rfc3079.txt
来自「RFC 的详细文档!」· 文本 代码 · 共 1,180 行 · 第 1/3 页
TXT
1,180 行
Network Working Group G. Zorn
Request for Comments: 3079 cisco Systems
Category: Informational March 2001
Deriving Keys for use with Microsoft Point-to-Point Encryption (MPPE)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
The Point-to-Point Protocol (PPP) provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
The PPP Compression Control Protocol provides a method to negotiate
and utilize compression protocols over PPP encapsulated links.
Microsoft Point to Point Encryption (MPPE) is a means of representing
PPP packets in an encrypted form. MPPE uses the RSA RC4 algorithm to
provide data confidentiality. The length of the session key to be
used for initializing encryption tables can be negotiated. MPPE
currently supports 40-bit, 56-bit and 128-bit session keys. MPPE
session keys are changed frequently; the exact frequency depends upon
the options negotiated, but may be every packet. MPPE is negotiated
within option 18 in the Compression Control Protocol.
This document describes the method used to derive initial MPPE
session keys from a variety of credential types. It is expected that
this memo will be updated whenever Microsoft defines a new key
derivation method for MPPE, since its primary purpose is to provide
an open, easily accessible reference for third-parties wishing to
interoperate with Microsoft products.
MPPE itself (including the protocol used to negotiate its use, the
details of the encryption method used and the algorithm used to
change session keys during a session) is described in RFC 3078.
Zorn Informational [Page 1]
RFC 3079 MPPE Key Derivation March 2001
Table of Contents
1. Specification of Requirements ............................... 2
2. Deriving Session Keys from MS-CHAP Credentials .............. 2
2.1. Generating 40-bit Session Keys ............................ 3
2.2. Generating 56-bit Session Keys ............................ 3
2.3. Generating 128-bit Session Keys ........................... 4
2.4. Key Derivation Functions .................................. 5
2.5. Sample Key Derivations .................................... 6
2.5.1. Sample 40-bit Key Derivation ............................ 6
2.5.2. Sample 56-bit Key Derivation ............................ 6
2.5.3. Sample 128-bit Key Derivation ........................... 7
3. Deriving Session Keys from MS-CHAP-2 Credentials ............ 7
3.1. Generating 40-bit Session Keys ............................ 8
3.2. Generating 56-bit Session Keys ............................ 9
3.3. Generating 128-bit Session Keys ...........................10
3.4. Key Derivation Functions ..................................11
3.5. Sample Key Derivations ....................................13
3.5.1. Sample 40-bit Key Derivation ............................13
3.5.2. Sample 56-bit Key Derivation ............................14
3.5.3. Sample 128-bit Key Derivation ...........................15
4. Deriving MPPE Session Keys from TLS Session Keys ............16
4.1. Generating 40-bit Session Keys ............................16
4.2. Generating 56-bit Session Keys ............................17
4.3. Generating 128-bit Session Keys ...........................17
5. Security Considerations .....................................18
5.1. MS-CHAP Credentials .......................................18
5.2. EAP-TLS Credentials .......................................19
6. References ..................................................19
7. Acknowledgements ............................................20
8. Author's Address ............................................20
9. Full Copyright Statement ....................................21
1. Specification of Requirements
In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
"recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
described in [6].
2. Deriving Session Keys from MS-CHAP Credentials
The Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP-1)
[2] is a Microsoft-proprietary PPP [1] authentication protocol,
providing the functionality to which LAN-based users are accustomed
while integrating the encryption and hashing algorithms used on
Windows networks.
Zorn Informational [Page 2]
RFC 3079 MPPE Key Derivation March 2001
The following sections detail the methods used to derive initial
session keys (40-, 56- and 128-bit) from MS-CHAP-1 credentials.
Implementation Note
The initial session key in both directions is derived from the
credentials of the peer that initiated the call and the challenge
used (if any) is the challenge from the first authentication.
This is true for both unilateral and bilateral authentication, as
well as for each link in a multilink bundle. In the multi-chassis
multilink case, implementations are responsible for ensuring that
the correct keys are generated on all participating machines.
2.1. Generating 40-bit Session Keys
MPPE uses a derivative of the peer's LAN Manager password as the 40-
bit session key used for initializing the RC4 encryption tables.
The first step is to obfuscate the peer's password using the
LmPasswordHash() function (described in [2]). The first 8 octets of
the result are used as the basis for the session key generated in the
following way:
/*
* PasswordHash is the basis for the session key
* SessionKey is a copy of PasswordHash and is the generative session key
* 8 is the length (in octets) of the key to be generated.
*
*/
Get_Key(PasswordHash, SessionKey, 8)
/*
* The effective length of the key is reduced to 40 bits by
* replacing the first three bytes as follows:
*/
SessionKey[0] = 0xd1 ;
SessionKey[1] = 0x26 ;
SessionKey[2] = 0x9e ;
2.2. Generating 56-bit Session Keys
MPPE uses a derivative of the peer's LAN Manager password as the 56-
bit session key used for initializing the RC4 encryption tables.
The first step is to obfuscate the peer's password using the
LmPasswordHash() function (described in [2]). The first 8 octets of
the result are used as the basis for the session key generated in the
following way:
Zorn Informational [Page 3]
RFC 3079 MPPE Key Derivation March 2001
/*
* PasswordHash is the basis for the session key
* SessionKey is a copy of PasswordHash and is the generative session key
* 8 is the length (in octets) of the key to be generated.
*
*/
Get_Key(PasswordHash, SessionKey, 8)
/*
* The effective length of the key is reduced to 56 bits by
* replacing the first byte as follows:
*/
SessionKey[0] = 0xd1 ;
2.3. Generating 128-bit Session Keys
MPPE uses a derivative of the peer's Windows NT password as the 128-
bit session key used for initializing encryption tables.
The first step is to obfuscate the peer's password using
NtPasswordHash() function as described in [2]. The first 16 octets
of the result are then hashed again using the MD4 algorithm. The
first 16 octets of the second hash are used as the basis for the
session key generated in the following way:
/*
* Challenge (as described in [9]) is sent by the PPP authenticator
* during authentication and is 8 octets long.
* NtPasswordHashHash is the basis for the session key.
* On return, InitialSessionKey contains the initial session
* key to be used.
*/
Get_Start_Key(Challenge, NtPasswordHashHash, InitialSessionKey)
/*
* CurrentSessionKey is a copy of InitialSessionKey
* and is the generative session key.
* Length (in octets) of the key to generate is 16.
*
*/
Get_Key(InitialSessionKey, CurrentSessionKey, 16)
Zorn Informational [Page 4]
RFC 3079 MPPE Key Derivation March 2001
2.4. Key Derivation Functions
The following procedures are used to derive the session key.
/*
* Pads used in key derivation
*/
SHApad1[40] =
{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
SHApad2[40] =
{0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2};
/*
* SHAInit(), SHAUpdate() and SHAFinal() functions are an
* implementation of Secure Hash Algorithm (SHA-1) [7]. These are
* available in public domain or can be licensed from
* RSA Data Security, Inc.
*
* 1) InitialSessionKey is 8 octets long for 56- and 40-bit
* session keys, 16 octets long for 128 bit session keys.
* 2) CurrentSessionKey is same as InitialSessionKey when this
* routine is called for the first time for the session.
*/
Get_Key(
IN InitialSessionKey,
IN/OUT CurrentSessionKey
IN LengthOfDesiredKey )
{
SHAInit(Context)
SHAUpdate(Context, InitialSessionKey, LengthOfDesiredKey)
SHAUpdate(Context, SHAPad1, 40)
SHAUpdate(Context, CurrentSessionKey, LengthOfDesiredKey)
SHAUpdate(Context, SHAPad2, 40)
SHAFinal(Context, Digest)
memcpy(CurrentSessionKey, Digest, LengthOfDesiredKey)
}
Get_Start_Key(
IN Challenge,
Zorn Informational [Page 5]
RFC 3079 MPPE Key Derivation March 2001
IN NtPasswordHashHash,
OUT InitialSessionKey)
{
SHAInit(Context)
SHAUpdate(Context, NtPasswordHashHash, 16)
SHAUpdate(Context, NtPasswordHashHash, 16)
SHAUpdate(Context, Challenge, 8)
SHAFinal(Context, Digest)
memcpy(InitialSessionKey, Digest, 16)
}
2.5. Sample Key Derivations
The following sections illustrate 40-, 56- and 128-bit key
derivations. All intermediate values are in hexadecimal.
2.5.1. Sample 40-bit Key Derivation
Initial Values
Password = "clientPass"
Step 1: LmPasswordHash(Password, PasswordHash)
PasswordHash = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2
Step 2: Copy PasswordHash to SessionKey
SessionKey = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2
Step 3: GetKey(PasswordHash, SessionKey, 8)
SessionKey = d8 08 01 53 8c ec 4a 08
Step 4: Reduce the effective key length to 40 bits
SessionKey = d1 26 9e 53 8c ec 4a 08
2.5.2. Sample 56-bit Key Derivation
Initial Values
Password = "clientPass"
Step 1: LmPasswordHash(Password, PasswordHash)
PasswordHash = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2
Step 2: Copy PasswordHash to SessionKey
SessionKey = 76 a1 52 93 60 96 d7 83 0e 23 90 22 74 04 af d2
Step 3: GetKey(PasswordHash, SessionKey, 8)
SessionKey = d8 08 01 53 8c ec 4a 08
Zorn Informational [Page 6]
RFC 3079 MPPE Key Derivation March 2001
Step 4: Reduce the effective key length to 56 bits
SessionKey = d1 08 01 53 8c ec 4a 08
2.5.3. Sample 128-bit Key Derivation
Initial Values
Password = "clientPass"
Challenge = 10 2d b5 df 08 5d 30 41
Step 1: NtPasswordHash(Password, PasswordHash)
PasswordHash = 44 eb ba 8d 53 12 b8 d6 11 47 44 11 f5 69 89 ae
Step 2: PasswordHashHash = MD4(PasswordHash)
PasswordHashHash = 41 c0 0c 58 4b d2 d9 1c 40 17 a2 a1 2f a5 9f 3f
Step 3: GetStartKey(Challenge, PasswordHashHash, InitialSessionKey)
InitialSessionKey = a8 94 78 50 cf c0 ac ca d1 78 9f b6 2d dc dd b0
Step 4: Copy InitialSessionKey to CurrentSessionKey
CurrentSessionKey = a8 94 78 50 cf c0 ac c1 d1 78 9f b6 2d dc dd b0
Step 5: GetKey(InitialSessionKey, CurrentSessionKey, 16)
CurrentSessionKey = 59 d1 59 bc 09 f7 6f 1d a2 a8 6a 28 ff ec 0b 1e
3. Deriving Session Keys from MS-CHAP-2 Credentials
Version 2 of the Microsoft Challenge-Handshake Authentication
Protocol (MS-CHAP-2) [8] is a Microsoft-proprietary PPP
authentication protocol, providing the functionality to which LAN-
based users are accustomed while integrating the encryption and
hashing algorithms used on Windows networks.
The following sections detail the methods used to derive initial
session keys from MS-CHAP-2 credentials. 40-, 56- and 128-bit keys
are all derived using the same algorithm from the authenticating
peer's Windows NT password. The only difference is in the length of
the keys and their effective strength: 40- and 56-bit keys are 8
octets in length, while 128-bit keys are 16 octets long. Separate
keys are derived for the send and receive directions of the session.
Implementation Note
The initial session keys in both directions are derived from the
credentials of the peer that initiated the call and the challenges
used are those from the first authentication. This is true as
well for each link in a multilink bundle. In the multi-chassis
multilink case, implementations are responsible for ensuring that
the correct keys are generated on all participating machines.
Zorn Informational [Page 7]
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?