Re: [kitten] draft-ietf-kitten-cammac kdc-verifier omission

[Benjamin Kaduk <kaduk@MIT.EDU>]

On Thu, 12 Feb 2015, Tom Yu wrote:

> Greg Hudson <ghudson@mit.edu> writes:
>
> > On 02/12/2015 01:47 PM, Benjamin Kaduk wrote:
> >> Do you want to come up with a concrete proposal for new text?
> >
> > Sure.  In section 8 (Security Considerations), replace "two exceptions"
> > with "three exceptions," and add a third item to the list:
> >
> > ---
> > 3. If the ticket server principal is a cross-realm TGS from a different
> > realm, the CAMMAC's kdc-verifier cannot be validated because the
> > checksum was made using the other realm's local TGS key.  If the
> > CAMMAC's svc-verifier is valid, the CAMMAC contents can be safely
> > assumed to have originated from the other realm.  The KDC SHOULD NOT
> > blindly copy CAMMAC elements originating from another realm, but MAY
> > choose to filter, transform, and propagate elements according to policy
> > rules, and MAY place a kdc-verifier in the new CAMMAC containing the
> > resulting authorization data elements.
> > ---
> >
> > I use MUST NOT instead of SHOULD NOT because a KDC might be in a
> > subsidiary relationship to a higher-security realm.  By "cross-realm TGS
> > from a different realm," I mean an incoming cross-realm krbtgt principal
> > like "krbtgt/MYKDCREALM@FOREIGNREALM," but I don't see a need to spell
> > that out.
>
> This seems backwards to me; you wrote "KDC SHOULD NOT blindly copy"
> in your suggested text.  Which did you intend?
>
> I would like to try to reason about this from a data origin
> authentication standpoint.  This might help us come up with more clear
> and generally applicable wording.  On the other hand, if we want to
> minimize textual changes, reasoning about this might help us avoid
> missing edge cases when we make the more minimal changes.
>
> The kdc-verifier provides data origin authentication that the CAMMAC
> contents originated from the KDC itself (or another KDC serving the same
> local realm).  If the KDC successfully validates the kdc-verifier, it
> can copy the CAMMAC contents knowing that either it or another KDC in
> the realm originated the contents.  There is also the local TGT special
> case.  In the other cases, where it can only validate the svc-verifier,
> it must apply some policy about the provenance of the contents of the
> CAMMAC to decide whether to copy the contents verbatim, filter, or
> transform them.  This includes both the non-S4U2Proxy service tickets
> and the cross-realm TGTs.
>
> Exception (1) in the document is for the case where the
> ticket-encrypting key is a key that only other KDCs in the local realm
> know, and therefore provides the same properties of data origin
> authentication that the kdc-verifier would.  Exception (2) is different,
> because the KDC has no assurance that the CAMMAC contents originated
> from it or another KDC serving the same local realm.  In this case, the
> KDC makes a policy decision that the only consumers of the possibly
> forged CAMMAC contents that it copies into a new CAMMAC are consumers
> that would not suffer adverse effects from such a forgery.
>
> In the cross-realm case, the local realm KDC can only validate the
> svc-verifier (because the only remote realm KDC can validate the
> kdc-verifier).  The local realm KDC makes a policy decision about how to
> filter, transform, etc. the original CAMMAC contents to a new CAMMAC.
>
> I guess this is a roundabout way of suggesting text that includes:
>
>    The KDC SHOULD NOT make verbatim copies of CAMMAC contents into a new
>    CAMMAC when it cannot validate the original CAMMAC as authentically
>    originating from itself or another KDC in its local realm.  In such a

The SHOULD NOT here makes me slightly uncomfortable.  (I understand Greg's
reasons for suggesting it, though.)  Can we say something about MUST NOT
... as originating from itself or another KDC in its local realm or [some
other trusted KDC; wording TBD]?  This could potentially even include the
cross-realm case.

>    situation, the KDC MAY choose to filter, transform, or propagate

I think that what "such a situation" is potentially unclear and should be
specified more concretely.

>    elements from the original CAMMAC to a new CAMMAC according to policy
>    rules, and MAY place a kdc-verifier in the new CAMMAC containing the
>    resulting authorization data elements.
>
>    The two individually sufficient conditions for a KDC validating a
>    CAMMAC as authentically originating from itself or another KDC in its

That's a rather complicated sentence; I expect it would confuse some
readers.

>    local realm are:
>
>       1. The KDC successfully validates the kdc-verifier of the CAMMAC; or
>
>       2. The CAMMAC lacks a kdc-verifier, but the encryption key for its
>          surrounding ticket is one known exclusively by the local realm
>          KDCs (e.g., when the ticket is a local TGT), and all KDCs
>          serving the realm are configured to filter out CAMMAC
>          authorization data submitted by clients.
>
> Then we would somehow modify existing explanatory text about the
> specific use cases, e.g.:
>
> 1. omission of kdc-verifier to make TGTs, etc., smaller -- safe to make
>    verbatim copies if the local realm KDCs are configured properly
>
> 2. omission of kdc-verifier when the only consumers of the CAMMAC are
>    the original service principal of the ticket (no S4U2Proxy
>    privileges) -- apply policy rules

Would these involve changes outside section 8?


-Ben


> 3. incoming cross-realm TGTs -- apply policy rules
>