From 36c993d63feb137156a34000d9f155841740131d Mon Sep 17 00:00:00 2001 From: deniskovalchuk Date: Sun, 24 Mar 2024 20:53:07 +0300 Subject: [PATCH] doc: add RFC2228.txt --- README.md | 1 + doc/RFC2228.txt | 1515 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 1516 insertions(+) create mode 100644 doc/RFC2228.txt diff --git a/README.md b/README.md index 4a0c56c..298ea15 100644 --- a/README.md +++ b/README.md @@ -166,5 +166,6 @@ $ ctest -V ## References - [RFC 959](doc/RFC959.txt) File Transfer Protocol (FTP). J. Postel, J. Reynolds. October 1985. +- [RFC 2228](doc/RFC2228.txt) FTP Security Extensions. October 1997. - [RFC 2428](doc/RFC2428.txt) Extensions for IPv6, NAT, and Extended passive mode. September 1998. - [RFC 3659](doc/RFC3659.txt) Extensions to FTP. P. Hethmon. March 2007. \ No newline at end of file diff --git a/doc/RFC2228.txt b/doc/RFC2228.txt new file mode 100644 index 0000000..1fbfcbf --- /dev/null +++ b/doc/RFC2228.txt @@ -0,0 +1,1515 @@ + + + + + + +Network Working Group M. Horowitz +Request for Comments: 2228 Cygnus Solutions +Updates: 959 S. Lunt +Category: Standards Track Bellcore + October 1997 + + FTP Security Extensions + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1997). All Rights Reserved. + +Abstract + + This document defines extensions to the FTP specification STD 9, RFC + 959, "FILE TRANSFER PROTOCOL (FTP)" (October 1985). These extensions + provide strong authentication, integrity, and confidentiality on both + the control and data channels with the introduction of new optional + commands, replies, and file transfer encodings. + + The following new optional commands are introduced in this + specification: + + AUTH (Authentication/Security Mechanism), + ADAT (Authentication/Security Data), + PROT (Data Channel Protection Level), + PBSZ (Protection Buffer Size), + CCC (Clear Command Channel), + MIC (Integrity Protected Command), + CONF (Confidentiality Protected Command), and + ENC (Privacy Protected Command). + + A new class of reply types (6yz) is also introduced for protected + replies. + + None of the above commands are required to be implemented, but + interdependencies exist. These dependencies are documented with the + commands. + + Note that this specification is compatible with STD 9, RFC 959. + + + +Horowitz & Lunt Standards Track [Page 1] + +RFC 2228 FTP Security Extensions October 1997 + + +1. Introduction + + The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959 + and in place on the Internet uses usernames and passwords passed in + cleartext to authenticate clients to servers (via the USER and PASS + commands). Except for services such as "anonymous" FTP archives, + this represents a security risk whereby passwords can be stolen + through monitoring of local and wide-area networks. This either aids + potential attackers through password exposure and/or limits + accessibility of files by FTP servers who cannot or will not accept + the inherent security risks. + + Aside from the problem of authenticating users in a secure manner, + there is also the problem of authenticating servers, protecting + sensitive data and/or verifying its integrity. An attacker may be + able to access valuable or sensitive data merely by monitoring a + network, or through active means may be able to delete or modify the + data being transferred so as to corrupt its integrity. An active + attacker may also initiate spurious file transfers to and from a site + of the attacker's choice, and may invoke other commands on the + server. FTP does not currently have any provision for the encryption + or verification of the authenticity of commands, replies, or + transferred data. Note that these security services have value even + to anonymous file access. + + Current practice for sending files securely is generally either: + + 1. via FTP of files pre-encrypted under keys which are manually + distributed, + + 2. via electronic mail containing an encoding of a file encrypted + under keys which are manually distributed, + + 3. via a PEM message, or + + 4. via the rcp command enhanced to use Kerberos. + + None of these means could be considered even a de facto standard, and + none are truly interactive. A need exists to securely transfer files + using FTP in a secure manner which is supported within the FTP + protocol in a consistent manner and which takes advantage of existing + security infrastructure and technology. Extensions are necessary to + the FTP specification if these security services are to be introduced + into the protocol in an interoperable way. + + + + + + + +Horowitz & Lunt Standards Track [Page 2] + +RFC 2228 FTP Security Extensions October 1997 + + + Although the FTP control connection follows the Telnet protocol, and + Telnet has defined an authentication and encryption option [TELNET- + SEC], [RFC-1123] explicitly forbids the use of Telnet option + negotiation over the control connection (other than Synch and IP). + + Also, the Telnet authentication and encryption option does not + provide for integrity protection only (without confidentiality), and + does not address the protection of the data channel. + +2. FTP Security Overview + + At the highest level, the FTP security extensions seek to provide an + abstract mechanism for authenticating and/or authorizing connections, + and integrity and/or confidentiality protecting commands, replies, + and data transfers. + + In the context of FTP security, authentication is the establishment + of a client's identity and/or a server's identity in a secure way, + usually using cryptographic techniques. The basic FTP protocol does + not have a concept of authentication. + + Authorization is the process of validating a user for login. The + basic authorization process involves the USER, PASS, and ACCT + commands. With the FTP security extensions, authentication + established using a security mechanism may also be used to make the + authorization decision. + + Without the security extensions, authentication of the client, as + this term is usually understood, never happens. FTP authorization is + accomplished with a password, passed on the network in the clear as + the argument to the PASS command. The possessor of this password is + assumed to be authorized to transfer files as the user named in the + USER command, but the identity of the client is never securely + established. + + An FTP security interaction begins with a client telling the server + what security mechanism it wants to use with the AUTH command. The + server will either accept this mechanism, reject this mechanism, or, + in the case of a server which does not implement the security + extensions, reject the command completely. The client may try + multiple security mechanisms until it requests one which the server + accepts. This allows a rudimentary form of negotiation to take + place. (If more complex negotiation is desired, this may be + implemented as a security mechanism.) The server's reply will + indicate if the client must respond with additional data for the + + + + + + +Horowitz & Lunt Standards Track [Page 3] + +RFC 2228 FTP Security Extensions October 1997 + + + security mechanism to interpret. If none is needed, this will + usually mean that the mechanism is one where the password (specified + by the PASS command) is to be interpreted differently, such as with a + token or one-time password system. + + If the server requires additional security information, then the + client and server will enter into a security data exchange. The + client will send an ADAT command containing the first block of + security data. The server's reply will indicate if the data exchange + is complete, if there was an error, or if more data is needed. The + server's reply can optionally contain security data for the client to + interpret. If more data is needed, the client will send another ADAT + command containing the next block of data, and await the server's + reply. This exchange can continue as many times as necessary. Once + this exchange completes, the client and server have established a + security association. This security association may include + authentication (client, server, or mutual) and keying information for + integrity and/or confidentiality, depending on the mechanism in use. + + The term "security data" here is carefully chosen. The purpose of + the security data exchange is to establish a security association, + which might not actually include any authentication at all, between + the client and the server as described above. For instance, a + Diffie-Hellman exchange establishes a secret key, but no + authentication takes place. If an FTP server has an RSA key pair but + the client does not, then the client can authenticate the server, but + the server cannot authenticate the client. + + Once a security association is established, authentication which is a + part of this association may be used instead of or in addition to the + standard username/password exchange for authorizing a user to connect + to the server. A username specified by the USER command is always + required to specify the identity to be used on the server. + + In order to prevent an attacker from inserting or deleting commands + on the control stream, if the security association supports + integrity, then the server and client must use integrity protection + on the control stream, unless it first transmits a CCC command to + turn off this requirement. Integrity protection is performed with + the MIC and ENC commands, and the 63z reply codes. The CCC command + and its reply must be transmitted with integrity protection. + Commands and replies may be transmitted without integrity (that is, + in the clear or with confidentiality only) only if no security + association is established, the negotiated security association does + not support integrity, or the CCC command has succeeded. + + + + + + +Horowitz & Lunt Standards Track [Page 4] + +RFC 2228 FTP Security Extensions October 1997 + + + Once the client and server have negotiated with the PBSZ command an + acceptable buffer size for encapsulating protected data over the data + channel, the security mechanism may also be used to protect data + channel transfers. + + Policy is not specified by this document. In particular, client and + server implementations may choose to implement restrictions on what + operations can be performed depending on the security association + which exists. For example, a server may require that a client + authorize via a security mechanism rather than using a password, + require that the client provide a one-time password from a token, + require at least integrity protection on the command channel, or + require that certain files only be transmitted encrypted. An + anonymous ftp client might refuse to do file transfers without + integrity protection in order to insure the validity of files + downloaded. + + No particular set of functionality is required, except as + dependencies described in the next section. This means that none of + authentication, integrity, or confidentiality are required of an + implementation, although a mechanism which does none of these is not + of much use. For example, it is acceptable for a mechanism to + implement only integrity protection, one-way authentication and/or + encryption, encryption without any authentication or integrity + protection, or any other subset of functionality if policy or + technical considerations make this desirable. Of course, one peer + might require as a matter of policy stronger protection than the + other is able to provide, preventing perfect interoperability. + +3. New FTP Commands + + The following commands are optional, but dependent on each other. + They are extensions to the FTP Access Control Commands. + + The reply codes documented here are generally described as + recommended, rather than required. The intent is that reply codes + describing the full range of success and failure modes exist, but + that servers be allowed to limit information presented to the client. + For example, a server might implement a particular security + mechanism, but have a policy restriction against using it. The + server should respond with a 534 reply code in this case, but may + respond with a 504 reply code if it does not wish to divulge that the + disallowed mechanism is supported. If the server does choose to use + a different reply code than the recommended one, it should try to use + a reply code which only differs in the last digit. In all cases, the + server must use a reply code which is documented as returnable from + the command received, and this reply code must begin with the same + digit as the recommended reply code for the situation. + + + +Horowitz & Lunt Standards Track [Page 5] + +RFC 2228 FTP Security Extensions October 1997 + + + AUTHENTICATION/SECURITY MECHANISM (AUTH) + + The argument field is a Telnet string identifying a supported + mechanism. This string is case-insensitive. Values must be + registered with the IANA, except that values beginning with "X-" + are reserved for local use. + + If the server does not recognize the AUTH command, it must respond + with reply code 500. This is intended to encompass the large + deployed base of non-security-aware ftp servers, which will + respond with reply code 500 to any unrecognized command. If the + server does recognize the AUTH command but does not implement the + security extensions, it should respond with reply code 502. + + If the server does not understand the named security mechanism, it + should respond with reply code 504. + + If the server is not willing to accept the named security + mechanism, it should respond with reply code 534. + + If the server is not able to accept the named security mechanism, + such as if a required resource is unavailable, it should respond + with reply code 431. + + If the server is willing to accept the named security mechanism, + but requires security data, it must respond with reply code 334. + + If the server is willing to accept the named security mechanism, + and does not require any security data, it must respond with reply + code 234. + + If the server is responding with a 334 reply code, it may include + security data as described in the next section. + + Some servers will allow the AUTH command to be reissued in order + to establish new authentication. The AUTH command, if accepted, + removes any state associated with prior FTP Security commands. + The server must also require that the user reauthorize (that is, + reissue some or all of the USER, PASS, and ACCT commands) in this + case (see section 4 for an explanation of "authorize" in this + context). + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 6] + +RFC 2228 FTP Security Extensions October 1997 + + + AUTHENTICATION/SECURITY DATA (ADAT) + + The argument field is a Telnet string representing base 64 encoded + security data (see Section 9, "Base 64 Encoding"). If a reply + code indicating success is returned, the server may also use a + string of the form "ADAT=base64data" as the text part of the reply + if it wishes to convey security data back to the client. + + The data in both cases is specific to the security mechanism + specified by the previous AUTH command. The ADAT command, and the + associated replies, allow the client and server to conduct an + arbitrary security protocol. The security data exchange must + include enough information for both peers to be aware of which + optional features are available. For example, if the client does + not support data encryption, the server must be made aware of + this, so it will know not to send encrypted command channel + replies. It is strongly recommended that the security mechanism + provide sequencing on the command channel, to insure that commands + are not deleted, reordered, or replayed. + + The ADAT command must be preceded by a successful AUTH command, + and cannot be issued once a security data exchange completes + (successfully or unsuccessfully), unless it is preceded by an AUTH + command to reset the security state. + + If the server has not yet received an AUTH command, or if a prior + security data exchange completed, but the security state has not + been reset with an AUTH command, it should respond with reply code + 503. + + If the server cannot base 64 decode the argument, it should + respond with reply code 501. + + If the server rejects the security data (if a checksum fails, for + instance), it should respond with reply code 535. + + If the server accepts the security data, and requires additional + data, it should respond with reply code 335. + + If the server accepts the security data, but does not require any + additional data (i.e., the security data exchange has completed + successfully), it must respond with reply code 235. + + If the server is responding with a 235 or 335 reply code, then it + may include security data in the text part of the reply as + specified above. + + + + + +Horowitz & Lunt Standards Track [Page 7] + +RFC 2228 FTP Security Extensions October 1997 + + + If the ADAT command returns an error, the security data exchange + will fail, and the client must reset its internal security state. + If the client becomes unsynchronized with the server (for example, + the server sends a 234 reply code to an AUTH command, but the + client has more data to transmit), then the client must reset the + server's security state. + + PROTECTION BUFFER SIZE (PBSZ) + + The argument is a decimal integer representing the maximum size, + in bytes, of the encoded data blocks to be sent or received during + file transfer. This number shall be no greater than can be + represented in a 32-bit unsigned integer. + + This command allows the FTP client and server to negotiate a + maximum protected buffer size for the connection. There is no + default size; the client must issue a PBSZ command before it can + issue the first PROT command. + + The PBSZ command must be preceded by a successful security data + exchange. + + If the server cannot parse the argument, or if it will not fit in + 32 bits, it should respond with a 501 reply code. + + If the server has not completed a security data exchange with the + client, it should respond with a 503 reply code. + + Otherwise, the server must reply with a 200 reply code. If the + size provided by the client is too large for the server, it must + use a string of the form "PBSZ=number" in the text part of the + reply to indicate a smaller buffer size. The client and the + server must use the smaller of the two buffer sizes if both buffer + sizes are specified. + + DATA CHANNEL PROTECTION LEVEL (PROT) + + The argument is a single Telnet character code specifying the data + channel protection level. + + This command indicates to the server what type of data channel + protection the client and server will be using. The following + codes are assigned: + + C - Clear + S - Safe + E - Confidential + P - Private + + + +Horowitz & Lunt Standards Track [Page 8] + +RFC 2228 FTP Security Extensions October 1997 + + + The default protection level if no other level is specified is + Clear. The Clear protection level indicates that the data channel + will carry the raw data of the file transfer, with no security + applied. The Safe protection level indicates that the data will + be integrity protected. The Confidential protection level + indicates that the data will be confidentiality protected. The + Private protection level indicates that the data will be integrity + and confidentiality protected. + + It is reasonable for a security mechanism not to provide all data + channel protection levels. It is also reasonable for a mechanism + to provide more protection at a level than is required (for + instance, a mechanism might provide Confidential protection, but + include integrity-protection in that encoding, due to API or other + considerations). + + The PROT command must be preceded by a successful protection + buffer size negotiation. + + If the server does not understand the specified protection level, + it should respond with reply code 504. + + If the current security mechanism does not support the specified + protection level, the server should respond with reply code 536. + + If the server has not completed a protection buffer size + negotiation with the client, it should respond with a 503 reply + code. + + The PROT command will be rejected and the server should reply 503 + if no previous PBSZ command was issued. + + If the server is not willing to accept the specified protection + level, it should respond with reply code 534. + + If the server is not able to accept the specified protection + level, such as if a required resource is unavailable, it should + respond with reply code 431. + + Otherwise, the server must reply with a 200 reply code to indicate + that the specified protection level is accepted. + + CLEAR COMMAND CHANNEL (CCC) + + This command does not take an argument. + + + + + + +Horowitz & Lunt Standards Track [Page 9] + +RFC 2228 FTP Security Extensions October 1997 + + + It is desirable in some environments to use a security mechanism + to authenticate and/or authorize the client and server, but not to + perform any integrity checking on the subsequent commands. This + might be used in an environment where IP security is in place, + insuring that the hosts are authenticated and that TCP streams + cannot be tampered, but where user authentication is desired. + + If unprotected commands are allowed on any connection, then an + attacker could insert a command on the control stream, and the + server would have no way to know that it was invalid. In order to + prevent such attacks, once a security data exchange completes + successfully, if the security mechanism supports integrity, then + integrity (via the MIC or ENC command, and 631 or 632 reply) must + be used, until the CCC command is issued to enable non-integrity + protected control channel messages. The CCC command itself must + be integrity protected. + + Once the CCC command completes successfully, if a command is not + protected, then the reply to that command must also not be + protected. This is to support interoperability with clients which + do not support protection once the CCC command has been issued. + + This command must be preceded by a successful security data + exchange. + + If the command is not integrity-protected, the server must respond + with a 533 reply code. + + If the server is not willing to turn off the integrity + requirement, it should respond with a 534 reply code. + + Otherwise, the server must reply with a 200 reply code to indicate + that unprotected commands and replies may now be used on the + command channel. + + INTEGRITY PROTECTED COMMAND (MIC) and + CONFIDENTIALITY PROTECTED COMMAND (CONF) and + PRIVACY PROTECTED COMMAND (ENC) + + The argument field of MIC is a Telnet string consisting of a base + 64 encoded "safe" message produced by a security mechanism + specific message integrity procedure. The argument field of CONF + is a Telnet string consisting of a base 64 encoded "confidential" + message produced by a security mechanism specific confidentiality + procedure. The argument field of ENC is a Telnet string + consisting of a base 64 encoded "private" message produced by a + security mechanism specific message integrity and confidentiality + procedure. + + + +Horowitz & Lunt Standards Track [Page 10] + +RFC 2228 FTP Security Extensions October 1997 + + + The server will decode and/or verify the encoded message. + + This command must be preceded by a successful security data + exchange. + + A server may require that the first command after a successful + security data exchange be CCC, and not implement the protection + commands at all. In this case, the server should respond with a + 502 reply code. + + If the server cannot base 64 decode the argument, it should + respond with a 501 reply code. + + If the server has not completed a security data exchange with the + client, it should respond with a 503 reply code. + + If the server has completed a security data exchange with the + client using a mechanism which supports integrity, and requires a + CCC command due to policy or implementation limitations, it should + respond with a 503 reply code. + + If the server rejects the command because it is not supported by + the current security mechanism, the server should respond with + reply code 537. + + If the server rejects the command (if a checksum fails, for + instance), it should respond with reply code 535. + + If the server is not willing to accept the command (if privacy is + required by policy, for instance, or if a CONF command is received + before a CCC command), it should respond with reply code 533. + + Otherwise, the command will be interpreted as an FTP command. An + end-of-line code need not be included, but if one is included, it + must be a Telnet end-of-line code, not a local end-of-line code. + + The server may require that, under some or all circumstances, all + commands be protected. In this case, it should make a 533 reply + to commands other than MIC, CONF, and ENC. + +4. Login Authorization + + The security data exchange may, among other things, establish the + identity of the client in a secure way to the server. This identity + may be used as one input to the login authorization process. + + + + + + +Horowitz & Lunt Standards Track [Page 11] + +RFC 2228 FTP Security Extensions October 1997 + + + In response to the FTP login commands (AUTH, PASS, ACCT), the server + may choose to change the sequence of commands and replies specified + by RFC 959 as follows. There are also some new replies available. + + If the server is willing to allow the user named by the USER command + to log in based on the identity established by the security data + exchange, it should respond with reply code 232. + + If the security mechanism requires a challenge/response password, it + should respond to the USER command with reply code 336. The text + part of the reply should contain the challenge. The client must + display the challenge to the user before prompting for the password + in this case. This is particularly relevant to more sophisticated + clients or graphical user interfaces which provide dialog boxes or + other modal input. These clients should be careful not to prompt for + the password before the username has been sent to the server, in case + the user needs the challenge in the 336 reply to construct a valid + password. + +5. New FTP Replies + + The new reply codes are divided into two classes. The first class is + new replies made necessary by the new FTP Security commands. The + second class is a new reply type to indicate protected replies. + + 5.1. New individual reply codes + + 232 User logged in, authorized by security data exchange. + 234 Security data exchange complete. + 235 [ADAT=base64data] + ; This reply indicates that the security data exchange + ; completed successfully. The square brackets are not + ; to be included in the reply, but indicate that + ; security data in the reply is optional. + + 334 [ADAT=base64data] + ; This reply indicates that the requested security mechanism + ; is ok, and includes security data to be used by the client + ; to construct the next command. The square brackets are not + ; to be included in the reply, but indicate that + ; security data in the reply is optional. + 335 [ADAT=base64data] + ; This reply indicates that the security data is + ; acceptable, and more is required to complete the + ; security data exchange. The square brackets + ; are not to be included in the reply, but indicate + ; that security data in the reply is optional. + + + + +Horowitz & Lunt Standards Track [Page 12] + +RFC 2228 FTP Security Extensions October 1997 + + + 336 Username okay, need password. Challenge is "...." + ; The exact representation of the challenge should be chosen + ; by the mechanism to be sensible to the human user of the + ; system. + + 431 Need some unavailable resource to process security. + + 533 Command protection level denied for policy reasons. + 534 Request denied for policy reasons. + 535 Failed security check (hash, sequence, etc). + 536 Requested PROT level not supported by mechanism. + 537 Command protection level not supported by security mechanism. + + 5.2. Protected replies. + + One new reply type is introduced: + + 6yz Protected reply + + There are three reply codes of this type. The first, reply + code 631 indicates an integrity protected reply. The + second, reply code 632, indicates a confidentiality and + integrity protected reply. the third, reply code 633, + indicates a confidentiality protected reply. + + The text part of a 631 reply is a Telnet string consisting + of a base 64 encoded "safe" message produced by a security + mechanism specific message integrity procedure. The text + part of a 632 reply is a Telnet string consisting of a base + 64 encoded "private" message produced by a security + mechanism specific message confidentiality and integrity + procedure. The text part of a 633 reply is a Telnet string + consisting of a base 64 encoded "confidential" message + produced by a security mechanism specific message + confidentiality procedure. + + The client will decode and verify the encoded reply. How + failures decoding or verifying replies are handled is + implementation-specific. An end-of-line code need not be + included, but if one is included, it must be a Telnet end- + of-line code, not a local end-of-line code. + + A protected reply may only be sent if a security data + exchange has succeeded. + + The 63z reply may be a multiline reply. In this case, the + plaintext reply must be broken up into a number of + fragments. Each fragment must be protected, then base 64 + + + +Horowitz & Lunt Standards Track [Page 13] + +RFC 2228 FTP Security Extensions October 1997 + + + encoded in order into a separate line of the multiline + reply. There need not be any correspondence between the + line breaks in the plaintext reply and the encoded reply. + Telnet end-of-line codes must appear in the plaintext of the + encoded reply, except for the final end-of-line code, which + is optional. + + The multiline reply must be formatted more strictly than the + continuation specification in RFC 959. In particular, each + line before the last must be formed by the reply code, + followed immediately by a hyphen, followed by a base 64 + encoded fragment of the reply. + + For example, if the plaintext reply is + + 123-First line + Second line + 234 A line beginning with numbers + 123 The last line + + then the resulting protected reply could be any of the + following (the first example has a line break only to fit + within the margins): + + 631 base64(protect("123-First line\r\nSecond line\r\n 234 A line + 631-base64(protect("123-First line\r\n")) + 631-base64(protect("Second line\r\n")) + 631-base64(protect(" 234 A line beginning with numbers\r\n")) + 631 base64(protect("123 The last line")) + + 631-base64(protect("123-First line\r\nSecond line\r\n 234 A line b")) + 631 base64(protect("eginning with numbers\r\n123 The last line\r\n")) + +6. Data Channel Encapsulation + + When data transfers are protected between the client and server (in + either direction), certain transformations and encapsulations must be + performed so that the recipient can properly decode the transmitted + file. + + The sender must apply all protection services after transformations + associated with the representation type, file structure, and transfer + mode have been performed. The data sent over the data channel is, + for the purposes of protection, to be treated as a byte stream. + + When performing a data transfer in an authenticated manner, the + authentication checks are performed on individual blocks of the file, + rather than on the file as a whole. Consequently, it is possible for + + + +Horowitz & Lunt Standards Track [Page 14] + +RFC 2228 FTP Security Extensions October 1997 + + + insertion attacks to insert blocks into the data stream (i.e., + replays) that authenticate correctly, but result in a corrupted file + being undetected by the receiver. To guard against such attacks, the + specific security mechanism employed should include mechanisms to + protect against such attacks. Many GSS-API mechanisms usable with + the specification in Appendix I, and the Kerberos mechanism in + Appendix II do so. + + The sender must take the input byte stream, and break it up into + blocks such that each block, when encoded using a security mechanism + specific procedure, will be no larger than the buffer size negotiated + by the client with the PBSZ command. Each block must be encoded, + then transmitted with the length of the encoded block prepended as a + four byte unsigned integer, most significant byte first. + + When the end of the file is reached, the sender must encode a block + of zero bytes, and send this final block to the recipient before + closing the data connection. + + The recipient will read the four byte length, read a block of data + that many bytes long, then decode and verify this block with a + security mechanism specific procedure. This must be repeated until a + block encoding a buffer of zero bytes is received. This indicates + the end of the encoded byte stream. + + Any transformations associated with the representation type, file + structure, and transfer mode are to be performed by the recipient on + the byte stream resulting from the above process. + + When using block transfer mode, the sender's (cleartext) buffer size + is independent of the block size. + + The server will reply 534 to a STOR, STOU, RETR, LIST, NLST, or APPE + command if the current protection level is not at the level dictated + by the server's security requirements for the particular file + transfer. + + If any data protection services fail at any time during data transfer + at the server end (including an attempt to send a buffer size greater + than the negotiated maximum), the server will send a 535 reply to the + data transfer command (either STOR, STOU, RETR, LIST, NLST, or APPE). + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 15] + +RFC 2228 FTP Security Extensions October 1997 + + +7. Potential policy considerations + + While there are no restrictions on client and server policy, there + are a few recommendations which an implementation should implement. + + - Once a security data exchange takes place, a server should require + all commands be protected (with integrity and/or confidentiality), + and it should protect all replies. Replies should use the same + level of protection as the command which produced them. This + includes replies which indicate failure of the MIC, CONF, and ENC + commands. In particular, it is not meaningful to require that + AUTH and ADAT be protected; it is meaningful and useful to require + that PROT and PBSZ be protected. In particular, the use of CCC is + not recommended, but is defined in the interest of + interoperability between implementations which might desire such + functionality. + + - A client should encrypt the PASS command whenever possible. It is + reasonable for the server to refuse to accept a non-encrypted PASS + command if the server knows encryption is available. + + - Although no security commands are required to be implemented, it + is recommended that an implementation provide all commands which + can be implemented, given the mechanisms supported and the policy + considerations of the site (export controls, for instance). + +8. Declarative specifications + + These sections are modelled after sections 5.3 and 5.4 of RFC 959, + which describe the same information, except for the standard FTP + commands and replies. + + 8.1. FTP Security commands and arguments + + AUTH + ADAT + PROT + PBSZ + MIC + CONF + ENC + + ::= + ::= + ; must be formatted as described in section 9 + ::= C | S | E | P + ::= any decimal integer from 1 to (2^32)-1 + + + + +Horowitz & Lunt Standards Track [Page 16] + +RFC 2228 FTP Security Extensions October 1997 + + + 8.2. Command-Reply sequences + + Security Association Setup + AUTH + 234 + 334 + 502, 504, 534, 431 + 500, 501, 421 + ADAT + 235 + 335 + 503, 501, 535 + 500, 501, 421 + Data protection negotiation commands + PBSZ + 200 + 503 + 500, 501, 421, 530 + PROT + 200 + 504, 536, 503, 534, 431 + 500, 501, 421, 530 + Command channel protection commands + MIC + 535, 533 + 500, 501, 421 + CONF + 535, 533 + 500, 501, 421 + ENC + 535, 533 + 500, 501, 421 + Security-Enhanced login commands (only new replies listed) + USER + 232 + 336 + Data channel commands (only new replies listed) + STOR + 534, 535 + STOU + 534, 535 + RETR + 534, 535 + + + + + + + + +Horowitz & Lunt Standards Track [Page 17] + +RFC 2228 FTP Security Extensions October 1997 + + + LIST + 534, 535 + NLST + 534, 535 + APPE + 534, 535 + + In addition to these reply codes, any security command can return + 500, 501, 502, 533, or 421. Any ftp command can return a reply + code encapsulated in a 631, 632, or 633 reply once a security data + exchange has completed successfully. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 18] + +RFC 2228 FTP Security Extensions October 1997 + + +9. State Diagrams + + This section includes a state diagram which demonstrates the flow of + authentication and authorization in a security enhanced FTP + implementation. The rectangular blocks show states where the client + must issue a command, and the diamond blocks show states where the + server must issue a response. + + + ,------------------, USER + __\| Unauthenticated |_________\ + | /| (new connection) | /| + | `------------------' | + | | | + | | AUTH | + | V | + | / \ | + | 4yz,5yz / \ 234 | + |<--------< >------------->. | + | \ / | | + | \_/ | | + | | | | + | | 334 | | + | V | | + | ,--------------------, | | + | | Need Security Data |<--. | | + | `--------------------' | | | + | | | | | + | | ADAT | | | + | V | | | + | / \ | | | + | 4yz,5yz / \ 335 | | | + `<--------< >-----------' | | + \ / | | + \_/ | | + | | | + | 235 | | + V | | + ,---------------. | | + ,--->| Authenticated |<--------' | After the client and server + | `---------------' | have completed authenti- + | | | cation, command must be + | | USER | integrity-protected if + | | | integrity is available. The + | |<-------------------' CCC command may be issued to + | V relax this restriction. + + + + + +Horowitz & Lunt Standards Track [Page 19] + +RFC 2228 FTP Security Extensions October 1997 + + + | / \ + | 4yz,5yz / \ 2yz + |<--------< >------------->. + | \ / | + | \_/ | + | | | + | | 3yz | + | V | + | ,---------------. | + | | Need Password | | + | `---------------' | + | | | + | | PASS | + | V | + | / \ | + | 4yz,5yz / \ 2yz | + |<--------< >------------->| + | \ / | + | \_/ | + | | | + | | 3yz | + | V | + | ,--------------. | + | | Need Account | | + | `--------------' | + | | | + | | ACCT | + | V | + | / \ | + | 4yz,5yz / \ 2yz | + `<--------< >------------->| + \ / | + \_/ | + | | + | 3yz | + V | + ,-------------. | + | Authorized |/________| + | (Logged in) |\ + `-------------' + + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 20] + +RFC 2228 FTP Security Extensions October 1997 + + +10. Base 64 Encoding + + Base 64 encoding is the same as the Printable Encoding described in + Section 4.3.2.4 of [RFC-1421], except that line breaks must not be + included. This encoding is defined as follows. + + Proceeding from left to right, the bit string resulting from the + mechanism specific protection routine is encoded into characters + which are universally representable at all sites, though not + necessarily with the same bit patterns (e.g., although the character + "E" is represented in an ASCII-based system as hexadecimal 45 and as + hexadecimal C5 in an EBCDIC-based system, the local significance of + the two representations is equivalent). + + A 64-character subset of International Alphabet IA5 is used, enabling + 6 bits to be represented per printable character. (The proposed + subset of characters is represented identically in IA5 and ASCII.) + The character "=" signifies a special processing function used for + padding within the printable encoding procedure. + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right + across a 24-bit input group output from the security mechanism + specific message protection procedure, each 6-bit group is used as an + index into an array of 64 printable characters, namely "[A-Z][a- + z][0-9]+/". The character referenced by the index is placed in the + output string. These characters are selected so as to be universally + representable, and the set excludes characters with particular + significance to Telnet (e.g., "", "", IAC). + + Special processing is performed if fewer than 24 bits are available + in an input group at the end of a message. A full encoding quantum + is always completed at the end of a message. When fewer than 24 + input bits are available in an input group, zero bits are added (on + the right) to form an integral number of 6-bit groups. Output + character positions which are not required to represent actual input + data are set to the character "=". Since all canonically encoded + output is an integral number of octets, only the following cases can + arise: (1) the final quantum of encoding input is an integral + multiple of 24 bits; here, the final unit of encoded output will be + an integral multiple of 4 characters with no "=" padding, (2) the + final quantum of encoding input is exactly 8 bits; here, the final + unit of encoded output will be two characters followed by two "=" + padding characters, or (3) the final quantum of encoding input is + exactly 16 bits; here, the final unit of encoded output will be three + characters followed by one "=" padding character. + + + + + +Horowitz & Lunt Standards Track [Page 21] + +RFC 2228 FTP Security Extensions October 1997 + + + Implementors must keep in mind that the base 64 encodings in ADAT, + MIC, CONF, and ENC commands, and in 63z replies may be arbitrarily + long. Thus, the entire line must be read before it can be processed. + Several successive reads on the control channel may be necessary. It + is not appropriate to for a server to reject a command containing a + base 64 encoding simply because it is too long (assuming that the + decoding is otherwise well formed in the context in which it was + sent). + + Case must not be ignored when reading commands and replies containing + base 64 encodings. + +11. Security Considerations + + This entire document deals with security considerations related to + the File Transfer Protocol. + + Third party file transfers cannot be secured using these extensions, + since a security context cannot be established between two servers + using these facilities (no control connection exists between servers + over which to pass ADAT tokens). Further work in this area is + deferred. + +12. Acknowledgements + + I would like to thank the members of the CAT WG, as well as all + participants in discussions on the "cat-ietf@mit.edu" mailing list, + for their contributions to this document. I would especially like to + thank Sam Sjogren, John Linn, Ted Ts'o, Jordan Brown, Michael Kogut, + Derrick Brashear, John Gardiner Myers, Denis Pinkas, and Karri Balk + for their contributions to this work. Of course, without Steve Lunt, + the author of the first six revisions of this document, it would not + exist at all. + +13. References + + [TELNET-SEC] Borman, D., "Telnet Authentication and Encryption + Option", Work in Progress. + + [RFC-1123] Braden, R., "Requirements for Internet Hosts -- + Application and Support", STD 3, RFC 1123, October 1989. + + [RFC-1421] Linn, J., "Privacy Enhancement for Internet Electronic + Mail: Part I: Message Encryption and Authentication Procedures", + RFC 1421, February 1993. + + + + + + +Horowitz & Lunt Standards Track [Page 22] + +RFC 2228 FTP Security Extensions October 1997 + + +14. Author's Address + + Marc Horowitz + Cygnus Solutions + 955 Massachusetts Avenue + Cambridge, MA 02139 + + Phone: +1 617 354 7688 + EMail: marc@cygnus.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 23] + +RFC 2228 FTP Security Extensions October 1997 + + +Appendix I: Specification under the GSSAPI + + In order to maximise the utility of new security mechanisms, it is + desirable that new mechanisms be implemented as GSSAPI mechanisms + rather than as FTP security mechanisms. This will enable existing + ftp implementations to support the new mechanisms more easily, since + little or no code will need to be changed. In addition, the + mechanism will be usable by other protocols, such as IMAP, which are + built on top of the GSSAPI, with no additional specification or + implementation work needed by the mechanism designers. + + The security mechanism name (for the AUTH command) associated with + all mechanisms employing the GSSAPI is GSSAPI. If the server + supports a security mechanism employing the GSSAPI, it must respond + with a 334 reply code indicating that an ADAT command is expected + next. + + The client must begin the authentication exchange by calling + GSS_Init_Sec_Context, passing in 0 for input_context_handle + (initially), and a targ_name equal to output_name from + GSS_Import_Name called with input_name_type of Host-Based Service and + input_name_string of "ftp@hostname" where "hostname" is the fully + qualified host name of the server with all letters in lower case. + (Failing this, the client may try again using input_name_string of + "host@hostname".) The output_token must then be base 64 encoded and + sent to the server as the argument to an ADAT command. If + GSS_Init_Sec_Context returns GSS_S_CONTINUE_NEEDED, then the client + must expect a token to be returned in the reply to the ADAT command. + This token must subsequently be passed to another call to + GSS_Init_Sec_Context. In this case, if GSS_Init_Sec_Context returns + no output_token, then the reply code from the server for the previous + ADAT command must have been 235. If GSS_Init_Sec_Context returns + GSS_S_COMPLETE, then no further tokens are expected from the server, + and the client must consider the server authenticated. + + The server must base 64 decode the argument to the ADAT command and + pass the resultant token to GSS_Accept_Sec_Context as input_token, + setting acceptor_cred_handle to NULL (for "use default credentials"), + and 0 for input_context_handle (initially). If an output_token is + returned, it must be base 64 encoded and returned to the client by + including "ADAT=base64string" in the text of the reply. If + GSS_Accept_Sec_Context returns GSS_S_COMPLETE, the reply code must be + 235, and the server must consider the client authenticated. If + GSS_Accept_Sec_Context returns GSS_S_CONTINUE_NEEDED, the reply code + must be 335. Otherwise, the reply code should be 535, and the text + of the reply should contain a descriptive error message. + + + + + +Horowitz & Lunt Standards Track [Page 24] + +RFC 2228 FTP Security Extensions October 1997 + + + The chan_bindings input to GSS_Init_Sec_Context and + GSS_Accept_Sec_Context should use the client internet address and + server internet address as the initiator and acceptor addresses, + respectively. The address type for both should be GSS_C_AF_INET. No + application data should be specified. + + Since GSSAPI supports anonymous peers to security contexts, it is + possible that the client's authentication of the server does not + actually establish an identity. + + The procedure associated with MIC commands, 631 replies, and Safe + file transfers is: + + GSS_Wrap for the sender, with conf_flag == FALSE + + GSS_Unwrap for the receiver + + The procedure associated with ENC commands, 632 replies, and Private + file transfers is: + + GSS_Wrap for the sender, with conf_flag == TRUE + GSS_Unwrap for the receiver + + CONF commands and 633 replies are not supported. + + Both the client and server should inspect the value of conf_avail to + determine whether the peer supports confidentiality services. + + When the security state is reset (when AUTH is received a second + time, or when REIN is received), this should be done by calling the + GSS_Delete_sec_context function. + +Appendix II: Specification under Kerberos version 4 + + The security mechanism name (for the AUTH command) associated with + Kerberos Version 4 is KERBEROS_V4. If the server supports + KERBEROS_V4, it must respond with a 334 reply code indicating that an + ADAT command is expected next. + + The client must retrieve a ticket for the Kerberos principal + "ftp.hostname@realm" by calling krb_mk_req(3) with a principal name + of "ftp", an instance equal to the first part of the canonical host + name of the server with all letters in lower case (as returned by + krb_get_phost(3)), the server's realm name (as returned by + krb_realmofhost(3)), and an arbitrary checksum. The ticket must then + be base 64 encoded and sent as the argument to an ADAT command. + + + + + +Horowitz & Lunt Standards Track [Page 25] + +RFC 2228 FTP Security Extensions October 1997 + + + If the "ftp" principal name is not a registered principal in the + Kerberos database, then the client may fall back on the "rcmd" + principal name (same instance and realm). However, servers must + accept only one or the other of these principal names, and must not + be willing to accept either. Generally, if the server has a key for + the "ftp" principal in its srvtab, then that principal only must be + used, otherwise the "rcmd" principal only must be used. + + The server must base 64 decode the argument to the ADAT command and + pass the result to krb_rd_req(3). The server must add one to the + checksum from the authenticator, convert the result to network byte + order (most significant byte first), and sign it using + krb_mk_safe(3), and base 64 encode the result. Upon success, the + server must reply to the client with a 235 code and include + "ADAT=base64string" in the text of the reply. Upon failure, the + server should reply 535. + + Upon receipt of the 235 reply from the server, the client must parse + the text of the reply for the base 64 encoded data, decode it, + convert it from network byte order, and pass the result to + krb_rd_safe(3). The client must consider the server authenticated if + the resultant checksum is equal to one plus the value previously + sent. + + The procedure associated with MIC commands, 631 replies, and Safe + file transfers is: + + krb_mk_safe(3) for the sender + krb_rd_safe(3) for the receiver + + The procedure associated with ENC commands, 632 replies, and Private + file transfers is: + + krb_mk_priv(3) for the sender + krb_rd_priv(3) for the receiver + + CONF commands and 633 replies are not supported. + + Note that this specification for KERBEROS_V4 contains no provision + for negotiating alternate means for integrity and confidentiality + routines. Note also that the ADAT exchange does not convey whether + the peer supports confidentiality services. + + In order to stay within the allowed PBSZ, implementors must take note + that a cleartext buffer will grow by 31 bytes when processed by + krb_mk_safe(3) and will grow by 26 bytes when processed by + krb_mk_priv(3). + + + + +Horowitz & Lunt Standards Track [Page 26] + +RFC 2228 FTP Security Extensions October 1997 + + +Full Copyright Statement + + Copyright (C) The Internet Society (1997). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implmentation may be prepared, copied, published + andand distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + +Horowitz & Lunt Standards Track [Page 27] +