Re: [kitten] Kerberos extra round trips I-D revised
Nico Williams <nico@cryptonector.com> Fri, 07 November 2014 21:43 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2E91A1B49 for <kitten@ietfa.amsl.com>; Fri, 7 Nov 2014 13:43:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v1cQOtmAQ5Z9 for <kitten@ietfa.amsl.com>; Fri, 7 Nov 2014 13:43:51 -0800 (PST)
Received: from homiemail-a74.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 864BB1A1B48 for <kitten@ietf.org>; Fri, 7 Nov 2014 13:43:51 -0800 (PST)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id 4CA8367C06E; Fri, 7 Nov 2014 13:43:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Et82j2pnDUa+AV Kom77JqF0e2JM=; b=e3EEdQUgM04v8IBeh3l3eYPEZc5lt5TWLNmCGKrq6k9G0h tnreKVoYxyM9+rBRCoSCHFAi9eJtVdfSvWUSSPt2yztglKmQh7c3d5WUKho+AjNt TjA3VtxkExKV86JfbbfYJ+OkQAdqV/nIZ9Q3P3rgF1M6dXfBDK+k89yzZBOnk=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPA id 09DA467C069; Fri, 7 Nov 2014 13:43:50 -0800 (PST)
Date: Fri, 07 Nov 2014 15:43:50 -0600
From: Nico Williams <nico@cryptonector.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Message-ID: <20141107214348.GW7913@localhost>
References: <20141027071704.GC14215@localhost> <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/SR0R92RI48LAn_aRYSud002cmOc
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos extra round trips I-D revised
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Nov 2014 21:43:53 -0000
On Fri, Nov 07, 2014 at 04:13:06PM -0500, Benjamin Kaduk wrote: > On Mon, 27 Oct 2014, Nico Williams wrote: > My summary is: [...] That's a fine summary. (Except that I think we seem to agree that there's no need for an initiator->acceptor error context token.) > The initiator includes (3) in the follow-up AP-REQ, proving freshness and > allowing the replay cache to be safely omitted. Yes. > The core extension seems like a fine thing to have so I would be okay with > adopting this as a WG document if we think we have the energy to advance > it properly. Thanks. I hope we do. I think this is sorely needed. > There are a few open questions tagged in the document: > > [[anchor1: Perhaps we should use a checksum 0x8003 [RFC4121] > extension instead of authorization data in the authenticator.]] (FYI, this [[anchorN:...]] business is an artifact of lyx2rfc's rendering of "revision remarks" -- comments intended for rendering, effectively. I should fix this to drop the anchorN business.) > This is for incorporating the challenge-nonce back into the reply, if I > understand correctly. I'm not sure how well that would work if we want to > allow for stateless acceptors that use nonces similar to the pkinit > freshness tokens we've been discussing. It works fine: the acceptor decrypts the Ticket from the AP-REQ, then the Authenticator from the AP-REQ, recovers the challenge, and validates it. The challenge should probably have a timestamp and a counter at the very least, and should be at least integrity protected. I.e., it should be very similar to the PKINIT freshness token. > [[anchor2: Question: how should we address this? We could say "give > priority to the user-to-user mechanism", but in some cases that might > require changes to the acceptor side.]] > > This refers to the potential for conflict with > draft-swift-win2k-krb-user2user, which I haven't read, so I can't say much > about. Consider an initiator app with a mech with these extensions *and* an implementation of draft-swift-win2k-krb-user2user. Now imagine this app talks to an acceptor app that also has both mechanisms but not these extensions. Can we accidentally end up failing to setup a security context? That was my question. However, I'm now convinced that the answer is "no", therefore this section and remark can be removed. The reason the answer is "no" is that if the acceptor app has acceptor credentials for RFC4121 and draft-swift-win2k-krb-user2user then it should be able to use both, otherwise it should only have acceptor credentials for one (if that) and only offer to negotiate those mechanisms for which it has acceptor credentials. It follows then that the situation I feared cannot happen. > [[anchor3: We could use the GSS_EXTS_FINISHED extension from > draft-ietf-kitten-iakerb to implement a strong binding of all context > tokens.]] > > I haven't thought about things hard enough to decide whether the gain in > strength of binding is worth the extra work. I think it's not worth the extra work, but it's important that the acceptor either insist that the cname/crealm of the two AP-REQs be the same, or else ignore the cname/crealm from the first AP-REQ and then rely only on the second AP-REQ's cname/crealm. I feel uneasy about the latter. For PROT_READY purposes it would be convenient if the two Authenticators asserted the same sub-session keys too. I don't think there's any need to bind any more of the exchange, but then, I like the binding everything as a generic defensive design security principle. Nico --
- [kitten] Kerberos extra round trips I-D revised Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams