Internet Engineering Task Force (IETF) A. Melnikov Request for Comments: 6331 Isode Limited Obsoletes: 2831 July 2011 Category: Informational ISSN: 2070-1721
Internet Engineering Task Force (IETF) A. Melnikov Request for Comments: 6331 Isode Limited Obsoletes: 2831 July 2011 Category: Informational ISSN: 2070-1721
Moving DIGEST-MD5 to Historic
将DIGEST-MD5移至历史
Abstract
摘要
This memo describes problems with the DIGEST-MD5 Simple Authentication and Security Layer (SASL) mechanism as specified in RFC 2831. It marks DIGEST-MD5 as OBSOLETE in the IANA Registry of SASL mechanisms and moves RFC 2831 to Historic status.
本备忘录描述了RFC 2831中指定的DIGEST-MD5简单身份验证和安全层(SASL)机制的问题。它将DIGEST-MD5标记为SASL机制IANA注册表中的过时版本,并将RFC 2831移至历史状态。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6331.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6331.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2 2. Security Considerations . . . . . . . . . . . . . . . . . . . 5 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Normative References . . . . . . . . . . . . . . . . . . . . 5 5.2. Informative References . . . . . . . . . . . . . . . . . . . 5
1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2 2. Security Considerations . . . . . . . . . . . . . . . . . . . 5 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. Normative References . . . . . . . . . . . . . . . . . . . . 5 5.2. Informative References . . . . . . . . . . . . . . . . . . . 5
[RFC2831] defines how HTTP Digest Authentication [RFC2617] can be used as a Simple Authentication and Security Layer (SASL) [RFC4422] mechanism for any protocol that has a SASL profile. It was intended both as an improvement over CRAM-MD5 [RFC2195] and as a convenient way to support a single authentication mechanism for web, email, the Lightweight Directory Access Protocol (LDAP), and other protocols. While it can be argued that it is an improvement over CRAM-MD5, many implementors commented that the additional complexity of DIGEST-MD5 makes it difficult to implement fully and securely.
[RFC2831]定义了如何将HTTP摘要身份验证[RFC2617]用作任何具有SASL配置文件的协议的简单身份验证和安全层(SASL)[RFC4422]机制。它既可以作为对CRAM-MD5[RFC2195]的改进,也可以作为一种方便的方式来支持web、电子邮件、轻型目录访问协议(LDAP)和其他协议的单一身份验证机制。虽然可以说这是对CRAM-MD5的改进,但许多实现者评论说,DIGEST-MD5的额外复杂性使其难以完全安全地实现。
Below is an incomplete list of problems with the DIGEST-MD5 mechanism as specified in [RFC2831]:
下面是[RFC2831]中指定的DIGEST-MD5机制问题的不完整列表:
1. The mechanism has too many options and modes. Some of them are not well described and are not widely implemented. For example, DIGEST-MD5 allows the "qop" directive to contain multiple values, but it also allows for multiple qop directives to be specified. The handling of multiple options is not specified, which results in minor interoperability problems. Some implementations amalgamate multiple qop values into one, while others treat multiple qops as an error. Another example is the use of an empty authorization identity. In SASL, an empty authorization identity means that the client is willing to authorize as the authentication identity. The document is not clear on whether
1. 该机制有太多选项和模式。其中一些没有得到很好的描述,也没有得到广泛的实施。例如,DIGEST-MD5允许“qop”指令包含多个值,但也允许指定多个qop指令。未指定对多个选项的处理,这会导致较小的互操作性问题。一些实现将多个qop值合并为一个,而另一些实现将多个qop视为一个错误。另一个示例是使用空授权标识。在SASL中,空授权标识意味着客户端愿意授权作为身份验证标识。这份文件不清楚是否
the authzid must be omitted or if it can be specified with an empty value to convey this. The requirement for backward compatibility with HTTP Digest means that the situation is even worse. For example, DIGEST-MD5 requires all usernames/passwords that can be entirely represented in the ISO-8859-1 charset to be down converted from UTF-8 [RFC3629] to ISO-8859-1 [ISO-8859-1]. Another example is the use of quoted strings. Handling of characters that need escaping is not properly described, and the DIGEST-MD5 document has no examples to demonstrate correct behavior.
必须省略authzid,或者如果可以使用空值指定它来传达此信息。对HTTP摘要向后兼容性的要求意味着情况更糟。例如,DIGEST-MD5要求可以完全在ISO-8859-1字符集中表示的所有用户名/密码从UTF-8[RFC3629]向下转换为ISO-8859-1[ISO-8859-1]。另一个例子是使用带引号的字符串。对需要转义的字符的处理没有正确描述,DIGEST-MD5文档也没有示例来演示正确的行为。
2. The DIGEST-MD5 document uses ABNF from RFC 822 [RFC0822], which allows an extra construct and allows for "implied folding whitespace" to be inserted in many places. The difference from a more common ABNF defined in [RFC5234] is confusing for some implementors. As a result, many implementations do not accept folding whitespace in many places where it is allowed.
2. DIGEST-MD5文档使用RFC 822[RFC0822]中的ABNF,它允许额外构造,并允许在许多地方插入“隐含折叠空格”。与[RFC5234]中定义的更为常见的ABNF的区别让一些实现者感到困惑。因此,在许多允许折叠空白的地方,许多实现都不接受折叠空白。
3. The DIGEST-MD5 document uses the concept of a "realm" to define a collection of accounts. A DIGEST-MD5 server can support one or more realms. The DIGEST-MD5 document does not provide any guidance on how realms should be named and, more importantly, how they can be entered in User Interfaces (UIs). As a result, many DIGEST-MD5 clients have confusing UIs, do not allow users to enter a realm, and/or do not allow users to pick one of the server-supported realms.
3. DIGEST-MD5文档使用“领域”的概念来定义帐户集合。DIGEST-MD5服务器可以支持一个或多个领域。DIGEST-MD5文档没有提供任何关于如何命名领域的指导,更重要的是,如何在用户界面(UI)中输入领域的指导。因此,许多DIGEST-MD5客户机具有令人困惑的UI,不允许用户进入领域,和/或不允许用户选择服务器支持的领域之一。
4. Use of username in the inner hash is problematic. The inner hash of DIGEST-MD5 is an MD5 hash of colon-separated username, realm, and password. Implementations may choose to store inner hashes instead of clear text passwords. This has some useful properties, such as protection from compromise of authentication databases containing the same username and password on other servers if a server with the username and password is compromised; however, this is rarely done in practice. First, the inner hash is not compatible with widely deployed Unix password databases, and second, changing the username would invalidate the inner hash.
4. 在内部哈希中使用用户名是有问题的。DIGEST-MD5的内部哈希是以冒号分隔的用户名、域和密码的MD5哈希。实现可以选择存储内部哈希而不是明文密码。这具有一些有用的属性,例如,如果具有用户名和密码的服务器被破坏,则可以保护其他服务器上包含相同用户名和密码的身份验证数据库免受破坏;然而,在实践中很少这样做。首先,内部哈希与广泛部署的Unix密码数据库不兼容,其次,更改用户名将使内部哈希无效。
5. Description of DES/3DES [DES] and RC4 security layers are inadequate to produce independently developed interoperable implementations. In the DES/3DES case, this is partly a problem with existing DES APIs.
5. DES/3DES[DES]和RC4安全层的描述不足以产生独立开发的可互操作实现。在DES/3DES案例中,这部分是现有DES API的问题。
6. DIGEST-MD5 outer hash (the value of the "response" directive) does not protect the whole authentication exchange, which makes the mechanism vulnerable to "man-in-the-middle" (MITM) attacks, such as modification of the list of supported qops or ciphers.
6. DIGEST-MD5外部哈希(“response”指令的值)不能保护整个身份验证交换,这使得该机制容易受到“中间人”(MITM)攻击,例如修改支持的QOP或密码列表。
7. The following features are missing from DIGEST-MD5, making it insecure or unsuitable for use in protocols:
7. DIGEST-MD5缺少以下功能,因此不安全或不适合在协议中使用:
A. Channel bindings [RFC5056].
A.通道绑定[RFC5056]。
B. Hash agility (i.e., no easy way to replace the MD5 hash function with another one).
B.散列灵活性(即,用另一个散列函数替换MD5散列函数并不容易)。
C. Support for SASLPrep [RFC4013] or any other type of Unicode character normalization of usernames and passwords. The original DIGEST-MD5 document predates SASLPrep and does not recommend any Unicode character normalization.
C.支持SASLPrep[RFC4013]或用户名和密码的任何其他类型的Unicode字符规范化。最初的DIGEST-MD5文档早于SASLPrep,不建议进行任何Unicode字符规范化。
8. The cryptographic primitives in DIGEST-MD5 are not up to today's standards, in particular:
8. DIGEST-MD5中的加密原语不符合当今的标准,特别是:
A. The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware [RFC6151].
A.MD5散列足够弱,可以使用普通硬件对DIGEST-MD5进行暴力攻击[RFC6151]。
B. The RC4 algorithm is prone to attack when used as the security layer without discarding the initial key stream output [RFC6229].
B.RC4算法用作安全层时,在不丢弃初始密钥流输出的情况下容易受到攻击[RFC6229]。
C. The DES cipher for the security layer is considered insecure due to its small key space [RFC3766].
C.由于密钥空间小,安全层的DES密码被认为是不安全的[RFC3766]。
Note that most of the problems listed above are already present in the HTTP Digest authentication mechanism.
请注意,上面列出的大多数问题已经存在于HTTP摘要身份验证机制中。
Because DIGEST-MD5 is defined as an extensible mechanism, it is possible to fix most of the problems listed above. However, this would increase implementation complexity of an already complex mechanism even further, so the effort is not worth the cost. In addition, an implementation of a "fixed" DIGEST-MD5 specification would likely either not interoperate with any existing implementation of [RFC2831] or would be vulnerable to various downgrade attacks.
因为DIGEST-MD5被定义为一种可扩展机制,所以可以修复上面列出的大多数问题。然而,这将进一步增加已经很复杂的机制的实现复杂性,因此付出的代价是不值得的。此外,“固定”摘要MD5规范的实现可能无法与[RFC2831]的任何现有实现进行互操作,或者容易受到各种降级攻击。
Note that despite DIGEST-MD5 seeing some deployment on the Internet, this specification recommends obsoleting DIGEST-MD5 because DIGEST-MD5, as implemented, is not a reasonable candidate for further standardization and should be deprecated in favor of one or more new password-based mechanisms currently being designed.
请注意,尽管DIGEST-MD5在Internet上进行了一些部署,但本规范建议淘汰DIGEST-MD5,因为DIGEST-MD5在实现时并不是进一步标准化的合理候选方案,因此应弃用,以支持目前正在设计的一个或多个新的基于密码的机制。
The Salted Challenge Response Authentication Mechanism (SCRAM) family of SASL mechanisms [RFC5802] has been developed to provide similar features as DIGEST-MD5 but with a better design.
SASL机制的Salted Challenge-Response Authentication Mechanism(SCRAM)系列[RFC5802]已经开发出来,以提供与DIGEST-MD5类似的功能,但具有更好的设计。
Security issues are discussed throughout this document.
本文档中讨论了安全问题。
IANA has changed the "Intended usage" of the DIGEST-MD5 mechanism registration in the SASL mechanism registry to OBSOLETE. The SASL mechanism registry is specified in [RFC4422] and is currently available at:
IANA已将SASL机制注册表中DIGEST-MD5机制注册的“预期用途”更改为过时。SASL机制注册表在[RFC4422]中指定,目前可在以下位置获得:
http://www.iana.org/assignments/sasl-mechanisms
http://www.iana.org/assignments/sasl-mechanisms
The author gratefully acknowledges the feedback provided by Chris Newman, Simon Josefsson, Kurt Zeilenga, Sean Turner, and Abhijit Menon-Sen. Various text was copied from other RFCs, in particular, from [RFC2831].
作者非常感谢Chris Newman、Simon Josefsson、Kurt Zeilenga、Sean Turner和Abhijit Menon-Sen提供的反馈。各种文本是从其他RFC复制的,特别是从[RFC2831]复制的。
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999.
[RFC2617]Franks,J.,Hallam Baker,P.,Hostetler,J.,Lawrence,S.,Leach,P.,Lootonen,A.,和L.Stewart,“HTTP认证:基本和摘要访问认证”,RFC 26171999年6月。
[RFC2831] Leach, P. and C. Newman, "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000.
[RFC2831]Leach,P.和C.Newman,“使用摘要认证作为SASL机制”,RFC 28312000年5月。
[DES] National Institute of Standards and Technology, "Data Encryption Standard (DES)", FIPS PUB 46-3, October 1999.
[DES]国家标准与技术研究所,“数据加密标准(DES)”,FIPS PUB 46-3,1999年10月。
[ISO-8859-1] International Organization for Standardization, "Information technology - 8-bit single-byte coded graphic character sets - Part 1: Latin alphabet No. 1", ISO/IEC 8859-1, 1998.
[ISO-8859-1]国际标准化组织,“信息技术-8位单字节编码图形字符集-第1部分:拉丁字母表1”,ISO/IEC 8859-11998。
[RFC0822] Crocker, D., "Standard for the format of ARPA Internet text messages", STD 11, RFC 822, August 1982.
[RFC0822]Crocker,D.,“ARPA互联网文本信息格式标准”,STD 11,RFC 822,1982年8月。
[RFC2195] Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2195, September 1997.
[RFC2195]Klensin,J.,Catoe,R.,和P.Krumviede,“简单质询/响应的IMAP/POP授权扩展”,RFC 21951997年9月。
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[RFC3629]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。
[RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For Public Keys Used For Exchanging Symmetric Keys", BCP 86, RFC 3766, April 2004.
[RFC3766]Orman,H.和P.Hoffman,“确定用于交换对称密钥的公钥的强度”,BCP 86,RFC 3766,2004年4月。
[RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names and Passwords", RFC 4013, February 2005.
[RFC4013]Zeilenga,K.,“SASLprep:用户名和密码的Stringprep配置文件”,RFC40113,2005年2月。
[RFC4422] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006.
[RFC4422]Melnikov,A.和K.Zeilenga,“简单身份验证和安全层(SASL)”,RFC 4422,2006年6月。
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure Channels", RFC 5056, November 2007.
[RFC5056]Williams,N.,“关于使用通道绑定保护通道”,RFC 5056,2007年11月。
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.
[RFC5234]Crocker,D.和P.Overell,“语法规范的扩充BNF:ABNF”,STD 68,RFC 5234,2008年1月。
[RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010.
[RFC5802]Newman,C.,Menon Sen,A.,Melnikov,A.,和N.Williams,“盐渍挑战响应认证机制(SCRAM)SASL和GSS-API机制”,RFC 5802,2010年7月。
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC 6151, March 2011.
[RFC6151]Turner,S.和L.Chen,“MD5消息摘要和HMAC-MD5算法的更新安全注意事项”,RFC 61512011年3月。
[RFC6229] Strombergson, J. and S. Josefsson, "Test Vectors for the Stream Cipher RC4", RFC 6229, May 2011.
[RFC6229]Strombergson,J.和S.Josefsson,“流密码RC4的测试向量”,RFC 6229,2011年5月。
Author's Address
作者地址
Alexey Melnikov Isode Limited 5 Castle Business Village 36 Station Road Hampton, Middlesex TW12 2BX UK
英国米德尔塞克斯郡汉普顿车站路36号城堡商业村5号Alexey Melnikov Isode Limited TW12 2BX
EMail: Alexey.Melnikov@isode.com URI: http://www.melnikov.ca/
EMail: Alexey.Melnikov@isode.com URI: http://www.melnikov.ca/