/[suikacvs]/webroot/www/2004/id/draft-petke-http-auth-scheme-00.txt
Suika

Contents of /webroot/www/2004/id/draft-petke-http-auth-scheme-00.txt

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.1 - (show annotations) (download)
Tue Jun 15 08:37:16 2004 UTC (19 years, 11 months ago) by wakaba
Branch: MAIN
CVS Tags: HEAD
File MIME type: text/plain 
New
1
2
3 INTERNET-DRAFT G Brown
4 draft-petke-http-auth-scheme-00.txt CompuServe
5 Expires: 15-May-97 15 November 1996
6
7
8 Remote Passphrase Authentication
9 Part Three: HTTP Authentication Scheme
10
11
12 Status of this Memo
13
14 This document is an Internet-Draft. Internet-Drafts are working
15 documents of the Internet Engineering Task Force (IETF), its
16 areas, and its working groups. Note that other groups may also
17 distribute working documents as Internet-Drafts.
18
19 Internet-Drafts are draft documents valid for a maximum of six
20 months and may be updated, replaced, or obsoleted by other
21 documents at any time. It is inappropriate to use Internet-
22 Drafts as reference material or to cite them other than as
23 "work in progress."
24
25 To learn the current status of any Internet-Draft, please check
26 the "1id-abstracts.txt" listing contained in the Internet-
27 Drafts Shadow Directories on ftp.is.co.za (Africa),
28 nic.nordu.net (Europe), munnari.oz.au (Pacific Rim),
29 ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast).
30
31
32 Abstract
33
34 Remote Passphrase Authentication provides a way to authenticate a
35 user to a service by using a pass phrase over an insecure network,
36 without revealing the pass phrase to eavesdroppers. In addition, the
37 service need not know and does not learn the user's pass phrase,
38 making this scheme useful in distributed environments where it would
39 be difficult or inappropriate to trust a service with a pass phrase
40 database or to allow the server to learn enough to masquerade as the
41 user in a future authentication attempt.
42
43 This draft is part three of a four part series and explains how to
44 incorporate the RPA mechanism into HTTP. Part one of this series
45 (draft-petke-ext-intro-00.txt) provides an extended introduction to
46 the problems of authentication over insecure networks. Part two
47 (draft-petke-mech-00.txt) explains the RPA mechanism. Part four
48 (draft-petke-serv-deity-protocol-00.txt) explains the protocol
49 between the service and deity.
50
51 This scheme was inspired by Dave Raggett's Mediated Digest
52 Authentication paper.
53
54
55
56
57
58 G Brown [Page 1]
59
60 INTERNET-DRAFT RPA - Part Three 15 November 1996
61
62
63 Table of Contents
64
65 1. INTRODUCTION
66
67 2. USING THIS AUTHENTICATION MECHANISM IN HTTP
68 2.1 AUTHENTICATION
69 2.2 REAUTHENTICATION CHEATING
70 2.3 REAUTHENTICATION
71
72 3. SECURITY CONSIDERATIONS
73
74 4. AUTHOR'S ADDRESS
75
76
77 1. Introduction
78
79 See part two of this series (draft-petke-mech-00.txt) for an
80 explanation of the mechanism, its motivation, and its
81 specification. This part describes only the HTTP encapsulation of the
82 mechanism.
83
84
85 2. Using this authentication mechanism in HTTP
86
87 The HTTP client may indicate that it supports this authentication
88 mechanism by whatever technique is appropriate.
89
90 [For example, a header like "Extension:
91 Security/Remote-Passphrase" might be appropriate, if that
92 extension mechanism is adopted. The extension mechanism is,
93 of course, independent of authentication, but we mention it
94 here to point out the issue. Theoretically, the server does
95 not need to know ahead of time whether the client supports
96 a particular authentication scheme.]
97
98 We begin by defining a security context, which represents a logical
99 connection between a user and Web server. Because the context spans
100 HTTP connections, the server assigns a security context identifier,
101 an opaque string, when it creates a context, and it informs the
102 client of its value in the Security-Context attribute of the
103 WWW-Authenticate header. The client includes the identifier in the
104 Authorization header of subsequent requests that refer to the same
105 context.
106
107 From the client's point of view, the pair (server IP address,
108 security context identifier) uniquely identifies a context; the same
109 is essentially true for the server, although a server can make its
110 security context identifiers unique, rather than (client IP address,
111 identifier) pairs.
112
113
114
115 G Brown [Page 2]
116
117 INTERNET-DRAFT RPA - Part Three 15 November 1996
118
119
120 Note that a client might refer to the same security context from
121 different IP addresses, if he switches proxies (is that possible?).
122 Note also that the client IP address alone is not adequate to
123 identify the security context. A multiple-user host, an HTTP proxy,
124 and a SOCKS server are examples of situations in which the same IP
125 address may be involved in many security contexts. And even an
126 individual PC running two browsers falls into this category--if I
127 connect to you from both browsers, I'll establish two security
128 contexts, which might or might not refer to the same user identity.
129
130 The server should assign security context identifiers that are unique
131 over time. If the client refers to an old context identifier--the
132 user returns to his PC tomorrow morning and clicks a link that was
133 displayed yesterday--it will do no harm if that identifier had been
134 reused, but the server won't be able to recognize it as such.
135
136 The security context "contains" information appropriate to the
137 context, such as the realm name, user and service names, session key,
138 challenges, state, etc. We'll gloss over the details in this
139 explanation. Note that a session using this mechanism is secure;
140 unlike other "cookie"-type mechanisms, we do not depend on the
141 secrecy of the context identifier. However, the content of requests
142 and responses is not authenticated, in this version of the protocol.
143
144 We define the authentication scheme name "Remote-Passphrase", used as
145 described below. The client begins by making a request for which the
146 server requires identification and authentication; because there is
147 no Authorization header in the request, the server will demand
148 authentication.
149
150 All WWW-Authenticate and Authorization headers used with this scheme
151 may include a Version attribute. When omitted, as in the examples
152 below, Version="1" is implied, for this version of the protocol.
153
154
155 2.1 Authentication
156
157 The server creates a new security context, assigns it an identifier,
158 and responds 401 Unauthorized and includes the header
159
160 WWW-Authenticate:
161 Remote-Passphrase
162 Realm="compuserve.com",
163 State="Initial",
164 Realms="foo@compuserve.com
165 bar@aol.com:iso-8859-1,lc,md5",
166 Challenge="base64 encoding of service challenge",
167 Timestamp="19950808132430",
168 Security-Context="opaque"
169
170
171
172 G Brown [Page 3]
173
174 INTERNET-DRAFT RPA - Part Three 15 November 1996
175
176
177 The first token specifies the authentication scheme,
178 Remote-Passphrase. That's followed by a comma-separated list of
179 attribute-value pairs. HTTP requires the first attribute to be called
180 "Realm" and specify the realm in which the user must indicate his
181 identity, but we support multiple realms, so this is merely one realm
182 acceptable to the server, perhaps its preferred realm.
183
184 The State attribute distinguishes this as the initial request for
185 authentication.
186
187 The Realms attribute provides a list of realms in the order preferred
188 by the server, with the server's name in each realm. Each may be
189 followed by a colon and a list of parameters separated by commas, to
190 drive the transformation from pass phrase to 128-bit shared secret
191 for that particular realm. Refer to part two of this specification
192 (draft-petke-mech-00.txt) for more information about the
193 transformation.
194
195 The default transformation, if the colon and parameters are omitted,
196 is specified in part two of this specification
197 (draft-petke-mech-00.txt), the Unicode character set in
198 big-endian ("network") byte order, with all characters converted to
199 lowercase, and the MD5 hash algorithm.
200
201 Otherwise, a single parameter, "none", implies that the client must
202 already possess a 128-bit value, and no transformation from a textual
203 pass phrase is defined.
204
205 Otherwise, three parameters control the transformation from a textual
206 pass phrase to the 128-bit shared secret used by the authentication
207 mechanism, if such a transformation takes place (it might not, if the
208 client believes it already knows a 128-bit value for this user). The
209 three parameters specify the character set: Unicode 1.1
210 ("unicode-1-1") or ISO 8859-1 ("iso-8859-1"); case conversion:
211 convert to all caps ("uc"), all lowercase ("lc"), or as-is with no
212 case conversion ("nc"); and hash function: MD5 ("md5"). Omitting the
213 colon and parameters is equivalent to specifying
214 "unicode-1-1,lc,md5".
215
216 [There's no need for US-ASCII as a character set, because
217 ISO 8859-1 will give the same results. Note that these
218 parameters are part of the base authentication mechanism
219 specification; only the means of conveying them, and the
220 textual names shown above, are specific to this HTTP
221 authentication scheme. Other variations can be added, but
222 they must be added to the authentication mechanism defined
223 by part two of this specification
224 (draft-petke-mech-00.txt) as well as here in part three.]
225
226
227
228
229 G Brown [Page 4]
230
231 INTERNET-DRAFT RPA - Part Three 15 November 1996
232
233
234 We convey this information to the client because there's no reason
235 the client would otherwise know whether a particular realm's pass
236 phrases are case sensitive, etc. The server, on the other hand,
237 simply must "know" how its particular realm uses pass phrases; these
238 characteristics are a part of server's configuration along with its
239 name in the realm, deity addresses, etc.
240
241 The Challenge attribute specifies the service's challenge. It is an
242 arbitrarily long sequence of octets containing arbitrary bit
243 patterns, represented in base64. The client must decode it before
244 using it in the authentication calculations; it might contain nulls
245 or any other bit patterns. The client may decline to trust the server
246 and abort at this point, if it deems the challenge to be too short.
247
248 The Timestamp attribute specifies the server's timestamp. This is a
249 UTC date and time in the format specified by the authentication
250 standard. It may be treated as an opaque string by the client, unless
251 the client chooses to interpret it to make a judgment about its
252 reality; but beware that you probably don't have a reliable source of
253 universal time.
254
255 The Security-Context attribute contains the server-assigned security
256 context identifier, an opaque string.
257
258 The client creates its security context and repeats the request with
259 an Authorization header:
260
261 Authorization:
262 Remote-Passphrase
263 State="Initial",
264 Security-Context="opaque",
265 Realm="compuserve.com",
266 Username="70003.1215",
267 Challenge="base64 encoding of user challenge",
268 Response="base64 encoding of response"
269
270 The first token specifies the authorization scheme. That's followed
271 by the state, "Initial" for the initial authentication; the security
272 context identifier; the realm chosen by the user; the user's identity
273 in that realm; the user's challenge; and the user's response.
274
275 The service looks up the security context. If the security context
276 identifier refers to no context or refers to a context that is
277 already established, the server creates a new security context with a
278 new identifier, then responds 401 Unauthorized and includes a fresh
279 WWW-Authenticate header as shown above, with which the client can
280 repeat the request with correct authentication information.
281
282 [Or does this risk a loop? We could just respond with an
283 error.]
284
285
286 G Brown [Page 5]
287
288 INTERNET-DRAFT RPA - Part Three 15 November 1996
289
290
291 Any existing security context is unaffected; if I send you a request
292 that specifies someone else's security context, you should not delete
293 his context.
294
295 Otherwise--the context identifier is recognized and that context is
296 in the awaiting authentication state--the server performs the
297 authentication process.
298
299 The server may verify that the client's IP address matches that in
300 the previous request that created the "pending" context. The only
301 risk is that someone might change proxies at whim, which seems
302 unlikely.
303
304 If the authentication process fails, the server refuses to process
305 the request, but does not delete the "pending" security context. It
306 generates a 401 Unauthorized response with a WWW-Authenticate header
307 that indicates failure:
308
309 WWW-Authenticate:
310 Remote-Passphrase
311 Realm="nonsense",
312 State="Failed"
313
314 It is up to the client to try the request again (without an
315 Authorization header), restarting the entire process, if it believes
316 that it was using the wrong pass phrase but it now has the right pass
317 phrase.
318
319 [Sending another "Initial" WWW-Authenticate header would
320 provoke a loop: the browser would calculate a new response
321 and retry the request, which is pointless if the browser's
322 idea of the pass phrase is wrong, so we indicate the
323 failure.]
324
325 [One could argue that the browser should forget whichever
326 cached pass phrase it used, in order to prompt for it again
327 if the user tries to next time. But the pass phrase might
328 have been correct, depending on what exactly went wrong at
329 the server.]
330
331 Otherwise, having successfully authenticated the user, the server
332 processes the client's request and returns an appropriate response,
333 including in its reply:
334
335 WWW-Authenticate:
336 Remote-Passphrase
337 Realm="realm in use",
338 State="Authenticated",
339 Session-Key="base64 encoding of session key",
340 Response="base64 encoding of response"
341
342
343 G Brown [Page 6]
344
345 INTERNET-DRAFT RPA - Part Three 15 November 1996
346
347
348 The "Authenticated" state indicates that the user was successfully
349 authenticated, and includes the session key, masked so only the user
350 can extract it (Kusu), and the authentication deity's proof of the
351 service's identity (Au, not Rs). The realm is ignorable, but should
352 indicate the realm in which the identity was authenticated.
353
354
355 2.2 Reauthentication cheating
356
357 In subsequent requests, the client tries to cheat by including an
358 Authorization header in its request:
359
360 Authorization:
361 Remote-Passphrase
362 State="Cheating",
363 Security-Context="opaque",
364 Response="base64 encoding of response"
365
366 where the response is calculated based on the previously agreed-upon
367 values plus the canonicalized method and URI of this request as
368 explained in part two of this specification
369 (draft-petke-mech-00.txt).
370
371 [The HTTP specification suggests that clients be allowed to
372 replay the previous Authorization header, but it includes
373 an escape clause--"for a period of time determined by the
374 authentication scheme"--so we simply declare that period of
375 time to be zero.]
376
377 If the server is willing to accept the use of reauthentication
378 cheating, and the response is correct, the server processes the
379 request without comment. If it recognizes the security context but is
380 not willing to cheat--e.g., it recognizes a replay--the server
381 demands reauthentication. If it does not recognize the security
382 context or if it recognizes the context but the client's response is
383 incorrect, the server demands authentication but does not delete the
384 existing security context.
385
386 [Perhaps the user is referring to a security context that
387 has expired because it's been a long time since the user
388 last referred to it. And this can happen legitimately, if
389 the user refers to an expired security context and the
390 server reuses context identifiers. We do not delete an
391 existing context because that would provide a way for an
392 attacker to delete security contexts.]
393
394 In either of these cases, the server responds 401 Unauthorized and
395 includes the appropriate WWW-Authenticate header. To require
396 authentication, refer to the preceding section; to require
397 reauthentication, refer to the next section.
398
399
400 G Brown [Page 7]
401
402 INTERNET-DRAFT RPA - Part Three 15 November 1996
403
404
405 2.3 Reauthentication
406
407 If the server chooses to require reauthentication, it replies 401
408 Unauthorized and includes the header
409
410 WWW-Authenticate:
411 Remote-Passphrase
412 Realm="realm in use",
413 State="Reauthenticate",
414 Challenge="base64 encoding of service challenge"
415
416 The client retries the request with an Authorization field:
417
418 Authorization:
419 Remote-Passphrase
420 State="Reauthenticate",
421 Security-Context="opaque",
422 Challenge="base64 encoding of user challenge",
423 Response="base64 encoding of response"
424
425 If the response is correct--the user has proven his knowledge of the
426 previously generated Kus for this context--the server processes the
427 request and includes in its reply:
428
429 WWW-Authenticate:
430 Remote-Passphrase
431 Realm="realm in use",
432 State="Reauthenticated",
433 Response="base64 encoding of response"
434
435 The past-tense state indicates successful reauthentication, and
436 includes the server's response; this response is of debatable
437 relevance to HTTP, of course, given that the client's use of
438 reauthentication cheating implies its willingness to trust that the
439 server's identity has not changed.
440
441 If the client's response is incorrect, the server does not process
442 the request. However, there's a possibility that the client attempted
443 to do reauthentication with an old security context identifier that
444 has been reused by the server. Although the server should avoid
445 reusing security context identifiers, it can attempt to avert the
446 problem by forcing authentication by responding 401 Unauthorized and
447 including the header described above under Authentication.
448
449
450 3. Security Considerations
451
452 This entire document is about security.
453
454
455
456
457 G Brown [Page 8]
458
459 INTERNET-DRAFT RPA - Part Three 15 November 1996
460
461
462 4. Author's Address
463
464 Gary S. Brown
465 CompuServe Incorporated
466 5000 Britton Rd
467 P.O. Box 5000
468 Hilliard OH 43026-5000
469 USA
470
471 +1 614 723 1127
472 <gsb@csi.compuserve.com>
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514 G Brown [Page 9]
515
516
admin@suikawiki.org
 ViewVC Help
Powered by ViewVC 1.1.24