Internet-Draft | PKINIT DH Modulus Size | August 2021 |
Harwood | Expires 7 February 2022 | [Page] |
Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) permits a client and a Kerberos Domain Controller (KDC) to use a Diffie-Hellman (DH) exchange to derive an encryption key. The group with minimum modulus size permitted for this exchange is 1024 bits, which recent security research has shown to provide insufficient protection against organizations with sufficient computing resources, such as state-sponsored actors. This document updates RFC 4556 to increase the minimum group size to 2048 bits and define permitted groups of size larger than 4096-bits.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 February 2022.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
[RFC4556] specified three permitted groups for DH, which have modulus sizes 1024, 2048, and 4096 bits, respectively. It requires implementation of the 1024-bit and 2048-bit groups, while the 4096-bit group is optional albeit recommended. This document updates [RFC4556] such that the 1024-bit group is no longer permitted and implementation of the 4096-bit group is required based on more recent understanding of DH group weaknesses [LOGJAM]. It also defines two larger groups for futureproofing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
In 2015, [LOGJAM] showed by example that it is very possible to break 768-bit DH groups. The authors extend their method to 1024-bit DH groups as well, and their analysis shows breaking 1024-bit DH groups to be within the reach of state-sponsored actors (or others with that level of computing resources). Accordingly, this document prohibits the use of the previously permitted 1024-bit group and recommends the use of the 4096-bit group.¶
[RFC4556] specifies three groups that can be used for Diffie-Hellman (DH) [RFC2631] key exchange between the client and Kerberos Domain Controller (KDC) [RFC4120]: Oakley 1024-bit Modular Exponential (MODP) well-known group 2 from [RFC2412], Oakley 2048-bit MODP well-known group 14 from [RFC3526], and Oakley 4096-bit MODP well-known group 16 from [RFC3526]. Of the three, implementations were required to support the 1024-bit and 2048-bit groups, while the 4096-bit group was optional.¶
Specifically, this document updates [RFC4556] Section 3.2.1, Item 8, Paragraph 1 as follows:¶
For futureproofing, we define two additional DH groups with larger modulus size. Implementations MAY support 6114-bit MODP group 17 and/or 8192-bit MODP group 18, both as defined by [RFC3526].¶
[RFC4556] mandated the implementation of two groups (of modulus size 1024-bit and 2048-bit respectively). While this document prohibits use of the 1024-bit group, use of the 2048-bit group is still permitted. Thus, pre-existing implementations could use either that 2048-bit group or the optional 4096-bit group for communication with an implementation that conforms to this document.¶
[RFC4556] permits KDC policy to reject DH groups with error code KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. Conforming implementations are thus already prepared to handle group selection failure. Two major implementations of Kerberos, MIT krb5 and Heimdal, have a configuration option for group selection (pkinit_dh_min_bits). In particular, the default value has always been 2048 for MIT krb5, which added PKINIT support in 2007.¶
The security considerations of [RFC4556] continue to apply. As that document states:¶
Kerberos error messages are not integrity protected; as a result, the domain parameters sent by the KDC as TD-DH-PARAMETERS can be tampered with by an attacker so that the set of domain parameters selected could be either weaker or not mutually preferred. Local policy can configure sets of domain parameters acceptable locally, or disallow the negotiation of DH domain parameters.¶
By removing known-dangerous groups, this document attempts to mitigate this attack. This document also permits implementation of only the 4096-bit group, which would effectively disallow parameter negotiation. However, as the field remains unprotected, it is still subject to Denial of Service from tampering in transit.¶
There are no IANA actions requested by this document.¶
This document builds on prior work by the IETF CURves, Deprecating and a Little more Encryption Working Group (curdle), especially that of Loganaden Velvindron and Mark D. Baushke.¶