Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication

Nico Williams <nico@cryptonector.com> Wed, 03 September 2014 18:32 UTC

In-Reply-To: <20140903174741.GA24790@fieldses.org>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu> <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu> <20140903041240.GG2664@localhost> <20140903174741.GA24790@fieldses.org>
Date: Wed, 03 Sep 2014 13:32:46 -0500
Message-ID: <CAK3OfOipM10jM=e59q8hZd7niQGinQgWSBVFjKVabKRkvH1HUg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/V3MZsCgd4Z_mMxMUzFr6JWLdenk
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication

On Wed, Sep 3, 2014 at 12:47 PM, J. Bruce Fields <bfields@fieldses.org> wrote:
> Sorry, I haven't been thinking about this, I'm probably confused, but I
> think I was imagining an attack something like:
>
>         - I, a rogue client, sniff some random krb5 traffic from the
>           user.
>         - That traffic includes at least one (rpc header, mic of rpc
>           header) pair.
>         - I send a CREATE call using that rpc header as the nonce data.
>
> ?

It almost works, but remember, the server must have the security
context to verify the MIC with, and that context will have to be tied
to the same NFSv4 client ID (same session).

Oh, but maybe some servers have a global RPCSEC_GSS context handle?
If so, that would be a problem.  In that case the server could pick
the nonce.  Or the MIC could be taken over more content (e.g., also a
MIC made with the client context).  Just in case, this would be a good
change to make.

Nico
--
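A toy model of the point being argued above, added here as an example; it is not code from the thread, from the RPCSEC_GSSv3 draft, or from any NFS implementation. GSS contexts are stood in for by HMAC-SHA256 keys (in place of GSS_GetMIC/GSS_VerifyMIC), and the context table, session ids, handle names and the captured header bytes are all constructed assumptions. It contrasts a server that looks context handles up globally and accepts a MIC over client-supplied bytes with one that (a) requires both contexts to belong to the calling session, (b) picks the nonce itself and accepts it once, and (c) has the client context MIC the user MIC as well, which are the two changes suggested in the reply.

```python
import hashlib
import hmac
import os


# Constructed stand-ins for GSS_GetMIC / GSS_VerifyMIC: a context is an HMAC key.
def get_mic(ctx_key: bytes, data: bytes) -> bytes:
    return hmac.new(ctx_key, data, hashlib.sha256).digest()


def verify_mic(ctx_key: bytes, data: bytes, mic: bytes) -> bool:
    return hmac.compare_digest(get_mic(ctx_key, data), mic)


class Server:
    """Holds RPCSEC_GSS contexts; each handle is recorded with the session
    (NFSv4 client ID) it was established in.  Assumed data model."""

    def __init__(self) -> None:
        self.contexts: dict[str, tuple[bytes, str]] = {}  # handle -> (key, session_id)
        self.nonces: dict[str, bytes] = {}  # session_id -> outstanding server-chosen nonce

    def add_context(self, handle: str, key: bytes, session_id: str) -> None:
        self.contexts[handle] = (key, session_id)

    def issue_nonce(self, session_id: str) -> bytes:
        """Server picks the nonce for the next multi-principal CREATE on this session."""
        nonce = os.urandom(16)
        self.nonces[session_id] = nonce
        return nonce

    def create_global(self, user_handle: str, nonce_data: bytes, user_mic: bytes) -> bool:
        """Weak variant: global handle lookup, MIC over bytes the caller chose."""
        key, _session = self.contexts[user_handle]
        return verify_mic(key, nonce_data, user_mic)

    def create_bound(self, session_id: str, client_handle: str, user_handle: str,
                     user_mic: bytes, client_mic: bytes) -> bool:
        """Hardened variant: both contexts must belong to the calling session, the
        user MIC must cover the server-chosen (single-use) nonce, and the client
        context must MIC the nonce together with the user MIC."""
        nonce = self.nonces.pop(session_id, None)  # consumed whether or not the call succeeds
        if nonce is None:
            return False
        client = self.contexts.get(client_handle)
        user = self.contexts.get(user_handle)
        if client is None or user is None:
            return False
        if client[1] != session_id or user[1] != session_id:
            return False  # context established under another client ID / session
        if not verify_mic(user[0], nonce, user_mic):
            return False
        return verify_mic(client[0], nonce + user_mic, client_mic)


def demo() -> dict[str, bool]:
    srv = Server()
    user_key, honest_client_key, rogue_key = os.urandom(32), os.urandom(32), os.urandom(32)
    srv.add_context("client-honest", honest_client_key, "sess-A")
    srv.add_context("user-alice", user_key, "sess-A")
    srv.add_context("client-rogue", rogue_key, "sess-B")

    # Constructed capture: an (RPC header, MIC) pair from Alice's ordinary traffic.
    rpc_header = b"\x00\x00\x00\x01\x00\x00\x00\x02"
    captured_mic = get_mic(user_key, rpc_header)

    # 1. Global context table: the captured pair presented as "nonce data" verifies.
    global_replay = srv.create_global("user-alice", rpc_header, captured_mic)

    # 2. Bound server, same pair presented from the rogue session: the user's context
    #    belongs to sess-A, and the captured MIC does not cover the server's nonce.
    nonce_b = srv.issue_nonce("sess-B")
    bound_replay = srv.create_bound("sess-B", "client-rogue", "user-alice", captured_mic,
                                   get_mic(rogue_key, nonce_b + captured_mic))

    # 3. Legitimate multi-principal CREATE on sess-A succeeds ...
    nonce_a = srv.issue_nonce("sess-A")
    user_mic = get_mic(user_key, nonce_a)
    client_mic = get_mic(honest_client_key, nonce_a + user_mic)
    bound_honest = srv.create_bound("sess-A", "client-honest", "user-alice", user_mic, client_mic)

    # 4. ... and resending the identical messages fails, because the nonce was single-use.
    bound_reuse = srv.create_bound("sess-A", "client-honest", "user-alice", user_mic, client_mic)

    return {"global_replay": global_replay, "bound_replay": bound_replay,
            "bound_honest": bound_honest, "bound_reuse": bound_reuse}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The session check alone already defeats the captured-pair replay; the server-chosen nonce and the outer client-context MIC are the belt-and-braces additions for a server whose context handles are not scoped to a session.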