]> Huawei Technologies

guowei90@huawei.com

Huawei Technologies

frank.xialiang@huawei.com

Huawei Technologies

liji100@huawei.com

Huawei Technologies

Yong.Li1@huawei.com

General Internet Engineering Task Force keyword1 keyword2 keyword3 This document defines a new two-factor authentication mechanism for the Kerberos SPAKE pre-authentication. The mechanism uses the time-based one-time password (TOTP) as a second factor, and combines it with the password factor in a more secure way, which can prevent attackers from both impersonating Kerberos clients and obtaining TGTs' session keys in case of any factor leakage.

Introduction A password-derived long-term key is commonly used in the Kerberos pre-authentication stage to protect messages exchanged between a Kerberos client and a Key Distribution Center (KDC). As noted in , an attacker can mount brute-force password attacks via eavesdropping a legitimate credential returned by the KDC or a legitimate authentication message sent by the client, which are both encrypted by the long-term key. A Kerberos SPAKE pre-authentication mechanism is proposed in , it uses a simple password-authenticated key exchange (SPAKE) to protect against brute-force password attacks, and additionally enables two-factor authentication (2FA). For example, the second-factor (SF) authentication may include one-time passwords, challenge/response signatures, and biometric data. As suggested in , the SF authentication data can be first encrypted using the key established by the SPAKE and then securely transferred from the client to the KDC for verification, where the password verification happens implicitly by a successful decryption of the SF authentication data. However, this 2FA methodology does not achieve the security of true two-factor authentication, which requires that the compromise of any factor will not affect the security of whole 2FA protocol. More specifically, in case of password leakage, an attacker can use the leaked password to successfully perform a man-in-the-middle (MITM) attack against the Kerberos SPAKE, i.e., the client establishes a Kerberos SPAKE session A with the attacker and the attacker establishes a Kerberos SPAKE session B with the KDC. In this case, the attacker can obtain the SF authentication data in plaintext from the session A, and can use it as a valid second-factor in session B. Therefore, only the password factor allows the attacker to pass the KDC's two-factor authentication. To remedy the above problem, this document defines a new two-factor authentication mechanism for the Kerberos SPAKE pre-authentication, which uses the widely deployed time-based one-time password (TOTP) as a second factor. The mechanism combines the second factor with the password factor in the following way: the resulting TOTP value is combined with the password-derived long-term key to derive a shared secret, which will be used as an input of the SPAKE algorithm. Therefore, the password and the TOTP value are both protected by the SPAKE to defend against brute-force attacks and required to compute the SPAKE result, and the final encryption keys contain the entropy of both factors. As a result, if an attacker compromises either of factors, it also needs to obtain another factor's authentication data to derive the final encryption keys, which are necessary to pass the two-factor authentication or obtain the TGT's session key. But this is hard to do if the authentication of another factor is still secure.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The terms "encryption type" and "random-to-key" are defined in .

Kerberos SPAKE Pre-authentication with Second-Factor TOTP

Two-Factor Authentication Overview The SPAKE algorithm combined with the TOTP algorithm can be generally described in the following steps:

• Calculation of a shared TOTP value.
• Calculation of an update reply key from the initial reply key and the TOTP value.
• Calculation and exchange of the public key using the update reply key.
• Calculation of a shared SPAKE result (K).
• Derivation of an encryption key (K').
• Verification of the derived encryption key (K').

In this mechanism, key verification happens implicitly by a successful decryption of the SF challenge data specific to the second-factor TOTP.

Introduction of the TOTP Algorithm As defined in , the HOTP algorithm is based on the HMAC-SHA-1 algorithm and is computed as follows: where K and C represent the shared secret and counter value, and Truncate represents the function that can convert an HMAC-SHA-1 value into an HOTP value; see for detailed definitions. Recall that in , the TOTP algorithm is defined as TOTP = HOTP(K, T), where T is an integer and represents the number of time steps between the initial counter time T0 (default value is 0, i.e., the Unix epoch) and the current Unix time. Note that TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, please refer to .

Definition of the Second-Factor TOTP Recall that in , each second factor is represented by a SPAKESecondFactor. The type field is a unique integer that identifies the second-factor type, and the data field contains optional challenge data. This document defines the type as an integer 2 to identify the second-factor TOTP, and defines the data as a random nonce whose length SHOULD match the multiplier length of the negotiated group, where the multiplier length is defined in .

SPAKE Parameters and Conversions Note that the TOTP value is a low-entropy secret, so it can also be protected by the SPAKE to protect against brute-force attacks. More specifically, an update reply key is produced from the initial reply key and the TOTP value as follows, which is used as an input to the SPAKE.

• A pepper string is generated by concatenating the string "SF-TOTP" and the TOTP value as an octet string.
• An octet string is derived using PRF+(initial-reply-key, pepper), where PRF+ is defined in .
• An update reply key is produced from the octet string using the random-to-key function, which has the same encryption type as the initial reply key.

The SPAKE algorithm requires a shared secret input w to be used as a scalar multiplier. Similar to the computation in , this value MUST be produced from the update reply key as follows:

• Determine the length of the multiplier octet string as defined in the "Kerberos SPAKE Groups" registry (see ).
• Compose a pepper string by concatenating the string "SPAKEsecret" and the group number as a big-endian four-byte two's complement binary number.
• Produce an octet string of the required length using PRF+(update-reply-key, pepper), where PRF+ is as defined in .
• Convert the octet string to a multiplier scalar using the multiplier conversion method defined in the "Kerberos SPAKE Groups" registry (see ).

Key Derivation The 2FA protocol requires encryption keys to be used for client verification and TGT issuance. Similar to the computation in , the key K'[n] is computed as follows:

• The key K'[n] has the same encryption type as the update reply key, and has the value KRB-FX-CF2(update-reply-key, intermediate-key, "SPAKE", "keyderiv"), where KRB-FX-CF2 is defined in .

Note that the update reply key and the intermediate key both contain the entropy of the password and TOTP factors.

Second-Factor Types This document defines one second-factor type: This second-factor type indicates that the TOTP second factor is used.

IANA Considerations This document defines a new second-factor type "SF-TOTP" with the following contents, and requests that IANA add it to the "Kerberos Second-Factor Types" Registry defined in .

Normative References This document provides an overview and specification of Version 5 of the Kerberos protocol, and it obsoletes RFC 1510 to clarify aspects of the protocol and its intended use that require more detailed or clearer explanation than was provided in RFC 1510. This document is intended to provide a detailed description of the protocol, suitable for implementation, together with descriptions of the appropriate use of protocol messages and fields within those messages. [STANDARDS-TRACK] This document defines a new pre-authentication mechanism for the Kerberos protocol. The mechanism uses a password-authenticated key exchange (PAKE) to prevent brute-force password attacks, and it may incorporate a second factor. This document describes SPAKE2, which is a protocol for two parties that share a password to derive a strong shared key without disclosing the password. This method is compatible with any group, is computationally efficient, and has a security proof. This document predated the Crypto Forum Research Group (CFRG) password-authenticated key exchange (PAKE) competition, and it was not selected; however, given existing use of variants in Kerberos and other applications, it was felt that publication was beneficial. Applications that need a symmetric PAKE, but are unable to hash onto an elliptic curve at execution time, can use SPAKE2. This document is a product of the Crypto Forum Research Group in the Internet Research Task Force (IRTF). This document describes an extension of the One-Time Password (OTP) algorithm, namely the HMAC-based One-Time Password (HOTP) algorithm, as defined in RFC 4226, to support the time-based moving factor. The HOTP algorithm specifies an event-based OTP algorithm, where the moving factor is an event counter. The present work bases the moving factor on a time value. A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable for enhanced security. The proposed algorithm can be used across a wide range of network applications, from remote Virtual Private Network (VPN) access and Wi-Fi network logon to transaction-oriented Web applications. The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations. This document is not an Internet Standards Track specification; it is published for informational purposes. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document describes a framework for defining encryption and checksum mechanisms for use with the Kerberos protocol, defining an abstraction layer between the Kerberos protocol and related protocols, and the actual mechanisms themselves. The document also defines several mechanisms. Some are taken from RFC 1510, modified in form to fit this new framework and occasionally modified in content when the old specification was incorrect. New mechanisms are presented here as well. This document does NOT indicate which mechanisms may be considered "required to implement". [STANDARDS-TRACK] Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a facility called pre-authentication. Pre-authentication mechanisms can use this facility to extend the Kerberos protocol and prove the identity of a principal. This document describes a more formal model for this facility. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact. This document also provides common tools needed by multiple pre-authentication mechanisms. One of these tools is a secure channel between the client and the key distribution center with a reply key strengthening mechanism; this secure channel can be used to protect the authentication exchange and thus eliminate offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm. [STANDARDS-TRACK] This document describes an algorithm to generate one-time password values, based on Hashed Message Authentication Code (HMAC). A security analysis of the algorithm is presented, and important parameters related to the secure deployment of the algorithm are discussed. The proposed algorithm can be used across a wide range of network applications ranging from remote Virtual Private Network (VPN) access, Wi-Fi network logon to transaction-oriented Web applications. This work is a joint effort by the OATH (Open AuTHentication) membership to specify an algorithm that can be freely distributed to the technical community. The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations. This memo provides information for the Internet community.