Network Working Group C. Newman Internet Draft: PASSDSS-3DES-1 SASL Mechanism Innosoft Document: draft-newman-sasl-passdss-01.txt March 1998 Expires in six months DSS Secured Password Authentication Mechanism Status of this memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Abstract Some system administrators are faced with a choice between deploying a new authentication infrastructure or sending unencrypted passwords in the clear over the Internet. Deploying a new authentication infrastructure often involves modifying operating system services or keeping parallel authentication databases up to date and is thus unacceptable to many administrators. Solutions which encrypt the entire session are often crippled with weak keys (due to government restrictions) which are unsuitable for passwords. In addition, such solutions often reduce performance of the entire session to an unacceptable level. This specification defines a SASL [SASL] mechanism which is compatible with existing password-based authentication databases and does not require a security layer for the remainder of the session. [NOTE: Public discussion of this mechanism may take place on the Newman [Page 1] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 ietf-sasl@imc.org mailing list with a subscription address of ietf-sasl-request@imc.org. Private comments may be sent to the author]. 1. How to Read This Document This document is intended primarily for a programmer. If successful, it should be possible for a competent programmer to write a client implementation using this specification, the SASL [SASL] specification, an understanding of how to generate random numbers [RANDOM], a description or implementation of the DES and SHA1 [SHA1] algorithms and a multi-precision integer math library. A cryptographic library or a copy of "Applied Cryptography" [SCHNEIER] or similar reference is helpful for any implementation and necessary for server DSS key generation. The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in this document are to be interpreted as defined in "Key words for use in RFCs to Indicate Requirement Levels" [KEYWORDS]. 1.1. Data Types Used in this Document A list of data types used in this document follows. Note that the majority of this section is copied from the secure shell specification [SSH-ARCH]. octet A basic 8-bit unit of data. uint32 A 32-bit unsigned integer. Stored as four octets in network byte order (also known as big endian or most significant byte [MSB] first). For example, the decimal value 699921578 (hexadecimal 29b7f4aa) is represented with the hexadecimal octet sequence 29 b7 f4 aa. string A string is a length-prefixed octet string. The length is represented as a uint32 with the data immediately following. A length of 0 indicates an empty string. The string MAY contain NUL or 8-bit octets. When used to represent textual strings, the characters are interpreted in UTF-8 [UTF-8]. Other character encoding schemes MUST NOT be used. mpint Represents multiple precision integers in two's complement format, stored as a string, most significant octet first. Negative numbers have one in the most significant bit of the first octet of the string data. If the most significant bit would be set for a positive number, the number MUST be preceded by a zero byte. Unnecessary leading zero or 255 Newman [Page 2] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 bytes MUST NOT be included. The value zero MUST be stored as a string with zero bytes of data. By convention, a number that is used in modular computations in the field of integers mod n SHOULD be represented in the range 0 <= x < n. Examples: value (hex) representation (hex) ----------------------------------------------------------- 0 00 00 00 00 9a378f9b2e332a7 00 00 00 08 09 a3 78 f9 b2 e3 32 a7 80 00 00 00 02 00 80 -1234 00 00 00 02 ed cc -deadbeef 00 00 00 05 ff 21 52 41 11 1.2. Glossary This section includes some acronyms used in this document. DES The U.S. Government Data Encryption Standard is a symmetric encryption algorithm introduced in 1975 which uses a 56 bit key. The algorithm is documented in [SCHNEIER]. DSA The U.S. Government Digital Signature Algorithm standard. A public key signature algorithm available for unrestricted use without a license. DSS The U.S. Government Digital Signature Standard [DSS] which employs the DSA algorithm. HMAC A hash-based message authentication code [HMAC] summarized in Appendix A.4. Test cases are available in [HMAC-TEST]. SHA The Secure Hash Algorithm (version 1) which is part of the DSS standard. triple-DES Use of the DES algorithm three times in an encrypt-decrypt- encrypt mode with three independent keys as described in appendix A.3. 2. Overview This section includes a brief discussion of design goals, intended use and an overview for this SASL mechanism. An overview of some of the algorithms used is in Appendix A. Newman [Page 3] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 2.1. Design Goals The ideal authentication mechanism would be simple, fast, fully secure, freely distributable without restrictions and backwards compatible with deployed back-end authentication databases. Unfortunately, it is not possible to achieve all these goals so priorities and tradeoffs are necessary. This mechanism has compatibility with deployed back-end authentication databases and protection from passive and active attacks on the underlying connection as primary design goals. Simplicity and unrestricted binary distribution are secondary design goals. Backwards compatibility is achieved by using plain-text passphrases. Protection from passive and active attacks is achieved by using public and symmetric key technology to encrypt the passphrase and optionally protect the remainder of the session. Some simplicity is achieved by avoiding complicated public key certification issues and formats as well as making the SASL session security layer and certification by the client optional. Unrestricted binary distribution is hopefully achieved by using unencumbered algorithms and making the SASL privacy layer optional. 2.2. Intended Use This is intended as a plug-and-play mechanism for services layered on top of deployed passphrase-based back-end authentication databases. When no security layer is implemented it can be added to a SASL-based protocol without modifying or substituting network read and write APIs. When the optional session privacy protection is omitted, the author speculates that it may be possible to make a binary implementation which would be exportable from the United States. For cases where simplicity, speed or unrestricted source code distribution is more desirable than backwards compatibility or security, a mechanism such as CRAM-MD5 [CRAM-MD5] or SCRAM [SCRAM] is preferred. The optional SASL integrity and privacy protection is provided as a simple alternative to full service security layers such as TLS [TLS] or Secure Shell [SSH-ARCH]. However, there are many advantages to full service security layers such as compression, faster symmetric cipher options, and the ability to leverage other public key infrastructures. An implementation which supports TLS may have no incentive to support SASL security layers at all. The complexity verses functionality tradeoff is significant enough that these mechanisms do not compete. Newman [Page 4] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 2.3. Mechanism Overview The PASSDSS-3DES-1 mechanism uses three components to perform a secure authentication against a legacy passphrase database. In order to protect against active attacks, a DSS public key in a format compatible with Secure Shell [SSH-TRANS] is used to authenticate the server to the client. The client is presumed to have the server's public key or a SHA-1 hash thereof stored locally in a secure database. If the client is willing to risk exposure to active attacks, it may skip the public key certification step altogether or do a one-time initialization of its local database, perhaps with user interaction. In addition to the DSS public key, a Diffie-Hellman key exchange is used to generate a key for encrypting the passphrase. The "PASSDSS-3DES-1" variant of this mechanism uses the same fixed Diffie-Hellman group used by Secure Shell's diffie-hellman-group1- sha1 key exchange [SSH-TRANS]. If more groups are necessary, they will be assigned to mechanism variants "PASSDSS-3DES-2" and so forth. Finally, the triple-DES algorithm is used to encrypt the client's passphrase and send it to the server. 2.4. Message Format Overview This section provides a quick overview of the format of the messages. The formal definition of the syntax for these messages is in section 6. A detailed discussion of their implementation on clients and servers is in sections 3 and 4 respectively. First message from client to server: string azname ; the user name to login as, may be empty if same as authentication name string authname ; the authentication name mpint X ; Diffie-Hellman parameter X The challenge from server to client is as follows: uint32 pklength ; length of SSH-style DSA server public key string "ssh-dss" ; constant string "ssh-dss" (lower case) mpint p ; DSA public key parameters mpint q mpint g mpint y mpint Y ; Diffie-Hellman parameter Y OCTET ssecmask ; SASL security layers offered 3 OCTET sbuflen ; maximum server security layer block size Newman [Page 5] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 uint32 siglength ; length of SSH-style dss signature string "ssh-dss" ; constant string "ssh-dss" (lower case) mpint r ; DSA signature parameters mpint s The client then sends the following message encrypted with triple-DES: OCTET csecmask ; SASL security layer selection 3 OCTET cbuflen ; maximum client block size string passphrase ; the user's passphrase 20 OCTET cli-hmac ; a client HMAC-SHA-1 signature 3. Client Implementation of PASSDSS-3DES-1 This section includes a step-by-step guide for client implementors. Although section 6 contains the formal definition of the syntax and is the authoritative reference in case of errors here, this section should be sufficient to build a correct implementation. The SASL mechanism name is "PASSDSS-3DES-1". The value of n used for the Diffie-Hellman exchange is as follows (represented as an unsigned hexadecimal integer): FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF. When represented as an "mpint", this would have a prefix of "0000008100." The value of g is 2. This group was taken from the ISAKMP/Oakley specification, and was originally generated by Richard Schroeppel at the University of Arizona. Properties of this prime are described in [Orm96]. The client begins by doing the following: (A) Generate the Diffie-Hellman private value "x". This should be less than (n - 1)/2. The number of bits of entropy to use in "x" is an important decision, as shorter lengths will be less secure and longer lengths will noticeably reduce performance. At the time this was written, 192 bits of entropy [RANDOM] is probably sufficient. For more information on this topic, see [SHORT-EXP]. Newman [Page 6] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 (B) Compute the Diffie-Hellman public value "X" as follows. If X has a value of 0, repeat step (A). x X = 2 mod n The client then sends the following three pieces of information to the server: (1) An authorization identity represented as a string. When the empty string is used, this defaults to the authentication identity. This is used by system administrators or proxy servers to login with a different user identity. (2) An authentication identity represented as a string. This is the identity whose passphrase will be used. (3) The "X" result from step (B) represented as an mpint. The server responds by sending a message containing the following information: (4) An "ssh-dss" public key compatible with Secure Shell, including the 32-bit length prefix in network byte order, the Secure Shell string "ssh-dss" and mpints for "p", "q", "g" and "y" (see Appendix A.1). (5) The mpint "Y" as defined for the Diffie-Hellman key exchange (see Appendix A.2). (6) A single octet bit mask representing the security layers available in the same format used by the KERBEROS_V4 mechanism [SASL]. Bit 0 (value 1) indicates it is permissible to have no security layer. Bit 1 (value 2) indicates integrity protection is permissible. Bit 2 (value 4) indicates privacy protection for the rest of the session is available. The remaining bits are reserved for future use. (7) A three octet unsigned integer in network byte order representing the maximum cipher-text buffer size the server is able to receive. If this is less than 32, it indicates that a SASL security layer is not supported. (8) A DSA signature, including a 32-bit length, the Secure Shell string "ssh-dss" and mpints for "r" and "s". The client then does the following: (C) Verify that "Y" is between 1 and n - 1 inclusive. If "Y" is Newman [Page 7] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 outside this range, the client MUST cancel the authentication. (D) Verify that the public key from step (4) belongs to the server. This can be done either with a database of SSH public keys or with a database of SHA1 hashes of such public keys. If the client does not have a matching entry for the server or does not have a public key database, it MAY skip this step although it SHOULD alert the user that the connection is susceptible to active attacks if it does so. It MAY also record the public key (or SHA1 hash thereof) in its database with permission from the user. (E) Compute the Diffie-Hellman key K as follows. It may be necessary to mask timing attacks [TIMING]. x K = Y mod n (F) Create a buffer containing data from steps (1) through (7) in order immediately followed by K represented as an mpint. (G) Compute the SHA1 hash of the buffer from (F). This produces a 20 octet result. (H) If the public key from step (4) was not certified, this step MAY be skipped. Otherwise, verify that the DSS signature is a signature of (G). This computation is done as defined in appendix A.1 where the output of step (G) represents the message "m" (note that this results in SHA1 being applied twice). (I) Compute the following 20-octet values. K represents the output of step (E) in mpint format. H represents the output of step (G). The || symbol represents string concatenation. "A" represents a single octet containing the US-ASCII value of capital letter A. cs-encryption-iv = SHA1( K || "A" || H ) sc-encryption-iv = SHA1( K || "B" || H ) cs-encryption-key-1 = SHA1( K || "C" || H ) cs-encryption-key-2 = SHA1( K || cs-encryption-key-1 ) cs-encryption-key = cs-encryption-key-1 || cs-encryption-key-2 sc-encryption-key-1 = SHA1( K || "D" || H ) sc-encryption-key-2 = SHA1( K || sc-encryption-key-1 ) sc-encryption-key = sc-encryption-key-1 || sc-encryption-key-2 cs-integrity-key = SHA1( K || "E" || H ) sc-integrity-key = SHA1( K || "F" || H ) (J) Create a buffer beginning with a bit mask for the selected security layer (it MUST be one offered in 6) followed by three octets representing the maximum cipher-text buffer size (at least 32) the client can accept in network byte order. This is followed by a string containing the passphrase. Note that integrity Newman [Page 8] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 protection is pointless unless the public key was certified in step (D) and the signature was verified in step (H). (K) Create a buffer containing items (1) through (7) immediately followed by the first four octets of (J). (L) Compute HMAC-SHA-1 with (K) as the data and the cs-integrity- key from step (I) as the key. This produces a 20 octet result. A summary of the HMAC-SHA-1 algorithm [HMAC] is in appendix A.4. (M) Create a buffer containing (J) followed by (L) followed by an arbitrary number of zero octets as necessary to reach the block size of DES and conceal the passphrase length from an eavesdropper. (N) Apply the triple-DES algorithm to (M) with the first 8 octets of cs-encryption-iv from step (I) as the initialization vector and the first 24 octets of cs-encryption-key as the key. If optional privacy protection is negotiated on, the triple-DES state is not reset. The client then sends a message to the server containing the following: (9) The output of step (N). If a SASL security layer is negotiated on, the following steps are used when sending a message: (O) Create a buffer containing a uint32 client packet number (starting from 0) immediately followed by the cs-integrity-key from step (I). (P) Compute HMAC-SHA-1 with (O) as the key and the data to transmit as the data. (Q) Create a buffer containing the data to transmit followed by the 20-octet output of (P). If privacy was negotiated on, this is followed by zero to seven padding octets followed by one more octet indicating the number of padding octets. The total size MUST be a multiple of the DES block size. (R) The result of step (Q) is encrypted with triple-DES if privacy was negotiated and is sent prefixed by a uint32 length, as required by SASL. If a SASL security layer was negotiated on, the following steps are taken when receiving a message: Newman [Page 9] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 (S) If privacy was negotiated on, the message is decrypted using triple-DES with the first 24 octets of sc-encryption-key as the key. The value of the last octet plus one indicates the number of octets to ignore at the end of the output. The sc-encryption-iv is used to initialize triple-DES state the first time this is done. (T) Create a buffer containing a uint32 server packet number (starting from 0) immediately followed by the sc-integrity-key. (U) Compute HMAC-SHA-1 with (T) as the key over the portion of the data excluding the 20 octet signature and any encryption padding. If this is the same as the 20 octet signature, then the data is not corrupted. 4. Server Implementation of PASSDSS-3DES-1 The section includes a step-by-step guide for server implementors. It is intended to be read in conjunction with section 3. The server MUST have a persistent DSS-SSH public key. Mechanisms for generating such keys are described in [SCHNEIER] and [DSS]. IMPORTANT NOTE: The server MUST be able to process any message from the client, including messages of any size, messages with invalid content and messages with NULs in the middle of strings. When input is illegal, the server MUST gracefully reject authentication or in extreme cases gracefully terminate the connection. Particular care to avoid buffer overruns is important if the user name or passphrase strings are copied. The server performs the following computations prior to or during the connection by the client: (a) Select a random number k less than (p - 1)/2. It is important to generate a good random number [RANDOM]. (b) Compute signature component "r" as follows: k r = (g mod p) mod q (c) Optionally pre-compute the group inverse of k, mod q and the value xr. (d) Select a random Diffie-Hellman private key y less than (n - 1)/2. Follow the same guidance as in (A) above. Newman [Page 10] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 (e) Compute the Diffie-Hellman public value Y as follows. If Y has a value of 0, repeat step (d) above. y Y = 2 mod n (f) Verify that the value X from the client is between 1 and (n - 1). If it isn't, fail the authentication. (g) Compute the Diffie-Hellman shared key K as follows. It may be necessary to mask timing attacks [TIMING]. y K = X mod n (h) Create a buffer containing items (1) through (7) above followed by K represented as an mpint. (i) Compute the SHA-1 hash of the buffer from (h). This produces a 20 octet result. (j) Generate a DSS signature of (i). The signature is made up of "r" from step (b) and the result following computation (partially completed in step c): -1 s = (k (SHA1(h) + xr)) mod q (k) Create a buffer containing items (4) through (8) and send it to the client. (l) Perform the computations as described in step (I) where K is the result of step (g) in mpint format and H is the result of step (i). (m) Decrypt message (9) from the client using triple-DES with cs- encryption-iv as the initialization vector and the first 24 octets of cs-encryption-key as the key. (n) Verify the passphrase from the output of step (m) against the authentication database. Fail the authentication if verification fails. (o) Verify that the selected security layer is permitted and the cipher text buffer size is at least 32. If not, fail the authentication. (p) Create a buffer containing steps (1) through (7) followed by the first four octets of the result from (m). (q) Compute the HMAC-SHA-1 of (p) with cs-integrity-key as the key. Newman [Page 11] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 This produces a 20-octet result. (r) Compare the output of (q) with the 20 octet signature after the passphrase in the output of (m). If they don't match, fail the authentication. If a SASL security layer is negotiated on, sending and receiving procedures are similar to steps (O)-(U), with client and server roles exchanged (and thus sc-* values and cs-* value exchanged). Note that triple-DES state from step (m) is not reset. 5. Example The following is an example of the PASSDSS-3DES-1 mechanism using the IMAP [IMAP4] profile of SASL. Note that base64 encoding and the lack of an initial client response with the first command are characteristics of the IMAP profile of SASL and not characteristics of SASL or this mechanism. In this example, "C:" represents lines sent from the client to the server and "S:" represents lines sent from the server to the client. The wrapped lines are for editorial clarity -- there are no actual newlines in the middle of the messages. C: a001 AUTHENTICATE PASSDSS-3DES-1 S: + C: AAAAAAAAAAVjaHJpcwAAAIEAhuVbMxdLxrAQVyUWbAp+X09h6QmZ2Jebz H7YhtcbQyLbB9AGi1eIdojZYtAuVeE+PYkKUANLHI9XzWSFliIGMeUvBc bflHr+s9tZ5/5YZh9blb33km3tUYVKyB5XP530bDn+lY1lAv6tXHKZPrx b0zPhc+JGgpWGlmT5k9vx2Wk= S: + AAAA8gAAAAdzc2gtZHNzAAAAQQDPVlO6nFefrq6fA/dQKIoNj75Jjpp kVv3DkyILABCox2dMql0bnO48rHFuo167y6oukT/ocKupIw6bgKmdofgd AAAAFQDRpB6FrxemUGRuLjY/oiH/Qef14QAAAEEAkVr9rOlB58k5XoqmP NYTrVGZKWbCPcYtaL92ANxgWyjyRo49+m0+fHPNhNibQoLddEZF8lHPKW gb7z7qz0QMdgAAAEARcIEiMz5jTZo8COf2njL3BTWRND5NGAgZY7s1YOm 2BfjVyf1/MkOiQMiXeonrsfMc0sWQGgpRYRtJWpe56cc2AAAAgQDoV5Uk bcy3Gjf16MZwPLlJlvmjpSNv2dSSApoddd4+BgZr01zyt7hzb0yRruaN5 fG43DbJLkk7mtL1Hw8aYXBMQQzrPpHtx+anpCDoN2jlersCGFY2cnjxTf HqY139ohA8vVXYpapeXxKXR4//Ib/ApTGmwlOeIikKDrBmEGX/JgEAAAA AAAA8AAAAB3NzaC1kc3MAAAAVAI7j3HG8HyjCOxaGFOUTwZqe0xSHAAAA FHSqU41vPHTCRTqmxNFwXqazPlJH C: Obp6vQ83q1O/OnQDifZB1rWOci9LaSck8VxNB4UAFhRI56BAs4XPLqOWI CoB3LYZ S: a001 OK Authentication Completed The following private values were used in this example. These values are all represented as an mpint in hexadecimal (msb first). Newman [Page 12] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 The client private Diffie-Hellman "x" value: 00000018 666E35B4 3BF4BF2B 40E31359 7A5D3AD0 61FD4F6F 736A6114 The server private Diffie-Hellman "y" value: 00000018 587BDFD6 800D101C 8E82E233 3B5A07AA DB87B8F1 68DC194D The Diffie-Hellman shared secret: 00000080 3B46D3A8 D2163930 1C33D9FE EAFA528D F4B881CF DF906A03 33249A88 42547FF6 49FDC149 1A5084B1 B425A105 CE571283 AC61D896 AF8F7AF7 F95643F3 00A91E57 BCB8CFD7 77A25CBD 35F59A9E 59E98BEA EA866339 7F0F9AA0 2F0F335C 8C6AAFF7 76BDB668 DF4D51AF 5B4FB807 81A70901 F478FB86 BF42055C BAF46094 EC72E98A The DSA private key value (the public key is in the exchange): 00000014 252BCBFA 5634D706 6ED43128 972E181E 66BF9C30 The SHA-1 hash value used to compute the keys: 26 75 97 06 EB FE E3 69 C9 03 7D 49 64 19 D5 D2 97 66 E8 CE 6. Formal Syntax of PASSDSS-3DES-1 Messages This is the formal syntactic definition of the client and server messages. This uses ABNF [ABNF] notation including the core rules. The first three rules define the formal exchange. The later rules define the elements of the exchange. client-msg-1 = [azname] authname diffie-hellman-X server-msg-1 = dss-public-key diffie-hellman-Y ssecmask sbuflen dss-signature client-msg-2 = client-blob authname = string ;; interpreted as UTF-8 [UTF-8] azname = string ;; interpreted as UTF-8 [UTF-8] cbuflen = 3OCTET ;; Big endian binary unsigned integer ;; max length of client read buffer Newman [Page 13] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 cli-hmac = 20OCTET client-blob = 8*OCTET ;; encrypted version of client-encrypted client-encrypted = csecmask cbuflen passphrase cli-hmac *NUL ;; MUST be multiple of DES block size csecmask = OCTET ;; client selected protection layer diffie-hellman-X = mpint diffie-hellman-Y = mpint dss-g = mpint dss-p = mpint dss-public-key = length NUL NUL NUL %x07 "ssh-dss" dss-p dss-q dss-g dss-y ;; length is total length of remainder ;; as defined in [SSH-TRANS] dss-q = mpint dss-r = mpint dss-signature = length NUL NUL NUL %x07 "ssh-dss" dss-r dss-s ;; length is total length of remainder dss-s = mpint dss-y = mpint length = 4OCTET ;; binary number, big endian format (MSB first) mpint = length *OCTET ;; length specifies number of octets ;; see section 1 for detailed mpint definition passphrase = string ;; At least 64 octets MUST be supported Newman [Page 14] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 sbuflen = 3OCTET ;; Big endian binary unsigned integer ;; max length of server read buffer ssecmask = OCTET ;; server protection layer mask string = length *OCTET ;; the length determines the number of octets ;; OCTETs are interpreted as UTF-8 NUL = %x00 ;; US-ASCII NUL character 7. Security Considerations Security considerations are discussed throughout this memo. This mechanism supplies the server with the plain-text passphrase, so the server gains the ability to masquerade as the user to any other services which share the same passphrase. If the public key certification step is skipped, then an active attacker can gain the client's passphrase and thus the ability to masquerade as the user to any other services which share the same passphrase. Negotiating a security layer will fail to provide protection from an active attacker in this case. If no security layer is negotiated, the rest of the protocol session is subject to active and passive attacks. If an integrity-only layer is negotiated, the rest of the protocol is subject to passive eavesdropping. The quality of this mechanism depends on the quality of the random number generator used. See [RANDOM] for more information. 8. Multinational Considerations As remote access is a crucial service, users are encouraged to restrict user names and passphrases to the US-ASCII character set. However, if characters outside the US-ASCII character set are used in user names and passphrases, then they are interpreted according to UTF-8 [UTF-8] and it is a protocol error to include any octet sequences not legal for UTF-8. Servers are encouraged to enforce this restriction to discourage clients from using non-interoperable local character sets in this context. Newman [Page 15] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 9. Intellectual Property Issues and Acknowledgments David Kravitz holds U.S. Patent #5,231,668 on the DSA algorithm. NIST has made this patent available world-wide on a royalty-free basis. Diffie-Hellman was first published in 1976 [DIFFIE-HELLMAN]. U.S. Patent #4,200,770 granted April 1980 has expired. Canada Patent #1,121,480 was granted April 6, 1982 and may still apply at this time. DES is covered under U.S. Patent #3,962,539 granted June 1978, which has expired. The majority of the constructions in this specification were copied from the Secure Shell specifications [SSH-ARCH, SSH-TRANS]. Additional information is paraphrased from "Applied Cryptography" [SCHNEIER]. 10. References [ABNF] Crocker, Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, Internet Mail Consortium, Demon Internet Ltd, November 1997. [CRAM-MD5] Klensin, Catoe, Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, MCI, September 1997. [DIFFIE-HELLMAN] Diffie, W., Hellman, M.E., "Privacy and Authentication: An introduction to Cryptography," Proceedings of the IEEE, v. 67, n. 3, March 1979, pp. 397-427. [DSS] National Institute of Standards and Technology, "Digital Signature Standard," NIST FIPS PUB 186, U.S. Department of Commerce, May 1994. [HMAC] Krawczyk, Bellare, Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, IBM, UCSD, February 1997. [HMAC-TEST] Cheng, Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, IBM, NIST, September 1997. [IMAP4] Crispin, M., "Internet Message Access Protocol - Version 4rev1", RFC 2060, University of Washington, December 1996. [KEYWORDS] Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997. Newman [Page 16] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 [Orm96] Orman, H., "The Oakley Key Determination Protocol", version 1, TR97-92, Department of Computer Science Technical Report, University of Arizona. [RANDOM] Eastlake, Crocker, Schiller, "Randomness Recommendations for Security", RFC 1750, DEC, Cybercash, MIT, December 1994. [SASL] Myers, "Simple Authentication and Security Layer (SASL)", RFC 2222, Netscape Communications, October 1997. [SCHNEIER] Schneier, B., "Applied Cryptography: Protocols, Algorithms and Source Code in C," John Wiley and Sons, Inc., 1996. [SCRAM] Newman, "Salted Challenge Response Authentication Mechanism (SCRAM)", work in progress, January 1998. [SHA1] NIST FIPS PUB 180-1, "Secure Hash Standard," National Institute of Standards and Technology, U.S. Department of Commerce, April 1995. [SHORT-EXP] van Oorschot, P., Wiener, M., "On Diffie-Hellman Key Agreement with Short Exponents", Advances in Cryptography -- EUROCRYPT Springer-Verlag, ISBN 3-540-61186-X, pp. 332-343. [SSH-ARCH] Ylonen, Kivinen, Saarinen, "SSH Protocol Architecture", Work in progress, SSH, October 1997. [SSH-TRANS] Ylonen, Kivinen, Saarinen, "SSH Transport Layer Protocol", Work in progress, SSH, October 1997. [TIMING] Kocher, P., "Timing Attacks on Implementations of Diffie- Hellman, RSA, DSS and Other Systems", Advances in Cryptography -- CRYPTO '96 Proceedings, Lecture Notes in Computer Science, Vol 1109, Springer-Verlag, ISBN 3-540-61512-1, pp. 104-113. [TLS] Dierks, Allen, "The TLS Protocol Version 1.0", Work in progress. [UTF8] Yergeau, "UTF-8, a transformation format of ISO 10646", RFC 2279, Alis Technologies, January 1998. Newman [Page 17] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 11. Author's Address Chris Newman Innosoft International, Inc. 1050 Lakes Drive West Covina, CA 91790 USA Email: chris.newman@innosoft.com Appendix A. Algorithm Overview This section provides a quick overview of the algorithms used. For a full understanding, the reader is encouraged to read "Applied Cryptography" [SCHNEIER]. The follow descriptions are paraphrased from that source. Note that an overview of the DES algorithm is not included as publicly available implementations and descriptions are very common. Appendix A.1. DSA Algorithm The DSA algorithm is a public key algorithm which can be used to sign messages such that the source can be verified using a public key. The algorithm has the following parameters: p is a prime number L bits long. Implementations MUST support L between 512 and 1024 bits. q is a 160-bit prime factor of (p - 1). (p - 1)/q g = h mod p where h is any number less than p - 1 such (p - 1)/q that h is greater than 1. x is a number less than q and represents the private key. x y = g mod p and represents the public key. To sign a message m, the client generates a random number k less than q and computes: k r = (g mod p) mod q Newman [Page 18] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 -1 s = (k (SHA1(m) + xr)) mod q The signature is represented as r and s, and is verified as follows: -1 w = s mod q u1 = (SHA1(m) * w) mod q u2 = (rw) mod q u1 u2 v = ((g * y ) mod p) mod q If v = r then the signature is verified. Appendix A.2. Diffie-Hellman Algorithm The Diffie-Hellman algorithm is a key-exchange algorithm. It allows two ends of a communications channel to establish a shared secret which a passive eavesdropper can not easily determine. This key can then be used in a symmetric algorithm such as triple-DES. The two ends have a prior agreement on two numbers: n a large prime number g a primitive mod n. The client chooses a random large integer x and computes: x X = g mod n and sends X to the server. The server chooses a random large integer y and computes: y Y = g mod n y K = X mod n The server sends Y to the client. The client computes: x K = Y mod n Newman [Page 19] Internet Draft PASSDSS-3DES-1 SASL Mechanism March 1998 At this point, the client and server share the same secret K. Appendix A.3. Triple-DES Algorithm in EDE/outer-CBC Mode The DES algorithm uses an 8 octet (64 bit) key of which 56 bits are significant. The triple-DES EDE algorithm uses a 24 octet (192 bit) key of which roughly 112 bits are significant see [SCHNEIER] for more details. The "EDE" refers to encrypt-decrypt-encrypt, and the "CBC" refers to cipher-block-chaining where each cipher block affects future cipher blocks. If E() is the DES encryption function, D() is the DES decryption function, C is a cipher text block and P is a plain-text block, then triple-DES EDE in CBC mode with outer chaining is: C = E (D (E (P XOR C ))) i K3 K2 K1 i i-1 NOTE: C is the initialization vector 0 and the decryption function is: P = C XOR D (E (D (C ))) i i-1 K3 K2 K1 i K1 is the first 8 octets of the triple-DES key, K2 is the second 8 octets and K3 is the final 8 octets. Appendix A.4. HMAC-SHA-1 Keyed hash function HMAC-SHA-1 uses the SHA-1 hash function to create a keyed hash function suitable for use as an integrity protection function. A more complete description is in [HMAC]. A brief summary of the algorithm follows: (A) If the key is longer than 64 octets, it is run through the SHA-1 function to produce a 20 octet key. (B) The key is exclusive-ored with a 64 octet buffer filled with the octet value 0x36. (C) SHA-1 is computed over (B) followed by the input text. (D) The key is exclusive-ored with a 64 octet buffer filled with the octet value 0x5C. (E) SHA-1 is computed over (D) followed by the output of (C). Newman [Page 20]