Network Working Group R. Harwood Internet-Draft Red Hat, Inc. Updates: 4556 (if approved) 6 August 2021 Intended status: Standards Track Expires: 7 February 2022 Deprecate Use of 1024-bit Diffie-Hellman Moduli in Public Key Cryptography for Initial Authentication in Kerberos draft-harwood-krb-pkinit-dh-upsize-01 Abstract Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) permits a client and a Kerberos Domain Controller (KDC) to use a Diffie-Hellman (DH) exchange to derive an encryption key. The group with minimum modulus size permitted for this exchange is 1024 bits, which recent security research has shown to provide insufficient protection against organizations with sufficient computing resources, such as state-sponsored actors. This document updates RFC 4556 to increase the minimum group size to 2048 bits and define permitted groups of size larger than 4096-bits. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 February 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Harwood Expires 7 February 2022 [Page 1] Internet-Draft PKINIT DH Modulus Size August 2021 Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions used in this document . . . . . . . . . . . . . . 2 3. Modulus Size Increases . . . . . . . . . . . . . . . . . . . 2 4. Additional Groups . . . . . . . . . . . . . . . . . . . . . . 3 5. Interoperability . . . . . . . . . . . . . . . . . . . . . . 3 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 8.1. Normative References . . . . . . . . . . . . . . . . . . 4 8.2. Informative References . . . . . . . . . . . . . . . . . 5 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 5 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction [RFC4556] specified three permitted groups for DH, which have modulus sizes 1024, 2048, and 4096 bits, respectively. It requires implementation of the 1024-bit and 2048-bit groups, while the 4096-bit group is optional albeit recommended. This document updates [RFC4556] such that the 1024-bit group is no longer permitted and implementation of the 4096-bit group is required based on more recent understanding of DH group weaknesses [LOGJAM]. It also defines two larger groups for futureproofing. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Modulus Size Increases In 2015, [LOGJAM] showed by example that it is very possible to break 768-bit DH groups. The authors extend their method to 1024-bit DH groups as well, and their analysis shows breaking 1024-bit DH groups to be within the reach of state-sponsored actors (or others with that level of computing resources). Accordingly, this document prohibits the use of the previously permitted 1024-bit group and recommends the use of the 4096-bit group. Harwood Expires 7 February 2022 [Page 2] Internet-Draft PKINIT DH Modulus Size August 2021 [RFC4556] specifies three groups that can be used for Diffie-Hellman (DH) [RFC2631] key exchange between the client and Kerberos Domain Controller (KDC) [RFC4120]: Oakley 1024-bit Modular Exponential (MODP) well-known group 2 from [RFC2412], Oakley 2048-bit MODP well- known group 14 from [RFC3526], and Oakley 4096-bit MODP well-known group 16 from [RFC3526]. Of the three, implementations were required to support the 1024-bit and 2048-bit groups, while the 4096-bit group was optional. Specifically, this document updates [RFC4556] Section 3.2.1, Item 8, Paragraph 1 as follows: * implementations MUST NOT support Oakley 1024-bit MODP well-known group 2 [RFC2412] or any other group with modulus size strictly less than 2048 bits * implementations MAY support Oakley 2048-bit MODP well-known group 14 [RFC3526] * implementations MUST support Oakley 4096-bit MODP well-known group 16 [RFC3526] 4. Additional Groups For futureproofing, we define two additional DH groups with larger modulus size. Implementations MAY support 6114-bit MODP group 17 and/or 8192-bit MODP group 18, both as defined by [RFC3526]. 5. Interoperability [RFC4556] mandated the implementation of two groups (of modulus size 1024-bit and 2048-bit respectively). While this document prohibits use of the 1024-bit group, use of the 2048-bit group is still permitted. Thus, pre-existing implementations could use either that 2048-bit group or the optional 4096-bit group for communication with an implementation that conforms to this document. [RFC4556] permits KDC policy to reject DH groups with error code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. Conforming implementations are thus already prepared to handle group selection failure. Two major implementations of Kerberos, MIT krb5 and Heimdal, have a configuration option for group selection (pkinit_dh_min_bits). In particular, the default value has always been 2048 for MIT krb5, which added PKINIT support in 2007. Harwood Expires 7 February 2022 [Page 3] Internet-Draft PKINIT DH Modulus Size August 2021 6. Security Considerations The security considerations of [RFC4556] continue to apply. As that document states: | Kerberos error messages are not integrity protected; as a result, | the domain parameters sent by the KDC as TD-DH-PARAMETERS can be | tampered with by an attacker so that the set of domain parameters | selected could be either weaker or not mutually preferred. Local | policy can configure sets of domain parameters acceptable locally, | or disallow the negotiation of DH domain parameters. By removing known-dangerous groups, this document attempts to mitigate this attack. This document also permits implementation of only the 4096-bit group, which would effectively disallow parameter negotiation. However, as the field remains unprotected, it is still subject to Denial of Service from tampering in transit. 7. IANA Considerations There are no IANA actions requested by this document. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2412] Orman, H., "The OAKLEY Key Determination Protocol", RFC 2412, DOI 10.17487/RFC2412, November 1998, . [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999, . [RFC3526] Kivinen, T. and M. Kojo, "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)", RFC 3526, DOI 10.17487/RFC3526, May 2003, . [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, DOI 10.17487/RFC4120, July 2005, . Harwood Expires 7 February 2022 [Page 4] Internet-Draft PKINIT DH Modulus Size August 2021 [RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)", RFC 4556, DOI 10.17487/RFC4556, June 2006, . 8.2. Informative References [LOGJAM] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J., Heninger, N., Springall, D., Thome, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Beguelin, S., and P. Zimmermann, "Imperfect Forward Secrect: How Diffie-Hellman Fails in Practice", ACM Conference on Computer and Communications Security (CCS) 2015, DOI 10.1145/2810103.2813707, 2015, . Appendix A. Acknowledgments This document builds on prior work by the IETF CURves, Deprecating and a Little more Encryption Working Group (curdle), especially that of Loganaden Velvindron and Mark D. Baushke. Author's Address Robbie Harwood Red Hat, Inc. Email: rharwood@redhat.com Harwood Expires 7 February 2022 [Page 5]