Network Working Group C. Newman Internet Draft: Internet Password Change Protocol Innosoft Document: draft-newman-pwchange-00.txt R. Gellens Qualcomm July 1997 Expires in six months Internet Password Change Protocol (IPCP) Status of this memo This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Introduction As the Internet continues to migrate from using centralized login servers to distributed client/server technology, the need for a protocol to remotely change passwords increases. Two protocols are currently in use for this purpose. Kerberos includes its own password change protocol, although client support is relatively limited. A very simple ad-hoc protocol called "poppassd" has been used in conjunction with POP [POP3] servers. This protocol is supported by many popular POP3 servers and clients but it has the unfortunate property of sending the old and new passwords in plain text over the network. This document specifies a new protocol for changing passwords or passphrases. It is based on the SASL [SASL] framework and intended to be as simple as possible while also being fully extensible. This is designed to work well with the APOP [POP3] command and Newman [Page 1] Internet Draft Internet Password Change Protocol July 1997 similar simple mechanisms to avoid sending plaintext passwords over the network whenever feasible. 1. Conventions used in this document The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "OPTIONAL" and "MAY" in this document are to be interpreted as defined in "Key words for use in RFCs to Indicate Requirement Levels" [KEYWORDS]. The formal grammar in this document uses Augmented BNF [ABNF]. In examples, "C:" and "S:" indicate lines sent by the client and server respectively. If such lines are wrapped without a new "C:" or "S:" label, then the wrapping is for editorial clarity and is not part of the command. Non-text information in examples is hex- encoded and shown in angle-brackets (e.g., "<5F601D>") for readability, although the actual exchange involves binary data transmission. 2. Protocol Overview This protocol is a simple text-based protocol. The basic concept is to use the SASL [SASL] framework with the addition of special-purpose password-change mechanisms. A protocol-level integrity service is optionally included to prevent active attacks which alter the list of available mechanisms. The protocol consists of a server greeting, followed by client commands and server responses. Clients are permitted to send multiple commands at once and will receive responses in order from the server. Commands and responses are sent as CRLF terminated lines. The protocol is designed to be extensible so that more sophisticated mechanisms can be added in the future. A simple exchange involves a server greeting, a client AUTHCHANGE command and associated SASL exchange, followed by a server acknowledgement, and a client LOGOUT command. 3. IPCP Protocol Framework This section contains the specification of the IPCP protocol. When IPCP is used over TCP/IP the server runs on port 586. The SASL Newman [Page 2] Internet Draft Internet Password Change Protocol July 1997 service name for IPCP is "ipcp". 3.1. Protocol Elements This section specifies basic components of the protocol. 3.1.1. Protocol keywords Protocol keywords are short fixed strings used to describe client commands and server responses. They have the following formal grammar: ALPHA = %x41-5A / %x61-7A ;; A US-ASCII letter KCHAR = %x21 / %x23-27 / %x2A-5B / %x5D-7A / %x7C-7E ;; All printable US-ASCII characters except SPACE, ;; <">, "(", ")", "\", and "{" keyword = ALPHA *63KCHAR 3.1.2. Quoted Strings Data sent between client and server may be represented as a quoted string. Quoted strings are surrounded by double quotes, must not exceed 1024 octets, and must not contain NUL, CR or LF. The characters <"> and "\" may be included by preceding them with "\". When quoted strings are used to represent human readable text, they are in the form of a "utf8-quoted" string [UTF8]. All other quoted strings are in the form of a regular "quoted-string" as follows: QCHAR = US-ASCII-SAFE / %x80-FF ;; UTF8 is used for text QCHAR-QUOTED = QCHAR / QUOTED QUOTED = "\" QUOTED-SPECIAL QUOTED-SPECIAL = "\" / <"> US-ASCII-SAFE = %x01-09 / %x0B-0C / %x0E-21 / %x23-5B / %x5D-7F ;; US-ASCII except QUOTED-SPECIALs, CR, LF, NUL UTF8-NON-NUL = UTF8-SAFE / CR / LF / QUOTED-SPECIAL Newman [Page 3] Internet Draft Internet Password Change Protocol July 1997 UTF8-QUOTED = UTF8-SAFE / QUOTED UTF8-SAFE = US-ASCII-SAFE / UTF8-1 / UTF8-2 / UTF8-3 / UTF8-4 / UTF8-5 UTF8-CONT = %x80-BF UTF8-1 = %xC0-DF UTF8-CONT UTF8-2 = %xE0-EF 2UTF8-CONT UTF8-3 = %xF0-F7 3UTF8-CONT UTF8-4 = %xF8-FB 4UTF8-CONT UTF8-5 = %xFC-FD 5UTF8-CONT quoted-string = <"> *QCHAR-QUOTED <"> ;; limited to 1024 octets utf8-qstring = <"> *UTF8-QUOTED <"> ;; limited to 1024 octets 3.1.3. Literal/Binary Strings Arbitrary data may be sent between the client and the server using literal strings. Literal strings begin with an unsigned 32 bit number enclosed in braces ("{", "}") representing the length, followed by a CRLF, followed by length octets, followed by the remainder of the command line. Note that non-text literal strings MAY contain a 0 or NUL octet, so implementations MUST NOT use NUL- terminated strings to store binary literal strings internally. Text literal strings are interpreted according to UTF-8. Literals have the following formal grammar: DIGIT = "0" / "1" / "2" / "3" / "4" / "5" / "6" / "7" / "8" / "9" OCTET = %x00-FF OCTET-NZ = %x01-FF number = 1*DIGIT ;; limited to 0 <= number < 4,294,967,296 Newman [Page 4] Internet Draft Internet Password Change Protocol July 1997 literal = "{" number "}" CRLF *OCTET ;; number indicates the number of OCTETs. ;; UTF-8 is used for text string = literal / quoted-string Servers are required to skip client literals even if a command contains a syntax error. 3.1.4. Groupings Parentheses are used to group related strings and keywords together. 3.2. Server responses Each server response begins with a slash ("/") separated hierarchical response code. The first component of the code is "OK", "NO", "BAD", "CONT" or "GOODBYE". "OK" indicates successful connection or successful completion of a client command. "NO" indicates the command failed for some reason. "BAD" indicates a protocol syntax error, usually the result of a client bug. "CONT" indicates the successful receipt of a partial command and includes server data which the client may use to continue the command. And "GOODBYE" indicates some event forced the server to close the connection. Clients MAY interpret only the first one or two hierarchical components of the response code, but MUST ignore any response detail beyond those components recognized. For responses other than "CONT", the initial response code is followed by an optional grouping of response-specific data. This is followed by a UTF-8 quoted string describing any status or errors as human readable text. After a successful AUTHCHANGE command is received (see below), a signature of the response line SHOULD be included with the response if a shared secret is present. This prevents active attacks which alter the initial greeting line or the response code. The signature is computed by taking the AUTHCHANGE random number from the client and appending the server greeting line and the current response line up to and including the space before the signature, then applying the requested signature mechanism using the original shared secret. The resulting signature is then attached as a literal to the end of the response. Newman [Page 5] Internet Draft Internet Password Change Protocol July 1997 The formal grammar for server responses follows: response = resp-continue / resp-done resp-continue = "CONT" SPACE string response-data = resp-group resp-detail = *("/" keyword) ;; MUST be registered with IANA resp-done = resp-status resp-detail [SPACE response-data] SPACE utf8-quoted [SPACE signature] resp-group = "(" resp-extend *(SPACE resp-extend) ")" resp-status = "OK" / "NO" / "BAD" / "GOODBYE" resp-extend = keyword / number / string / resp-group signature = literal ;; a signature computed over the response ;; using the algorithm specified in the AUTHCHANGE ;; command 3.3. Client Commands Client commands consist of a keyword followed by arguments. 3.4. Signature Mechanisms IPCP supports signature mechanisms for signing the server greeting and protocol response lines. The mechanism HMAC-SHA1 [HMAC, SHA1] MUST be supported and additional mechanisms can be registered with IANA. The mechanism NONE MUST be supported if any mechanisms are offered which don't involve a shared secret, but servers MAY reject NONE in combination with any mechanism that includes a shared secret. 4. Protocol Exchange This section documents the protocol exchange. Newman [Page 6] Internet Draft Internet Password Change Protocol July 1997 4.1. Server Greeting The server greeting takes the form of a response. A GOODBYE greeting indicates the server is not available and MAY include response detail indicating the reason. An OK greeting indicates the server is ready. 4.1.1. Server Referral If a server is unavailable, it may include a referral to a different server. It may be useful to run a referral-only server on a less secure system which refers to a more secure system. For example, a POP3 [POP3] client should be able connect to the IPCP port on a POP3 server and either change the password there or be refered to a proper IPCP server. This way clients don't need to be configured with an additional server. A referral is represented by a NO/REFER response with one or more domain names for the response-data. Example: S: NO/REFER ("ipcp.server.domain") "IPCP not available here" 4.1.2. Server Ready A server ready greeting is an OK/IPCP response. The response-data includes a server random string followed by capability information for the server. The "SIG-MECH" capability MUST be included and is followed by a list of signature mechanisms. The "SASL" capability MUST be included and is followed by a list of supported SASL mechanisms. Other capabilities MAY be defined by standards track or IESG approved experimental extensions to this protocol. Example: S: OK/IPCP ((SIG-MECH "HMAC-SHA1" "NONE") (SASL "SHA1-CHANGE")) "Joe's IPCP server v1.0 Ready" 4.1.3. Server Too Busy The "GOODBYE/TOOBUSY" response indicates the server is too busy to process the request at the current time. GOODBYE with no additional detail may also be used to indicate other conditions which prevent the server from accepting client commands. Example: S: GOODBYE/TOOBUSY "Server too busy at the present time" Newman [Page 7] Internet Draft Internet Password Change Protocol July 1997 4.2. AUTHCHANGE command An AUTHCHANGE command selects the IPCP signature mechanism, a random challenge for the signature mechanism, a SASL authentication and passphrase change mechanism and an optional sasl-data argument for SASL mechanisms where the client sends the first non-empty message. The command is followed by a SASL exchange with server data in the string following the "CONT" response, and client data as a single string followed by a CRLF. The authorization identity included in the SASL exchange indicates the user whose passphrase should be changed, the authentication identity indicates the user whose credentials are being used to initiate the change. This allows IPCP to be used by an administrator to set passwords for other users. The client MUST wait at least one minute for the server to issue the final success or failure response. This permits the server limited time to perform a dictionary attack on the passphrase verifier for those mechanisms which pass a one-way function applied to the passphrase. AUTHCHANGE has the following syntax: command-authchg = "AUTHCHANGE" SPACE sig-mech SPACE random SPACE sasl-mech [SPACE sasl-data] CRLF *(string CRLF) random = literal ;; client-generated random data sasl-data = string ;; A mechanism based client initial string. sasl-mech = "PLAIN-CHANGE" / "SHA1-CHANGE" / keyword ;; MUST be registered with IANA according to ;; procedures in SASL and listed in server greeting sig-mech = "HMAC-SHA1" / "NONE" / keyword ;; MUST be registered with IANA Example: [TODO - use change mechanism] S: OK/IPCP ((SIG-MECH "HMAC-SHA1" "NONE") (SASL "SHA1-CHANGE")) "Joe's IPCP server v1.0 Ready" C: AUTHCHANGE HMAC-SHA1 {20} C: CRAM-MD5 S: CONT "<1896.697170952@postoffice.reston.mci.net>" C: "tim b913a602c7eda7a495b4e6e7334d3890" Newman [Page 8] Internet Draft Internet Password Change Protocol July 1997 S: OK "Welcome, tim" {20} S: 4.3. Responses to AUTHCHANGE command An OK response indicates successful authentication and password change, a NO response indicates a failure at some point in the process. The response line SHOULD be signed by the server as requested by the client. The client SHOULD verify the signature on the server's response. An initial set of failure responses are listed in this section. Not all responses are appropriate for all change mechanisms. 4.3.1. NO/AUTH/FAILED response This indicates that no secret could be found for the specified user or the client's authentication did not verify correctly. There is no response to indicate unknown user in order to avoid attacks which probe for users on the system. 4.3.2. NO/AUTH/EXPIRED response This indicates that the passphrase has expired and the account owner needs to contact the system administrator for new credentials. The human readable string MAY contain contact information. 4.3.3. NO/AUTH/SUSPENDED response This indicates the account has been suspended until further notice and no access to that account of any sort is permitted. 4.3.4. NO/AUTH/ENCRYPT response This indicates the requested mechanism is not permitted unless an external encryption layer is applied. 4.3.5. NO/AUTH/TRANSITION-NEEDED response This indicates that the server has an entry for the user in a legacy authentication database from which the secret can not be recovered. It also indicates that a one-time use of the SASL PLAIN Newman [Page 9] Internet Draft Internet Password Change Protocol July 1997 [SASL-PLAIN] mechanism MAY be used by the client to initialize an entry in a newer authentication database so that future connections and password change requests can be secure. 4.3.6. NO/AUTH/SECURE-TRANSITION-NEEDED response This indicates that the server has an entry for the user in a legacy authentication database from which the secret can not be recovered. The client is required to use some secure mechanism to change the passphrase (e.g., secure remote login, or an encryption extension to this protocol) before future changes can be made. 4.3.7. NO/AUTH/UTF-8 response This indicates that the authentication or authorization user name specified did not meet UTF-8 syntax. Servers are encouraged to enforce UTF-8 syntax as this is likely to prevent non-interoperable use of non-US-ASCII characters in user names. The "NO/AUTH/FAILED" response MUST be used if the user name has valid syntax but does not exist. 4.3.8. NO/SIG/WEAK response This indicates the signature mechanism requested was too weak to meet server requirements for the specified SASL mechanism. 4.3.9. NO/SIG/NONE response This indicates the SASL mechanism specified does not support signatures and that the NONE signature mechanism has to be used instead. 4.3.9. NO/REFER response A server referral as defined in section 4.1.1. can occur in response to an AUTHCHANGE command. 4.3.10. NO/NEWPASS response This indicates that the new password does not meet site policy, syntax or authorization rules. Newman [Page 10] Internet Draft Internet Password Change Protocol July 1997 4.3.11. NO/NEWPASS/AUTHORIZE response This indicates the authenticated user does not have permission to change the password for the authorization user name specified. 4.3.12. NO/NEWPASS/UTF-8 response This indicates the new passphrase does not meet the syntax requirements for UTF-8. Servers are encouraged to enforce UTF-8 syntax as this is likely to prevent non-interoperable use of non- US-ASCII characters in passwords. 4.3.13. NO/NEWPASS/SHORT response This indicates the passphrase is too short for server requirements. The minimum length is a number at the beginning of the included response-data. 4.3.14. NO/NEWPASS/LONG response This indicates the passphrase is too long for server requirements. The maximum length is a number at the beginning of the included response-data. Maximum lengths below 64 characters are strongly discouraged. 4.3.15. NO/NEWPASS/SIMPLE response This indicates the new passphrase is too easy to guess. For example, entirely lower-case letters. 4.3.16. NO/NEWPASS/COMPLEX response This indicates the new passphrase is too complex. Specifically, it contains a character which is inappropriate for use with the supported authentication mechanisms. For example, use of the CR and LF characters in a passphrase are usually not permitted in plaintext mechanisms. 4.3.17. NO/NEWPASS/SAME response This indicates that the new passphrase is the same as the old passphrase. There is deliberately no failure error code to Newman [Page 11] Internet Draft Internet Password Change Protocol July 1997 indicate that an older passphrase is being reused. Although this may seem like a security measure, it has the effect of encouraging users to write down a series of passphrases and thus reduces the overall security of the system. 4.3.18. NO/NEWPASS/DICT response This indicates that the new passphrase was found in a server dictionary and is therefore likely to be found by a dictionary attack. The dictionary MAY include static files such as /usr/dict/words on Unix in addition to algorithms applied to the username or personal information associated with the user. 4.4. LOGOUT command The LOGOUT command indicates the client is completed. The client MAY disconnect any time after LOGOUT is successfully sent, and the server will disconnect immediately upon receipt of a LOGOUT command after any other outstanding responses have been successfully sent. The formal grammar is as follows: command-logout = "LOGOUT" CRLF 4.5. AUTH command The AUTH command is syntactically identical to the AUTHCHANGE command. It is used with regular SASL mechanisms which activate an encryption layer. For the client, the encryption layer takes effect on the first octet of the command immediately following a successful AUTH command. For the server, the encryption layer takes effect immediately after the last octet of an OK response line to the AUTH command. The AUTH command fails with a NO/AUTH/ENCRYPT error if negotiation of an encryption layer fails. The authorization identity is ignored by the AUTH command. Once an encryption layer is active clients and servers MUST NOT request another encryption layer. 5. Initial SASL mechanisms for IPCP The section defines some initial SASL change mechanisms for IPCP. All implementations of IPCP MAY support the PLAIN-CHANGE mechanism, but if supported, there MUST be a way to disable the mechanism. All server implementations which support PLAIN-CHANGE SHOULD have a way to disable the mechanism on a per-user basis in favor of Newman [Page 12] Internet Draft Internet Password Change Protocol July 1997 stronger mechanisms. All server implementations of IPCP with access to an authentication database which stores the plaintext password itself (e.g., after applying invertible encryption) MUST support the SHA1-CHANGE mechanism. All client implementations of IPCP MUST support the SHA1-CHANGE mechanism. 5.1. PLAIN-CHANGE SASL mechanism Support for the PLAIN-CHANGE mechanism is included only to support legacy authentication systems. Its use is strongly discouraged since it exposes both the old and new passphrase to a network evesdropper. This mechanism has no shared secret because the primary use of plaintext passwords is only when the server stores the plaintext password after applying a one-way function. For this reason, the NONE signature mechanism is used with the PLAIN-CHANGE SASL mechanism. The mechanism consists of a single message from the client to the server including the user whose password is to be changed, the authentication id, the passphrase for the authentication id and the new passphrase for the user, separated by US-ASCII NUL characters. The formal grammar for this mechanism is as follows: plain-change = change-user NUL auth-user NUL auth-pass NUL new-pass change-user = *UTF8-SAFE ;; if empty, then is same as auth-user auth-user = 1*UTF8-SAFE auth-pass = 1*256UTF8-SAFE new-pass = 1*256UTF8-SAFE NUL = %x00 ;; zero octet, US-ASCII NUL 5.2. SHA1-CHANGE SASL mechanism This mechanism is suitable for changing the passphrase for any mechanism which stores the passphrase on the server without applying a one-way function; such as APOP [POP3] or some implementations of CRAM-MD5 [CRAM-MD5]. Note that this mechanism is susceptible to offline dictionary attacks. Specifically, if an evesdropper records a session, that evesdropper may run values for the old password through the HMAC-SHA1 process until matching Newman [Page 13] Internet Draft Internet Password Change Protocol July 1997 output results. For this reason, it is vital to use longer and more complex passphrases. The shared secret for use with the signature mechanism is the old plaintext passphrase unencrypted. This mechanism begins with an initial server challenge. The client responds with the user whose password is to be changed, the authentication user name, a client challenge and an HMAC-SHA1 [HMAC] signature computed over the server challenge using the old passphrase. If the client's signature verifies, the server signs a string consisting of the client's challenge appended to the server's initial challenge, using the old passphrase. If the server's signature verifies, the client transmits the new passphrase using the following algorithm: (1) First, an octet representing the length of the new passphrase is pre-pended to the passphrase and this is placed in a buffer rounded up to a 20 octet boundary with arbitrary padding octets. (2) Apply HMAC-SHA1 to the server's signature using the old passphrase. (3) The output of step (2) is exclusive-ored with the first 20 octets of the buffer. If the passphrase is less than 20 octets the process completes. (4) If the buffer is longer than 20 octets, then the 20 octet output of step (3) is re-signed with the old passphrase using HMAC-SHA1. (5) The output of step (4) is exclusive ored with the next 20 octet segment of the buffer. Repeat steps (4) and (5) until done. The formal grammar for the exchange follows: server-message-1 = challenge client-message-1 = change-user NUL auth-user NUL challenge NUL signature server-message-2 = signature client-message-2 = sha1-new-pass signature = 20OCTET ;; 20 octet output of HMAC-SHA1 Newman [Page 14] Internet Draft Internet Password Change Protocol July 1997 challenge = 20*OCTET-NZ ;; randomly generated challenge with no NUL ;; octets. MUST be at least 20 octets long sha1-new-pass = 1*13xor-sig-block xor-sig-block = 20OCTET ;; signature exclusive ored with new passphrase ;; buffer as described above 6. Examples TODO 7. Security Considerations Security considerations are discussed throughout this document. Clients are encouraged to record the occurance of a successful authentication for a given user and server combination and refuse to use plain text passwords for that user and that server in the future. This will prevent a man in the middle or a spoof server from aquiring the user's password by pretending a transition is needed. Use of password change SASL mechanisms with protocols other than this one is discouraged, since general purpose application servers may not be treated with the same level of security analysis a system administrator is likely to apply to a server running a password change protocol. 8. References [ABNF] Crocker, D., "Augmented BNF for Syntax Specifications: ABNF", Work in progress: draft-ietf-drums-abnf-xx.txt [CRAM-MD5] Klensin, Catoe, Krumviede, "IMAP/POP AUTHorize Extension for Simple Challenge/Response", RFC 2095, MCI, January 1997. [HMAC] Krawczyk, Bellare, Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, IBM, UCSD, February 1997. Newman [Page 15] Internet Draft Internet Password Change Protocol July 1997 [KEYWORDS] Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997. [POP3] Myers, J., Rose, M., "Post Office Protocol - Version 3", RFC 1939, Carnegie Mellon, Dover Beach Consulting, Inc., May 1996. [SASL] Myers, J., "Simple Authentication and Security Layer (SASL)", Work in progress: draft-myers-auth-sasl-xx.txt [SASL-PLAIN] Newman, "Plaintext Password SASL Mechanism and Transition Strategy", Work in progress: draft-newman-sasl- plaintrans-xx.txt. [SHA1] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995. [UTF8] Yergeau, F. "UTF-8, a transformation format of Unicode and ISO 10646", RFC 2044, Alis Technologies, October 1996. 9. Authors' Addresses Chris Newman Innosoft International, Inc. 1050 East Garvey Ave. South West Covina, CA 91790 USA Email: chris.newman@innosoft.com Randall Gellens Qualcomm, Inc. 6455 Lusk Blvd. San Diego, CA 92121-2779 USA Email: Randy@Qualcomm.Com Newman [Page 16]