On Internet Authentication (RFC1704)
Original Publication Date: 1994-Oct-01
Included in the Prior Art Database: 2019-Feb-12
Internet Society Requests For Comment (RFCs)
N. Haller: AUTHOR [+1]
This document describes a spectrum of authentication technologies and provides suggestions to protocol developers on what kinds of authentication might be suitable for some kinds of protocols and applications used in the Internet. This document provides information for the Internet community. This memo does not specify an Internet standard of any kind.
Network Working Group
Request for Comments: 1704
Category: Informational
N. Haller, Bell Communications Research
R. Atkinson, Naval Research Laboratory
October 1994
On Internet Authentication
Status of this Memo
This document provides information for the Internet community. This memo does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
The authentication requirements of computing systems and network protocols vary greatly with their intended use, accessibility, and their network connectivity. This document describes a spectrum of authentication technologies and provides suggestions to protocol developers on what kinds of authentication might be suitable for some kinds of protocols and applications used in the Internet. It is hoped that this document will provide useful information to interested members of the Internet community.
Passwords, which are vulnerable to passive attack, are not strong enough to be appropriate in the current Internet [CERT94]. Further, there is ample evidence that both passive and active attacks are not uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93, CB94, Stoll90]. The authors of this paper believe that many protocols used in the Internet should have stronger authentication mechanisms so that they are at least protected from passive attacks. Support for authentication mechanisms secure against active attack is clearly desirable in internetworking protocols.
There are a number of dimensions to the internetwork authentication problem and, in the interest of brevity and readability, this document only describes some of them. However, factors that a protocol designer should consider include whether authentication is between machines or between a human and a machine, whether the authentication is local only or distributed across a network, strength of the authentication mechanism, and how keys are managed.
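The contrast drawn above, between passwords exposed to passive attack and mechanisms protected from it, is shown in the following added example, which is not part of the RFC. The HMAC-SHA256 challenge-response scheme, the class and function names, and the sample secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by the user and the server (assumption).
SHARED_SECRET = b"correct horse battery staple"

def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What the client sends: a keyed hash of the server's nonce, never the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class PasswordServer:
    """Disclosing-password login: the secret itself crosses the network."""
    def login(self, wire_message: bytes) -> bool:
        return hmac.compare_digest(wire_message, SHARED_SECRET)

class ChallengeServer:
    """Challenge-response login: only HMAC(secret, fresh nonce) crosses the network."""
    def __init__(self) -> None:
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # fresh, single-use nonce
        return self._pending

    def login(self, wire_message: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is accepted once
        if nonce is None:
            return False
        expected = client_response(SHARED_SECRET, nonce)
        return hmac.compare_digest(wire_message, expected)

def run_comparison() -> dict:
    """Record the bytes a passive listener sees in one login, then present them again."""
    results = {}
    pw = PasswordServer()
    observed = SHARED_SECRET  # bytes seen on the wire
    results["password_login"] = pw.login(observed)
    results["password_replay"] = pw.login(observed)  # recorded bytes still work
    cr = ChallengeServer()
    observed = client_response(SHARED_SECRET, cr.challenge())
    results["challenge_login"] = cr.login(observed)
    cr.challenge()  # the next session is issued a new nonce
    results["challenge_replay"] = cr.login(observed)  # recorded bytes are stale
    return results
```

The second mechanism addresses passive capture and replay only; it does nothing about packets inserted or modified in transit, which is the active attack defined in section 2.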
2. DEFINITION OF TERMS
This section briefly defines some of the terms used in this paper to aid the reader in understanding these suggestions. Other references on this subject might be using slightly different terms and definitions because the security community has not reached full consensus on all definitions. The definitions provided here are specifically focused on the matters discussed in this particular document.
Active Attack: An attempt to improperly modify data, gain authentication, or gain authorization by inserting false packets into the data stream or by modifying packets transiting the data stream. (See passive attacks and replay attacks.)
Asymmetric Cryptography: An encryption system that uses different keys for encryption and decryption. The two keys have an intrinsic mathematical relationship to each other. Also called Public Key Cryptography. (See Symmetric Cryptography.)
Authentication: The verification of the identity of the source of information.