server knows all secret keys, it must be physically secure. Kerberos session keys can be used to provide confidentiality between any entities that trust the key server.

[RSA78].

SPX is an experimental system that overcomes the limitations of the trusted key distribution center of Kerberos by using RSA Public Key Cryptography [TA91]. SPX assumes a global hierarchy of certifying authorities at least one of which is trusted by each party. It uses digital signatures that consist of a token encrypted in the private key of the signing entity and that are validated using the appropriate public key. The public keys are believed to be correct as they are obtained under the signature of the trusted certification authority. Critical parts of the authentication exchange are encrypted in the public keys of the receivers, thus preventing a replay attack.

4.3 Cryptographic Checksums

Cryptographic checksums are one of the most useful near term tools for protocol designers. A cryptographic checksum or message integrity checksum (MIC) provides data integrity and authentication but not non-repudiation. For example, Secure SNMP and SNMPv2 both calculate an MD5 cryptographic checksum over a shared secret item of data and the information to be authenticated [Rivest92, GM93]. This serves to authenticate the data origin and is believed to be very difficult to forge. It does not authenticate that the data being sent is itself valid, only that it was actually sent by the party that claims to have sent it. Cryptographic checksums can be used to provide relatively strong authentication and are particularly useful in host-to-host communications. The main implementation difficulty with cryptographic checksums is key distribution.

4.4 Digital Signatures

A digital signature is a cryptographic mechanism which is the electronic equivalent of a written signature. It serves to authenticate a piece of data as to the sender. A digital signature using asymmetric cryptography (Public Key) can also be useful in proving that data originated with a party even if the party denies having sent it; this property is called non-repudiation. A digital signature provides authentication without

5. USER TO HOST AUTHENTICATION

[Anderson84, Kantor91]. This system does not provide adequate protection from replay attacks where an eavesdropper gains remote user ids and remote passwords.

5.1 Protection Against Passive Attack Is Necessary

Failure to use at least a non-disclosing password system means that unlimited access is unintentionally granted to anyone with physical access to the network. For example, anyone with physical access to the Ethernet cable can impersonate any user on that portion of the network. Thus, when one has plain-text disclosing passwords on an Ethernet, the primary security system is the guard at the door (if any exist). The same problem exists in other LAN technologies such as Token-Ring or FDDI. In some small internal Local Area Networks (LANs) it may be acceptable to take this risk, but it is an unacceptable risk in an Internet [CERT94].

The minimal defense against passive attacks, such as eavesdropping, is to use a non-disclosing password system. Such a system can be run from a dumb terminal or a simple communications program (e.g., Crosstalk or PROCOMM) that emulates a dumb terminal on a PC class computer. Using a stronger authentication system would certainly defend against passive attacks against remotely accessed systems, but at the cost of not being able to use simple terminals. It is reasonable to expect that the vendors of communications programs and non user-programmable terminals (such as X-Terminals) would build in non-disclosing password or stronger authentication systems if they were standardized or if a large market were offered.

One of the advantages of Kerberos is that, if used properly, the user's password never leaves the user's workstation. Instead it is used to decrypt the user's Kerberos tickets, which are themselves encrypted information which are sent

[Mills92, PR85, Bishop]. Furthermore, the perimeter gateway system must be able to pass without bottleneck the entire traffic load for its security domain.

6. KEY DISTRIBUTION & MANAGEMENT

[DH76]. One advantage of using asymmetric techniques is that the central key server can be eliminated. The difference in key management techniques is perhaps the primary difference between Kerberos and SPX.

Privacy Enhanced Mail has trusted key authorities use digital signatures to sign and authenticate the public keys of users [Kent93]. The result of this operation is a key certificate which contains the public key of some party and authentication that the public key in fact belongs to that party. Key certificates can be distributed in many ways. One way to distribute key certificates might be to add them to existing directory services, for example by extending the existing Domain Name System to hold each host's key certificate in a new record type.

For multicast sessions, key management is harder because the number of exchanges required by the widely used techniques is proportional to the number of participating parties. Thus there is a serious scaling problem with current published multicast key management techniques.

Finally, key management mechanisms described in the public literature have a long history of subtle flaws. There is ample evidence of this, even for well-known techniques such as the Needham & Schroeder protocol [NS78, NS87]. In some cases, subtle flaws have only become known after formal methods techniques were used in an attempt to verify the protocol. Hence, it is highly desirable that key management mechanisms be kept separate from authentication or encryption mechanisms as much as is possible. For example, it is probably better to have a key management protocol that is distinct from and does not depend upon another security protocol.

7. AUTHENTICATION OF NETWORK SERVICES

[Bellovin89].

Some protocols provide for disclosing passwords to be passed along with the protocol information. The original SNMP protocols used this method and a number of the routing protocols continue to use this method [Moy91, LR91, CFSD88]. This method is useful as a transitional aid to slightly increase security and might be appropriate when there is little risk in having a completely insecure protocol.

There are many protocols that need to support stronger authentication mechanisms. For example, there was widespread concern that SNMP needed stronger authentication than it originally had. This led to the publication of the Secure SNMP protocols which support optional authentication, using a digital signature mechanism, and optional confidentiality, using DES encryption. The digital signatures used in Secure SNMP are based on appending a cryptographic checksum to the SNMP information. The cryptographic checksum is computed using the MD5 algorithm and a secret shared between the communicating parties so is believed to be difficult to forge or invert.

Digital signature technology has evolved in recent years and should be considered for applications requiring authentication but not confidentiality. Digital signatures may use a single secret shared among two or more communicating parties or it might be based on asymmetric encryption technology. The former case would require the use of predetermined keys or the use of a secure key distribution protocol, such as that devised by Needham and Schroeder. In the latter case, the public keys would need to be distributed in an authenticated manner. If a general key distribution mechanism were available, support for optional digital signatures could be added to most protocols with little additional expense. Each protocol could address the key exchange and setup problem, but that might make adding support for digital signatures more complicated and effectively discourage protocol designers from adding digital
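The cryptographic checksum described in Section 4.3 and again above for Secure SNMP, as an added example that is not part of the memo or of any SNMP implementation: the sender appends a checksum computed over a shared secret and the data, and the receiver recomputes it. The layout (data followed by digest), the function names and the sample values are assumptions made for illustration, not the Secure SNMP wire format.

```python
import hashlib
import hmac


def keyed_md5(secret: bytes, data: bytes) -> bytes:
    """The memo's construction: MD5 over the shared secret and the data."""
    return hashlib.md5(secret + data).digest()


def hmac_sha256(secret: bytes, data: bytes) -> bytes:
    """Present-day keyed checksum filling the same role (added for comparison)."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def protect(secret: bytes, data: bytes, mic=keyed_md5) -> bytes:
    """Sender: append the checksum to the information being authenticated."""
    return data + mic(secret, data)


def verify(secret: bytes, packet: bytes, mic=keyed_md5):
    """Receiver: return the data if the checksum matches, otherwise None."""
    size = len(mic(secret, b""))          # digest length of the chosen checksum
    if len(packet) < size:
        return None
    data, tag = packet[:-size], packet[-size:]
    # Constant-time comparison so the check does not leak how many bytes matched.
    return data if hmac.compare_digest(tag, mic(secret, data)) else None


def demo():
    secret = b"constructed-shared-secret"     # constructed; known to both ends
    data = b"set ifAdminStatus.2 = down"      # constructed management request
    packet = protect(secret, data)

    genuine = verify(secret, packet)
    altered = verify(secret, packet.replace(b"down", b"up  "))  # changed in transit
    wrong_key = verify(b"guess", packet)      # checker without the shared secret
    # The receiver holds the same secret, so it can build a packet that verifies
    # exactly like the sender's: origin is proven to the peer, not to a third
    # party, which is why a checksum gives no non-repudiation.
    receiver_made = verify(secret, protect(secret, b"set ifAdminStatus.2 = up"))
    return genuine, altered, wrong_key, receiver_made
```

A matching checksum says only that the holder of the secret sent these bytes, not that the request itself is sensible. New designs use HMAC rather than hashing the secret and data together; the MD5 form is kept here only because it is the construction the memo describes.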

[Linn93, Kent93, Balenson93, Kaliski93]. The recent IETF work on Common Authentication Technology might make it easier to implement a secure distributed or networked application through use of standard security programming interfaces [Linn93a].

8. FUTURE DIRECTIONS

[BFC93].

The implications of this taxonomy are clear. Strong cryptographic authentication is needed in the near future for many protocols. Public key technology should be used when it is practical and cost-effective. In the short term, authentication mechanisms vulnerable to passive attack should be phased out in favour of stronger authentication mechanisms. Additional research is needed to develop improved key management technology and scalable multicast security mechanisms.

SECURITY CONSIDERATIONS

This entire memo discusses Security Considerations in that it discusses authentication technologies and needs.

ACKNOWLEDGEMENTS

This memo has benefited from review by and suggestions from the IETF's Common Authentication Technology (CAT) working group, chaired by John Linn, and from Marcus J. Ranum.

REFERENCES

[Anderson84] Anderson, B., "TACACS User Identification Telnet Option", RFC 927, BBN, December 1984.

[Balenson93] Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, TIS, IAB IRTF PSRG, IETF PEM WG, February 1993.

[BFC93] Ballardie, A., Francis, P., and J. Crowcroft, "Core Based Trees (CBT) An Architecture for Scalable Inter-Domain Multicast Routing", Proceedings of ACM SIGCOMM93, ACM, San Francisco, CA, September 1993, pp. 85-95.

[Bellovin89] Bellovin, S., "Security Problems in the TCP/IP Protocol Suite", ACM Computer Communications Review, Vol. 19, No. 2, March 1989.

[Bellovin92] Bellovin, S., "There Be Dragons", Proceedings of the 3rd Usenix UNIX Security Symposium, Baltimore, MD, September 1992.

[Bellovin93] Bellovin, S., "Packets Found on an Internet", ACM Computer Communications Review, Vol. 23, No. 3, July 1993, pp. 26-31.

[BM91] Bellovin S., and M. Merritt, "Limitations of the Kerberos Authentication System", ACM Computer Communications Review, October 1990.

[Bishop] Bishop, M., "A Security Analysis of Version 2 of the Network Time Protocol NTP: A report to the Privacy & Security Research Group", Technical Report PCS-TR91-154, Department of Mathematics & Computer Science, Dartmouth College, Hanover, New Hampshire.

[CB94] Cheswick W., and S. Bellovin, "Chapter 10: An Evening with Berferd", Firewalls & Internet Security, Addison-Wesley, Reading, Massachusetts, 1994. ISBN 0-201-63357-4.

[CERT94] Computer Emergency Response Team, "Ongoing Network Monitoring Attacks", CERT Advisory CA-94:01, available by anonymous ftp from cert.sei.cmu.edu, 3 February 1994.

[CFSD88] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple Network Management Protocol", RFC 1067, University of Tennessee at Knoxville, NYSERNet, Inc., Rensselaer Polytechnic Institute, Proteon, Inc., August 1988.

[DH76] Diffie W., and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Volume IT-11, November 1976, pp. 644-654.

[GM93] Galvin, J., and K. McCloghrie, "Security Protocols for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1446, Trusted Information Systems, Hughes LAN Systems, April 1993.

[NS87] Needham, R., and M. Schroeder, "Authentication Revisited", ACM Operating Systems Review, Vol. 21, No. 1, 1987.

[PR85] Postel J., and J. Reynolds, "File Transfer Protocol", STD 9, RFC 959, USC/Information Sciences Institute, October 1985.

[Moy91] Moy, J., "OSPF Routing Protocol, Version 2", RFC 1247, Proteon, Inc., July 1991.

[RSA78] Rivest, R., Shamir, A., and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Crypto-systems", Communications of the ACM, Vol. 21, No. 2, February 1978.

[Rivest92] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, MIT Laboratory for Computer Science and RSA Data Security, Inc., April 1992.

[Simpson93] Simpson, W., "The Point to Point Protocol", RFC 1548, Daydreamer, December 1993.

[SNS88] Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An Authentication Service for Open Network Systems", USENIX Conference Proceedings, Dallas, Texas, February 1988.

[Stoll90] Stoll, C., "The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage", Pocket Books, New York, NY, 1990.

[TA91] Tardo J., and K. Alagappan, "SPX: Global Authentication Using Public Key Certificates", Proceedings of the 1991 Symposium on Research in Security & Privacy, IEEE Computer Society, Los Alamitos, California, 1991, pp. 232-244.
