1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
|
Kerberos Working Group Matt Crawford
Internet Draft Fermilab
21 October 2006
Passwordless Initial Authentication to Kerberos
by Hardware Preauthentication
<draft-ietf-krb-wg-hw-auth-04.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet- Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html.
To view the list Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.
Abstract
This document specifies an extension to the Kerberos protocol for
performing initial authentication of a user without using that
user's long-lived password. Any "hardware preauthentication" method
may be employed instead of the password, and the key of another
principal must be nominated to encrypt the returned credential.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
Expires April 26, 2007 Crawford [Page 1]
Internet Draft Passwordless Hardware Authentication 21 October 2006
document are to be interpreted as described in [KWORD].
1. Motivation
Many sites using Kerberos for authentication have users who are
often, or even always, away from the site. Sometimes these users
may need to connect to their site while they have no immediate
access to a trustworthy computer with Kerberos software or any other
trusted secure remote-access mechanism. Requiring hardware
preauthentication in addition to a password for all such users is an
incomplete solution because an eavesdropper with access to both the
remote users' path to the host in the site and that host's path to
the KDC can still steal the user's credential.
This document specifies a method by which a Kerberos application
server can request that a KDC authenticate a user using a hardware
preauthentication method and use a key held by the server in the
decryption of the KDC's reply, in place of the user's password.
2. Definitions
The following terms used here are defined in [KRB5] and [KRB5bis]:
KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED, KRB_AS_REQ,
KRB_ERROR, PrincipalName, e-data, enc-part, error-code, kdc-
options, padata-type, padata-value.
These terms are defined in [KRB5bis]:
PA-SAM-CHALLENGE, PA-SAM-CHALLENGE2, PA-SAM-RESPONSE, PA-SAM-
RESPONSE2.
The term "service" denotes some Kerberos service which normally
requires a client/server authentication exchange [KRB5] for access
and which is capable of both communicating with the KDC's
Authentication Service and interacting with the user to the extent
required to carry out a single-use authentication mechanism (SAM).
It must have access to some principal's long-lived key. Telnet and
FTP services are examples.
The Kerberos Authentication Service will be denoted by "AS" to avoid
confusion with the service.
Expires April 26, 2007 Crawford [Page 2]
Internet Draft Passwordless Hardware Authentication 21 October 2006
3. Method
This mechanism is intended to be employed when a user connects to a
service which normally allows only Kerberos-authenticated access.
When the service determines that the user will not authenticate (for
example, it receives a telnet "WONT AUTHENTICATION" command
[TELAUTH], or an FTP "USER" command without a preceding "AUTH"
command [FTPSEC]), it may accept a user principal name and attempt
to perform passwordless hardware authentication in the following
manner.
3.1. Initial AS Request and reply
The service, on behalf of the user, prepares a KRB_AS_REQ [KRB5]
message with the flag OPT-HARDWARE-AUTH set in the kdc-options
field, in addition to any other desired options and lifetimes. The
service sends this message to a KDC. If the KDC's policy permits
this form of authentication for the user named in the request, and
the request is acceptable in all other respects, the KDC determines
what hardware preauthentication methods are available for the user
principal and constructs a KRB_ERROR message with the error-code set
to KDC_ERR_PREAUTH_REQUIRED. The e-data field of this KRB_ERROR
message contains a sequence of PA-DATA which includes an element
with padata-type equal to PA-ALT-PRINC and an empty padata-value.
In addition to that are any elements needed for hardware
preauthentication of the user. Typically this will include an
element with padata-type PA-SAM-CHALLENGE or PA-SAM-CHALLENGE2 and
padata-value appropriate to the authentication method.
3.2. Second AS Request
The service, upon receiving the KRB_ERROR message from the KDC, must
process the PA-ALT-PRINC element by selecting a principal whose
long-lived key it has access to, and which is in the same realm as
the client. This principal will be referred to as the alternate
principal. It processes the PA-SAM-CHALLENGE normally, except that
whenever the user's long-lived (password-derived) encryption key is
called for, it uses the alternate principal's key instead.
The service constructs a second KRB_AS_REQ, again with the OPT-
HARDWARE-AUTH flag set in the kdc-options field, and this time with
a padata field which includes at least these two PA-DATA items, in
this order:
One with padata-type equal to PA-ALT-PRINC and as padata-value
the encoded PrincipalName of the alternate principal,
Expires April 26, 2007 Crawford [Page 3]
Internet Draft Passwordless Hardware Authentication 21 October 2006
One with padata-type appropriate for hardware token-based
preauthentication, such as PA-SAM-RESPONSE or PA-SAM-RESPONSE2,
and padata-value constructed as it would be for normal hardware
preauthentication, but with the alternate principal's key used
in place of the user's key.
Other PA-DATA may be present before, between or after these items.
The service sends this second KRB_AS_REQ to a KDC.
3.3. Final AS Reply
The KDC begins processing the AS request normally. When the PA-ALT-
PRINC field is encountered, the KDC does the following:
First, if this use of the alternate principal named in the
request is against local policy, or if the alternate principal
does not exist in the database, a KRB_ERROR message with error-
code KDC_ERR_PREAUTH_FAILED is returned and processing ends.
Then, the alternate principal's key is fetched from the database
and held for use in subsequent processing. It will be needed to
process the PA-SAM-RESPONSE, PA-SAM-RESPONSE2, or similar
preauthentication data, and to encrypt the enc-part of the
KRB_AS_REP if authentication is successful.
The remainder of the AS request processing is normal, with the noted
substitution of the alternate principal's key for the user's.
The service, upon receiving a KRB_AS_REP, uses the alternate
principal's key to decrypt the enc-part, saves the user's credential
and takes appropriate measures to ensure that the KRB_AS_REP came
from a legitimate KDC and not an imposter.
4. IANA Considerations
No new naming or numbering spaces are created by this specification.
Two values from existing spaces are defined in [KRB5bis] for the
mechanism of this document:
The flag OPT-HARDWARE-AUTH is bit 11 in the kdc-options field of
a KDC-REQ-BODY.
The preauthentication type PA-ALT-PRINC is denoted by padata-
type 24.
Expires April 26, 2007 Crawford [Page 4]
Internet Draft Passwordless Hardware Authentication 21 October 2006
5. Security Considerations
There are no means provided here for protecting the traffic between
the user and the service, so it may be susceptible to eavesdropping,
hijacking and alteration. This authentication mechanism is not
intended to be used as an alternative to the Kerberos client/server
authentication exchange, but as an improvement over making an
unprotected connection with a Kerberos password alone, or a password
plus a single-use authenticator.
The alternate principal's key MUST be involved in construction of
the PA-SAM-RESPONSE (or PA-SAM-RESPONSE2) padata-value, to prevent
an adversary constructing a KRB_AS_REQ using that data but a
different alternate principal. In practice, this means that the
response data alone must not determine the encryption key for the
padata-value.
A service impersonator can obtain a presumably-valid SAM response
from the user which may (or may not) be usable for impersonating the
user at a later time. And of course in the case of successful
authentication the service obtains access to the user's credentials.
As always, if the service host is compromised, so are the
credentials; but, with this mechanism, at least the service host
never has access to the user's password.
A service host which accepts a Kerberos password for access
typically protects itself against an impostor KDC by using the
received ticket-granting credential to get a ticket for a service
for which it has the key. This step may be unnecessary when the
service host has already successfully used such a key to decrypt the
ticket-granting credential itself.
Use of this authentication method employs the service's long-term
key, providing more ciphertext in that key to an eavesdropper. This
key is generally of better quality than a password-derived key and
any remaining concerns about the strength of the KRB_AS_REP are
better addressed by a general mechanism applicable to all AS
exchanges.
6. Acknowledgments
The first implementation of this extension grew from a beginning by
Ken Hornstein, which in turn was built on code released by the MIT
Kerberos Team.
Expires April 26, 2007 Crawford [Page 5]
Internet Draft Passwordless Hardware Authentication 21 October 2006
7. References
[FTPSEC] Horowitz, M. and S. Lunt, "FTP Security Extensions", RFC
2228.
[KRB5] Kohl, J., and C. Neuman, "The Kerberos Network
Authentication Service (V5)", RFC 1510.
[KRB5bis] Neuman, C., T. Yu, S. Hartman, and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120.
[KWORD] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels," RFC 2119, March 1997.
[TELAUTH] Ts'o, T. and J. Altman, "Telnet Authentication Option",
RFC 2941.
8. Author's Address
Matt Crawford
Fermilab MS 368
PO Box 500
Batavia, IL 60510
USA
Phone: +1 630 840-3461
EMail: crawdad@fnal.gov
Disclaimer of Validity
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Trust (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Expires April 26, 2007 Crawford [Page 6]
Internet Draft Passwordless Hardware Authentication 21 October 2006
Funding for the RFC Editor function is currently provided by the
Internet Society.
Expires April 26, 2007 Crawford [Page 7]
|