[298] in Kerberos
RFC1004
daemon@TELECOM.MIT.EDU (Jon Rochlis)
Sat Jan 23 18:40:52 1988
From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU
RCC1004 - "A Distributed-Protocol Authentication Scheme" by Mills is
of releavance to the kerberos crowd. Read kerberos server for cookie
jar and it's just about the same thing (at least the main points are,
3-party authentication, client only talks to the authent server and
then to its associate) ...
-- Jon
----------------------
The purpose of this RFC is to focus discussion on authentication
problems in the Internet and possible methods of solution. The
proposed solutions this document are not intended as standards for
the Internet at this time. Rather, it is hoped that a general
consensus will emerge as to the appropriate solution to
authentication problems, leading eventually to the adoption of
standards. Distribution of this memo is unlimited.
1. Introduction and Overview
This document suggests mediated access-control and authentication
procedures suitable for those cases when an association is to be set
up between multiple users belonging to different trust environments,
but running distributed protocols like the existing Exterior Gateway
Protocol (EGP) [2], proposed Dissimilar Gateway Protocol (DGP) [3]
and similar protocols. The proposed prcedures are evolved from those
described by Needham and Shroeder [5], but specialized to the
distributed, multiple-user model typical of these protocols.
The trust model and threat environment are identical to that used by
Kent and others [1]. An association is defined as the end-to-end
network path between two users, where the users themselves are
secured, but the path between them is not. The network may drop,
duplicate or deliver messages with errors. In addition, it is
possible that a hostile user (host or gateway) might intercept,
modify and retransmit messages. An association is similar to the
traditional connection, but without the usual connection requirements
for error-free delivery. The users of the association are sometimes
called associates.
The proposed procedures require each association to be assigned a
random session key, which is provided by an authentication server
called the Cookie Jar. The procedures are designed to permit only
those associations sanctioned by the Cookie Jar while operating over
arbitrary network topologies, including non-secured networks and
broadcast-media networks, and in the presence of hostile attackers.
However, it is not the intent of these procedures to hide the data
(except for private keys) transmitted via these networks, but only to
authenticate messages to avoid spoofing and replay attacks.
The procedures are intended for distributed systems where each user i
runs a common protocol automaton using private state variables for
each of possibly several associations simultaneously, one for each
user j. An association is initiated by interrogating the Cookie Jar
for a one-time key K(i,j), which is used to encrypt the checksum
which authenticates messages exchanged between the users. The
initiator then communicates the key to its associate as part of a
connection establishment procedure such as described in [3].
