
Authentication Mechanisms for ONC RPC (RFC2695)

IP.com Disclosure Number: IPCOM000003288D
Original Publication Date: 1999-Sep-01
Included in the Prior Art Database: 2000-Sep-13
Document File: 15 page(s) / 36K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

A. Chiu: AUTHOR

Abstract

This document describes two authentication mechanisms created by Sun Microsystems that are commonly used in conjunction with the ONC Remote Procedure Call (ONC RPC Version 2) protocol.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 8% of the total text.

Network Working Group                                           A. Chiu
Request for Comments: 2695                              Sun Microsystems
Category: Informational                                   September 1999

Authentication Mechanisms for ONC RPC

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

ABSTRACT

This document describes two authentication mechanisms created by Sun Microsystems that are commonly used in conjunction with the ONC Remote Procedure Call (ONC RPC Version 2) protocol.

WARNING

The DH authentication as defined in Section 2 in this document refers to the authentication mechanism with flavor AUTH_DH currently implemented in ONC RPC. It uses the underlying Diffie-Hellman algorithm for key exchange. The DH authentication defined in this document is flawed due to the selection of a small prime for the BASE field (Section 2.5). To avoid the flaw a new DH authentication mechanism could be defined with a larger prime. However, the new DH authentication would not be interoperable with the existing DH authentication.

As illustrated in [10], a large number of attacks are possible on ONC RPC system services that use non-secure authentication mechanisms. Other secure authentication mechanisms need to be developed for ONC RPC. RFC 2203 describes the RPCSEC_GSS ONC RPC security flavor, a secure authentication mechanism that enables RPC protocols to use the Generic Security Service Application Program Interface (RFC 2078) to provide security services, integrity and privacy, that are independent of the underlying security mechanisms.

Table of Contents

1. Introduction
2. Diffie-Hellman Authentication
2.1 Naming
2.2 DH Authentication Verifiers
2.3 Nicknames and Clock Synchronization
2.4 DH Authentication Protocol Specification
2.4.1 The Full Network Name Credential and Verifier (Client)
2.4.2 The Nickname Credential and Verifier (Client)
2.4.3 The Nickname Verifier (Server)
2.5 Diffie-Hellman Encryption
3. Kerberos-based Authentication
3.1 Naming
3.2 Kerberos-based Authentication Protocol Specification
3.2.1 The Full Network Name Credential and Verifier (Client)
3.2.2 The Nickname Credential and Verifier (Client)
3.2.3 The Nickname Verifier (Server)
3.2.4 Kerbe...