IETF Logo Mail Archive

Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow

Pavel Březina <pbrezina@redhat.com> Fri, 19 November 2021 14:41 UTC

Return-Path: <pbrezina@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F1B83A0101 for <kitten@ietfa.amsl.com>; Fri, 19 Nov 2021 06:41:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.651
X-Spam-Level:
X-Spam-Status: No, score=-4.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXlvsWDixZMt for <kitten@ietfa.amsl.com>; Fri, 19 Nov 2021 06:41:56 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F0D83A00D8 for <kitten@ietf.org>; Fri, 19 Nov 2021 06:41:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1637332915; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=n6q6gngIh87Uo6m/NuRmLHtP9L+LGlvh6rOchrbuCyk=; b=cbpoQ/MYxA+dDHV+7LvizQx4S8W88vW5QSzSMd5mIVDrOcNe5FU8v5sTxVUZakZiERDrJw zU9fvKULHRVKAAt/buNdtVcJmtnmTz+dZgAmN4JdHyxxkC432X8hPWF0DLyAJ4fsL9OCYL Jn5Z24NkGwX0Xb6IcnXSpSh0ipgRnc0=
Received: from mail-wr1-f69.google.com (mail-wr1-f69.google.com [209.85.221.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-81-wzSfrsT7PQq8YFOW4uHbZA-1; Fri, 19 Nov 2021 09:41:53 -0500
X-MC-Unique: wzSfrsT7PQq8YFOW4uHbZA-1
Received: by mail-wr1-f69.google.com with SMTP id k8-20020a5d5248000000b001763e7c9ce5so1817762wrc.22 for <kitten@ietf.org>; Fri, 19 Nov 2021 06:41:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=n6q6gngIh87Uo6m/NuRmLHtP9L+LGlvh6rOchrbuCyk=; b=Q7vz3cUephc1stp97FwK/4VIQwjFQPvyp8z0CiCPo/DOIvh3it4mRezGY0aXP8XoKq OS79QSGAeeCN3bCqCCd4MvId7osFuqmm1xBx7jPBbEKbC6CcKTjJ5HmrrVVDkAwt2lev PTc+btex407WSs3MrYiaokxDX7OZAew7qb1mCQXfQ4wSXVB5aix3vUX2XVd1YHeET3rd HrOlgdHRWxCuxLygK4YzpFnSpDcMqVQl/pvLvccwNiSRLPZP7HSg53ug/WAAdcS2lPbN emhJU51QapBTEfX9oJEwpyDR7GLX0p3VJ6cgBbjVNBemUOZj90U9sylktI0FgC9l+AiE FjWQ==
X-Gm-Message-State: AOAM532byCA04I9Dt8KycZgHDAoKwiMT+jH91b6F3HgcnYfRoXB49SBd clc1IQ5vmQ2Qob+cP5V42+bySsfzmSZnqtKw2V/cGI9/SslMa4u7+oh5kRPiSxOF9M1BEudtOLC PtvPZydo=
X-Received: by 2002:a5d:64c3:: with SMTP id f3mr7811884wri.321.1637332912331; Fri, 19 Nov 2021 06:41:52 -0800 (PST)
X-Google-Smtp-Source: ABdhPJy4aPNWkoTDw0l8v+Vn4c4EiDA4Y300kxtrk/Sy1n28SHvbeztQJz+Xuo8GDwHqvREaFK6tvw==
X-Received: by 2002:a5d:64c3:: with SMTP id f3mr7811844wri.321.1637332912024; Fri, 19 Nov 2021 06:41:52 -0800 (PST)
Received: from [10.0.1.6] ([83.240.62.52]) by smtp.gmail.com with ESMTPSA id f7sm15911393wmg.6.2021.11.19.06.41.51 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 19 Nov 2021 06:41:51 -0800 (PST)
Message-ID: <775cc45b-51d8-8867-a19b-a7e55e2794c5@redhat.com>
Date: Fri, 19 Nov 2021 15:41:51 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.0
To: Sam Hartman <hartmans-ietf@mit.edu>, Greg Hudson <ghudson@mit.edu>, kitten@ietf.org
References: <0100017d06db6c83-21cbd2ce-f371-48a9-88ce-5b6452842241-000000@email.amazonses.com> <99094d0b-6bc1-d896-4f70-83f2e1696eb3@mit.edu> <tslczmx6rgl.fsf@suchdamage.org>
From: Pavel Březina <pbrezina@redhat.com>
In-Reply-To: <tslczmx6rgl.fsf@suchdamage.org>
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pbrezina@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/BBYYrrhqiNLAsLJmIIenOec_sds>
Subject: Re: [kitten] Kerberos Preauth Registration for OAuth2 device flow
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2021 14:41:58 -0000

On 11/18/21 23:15, Sam Hartman wrote:
>>>>>> "Greg" == Greg Hudson <ghudson@mit.edu> writes:
> 
>      Greg> On 11/9/21 5:39 PM, Sam Hartman wrote:
>      >> Basic approach.  The KDC provides the client a URI and a code (or
>      >> a URI specific to that authentication interaction.)  The client
>      >> spawns a web browser, does stuff, and eventually somehow the
>      >> client lets its Kerberos app know that authentication has
>      >> happened, and then the KDC goes off to see if it believes that.
>      >>
>      >> AS far as I can tell, the reply key is never used (it is
>      >> replaced) so a long-term password is not needed.
> 
>      Greg> Some additional context: this is essentially the same user
>      Greg> experience as one sees when authorizing a set-top box to a
>      Greg> video streaming service using OAuth2.  The initial proposal
>      Greg> was to extend MIT krb5's FAST OTP implementation to support
>      Greg> this on the back end.
>      Greg> Like FAST OTP without must-encrypt-nonce, this mechanism
>      Greg> replaces the reply key with the armor key, so that the
>      Greg> mechanism can be used in place of a long-term password.
> 
> I think you and the person submitting the registration to the IANA are
> in the mind set of "This is how we're going to use this," and are
> thinking about  the security analysis of that and  of  your intended
> usage.
> 
> I think my job is to imagine all the ways people might try to use a
> protocol like this  and think about those implications.
> So, I think my job is to think much more broadly than how you're
> thinking.
> And some of your responses to me come across  roughly of the form of
> "but we weren't going to do that."
> 
> If this were an IETF reviewed document, I'd probably say "But someone
> probably will; it's the Internet."
> For an expert review, though I think it's a lot more relaxed.
> 
> I think a couple of things would make me happy to approve this:
> 
> 1) The registration template submitted to IANA did not actually include
> a name for the assigned  value.
> I'd like to include Redhat or FreeIPA in the name.
> If we do that I think it will make it more clear we're focused on a
> specific use case.
> 
> 2) it sounds like  you eventually plan to release a spec or some
> documentation or something.
> In most of the cases where I or anyone else brings something up, a fine
> response would be to  track that as something to include in eventual
> docs.
> In effect, to make sure you document restrictions on the scope or
> intended use.
> 
> 
>      >> 1) It appears to have the same issues with anonymous pkinit that
>      >> OTP has.  You probably do not want to use this FAST factor with a
>      >> armor ticket you got from anonymous pkinit.  If you do, you need
>      >> to verify the KDC's identity elsewhere.
> 
>      Greg> If a Kerberos client contains an implementation of
>      Greg> unauthenticated PKINIT, I would expect it to also contain some
>      Greg> facility for recognizing armor tickets that don't authenticate
>      Greg> the KDC, and reject the use of those as armor for FAST OTP
>      Greg> (without must-encrypt-nonce) or this mechanism.
> 
> Yes, and I think OTP's security considerations talks about that.
> I think agreeing this would be something to mention as a constraint
> would resolve this concern.
> 
>      >> 2) This effectively gives you an arbitrary URI that you have no
>      >> way to validate and encourages the user to go authenticate to
>      >> that URI.
>      >>
>      >> * Appears to be a phishing vector
> 
>      Greg> Potentially, as is FAST OTP.  One hopes that it is at least as
>      Greg> difficult to fool a user into authenticating to a malicious
>      Greg> Kerberos realm as it would be to directly fool the user into
>      Greg> authenticating to the malicious URI.
> 
> I'm not at all sure this is generally true.
> In protocol design we've often found that  adding a new mechanism for
> redirects has security implications.
> 
> In this case, your trust model is at least more complex than the
> traditional trust model of Kerberos because you now need to trust
> probably the web PKI to authenticate the URI.
> 
> I think this is probably safe in a situation where you have a statically
> configured realm.  I'm less sure about a situation where this mechanism
> is used with clients that can successfully authenticate to a wide
> variety of KDCs all with different trust levels.
> 
> 
> I suspect you are making some assumptions about how this will be used
> under which this is probably safe.
> For example in a relatively closed environment with a single realm that
> is also closely connected with the OAuth provider this seems safe.
> 
> What I'm hoping for here at a minimum is acknowledgement that  when
> you're talking about the security of this scheme you will explain the
> assumptions under which phishing is not an issue.
> 
> The IETF also provides a great place to discuss those assumptions if you
> want to get additional feedback on your security analysis.
> 
>      Greg> The user is not being
>      Greg> asked to present any additional information of value to the
>      Greg> given URI beyond what is necessary to authenticate, since the
>      Greg> code is presented by the same authority as the URI.
> 
> I agree, but that's not the attack I was envisioning.
> I was worried about a case where a user gets a URI from a KDC that they
> shouldn't have trusted as much as they do
> and authenticates to a URI provided by that KDC.
> If I have a strong password with Kerberos, particularly with SPAKE,
> authenticating to the wrong KDC doesn't hurt me much.
> 
> But this mechanism could be used for converting a federated identity of
> some kind into a local identity.
> In a case where I don't know the realm where I'm getting a new local
> identity well, I could be phished if they give me a URI that is an MITM
> for some site where I have an account.
> 
> I suspect your use cases for this protocol rule out the sort of
> deployments I'm thinking about.
> For a non-IETF document I think that's fine, I'm just asking you to
> think about and confirm it is secure in your use case and write it down
> when you get there.
> 
> 
>      >> * Appears to be a malicious code vector.  I'm particularly
>      >> concerned about a case where this is part of machine login.
>      >> You'd be running potentially attacker supplied code in a
>      >> pre-login context.  I hope your sandboxing is good.
> 
>      Greg> I don't think we're expecting the Kerberos client
>      Greg> implementation to fire up its own web browser.  As with a
>      Greg> set-top box or similar device, the URL and code are presented
>      Greg> to the user in a prompt.  If this mechanism were used at login
>      Greg> time, the user would probably have to run the browser on a
>      Greg> different device.
> 
> Okay, sounds like another thing you are ruling out of scope
> Would you be willing to track and write down when you do describe
> security?
> 
>      >> On the interoperability side, the protocol between the KDC and
>      >> the OAuth provider does not appear to be described at all.  You
>      >> get vendor lockin between a KDC and OAuth provider as far as I
>      >> can tell.
> 
>      Greg> Preauth mechs don't generally specify back-end protocols;
>      Greg> certainly RFC 6560 does not.
> 
> I think it's the first preauth mechanism where that was an issue.
> My thoughts at the time reading the draft was that the kind of tokens
> used for OTP were fairly well understood  and it wasn't a big deal.
> 
> I think my answer here is that I personally don't mind the  backend
> protocol being out of scope, and no one else in the WG seems to mind
> either, so it is okay.
> 
> 
> So, in conclusion, if nothing else comes up i propose that:

Hi Sam,

thank you for thorough reply.

> 1) We agree on a name for the preauth constant that makes it clear this
> is either Redhat or FreeIPA specific or something like that.

The proposal write-up contained a name PA-IDP-OAUTH2. If you think it is 
better to show Red Hat/FreeAPI affiliation we can use the name:

PA-REDHAT-IDP-OAUTH2

> 2) You track the security concerns and when you eventually produce
> documentation explain the use case in a way that scopes it to a use case
> where the protocol is safe

I agree.

> 3) Without waiting for 2, I approve the registration.

We will prioritize and focus on describing the preauthentication method 
in more detail, including the backend specifics and security analyses in 
a publicly available document. Once the work is finished, this document 
will be presented either in FreeIPA or SSSD documentation.

If you are not comfortable with the approval without this document and 
further discussion, we are certainly willing to wait and provide more 
information.

Thank you,
Pavel.

v2.23.0 | Report a Bug | By Email