IETF Logo Mail Archive

Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication

Benjamin Kaduk <kaduk@MIT.EDU> Wed, 03 September 2014 19:34 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB5B31A6F49; Wed, 3 Sep 2014 12:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.869
X-Spam-Level:
X-Spam-Status: No, score=-4.869 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wbyg-Z8UkuxE; Wed, 3 Sep 2014 12:34:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104751A0B84; Wed, 3 Sep 2014 12:34:55 -0700 (PDT)
X-AuditID: 1209190d-f79c06d000006f95-c1-54076d5e4903
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 3E.03.28565.E5D67045; Wed, 3 Sep 2014 15:34:54 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s83JYrN3032560; Wed, 3 Sep 2014 15:34:54 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s83JYmY0002845 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 3 Sep 2014 15:34:51 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s83JYmhV016650; Wed, 3 Sep 2014 15:34:48 -0400 (EDT)
Date: Wed, 03 Sep 2014 15:34:48 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Nico Williams <nico@cryptonector.com>
In-Reply-To: <20140903041240.GG2664@localhost>
Message-ID: <alpine.GSO.1.10.1409031527510.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu> <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu> <20140903041240.GG2664@localhost>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpjleLIzCtJLcpLzFFi42IR4hRV1o3LZQ8x+PRQx+Lo5lUsFrPfP2K1 OHXtCJvF9EVWDiweL0+dY/RYsuQnk8eMT1/YApijuGxSUnMyy1KL9O0SuDImXuItaJaouPL2 NmsD4wahLkZODgkBE4nFx6ezQthiEhfurWfrYuTiEBKYzSRx4tQsRghnA6PExVl/WSGcg0wS O/vPsYC0CAnUSyxZdJIRxGYR0JK4fP8BG4jNJqAiMfPNRjBbREBT4vq8pWA2s0CZRPe0drB1 wgIOEgsW3wbr5RTQk5g+/QZQDQcHr4CjxIzfzhC7JjJLrD13EaxGVEBHYvX+KWB7eQUEJU7O fMICMVNLYvn0bSwTGAVnIUnNQpJawMi0ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdILzezRC81 pXQTIziIJXl3ML47qHSIUYCDUYmH18OPLUSINbGsuDL3EKMkB5OSKG9oOnuIEF9SfkplRmJx RnxRaU5q8SFGCQ5mJRHeNdJAOd6UxMqq1KJ8mJQ0B4uSOO9ba6tgIYH0xJLU7NTUgtQimKwM B4eSBK92DlCjYFFqempFWmZOCUKaiYMTZDgP0HBdkBre4oLE3OLMdIj8KUZdjnWd3/qZhFjy 8vNSpcR5e7OBigRAijJK8+DmwJLPK0ZxoLeEebeDVPEAExfcpFdAS5iAlrjlsIIsKUlESEk1 MDJ9kxNzvTLz4Ta5guovE9haJsQsOh/ydGVex+HVURdemSyV+hR9lrfz3fOV8WXsJgGmLTMM Gy8UR9gdet/I+DB20aMHN/5cf7vrXqPXtb0uof5s6oG7bSRsXhSZZGw8G+ujcHL13pU/2J19 vXLfZHy4sm7pvYo1flMVPtbXPV8ivfdYUn763w9KLMUZiYZazEXFiQCy4/X1GQMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/a132Sqa23UE3kR-Z8DBuTU4bE-c
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 19:34:59 -0000

On Wed, 3 Sep 2014, Nico Williams wrote:

> On Tue, Sep 02, 2014 at 01:13:06PM -0400, Benjamin Kaduk wrote:
> > It would be nice if someone could confirm or contradict my conclusion that
> > the triple of (opaque inner handle, nonce, mic) is a bearer token for
> > performing multi-principal authentication.
>
> Sorry, let's look at this:
>
>  - As I had it the client sends an integrity-protected message that
>    contains a MIC of a nonce.  The outer message is protected by a GSS
>    security context authenticating the client host.  The inner MIC is
>    made with the user's context.  Both contexts having the same
>    acceptor.

Check.  The inner mic is an ordinary GSS_GetMic(), correct?

>  - The *new* RPCSEC_GSS security context uses the same GSS security
>    context as the outer message in the establishment (see above) of this
>    new context.

Check.

>  - When the client sends an RPC on behalf of a user, then, it sends
>    something like (simplifying):
>
>     - RPC header:
>        - program, procedure, XID
>        - credential
>           - *new* context ID

This part is, I think, the problem.

>        - verifier
>           - MIC taken over the header (minus verifier) with the old outer
>             context

(I don't think 'old' is needed here; it's just the outer GSS context.)

>     - payload (possibly wrapped)
>
> There's no bearer token here.  There's nothing in the credential or
> verifier that a man in the wire can use to replay against the server and
> get the same rights with a different payload (well, assuming we're
> providing at least integrity protection to the payload).

I don't think that there's a bearer token used to authenticate RPCs on
behalf of a user.

I think that the process of obtaining a new/child context ID involves a
bearer token that identifies the user which will be associated with the
child context.

The message to obtain the child context ID is integrity protected, but if
I have my own credentials to make my own parent context, and I can read
the contents of the RPCSEC_GSS_CREATE request, I can make my own
RPCSEC_GSS_CREATE request that contains the handle ID, nonce, and mic that
I observed over the wire.  So, I guess the question becomes, does the
server do anything to verify that the inner handle ID is associated with
the connection/peer that the server is currently talking to.

> The man in the wire would have to be able to manufacture a MIC and Wrap
> tokens without having the related security context's session keys.
>
> Could an attacker find a MIC made with a context authenticating the user
> (to the same acceptor) of a payload that looks like a nonce?  Yes,
> perhaps, but the client would have to pick that same nonce, so, not
> really.

If the attacker has their own (rpcsec) client, they can choose whatever
nonce they want.

-Ben

> OK, now let's see if the same is true for the current draft.  [reads]
>
> This section of the draft got rewritten, but my reading is that the gist
> is the same.

v2.29.0 | Report a Bug | By Email | System Status