Re: [kitten] Kerberos extra round trips I-D revised
Greg Hudson <ghudson@mit.edu> Tue, 11 November 2014 18:50 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B501A1AAC for <kitten@ietfa.amsl.com>; Tue, 11 Nov 2014 10:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.795
X-Spam-Level:
X-Spam-Status: No, score=-4.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5hDv7-i5dnZ for <kitten@ietfa.amsl.com>; Tue, 11 Nov 2014 10:50:33 -0800 (PST)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 118B81A1A7C for <kitten@ietf.org>; Tue, 11 Nov 2014 10:50:31 -0800 (PST)
X-AuditID: 1209190d-f79c06d000006f95-ec-54625a760ea8
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id E9.03.28565.67A52645; Tue, 11 Nov 2014 13:50:31 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id sABIoO7p012845; Tue, 11 Nov 2014 13:50:25 -0500
Received: from [18.101.8.150] (vpn-18-101-8-150.mit.edu [18.101.8.150]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sABIoMBZ024299 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 11 Nov 2014 13:50:24 -0500
Message-ID: <54625A6E.3000305@mit.edu>
Date: Tue, 11 Nov 2014 13:50:22 -0500
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Benjamin Kaduk <kaduk@mit.edu>, Nico Williams <nico@cryptonector.com>
References: <20141027071704.GC14215@localhost> <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrOIsWRmVeSWpSXmKPExsUixCmqrVselRRi8GUBo8XRzatYLE5dO8Lm wOTx8tQ5Ro8lS34yBTBFcdmkpOZklqUW6dslcGXc/XyRseCFaEV731S2Bsbjgl2MnBwSAiYS XfemsUHYYhIX7q0Hsrk4hARmM0l8bJwH5WxklPgxbQEjhHOESWLCrY1MIC28AmoSd18tYQex WQRUJVavPMoKYrMJKEus37+VpYuRg0NUIExi6lIeiHJBiZMzn4CFRQQ8JT5MNwIJMwsIS1zY vhesU1jARmLL5XdgE4UEUiTudS1mBLE5BZwkVm9sYIGo15PYcf0XK4QtL9G8dTbzBEbBWUg2 zEJSNgtJ2QJG5lWMsim5Vbq5iZk5xanJusXJiXl5qUW6Rnq5mSV6qSmlmxjB4SvJu4Px3UGl Q4wCHIxKPLwa/okhQqyJZcWVuYcYJTmYlER5hcOSQoT4kvJTKjMSizPii0pzUosPMUpwMCuJ 8DKA5HhTEiurUovyYVLSHCxK4rybfvCFCAmkJ5akZqemFqQWwWRlODiUJHjl/IEaBYtS01Mr 0jJzShDSTBycIMN5gIbLRIIMLy5IzC3OTIfIn2JUlBLndQFJCIAkMkrz4Hph6eUVozjQK8K8 4iBVPMDUBNf9CmgwE9Dgb+Fgg0sSEVJSDYzd3zYVqnrEz9zXOoebZfXyOVWlind05svUeQWY KkYf39ElbP1Pbeb0kwoMl7srdhZulaz6t3jW0wMplirWi3O+ysbZ5Kd6TIyrv7lnx/65n6Yf ez5vXtv8xU67d7wKZlI3vmk9l9Hzt/7mufrTF4jkNe7VPBmtMVlGm1n7Sdz9FduXCrz/nL1C iaU4I9FQi7moOBEAvJhNQQoDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/SDKzafaKV1RXQVKnKIB1lg8zfWI
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos extra round trips I-D revised
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 18:50:38 -0000
Here are further thoughts on replay cache avoidance as it affects this draft. Replay caches help in two cases: 1. They provide minimal protection when a krb5 exchange takes place over an unprotected channel and is used for authentication only, with no use of the resulting key. This protection is minimal because a replay attack assumes an active attacker, who could perhaps suppress the original exchange, beat the original exchange with the replay, or compromise the channel after authentication. It is not totally unreasonable to abandon case 1 as hopeless, but for the purpose of this message I will assume we still care about it. 2. They prevent an entire session from being replayed, causing a properly authenticated request to be processed twice within the replay window. This is not a concern when an acceptor subkey is used. (I assume that legitimate initiators don't use prot-ready messages or send wrap tokens using the initiator subkey. I think in practice RFC 4121 implementations don't set the prot-ready flag and initiators never use the initiator subkey.) A krb5 acceptor implementation generally does not know whether the application protocol will use the context key or whether there is a different case 1 acceptor using the same long-term acceptor keys. Because of this, it is intrinsically difficult for an implementation to know that it is safe not to use a replay cache for case 1. The extra round trips draft allows the acceptor to ask an initiator to encrypt a nonce, which would defeat a replay attack if everyone had to do it. However: * There is an easy downgrade attack on the extra round trip. Until client implementations are ubiquitous enough for acceptors to turn off support for basic RFC 4121, an attacker can simply suppress the extra round trip. * The first authenticator must still be added to the replay cache if it might be used for a case 1 acceptor--and if this acceptor would be a case 1 acceptor without the extra round trip, allowing basic RFC 4121 means it is still a case 1 acceptor. So this doesn't really seem to give us replay cache avoidance until basic RFC 4121 can be turned off. Specific notes: * The MUST in section 4 is not necessary for interoperability or security, and as such ought to be a SHOULD. * Section 2.2.1 states that after a recoverable error, a fifth token is not required because of the nonce in the second token. I am not sure this is true--the nonce in the second token was not necessarily encrypted; if it wasn't, an attacker could feed it to a legitimate initiator in a separate exchange. * For pedagogical purposes, section 4 should probably be explicit about what the initiator does in response to a KRB-ERROR2 with a KDC_ERR_NONE code.
- [kitten] Kerberos extra round trips I-D revised Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams