IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Simo Sorce <simo@redhat.com> Sun, 19 February 2023 17:57 UTC

Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF21AC151555 for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 09:57:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wf1GRiVEd2q for <kitten@ietfa.amsl.com>; Sun, 19 Feb 2023 09:56:58 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E544FC151557 for <kitten@ietf.org>; Sun, 19 Feb 2023 09:56:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1676829416; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=t+SAqnyF4XaNBvsfLaNQuzW/YWr0Xv1FC4KP18gdbTU=; b=Y/igp4aoyaA7GfuXiV2LNJD7nPXm0EObzZQ7Dr3bi79xFNq47hm8UZDTKem5hgK474Q/qD UQyxo6XJ4GNbVXZMsLBcBu2ZJQfWNdnFDrqU+qfFFKehVmPZDoAExuRWcB/Wr/gt7HrE+4 Hyfw80AKF4UELdHZmuyxqbEJcF71Bxc=
Received: from mail-qv1-f69.google.com (mail-qv1-f69.google.com [209.85.219.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-80-jQtpMWvMNxOFgzUvLY9X9A-1; Sun, 19 Feb 2023 12:56:54 -0500
X-MC-Unique: jQtpMWvMNxOFgzUvLY9X9A-1
Received: by mail-qv1-f69.google.com with SMTP id bo9-20020a05621414a900b0053c23b938a0so491545qvb.17 for <kitten@ietf.org>; Sun, 19 Feb 2023 09:56:54 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:to:from:subject:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=t+SAqnyF4XaNBvsfLaNQuzW/YWr0Xv1FC4KP18gdbTU=; b=SBU4uBKMhIBjyyt5YndfS7TF3iLytWfyc2jBBJdmiU79NzyAMuVwpnlB/lP1z0DURt n3bswWpkBx7cyc0WDKItFHntocdkWTUDB96/4gjThrZTnjVwFEwSn3CbxaQm2hyEGP8t EZ4d8OwHh/h/ZyG2oJqzyAhLAYbD9qTGSr0rtoH3bXR5XS5T8sjqfDjVI5/vImDbVvct 9YnyWIakqeuesdm70AdM0kpm/ws1U9LvXtc3A2DrLsOAByHYpi3GCUTjULlzu7LmcU6R Zf7Xs/3ekqAcvAciRfZWmzH9LVXx+EMuxiKp455CsmQapyslPHUF3vnm3sfaYsYZ0OIK K2sg==
X-Gm-Message-State: AO0yUKU4fNNBxL2kxsA+0RqMMSIh4lXf1uYO97rHpv2PndFiBVYa+HOc UaWu0r+XuJXwcvpjQHee0ZF8qfgQSZ1QoYXcYextXv26/xv2H2oTE6S+s8PzX4FqeV/xpH15331 cHQ4jrq9AdbBs
X-Received: by 2002:a05:622a:110c:b0:3b9:b8b2:a870 with SMTP id e12-20020a05622a110c00b003b9b8b2a870mr13267701qty.18.1676829414266; Sun, 19 Feb 2023 09:56:54 -0800 (PST)
X-Google-Smtp-Source: AK7set+S1x5ppNDEfgreKFQ0ryalr2BH03zlZBmROT0mQJxN+JwBKhY7MSj/p2TT27Zc0gF8/huA+g==
X-Received: by 2002:a05:622a:110c:b0:3b9:b8b2:a870 with SMTP id e12-20020a05622a110c00b003b9b8b2a870mr13267688qty.18.1676829413936; Sun, 19 Feb 2023 09:56:53 -0800 (PST)
Received: from 2603-7000-9400-fe80-0000-0000-0000-07a7.res6.spectrum.com (2603-7000-9400-fe80-0000-0000-0000-07a7.res6.spectrum.com. [2603:7000:9400:fe80::7a7]) by smtp.gmail.com with ESMTPSA id p26-20020ac8409a000000b003bb822b0f35sm7453670qtl.71.2023.02.19.09.56.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 19 Feb 2023 09:56:53 -0800 (PST)
Message-ID: <294be4137f2c1e83a279a252757c084692a8f25a.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>, Jeffrey Altman <jaltman@secure-endpoints.com>, "kitten@ietf.org" <kitten@ietf.org>
Date: Sun, 19 Feb 2023 12:56:53 -0500
In-Reply-To: <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com>
Organization: Red Hat
User-Agent: Evolution 3.46.3 (3.46.3-1.fc37)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/4P-0E5n3EQz-slb1PsL0fsAt6oU>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Feb 2023 17:57:03 -0000

Uhmm,
Ignore the server authentication verification part, I was thinking
about local auth with a fraudulent user and KDC and mixed in here when
thinking about fraudulent server (and its local fraudulent KDC). 

The rest hopefully is not similarly flawed :)

On Sun, 2023-02-19 at 12:39 -0500, Simo Sorce wrote:
> Hi Steve,
> in the past I wanted to build a "local" KDC into each server (I think
> Apple may have something like that actually), so that you could always
> fallback to do a AS request against the server directly (with the
> server name as a pseudo Realm, and if it replied you'd just use
> kerberos as a fancy challenge-response protocol.
> 
> In order to reduce latency you'd want to return directly a service
> ticket together with a TGT. You could return directly a service ticket
> only, but if you want to allows different services on a host to have
> different keys you'd do TGT+ticket.
> Of course this is not much of a concern for Windows where traditionally
> it handles credentials as a system service and never exposes them to
> services and it never supported using multiple keys for different
> service (that I know of).
> Therefore having a custom workflow that returns a service ticket
> directly is probably fine. It would still be nice to try to avoid
> multiple round trips if possible.
> 
> One of the issues here is figuring out how to avoid this fallback to
> become a way to exploit clients.
> One issue with direct to server authentication is that you have no
> trust anchors to determine if the server is really who it claims to be.
> Their "local KDC" can send back to the client any garbage if a classic
> AS request/reply is used. And then simply accept any garbage sent in a
> tgs request as well.
>  
> So you cannot just fallback w/o some checks, or servers can be
> impersonated somewhat easily when there is no line of sight (laptop
> travels away from the mothership and suddenly any request to "known"
> servers becomes a fallback path because KDCs are not available).
> 
> I assume this can be easily fixed by returning something that can be
> verified by the client, encrypted with the shared session key, probably
> even a reverse encrypted timestamp auth (from KDC to client this time)
> might suffice.
> 
> Anyway this will be different enough from IAKerb that would really be
> beneficial to discuss it in IETF before a full implementation is done.
> 
> Of course another way to replace NTLM, is to just adopt some more
> modern challenge-response mechanism like SCRAM or a PAKE, but then the
> protocol should really have strong algorithmic agility in it, so that
> we do not end up like with NTLM again in 20 years.
> 
> I assume you want to use something like IAKerb because that protocol
> already allows you to carry authorization data, and it would be a pain
> to replace NTLM with another thing that does the same thing, just
> different. It allows to reuse a lot of existing code. OTOH IAkerb will
> not easily allow for single round-trip auth ... 
> 
> 
> Speaking of which I wonder if it would be possible to discuss changing
> (gutting?) SPNEGO, quite radically.
> 
> The reason why SPNEGO is a pain is the case of needing multiple
> roundtrips. But that is due only to the fact that we want to carry half
> of the negotiation "in band" over HTTP.
> However if we had a KDC service that can return a bearer token that a
> service can then simply accept by using a much simplified workflow, the
> need for multiple roundtrips over HTTP (or any similar protocol) would
> entirely go away.
> 
> This is similar to what Nico mentioned in his emails I think, but I
> would embed this in the TGS service, and just carry a new mech OID in
> SPNEGO, the client could do completely optimistic authentication and
> pre-send a bearer token wrapped in  SPNEGO (only over HTTPS of course)
> and send the new OID with the bearer token (after all if you got it
> from the TGS, it means the KDC believes the server can handle it).
> 
> The bearer token could even be a JWT that carries claims (or anything
> analogous), and could be verified either directly on the service
> (standalone server case), or shipped somewhere else for verification
> and then cached (complex load balanced or otherwise terminated services
> where frontend and backends are disjoint).
> 
> Adding channel-bindings support would not be hard as long as the client
> can do TGS requests after the HTTPS channel is already established,
> especially if something like a JWT is employed. (But it would require
> new TGS requests every time a new HTTPS connection is made, probably
> not for everyday cases as it adds up in latency again.
> 
> 
> Just throwing it out here, because I sure would love to make it
> possible (and easier) to use kerberos-backed out on the Web, without
> all the issues that come with multiple-roundtrips, which are what I
> find breaks most of these scenarios (the complexity of the protocol
> itself and the unfamiliarity of any non-password/bearer based auth
> scheme aside).
> 
> Simo.
> 
> On Fri, 2023-02-17 at 19:04 +0000, Steve Syfuhs (AP) wrote:
> > Thanks folks, good context. I'll review the diffs and threads on this. Happy to help with any logistical issues.
> > 
> > As for why we care - Luke is spot on. NTLM deprecation. Despite the good intentions of our corporate overlords over the last few years, Kerberos ain't going away anytime soon, and with that NTLM certainly isn't going away without us giving it a good shove. So...
> > 
> > Caveat that numbers are anonymized Windows telemetry, so it's inherently biased in our direction. We know fallback from Kerberos to NTLM via SPNego occurs approximately 7% of the time because of line of sight issues. KDC Proxy [MS-KKDCP] technically solves this for us, but is a bit of a deployment joke. Spinning up yet another public-facing web server, plus certificate, plus configuring policy on machines that by definition do not have line of sight to policy sources is rather a pain in the butt for customers.
> > 
> > 52% of NTLM usage is because of hardcoding the package in GSS or SSPI. We know why this happens some of the time - lack of visibility into outer negotiation processes like HTTP - and sometimes just lack of knowledge on the implementers part. Internally, we're working with the top offenders to move them to SPNego. Once that happens we predict it will increase line of sight issues a fair bit, though relative to the rest of the fallback reasons.
> > 
> > As it stands, we've actually already implemented IAKerb as per draft 3, less some minor Appendix A interop concerns.
> > 
> > 100% - 52% - 7% != 0%, so obviously there would have to be some other things going on to kill NTLM. We have a plan, but aren't ready to talk about it yet. Suffice to say IAKerb is an integral part of it.
> > 
> > From: Kitten <kitten-bounces@ietf.org> On Behalf Of Jeffrey Altman
> > Sent: Friday, February 17, 2023 6:37 AM
> > To: kitten@ietf.org
> > Subject: [EXTERNAL] Re: [kitten] Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
> > 
> > 
> > It should also be noted that in 2019 it was determined that there was no longer any interest in further development of IAKerb and the Working Group State for the document was set to "Dead WG Document".   Although IAKerb was never removed from the Kitten Charter.
> > 
> >   https://datatracker.ietf.org/wg/kitten/about/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fwg%2Fkitten%2Fabout%2F&data=05%7C01%7Csteve.syfuhs%40microsoft.com%7Cefc22916f2934e43dbdd08db10f47a15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638122414447051754%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RFtk6otA1rdnU52XEOMl2x%2F0kVX5%2BT6mFbUZfTr0IPM%3D&reserved=0>
> > 
> > Its unclear to me from a process perspective whether the charter document is simply out of date and IAKerb needs to be once again added as a working group work item OR whether the Dead WG Document state can be removed by publishing an update.
> > 
> > The initial individual draft was published in 2006.  At that time there was a very narrow use case which drove the effort.   Over time the range of use cases grew broader without being reflected in the text of the draft.   Re-reading the draft today for first time in years I believe the draft fails to sufficiently describe the use cases for which it is intended and those which should be considered out of scope.
> > 
> > I am in favor of IAKerb or something like it being adopted and implemented.   I would appreciate it if Steve could describe the 2023 use cases for which Microsoft intends to use it in case they have significantly diverged from those considered in 2006.
> > 
> > Jeffrey Altman
> > On 2/17/2023 8:31 AM, Jeffrey Altman (jaltman@secure-endpoints.com<mailto:jaltman@secure-endpoints.com>) wrote:
> > 
> > Please note that draft 3 does not include all of the feedback provided on draft 2.
> > 
> > The draft 2 feedback starts with this archived message
> > 
> >   https://mailarchive.ietf.org/arch/msg/kitten/5l6CknOZBF39aZps7wQIsl_L-6o/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fkitten%2F5l6CknOZBF39aZps7wQIsl_L-6o%2F&data=05%7C01%7Csteve.syfuhs%40microsoft.com%7Cefc22916f2934e43dbdd08db10f47a15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638122414447051754%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=90ulxdfe%2Fjh4RqIVyZ81a5CJR2aiVcig4GJqk9sEs20%3D&reserved=0>
> > 
> > and the diff between drafts 2 and 3 can be found here
> > 
> >   https://www.ietf.org/rfcdiff?url2=draft-ietf-kitten-iakerb-03<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-ietf-kitten-iakerb-03&data=05%7C01%7Csteve.syfuhs%40microsoft.com%7Cefc22916f2934e43dbdd08db10f47a15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638122414447051754%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bmWJl39j%2FF9mXt5poqkAjXfLO8AGrtgb39MX%2B9T4SYM%3D&reserved=0>
> > 
> > The discussion around error handling and default realm determination is particularly important in my opinion.
> > 
> > I do not believe there are any implementations of draft 3.
> > 
> > Jeffrey Altman
> > On 2/16/2023 6:57 PM, Steve Syfuhs (AP) (Steve.Syfuhs=40microsoft.com@dmarc.ietf.org<mailto:Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>) wrote:
> > Howdy folks,
> > 
> > I'm a developer on the Windows auth team that oversees Kerberos development. We were handed the torch from Larry, Michiko, and crew when they went off to do other exciting things.
> > 
> > We're currently in the process of implementing IAKerb as per the latest expired draft and want to revive it and see it through to full RFC. Happy to go into detail about why, but the benefits are I think fairly self explanatory.
> > 
> > Unfortunately there's a fair amount of institutional knowledge around this protocol that's been lost to time and I was wondering if someone could provide background on where things were last? What is required in order to see it through?
> > 
> > We have a few open questions, specifically around interop.
> > 
> > What is the state of the MIT implementation? The draft refers to interop with earlier versions. Is this something we need to reasonably care about? The draft says the Finished checksum key usage is implemented as int 42, but specced as 41. Why wasn't 42 used in the spec (that's otherwise a rather obnoxious interop hack)?
> > 
> > As mentioned, happy to go into more detail about our plans.
> > 
> > Cheers
> > Steve
> > 
> > 
> > 
> > _______________________________________________
> > 
> > Kitten mailing list
> > 
> > Kitten@ietf.org<mailto:Kitten@ietf.org>
> > 
> > https://www.ietf.org/mailman/listinfo/kitten<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fkitten&data=05%7C01%7Csteve.syfuhs%40microsoft.com%7Cefc22916f2934e43dbdd08db10f47a15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638122414447051754%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oFMTyCHTrlzUCxEKY2cf0s0KShGBQroqwO7PjOmCAmw%3D&reserved=0>
> > 
> > 
> > 
> > _______________________________________________
> > 
> > Kitten mailing list
> > 
> > Kitten@ietf.org<mailto:Kitten@ietf.org>
> > 
> > https://www.ietf.org/mailman/listinfo/kitten<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fkitten&data=05%7C01%7Csteve.syfuhs%40microsoft.com%7Cefc22916f2934e43dbdd08db10f47a15%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638122414447051754%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oFMTyCHTrlzUCxEKY2cf0s0KShGBQroqwO7PjOmCAmw%3D&reserved=0>
> > _______________________________________________
> > Kitten mailing list
> > Kitten@ietf.org
> > https://www.ietf.org/mailman/listinfo/kitten
> 

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

v2.23.0 | Report a Bug | By Email