Re: [kitten] Verified authorization data

Peter Mogensen <apm@one.com> Thu, 12 June 2014 07:12 UTC

Message-ID: <539952CC.8020703@one.com>
Date: Thu, 12 Jun 2014 09:12:12 +0200
From: Peter Mogensen <apm@one.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Simo Sorce <simo@redhat.com>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <5397328E.6020005@mit.edu> <539849AA.4000506@one.com> <1402503444.13617.1.camel@willson.usersys.redhat.com> <53988BB6.8010409@one.com> <1402506490.13617.9.camel@willson.usersys.redhat.com>
In-Reply-To: <1402506490.13617.9.camel@willson.usersys.redhat.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/CAoMlJ0AxTCdKrMKS8_RgG0GdN0
Cc: "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@MIT.EDU>
Subject: Re: [kitten] Verified authorization data
Precedence: list

On 2014-06-11 19:08, Simo Sorce wrote:
>> Still... the whole EncTicketPart has to be constructed and DER-encoded
>> twice to add a kdc-verifier.
>
> That is done to bind the CAMMAC to a specific ticket, it is an
> additional protection that you probably want for your use case too.

Sure... any solution to the S4U2proxy use case would require protecting 
the ticket and attached authdata, which the KDC has to trust against 
service tampering.
As the cammac draft says:
"...assuring the KDC that a malicious service has not substituted a 
mismatched CAMMAC received from another ticket."

But if the kdc-verifier was placed out side the EncTicketPart, then that 
would also provide that protection and not require computing the ticket 
twice - right?

/Peter

[kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Thomas Hardjono
Re: [kitten] Token Preauth for Kerberos Greg Hudson
Re: [kitten] Token Preauth for Kerberos Nordgren, Bryce L -FS
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
[kitten] Verified authorization data Peter Mogensen
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Token Preauth for Kerberos Nathaniel McCallum
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Verified authorization data Peter Mogensen
Re: [kitten] Verified authorization data Simo Sorce
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Wang Weijun
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Dr. Greg Wettstein
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Simo Sorce
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Greg Hudson
Re: [kitten] Token Preauth for Kerberos Zheng, Kai
Re: [kitten] Token Preauth for Kerberos Benjamin Kaduk
Re: [kitten] Token Preauth for Kerberos Zheng, Kai