idnits 2.17.1 draft-ietf-sasl-crammd5-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 15. -- Found old boilerplate from RFC 3978, Section 5.5 on line 395. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 372. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 379. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 385. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 91: '...ts). The client MUST NOT interpret or...' RFC 2119 keyword, line 105: '... The client MUST prepare the user na...' RFC 2119 keyword, line 107: '... The resulting values MUST be encoded as UTF-8 [RFC2279] strings. The...' == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (August 21, 2005) is 6822 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-15) exists of draft-ietf-sasl-rfc2222bis-11 ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234) ** Obsolete normative reference: RFC 2279 (Obsoleted by RFC 3629) ** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564) ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613) == Outdated reference: A later version (-09) exists of draft-ietf-sasl-plain-08 -- Obsolete informational reference (is this intentional?): RFC 3501 (Obsoleted by RFC 9051) Summary: 9 errors (**), 0 flaws (~~), 5 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SASL Working Group L. Nerenberg, Ed. 3 Internet-Draft Orthanc Systems 4 Obsoletes: RFC2195 (if approved) August 21, 2005 5 Expires: February 22, 2006 7 The CRAM-MD5 SASL Mechanism 8 draft-ietf-sasl-crammd5-05 10 Status of this Memo 12 By submitting this Internet-Draft, each author represents that any 13 applicable patent or other IPR claims of which he or she is aware 14 have been or will be disclosed, and any of which he or she becomes 15 aware will be disclosed, in accordance with Section 6 of BCP 79. 17 Internet-Drafts are working documents of the Internet Engineering 18 Task Force (IETF), its areas, and its working groups. Note that 19 other groups may also distribute working documents as Internet- 20 Drafts. 22 Internet-Drafts are draft documents valid for a maximum of six months 23 and may be updated, replaced, or obsoleted by other documents at any 24 time. It is inappropriate to use Internet-Drafts as reference 25 material or to cite them other than as "work in progress." 27 The list of current Internet-Drafts can be accessed at 28 http://www.ietf.org/ietf/1id-abstracts.txt. 30 The list of Internet-Draft Shadow Directories can be accessed at 31 http://www.ietf.org/shadow.html. 33 This Internet-Draft will expire on February 22, 2006. 35 Copyright Notice 37 Copyright (C) The Internet Society (2005). 39 Abstract 41 This document defines a simple challenge-response authentication 42 mechanism, using a keyed MD5 digest, for use with the Simple 43 Authentication and Security Layer (SASL). 45 Table of Contents 47 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 48 2. The CRAM-MD5 SASL Mechanism . . . . . . . . . . . . . . . . . 3 49 3. Formal Grammar . . . . . . . . . . . . . . . . . . . . . . . . 4 50 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 51 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 52 5.1. Normative References . . . . . . . . . . . . . . . . . . . 5 53 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 54 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 6 55 A.1. IMAP4 . . . . . . . . . . . . . . . . . . . . . . . . . . 6 56 A.1.1. Example 1: Simple IMAP . . . . . . . . . . . . . . . . 6 57 A.1.2. Example 2: IMAP4 with embedded spaces . . . . . . . . 7 58 A.1.3. Example 3: IMAP4 with Unicode characters . . . . . . . 7 59 A.2. ACAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 60 A.2.1. Example 4: Simple ACAP . . . . . . . . . . . . . . . . 8 61 Appendix B. IANA Considerations . . . . . . . . . . . . . . . . . 8 62 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 8 63 Appendix D. Changes since RFC 2195 . . . . . . . . . . . . . . . 9 64 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 10 65 Intellectual Property and Copyright Statements . . . . . . . . . . 11 67 1. Introduction 69 This document defines a simple challenge-response authentication 70 method, using a keyed MD5 [RFC2104] digest, for use with the Simple 71 Security and Authentication Layer (SASL) [I-D.ietf-sasl-rfc2222bis]. 72 The mechanism name associated with CRAM-MD5 is 'CRAM-MD5'. 74 This mechanism is an improvement over plain text authentication 75 schemes, such as the SASL PLAIN [I-D.ietf-sasl-plain] mechanism, in 76 that it transmits the clients' authentication credentials in a secure 77 manner. 79 This mechanism does not provide a security layer. 81 2. The CRAM-MD5 SASL Mechanism 83 The mechanism starts with the server issuing a . The data 84 encoded in the challenge contains a presumptively arbitrary string of 85 random data. 87 The client makes note of the data and then responds with a 88 consisting of the , a space, and a . The digest is 89 computed by applying the keyed MD5 algorithm from [RFC2104] where the 90 key is a shared secret and the digested text is the challenge 91 (including angle-brackets). The client MUST NOT interpret or attempt 92 to validate the contents of the challenge in any way. 94 This shared secret is a string known only to the client and server. 95 The digest parameter itself is a 16-octet value which is sent in a 96 restricted hexadecimal format (see the production in 97 Section 3). 99 When the server receives this client response, it verifies the digest 100 provided. Since the user name may contain the space character, the 101 server must take care to ensure the right-most space is recognised as 102 the token separating the user name from the digest. If the digest is 103 correct, the server should consider the client authenticated. 105 The client MUST prepare the user name and shared secret strings using 106 the SASLprep [RFC4013] profile of the Stringprep [RFC3454] algorithm. 107 The resulting values MUST be encoded as UTF-8 [RFC2279] strings. The 108 server may store the prepared string instead of, or as well as, the 109 unprepared string, so that it does not have to prepare it every time 110 it is needed for computation. However, if the original, unprepared 111 string, is not stored, it may render the computed secret to be 112 incompatible with a future revisions of SASLprep that support 113 currently unassigned code points (compare section 7 of Stringprep). 115 It is therefor recommended to store the unprepared string in the 116 database. 118 3. Formal Grammar 120 The following grammar specification uses the Augmented Backus-Naur 121 Form (ABNF) as specified in [RFC2234], and incorporates by reference 122 the Core Rules defined in that document. 124 challenge = "<" 3*(%x21-3B / %x3D / %x3F-7E) ">" 125 ; a bracketed string of printing ASCII characters, not 126 ; containing embedded "<" or ">" 128 digest = 32(DIGIT / %x61-66) 129 ; A hexadecimal string, using ONLY lower-case 130 ; letters 132 response = username SP digest 134 username = 1*OCTET 135 ; Must be well-formed UTF-8. 137 4. Security Considerations 139 It is conjectured that use of the CRAM-MD5 authentication mechanism 140 provides replay protection for a session. 142 This mechanism does not obscure the user name in any way. 143 Accordingly, a server that implements both a clear-text password 144 command and this authentication type should not allow both methods of 145 access for a given user name. 147 Keyed MD5 is chosen for this application because of the greater 148 security imparted to authentication of short messages. In addition, 149 the use of the techniques described in [RFC2104] for pre-computation 150 of intermediate results make it possible to avoid explicit clear-text 151 storage of the shared secret on the server system by instead storing 152 the intermediate results which are known as "contexts." While the 153 saving, on the server, of the MD5 context is marginally better than 154 saving the shared secrets in clear-text, it is not sufficient to 155 protect the secrets if the server itself is compromised. 156 Consequently, servers that store the secrets or contexts must both be 157 protected to a level appropriate to the potential information value 158 in the data and services protected by this mechanism. In other 159 words, techniques like this one involve a trade-off between 160 vulnerability to network sniffing and I/O buffer snooping and 161 vulnerability of the server host's databases. If one believes that 162 the host and its databases are subject to compromise, and the network 163 is not, this technique (and all others like it) is unattractive. It 164 is perhaps even less attractive than clear-text passwords, which are 165 typically stored on hosts in one-way hash form. On the other hand, 166 if the server databases are perceived as reasonably secure, and one 167 is concerned about client-side or network interception of the 168 passwords (secrets), then this (and similar) techniques are 169 preferable to clear-text passwords by a wide margin. 171 As the length of the shared secret increases, so does the difficulty 172 of deriving it. 174 While there are now suggestions in the literature that the use of MD5 175 and keyed MD5 in authentication procedures probably has a limited 176 effective lifetime, the technique is now widely deployed and widely 177 understood. It is believed that this general understanding may 178 assist with the rapid replacement, by CRAM-MD5, of the current uses 179 of permanent clear-text passwords in many protocols. This document 180 has been deliberately written to permit easy upgrading to use SHA (or 181 whatever alternatives emerge) when they are considered to be widely 182 available and adequately safe. 184 Even with the use of CRAM-MD5, users are still vulnerable to active 185 attacks. An example of an increasingly common active attack is 'TCP 186 Session Hijacking' as described in CERT Advisory CA-95:01. 188 CRAM-MD5 does not authenticate the server and does not include a 189 client-supplied nonce. As a result, it is possible to construct a 190 server with a fixed challenge string that has pre-computed the hashes 191 for all possible passwords up to a certain length (or from a 192 dictionary). Such a server could then immediately determine the 193 user's password if it is sufficiently short. 195 5. References 197 5.1. Normative References 199 [I-D.ietf-sasl-rfc2222bis] 200 Melnikov, A., "Simple Authentication and Security Layer 201 (SASL)", draft-ietf-sasl-rfc2222bis-11 (work in progress), 202 June 2005. 204 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 205 Hashing for Message Authentication", RFC 2104, 206 February 1997. 208 [RFC2234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 209 Specifications: ABNF", RFC 2234, November 1997. 211 [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 212 10646", RFC 2279, January 1998. 214 [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of 215 Internationalized Strings ("stringprep")", RFC 3454, 216 December 2002. 218 [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names 219 and Passwords", RFC 4013, February 2005. 221 5.2. Informative References 223 [I-D.ietf-sasl-plain] 224 Zeilenga, K., "The Plain SASL Mechanism", 225 draft-ietf-sasl-plain-08 (work in progress), March 2005. 227 [RFC2244] Newman, C. and J. Myers, "ACAP -- Application 228 Configuration Access Protocol", RFC 2244, November 1997. 230 [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 231 4rev1", RFC 3501, March 2003. 233 Appendix A. Examples 235 The examples in this appendix DO NOT form part of the specification. 236 Where conflicts exist between the examples and the formal grammar or 237 the normative text in Section 2, the latter are authoritative. 239 A.1. IMAP4 241 These examples show the use of the CRAM-MD5 mechanism with the IMAP4 242 [RFC3501] AUTHENTICATE command. The base64 encoding of the 243 challenges and responses is part of the IMAP4 AUTHENTICATE command, 244 and not part of the CRAM-MD5 specification itself. 246 A.1.1. Example 1: Simple IMAP 248 In this example the shared secret is the string 'tanstaaftanstaaf'. 250 S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] 251 C: A0001 AUTHENTICATE CRAM-MD5 252 S: + PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UuZXhhbXBsZS5uZXQ+ 253 C: am9lIDNkYmM4OGYwNjI0Nzc2YTczN2IzOTA5M2Y2ZWI2NDI3 254 S: A0001 OK CRAM-MD5 authentication successful 256 Hence, the keyed MD5 digest is produced by calculating 258 MD5((SASLprep(tanstaaftanstaaf) XOR opad), 259 MD5((SASLprep(tanstaaftanstaaf) XOR ipad), 260 <1896.697170952@postoffice.example.net>)) 262 where ipad and opad are as defined in RFC 2104 and the string shown 263 in the challenge is the base64 encoding of 264 '<1896.697170952@postoffice.example.net>'. The shared secret is 265 null-padded to a length of 64 bytes. If the shared secret is longer 266 than 64 bytes, the MD5 digest of the shared secret is used as a 16 267 byte input to the keyed MD5 calculation. 269 This produces a digest value (in hexadecimal) of 270 '3dbc88f0624776a737b39093f6eb6427'. The user name is then prepended 271 to it, forming 'joe 3dbc88f0624776a737b39093f6eb6427', which is then 272 base64 encoded to meet the requirements of the IMAP4 AUTHENTICATE 273 command yielding 'am9lIDNkYmM4OGYwNjI0Nzc2YTczN2IzOTA5M2Y2ZWI2NDI3'. 275 A.1.2. Example 2: IMAP4 with embedded spaces 277 This example uses the user name 'Ali Baba' and the shared secret 278 'Open, Sesame'. It illustrates that both user names and passwords 279 may contain non-alphanumeric characters. 281 S: <68451038525716401353.0@localhost> 282 C: Ali Baba 6fa32b6e768f073132588e3418e00f71 284 A.1.3. Example 3: IMAP4 with Unicode characters 286 This example demonstrates the processing of Unicode strings. The raw 287 user name is 'Alddin' where is the 288 Unicode Latin symbol , is , and is the . Preparing the raw 290 user name with SASLprep returns 'Aladdin' which we then 291 encode into the UTF-8 string 'Aladdin\xC2\xAE' (shown here and below 292 using C-style string format notation). As before, the shared secret 293 is 'Open, Sesame'. 295 S: <92230559549732219941.0@localhost> 296 C: Aladdin\xC2\xAE 9950ea407844a71e2f0cd3284cbd912d 298 A.2. ACAP 300 An example of using CRAM-MD5 with ACAP [RFC2244]. 302 A.2.1. Example 4: Simple ACAP 304 This example uses the user name 'joe' and the shared secret 305 'tanstaaftanstaaf'. 307 S: * ACAP (IMPLEMENTATION "Infotrope ACAP Server, version 0.1.3, 308 Copyright 2002-2004 Dave Cridland ") 309 (SASL "PLAIN" "DIGEST-MD5" "CRAM-MD5" "ANONYMOUS") (STARTTLS) 310 C: AUTH AUTHENTICATE "CRAM-MD5" 311 S: + {43} 312 S: <2262304172.6455022@gw2.gestalt.entity.net> 313 C: {36+} 314 C: joe 2aa383bf320a941d8209a7001ef6aeb6 315 S: AUTH OK "You're logged in as joe. Frooby." 317 Appendix B. IANA Considerations 319 It is requested that the Internet Assigned Numbers Authority (IANA) 320 update the SASL Mechanism Registry entry for CRAM-MD5 to refer to 321 this document. 323 To: iana@iana.org 324 Subject: Updated Registration of SASL CRAM-MD5 mechanism. 326 SASL mechanism name: CRAM-MD5 327 Security considerations: See RFC XXXX 328 Published specification: RFC XXXX 329 Person & email address to contact for further information: 330 Lyndon Nerenberg 331 IETF SASL WG 333 Appendix C. Contributors 335 The CRAM-MD5 mechanism was originally specified in RFC 2095, IMAP/POP 336 AUTHorize Extension for Simple Challenge/Response. The authors of 337 that document -- John C. Klensin, Paul Krumviede, and Randy Catoe -- 338 are to be credited with the design and specification of CRAM-MD5, and 339 they are the original authors of the majority of the text in this 340 document. This memo serves only to re-state CRAM-MD5 within the 341 formal context of SASL, which specification it preceded by several 342 months. 344 Dave Cridland and Simon Josefsson contributed updated examples. 346 Appendix D. Changes since RFC 2195 348 The syntax of the has been relaxed. 350 Both the user name and the shared secret (password) must be prepared 351 using SASLprep, and the resulting values encoded as UTF-8 strings. 353 Author's Address 355 Lyndon Nerenberg (editor) 356 Orthanc Systems 357 304 - 1755 Robson Street 358 Vancouver, BC V6G 3B7 359 Canada 361 Email: lyndon+rfc-crammd5@orthanc.ca 363 Intellectual Property Statement 365 The IETF takes no position regarding the validity or scope of any 366 Intellectual Property Rights or other rights that might be claimed to 367 pertain to the implementation or use of the technology described in 368 this document or the extent to which any license under such rights 369 might or might not be available; nor does it represent that it has 370 made any independent effort to identify any such rights. Information 371 on the procedures with respect to rights in RFC documents can be 372 found in BCP 78 and BCP 79. 374 Copies of IPR disclosures made to the IETF Secretariat and any 375 assurances of licenses to be made available, or the result of an 376 attempt made to obtain a general license or permission for the use of 377 such proprietary rights by implementers or users of this 378 specification can be obtained from the IETF on-line IPR repository at 379 http://www.ietf.org/ipr. 381 The IETF invites any interested party to bring to its attention any 382 copyrights, patents or patent applications, or other proprietary 383 rights that may cover technology that may be required to implement 384 this standard. Please address the information to the IETF at 385 ietf-ipr@ietf.org. 387 Disclaimer of Validity 389 This document and the information contained herein are provided on an 390 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 391 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 392 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 393 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 394 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 395 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 397 Copyright Statement 399 Copyright (C) The Internet Society (2005). This document is subject 400 to the rights, licenses and restrictions contained in BCP 78, and 401 except as set forth therein, the authors retain all their rights. 403 Acknowledgment 405 Funding for the RFC Editor function is currently provided by the 406 Internet Society.