IETF Logo Mail Archive

Re: [kitten] Token Preauth for Kerberos

Greg Hudson <ghudson@MIT.EDU> Tue, 10 June 2014 16:30 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5229B1A01FB for <kitten@ietfa.amsl.com>; Tue, 10 Jun 2014 09:30:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.252
X-Spam-Level:
X-Spam-Status: No, score=-3.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6oRsJ9d_ZzOU for <kitten@ietfa.amsl.com>; Tue, 10 Jun 2014 09:30:16 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553311A019B for <kitten@ietf.org>; Tue, 10 Jun 2014 09:30:16 -0700 (PDT)
X-AuditID: 1209190e-f79946d000000c39-d1-5397329625a1
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id B6.A9.03129.69237935; Tue, 10 Jun 2014 12:30:14 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id s5AGUDcc023535; Tue, 10 Jun 2014 12:30:14 -0400
Received: from [18.101.8.248] (vpn-18-101-8-248.mit.edu [18.101.8.248]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s5AGUAnk023711 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 10 Jun 2014 12:30:13 -0400
Message-ID: <5397328E.6020005@mit.edu>
Date: Tue, 10 Jun 2014 12:30:06 -0400
From: Greg Hudson <ghudson@MIT.EDU>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Zheng, Kai" <kai.zheng@intel.com>, "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@mit.edu>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
In-Reply-To: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBIsWRmVeSWpSXmKPExsUixG6nojvNaHqwwbc1lhbrW0+zWBzdvIrF gcljyZKfTB6L97xkCmCK4rJJSc3JLEst0rdL4Mpouv2FsWCtVMW88wuZGxgXiXYxcnJICJhI LHt3nBHCFpO4cG89WxcjF4eQwGwmiRPfLrBCOBsZJd4+X8IC4Rxhklh19zZYC6+AmsSGc7vZ QWwWAVWJuTv2MoPYbALKEgfPfmMBsUUFwiQ+Hl3HBlEvKHFy5hOgOAeHiEC5xIurGiBhYQED ie57N8FKhASCJa41zwcbwykQIjHv4xRWiOskJbYtOga2illAR+Jd3wNmCFteYvvbOcwTGAVn IdkwC0nZLCRlCxiZVzHKpuRW6eYmZuYUpybrFicn5uWlFuka6+VmluilppRuYgQFMKck3w7G rweVDjEKcDAq8fAekJgeLMSaWFZcmXuIUZKDSUmU94k8UIgvKT+lMiOxOCO+qDQntfgQowQH s5IIb9vfacFCvCmJlVWpRfkwKWkOFiVx3rfWVsFCAumJJanZqakFqUUwWRkODiUJ3omGQEMF i1LTUyvSMnNKENJMHJwgw3mAhluA1PAWFyTmFmemQ+RPMSpKifOygiQEQBIZpXlwvbAE84pR HOgVYd45IFU8wOQE1/0KaDAT0GDRiKkgg0sSEVJSDYxcM5ysppd5qXXINHJ0yR8udxMUlND9 5vk21inlxo74JRlyW9SL515cqp+2p0eOz1OEW0/Y+ceCi7/VQ994Shw8eePjF5Ho3M7TqyJ4 o4+/b4ltYVB1r72z5Jm5n1JE7eqNd189EHTd7vlqymPGrByN20vPhbm+lPj19+L5uftWvPXa 3nnPrk+JpTgj0VCLuag4EQAoCpauCwMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/8LcnTe1nHBY-HNk40fVUpgUvY-4
Subject: Re: [kitten] Token Preauth for Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jun 2014 16:30:18 -0000

On 06/10/2014 08:19 AM, Zheng, Kai wrote:
> This proposes to add another preauthentication mechanism similar to OTP
> and PKINIT for Kerberos, based on Kerberos preauthentication framework
> and FAST tunnel. It allows 3^rd party token in JWT format like OAuth
> bearer token can be used as credential to authenticate to KDC for a
> normal principal instead of user password.

Without knowing more details, here are three areas where there might be
concerns:

1. How is the reply key computed during an AS request?

I am guessing that you took the OTP approach of using the FAST armor key
as the reply key.  This is not ideal, but may be the path of least
resistance if you have to work with bearer tokens.  The limitations of
this approach are:

* It precludes the preauth mechanism from working securely inside FAST
channels which do not authenticate the KDC (such as anonymous PKINIT
channels without KDC certificate verification).

* It means any holder of the FAST armor key (e.g. someone who has the
host keytab) can passively observe the exchange and decrypt the ticket,
not just the holder of some user-specific authentication secret.

If you use holder-of-key tokens instead of bearer tokens, the key can be
used in one of several ways to more securely establish a reply key.

The last time I talked about this with Sam Hartman in person, he
suggested that perhaps mechanisms which can't securely establish a reply
key should be doing an unauthenticated DH exchange within the FAST
channel, which would prevent a passive observer with the armor key from
decrypting the ticket.  That would add a lot of complexity and have a
performance impact, however.

2. Can a service impersonate the client to other services?

If you're handing out client bearer tokens to each service the client
authenticates to, and the bearer token can be used to obtain a TGT, then
a service can use that bearer token to get its own TGT and authenticate
as the user to other services.

This problem goes away if the bearer tokens are restricted to particular
services and the KDC doesn't issue TGTs.  The client would make an AS
request for a specific server (identified in the bearer token) and get a
service ticket for that server directly, without making a TGS request.
The service can then only impersonate a user to itself, which is harmless.

3. Is the authdata correctly packaged?

In the Kerberos 5 authdata model, the KDC is assumed to blindly pass
through authdata requested by the client.  If the authdata is to be
trusted by the target service as something vetted by the KDC, it needs
to be packaged accordingly.

The traditional method for doing this is a container called
AD-KDC-ISSUED which contains a checksum for the authdata in a key which
cannot be known (in advance) by the client.  This container has not seen
much practical use, and it turns out that RFC 4120 says conflicting
things about which key to use for the checksum.  To the extent that
there are implementations, they use the ticket session key.

A more recent container for this purpose is AD-CAMMAC, as specified in:

    http://tools.ietf.org/html/draft-ietf-krb-wg-cammac-01

In addition to not having key ambiguity issues, AD-CAMMAC also contains
a KDC verifier which allows the authdata to be propagated through an
S4U2Proxy request.

v2.30.2 | Report a Bug | By Email | System Status