On Internet Authentication
RFC 1704

Document Type RFC - Informational (October 1994; No errata)
Last updated 2013-03-02
Stream Legacy
Formats plain text pdf html bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 1704 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                          N. Haller
Request for Comments: 1704                  Bell Communications Research
Category: Informational                                      R. Atkinson
                                               Naval Research Laboratory
                                                            October 1994

                       On Internet Authentication

Status of this Memo

   This document provides information for the Internet community.  This
   memo does not specify an Internet standard of any kind.  Distribution
   of this memo is unlimited.


   The authentication requirements of computing systems and network
   protocols vary greatly with their intended use, accessibility, and
   their network connectivity.  This document describes a spectrum of
   authentication technologies and provides suggestions to protocol
   developers on what kinds of authentication might be suitable for some
   kinds of protocols and applications used in the Internet.  It is
   hoped that this document will provide useful information to
   interested members of the Internet community.

   Passwords, which are vulnerable to passive attack, are not strong
   enough to be appropriate in the current Internet [CERT94].  Further,
   there is ample evidence that both passive and active attacks are not
   uncommon in the current Internet [Bellovin89, Bellovin92, Bellovin93,
   CB94, Stoll90].  The authors of this paper believe that many
   protocols used in the Internet should have stronger authentication
   mechanisms so that they are at least protected from passive attacks.
   Support for authentication mechanisms secure against active attack is
   clearly desirable in internetworking protocols.

   There are a number of dimensions to the internetwork authentication
   problem and, in the interest of brevity and readability, this
   document only describes some of them.  However, factors that a
   protocol designer should consider include whether authentication is
   between machines or between a human and a machine, whether the
   authentication is local only or distributed across a network,
   strength of the authentication mechanism, and how keys are managed.

Haller & Atkinson                                               [Page 1]
RFC 1704               On Internet Authentication           October 1994


   This section briefly defines some of the terms used in this paper to
   aid the reader in understanding these suggestions.  Other references
   on this subject might be using slightly different terms and
   definitions because the security community has not reached full
   consensus on all definitions.  The definitions provided here are
   specifically focused on the matters discussed in this particular

   Active Attack:  An attempt to improperly modify data, gain
          authentication, or gain authorization by inserting false
          packets into the data stream or by modifying packets
          transiting the data stream. (See passive attacks and replay

   Asymmetric Cryptography:  An encryption system that uses different
          keys, for encryption and decryption.  The two keys have an
          intrinsic mathematical relationship to each other.  Also
          called Public~Key~Cryptography.  (See Symmetric Cryptography)

   Authentication:  The verification of the identity of the source of

   Authorization:  The granting of access rights based on an
          authenticated identity.

   Confidentiality: The protection of information so that someone not
          authorized to access the information cannot read the
          information even though the unauthorized person might see the
          information's container (e.g., computer file or network

   Encryption: A mechanism often used to provide confidentiality.

   Integrity:  The protection of information from unauthorized

   Key Certificate: A data structure consisting of a public key, the
          identity of the person, system, or role associated with that
          key, and information authenticating both the key and the
          association between that identity and that public key.  The
          keys used by PEM are one example of a key certificate

   Passive Attack:  An attack on an authentication system that inserts
          no data into the stream, but instead relies on being able to
          passively monitor information being sent between other

Haller & Atkinson                                               [Page 2]
RFC 1704               On Internet Authentication           October 1994

          parties.  This information could be used a later time in what
Show full document text