draft-ietf-kitten-digest-to-historic-01.txt vs. draft-ietf-kitten-digest-to-historic-02.txt
(rfcdiff output; the text below follows the -02 version. The -01 draft was
dated September 14, 2010 and expired March 18, 2011.)

Kitten Working Group                                              A. Melnikov
Internet-Draft                                                  Isode Limited
Intended status: Informational                             September 22, 2010
Expires: March 26, 2011

                        Moving DIGEST-MD5 to Historic
                  draft-ietf-kitten-digest-to-historic-02
Abstract

   This memo describes problems with the DIGEST-MD5 Simple
   Authentication and Security Layer (SASL) mechanism as specified in
   RFC 2831.  It recommends that DIGEST-MD5 be marked as OBSOLETE in
   the IANA Registry of SASL mechanisms, and that RFC 2831 be moved to
   Historic status.
Note

skipping to change at page 1, line 41
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 26, 2011.
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 3, line 19

   2.  Security Considerations . . . . . . . . . . . . . . . . . . .  6
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  6
   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  6
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  7
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  7
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  7
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  8
1.  Overview

   [RFC2831] defined how HTTP Digest Authentication [RFC2617] can be
   used as a Simple Authentication and Security Layer (SASL) [RFC4422]
   mechanism for any protocol that has a SASL profile.  It was intended
   both as an improvement over CRAM-MD5 [RFC2195] and as a convenient
   way to support a single authentication mechanism for web, email,
   LDAP, and other protocols.  While it can be argued that it was an
   improvement over CRAM-MD5, many implementors commented that the
   additional complexity of DIGEST-MD5 made it difficult to implement
   fully and securely.

   Below is an incomplete list of problems with the DIGEST-MD5 mechanism
   as specified in RFC 2831:
   1.  The mechanism had too many options and modes.  Some of them were
       not well described and were not widely implemented.  For example,
       DIGEST-MD5 allowed the "qop" directive to contain multiple

skipping to change at page 5, line 19
       is an MD5 hash of colon separated username, realm and password.
       Implementations may choose to store inner hashes instead of clear
       text passwords.  While this has some useful properties, such as
       protecting other servers that hold the same username and password
       from the compromise of one server's authentication database, this
       was rarely done in practice.  Firstly, the inner hash is not
       compatible with widely deployed Unix password databases, and
       second, changing the username would invalidate the inner hash.

   5.  The descriptions of the DES/3DES [DES] and RC4 security layers
       are inadequate to produce independently-developed interoperable
       implementations.  In the DES/3DES case this was partly a problem
       with existing DES APIs.

   6.  The DIGEST-MD5 outer hash (the value of the "response" directive)
       didn't protect the whole authentication exchange, which made the
       mechanism vulnerable to "man in the middle" (MITM) attacks, such
       as modification of the list of supported qops or ciphers.

   7.  The following features are missing from DIGEST-MD5, which make it
       insecure or unsuitable for use in protocols:

       A.  Lack of channel bindings [RFC5056].

       B.  Lack of hash agility.

       C.  Lack of support for SASLPrep [RFC4013] or any other type of
           Unicode character normalization of usernames and passwords.
           The original DIGEST-MD5 document predates SASLPrep and
           doesn't recommend any Unicode character normalization.

   8.  The cryptographic primitives in DIGEST-MD5 are not up to today's
       standards, in particular:

       A.  The MD5 hash is sufficiently weak to make a brute force
           attack on DIGEST-MD5 easy with common hardware [MD5].

       B.  Using the RC4 algorithm for the security layer without
           discarding the initial key stream output is prone to attack
           [RC4].

       C.  The DES cipher for the security layer is considered insecure
           due to its small key space [RFC3766].
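   As an added illustration of problems 4 and 6 above (example code
   written for this page, not text or code from the draft or from
   RFC 2831), the following Python computes the RFC 2831 inner hash and
   response-value, shows that a stored inner hash no longer verifies
   once the username changes, and reports which server challenge
   directives can be altered without changing the client's response.
   All sample values (realm, nonces, password, digest-uri) are
   constructed.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def inner_hash(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 H(username:realm:password): the 16-octet value a server
    may store instead of the clear-text password (problem 4)."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))

def response(inner: bytes, nonce: str, cnonce: str, nc: str, qop: str,
             digest_uri: str) -> str:
    """RFC 2831 response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    with A1 = inner:nonce:cnonce (inner hash as raw octets, not hex) and
    A2 = AUTHENTICATE:digest-uri, plus 32 zeros when qop is not "auth"."""
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}" + ("" if qop == "auth" else ":" + "0" * 32)
    ha1, ha2 = H(a1).hex(), H(a2.encode("utf-8")).hex()
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hex()

# Constructed sample values (not from the draft); the client nonce and
# nonce-count are fixed so responses are comparable between calls.
CNONCE, NC, URI = "cnonce-constructed", "00000001", "imap/mail.example.test"
CHALLENGE = {"realm": "example.test", "nonce": "nonce-constructed",
             "qop": "auth,auth-int,auth-conf", "cipher": "rc4,3des"}

def client_response(username: str, password: str, challenge: dict) -> str:
    """Client side: choose qop "auth" if offered, then hash. Only values
    passed to response() are covered by the outer hash; the offered
    "qop" and "cipher" lists are not."""
    qop = "auth" if "auth" in challenge["qop"].split(",") else "auth-int"
    inner = inner_hash(username, challenge["realm"], password)
    return response(inner, challenge["nonce"], CNONCE, NC, qop, URI)

def server_verify(stored_inner: bytes, resp: str, qop: str = "auth") -> bool:
    """Server side: recompute from the stored inner hash and compare."""
    return response(stored_inner, CHALLENGE["nonce"], CNONCE, NC, qop, URI) == resp

def rename_invalidates_stored_hash() -> bool:
    """Problem 4: the stored inner hash is bound to the username, so an
    account rename that keeps the stored hash breaks authentication."""
    stored = inner_hash("alice", "example.test", "correct horse")
    ok = server_verify(stored, client_response("alice", "correct horse", CHALLENGE))
    renamed = server_verify(stored, client_response("alice.smith", "correct horse", CHALLENGE))
    return ok and not renamed

def unauthenticated_directives(tampered: dict) -> set:
    """Problem 6: change one challenge directive at a time and return
    those whose change leaves the client's response identical."""
    base = client_response("alice", "correct horse", CHALLENGE)
    return {k for k, v in tampered.items()
            if client_response("alice", "correct horse", {**CHALLENGE, k: v}) == base}
```

   Because the offered qop and cipher lists never enter the hash, the
   server cannot distinguish a client that saw the full list from one
   that saw a stripped list; the nonce and realm, by contrast, are bound.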
   Note that most of the problems listed above are already present in
   the HTTP Digest authentication mechanism.

   Because DIGEST-MD5 was defined as an extensible mechanism, it would
   be possible to fix most of the problems listed above.  However, this
   would increase implementation complexity of an already complex
   mechanism even further, so the effort would not be worth the cost.
   In addition, an implementation of a "fixed" DIGEST-MD5 specification
   would likely either not interoperate with any existing implementation
skipping to change at page 6, line 44

   IANA is requested to change the "Intended usage" of the DIGEST-MD5
   mechanism registration in the SASL mechanism registry to OBSOLETE.
   The SASL mechanism registry is specified in [RFC4422] and is
   currently available at:
   http://www.iana.org/assignments/sasl-mechanisms
4.  Acknowledgements

   The author gratefully acknowledges the feedback provided by Chris
   Newman, Simon Josefsson, Kurt Zeilenga, Sean Turner and Abhijit
   Menon-Sen.  [[anchor3: Various text was copied from other RFCs.]]
5.  References

5.1.  Normative References

   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
              Leach, P., Luotonen, A., and L. Stewart, "HTTP
              Authentication: Basic and Digest Access Authentication",
              RFC 2617, June 1999.

   [RFC2831]  Leach, P. and C. Newman, "Using Digest Authentication as a
              SASL Mechanism", RFC 2831, May 2000.

skipping to change at page 7, line 19
5.2.  Informative References

   [DES]      National Institute of Standards and Technology, "Data
              Encryption Standard (DES)", FIPS PUB 46-3, October 1999.

   [MD5]      Turner, S. and L. Chen, "Updated Security Considerations
              for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
              draft-turner-md5-seccon-update-02.txt (work in progress),
              July 2010.

   [RC4]      Strombergson, J. and S. Josefsson, "Test vectors for the
              stream cipher RC4",
              draft-josefsson-rc4-test-vectors-01.txt (work in
              progress), June 2010.

   [RFC0822]  Crocker, D., "Standard for the format of ARPA Internet
              text messages", STD 11, RFC 822, August 1982.

   [RFC2195]  Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP
              AUTHorize Extension for Simple Challenge/Response",
              RFC 2195, September 1997.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, April 2004.

   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
              and Passwords", RFC 4013, February 2005.

   [RFC4422]  Melnikov, A. and K. Zeilenga, "Simple Authentication and
              Security Layer (SASL)", RFC 4422, June 2006.

   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
              Channels", RFC 5056, November 2007.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC5802]  Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams,
              "Salted Challenge Response Authentication Mechanism
              (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010.
Author's Address

   Alexey Melnikov
End of changes.  16 change blocks; 20 lines changed or deleted, 43 lines
changed or added.  This html diff was produced by rfcdiff 1.39
(http://tools.ietf.org/tools/rfcdiff/).