rfc2773.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 508 行 · 第 1/2 页
TXT
508 行
Network Working Group R. Housley
Request for Comments: 2773 P. Yee
Updates: 959 SPYRUS
Category: Experimental W. Nace
NSA
February 2000
Encryption using KEA and SKIPJACK
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document defines a method to encrypt a file transfer using the
FTP specification STD 9, RFC 959, "File Transfer Protocol (FTP)",
(October 1985) [3] and RFC 2228, "FTP Security Extensions" (October
1997) [1]. This method will use the Key Exchange Algorithm (KEA) to
give mutual authentication and establish the data encryption keys.
SKIPJACK is used to encrypt file data and the FTP command channel.
1.0 Introduction
The File Transfer Protocol (FTP) provides no protocol security except
for a user authentication password which is transmitted in the clear.
In addition, the protocol does not protect the file transfer session
beyond the original authentication phase.
The Internet Engineering Task Force (IETF) Common Authentication
Technology (CAT) Working Group has proposed security extensions to
FTP. These extensions allow the protocol to use more flexible
security schemes, and in particular allows for various levels of
protection for the FTP command and data connections. This document
describes a profile for the FTP Security Extensions by which these
mechanisms may be provisioned using the Key Exchange Algorithm (KEA)
in conjunction with the SKIPJACK symmetric encryption algorithm.
Housley, et al. Experimental [Page 1]
RFC 2773 Encryption using KEA and SKIPJACK February 2000
FTP Security Extensions [1] provides:
* user authentication -- augmenting the normal password
mechanism;
* server authentication -- normally done in conjunction with user
authentication;
* session parameter negotiation -- in particular, encryption keys
and attributes;
* command connection protection -- integrity, confidentiality, or
both;
* data transfer protection -- same as for command connection
protection.
In order to support the above security services, the two FTP entities
negotiate a mechanism. This process is open-ended and completes when
both entities agree on an acceptable mechanism or when the initiating
party (always the client) is unable to suggest an agreeable
mechanism. Once the entities agree upon a mechanism, they may
commence authentication and/or parameter negotiation.
Authentication and parameter negotiation occur within an unbounded
series of exchanges. At the completion of the exchanges, the
entities will either be authenticated (unilateral or mutually), and
may, additionally, be ready to protect FTP commands and data.
Following the exchanges, the entities negotiate the size of the
buffers they will use in protecting the commands and data that
follow. This process is accomplished in two steps: the client offers
a suggested buffer size and the server may either refuse it, counter
it, or accept it.
At this point, the entities may issue protected commands within the
bounds of the parameters negotiated through the security exchanges.
Protected commands are issued by applying the protection services
required to the normal commands and Base64 encoding the results. The
encoded results are sent as the data field within a ENC (integrity
and confidentiality) command. Base64 is an encoding for mapping
binary data onto a textual character set that is able to pass through
most 7-bit systems without loss. The server sends back responses in
new result codes which allow the identical protections and Base64
encoding to be applied to the results. Protection of the data
transfers can be specified via the PROT command which supports the
Housley, et al. Experimental [Page 2]
RFC 2773 Encryption using KEA and SKIPJACK February 2000
same protections as those afforded the other FTP commands. PROT
commands may be sent on a transfer-by-transfer basis, however, the
session parameters may not be changed within a session.
2.0 Key Exchange Algorithm (KEA) Profile
This paper profiles KEA with SKIPJACK to achieve certain security
services when used in conjunction with the FTP Security Extensions
framework. FTP entities may use KEA to give mutual authentication
and establish data encryption keys. We specify a simple token format
and set of exchanges to deliver these services. Functions that may
be performed by the Fortezza Crypto Card.
The reader should be familiar with the extensions in order to
understand the protocol steps that follow. In the context of the FTP
Security Extensions, we suggest the usage of KEA with SKIPJACK for
authentication, integrity, and confidentiality.
A client may mutually authenticate with a server. What follows are
the protocol steps necessary to perform KEA authentication under the
FTP Security Extensions framework. Where failure modes are
encountered, the return codes follow those specified in the
Extensions. They are not enumerated in this document as they are
invariant among the mechanisms used. The certificates are ASN.1
encoded.
The exchanges detailed below presume a working knowledge of the FTP
Security Extensions. The notation for concatenation is " || ".
Decryption of encrypted data and certification path validation is
implicitly assumed, but is not shown.
---------------------------------------------------------------------
Client Server
AUTH KEA-SKIPJACK -->
<-- 334 ADAT=Base64( Certb || Rb )
ADAT Base64( Certa || Ra ||
WMEK || IV || Encrypt(
Label-Type || Label-Length ||
Label-List || pad || ICV ) ) -->
<-- 235 ADAT=Base64( IV )
---------------------------------------------------------------------
Figure 1
The server and client certificates contain KEA public keys. The
client and server use KEA to generate a shared SKIPJACK symmetric
key, called the TEK. The client uses the random number generator to
create a second SKIPJACK key, called the MEK. The MEK is wrapped in
Housley, et al. Experimental [Page 3]
RFC 2773 Encryption using KEA and SKIPJACK February 2000
the TEK for transfer to the server. An initialization vector (IV)
associated with the MEK is generated by the client and transferred to
the server. A list of security labels that the client wants to use
for this FTP session may be transferred to the server encrypted in
the MEK. As shown in Figure 2, the security label data is formatted
as a one octet type value, a four octet label length, the security
label list, padding, followed by an eight octet integrity check value
(ICV). Figure 3 lists the label types. If the label type is absent
(value of zero length), then the label size must be zero.
In order to ensure that the length of the plain text is a multiple of
the cryptographic block size, padding shall be performed as follows.
The input to the SKIPJACK CBC encryption process shall be padded to a
multiple of 8 octets. Let n be the length in octets of the input.
Pad the input by appending 8 - (n mod 8) octets to the end of the
message, each having the value 8 - (n mod 8), the number of octets
being added. In hexadecimal, he possible pad strings are: 01, 0202,
030303, 04040404, 0505050505, 060606060606, 07070707070707, and
0808080808080808. All input is padded with 1 to 8 octets to produce
a multiple of 8 octets in length. This pad technique is used
whenever SKIPJACK CBC encryption is performed.
An ICV is calculated over the plaintext security label and padding.
The ICV algorithm used is the 32-bit one's complement addition of
each 32-bit block followed by 32 zero bits. This ICV technique is
used in conjunction with SKIPJACK CBC encryption to provide data
integrity.
---------------------------------------------------------------------
Label Type 1 Octet
Label Length 4 octets
Label List variable length
Pad 1 to 8 octets
ICV 8 octets
---------------------------------------------------------------------
Figure 2
---------------------------------------------------------------------
Label Type Label Syntax Reference
0 Absent Not applicable
1 MSP SDN.701[2]
2-255 Reserved for Future Use To Be Determined
---------------------------------------------------------------------
Figure 3
Housley, et al. Experimental [Page 4]
RFC 2773 Encryption using KEA and SKIPJACK February 2000
FTP command channel operations are now confidentiality protected. To
provide integrity, the command sequence number, padding, and ICV are
appended to each command prior to encryption.
Sequence integrity is provided by using a 16-bit sequence number
which is incremented for each command. The sequence number is
initialized with the least significant 16-bits of Ra. The server
response will include the same sequence number as the client command.
An ICV is calculated over the individual commands (including the
carriage return and line feed required to terminate commands), the
sequence number, and pad.
---------------------------------------------------------------------
Client Server
ENC Base64(Encrypt("PBSZ 65535"
|| SEQ || pad || ICV )) -->
<-- 632 Base64(Encrypt("200" ||
SEQ || pad || ICV))
ENC Base64(Encrypt("USER yee"
|| SEQ || pad || ICV)) -->
<-- 632 Base64(Encrypt("331" ||
SEQ || pad || ICV))
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?