Re: [kitten] Replacing Kerberos

D.Rogers@gmx.net Thu, 23 February 2023 20:56 UTC

Message-ID: <trinity-6e7be0e9-e437-4cdc-b08c-bd12133e26cd-1677185769010@3c-app-gmx-bs20>
From: D.Rogers@gmx.net
To: Erin Shepherd <erin.shepherd@e43.eu>
Cc: Nico Williams <nico@cryptonector.com>, "kitten@ietf.org" <kitten@ietf.org>
Date: Thu, 23 Feb 2023 21:56:09 +0100
In-Reply-To: <134D46FA-1E2A-4DB0-9B8D-6897136972CA@e43.eu>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/GFY3wTO+TBg638@gmail.com> <134D46FA-1E2A-4DB0-9B8D-6897136972CA@e43.eu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/J7NSqKFq76pWO6zufmXHdXJakU0>
Subject: Re: [kitten] Replacing Kerberos

Hi,
 
I don't know if it's worth mentioning, but in 2013 I published a paper concerning combining Kerberos with IPsec. Perhaps some ideas may still be relevant.
 
 
Dean
 
 
Sent: Thursday, 23 February 2023 at 21:20
From: "Erin Shepherd" <erin.shepherd@e43.eu>
To: "Nico Williams" <nico@cryptonector.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Replacing Kerberos
 
On 19 Feb 2023, at 03:11, Nico Williams <nico@cryptonector.com> wrote:

- the ability to easily create server/acceptor software for it

  This is a reference to ASN.1/DER _still_ being too much to ask for
  most developers.

- the ability to make a GSS/SSP/SA(SL) mechanism, which means:

   - the ability to exchange keys
   - some ciphersuite for wrap and MIC tokens
- the ability to use this mechanism as a TLS 1.3 PSK
 
How do people feel about the security layer just being raw TLS 1.3 bootstrapped using PSK, or as close to that as possible? (Not quite sure what to do with the GSS MIC functions here, though. Maybe just draw a MAC key from a TLS exporter?)
 
I say this in part because re-using Kerberos encryption types as other mechs have done makes implementing a new mech outside of Kerberos a gigantic pain in the arse. If we use TLS 1.3 PSKs, you can just use a TLS stack, which you probably already have.
 
(Maybe we could define this framework style, provide a knob which can be used to turn this on for supporting existing mechs, and update those existing mechs to support it, and then just make it the only option for the new mech)
 
One other thing I’d like to suggest, since we were just talking about it:
 
- Built-in ability to proxy credential acquisition through the acceptor, IAKerb-style, where the "KDC" authentication is itself just recursively tunnelled GSS-API (so we can do SCRAM or something)
 
Probably should be optional on both ends, but I think building this in will avoid a bunch of the complications seen with IAKerb.
 
I suspect we'd end up with multiple ways of getting our TGT equivalent for this system, but maybe that's not the worst thing in the world (in fact it's probably just pragmatic).
 
 
- Erin
_______________________________________________
Kitten mailing list
Kitten@ietf.org
https://www.ietf.org/mailman/listinfo/kitten
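Erin's suggestion above, of drawing the GSS MIC key from a TLS exporter once the security layer is TLS 1.3 over a PSK, is concrete enough to sketch. The block below is an added example, not code from the thread or from any GSS or Kerberos implementation: it implements the RFC 8446 section 7.5 exporter (HKDF-Expand-Label over the exporter_master_secret) with the standard library only, then keys a per-direction MIC layer from it. Everything not in the post is an assumption: the exporter_master_secret is a constructed 32-byte constant standing in for what a real TLS 1.3 stack would hand out after the PSK handshake (Python's ssl module exposes no exporter), the label "EXPORTER-gss-mic" is hypothetical, and the token layout (8-byte sequence number plus truncated HMAC) is invented for illustration, not any mech's wire format.

```python
"""Added example: a GSS-style MIC layer keyed from a TLS 1.3 exporter.

Assumptions (not from the original post):
  - exporter_master_secret is supplied as a constant; a real deployment
    takes it from the TLS stack after the PSK handshake.
  - Label "EXPORTER-gss-mic" and the token format are hypothetical.
"""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256

MIC_LABEL = b"EXPORTER-gss-mic"  # hypothetical exporter label
MIC_LEN = 16                     # truncated HMAC-SHA256 tag length
SEQ_LEN = 8                      # uint64 big-endian sequence number


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.1 HKDF-Expand-Label with the HkdfLabel struct:
    uint16 length || opaque label<7..255> ("tls13 " + Label) || opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def tls_exporter(exporter_master_secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 s7.5:
    TLS-Exporter(label, context_value, key_length) =
        HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
                          "exporter", Hash(context_value), key_length)
    where Derive-Secret(Secret, label, "") expands with Transcript-Hash("") = Hash("")."""
    derived = hkdf_expand_label(exporter_master_secret, label, HASH(b"").digest(), HASH_LEN)
    return hkdf_expand_label(derived, b"exporter", HASH(context).digest(), length)


class MicLayer:
    """One side of a GSS-style MIC layer (get_mic / verify_mic).

    The direction name is used as exporter context, so initiator->acceptor
    and acceptor->initiator MICs are computed under different keys and a
    token cannot be reflected back at its sender. Sequence numbers are
    checked strictly in order here, which rejects replays and reordering;
    a real mech would make the reordering policy a negotiated option."""

    def __init__(self, exporter_master_secret: bytes, is_initiator: bool):
        send_dir, recv_dir = ((b"initiator", b"acceptor") if is_initiator
                              else (b"acceptor", b"initiator"))
        self.send_key = tls_exporter(exporter_master_secret, MIC_LABEL, send_dir, HASH_LEN)
        self.recv_key = tls_exporter(exporter_master_secret, MIC_LABEL, recv_dir, HASH_LEN)
        self.send_seq = 0
        self.recv_seq = 0

    @staticmethod
    def _tag(key: bytes, seq: int, msg: bytes) -> bytes:
        # The sequence number is bound into the MAC input, not just carried.
        return hmac.new(key, struct.pack("!Q", seq) + msg, HASH).digest()[:MIC_LEN]

    def get_mic(self, msg: bytes) -> bytes:
        token = struct.pack("!Q", self.send_seq) + self._tag(self.send_key, self.send_seq, msg)
        self.send_seq += 1
        return token

    def verify_mic(self, msg: bytes, token: bytes) -> bool:
        if len(token) != SEQ_LEN + MIC_LEN:
            return False
        seq = struct.unpack("!Q", token[:SEQ_LEN])[0]
        if seq != self.recv_seq:
            return False  # replayed, reordered or dropped token
        if not hmac.compare_digest(self._tag(self.recv_key, seq, msg), token[SEQ_LEN:]):
            return False  # message or tag modified
        self.recv_seq += 1
        return True


def demo() -> bool:
    """Both sides derive keys from the same (constructed) exporter secret."""
    ems = bytes(range(32))  # constructed stand-in for exporter_master_secret
    initiator, acceptor = MicLayer(ems, True), MicLayer(ems, False)
    msg = b"GET /resource"
    return acceptor.verify_mic(msg, initiator.get_mic(msg))


if __name__ == "__main__":
    print("MIC verified:", demo())
```

The wrap tokens would simply be TLS records in this design, so nothing is shown for them; the exporter is the one piece a mech needs beyond the TLS stack, and any stack that supports RFC 5705/8446 key export (OpenSSL's SSL_export_keying_material, Go's ConnectionState.ExportKeyingMaterial) can feed MicLayer directly in place of the constant used here.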