rfc1704.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

Network Working Group                                          N. Haller
Request for Comments: 1704                  Bell Communications Research
Category: Informational                                      R. Atkinson
                                               Naval Research Laboratory
                                                            October 1994


                       On Internet Authentication

Status of this Memo

   This document provides information for the Internet community.  This
   memo does not specify an Internet standard of any kind.  Distribution
   of this memo is unlimited.

1. INTRODUCTION

   The authentication requirements of computing systems and network
   protocols vary greatly with their intended use, accessibility, and
   their network connectivity.  This document describes a spectrum of
   authentication technologies and provides suggestions to protocol
   developers on what kinds of authentication might be suitable for some
   kinds of protocols and applications used in the Internet.  It is
   hoped that this document will provide useful information to
   interested members of the Internet community.

   Passwords, which are vulnerable to passive attack, are not strong
   enough to be appropriate in the current Internet [CERT94].  Further,
   there is ample evidence that both passive and active attacks are not
   uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93,
   CB94, Stoll90].  The authors of this paper believe that many
   protocols used in the Internet should have stronger authentication
   mechanisms so that they are at least protected from passive attacks.
   Support for authentication mechanisms secure against active attack is
   clearly desirable in internetworking protocols.

   There are a number of dimensions to the internetwork authentication
   problem and, in the interest of brevity and readability, this
   document only describes some of them.  However, factors that a
   protocol designer should consider include whether authentication is
   between machines or between a human and a machine, whether the
   authentication is local only or distributed across a network,
   strength of the authentication mechanism, and how keys are managed.








Haller & Atkinson                                               [Page 1]

RFC 1704               On Internet Authentication           October 1994


2. DEFINITION OF TERMS

   This section briefly defines some of the terms used in this paper to
   aid the reader in understanding these suggestions.  Other references
   on this subject might be using slightly different terms and
   definitions because the security community has not reached full
   consensus on all definitions.  The definitions provided here are
   specifically focused on the matters discussed in this particular
   document.

   Active Attack:  An attempt to improperly modify data, gain
          authentication, or gain authorization by inserting false
          packets into the data stream or by modifying packets
          transiting the data stream. (See passive attacks and replay
          attacks.)

   Asymmetric Cryptography:  An encryption system that uses different
          keys, for encryption and decryption.  The two keys have an
          intrinsic mathematical relationship to each other.  Also
          called Public~Key~Cryptography.  (See Symmetric Cryptography)

   Authentication:  The verification of the identity of the source of
          information.

   Authorization:  The granting of access rights based on an
          authenticated identity.

   Confidentiality: The protection of information so that someone not
          authorized to access the information cannot read the
          information even though the unauthorized person might see the
          information's container (e.g., computer file or network
          packet).

   Encryption: A mechanism often used to provide confidentiality.

   Integrity:  The protection of information from unauthorized
          modification.

   Key Certificate: A data structure consisting of a public key, the
          identity of the person, system, or role associated with that
          key, and information authenticating both the key and the
          association between that identity and that public key.  The
          keys used by PEM are one example of a key certificate
          [Kent93].

   Passive Attack:  An attack on an authentication system that inserts
          no data into the stream, but instead relies on being able to
          passively monitor information being sent between other



Haller & Atkinson                                               [Page 2]

RFC 1704               On Internet Authentication           October 1994


          parties.  This information could be used a later time in what
          appears to be a valid session.  (See active attack and replay
          attack.)

   Plain-text:  Unencrypted text.

   Replay Attack:  An attack on an authentication system by recording
          and replaying previously sent valid messages (or parts of
          messages).  Any constant authentication information, such as a
          password or electronically transmitted biometric data, can be
          recorded and used later to forge messages that appear to be
          authentic.

   Symmetric Cryptography: An encryption system that uses the same key
          for encryption and decryption.  Sometimes referred to as
          Secret~Key~Cryptography.

3. AUTHENTICATION TECHNOLOGIES

   There are a number of different classes of authentication, ranging
   from no authentication to very strong authentication.  Different
   authentication mechanisms are appropriate for addressing different
   kinds of authentication problems, so this is not a strict
   hierarchical ordering.

   3.1 No Authentication

      For completeness, the simplest authentication system is not to
      have any.  A non-networked PC in a private (secure) location is an
      example of where no authentication is acceptable.  Another case is
      a stand-alone public workstation, such as "mail reading"
      workstations provided at some conferences,  on which the data is
      not sensitive to disclosure or modification.

   3.2 Authentication Mechanisms Vulnerable to Passive Attacks

      The simple password check is by far the most common form of
      authentication.  Simple authentication checks come in many forms:
      the key may be a password memorized by the user, it may be a
      physical or electronic item possessed by the user, or it may be a
      unique biological feature.  Simple authentication systems are said
      to be "disclosing" because if the key is transmitted over a
      network it is disclosed to eavesdroppers.  There have been
      widespread reports of successful passive attacks in the current
      Internet using already compromised machines to engage in passive
      attacks against additional machines [CERT94].  Disclosing
      authentication mechanisms are vulnerable to replay attacks.
      Access keys may be stored on the target system, in which case a



Haller & Atkinson                                               [Page 3]

RFC 1704               On Internet Authentication           October 1994


      single breach in system security may gain access to all passwords.
      Alternatively, as on most systems, the data stored on the system
      can be enough to verify passwords but not to generate them.

   3.3 Authentication Mechanisms Vulnerable to Active Attacks

      Non-disclosing password systems have been designed to prevent
      replay attacks.  Several systems have been invented to generate
      non-disclosing passwords.  For example, the SecurID Card from
      Security Dynamics uses synchronized clocks for authentication
      information.  The card generates a visual display and thus must be
      in the possession of the person seeking authentication.  The S/Key
      (TM) authentication system developed at Bellcore generates
      multiple single use passwords from a single secret key [Haller94].
      It does not use a physical token, so it is also suitable for
      machine-machine authentication.  In addition there are challenge-
      response systems in which a device or computer program is used to
      generate a verifiable response from a non-repeating challenge.
      S/Key authentication does not require the storage of the user's
      secret key, which is an advantage when dealing with current
      untrustworthy computing systems.  In its current form, the S/Key
      system is vulnerable to a dictionary attack on the secret password
      (pass phrase) which might have been poorly chosen.  The Point-to-
      Point Protocol's CHAP challenge-response system is non-disclosing
      but only useful locally [LS92, Simpson93].  These systems vary in
      the sensitivity of the information stored in the authenticating
      host, and thus vary in the security requirements that must be
      placed on that host.

   3.4 Authentication Mechanisms Not Vulnerable to Active Attacks

      The growing use of networked computing environments has led to the
      need for stronger authentication.  In open networks, many users
      can gain access to any information flowing over the network, and
      with additional effort, a user can send information that appears
      to come from another user.

      More powerful authentication systems make use of the computation
      capability of the two authenticating parties.  Authentication may
      be unidirectional, for example authenticating users to a host
      computer system, or it may be mutual in which case the entity
      logging in is assured of the identity of the host.  Some
      authentication systems use cryptographic techniques and establish
      (as a part of the authentication process) a shared secret (e.g.,
      session key) that can be used for further exchanges.  For example,
      a user, after completion of the authentication process, might be
      granted an authorization ticket that can be used to obtain other
      services without further authentication.  These authentication



Haller & Atkinson                                               [Page 4]

RFC 1704               On Internet Authentication           October 1994


      systems might also provide confidentiality (using encryption) over
      insecure networks when required.

4. CRYPTOGRAPHY

   Cryptographic mechanisms are widely used to provide authentication,
   either with or without confidentiality, in computer networks and
   internetworks.  There are two basic kinds of cryptography and these
   are described in this section.  A fundamental and recurring problem
   with cryptographic mechanisms is how to securely distribute keys to
   the communicating parties.  Key distribution is addressed in Section
   6 of this document.

   4.1 Symmetric Cryptography

      Symmetric Cryptography includes all systems that use the same key
      for encryption and decryption.  Thus if anyone improperly obtains
      the key, they can both decrypt and read data encrypted using that
      key and also encrypt false data and make it appear to be valid.
      This means that knowledge of the key by an undesired third party
      fully compromises the confidentiality of the system.  Therefore,
      the keys used need to be distributed securely, either by courier
      or perhaps by use of a key distribution protocol, of which the
      best known is perhaps that proposed by Needham and Schroeder
      [NS78, NS87].  The widely used Data Encryption Standard (DES)
      algorithm, that has been standardized for use to protect
      unclassified civilian US Government information, is perhaps the
      best known symmetric encryption algorithm [NBS77].

      A well known system that addresses insecure open networks as a
      part of a computing environment is the Kerberos (TM)
      Authentication Service that was developed as part of Project
      Athena at MIT [SNS88, BM91, KN93].  Kerberos is based on Data
      Encryption Standard (DES) symmetric key encryption and uses a
      trusted (third party) host that knows the secret keys of all users
      and services, and thus can generate credentials that can be used
      by users and servers to prove their identities to other systems.
      As with any distributed authentication scheme, these credentials
      will be believed by any computer within the local administrative
      domain or realm.  Hence, if a user's password is disclosed, an
      attacker would be able to masquerade as that user on any system
      which trusts Kerberos.  As the Kerberos server knows all secret
      keys, it must be physically secure.  Kerberos session keys can be
      used to provide confidentiality between any entities that trust
      the key server.






Haller & Atkinson                                               [Page 5]

RFC 1704               On Internet Authentication           October 1994


   4.2 Asymmetric Cryptography

      In the late 1970s, a major breakthrough in cryptology led to the
      availability of Asymmetric Cryptography.  This is different from
      Symmetric Cryptography because different keys are used for
      encryption and decryption, which greatly simplifies the key
      distribution problem.  The best known asymmetric system is based
      on work by Rivest, Shamir, and Adleman and is often referred to as
      "RSA" after the authors' initials [RSA78].

      SPX is an experimental system that overcomes the limitations of
      the trusted key distribution center of Kerberos by using RSA
      Public Key Cryptography [TA91].  SPX assumes a global hierarchy of
      certifying authorities at least one of which is trusted by each
      party.  It uses digital signatures that consist of a token
      encrypted in the private key of the signing entity and that are
      validated using the appropriate public key.  The public keys are
      believed to be correct as they are obtained under the signature of
      the trusted certification authority.  Critical parts of the
      authentication exchange are encrypted in the public keys of the
      receivers, thus preventing a replay attack.

   4.3 Cryptographic Checksums

      Cryptographic checksums are one of the most useful near term tools
      for protocol designers.  A cryptographic checksum or message
      integrity checksum (MIC) provides data integrity and
      authentication but not non-repudiation.  For example, Secure SNMP
      and SNMPv2 both calculate a MD5 cryptographic checksum over a
      shared secret item of data and the information to be authenticated
      [Rivest92, GM93].  This serves to authenticate the data origin and
      is believed to be very difficult to forge.  It does not
      authenticate that the data being sent is itself valid, only that