Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication

	draft-ietf-kitten-scram-2fa-05.txt
	Date:	02/12/2024
	Authors:	Alexey Melnikov
	Working Group:	Common Authentication Technology Next Generation (kitten)

This specification describes an extension to family of Simple Authentication and Security Layer (SASL; RFC 4422) authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which provides support for 2 factor authentication. It also includes a separate extension for quick reauthentication. This specification also gives 2 examples of second factors: TOTP (RFC 6238) and FIDO CTAP1/U2F (Passkey).

Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Common Authentication Technology Next Generation (kitten)

WG	Name	Common Authentication Technology Next Generation
	Acronym	kitten
	Area	Security Area (sec)
	State	Active
	Charter	charter-ietf-kitten-08 Approved
	Status update	Show Changed 2017-11-15
	Document dependencies	Document dependencies Loading... Pan and zoom the dependency graph after the layout settles. Show legend Loading...
	Additional resources	Github organization Issue tracker Wiki Zulip stream
Personnel	Chairs	Alexey Melnikov, Benjamin Kaduk
	Area Director	Paul Wouters
Mailing list	Address	kitten@ietf.org
	To subscribe	https://www.ietf.org/mailman/listinfo/kitten
	Archive	https://mailarchive.ietf.org/arch/browse/kitten/
Chat	Room address	https://zulip.ietf.org/#narrow/stream/kitten

Charter for Working Group

The purpose of the Common Authentication Technology Next Generation
(Kitten) working group (WG) is to develop extensions/improvements to the
GSS-API and to the Kerberos authentication system, shepherd specific
GSS-API security mechanisms, and provide guidance for any new
SASL-related submissions.

This charter combines the work of the Kerberos WG and the kitten WG
(under the aegis of the kitten WG). In places, it identifies which WG
was previously home for that work.

The working group will develop extensions and/or updates to the GSS-API,
working on specific items regarding credential management, replay cache
avoidance, error reporting, and supporting stateless and/or distributed
acceptors.

The working group will also maintain and improve upon the Kerberos
protocol, working on items regarding internationalization considering
alignment with the precis work, new initial authentication types,
authorization framework/data, replay cache avoidance, cryptography
advances, interop with 3rd party authentication, and identity
management.

In detail, both existing and new work items include:

Existing Working Group Items

SASL Mechanism for OAuth (draft-ietf-kitten-sasl-oauth)
SASL Mechansim for SAML-EC (draft-ietf-kitten-sasl-saml-ec)
GSS-API IANA Registry (draft-ietf-kitten-gssapi-extensions-iana)
KDC Model (draft-ietf-krb-wg-kdc-model)
PKINIT Hash Agility (draft-ietf-krb-wg-pkinit-alg-agility)
Kerberos IANA Registry (draft-ietf-kitten-kerberos-iana-registries)
Initial and Pass Through Authentication in Kerberos 5 (draft-ietf-krb-wg-iakerb)
Unencrypted Portion of Ticket Extensions (draft-ietf-krb-wg-ticket-extensions)

Provide new interfaces for credential management, which include the
following:
initializing credentials
iterating credentials
exporting/importing credentials

Negotiable replay cache avoidance

Define interfaces for better error message reporting.

Specify an option for exporting partially-established security
contexts and possibly a utility function for exporting security
contexts in an encrypted form, as well as a corresponding utility
function to decrypt and import such security context tokens.

Specify one-time password / two-factor authentication needs for SASL
applications. This could be achieved through an explicit new
GSS-API/SASL mechanism (e.g.,
http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00) or if
the consensus is that due to usability reasons, it is preferable
to do OTP/2FA through an higher level protocol
(Kerberos/OpenID/SAML/SAML20EC/EAP?) then prepare a document
explaining the usability problem and provide pointers for
implementers.

Prepare, review, and advance standards-track and informational
specifications defining new authorization data types for carrying
supplemental information about the client to which a Kerberos
ticket has been issued and/or restrictions on what the ticket can
be used for. To enhance this ongoing authorization data work, a
container format supporting the use cases of draft-ietf-krb-wg-pad
may be standardized.

Prepare a standards-track protocol to solve the use cases addressed
by draft-hotz-kx509-01 including new support for digital
signatures.

Today Kerberos requires a replay cache to be used in AP exchanges in
almost all cases. Replay caches are quite complex to implement
correctly, particularly in clustered systems. High-performance
replay caches are even more difficult to implement. The WG will
pursue extensions to minimize the need for replay caching,
optimize replay caching, and/or elide the need for replay caching.

Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in the
Kerberos protocol using the RFC3961 framework, on an ongoing
basis. Cryptographic algorithms intended for standards track
status must be of good quality, have broad international support,
and fill a definite need.

Prepare, review, and advance standards-track and informational
specifications of new pre-authentication types for the Kerberos
protocol, on an ongoing basis.

Prepare, review, and advance standards track updates and extensions to
RFC4121, as needed and on an ongoing basis.

Milestones

Date	Milestone	Associated documents
Dec 2022	draft-ietf-kitten-sasl-saml-ec to IESG
Nov 2022	Submit "Best practices for password hashing and storage" to IESG	draft-ietf-kitten-password-storage
Oct 2022	Submit document on 2-Factor Authentication in SASL to IESG
Apr 2022	Decide on preferred solution(s) for 2-Factor Authentication in SASL	draft-ietf-kitten-scram-2fa
Mar 2022	Submit "SPAKE Pre-Authentication" document to IESG	rfc9588 (was draft-ietf-kitten-krb-spake-preauth)
Sep 2013	Adopt work on the GSS-API for replay cache avoidance
Aug 2013	draft-ietf-krb-wg-ticket-extensions to IESG
Aug 2013	Adopt work on exporting partially-established GSS-API contexts
Jul 2013	Adopt work on one or more items for GSS-API cred management
Jul 2013	Adopt work on better error reporting in the GSS-API
Jun 2013	draft-ietf-krb-wg-pad to IESG
Jun 2013	draft-ietf-kitten-kerberos-iana-registries to IESG
May 2013	draft-ietf-kitten-gssapi-extensions-iana to IESG

Done milestones

Date	Milestone	Associated documents
Done	Submit "Channel Bindings for TLS 1.3" to IESG	rfc9266 (was draft-ietf-kitten-tls-channel-bindings-for-tls13)
Done	draft-ietf-krb-wg-pkinit-alg-agility to IESG
Done	draft-ietf-krb-wg-cammac to IESG
Done	draft-ietf-kitten-sasl-oauth to IESG