CIFS Authentication Protocol Paul J. Leach Microsoft Preliminary Draft - do not cite Author's draft: 3 This is a preliminary draft of a portion of specification of a proposed new version of the CIFS authentication protocol. It is supplied here as a standalone document for ease of review; if accepted and implemented, it may be incorporated into a future release of the CIFS specification. (This specification is subject to change without notice and should not be construed as a product commitment from Microsoft Corporation.) The original protocol from which this version descends was designed more than a decade ago; recently, quite a few weaknesses have been found in previous versions. This latest revision is an attempt to repair those weaknesses with as small a change to the protocol as possible, so that it can be incrementally and rapidly deployed. In particular, it must not be necessary for all users to change their passwords to deploy the upgraded protocol. Also, efficiency is an issue, so some more robust MAC schemes that could have been used weren't. This portion of the specification describes the authentication protocol abstracted from the implementation details, in order to make scrutiny of its security properties easier. It also only describes the strongest of several variants of the authentication protocol; a brief summary of the other variants is at the end of the document, together with a description of how the real protocols vary from this abstraction. The full details of the protocol are in the CIFS Authentication Specification document; a broader discussion of the security properties, including other attacks, may be found in the CIFS Security Considerations document. 1.1 Overview Session authentication is done via a challenge response protocol based upon the shared knowledge of the user's password. Message authentication is done by attaching a message authentication code (MAC) to each message. The response is computed by DES encrypting a challenge composed of nonces selected by the client and server with two keys derived from the user's password, and extracting half of each of the results. The MAC is a keyed-MD5 construction (see [RFC 1828]), using a key derived from the user's password and the client and server nonces. Each message is either of known fixed length or contains an explicit length, and is longer than an MD5 block, which avoids the known weaknesses of MD5 as a MAC (see [Kal 95]). Each message includes an implicit sequence number, to avoid replay. Paul J. Leach, Microsoft [Page 1] 03/25/97 Preliminary CIFS Authentication ProtocolMay change without notice We describe the authentication protocols as if the CIFS server keeps a database of clients' passwords, but an implementation might actually store the passwords on a key distribution server (KDS) and have servers use a protocol outside the scope of this specification to enable them to perform the steps required by this protocol. 1.2 Definitions Let U be the user's name, blank padded to 16 bytes P(U) be U's password Ks, Ks' be a 128 bit session key Ka, Ka' be a 56 bit DES key extracted from the first seven bytes of Ks Kb, Kb' be another 56 bit DES key extracted from the second seven bytes of Ks Kc, Kc' be another 56 bit DES key extracted from the last two bytes of Ks, padded with zeros SN, SN' be a 32 bit sequence number Km, Km' be a 44 byte key for a keyed-MD5 MAC [s] be the "n" bytes of s starting at byte "m" [s] be the first "n" bytes of s a,b,…z be the concatenation of the byte strings a, b, … z { m }K be the DES encryption [FIPS] of the byte string m with key K MD4(m) be the MD4 message digest [RFC 1320] of the byte string m MD5(m) be the MD5 message digest [RFC 1321] of the byte string m Z(n) be a byte string of zeros of length n CS be an 8 byte nonce chosen by the server, used as a challenge 1.3 Application protocol messages The application protocol being secured is a request/response protocol that has the following characteristics. Authentication is carried out in the process of setting up a session, during which session features are negotiated, the exact details of which do not affect the authentication protocol. Each of the elements of protocol messages is either a fixed length byte string, or contains an explicit length, and is at least 32 bytes long;, and requests are guaranteed to be distinguishable from responses. Mneg be a session negotiation request containing supported features Mnegr be a negotiation response indicating selected features Msess be a session request Msessr be a session response Mreq be a subsequent protocol request Mrsp be a subsequent protocol response Paul J. Leach, Microsoft [Page 2] 03/25/97 Preliminary CIFS Authentication ProtocolMay change without notice 1.4 Session authentication protocol 1. The client computes the session keys from the user's password, initializes its sequence number, and sends a session negotiation request to the server. C: Ks = MD4(P(U)) Ka = [Ks]<7> Kb = [Ks]<7:8> Kc = [Ks]<15:2>, Z(5) SN = 0 C->S: Mneg 2. The server responds with the features negotiated, and a challenge: S->C: Mnegr, CS 3. The client computes a response to the challenge. It computes the MAC key, and the MAC of the message, and send the user name, challenge response, and session request parameters to the server. C: R = {CS}Ka, {CS}Kb, {CS}Kc Km = Ks, R MC = [MD5(Km, SN, Msess, U, R)]<8> C->S: Msess, U, R, MC 4. The server computes the keys by looking up the user's password, and from the keys and the client's challenge, computes the expected response and expected MAC for the request: S: Ks' = MD4(P(U)) Ka' = [Ks']<7> Kb' = [Ks']<7:8> Kc' = [Ks']<15:2>, Z(5) SN' = 0 R' = {CS}Ka', {CS}Kb', {CS}Kc' Km' = Ks, R MC' = [MD5(Km, SN', Msess, U, R)]<8> 5. If R' == R and MC' == MC, then the client has authenticated to the server. The server computes the MAC of its response, then sends the session acknowledgment message, with both nonces, then bumps its sequence number S: MS = [MD5(Km', SN', Msessr)]<8> S->C: Msessr, MS S: SN' = SN' + 1 Paul J. Leach, Microsoft [Page 3] 03/25/97 Preliminary CIFS Authentication ProtocolMay change without notice 6. The client checks if MS' == MS; if so, then the server has authenticated to the client, and the client's sequence number is incremented. C: MS' = [MD5(Km, SN, Msessr, CC, CS)]<8> SN = SN + 1 1.5 Message authentication protocol For each request/response interaction thereafter the following procedure is used: 1. The client send the request together with a MAC of the request: C->S: Mreq, [MD5(Km, SN, Mreq)]<8> 2. The server checks the MAC, and if correct, sends the response, then bumps its sequence number: S->C: Mrsp, [MD5(Km', SN', Mrsp)<8> S: SN' = SN' + 1 3. The client checks the MAC and if correct accepts the response and bumps its sequence number: C: SN = SN + 1 1.6 Summary of other variants and differences There are variants of the authentication protocols; they exist for backwards compatibility. The variants are creating by taking certain allowed combinations of the following differences: · The session key Ks is computed differently. · The message authentication protocol is omitted. · A plaintext password may be sent The feature negotiation step (the exchange of Mneg and Mnegr above) is where the exact variant is selected. Both client and server can force the use of as strong a variant as they require to meet their security policy. The actual authentication protocols differ from the one described in the following ways: · The order of fields in messages may be different · The MAC value is calculated by inserting the implicit sequence number into a field of the message, and computing the MAC; then that field is overwritten with the MAC value for transmission. Paul J. Leach, Microsoft [Page 4] 03/25/97 Preliminary CIFS Authentication ProtocolMay change without notice · Multiple requests or responses may be "batched" together into one message, and single requests or responses may be spread out over multiple messages. It is not believed that any of these differences affect the security of the protocol. The full details of the protocol are in the CIFS Authentication Specification document; a broader discussion of the security properties, including other attacks, may be found in the CIFS Security Considerations document. 1.7 References [FIPS] DES, FIPS PUB xxx [RFC 1320] RFC 1320, R. Rivest, The MD4 Message-Digest Algorithm [RFC 1321] RFC 1321, R. Rivest, The MD5 Message-Digest Algorithm [RFC 1828] RFC 1828, P. Metzger, W. Simpson, "IP Authentication using Keyed MD5", August 1995 {Kal 95] B. Kaliski, M.Robshaw, "Message Authentication with MD5", CryptoBytes, Sping 1995, RSA Inc, (http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm) Paul J. Leach, Microsoft [Page 5] 03/25/97