On Internet Authentication
RFC 1704
Document type: RFC - Informational (October 1994; no errata)
Was: draft-haller-auth-requirements (individual)
Authors: Neil Haller, Randall Atkinson
Last updated: 2013-03-02
Stream: Legacy
IESG state: RFC 1704 (Informational)
Network Working Group                                          N. Haller
Request for Comments: 1704                  Bell Communications Research
Category: Informational                                      R. Atkinson
                                               Naval Research Laboratory
                                                            October 1994

                       On Internet Authentication

Status of this Memo

   This document provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

1. INTRODUCTION

   The authentication requirements of computing systems and network protocols vary greatly with their intended use, accessibility, and their network connectivity. This document describes a spectrum of authentication technologies and provides suggestions to protocol developers on what kinds of authentication might be suitable for some kinds of protocols and applications used in the Internet. It is hoped that this document will provide useful information to interested members of the Internet community.

   Passwords, which are vulnerable to passive attack, are not strong enough to be appropriate in the current Internet [CERT94]. Further, there is ample evidence that both passive and active attacks are not uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93, CB94, Stoll90]. The authors of this paper believe that many protocols used in the Internet should have stronger authentication mechanisms so that they are at least protected from passive attacks. Support for authentication mechanisms secure against active attack is clearly desirable in internetworking protocols.

   There are a number of dimensions to the internetwork authentication problem and, in the interest of brevity and readability, this document only describes some of them. However, factors that a protocol designer should consider include whether authentication is between machines or between a human and a machine, whether the authentication is local only or distributed across a network, the strength of the authentication mechanism, and how keys are managed.
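The claim above that a reusable password is defeated by a purely passive attacker, and that a protocol should at least be "protected from passive attacks", is easiest to see with both sides' messages written out. The following is an added example, not part of RFC 1704 or any scheme the RFC prescribes: a Python simulation of two login exchanges over a channel the attacker can only read, one with a cleartext reusable password and one with a nonce-based challenge-response over the same secret. The shared secret, the user name, the 16-byte nonce and the HMAC-SHA-256 response construction are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential shared by client and server (assumption).
SHARED_SECRET = b"correct horse battery staple"
USER = "alice"


class Wire:
    """A channel the passive attacker can observe but not modify."""

    def __init__(self):
        self.log = []

    def send(self, msg):
        self.log.append(msg)
        return msg

    def last_client_message(self):
        # What an eavesdropper records: the most recent client message.
        return [m for m in self.log if m.get("from") == "client"][-1]


# Scheme 1: reusable password sent in the clear.
def password_server_verify(msg):
    """Accepts any message carrying the secret; nothing ties it to this session."""
    return hmac.compare_digest(msg.get("password", b""), SHARED_SECRET)


def password_login(wire):
    msg = wire.send({"from": "client", "user": USER, "password": SHARED_SECRET})
    return password_server_verify(msg)


# Scheme 2: challenge-response over the same secret (HMAC-SHA-256, assumed).
class ChallengeServer:
    def __init__(self):
        self.outstanding = set()  # challenges issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, msg):
        nonce = msg.get("nonce")
        if nonce not in self.outstanding:
            return False  # unknown, expired, or already-used challenge
        self.outstanding.discard(nonce)  # every challenge is single-use
        expected = hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg.get("response", b""))


def challenge_login(wire, server):
    nonce = wire.send({"from": "server", "challenge": server.challenge()})["challenge"]
    response = hmac.new(SHARED_SECRET, nonce, hashlib.sha256).digest()
    msg = wire.send({"from": "client", "user": USER, "nonce": nonce, "response": response})
    return server.verify(msg)


def run_scenarios():
    """Returns whether each legitimate login and each replay attempt was accepted."""
    results = {}

    w1 = Wire()
    results["password_login"] = password_login(w1)
    # Passive attacker resends the captured password message verbatim.
    results["password_replay"] = password_server_verify(w1.last_client_message())

    w2 = Wire()
    srv = ChallengeServer()
    results["challenge_login"] = challenge_login(w2, srv)
    captured = w2.last_client_message()
    # Replay 1: resend the captured response as-is (its nonce is already consumed).
    results["challenge_replay_same_nonce"] = srv.verify(captured)
    # Replay 2: obtain a fresh challenge, then submit the old captured response.
    fresh = srv.challenge()
    results["challenge_replay_fresh_nonce"] = srv.verify(
        {"from": "client", "user": USER, "nonce": fresh, "response": captured["response"]}
    )
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The password replay is accepted because nothing in the captured message is bound to the session; the challenge-response replays are rejected because the server answers only for a challenge it issued and has not yet seen answered, and a response computed for one nonce does not verify against another. This is exactly the "at least protected from passive attacks" bar the text sets and no more: an active attacker who can sit in the path can still relay the live exchange, and if the shared secret is a human-chosen password, a captured (nonce, response) pair lets the attacker guess it offline.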
Haller & Atkinson                                               [Page 1]

RFC 1704                On Internet Authentication          October 1994

2. DEFINITION OF TERMS

   This section briefly defines some of the terms used in this paper to aid the reader in understanding these suggestions. Other references on this subject might be using slightly different terms and definitions because the security community has not reached full consensus on all definitions. The definitions provided here are specifically focused on the matters discussed in this particular document.

   Active Attack: An attempt to improperly modify data, gain authentication, or gain authorization by inserting false packets into the data stream or by modifying packets transiting the data stream. (See passive attacks and replay attacks.)

   Asymmetric Cryptography: An encryption system that uses different keys for encryption and decryption. The two keys have an intrinsic mathematical relationship to each other. Also called Public Key Cryptography. (See Symmetric Cryptography.)

   Authentication: The verification of the identity of the source of information.

   Authorization: The granting of access rights based on an authenticated identity.

   Confidentiality: The protection of information so that someone not authorized to access the information cannot read the information even though the unauthorized person might see the information's container (e.g., computer file or network packet).

   Encryption: A mechanism often used to provide confidentiality.

   Integrity: The protection of information from unauthorized modification.

   Key Certificate: A data structure consisting of a public key, the identity of the person, system, or role associated with that key, and information authenticating both the key and the association between that identity and that public key. The keys used by PEM are one example of a key certificate [Kent93].

   Passive Attack: An attack on an authentication system that inserts no data into the stream, but instead relies on being able to passively monitor information being sent between other parties. This information could be used at a later time in what appears to be a valid session. (See active attack and replay attack.)

   Plain-text: Unencrypted text.

   Replay Attack: An attack on an authentication system by recording