IETF Logo Mail Archive

Re: [kitten] Kerberos preauth negotiation techniques

Greg Hudson <ghudson@mit.edu> Wed, 18 February 2015 20:16 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 080511A0A85 for <kitten@ietfa.amsl.com>; Wed, 18 Feb 2015 12:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uO8tGgR-43pG for <kitten@ietfa.amsl.com>; Wed, 18 Feb 2015 12:16:34 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 047851A02F1 for <kitten@ietf.org>; Wed, 18 Feb 2015 12:16:33 -0800 (PST)
X-AuditID: 12074425-f79846d0000054e1-2f-54e4f320d1ca
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 61.88.21729.023F4E45; Wed, 18 Feb 2015 15:16:32 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t1IKGVBx006581; Wed, 18 Feb 2015 15:16:32 -0500
Received: from [18.101.8.186] (vpn-18-101-8-186.mit.edu [18.101.8.186]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t1IKGTMx030957 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 18 Feb 2015 15:16:31 -0500
Message-ID: <54E4F31D.5080103@mit.edu>
Date: Wed, 18 Feb 2015 15:16:29 -0500
From: Greg Hudson <ghudson@mit.edu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Nathaniel McCallum <npmccallum@redhat.com>
References: <x7da90k47ox.fsf@equal-rites.mit.edu> <1424189675.2645.23.camel@redhat.com>
In-Reply-To: <1424189675.2645.23.camel@redhat.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixG6nrqvw+UmIQWOHpsXRzatYLOZ+ncXq wOSxZMlPJo/3+66yBTBFcdmkpOZklqUW6dslcGX8fLCUpWCfaMW8jSsZGxgXCnYxcnJICJhI POndzwhhi0lcuLeerYuRi0NIYDGTxOPWK4wQzkZGiVdHbrBAOEeYJNruPWEDaeEVUJPYdKiB HcRmEVCV6D/8nhXEZhNQlli/fysLiC0qECbxffMOZoh6QYmTM5+AxUUE9CSW7ZsAtppZQFji wva9YL3CArYSk29/B6sXEgiXuPZoOpjNKWAksfjYCTaIenWJP/MuMUPY8hLNW2czT2AUnIVk xSwkZbOQlC1gZF7FKJuSW6Wbm5iZU5yarFucnJiXl1qka6GXm1mil5pSuokRHMIuqjsYJxxS OsQowMGoxMPbwfQkRIg1say4MvcQoyQHk5Iob/pjoBBfUn5KZUZicUZ8UWlOavEhRgkOZiUR 3h37gHK8KYmVValF+TApaQ4WJXHeTT/4QoQE0hNLUrNTUwtSi2CyMhwcShK8GR+BGgWLUtNT K9Iyc0oQ0kwcnCDDeYCGLwOp4S0uSMwtzkyHyJ9iVJQS5+X9BJQQAElklObB9cJSzCtGcaBX hHlngLTzANMTXPcroMFMQIPn/3kEMrgkESEl1cAY4r0wwOjVP0vnM1kLdQ5wmyppzZ+7+/57 DoWm1osHBP+v5AvT+65+u9646ECpdfvkw94Z8Y8v5EX3pib+1GzQjIiM0QwKs/xwYBZfaPX7 K0tT9r8zO+diov569QMlzfm9oqvD1/8zM1x/cXH6lbc+7DydHE5Ljs9fm1HlNnuHJafu6dk2 h5iUWIozEg21mIuKEwEGUzybDAMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/_4AkDuQPXTB_4vZYaLn7kxYNcn4>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos preauth negotiation techniques
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 20:16:36 -0000

I wrote (in summary):
>> I think there are basically three options:
>> 1. Add a third round trip
>> 2. Use pseudo-enctypes
>> 3. Use client preauth hints

On 02/17/2015 11:14 AM, Nathaniel McCallum wrote:
> 1 and 3 are also compatible workflows. In 3, the first AS-REQ is 
> exactly the same padata as the second AS-REQ in 1. That is to say, 3 
> is an optimization of 1 where the first round-trip of 1, which 
> includes no meaningful data, is simply not used. Put another way, 3 is 
> just 1 with optimistic preauth.

That's an interesting way of looking at things.  It means we wouldn't
have to amend RFC 6113, although we might be bending it a bit.  Here are
some considerations, which all seem manageable:

* Traditionally, optimistic preauth is only done with some prior
knowledge of what the KDC wants (see RFC 6113 section 2.3 paragraph 1).
 To get down to two round trips in the common case, an AS client  needs
to do optimistic PA-PAKE by default.

* Of course PA-PAKE would need to be specified such that the first
client message requires no knowledge from the KDC.  This is pretty
simple; the first client message can be defined to contain only
sub-negotiation parameters.

* Most KDC implementations will ignore the client's PA-PAKE padata if
they don't implement it, and respond with PREAUTH_REQUIRED with
METHOD-DATA.  Some older KDCs (like MIT krb5 pre-1.7) will instead
respond with PREAUTH_FAILED.  Clients already need to deal with this
behavior if they implement RFC 6112 encrypted padata negotiation or any
similar extension, so this is not really a concern.

* An optimistic PA-PAKE message should be cheap to compute (it's just
parameters), but is still wasted bytes if the exchange winds up settling
on a different mechanism or not using preauth at all.  The more
compactly we can represent client parameters, the less bandwidth we will
waste and the fewer problems we will have with AS-REQs exceeding UDP
limitations.

* Can a client optimistically preauthenticate with multiple mechanisms?
 RFC 6113 doesn't really say either way.  Without going into detail on
the arguments pro and con:

  - If we assume no, then a client which does optimistic PA-PAKE by
default can't do the same thing with any other mechanism.  This could be
a reasonable choice; the client implementation could always choose to
drop back to three round trips for PA-PAKE if it wants to do optimistic
PA-FUTURE-AWESOME by default in the future.

  - If we assume yes, then a client which does optimistic PA-PAKE is
still privileging that mechanism by choosing to spend bandwith on it
before it is negotiated.  But it wouldn't necessarily have to exclude
other mechanisms from doing the same thing.

v2.23.0 | Report a Bug | By Email