Internet Engineering Task Force (IETF) A. Melnikov Request for Comments: 5803 Isode Limited Category: Informational July 2010 ISSN: 2070-1721
Internet Engineering Task Force (IETF) A. Melnikov Request for Comments: 5803 Isode Limited Category: Informational July 2010 ISSN: 2070-1721
Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets
轻量级目录访问协议(LDAP)模式,用于存储SALT质询响应身份验证机制(SCRAM)机密
Abstract
摘要
This memo describes how the "authPassword" Lightweight Directory Access Protocol (LDAP) attribute can be used for storing secrets used by the Salted Challenge Response Authentication Message (SCRAM) mechanism in the Simple Authentication and Security Layer (SASL) framework.
本备忘录描述了如何使用“authPassword”轻量级目录访问协议(LDAP)属性来存储简单身份验证和安全层(SASL)框架中Salted Challenge-Response身份验证消息(SCRAM)机制使用的机密。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5803.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5803.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Overview ........................................................2 2. Conventions Used in This Document ...............................3 3. Security Considerations .........................................3 4. Acknowledgements ................................................4 5. Normative References ............................................4
1. Overview ........................................................2 2. Conventions Used in This Document ...............................3 3. Security Considerations .........................................3 4. Acknowledgements ................................................4 5. Normative References ............................................4
This document describes how the authPassword LDAP attribute [AUTHPASS] can be used for storing secrets used by [SCRAM] Simple Authentication and Security Layer [RFC4422] Mechanisms.
本文档介绍如何使用authPassword LDAP属性[AUTHPASS]存储[SCRAM]简单身份验证和安全层[RFC4422]机制使用的机密。
The "scheme" part of the authPassword attribute is the SCRAM mechanism name (always without the "-PLUS" suffix), e.g., "SCRAM-SHA-1". See [SCRAM] for the exact syntax of SCRAM mechanism names.
authPassword属性的“scheme”部分是紧急停堆机制名称(始终不带“-PLUS”后缀),例如“SCRAM-SHA-1”。有关紧急停堆机构名称的确切语法,请参见[紧急停堆]。
The "authInfo" part of the authPassword attribute is the iteration count (iter-count in the ABNF below), followed by ":" and base64- encoded [BASE64] salt.
authPassword属性的“authInfo”部分是迭代计数(下面ABNF中的iter计数),后跟“:”和base64编码的[base64]salt。
The "authValue" part of the authPassword attribute is the base64- encoded [BASE64] StoredKey [SCRAM], followed by ":" and base64- encoded [BASE64] ServerKey [SCRAM].
authPassword属性的“authValue”部分是base64编码的[base64]StoredKey[SCRAM],后跟“:”和base64编码的[base64]ServerKey[SCRAM]。
Syntax of the attribute can be expressed using ABNF [RFC5234]. Non-terminal references in the following ABNF are defined in either [AUTHPASS], [RFC4422], or [RFC5234].
属性的语法可以使用ABNF[RFC5234]表示。以下ABNF中的非终端引用在[AUTHPASS]、[RFC4422]或[RFC5234]中定义。
scram-mech = "SCRAM-SHA-1" / scram-mech-ext ; Complies with ABNF for <scheme> ; defined in [AUTHPASS].
紧急停堆机械=“紧急停堆-SHA-1”/紧急停堆机械分机;符合《方案》的ABNF;在[AUTHPASS]中定义。
scram-authInfo = iter-count ":" salt ; Complies with ABNF for <authInfo> ; defined in [AUTHPASS].
紧急停堆认证信息=iter计数“:”盐;符合ABNF的<authInfo>;在[AUTHPASS]中定义。
scram-authValue = stored-key ":" server-key ; Complies with ABNF for <authValue> ; defined in [AUTHPASS].
scram authValue=存储密钥“:”服务器密钥;符合ABNF的<authValue>;在[AUTHPASS]中定义。
iter-count = %x31-39 *DIGIT ; SCRAM iteration count. ; A positive number without leading zeros.
iter-count = %x31-39 *DIGIT ; SCRAM iteration count. ; A positive number without leading zeros.
salt = <base64-encoded value>
salt = <base64-encoded value>
stored-key = <base64-encoded value> ; See definition in [SCRAM].
stored-key = <base64-encoded value> ; See definition in [SCRAM].
server-key = <base64-encoded value> ; See definition in [SCRAM].
server-key = <base64-encoded value> ; See definition in [SCRAM].
scram-mech-ext = "SCRAM-" 1*9mech-char ; Other SCRAM mechanisms registered ; in the IANA registry for SASL ; mechanism names.
scram-mech-ext = "SCRAM-" 1*9mech-char ; Other SCRAM mechanisms registered ; in the IANA registry for SASL ; mechanism names.
mech-char = <Defined in RFC 4422>
mech-char = <Defined in RFC 4422>
Note that the authPassword attribute is multivalued. For example, it may contain multiple SCRAM hashes for different hashing algorithms.
请注意,authPassword属性是多值的。例如,它可能包含用于不同散列算法的多个紧急停堆散列。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
This document defines how the authPassword attribute can be used to store SCRAM secrets. Therefore, security considerations relevant to [SCRAM] and hash functions used with it are also relevant to this document.
本文档定义了如何使用authPassword属性存储紧急停堆机密。因此,与[紧急停堆]相关的安全注意事项及其使用的哈希函数也与本文件相关。
General security considerations related to the authPassword attribute (as specified in [AUTHPASS]) also apply to the use of authPassword as specified in this document. In particular, the values of authPassword SHOULD be protected as if they were cleartext passwords. A read operation on this attribute that is not protected by a privacy layer (such as IPsec or TLS) can expose this attribute to an attacker who a) would be able to use the intercepted value to impersonate the user to all servers providing SCRAM access using the same hash function, password, iteration count, and salt or b) would be able to perform an offline dictionary or brute-force attack in order to recover the user's password.
与authPassword属性(如[AUTHPASS]中所述)相关的一般安全注意事项也适用于本文档中所述的authPassword的使用。特别是,authPassword的值应该像明文密码一样受到保护。未受隐私层(如IPsec或TLS)保护的对此属性的读取操作可能会将此属性暴露给攻击者,而攻击者(A)将能够使用截获的值模拟用户到使用相同哈希函数、密码、迭代计数提供紧急停堆访问的所有服务器,salt或b)将能够执行离线字典或暴力攻击,以恢复用户的密码。
Servers MUST validate the format of the authPassword attribute before using it for performing a SCRAM authentication exchange. It is possible that an attacker compromised the LDAP server or got access to the entry containing the attribute in order to exploit a vulnerability in the subsystem performing the SCRAM authentication
服务器必须先验证authPassword属性的格式,然后才能将其用于执行紧急停堆身份验证交换。攻击者可能破坏LDAP服务器或访问包含该属性的条目,以利用执行紧急停堆身份验证的子系统中的漏洞进行攻击
exchange. Big iteration counts and invalid base64 encoding are two possible (but not the only) exploits in the format specified in the document.
交换大迭代计数和无效的base64编码是两种可能(但不是唯一)利用文档中指定格式的漏洞。
The author gratefully acknowledges the feedback provided by Chris Newman, Kurt Zeilenga, Chris Lonvick, Peter Saint-Andre, Barry Leiba, and Chris Ridd.
作者感谢Chris Newman、Kurt Zeilenga、Chris Lonvick、Peter Saint Andre、Barry Leiba和Chris Ridd提供的反馈。
[AUTHPASS] Zeilenga, K., "LDAP Authentication Password Schema", RFC 3112, May 2001.
[AUTHPASS]Zeilenga,K.,“LDAP身份验证密码模式”,RFC31122001年5月。
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006.
[BASE64]Josefsson,S.,“Base16、Base32和BASE64数据编码”,RFC4648,2006年10月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006.
[RFC4422]Melnikov,A.和K.Zeilenga,“简单身份验证和安全层(SASL)”,RFC 4422,2006年6月。
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5234]Crocker,D.和P.Overell,“语法规范的扩充BNF:ABNF”,STD 68,RFC 5234,2008年1月。
[SCRAM] Menon-Sen, A., Newman, C., Melnikov, A., and N. Williams, "Salted Challenge Response Authentication Message (SCRAM) SASL Mechanisms", RFC 5802, July 2010.
[SCRAM]Menon Sen,A.,Newman,C.,Melnikov,A.,和N.Williams,“盐渍挑战响应认证消息(SCRAM)SASL机制”,RFC 5802,2010年7月。
Author's Address
作者地址
Alexey Melnikov Isode Limited 5 Castle Business Village 36 Station Road Hampton, Middlesex TW12 2BX UK
英国米德尔塞克斯郡汉普顿车站路36号城堡商业村5号Alexey Melnikov Isode Limited TW12 2BX
EMail: alexey.melnikov@isode.com URI: http://www.melnikov.ca/
EMail: alexey.melnikov@isode.com URI: http://www.melnikov.ca/