IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

"Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com> Wed, 22 February 2023 17:36 UTC

Return-Path: <Steve.Syfuhs@microsoft.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D99D3C151522 for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 09:36:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qS4bY00TNZpK for <kitten@ietfa.amsl.com>; Wed, 22 Feb 2023 09:36:45 -0800 (PST)
Received: from BN6PR00CU002-vft-obe.outbound.protection.outlook.com (mail-eastus2azlp170110002.outbound.protection.outlook.com [IPv6:2a01:111:f403:c110::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E3EC14F737 for <kitten@ietf.org>; Wed, 22 Feb 2023 09:36:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mFCIbWbeLE0tChxnSVvtS4HtbHtHjXqsL3JQyBfOCBTLLws1liCk5m4JtdHgO5fivm5GIUFl38Ot9yjo8BN1BKTMr6ydZqEN85hn9Pt3qKgaxIyCSKqwi60cpfj4FUg0Tr/hUHCJ6Y6kKuyFUWSEw/nOfjhug0Bht88LXQPbKbMZmT7cwW1hp6zADYzHtPjJngFMDDTZ1NIgJXVdSVLwCBjMXcQo/ASVdTNqo3v7P01p25Tjhah1R4tnqYgVgsof9tXcgQfADgZ5lhrI97kk31woDuLEtm/w6wCzRPzqk+yerKNvRXkIXXAxG2pNF3vBzz45SDHhQKiQOX3hiZIpmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=jE9bMk1EiLVd9LBwyf51Lbc36bOdt0NsTwO61sDco1Q=; b=FwRbSagE5Zh+vykh3tvXv+LTqXwOe6UnsXQbed5/z+naMcJc4eItyW6Z4oSqsr4iTfe7UE7kdZJpDaNMtILPDVT96UO7YdA/yDore4IxQmYRP+WBdBAkmjI80NfDM0O89QyDy6g9w2jEvGUGmWReqGBv5EVzbp4jkhHg+fVIh2HjRzkJ8LzNG8plNTDhet+ic6kv2kf7iqZdle/N1+6wu4GuvRtSpN5ochitYa+fZ+4q31eHLxLtCB09/FKRSpeYOH7cq3Dl6piY/YBB3RaflGTfJV4KxZS5bf/VbG4OPLY4muw1njdqv0gtSeIcRnx1HCfIT5g8qVjXJ9HD9xISGw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jE9bMk1EiLVd9LBwyf51Lbc36bOdt0NsTwO61sDco1Q=; b=MkIu+j74qI4QOfJsnvsHLB4nBeA7gNy9CxwugtTsdSvW6IaMywhJdltskX6y9sLXVTM7eY9wD/R8H5OfzBJLkOHUXQOQqAQj/z4GFRHzwv8ekLyOItq3tQiVfDSGN61tD+HR8/xkQBM8mUSZ+9EEucrd+Hoqjv3l4K4QUR0rvwY=
Received: from MW4PR21MB1970.namprd21.prod.outlook.com (2603:10b6:303:70::14) by BL0PR2101MB1348.namprd21.prod.outlook.com (2603:10b6:208:92::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6156.5; Wed, 22 Feb 2023 17:36:40 +0000
Received: from MW4PR21MB1970.namprd21.prod.outlook.com ([fe80::5e00:89be:2491:e25]) by MW4PR21MB1970.namprd21.prod.outlook.com ([fe80::5e00:89be:2491:e25%7]) with mapi id 15.20.6156.005; Wed, 22 Feb 2023 17:36:40 +0000
From: "Steve Syfuhs (AP)" <Steve.Syfuhs@microsoft.com>
To: Nico Williams <nico@cryptonector.com>
CC: Luke Howard Bentata <lukeh@padl.com>, "kitten@ietf.org" <kitten@ietf.org>
Thread-Topic: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
Thread-Index: AQHZRIkZIwXtHRqIbEa9KZa+XVqqD67Wq+wAgABFUgCAAaD9AIAAArEAgAAshICAAAu+gIAA0M7wgAANhYCAAAJ04IAADAWAgABQGNCAAB0HAIAAIxL0gAAU9wCAANkqoA==
Date: Wed, 22 Feb 2023 17:36:40 +0000
Message-ID: <MW4PR21MB1970B688BF31100AF8C6EF8D9CAA9@MW4PR21MB1970.namprd21.prod.outlook.com>
References: <7064A9EB-EB01-426C-9BED-AFB97FA93551@padl.com> <Y/Q7hdTOF1HaxQKM@gmail.com> <Y/RFX4XywCAlhCeB@gmail.com> <MW4PR21MB197087AF4BB7632B0DF662619CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/T/3wwBIMZ+2mf6@gmail.com> <MW4PR21MB197051A332E7DD85FFB91EE69CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/UMA7xZYpOAWK4N@gmail.com> <MW4PR21MB19700BA2F20F8CC779F72CD39CA59@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/VnjL/IBYXFWkYX@gmail.com> <MW4PR21MB1970EAD9739BFA099B05F4779CAA9@MW4PR21MB1970.namprd21.prod.outlook.com> <Y/WWjumkyhEjMvda@gmail.com>
In-Reply-To: <Y/WWjumkyhEjMvda@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=e67f3894-feb3-4ece-bcf5-58ab9e5c8b0c; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2023-02-22T17:11:21Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW4PR21MB1970:EE_|BL0PR2101MB1348:EE_
x-ms-office365-filtering-correlation-id: 31319165-91cf-47c7-fb9d-08db14fb5b51
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xQmIpxc+b0W0aoU88coytTjrgc871i9Maz/aPTGAoChlU4s9GmGpCC/sK3WBKPJxWy0YdXjZZi5Bm60bx5vWVXOb3XuZp5oH5q8Svb6Om0jFz3CuA8HmcFaZ0NdfO46KDEy29a9B3z2KNvrz6rPWGQf/vMAtYDEayw6FHAXu2JeslhLoaoi4dm2bSnNcH7yMSeAE+BtE8y/BhXmIxj9/PUXR364PcsIGVeNE15vothqnaNO6dG0e4HRpGTlw0p4X6NIcwW1n3DenUWLInsawq4WfYLlixNajABtshXN34b0rnLM/19TGqasaDfp3dl3cei49uFBpVv5EFTIEv820q0zjDUUJflhDm4YnjtwTMqIKtyNbSJmf3KGtEEksfGzVomYonDZ39hcmOqeWVioFN3pTfcjGonhms5serZFNv9uo90l6Ek0pgtm/mc7vLgO4qehCUFfxJvcjE/Z2i9njjOjwkt2Xto/YqZcBFsoiz0REvmuGrfsaECwhLIrmCSQ43uLFsny+RINzwxUIBSr9p+ddi1q45RWzG9e6Shc/qCx2Rjk7rUv5GkKlPuTra6LBY3A3UtzHIS7eQFfiq4llwbkitqSXKmboUsVocZ8/B2Csf/Wv1v+oracqFKlXX7ichHPEqWmyCITPiq419N8kl65nZVpH9vCRKvPg0hvtyxbgwoNcqFjlA8oRUt12lzQMnenWhLGH8VWjXpzQqlp2HTsH9s3OSeyLMyUGqCZw98fw5rB97/NgidZzuEOjczTI
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW4PR21MB1970.namprd21.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(39860400002)(396003)(346002)(136003)(376002)(366004)(451199018)(5660300002)(2906002)(8990500004)(38070700005)(9686003)(83380400001)(82960400001)(82950400001)(38100700002)(122000001)(66556008)(64756008)(76116006)(66946007)(55016003)(8936002)(8676002)(4326008)(316002)(66476007)(66446008)(6916009)(41300700001)(52536014)(33656002)(10290500003)(53546011)(478600001)(6506007)(186003)(86362001)(54906003)(7696005)(71200400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 67+UFWMI+equBs2nuteuwa5cVCJ0+asrN+wkeF2QdtVugKppBZRqYJBFA1PSAcIwFRcqB5SjB5RNwmaiRIHSa/tSLdZuQB1TNa0WgA1TmbhdfUbg68PkObCBjccuM3fQQ9b45ybZGGzhYq1BhJAnBPBcVgZFiy0av+lTEcfIFwKrKrfbSQBmezwEDnJaiSYDBsv+RJ+25067ne/o6cOZlebFqaAjGeNtd7LuunhzH/BSqkXD11wuEkbThNc8frzF9ejjeju05VswSIfC1qoEMomvfGHt8duW8cPGO6AP6qvznFMYy3dLOHEATCq59IUmwq1ZHycnW4EjUpeAYvzmUhD+KuD9boi6Yff1eyD7X/DKR0w5Vr42UTp1nUoa1CwF2upYbqABANmYn0F3step5fbFwvkSuNyrBe634oGE4iz7np8ZYCH7L3hApe6TKPqFBO8Bt+4yHsofgXBuyf5a++voLDlSmHtcqUnwZHvp43AneA8Maj+6+7KOHhoxiT4Uub2Cai3yFvUp5Mjj9YtyHnryL3X70YlYU0CdPNeDw5T2vMrPoq//NsG4NoY7Za2BUNMDLr/tl6gLJT49kuzodQpLyQHPGb2DpT6nJFlbeB95KUVqDRsMXLVLOZ5JrMAMyrjgH+QaxqROBaxj+u15y57Z9YKfjNqtFAWDUutSzzJqqE3BRDzB8e7a35ty+/atnF6jtSVgvLZeoCPwtPjuaL8BZghqByE5avuy7otVAseAS14vEGadmGyepjNnVPQSRsENNrEYnuRLYcVaaFLYbRdNt1VEEgKpvzalcqnXkUBIAEv4+s75jdg1vRSOqnbJa4v4HPjCileJwMb/qNZaywba9qgEpbe7tfc8Z+I1d3SIm8bL/luHDvrL4NxGrFRZevBfzlDDwTouaUuN8Fodru/mlVrjCOqDspsFsguIUdU5KOVOyXLrmtCaLNTEOvXQPw2qgjBU6w5Hnnu/hbvUmFmOCZSd3RH4DbRJEMlqyDPtq5u6JoDqFg2W+nGDGmeoz6l8amhtis1v9CUGA5rG15RiwGL4MrteOLqnrmgpGAhkhNyhns/3XtZHtvCWzY5D+ZxJniZ4xqjr8zyaFi1ZGTDegvJtgA71tMssP8xsMmWoRsMGKm1CSrAjDfak3ICjBMRgO8ZElcaSuPfsqZrTIdCeggTy+tSR60oLH+56s7y+Wcsn0cYWXTYtKIgCwLH56GAAXIgxMKz8zpBF2kr9w6jjULvPZEzejO7fio+hIWZujGNyEWcNH4LavRnv+vCoviVpCjyzOxSnCwfgqCaZCjR4WJeIyVVPyDwm7qvJGYhl5NiUwKjnJX5HAGqZlf1JyhfahXL5OzzG4t7uXWBCLSHEfNDTayq/QqdxqByzbqIPnE4otiPEaf6UHPUzsxVf/8YI4/vZPK7+Rkk3yZJqTxHgxZAAOMZ0Ve+IEjoy+3rD3ubjQJBU3sYCutmV5F1C9CNG8Zu/Zhntggry5ybjate7yV3DtkKysbN6L2G77z8Jolkf6rR5HqOrtmoVlSp7UMcqe7WF2UkQ9QwAxtxB0SamKHbo0ED7PO78BxlK0JMGKx8WJhl+Uu5mkI6ISqXyiwMKb0LR1EUlXdp23ujUdcLN5/X0Q+cDXc5VsdekBGdJIYCx2bjmtyfxsM2LN8Ny
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW4PR21MB1970.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 31319165-91cf-47c7-fb9d-08db14fb5b51
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Feb 2023 17:36:40.4347 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0DaJnoMD53eCqjh5cAsCx5CykihRuSLr/kC+O/PWyOx5TviDS94gvEKtp5q8Tse/moJcFkRd4rDA0310l8AXBg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR2101MB1348
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/YW9X3xf3zfchy2VPBYSWKBq8smM>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2023 17:36:50 -0000

You should implement forest trusts. We automated key rotation in 2000. :)

That said, I'm a bit surprised you've seen any issues with key rotation. We generally return ap-err-modified in such bad key cases which should just trigger a client renew/reauth of the ticket. What do non-Windows clients do in that case? Do they just drop the request? 

RC4-wise we don't have much in the way of documentation because it originated in an MSRC security incident. Client-side telemetry tells us only about 1% of all *observed* encryptions use RC4 (the percentage of devices that have touched RC4 any given day is quite a bit higher). Telemetry is absolutely lying to us because it's only on newer versions of client and server. I wouldn't be surprised if both numbers are actually 2x-5x higher. Part of the problem is that the code to add/remove cipher suites is rather lacking so it's been an...effort...to get to a place where we can outright turn it off. Our strategy is otherwise simple: block RC4 session keys (incidentally, also break XP and friends along the way... oops?), and then once the code is in a place where we can outright disable the RC4 enctype, signal to customers they have 12 months before it goes away. The code is in our vnext branch; now it's just a matter of getting into in-market branches. Herculean effort, and not the fun kind.

I'll have to dig through the client/server logic for how gMSAs are handled. I don't quite remember the exact behavior, but caveat a few bugs we introduced ourselves I can't recall any major reports of timing issues, which I would attribute back to the badkey-retry-getkey behavior our clients have. Also said, I'm not aware of any non-Windows servers that implement gMSA support, especially given Andrew's comment about SAMBA only now investigating adding them. That sorta makes any third party behavior a bit moot.

-----Original Message-----
From: Nico Williams <nico@cryptonector.com> 
Sent: Tuesday, February 21, 2023 8:14 PM
To: Steve Syfuhs (AP) <Steve.Syfuhs@microsoft.com>
Cc: Luke Howard Bentata <lukeh@padl.com>; kitten@ietf.org
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

On Wed, Feb 22, 2023 at 03:07:48AM +0000, Steve Syfuhs (AP) wrote:
> True. In the cross-realm krbtgt case we give it an hour I think. I was 
> always under the impression that we had that coded that way because of 
> replication delays. Or are you thinking hypothetically if one were to 
> build this from scratch, today?

People I know will be doing one of these trust account password changes soon.  It'd be good to know if it's really one hour so we can tune down the krbtgt/${AD_REALM} principals' ticket lifetimes.

A then-client of mine did one of these rotations in 2012, and we tuned x-realm krbtgt ticket lifetimes way down ahead of rotating the keys on a Saturday to avoid any downtime.  Workable, but expensive in terms of labor.  Key rotations should be smooth w/o manual intervension.  This is especially important given that because they've not been smooth people don't rotate them, and now you're retiring RC4 and so they have to rotate them.  Is there some guidance doc for this somewhere?

> GMSA-wise, a ticket will never be encrypted with an out of date key.
> It's issued to the N key with the ticket set to expire when the 
> password is set to roll over. If you're looking to postdate a ticket 
> (not something I'm keen on folks doing), you could encrypt to N+1 
> because all versions of the key are always derivatives of a constant 
> secret plus a time epoch. TOTP on a grander scale if you will.

I feel a bit uncomfortable with non-overlapping key periods.  For one thing there's clock skew to think about.  For another the ticket lifetimes will not be the same every time a client requests a ticket -- weird! but especially given that they decrease to zero.  The window of time for which that could be a problem seems small, but I bet it does cause problems.  Maybe you've seen hiccups in your telemetry?  I worry that hiccups in apps that retry with a backoff timer might be getting papered over and you're missing hiccups in non-Windows, customer apps.

I would prefer that key lifetimes overlap a bit.  The Heimdal virtual principal service namespace feature too does time-based key derivation (good to know we're not the only ones thinking of such things!), but it does allow the service to fetch multiple kvnos (all the ones the service could need given configured ticket lifetimes and key epochs and current time), and does not cause ticket lifetimes to be variable.

This a friendly suggestion that AD should store at least up to two keys per account (plus a time at which each key was set).

Nico
--

v2.23.0 | Report a Bug | By Email