idnits 2.17.1

draft-wu-telnet-auth-srp-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in
     this document.
     Expected boilerplate is as follows today (2024-04-23) according to
     https://trustee.ietf.org/license-info :

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.a:

        This Internet-Draft is submitted in full conformance with the
        provisions of BCP 78 and BCP 79.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2:

        Copyright (c) 2024 IETF Trust and the persons identified as the
        document authors. All rights reserved.

     IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3:

        This document is subject to BCP 78 and the IETF Trust's Legal
        Provisions Relating to IETF Documents
        (https://trustee.ietf.org/license-info) in effect on the date of
        publication of this document. Please review these documents
        carefully, as they describe your rights and restrictions with respect
        to this document. Code Components extracted from this document must
        include Simplified BSD License text as described in Section 4.e of
        the Trust Legal Provisions and are provided without warranty as
        described in the Simplified BSD License.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts.

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories.
  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an Introduction section.

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([SRP-DRAFT]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 1998) is 9536 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'KERBEROS-AUTH' is mentioned on line 128, but not
     defined

  == Unused Reference: 'RFC1416' is defined on line 219, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 1416 (Obsoleted by RFC 2941)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SRP'

  -- No information found for draft-wu-srp-auth-XX - is the name correct?

  -- Possible downref: Normative reference to a draft: ref. 'SRP-DRAFT'

     Summary: 10 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2    Internet Draft                                                   T. Wu
3    draft-wu-telnet-auth-srp-01.txt                    Stanford University
4    Expires 31 September 1998                                   March 1998

6                         Telnet Authentication: SRP

8    Status of this Memo

10      This document is an Internet-Draft. Internet-Drafts are working
11      documents of the Internet Engineering Task Force (IETF), its
12      areas, and its working groups. Note that other groups may also
13      distribute working documents as Internet-Drafts.

15      Internet-Drafts are draft documents valid for a maximum of six
16      months and may be updated, replaced, or obsoleted by other
17      documents at any time. It is inappropriate to use Internet-
18      Drafts as reference material or to cite them other than as
19      "work in progress."

21      To view the entire list of current Internet-Drafts, please check
22      the "1id-abstracts.txt" listing contained in the Internet-Drafts
23      Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
24      (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
25      (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
26      (US West Coast).

28   Abstract

30      This document specifies an authentication scheme for the Telnet
31      protocol under the framework described in RFC 1416, using the
32      SRP authentication mechanism. The specific mechanism, SRP-SHA1,
33      is described in [SRP-DRAFT].

35   1. Command Names and Codes

37      Authentication Types

39         SRP          5

41      Suboption Commands

43         AUTH         0
44         REJECT       1
45         ACCEPT       2
46         CHALLENGE    3
47         RESPONSE     4

49         EXP          8
50         PARAMS       9

52   2. Command Meanings

54      IAC SB AUTHENTICATION IS AUTH IAC SE

56         This command indicates that the client has supplied the
57         username and is ready to receive that user's field parameters.
58         There is no authentication information to be sent to the remote
59         side of the connection yet. This should only be sent after the
60         IAC SB AUTHENTICATION NAME command has been issued.

62      IAC SB AUTHENTICATION REPLY PARAMS
63      IAC SE

65         This command is used to pass the three parameter values used
66         in the exponentiation to the client. These values are often
67         called n, g, and s.

69      IAC SB AUTHENTICATION IS EXP
70      IAC SE

72         This command is used to pass the client's exponential residue,
73         otherwise known as A, computed against the parameters exchanged
74         earlier.

76      IAC SB AUTHENTICATION REPLY CHALLENGE
77      IAC SE

79         This command is used to pass the server's exponential residue,
80         computed against the same parameters. This quantity is actually
81         the sum of two residues, i.e. g^x + g^b. For details see [SRP]
82         and [SRP-DRAFT].

84      IAC SB AUTHENTICATION IS RESPONSE
85      IAC SE

87         This command gives the server proof of the client's authenticity
88         with a 160-bit (20 byte) response.

90      IAC SB AUTHENTICATION REPLY ACCEPT
91      IAC SE

93         This command indicates that the authentication was successful.
94         The server will construct its own proof of authenticity and
95         include it as sub-option data.

97      IAC SB AUTHENTICATION REPLY REJECT
98      IAC SE

100        This command indicates that the authentication was not successful,
101        and if there is any more data in the sub-option, it is an ASCII
102        text message of the reason for the rejection.

104     For the PARAMS command, since three pieces of data are being
105     transmitted, each parameter is preceded by a 16-bit (two byte)
106     length specifier in network byte order. The EXP commands do not have
107     a count in front of the data because there is only one piece of data
108     in that suboption. The CHALLENGE, RESPONSE, and ACCEPT data also
109     do not have a count because they are all fixed in size.

111  3. Implementation Rules

113     Currently, only AUTH_CLIENT_TO_SERVER mode is supported.
114     Although the SRP protocol effectively performs implicit mutual
115     authentication as a result of the two-way proofs, only the
116     AUTH_HOW_ONE_WAY authentication mode is currently defined.
117     The AUTH_HOW_MUTUAL setting is being reserved for an explicit
118     mutual-authentication variant of the SRP protocol to be defined
119     in future specifications.

121     All large number data sent in the arguments of the PARAMS and
122     EXP commands must be in network byte order, i.e. most significant
123     byte first. No padding is used.

125     The SRP-SHA1 mechanism, as described in [SRP-DRAFT] generates a
126     40-byte session key, which is much longer than the 8-byte key
127     generated by conventional authentication mechanisms like
128     Kerberos [KERBEROS-AUTH]. This allows implementations to
129     use different keys for incoming and outgoing traffic,
130     increasing the security of the encrypted session.

132  4. Examples

134     User "tjw" may wish to log in on machine "foo". The client would
135     send IAC SB AUTHENTICATION NAME "tjw" IAC SE IAC SB AUTHENTICATION
136     IS SRP AUTH IAC SE. The server would look up the field and salt
137     parameters for "tjw" from its password file and send them back
138     to the client. Client and server would then exchange exponential
139     residues and calculate their session keys (after the client prompted
140     "tjw" for his password). Then, the client would send the server
141     its proof that it knows the session key. The server would either
142     send back an ACCEPT or a REJECT. If the server accepts
143     authentication, it also sends its own proof that it knows the
144     session key to the client.

146     Client                           Server
147                                      IAC DO AUTHENTICATION
148     IAC WILL AUTHENTICATION
149     [ The server is now free to request authentication information.
150       ]
151                                      IAC SB AUTHENTICATION SEND
152                                      SRP CLIENT|ONE_WAY IAC SE
153     [ The server has requested SRP authentication. This is the
154       only mode currently supported.
155       The client will now respond with the name of the user that it
156       wants to log in as. ]
157     IAC SB AUTHENTICATION NAME
158     "tjw" IAC SE
159     IAC SB AUTHENTICATION IS
160     SRP CLIENT|ONE_WAY AUTH
161     IAC SE
162     [ The server looks up the appropriate information for "tjw" and
163       sends back the parameters in a PARAMS command. ]
164                                      IAC SB AUTHENTICATION REPLY
165                                      SRP CLIENT|ONE_WAY PARAMS
166                                      ss ss nn nn nn nn ...
167                                      ss ss gg gg gg gg ...
168                                      ss ss tt tt tt tt ...
169                                      IAC SE
170     [ Both sides send their exponential residues. In SRP-3,
171       the CHALLENGE message may be computed but not sent before
172       the EXP command. ]
173     IAC SB AUTHENTICATION IS
174     SRP CLIENT|ONE_WAY EXP
175     aa aa aa aa aa aa aa aa ...
176     IAC SE
177                                      IAC SB AUTHENTICATION REPLY
178                                      SRP CLIENT|ONE_WAY CHALLENGE
179                                      bb bb bb bb bb bb bb bb ...
180                                      IAC SE

182     [ The client sends its response to the server. ]
183     IAC SB AUTHENTICATION IS
184     SRP CLIENT|ONE_WAY RESPONSE
185     xx xx xx xx xx xx xx xx ...
186     IAC SE
187     [ The server accepts the response and sends its own proof. ]
188                                      IAC SB AUTHENTICATION REPLY
189                                      SRP CLIENT|ONE_WAY ACCEPT
190                                      yy yy yy yy yy yy yy yy ...
191                                      IAC SE

193  5. Security Considerations

195     The ability to negotiate a common authentication mechanism between
196     client and server is a feature of the authentication option that
197     should be used with caution. When the negotiation is performed, no
198     authentication has yet occurred. Therefore, each system has no way
199     of knowing whether or not it is talking to the system it intends. An
200     intruder could attempt to negotiate the use of an authentication
201     system which is either weak, or already compromised by the intruder.

203     Since SRP relies on the security of the underlying public-key
204     cryptosystem, the modulus "n" should be large enough to resist
205     brute-force attack. A length of at least 1024 bits is recommended,
206     and implementations should reject attempts to use moduli that are
207     shorter than 512 bits.

209     Because SRP is believed to offer greater protection against
210     intruders than previous Telnet authentication mechanisms, it is
211     recommended that it be placed ahead of alternatives when negotiating
212     a common authentication mechanism. Some sites may wish to disable
213     other weaker mechanisms completely for maximal security;
214     implementations should permit this policy to be set easily on a
215     site-by-site basis.

217  6. References

219     [RFC1416] D. Borman, "Telnet Authentication Option", RFC 1416,
220        February 1993.

222     [SRP] T. Wu, "The Secure Remote Password Protocol", In Proceedings
223        of the 1998 ISOC Network and Distributed System Security
224        Symposium, San Diego, CA, pp. 97-111.

226     [SRP-DRAFT] T. Wu, "The SRP Authentication and Key Exchange System",
227        draft-wu-srp-auth-XX.txt, Stanford University.

229  7. Author's Address

231     Thomas Wu
232     Stanford University
233     Stanford, CA 94305
234     EMail: tjw@cs.Stanford.EDU
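
The PARAMS layout from section 2 (three values n, g, s, each behind a 16-bit network-order length) and the modulus limits from section 5, as an added client-side parser that is not part of the draft or of any SRP implementation. It assumes the suboption data has already been taken out of the IAC SB ... IAC SE frame; ParamsError, parse_params and encode_params are hypothetical names, the sample modulus is constructed for its size only, and the zero-padding and generator-range checks are extra strictness added here.

```python
import struct

MIN_MODULUS_BITS = 512           # draft: reject moduli shorter than this
RECOMMENDED_MODULUS_BITS = 1024  # draft: recommended minimum length

class ParamsError(ValueError):
    """PARAMS data is malformed or violates the modulus policy."""

def _fields(payload, count):
    """Split `count` fields, each preceded by a 16-bit big-endian length."""
    out, pos = [], 0
    for _ in range(count):
        if pos + 2 > len(payload):
            raise ParamsError("truncated length specifier")
        (length,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        if pos + length > len(payload):
            raise ParamsError("field runs past end of suboption data")
        out.append(payload[pos:pos + length])
        pos += length
    if pos != len(payload):
        raise ParamsError("trailing bytes after last parameter")
    return out

def parse_params(payload):
    """Parse PARAMS data (n, g, s) and apply the draft's modulus-size rules."""
    n_raw, g_raw, salt = _fields(payload, 3)
    for name, raw in (("n", n_raw), ("g", g_raw)):
        if not raw or raw[0] == 0:   # strict reading of "No padding is used"
            raise ParamsError(f"{name} is empty or zero-padded")
    n = int.from_bytes(n_raw, "big")  # most significant byte first
    g = int.from_bytes(g_raw, "big")
    bits = n.bit_length()
    if bits < MIN_MODULUS_BITS:
        raise ParamsError(f"modulus is {bits} bits, below {MIN_MODULUS_BITS}")
    if not 1 < g < n:                 # added sanity check, not from the draft
        raise ParamsError("generator outside the range (1, n)")
    return {"n": n, "g": g, "salt": salt, "bits": bits,
            "below_recommended": bits < RECOMMENDED_MODULUS_BITS}

def encode_params(n, g, salt):
    """Build constructed sample input in the same layout."""
    parts = [n.to_bytes((n.bit_length() + 7) // 8, "big"),
             g.to_bytes((g.bit_length() + 7) // 8, "big"), salt]
    return b"".join(struct.pack("!H", len(p)) + p for p in parts)

if __name__ == "__main__":
    demo = encode_params((1 << 767) | 1, 2, b"\x5a" * 10)  # constructed values
    print(parse_params(demo)["bits"], parse_params(demo)["below_recommended"])
```

A caller that gets `below_recommended` set can log or refuse according to site policy; anything under 512 bits never reaches the exponentiation step.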