INTERNET-DRAFT Vipul Gupta SUN Microsystems, Inc Oct 22, 1998 Flexible Authentication for DHCP Messages Status of this Memo This document is an Internet Draft and is in full conformance with all provisions of Section 10 of RFC2026 [Bra96]. Internet Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and working groups. Note that other groups may also distribute working documents as Internet Drafts. Internet Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This memo proposes a new protocol (Protocol 2) for DHCP authentication within the general framework outlined by Droms and Arbaugh [DrAr98]. This protocol supports the use of digital signatures and multiple forms of replay detection in authenticating Dynamic Host Configuration Protocol (DHCP) messages. The use of digital signatures simplifies key management and also allows authentication of mobile clients that roam between different administrative domains. 1. Introduction: The Dynamic Host Configuration Protocol (DHCP) [Drom97] provides an extensible framework through which a host can acquire various configuration parameters from a centrally managed server. Configuration parameters that may be obtained through DHCP include (among many others) the host's IP address, subnet mask, default router, DNS domain, DNS server and NTP servers. The protocol as specified in RFC 2131 is susceptible to various Gupta DHCP Authentication (Protocol 2) [Page 1] INTERNET-DRAFT Expires April, 1999 Oct 1999 security attacks including source spoofing, message modification, replays and eavesdropping. [DrAr99] outlines a mechanism (Protocol 1) for adding authentication information to DHCP messages. The mechanism guards against source spoofing, message alteration and replays. It assumes that the entities exchanging authenticated information share a secret key not known to anyone else. The sender uses this key to compute a keyed hash (or MAC) over the information to be protected and a replay detection field. This MAC is sent along with the DHCP message. The receiver recomputes the MAC over the same fields using its copy of the shared key. It compares the result against the MAC value received with the incoming message. A successful match authenticates the sender. Another protocol, Protocol 0, is also described in [DrAr99] but it carries an authentication token (a password) in the clear and only offers weak authentication. This draft proposes a new protocol, Protocol 2, with the aim of supporting public-key based authentication. It also includes hooks for future support of multiple forms of replay detection (e.g. using nonces). Like [DrAr99], this note does not address confidentiality of DHCP messages. This note is not a stand-alone document and must be read in conjunction with [DrAr99]. Additionally, the reader is assumed to be familiar with the following: o Dynamic Host Configuration Protocol [Drom97] o DHCP Continuation Option Code [ArKe97] DISCUSSION: DHCP options use a single byte for the length field and this imposes a limit of 255 bytes on the length of a DHCP option. This draft (like some others) underscores the need to carry options longer than 255 bytes inside DHCP messages. The DHCP Continuation Option Code draft proposes one possible solution. Unfortunately, this draft [ArKe97] is expired. The working group needs to either revive that draft or agree upon another solution (such as implicitly coalescing multiple options whenever they have the same option code). 1.1 Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" Gupta DHCP Authentication (Protocol 2) [Page 2] INTERNET-DRAFT Expires April, 1999 Oct 1999 in this document are to be interpreted as described in RFC 2119 [Brad97]. 2. Protocol 2 The general format of the DHCP authentication option in this draft closely resembles the format in [DrAr99] with minor exceptions. The "Global Replay Counter" field has been renamed "Replay Detection Field" to indicate support for multiple forms of replay detection. Some of these mechanisms may use this field to carry values that are not monotonically increasing. For example, one can envision using nonces for replay detection (as is done in IKE [RFC 2409]). Since nonces are generated randomly, a sequence of nonces will not be monotonically increasing (unlike the replay detection counter specified in [DrAr99]). The Authentication Information field (starting after the byte containing RDM) is now subdivided into two variable length fields: 1. Key ID -- This is a generalization of the "secret ID" field in Protocol 1 and identifies the public-key or shared-key needed to verify the authenticator. Several forms of key ID are supported including X.509 certificates, hashes of X.509 certificates, certificate chains and opaque values. 2. Authenticator -- This is a generalization of the "MAC" field in Protocol 1. It contains either a MAC or a digital signature depending on whether the authentication algorithm uses symmetric- or asymmetric- key cryptography. Gupta DHCP Authentication (Protocol 2) [Page 3] INTERNET-DRAFT Expires April, 1999 Oct 1999 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Length | Protocol (2) | Algorithm | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Replay Detection Field (64-bits) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | RDM | RESV | Key ID Type | Key ID length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Key ID Value ... (variable length) ~ ~ ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Authenticator (variable length) ... ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Code for the authentication option is TBD. The Length field contains the length of the entire option except for the code and length bytes. This length equals 11 plus the size of the authentication information (in bytes) and can typically be encoded in a single byte. However, for certain Key ID types (such as certificates) it is possible that the total length of the authentication option exceeds 255. In this case, the DHCP continuation option code [ArKe97] MUST be used and the length field MUST be set accordingly (see DISCUSSION in Section 1). 2.1 Algorithm The Algorithm field determines which of several secret-key or public-key based authentication algorithms is used to compute the authenticator information. The following algorithms are supported (Public-key algorithms are identified by an asterisk next to their name): Algorithm field Description Reference ----- ----------- --------- 1 HMAC-MD5 keyed hash [Rive92], [KBC97] 2 HMAC-SHA keyed hash [NIS94a], [KBC97] 3 DSA* signature [NIS94b] 4 RSA-MD5* RSA encryption [RSA78] of MD5 hash Gupta DHCP Authentication (Protocol 2) [Page 4] INTERNET-DRAFT Expires April, 1999 Oct 1999 Algorithm 1 (HMAC-MD5) MUST be supported. DISCUSSION: Edward Lewis has suggested choosing the same values as used in the DNS records of type KEY and SIG. This needs to be investigated further. 2.2 Replay Detection Field The content and interpretation of this field is controlled by the RDM (Replay Detection Method) bits (described below). As mentioned in Section 2.3, RDM values other than 0 are currently reserved. When RDM is 0, the Replay Detection Field is defined to mimic the "Global Replay Counter" in Protocol 1 [DrA99]. 2.3 The Replay Detection Method (RDM) bits This four-bit field indicates the replay detection method used by the DHCP client and server. It determines how the Replay Detection Field is set by the sender and also how its contents are interpreted at the receiver. RDM field Description --------- ----------- O When the RDM bits are 0, the Replay Detection field is used in exactly the same manner as the "Global Counter Field" of Protocol 1 specified in [DrAr99]. 1-15 These values are RESERVED and some of them will be defined in a subsequent revision. An RDM value of 0 MUST be supported. 2.4 The Resrved bits The lower four bits in the byte containing RDM are reserved. These MUST be set to zero and ignored by the receiver. Subsequent revisions of this protocol may define new processing behavior for these bits. 2.4 Key ID The Key ID field is composed of three sub-fields including a RESERVED byte-long field which MUST be set to zero. Other sub-fields are: Key ID Type This identifies the type of Key ID Gupta DHCP Authentication (Protocol 2) [Page 5] INTERNET-DRAFT Expires April, 1999 Oct 1999 information carried in the Key ID field. Key ID Length Length of the Key ID Value field expressed in bytes. Key ID Value Contains the actual Key ID which identifies either a secret key or a public key needed to verify the authenticator. The following Key ID Types are defined. Implementations MUST support the OPAQUE Key ID type. Key ID Type Description ----- ----------- RESV (0) Reserved OPAQUE (1) Indicates that the Key ID Value contains an opaque value. How the receiver uses it to look up a key is entirely a local matter at the receiver. The presumption here is that the sender and receiver have a previously agreed method of mapping the opaque key ID value to a key. This definition is consistent with that of the "Secret ID" in Protocol 1. X509_CERT_CHAIN Indicates that the Key ID Value subfield (2) contains a chain of one or more DER encoded X.509 certificates. The first certificate in the chain is that of the sender and each subsequent certificate certifies the public key used in signing the immediately preceding certificate. Chains containing multiple certificates are useful if the receiver does not have the authenticated public key of the sender and may need to follow a certificate chain to establish the required trust. The public key contained in the first certificate MUST be for the same algorithm as indicated in the Algorithm field. For example, if the Algorithm field indicates DSA, the first certificate MUST include a DSA public key. Similarly, if the Algorithm field indicates RSA-MD5, the certificate MUST include an RSA public key. After verifying Gupta DHCP Authentication (Protocol 2) [Page 6] INTERNET-DRAFT Expires April, 1999 Oct 1999 the authenticity of the sender's certificate, the receiver MUST cache this trusted certificate and its MD5 hash. Doing so has two benefits -- (i) it speeds verification of subsequent messages from the same sender, and (ii) allows the sender to save bandwidth by including just a certificate hash rather than a complete certificate chain inside subsequent messages. CERT_MD5_HASH Indicates that the Key ID Value is the (3) MD5 hash of a certificate. This is useful in situations where the sender has reason to believe that the corresponding certificate is already available to the receiver (e.g. it may have been sent in a previous message or the receiver is known to have access to a certificate repository containing the sender's certificate). Due to the collision resistance property of MD5, the hash identifies a unique certificate with a high degree of confidence. Sending the hash (16 bytes) rather than the actual certificate results in smaller messages. 4 - 255 RESERVED DISCUSSION: Edward Lewis has suggested the inclusion of other certificate types (e.g. PGP). Need to compile this list based on Working Group input. 2.5 Authenticator The computation and verification of the Authenticator field depends on the type of the authentication Algorithm. When the Algorithm is one of HMAC-MD5 or HMAC-SHA1, the authenticator is computed using the HMAC generation algorithm with the MD5 [Rive2] or SHA [NIS94a] hash functions as described in [KBC97]. When the Algorithm is DSS [NIS94b], the authenticator contains the DER encoding of two 20 byte numbers (r followed by s) representing the DSA signature. When the Algorithm is RSA-MD5, the authenticator contains the RSA encryption output (using the sender's private key) of an MD5 hash. In the case of DSS and RSA-MD5, it is the public-key corresponding to the private-key used for signing that MUST be identified in the Key ID field. Gupta DHCP Authentication (Protocol 2) [Page 7] INTERNET-DRAFT Expires April, 1999 Oct 1999 The input for these computations is the same. It is the entire DHCP message (except as noted below) to be protected upto and including the authentication option. Before signing or computing the MAC, the authentication option (except for the authenticator) must be completely filled out and the authenticator field must be set to zeroes. Since a DHCP relay agent may alter the values of the 'giaddr' and 'hops' fields in the DHCP message, the contents of these two fields MUST also be set to zero for computation of the signature or MAC. A relay agent may append the DHCP relay agent option 82 after the authentication option. Options that appear after the authentication option will not be protected by the Authenticator described above. 3. Client, Server, and Relay Agent Considerations These considerations are not affected in any way by the use of Protocol 2 instead of Protocol 1. Readers are referred to [DrAr99] for the details. 4. Roaming Support for DHCP Clients Roaming can be loosely defined as the ability of a customer to "use any one of multiple Internet service providers (ISPs), while maintaining a formal, customer-vendor relationship with only one" (quoted from [AbBe99]). Each roaming user is uniquely identified by a Network Access Identifier (NAI) [AbBe99] which looks like joe@acme.net and includes enough information to identify the ISP with which that user has a formal customer- vendor relationship. Most ISPs that offer roaming services today use PPP (over dial-up) as the address allocation mechanism. In the future, ISPs that use DHCP for address allocation (such as some Cable Modem ISPs) may also wish to support roaming. In such a scenario, it is logical to use NAIs as DHCP client identifiers so both types of ISPs can identify users in a consistent fashion. This section outlines how the authentication option may be used to support DHCP clients roaming between different administrative domains. For this illustration, we consider a DHCP client associated with ISP-A that roams to a DHCP-enabled network belonging to ISP-B. We assume that these two ISPs have a roaming agreement in place. The agreement may be indirect, e.g. through a broker such as iPass [iPass] or GRIC [GRIC]. Before providing full network connectivity to the client, ISP-B would like to verify that it can bill ISP-A for the service. The following paragraphs describe one possible sequence of steps through which this can be accomplished. We assume that each client has a digital certificate issued by its ISP (the ISP may out Gupta DHCP Authentication (Protocol 2) [Page 8] INTERNET-DRAFT Expires April, 1999 Oct 1999 source the actual issuance of certificates but that is unimportant for our discussion). The certificate is valid as long as the customer's account active and is revoked when the account is closed. Besides its own private key, the client also has a trusted copy of its ISP's public key. These keys may be carried on removable media such as a smart card. If keys are stored on the client's local storage (e.g. a portable computer's hard disk), then the private key MUST be stored encrypted with a user chosen password. Doing so minimizes the risk of a security breach should the client be stolen. The following example uses DSA signatures for authentication. 1. The roaming client, C, establishes link connectivity (e.g. by plugging into an RJ-45 slot for a 10BaseT connection or by completing an 802.11 association) and sends out a DHCPDISCOVER request with a request for authentication. The DHCP client identifier (Option 61 defined in RFC 2132) is set to contain the roaming user's Network Access Identifier. 2. By looking at the NAI from Step 1, a DHCP server, S, on the the visited network can determine the ISP, ISP-A, to which the client belongs. The server checks that its ISP, ISP-B, has a roaming agreement with the client's ISP, ISP-A. If so, it responds with a DHCPOFFER message containing an authentication option. In this option, the Algorithm is set to DSA, the Key ID Type is set to X509_CERT_CHAIN and the Key ID Value is set to include the server's certificate (issued by ISP-B) and ISP-B's certificate signed by ISP-A. If the agreement between ISP-A and ISP-B is through a broker, K, then the certificate chain may instead contain: Server's certificate signed by ISP-B, ISP-B's certificate signed by K and K's certificate signed by ISP-A. Other combinations are also possible depending on the public keys that the client is expected to possess. The authenticator contains a DSA signature computed by the server using its private key. 3. Using a locally available copy of ISP-A's public key, the client can verify the server's public key and signature and and authenticate the offer. If authentication is successful, the client sends out a DHCPREQUEST message. In the authentication option, Algorithm is set to DSA, the Key ID Type is set to X509_CERT_CHAIN, the Key ID Value is set to include the client's certificate issued by ISP-A and the authenticator contains a DSA signature computed by the client using its private key. 4. The server first verifies the client's certificate (this Gupta DHCP Authentication (Protocol 2) [Page 9] INTERNET-DRAFT Expires April, 1999 Oct 1999 may require it to interact with another entity such as a certificate repository) and uses the public key it contains to verify the client's signature. If verification succeeds, it sends back a DHCPACK message completing the sign-on process, otherwise it sends back a DHCPNAK. Unlike typical dial-up roaming situations where only the client is authenticated, the scheme outlined above provides mutual authentication of the client and server. 5. Security Considerations This document describes a mechanism for adding source authentication, integrity protection and replay detection to DHCP messages. This mechanism does not address message confidentiality. 6. Revision History Version Date Comments ------- ---- -------- 00 Jun 23, 1998 Created initial version. 01 Oct 22, 1999 Incorporated feedback from the DHCP working group meeting in Oslo. Changes include: RDM field expanded to 4 bits, algorithm field is now a full byte, key ID length now maintains 16-bit alignment, theft of service discussion moved to a seprate document, removed unnecessary distinction between a single certificate and a certificate chain (the former is a special case). 7. Future Directions: DISCUSSION: It seems reasonable to include an authenticator in the very first message, i.e. DHCPDISCOVER. This gives DHCP servers an opportunity to authenticate the client before sending back any network configuration parameters making "theft of service" even harder for malicious clients. TODO: Add nonce based replay protection. The basic idea is as follows: DHCPDISCOVER message will include a "challenge" from the client, DHCPOFFER will include the server's "response" and its own "challenge", DHCPREQUEST will include the client's "response" etc. Gupta DHCP Authentication (Protocol 2) [Page 10] INTERNET-DRAFT Expires April, 1999 Oct 1999 Such nonce-based replay detection minimizes the amount of replay related state that must be maintained across reboots. References [AbBe99] Aboba, B. and Beadles, M., "Network Access Identifier" RFC 2486, Jan. 1999. [ArKe97] Arbaugh, W. and Keromytis, A., "DHCP Continuation Option Code", Internet-draft , work in progress, Nov. 1997. [Brad96] Bradner, S., "The Internet Standards Process -- Revision 3", RFC 2026, Oct. 1996. [Brad97] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2219, Mar. 1997. [Drom97] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, Mar. 1997. [DrAr99] Droms, R. and Arbaugh, W., "Authentication for DHCP Messages", Internet-draft , work in progress, Jun. 1999. [GRIC] See http://www.gric.com/ [iPass] See http://www.ipass.com/ [KBC97] Krawczyk, H., Bellare, M., and Canetti, R., "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, Feb. 1997. [Mill92] Mills, D., "Network Time Protocol (Version 3)", RFC 1305, Mar. 1992. [NIS94a] NIST, "Secure Hash Standard", FIPS 180-1, National Institute of Standards and Technology, U.S. Department of Commerce, May 1994. [NIS94b] NIST, "Digital Signature Standard", FIPS 186, National Institute of Standards and Technology, U.S. Department of Commerce, May, 1994. [Rive92] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, Apr. 1992. Gupta DHCP Authentication (Protocol 2) [Page 11] INTERNET-DRAFT Expires April, 1999 Oct 1999 [RSA78] Rivest, R., Shamir, A., and Adleman, L., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, v. 21, n. 2, Feb. 1978. Author's Address Vipul Gupta Sun Microsystems, Inc. 901 San Antonio Rd. Palo Alto, CA 94303 Tel: +1 650 786 3614 Fax: +1 650 786 6445 EMail: vipul.gupta@sun.com Gupta DHCP Authentication (Protocol 2) [Page 12]