IETF Logo Mail Archive

[kitten] rpcsec-gssv3 multi-principal authentication

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 20 August 2014 15:31 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D921A0680; Wed, 20 Aug 2014 08:31:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.169
X-Spam-Level:
X-Spam-Status: No, score=-2.169 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2M1ahTqjPge; Wed, 20 Aug 2014 08:31:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72E001A0662; Wed, 20 Aug 2014 08:31:56 -0700 (PDT)
X-AuditID: 12074424-f79346d000004923-53-53f4bf6bb108
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id A4.57.18723.B6FB4F35; Wed, 20 Aug 2014 11:31:55 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s7KFVrwT000776; Wed, 20 Aug 2014 11:31:54 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s7KFVp6N023463 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 20 Aug 2014 11:31:53 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s7KFVpfH004880; Wed, 20 Aug 2014 11:31:51 -0400 (EDT)
Date: Wed, 20 Aug 2014 11:31:50 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Adamson, Andy" <William.Adamson@netapp.com>
In-Reply-To: <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; boundary="-559023410-1699034942-1408548420=:21571"
Content-ID: <alpine.GSO.1.10.1408201129020.21571@multics.mit.edu>
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrLKsWRmVeSWpSXmKPExsUixCmqrZu9/0uwwcLPQhZHN69isZj9/hGr xfRFVg7MHkuW/GTymPHpC1sAUxSXTUpqTmZZapG+XQJXxr3WdraCRdIV3/d8YWxg/CDaxcjJ ISFgInFs0V4mCFtM4sK99WwgtpDAbCaJNRO4uxi5gOyNjBINu3rZIJxDTBKXWm4zQjgNjBK7 bp1mBmlhEdCW2P9qMTuIzSagIjHzzUagDg4OEQEDiY1LVUHCzAL2Ej27XoFtEAbafOL2CrBW TgEniSlbroO18go4Stzs2cMOMb+ZSaJ/ez9Yg6iAjsTq/VNYIIoEJU7OfMICMTRQ4sDzT2wQ tqNE/9x7zBMYhWYhKZuFpGwWkjIIW13iwKeLjBC2tsT9m21wNT3rfjEuYGRbxSibklulm5uY mVOcmqxbnJyYl5dapGuul5tZopeaUrqJERQr7C4qOxibDykdYhTgYFTi4b2x6EuwEGtiWXFl 7iFGSQ4mJVHehbuAQnxJ+SmVGYnFGfFFpTmpxYcYJTiYlUR4T2wAyvGmJFZWpRblw6SkOViU xHnfWlsFCwmkJ5akZqemFqQWwWRlODiUJHir9wE1ChalpqdWpGXmlCCkmTg4QYbzAA1fDFLD W1yQmFucmQ6RP8WoKCXOqwWSEABJZJTmwfXCUtkrRnGgV4R5N4BU8QDTIFz3K6DBTECDty7+ CDK4JBEhJdXAWOD8dA/3zIDlk1vmhp9YY+/Vdbc4+M1PzbfrJ0SoZTO4XlNd0vd/Dp/5DN60 TfM3FvRvCdC8WqiwjOnu/QvrP3YYB8xJfrlm3kSdiJOXXMz40m592M6w+56b6vO5q56s3jdj vtN6t0+sW1vSNkp6zjgSuLL+otpziSkBsRcvlNYaWdhw3f50iEuJpTgj0VCLuag4EQBIVSXP QAMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/C95yOyetqW5sYOunqyuHS8AcJm4
Cc: "kitten@ietf.org" <kitten@ietf.org>, NFSv4 <nfsv4@ietf.org>
Subject: [kitten] rpcsec-gssv3 multi-principal authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 15:31:59 -0000

I'm starting a new thread for this, since I think it is the most important
item revealed by my review, but it seems to have been lost amidst the
other discussions.

On Sun, 3 Aug 2014, Benjamin Kaduk wrote:

> On Fri, 1 Aug 2014, Adamson, Andy wrote:
>
> >
> > I have always thought of Multi-principal authentication in terms of it’s use
> > in NFSv4.2 Inter server to server copy, where all of the RPCSEC_GSS_CREATE
> > messages MUST use rpc_gss_svc_privacy’…. Good catch Bruce.
> >
> > So for this attack to occur the rgmp_nonce must be re-used by the same
> > rgmp_handle (same user-principal). Insisting on using a random number
> > generator to create nounce could be by-passed by a bad implementation...
> >
> > Bruces suggestion of using the new reply verifier data (rpc-header) should
> > do the trick. Any objections to this approach?

I don't think I correctly understand this proposal.  Can someone try to
explain it in more detail, please?

> If I understand correctly, the child RPCSEC contex handle will use the same
> GSS context as the parent RPCSEC context handle (i.e., using the host's
> credentials, not the user's credentials).  This means that when creating the
> child RPCSEC context, there must be some proof that the RPC client controls
> the GSS context corresponding to the inner RPCSEC context handle, since the
> child RPCSEC context will perform operations acting as the user specified by
> the GSS context of the inner RPCSEC context.
>
> My reading of the current draft is that the only attempt to do this is by
> presenting a random nonce and a GSS_GetMIC of that nonce, created using the
> GSS context of the inner RPCSEC context.  The server must verify that the MIC
> is a valid mic, but I do not see any other binding to this GSS context.  In
> particular, the nonce+MIC could be eavesdropped on the wire, and inserted into
> an attacker's RPCSEC_GSS_CREATE call, where the attacker provides its own
> parent RPCSEC context but does not actually have an inner context at all.  The
> attacker can reuse the valid nonce+MIC that it has intercepted, which will
> validate correctly on the server, and the server will issue a child RPCSEC
> context that acts as the user indicated by the GSS context of the inner RPCSEC
> context but uses the key material from the attacker's GSS context.

Basically, my reading is that the triple of (opaque inner handle, nonce,
mic) is a bearer token that is valid as long as the inner rpcsec context
is valid, as specified in the -08.  The inner handle is only used to
lookup the GSS security context to use to verify the MIC of the nonce, so
if all three are passed together, there is no binding to anything else
that I can see.

An attacker who gets a copy of this bearer token could then use it to
create its own child context from a parent context that the attacker
controls, and perform actions as the user corresponding to the GSS
security context of the inner context handle.

-Ben

v2.29.0 | Report a Bug | By Email | System Status