📄 rfc1704.txt

   implement a secure distributed or networked application through use
   of standard security programming interfaces [Linn93a].

8. FUTURE DIRECTIONS

   Systems are moving towards the cryptographically stronger
   authentication mechanisms described earlier.  This move has two
   implications for future systems.  We can expect to see the
   introduction of non-disclosing authentication systems in the near
   term and eventually see more widespread use of public key
   crypto-systems.  Session authentication, integrity, and privacy
   issues are growing in importance.  As computer-to-computer
   communication becomes more important, protocols that provide simple
   human interfaces will become less important.  This is not to say that
   human interfaces are unimportant; they are very important.  It means
   that these interfaces are the responsibility of the applications, not
   the underlying protocol.  Human interface design is beyond the scope
   of this memo.

   The use of public key crypto-systems for user-to-host authentication
   simplifies many security issues, but unlike simple passwords, a
   public key cannot be memorized.  As of this writing, public key sizes
   of at least 500 bits are commonly used in the commercial world.  It
   is likely that larger key sizes will be used in the future.  Thus,
   users might have to carry their private keys in some electrically
   readable form.  The use of read-only storage, such as a floppy disk
   or a magnetic stripe card provides such storage, but it might require
   the user to trust their private keys to the reading device.  Use of a
   smart card, a portable device containing both storage and program
   might be preferable.  These devices have the potential to perform the
   authenticating operations without divulging the private key they
   contain.  They can also interact with the user requiring a simpler
   form of authentication to "unlock" the card.

Haller & Atkinson                                              [Page 12]

RFC 1704               On Internet Authentication           October 1994

   The use of public key crypto-systems for host-to-host authentication
   appears not to have the same key memorization problem as the
   user-to-host case does.  A multiuser host can store its key(s) in
   space protected from users and obviate that problem.  Single user
   inherently insecure systems, such as PCs and Macintoshes, remain
   difficult to handle but the smart card approach should also work for
   them.

   If one considers existing symmetric algorithms to be 1-key
   techniques, and existing asymmetric algorithms such as RSA to be
   2-key techniques, one might wonder whether N-key techniques will be
   developed in the future (i.e., for values of N larger than 2).  If
   such N-key technology existed, it might be useful in creating
   scalable multicast key distribution protocols.  There is work
   currently underway examining the possible use of the Core Based Tree
   (CBT) multicast routing technology to provide scalable multicast key
   distribution [BFC93].

   The implications of this taxonomy are clear.  Strong cryptographic
   authentication is needed in the near future for many protocols.
   Public key technology should be used when it is practical and
   cost-effective.  In the short term, authentication mechanisms
   vulnerable to passive attack should be phased out in favour of
   stronger authentication mechanisms.  Additional research is needed to
   develop improved key management technology and scalable multicast
   security mechanisms.

SECURITY CONSIDERATIONS

   This entire memo discusses Security Considerations in that it
   discusses authentication technologies and needs.

ACKNOWLEDGEMENTS

   This memo has benefited from review by and suggestions from the
   IETF's Common Authentication Technology (CAT) working group, chaired
   by John Linn, and from Marcus J. Ranum.

REFERENCES

   [Anderson84]  Anderson, B., "TACACS User Identification Telnet
   Option", RFC 927, BBN, December 1984.

   [Balenson93]  Balenson, D., "Privacy Enhancement for Internet
   Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC
   1423, TIS, IAB IRTF PSRG, IETF PEM WG, February 1993.

   [BFC93]  Ballardie, A., Francis, P., and J. Crowcroft, "Core Based
   Trees (CBT) An Architecture for Scalable Inter-Domain Multicast
   Routing", Proceedings of ACM SIGCOMM93, ACM, San Francisco, CA,
   September 1993, pp. 85-95.

   [Bellovin89]  Bellovin, S., "Security Problems in the TCP/IP Protocol
   Suite", ACM Computer Communications Review, Vol. 19, No. 2, March
   1989.

   [Bellovin92]  Bellovin, S., "There Be Dragons", Proceedings of the
   3rd Usenix UNIX Security Symposium, Baltimore, MD, September 1992.

   [Bellovin93]  Bellovin, S., "Packets Found on an Internet", ACM
   Computer Communications Review, Vol. 23, No. 3, July 1993, pp. 26-31.

   [BM91]  Bellovin S., and M. Merritt, "Limitations of the Kerberos
   Authentication System", ACM Computer Communications Review, October
   1990.

   [Bishop]  Bishop, M., "A Security Analysis of Version 2 of the
   Network Time Protocol NTP: A report to the Privacy & Security
   Research Group", Technical Report PCS-TR91-154, Department of
   Mathematics & Computer Science, Dartmouth College, Hanover, New
   Hampshire.

   [CB94]  Cheswick W., and S. Bellovin, "Chapter 10: An Evening with
   Berferd", Firewalls & Internet Security, Addison-Wesley, Reading,
   Massachusetts, 1994.  ISBN 0-201-63357-4.

   [CERT94]  Computer Emergency Response Team, "Ongoing Network
   Monitoring Attacks", CERT Advisory CA-94:01, available by anonymous
   ftp from cert.sei.cmu.edu, 3 February 1994.

   [CFSD88]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
   "Simple Network Management Protocol", RFC 1067, University of
   Tennessee at Knoxville, NYSERNet, Inc., Rensselaer Polytechnic
   Institute, Proteon, Inc., August 1988.

   [DH76]  Diffie W., and M. Hellman, "New Directions in Cryptography",
   IEEE Transactions on Information Theory, Volume IT-11, November 1976,
   pp. 644-654.

   [GM93]  Galvin, J., and K. McCloghrie, "Security Protocols for
   Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC
   1446, Trusted Information Systems, Hughes LAN Systems, April 1993.

   [Haller94]  Haller, N., "The S/Key One-time Password System",
   Proceedings of the Symposium on Network & Distributed Systems
   Security, Internet Society, San Diego, CA, February 1994.

   [Kaufman93]  Kaufman, C., "Distributed Authentication Security
   Service (DASS)", RFC 1507, Digital Equipment Corporation, September
   1993.

   [Kaliski93]  Kaliski, B., "Privacy Enhancement for Internet
   Electronic Mail: Part IV: Key Certification and Related Services",
   RFC 1424, RSA Laboratories, February 1993.

   [Kantor91]  Kantor, B., "BSD Rlogin", RFC 1258, Univ. of Calif San
   Diego, September 1991.

   [Kent93]  Kent, S., "Privacy Enhancement for Internet Electronic
   Mail: Part II: Certificate-Based Key Management", RFC 1422, BBN, IAB
   IRTF PSRG, IETF PEM, February 1993.

   [KN93]  Kohl, J., and C. Neuman, "The Kerberos Network Authentication
   Service (V5)", RFC 1510, Digital Equipment Corporation,
   USC/Information Sciences Institute, September 1993.

   [Linn93]  Linn, J., "Privacy Enhancement for Internet Electronic
   Mail: Part I: Message Encryption and Authentication Procedures", RFC
   1421, IAB IRTF PSRG, IETF PEM WG, February 1993.

   [Linn93a]  Linn, J., "Common Authentication Technology Overview", RFC
   1511, Geer Zolot Associate, September 1993.

   [LS92]  Lloyd B., and W. Simpson, "PPP Authentication Protocols", RFC
   1334, L&A, Daydreamer, October 1992.

   [LR91]  Lougheed K., and Y. Rekhter, "A Border Gateway Protocol 3
   (BGP-3)", RFC 1267, cisco Systems, T.J. Watson Research Center, IBM
   Corp., October 1991.

   [Mills92]  Mills, D., "Network Time Protocol (Version 3) -
   Specification, Implementation, and Analysis", RFC 1305, UDEL, March
   1992.

   [NBS77]  National Bureau of Standards, "Data Encryption Standard",
   Federal Information Processing Standards Publication 46, Government
   Printing Office, Washington, DC, 1977.

   [NS78]  Needham, R., and M. Schroeder, "Using Encryption for
   Authentication in Large Networks of Computers", Communications of the
   ACM, Vol. 21, No. 12, December 1978.

   [NS87]  Needham, R., and M. Schroeder, "Authentication Revisited",
   ACM Operating Systems Review, Vol. 21, No. 1, 1987.

   [PR85]  Postel J., and J. Reynolds, "File Transfer Protocol", STD 9,
   RFC 959, USC/Information Sciences Institute, October 1985.

   [Moy91]  Moy, J., "OSPF Routing Protocol, Version 2", RFC 1247,
   Proteon, Inc., July 1991.

   [RSA78]  Rivest, R., Shamir, A., and L. Adleman, "A Method for
   Obtaining Digital Signatures and Public Key Crypto-systems",
   Communications of the ACM, Vol. 21, No. 2, February 1978.

   [Rivest92]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
   MIT Laboratory for Computer Science and RSA Data Security, Inc.,
   April 1992.

   [Simpson93]  Simpson, W., "The Point to Point Protocol", RFC 1548,
   Daydreamer, December 1993.

   [SNS88]  Steiner, J., Neuman, C., and J. Schiller, "Kerberos: An
   Authentication Service for Open Network Systems", USENIX Conference
   Proceedings, Dallas, Texas, February 1988.

   [Stoll90]  Stoll, C., "The Cuckoo's Egg: Tracking a Spy Through the
   Maze of Computer Espionage", Pocket Books, New York, NY, 1990.

   [TA91]  Tardo J., and K. Alagappan, "SPX: Global Authentication Using
   Public Key Certificates", Proceedings of the 1991 Symposium on
   Research in Security & Privacy, IEEE Computer Society, Los Alamitos,
   California, 1991. pp. 232-244.

AUTHORS' ADDRESSES

   Neil Haller
   Bell Communications Research
   445 South Street  -- MRE 2Q-280
   Morristown, NJ 07962-1910

   Phone: (201) 829-4478
   EMail: nmh@thumper.bellcore.com

   Randall Atkinson
   Information Technology Division
   Naval Research Laboratory
   Washington, DC 20375-5320

   Phone: (DSN) 354-8590
   EMail: atkinson@itd.nrl.navy.mil
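
The smart card behaviour described in Section 8 (the card performs the authenticating operation without divulging its private key, and requires a simpler authentication to "unlock" it), as an added example that is not part of RFC 1704. The `SmartCard` class, the PIN retry limit of 3, the challenge size and the toy RSA key are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes so the example runs
# with the standard library only; far too small and structured for real use.
_P, _Q, E = 2**127 - 1, 2**89 - 1, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))

def digest_int(message: bytes) -> int:
    """Hash the message to an integer below the modulus (no padding: toy only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

class SmartCard:
    """Hypothetical card: holds the private exponent, exports only signatures."""
    MAX_TRIES = 3                          # assumed retry limit before blocking

    def __init__(self, pin: str):
        self.__d = _D                      # never returned by any method
        self.__pin = pin
        self.tries_left = self.MAX_TRIES
        self.unlocked = False

    def unlock(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False                   # blocked: even the right PIN is refused
        if secrets.compare_digest(pin.encode(), self.__pin.encode()):
            self.unlocked, self.tries_left = True, self.MAX_TRIES
        else:
            self.unlocked = False
            self.tries_left -= 1
        return self.unlocked

    def sign(self, challenge: bytes) -> int:
        if not self.unlocked:
            raise PermissionError("card is locked")
        return pow(digest_int(challenge), self.__d, N)

def host_verify(challenge: bytes, signature: int) -> bool:
    """Host side: needs only the public key (N, E) registered for the user."""
    return pow(signature, E, N) == digest_int(challenge)

def login(card: SmartCard, pin: str) -> bool:
    """One login: a fresh random challenge, so a captured response is useless later."""
    challenge = secrets.token_bytes(16)
    return card.unlock(pin) and host_verify(challenge, card.sign(challenge))
```

The host and the card reader see only the challenge and the signature; the PIN guards use of the key on the card rather than serving as the network credential.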
