[kitten] RFC8636 paChecksum Agility
Andrew Wiley <anwiley@microsoft.com> Thu, 04 February 2021 23:28 UTC
Return-Path: <anwiley@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82693A193D for <kitten@ietfa.amsl.com>; Thu, 4 Feb 2021 15:28:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.352
X-Spam-Level:
X-Spam-Status: No, score=-2.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0OtSxFUdGr3 for <kitten@ietfa.amsl.com>; Thu, 4 Feb 2021 15:28:32 -0800 (PST)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2103.outbound.protection.outlook.com [40.107.220.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEAB43A0A2B for <kitten@ietf.org>; Thu, 4 Feb 2021 15:28:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KC9Bg3SASfpE+q2nWgWDbw/AJT01yWPU4N7zqO7R4RovrP/e9NNuqwT7Rxija53J6jKHDqU8wkEZHft+VevKCRT8F8GEPNttrqvuiGpfYRFqmeQpeNWny+iC3dKCz/u5dHTgnwYlbRYQq4Uy22vD/Ez3HbHj5HHwfC3EXYA9LAsEPWRyos2odC9rrD304SvtaCbBrHcdArc7lga6eym53S6SDIoCXNMjm7JW9+hk0lx5vWCJiR+LIQ0NhBU3Z1d/USB7MRUxOjfDISTvtk1nAyy9gb0Zo3O/e3sFyNw9diqHgSzJcwsg9mtmu772EvA1AiiHyopQBOViZYJDOSGpqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XI432j5oy5M2IuW75Ha3HwsQNjxFYoufov89VFse7vI=; b=RQ2AAOvCa/ctkNzKz3UVxdPhV3SN9pp50Sxa+cCEvbfIAEe+ehkRMZxyImWQIfukBxbf/jOP9KIIw0cFUCSYcyor1v8yHNBd7z4FLI6x4s5SSG2DM0ayyCzGCrJPqmSVcEhAOP9jO5uIi1ZOp7+MpdYo9yeDI8QUQlORl75/BITYyKv5XzI9hT/qO7Tbr5MhWujnExdLYEAJt76fx5/9yOOq3t+ux9qhBsTAtvTBwy3YO1gZVpW39reWZ8uNPj2CoEnKd/cA0TmZ204Hav1iFrKWICromM2eQlfmNi7vgu6BX2hACPFxcv6VeFEsouHzC2YQL57fhfHb2ZIKHaVyOQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XI432j5oy5M2IuW75Ha3HwsQNjxFYoufov89VFse7vI=; b=YIOgYVpwPHyzeQ0rcjoyKSDgLgxRxK3ZM77ll5dzpVlxhwpS2667M2BGC/bNtAYkvPMVp+MO64ANLD+dc+y52Nqc2yYSU22WBnPRdo0EZufqq2V0de0CYk37UieuhC/JvCgP9xK6ukbsxgjYapJc8OEw2uewfH+hZTInOsd6oNo=
Received: from (2603:10b6:300:78::20) by MW4PR21MB2004.namprd21.prod.outlook.com (2603:10b6:303:68::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.3; Thu, 4 Feb 2021 23:28:31 +0000
Received: from MWHPR21MB0174.namprd21.prod.outlook.com ([fe80::88cb:a4ef:87c:f510]) by MWHPR21MB0174.namprd21.prod.outlook.com ([fe80::88cb:a4ef:87c:f510%10]) with mapi id 15.20.3846.011; Thu, 4 Feb 2021 23:28:31 +0000
From: Andrew Wiley <anwiley@microsoft.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: RFC8636 paChecksum Agility
Thread-Index: AQHW+0017WJweDv3Wk6+M5dbX66aCA==
Date: Thu, 04 Feb 2021 23:28:31 +0000
Message-ID: <MWHPR21MB0174E9837FA1A08F0472F072A0B39@MWHPR21MB0174.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-02-04T23:28:30.757Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2601:600:a27f:d178:dce6:7176:7310:2a6e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: b27364ae-b40e-4bdd-ed83-08d8c9649555
x-ms-traffictypediagnostic: MW4PR21MB2004:
x-microsoft-antispam-prvs: <MW4PR21MB2004BD2D8F587DB5B3A5EB72A0B39@MW4PR21MB2004.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 42ZBTCfk7QHS8hUHaHkzI2fsY2cSIv5Bnw0TxXlD328k2BkAsb9g2219gNFeKOd6PtuefnyM5ozqVEhiI6asfPJNw4e22E4IBVFGgTUvunssI/IjsDSVBauddHUW9DDKKG9va35ba1TzEfQCVlzYumxg0oL8ImgLE+adnvxYaKOP726gWKnGYFBhcQyaKByhtjz0siuPOGSP2bTW3RB+Xctiw9XeO1o8pYyfh5sglSxhTR3NT/5mQCvJXhd1lZy8VcqSiCfLGftVIMOvXTqT3B3gWSGg9bxClsluUw/jpBqNRPyxLEFiWs8qRRZbNosXgg33NFQ3Q7NK159dAyUVphcZVD2X7glvYIeDJ5Q0V8xS/5ZJkpsKHAdDwGfQ0ZIccSyUIGBnjQklf7KzB4Qhb8VANjUTjQTHfrZPEU3BKV/gqn5Q7eW+SqEcNBwdIxNMQFNKkt+K0ML8rKWrED1g9VEc1UgKRJhg+H7lq0+tmexMHXtdgdMxc1mnRsELgywr0q9OMyFE+Q75HIMPc/bPjw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR21MB0174.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(39860400002)(376002)(396003)(136003)(52536014)(7696005)(66446008)(6916009)(33656002)(76116006)(8936002)(7116003)(55016002)(478600001)(2906002)(64756008)(66556008)(66476007)(86362001)(66946007)(10290500003)(186003)(8676002)(316002)(9686003)(82960400001)(6506007)(5660300002)(82950400001)(83380400001)(71200400001)(8990500004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: B5rJXKbi2bux/8yy+H/xy90wwEW7gSQqGywdcbyJEcjmjdKOBVOxoLNNVgCVtJKuRBztzAIw2hocNz7KLgupA6vhzxJrRFyDhvlohgeKQJ56JdSQ3w0Jeu75+6D4NUT3QcHlI8HC1afGb8fSgYnon6xXAJVfFh/URBHToJOokIrIl3xyK4tsyiR+sdhp5OE5zf6OqK+fy0xxkXKgo6lDjLSaazSwk1k4ySKNDqFXacWL0svmS1Esfe58xCS24Y0NF1LnEbFXPZ/8dTQ2uJGixYdy0iiTWNnzg+uTCQ5Yn03WDIL8h/XKRgtrSmM5NX10992vkJhYIXWLzgnmkiXP9v0DYJ2p41hpy/s0XFDboBbTQbnYws8DNrbCHFGybGSd7JofcPnfq4SE3I1PjXHbFvQVYCu0a9Zxc6bLBfm9ObnJOIaj6+PF3HHxtJwpPijU6xi6xJmpU8MzAbjb8prGooEgsfh/lgRshPb1wseqBPTwuszVfOzhhIg/HyhnlhX0e5ZfdwVdcZC6YWyUyrJ5+0a91KFBpsDHZPbLdHJqVsouDZ6YGkr8pgw+c6RX+9NJn59iiiuZEgtn43ImShJFVztZAvOyT88XqgW3OFu1a1XgXjik1CcKG8uKlCVSc61WEps1iggW0gynxkBezK/REXuHPUHEX1FpzShQJkd/BTQMTCmUOXcswMMNegOqyT+3Jl+JDnXNPj6pABSrF6n8pYFboCFjfw4LxO6AjYK29T54eORKr9QP4YqYS7TZSPLxmhrpgmWn7FTP2ZOATVcr9Q6FPZSIKgGq16XLxJWOCiBtY9V1w3FhjmPLDaJtxEFENFh9SY/cgMPWmZMaU6U3Ck4vUqPJRCk61TEgxgVI/dQfOMQ7lkJ4+0rnXw+mJj4iAAMnw/di1rtFFVks98gFeHItkgLefnLl/ZK52bUOXP5/pvmJ3thG6XRLK9UCn6QAhJm74fIikKSk3CYtxa073oAHI2StrVnqDrVCch5Udfw/fNegfPWdwC9DJVbXQqtClY1OTO2IxIoCBJw8QkFKKsYI7vMqiiKR+Fk617YFPCCIeN2DcvAUGj/x+vB0iTZZUcrCmZZmya40K8uavncXJPE1yOXpaXy/vBIFJ7Me9O+88S5t5sVYJZShUuX7DHXim9SGnHE+Bc/azw+xKarcYXDgdLKNECNxi0vBrpJRs2NpUr/bZ/XbIfmc6yqGnz5BDpylnAiRMWEpjpR9PJR5UZl0jrPReN+P4EwlnZ7cJQBXbPmnkRHnXVkJBcU5/OZPQXHy9fT5wsKymrjXgONu81rsK/IEpU9kHu+USHeLD1GfWmr49Pk+0otWWbZa1nELhKhUhymNYDlVl0QwOxNpunK2QUaugxUhhnRBondUAdb4w1n8YuZpV0CNhSGb+eV2
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MWHPR21MB0174.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b27364ae-b40e-4bdd-ed83-08d8c9649555
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Feb 2021 23:28:31.1474 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ufSGIfpIYukhyeBhw4undXaLppOXqG5lqI3gW3qTZKLegXBdofBVoXY56yiKhpvsS35BIkBiWAzjtawkHpfL+33QdnuXBR3xk37/mWvn+Z8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR21MB2004
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zWAdZ3-MB5n81CwEm3rtZ_dqU2w>
Subject: [kitten] RFC8636 paChecksum Agility
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2021 23:28:34 -0000
Hello Kitten, We’ve started work on PKINIT agility in RFC 8636 in the Windows stack and we’ve found one issue we’d like to raise. Section 3 describes how the SHA-1 checksum in paChecksum binds the preauthentication data to the request body and that in DH key agreement, the KDF supplements it. However, the KDF does not bind the preauthentication data to the request body – it only binds the response to the full request including preauthentication data. This is not a security issue per se, but it seems to be problematic. With all of RFC8636 in place, a malicious client could observe a PKINIT AS-REQ on the wire, put the preauthentication data into a separate AS-REQ, and replay it (against a different KDC in the same realm). This should not result in a response the malicious client can decrypt and use, but it allows the client to manipulate audit logs and lockout counters without real credentials. The malicious client can also manipulate the supported etypes in the AS-REQ to potentially force a downgrade that could allow the ticket to be used if an attack against the etype of the reply key is available. These are definitely defense-in-depth measures and only expose serious threats against realms with weak etypes enabled, but we know historically that cryptographic changes are very slow and we believe these are worth mitigating. We’re considering extending the PKAuthenticator structure, probably with an octet string for a digest and an AlgorithmIdentifier to identify the algorithm used to generate it. There would be a matching KDC error to allow the KDC to reject weak digest algorithms. Any thoughts? Thanks, Andrew
- [kitten] RFC8636 paChecksum Agility Andrew Wiley
- Re: [kitten] RFC8636 paChecksum Agility Greg Hudson