idnits 2.17.1 draft-ietf-sasl-crammd5-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 401. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 412. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 419. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 425. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 89: '...ts). The client MUST NOT interpret or...' RFC 2119 keyword, line 99: '... server MUST ensure the right-most s...' RFC 2119 keyword, line 120: '... ; SHOULD be well-formed...' RFC 2119 keyword, line 144: '... The client SHOULD prepare the user ...' RFC 2119 keyword, line 146: '... algorithm. The resulting values SHOULD be encoded as UTF-8 [RFC3629]...' (1 more instance...) == The 'Obsoletes: ' line in the draft header should list only the _numbers_ of the RFCs which will be obsoleted by this document (if approved); it should not include the word 'RFC' in the list. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 11, 2008) is 5761 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC4616' is defined on line 255, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Obsolete normative reference: RFC 3454 (Obsoleted by RFC 7564) ** Obsolete normative reference: RFC 4013 (Obsoleted by RFC 7613) ** Obsolete normative reference: RFC 4234 (Obsoleted by RFC 5234) -- Obsolete informational reference (is this intentional?): RFC 2095 (Obsoleted by RFC 2195) -- Obsolete informational reference (is this intentional?): RFC 3501 (Obsoleted by RFC 9051) Summary: 6 errors (**), 0 flaws (~~), 3 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SASL Working Group L. Nerenberg, Ed. 3 Internet-Draft Orthanc Systems 4 Obsoletes: RFC2195 July 11, 2008 5 (if approved) 6 Intended status: Standards Track 7 Expires: January 12, 2009 9 The CRAM-MD5 SASL Mechanism 10 draft-ietf-sasl-crammd5-10 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt. 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 This Internet-Draft will expire on January 12, 2009. 37 Abstract 39 This document defines a simple challenge-response authentication 40 mechanism, using a keyed MD5 digest, for use with the Simple 41 Authentication and Security Layer (SASL). 43 Table of Contents 45 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 46 2. The CRAM-MD5 SASL Mechanism . . . . . . . . . . . . . . . . . 3 47 3. Formal Grammar . . . . . . . . . . . . . . . . . . . . . . . . 3 48 4. Interoperability Considerations . . . . . . . . . . . . . . . 4 49 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 50 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 51 6.1. Normative References . . . . . . . . . . . . . . . . . . . 6 52 6.2. Informative References . . . . . . . . . . . . . . . . . . 6 53 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 7 54 A.1. IMAP4 . . . . . . . . . . . . . . . . . . . . . . . . . . 7 55 A.1.1. Example 1: Simple IMAP . . . . . . . . . . . . . . . . 7 56 A.1.2. Example 2: IMAP4 with embedded spaces . . . . . . . . 8 57 A.1.3. Example 3: IMAP4 with Unicode characters . . . . . . . 8 58 A.2. ACAP . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 59 A.2.1. Example 4: Simple ACAP . . . . . . . . . . . . . . . . 8 60 Appendix B. IANA Considerations . . . . . . . . . . . . . . . . . 9 61 Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 9 62 Appendix D. Changes since RFC 2195 . . . . . . . . . . . . . . . 9 63 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 Intellectual Property and Copyright Statements . . . . . . . . . . 10 66 1. Introduction 68 This document defines a simple challenge-response authentication 69 method, using a keyed MD5 [RFC2104] digest, for use with the Simple 70 Security and Authentication Layer (SASL) [RFC4422]. The mechanism 71 name associated with CRAM-MD5 is 'CRAM-MD5'. 73 This mechanism does not provide a security layer. 75 The CRAM-MD5 mechanism is intended to have limited use on the 76 Internet. The mechanism offers inadequate protection against common 77 attacks against application-level protocols (see Section 5) and is 78 prone to interoperability problems (see Section 4). 80 2. The CRAM-MD5 SASL Mechanism 82 The mechanism starts with the server issuing a . The data 83 contained in the challenge contains a string of random data. 85 The client makes note of the data and then responds with a 86 consisting of the , a space, and a . The digest is 87 computed by applying the keyed MD5 algorithm from [RFC2104] where the 88 key is a shared secret and the digested text is the 89 (including angle-brackets). The client MUST NOT interpret or attempt 90 to validate the contents of the challenge in any way. 92 This shared secret is a string known only to the client and server. 93 The digest parameter itself is a 16-octet value which is sent in a 94 restricted hexadecimal format (see the production in 95 Section 3). 97 When the server receives this client response, it verifies the digest 98 provided. Since the user name may contain the space character, the 99 server MUST ensure the right-most space character is recognised as 100 the token separating the user name from the digest. If the digest is 101 correct, the server should consider the client authenticated. 103 3. Formal Grammar 105 The following grammar specification uses the Augmented Backus-Naur 106 Form (ABNF) as specified in [RFC4234], and incorporates by reference 107 the Core Rules defined in that document. 109 challenge = "<" 3*(%x21-3B / %x3D / %x3F-7E) ">" 110 ; a bracketed string of printing ASCII characters, not 111 ; containing embedded "<" or ">" 113 digest = 32(DIGIT / %x61-66) 114 ; A hexadecimal string, using ONLY lower-case 115 ; letters 117 response = username SP digest 119 username = 1*OCTET 120 ; SHOULD be well-formed UTF-8 122 4. Interoperability Considerations 124 The design of CRAM-MD5 [RFC2095] pre-dated any widespread use of 125 UTF-8 to encode protocol elements. It was initially deployed as an 126 extension to the IMAP4 protocol at a time when authentication and 127 authorization identifiers were almost exclusively encoded in the US- 128 ASCII character set, therefore it is silent about the encoding and 129 representation of non-US-ASCII data elements. When sites first began 130 using alternate character sets to encode user names (and passwords) 131 they simply used the raw 8-bit character representation. This works 132 - for the most part - but only because these enclaves tend to use a 133 common character set amongst themselves. When a second group of 134 users using a different character set is introduced into the mix, 135 interoperability suffers. 137 So as not to render existing implementations non-compliant this 138 update preserves the existing opaque nature of user names and 139 passwords. However, implementors are strongly encouraged to process 140 the user name and password data as described in the next paragraph. 141 Doing so prevents interoperability problems caused by incompatible 142 character set encodings. 144 The client SHOULD prepare the user name and shared secret strings 145 using the SASLprep [RFC4013] profile of the Stringprep [RFC3454] 146 algorithm. The resulting values SHOULD be encoded as UTF-8 [RFC3629] 147 strings. The server may store the prepared string instead of, or as 148 well as, the unprepared string, so that it does not have to prepare 149 it every time it is needed for computation. However, if the original 150 (unprepared) string is not stored, it may render the computed secret 151 to be incompatible with a future revisions of SASLprep that support 152 currently unassigned code points (see section 7 of [RFC3454]). It is 153 therefor recommended to store the unprepared string in the database. 155 5. Security Considerations 157 CRAM-MD5 is no longer considered to provide adequate protection. 159 This mechanism is vulnerable to dictionary attack by any passive 160 listener able to observe the user name, challenge and response. An 161 attacker can use the user name and challenge to compute a series of 162 responses based on a pass-phrase dictionary, looking for a match to 163 the response sent by the client. 165 CRAM-MD5 does not authenticate the server and does not include a 166 client-supplied nonce. Consequently, it is possible to construct a 167 server with a fixed challenge string that has pre-computed the hashes 168 for all possible passwords up to a certain length (or from a 169 dictionary). Such a server could then immediately determine the 170 user's password if it is sufficiently short or non-random. 172 This mechanism does not obscure the user name in any way. 173 Accordingly, a server that implements both a clear-text password 174 command and this authentication type should not allow both methods of 175 access for a given user name. 177 For the reasons described above, CRAM-MD5 SHOULD NOT be used unless 178 the application protocol session is protected by an encryption layer, 179 such as provided by TLS. 181 Keyed MD5 is chosen for this application because of the greater 182 security imparted to authentication of short messages. In addition, 183 the use of the techniques described in [RFC2104] for pre-computation 184 of intermediate results make it possible to avoid explicit clear-text 185 storage of the shared secret on the server system by instead storing 186 the intermediate results which are known as "contexts." While the 187 saving, on the server, of the MD5 context is marginally better than 188 saving the shared secrets in clear-text, it is not sufficient to 189 protect the secrets if the server itself is compromised. 190 Consequently, servers that store the secrets or contexts must both be 191 protected to a level appropriate to the potential information value 192 in the data and services protected by this mechanism. In other 193 words, techniques like this one involve a trade-off between 194 vulnerability to network sniffing and I/O buffer snooping and 195 vulnerability of the server host's databases. If one believes that 196 the host and its databases are subject to compromise, and the network 197 is not, this technique (and all others like it) is unattractive. It 198 is perhaps even less attractive than clear-text passwords, which are 199 typically stored on hosts in one-way hash form. On the other hand, 200 if the server databases are perceived as reasonably secure, and one 201 is concerned about client-side or network interception of the 202 passwords (secrets), then this (and similar) techniques are 203 preferable to clear-text passwords by a wide margin. 205 While there are now suggestions in the literature that the use of MD5 206 and keyed MD5 in authentication procedures probably has a limited 207 effective lifetime, the technique is now widely deployed and widely 208 understood. It is believed that this general understanding may 209 assist with the rapid replacement, by CRAM-MD5, of the current uses 210 of permanent clear-text passwords in many protocols. This document 211 has been deliberately written to permit easy upgrading to use SHA (or 212 whatever alternatives emerge) when they are considered to be widely 213 available and adequately safe. 215 Even with the use of CRAM-MD5, users are still vulnerable to active 216 attacks. An example of an increasingly common active attack is 'TCP 217 Session Hijacking' as described in CERT Advisory CA-95:01. 219 6. References 221 6.1. Normative References 223 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 224 Hashing for Message Authentication", RFC 2104, 225 February 1997. 227 [RFC3454] Hoffman, P. and M. Blanchet, "Preparation of 228 Internationalized Strings ("stringprep")", RFC 3454, 229 December 2002. 231 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 232 10646", STD 63, RFC 3629, November 2003. 234 [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names 235 and Passwords", RFC 4013, February 2005. 237 [RFC4234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 238 Specifications: ABNF", RFC 4234, October 2005. 240 [RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and 241 Security Layer (SASL)", RFC 4422, June 2006. 243 6.2. Informative References 245 [RFC2095] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP 246 AUTHorize Extension for Simple Challenge/Response", 247 RFC 2095, January 1997. 249 [RFC2244] Newman, C. and J. Myers, "ACAP -- Application 250 Configuration Access Protocol", RFC 2244, November 1997. 252 [RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 253 4rev1", RFC 3501, March 2003. 255 [RFC4616] Zeilenga, K., "The PLAIN Simple Authentication and 256 Security Layer (SASL) Mechanism", RFC 4616, August 2006. 258 Appendix A. Examples 260 The examples in this appendix DO NOT form part of the specification. 261 Where conflicts exist between the examples and the formal grammar or 262 the normative text in Section 2, the latter are authoritative. 264 A.1. IMAP4 266 These examples show the use of the CRAM-MD5 mechanism with the IMAP4 267 [RFC3501] AUTHENTICATE command. The base64 encoding of the 268 challenges and responses is part of the IMAP4 AUTHENTICATE command, 269 and not part of the CRAM-MD5 specification itself. 271 A.1.1. Example 1: Simple IMAP 273 In this example the shared secret is the string 'tanstaaftanstaaf'. 275 S: * OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5] 276 C: A0001 AUTHENTICATE CRAM-MD5 277 S: + PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UuZXhhbXBsZS5uZXQ+ 278 C: am9lIDNkYmM4OGYwNjI0Nzc2YTczN2IzOTA5M2Y2ZWI2NDI3 279 S: A0001 OK CRAM-MD5 authentication successful 281 Hence, the keyed MD5 digest is produced by calculating 283 MD5((SASLprep(tanstaaftanstaaf) XOR opad), 284 MD5((SASLprep(tanstaaftanstaaf) XOR ipad), 285 <1896.697170952@postoffice.example.net>)) 287 where ipad and opad are as defined in RFC 2104 and the string shown 288 in the challenge is the base64 encoding of 289 '<1896.697170952@postoffice.example.net>'. The shared secret is 290 null-padded to a length of 64 bytes. If the shared secret is longer 291 than 64 bytes, the MD5 digest of the shared secret is used as a 16 292 byte input to the keyed MD5 calculation. 294 This produces a digest value (in hexadecimal) of 295 '3dbc88f0624776a737b39093f6eb6427'. The user name is then prepended 296 to it, forming 'joe 3dbc88f0624776a737b39093f6eb6427', which is then 297 base64 encoded to meet the requirements of the IMAP4 AUTHENTICATE 298 command yielding 'am9lIDNkYmM4OGYwNjI0Nzc2YTczN2IzOTA5M2Y2ZWI2NDI3'. 300 A.1.2. Example 2: IMAP4 with embedded spaces 302 This example uses the user name 'Ali Baba' and the shared secret 303 'Open, Sesame'. It illustrates that both user names and passwords 304 may contain non-alphanumeric characters. 306 S: <68451038525716401353.0@localhost> 307 C: Ali Baba 6fa32b6e768f073132588e3418e00f71 309 A.1.3. Example 3: IMAP4 with Unicode characters 311 This example demonstrates the processing of Unicode strings. The raw 312 user name is 'Alddin' where is the 313 Unicode Latin symbol , is , and is the . Preparing the raw 315 user name with SASLprep returns 'Aladdin' which we then 316 encode into the UTF-8 string 'Aladdin\xC2\xAE' (shown here and below 317 using C-style string format notation). As before, the shared secret 318 is 'Open, Sesame'. 320 S: <92230559549732219941.0@localhost> 321 C: Aladdin\xC2\xAE 9950ea407844a71e2f0cd3284cbd912d 323 A.2. ACAP 325 An example of using CRAM-MD5 with ACAP [RFC2244]. 327 A.2.1. Example 4: Simple ACAP 329 This example uses the user name 'joe' and the shared secret 330 'tanstaaftanstaaf'. 332 S: * ACAP (IMPLEMENTATION "Infotrope ACAP Server, version 0.1.3, 333 Copyright 2002-2004 Dave Cridland ") 334 (SASL "PLAIN" "DIGEST-MD5" "CRAM-MD5" "ANONYMOUS") (STARTTLS) 335 C: AUTH AUTHENTICATE "CRAM-MD5" 336 S: + {43} 337 S: <2262304172.6455022@gw2.gestalt.entity.net> 338 C: {36+} 339 C: joe 2aa383bf320a941d8209a7001ef6aeb6 340 S: AUTH OK "You're logged in as joe. Frooby." 342 Appendix B. IANA Considerations 344 It is requested that the Internet Assigned Numbers Authority (IANA) 345 update the SASL Mechanism Registry entry for CRAM-MD5 to refer to 346 this document. 348 To: iana@iana.org 349 Subject: Updated Registration of SASL CRAM-MD5 mechanism. 351 SASL mechanism name: CRAM-MD5 352 Security considerations: See RFC XXXX 353 Published specification: RFC XXXX 354 Person & email address to contact for further information: 355 Lyndon Nerenberg 356 IETF SASL WG 358 Appendix C. Contributors 360 The CRAM-MD5 mechanism was originally specified in RFC 2095, IMAP/POP 361 AUTHorize Extension for Simple Challenge/Response. The authors of 362 that document -- John C. Klensin, Paul Krumviede, and Randy Catoe -- 363 are to be credited with the design and specification of CRAM-MD5, and 364 they are the original authors of the majority of the text in this 365 document. This memo serves only to re-state CRAM-MD5 within the 366 formal context of SASL, which specification it preceded by several 367 months. 369 Dave Cridland and Simon Josefsson contributed updated examples. 371 Appendix D. Changes since RFC 2195 373 The syntax of the has been relaxed. 375 A section on interoperability concerns has been added. 377 The security considerations have been updated to reflect the current 378 views of the security community. 380 Author's Address 382 Lyndon Nerenberg (editor) 383 Orthanc Systems 385 Email: lyndon+rfc-crammd5@orthanc.ca 387 Full Copyright Statement 389 Copyright (C) The IETF Trust (2008). 391 This document is subject to the rights, licenses and restrictions 392 contained in BCP 78, and except as set forth therein, the authors 393 retain all their rights. 395 This document and the information contained herein are provided on an 396 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 397 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 398 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 399 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 400 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 401 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 403 Intellectual Property 405 The IETF takes no position regarding the validity or scope of any 406 Intellectual Property Rights or other rights that might be claimed to 407 pertain to the implementation or use of the technology described in 408 this document or the extent to which any license under such rights 409 might or might not be available; nor does it represent that it has 410 made any independent effort to identify any such rights. Information 411 on the procedures with respect to rights in RFC documents can be 412 found in BCP 78 and BCP 79. 414 Copies of IPR disclosures made to the IETF Secretariat and any 415 assurances of licenses to be made available, or the result of an 416 attempt made to obtain a general license or permission for the use of 417 such proprietary rights by implementers or users of this 418 specification can be obtained from the IETF on-line IPR repository at 419 http://www.ietf.org/ipr. 421 The IETF invites any interested party to bring to its attention any 422 copyrights, patents or patent applications, or other proprietary 423 rights that may cover technology that may be required to implement 424 this standard. Please address the information to the IETF at 425 ietf-ipr@ietf.org.