[kitten] Removing unnecessary and damaging check from RFC4120 section 3.2.3
Nico Williams <nico@cryptonector.com> Wed, 20 April 2016 22:45 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2CB312E84E for <kitten@ietfa.amsl.com>; Wed, 20 Apr 2016 15:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcVtTfe-L2_U for <kitten@ietfa.amsl.com>; Wed, 20 Apr 2016 15:45:19 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AA6C12E82B for <kitten@ietf.org>; Wed, 20 Apr 2016 15:45:10 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 8B4ED26C08B; Wed, 20 Apr 2016 15:45:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:mime-version:content-type; s= cryptonector.com; bh=F7pT3zKA9LbvsK1TIaMcxVa2AEw=; b=cLRz4duj0xs agQKLqqm04PuyGU5W+bVzWc+LbmAG/QVTcujEQb/ycjwoyCP1854Ebj9HH7qlRzb qtbmGvkLLiM0JF6PYQdZ67Tov4cyGaCTZK3GarfHj7DR+xQvRSruSpvA17LmSx4B /7/ixm8R4uxKfPElTGqa9RLPSxp6cM40=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id 9051A26C085; Wed, 20 Apr 2016 15:45:02 -0700 (PDT)
Date: Wed, 20 Apr 2016 17:44:53 -0500
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20160420224452.GK25972@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/d-l3kLL7mVpGMWMzzxb78D9deKI>
Subject: [kitten] Removing unnecessary and damaging check from RFC4120 section 3.2.3
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 22:45:21 -0000
RFC4120 (Kerberos) requires that services check that the cname/crealm fields of the decrypted Authenticator match those in the decrypted Ticket. Section 3.2.3, page 31, says that "the name and realm of the client from the ticket are compared [by the service] against the same fields in the authenticator", and that "[i]f they don't match, the KRB_AP_ERR_BADMATCH error is returned; normally this is caused by a client error or an attempted attack." (This being RFC4120, this has the force of a SHOULD at least, probably a MUST, even though such terms are not used in the quoted text.) I cannot think of a single attack that this foils. If there were such an attack, either it would be utterly uninteresting, or it would imply that the Kerberos cryptosystem and/or cryptographic protocol are broken, in which case we'd have bigger problems. In particular, the Authenticator decrypt integrity check should be sufficient to rule out all interesting attacks. I'm sure you'll agree. That leaves only the "client error" case of the given justification. But this error never happens. There is a USER error case however, not envisioned by RFC4120, where this check fails: with Active Directory as the KDC when the client acquires an INITIAL Ticket for an alias instead of their canonical principal name. In this case the AS puts the canonical name in the cname/crealm fields of the Ticket. If the client did not use the AS canonicalization feature, then the client will not put the correct cname/crealm in subsequent Authenticators, thus AP exchanges with many services will fail due to this check. The user error lies in running "kinit <alias-principal>". The most likely explanation for why this behavior is required by RFC4120 is that this was carried over from Kerberos IV and earlier, harkening back to the days when authentication tags were weak or missing altogether. But those days are behind us, and this check is redundant now. We should remove it. [ASIDE: Incidentally, there is a simple way to do client principal name canonicalization with no new protocols, all on the client side: - first, get a TGT for a client principal - then get a service ticket for the same principal as the service, preferably using user-to-user authentication - extract the canonical cname/crealm -and any authorization-data of interest!- from the service Ticket Of course, this only works if the AS works like Active Directory and puts the canonical cname/crealm in the issued Ticket, not the requested cname/crealm. This seems like very helpful behavior, actually, and for this reason: that the client can perform canonicalization if it wants to (though it shouldn't be necessary if the services stop performing the cname/crealm Authenticator check).] Dropping this unnecessary check will allow non-Windows clients to gracefully recover from user error at sites that have ASes that support silent aliasing as AD does. Alternatively, dropping this unnecessary check could allow the cname/crealm from the Authenticator to be used as a way to indicate that the real client wishes to impersonate another. The application, naturally, would have to decide whether any given impersonation is to be accepted. This use would conflict with the existing user-error case, so I think we can rule out this alternative use of the Authenticator cname/crealm. I propose that we update RFC4120 as follows: - drop the requirement to perform this unnecessary check; - require that the cname/crealm reported to the application be the ones from the Ticket, not the ones from the Authenticator; - recommend/require that the AS put the canonical cname/crealm in the Tickets it issues. Are there other such checks in RFC4120 that should be modified/removed? (At a quick glance I could not find any others.) In the short-term, I'm wondering if implementors shouldn't just go ahead and remove this check from their implementations. For Heimdal this would entail removing 31 lines of text (26 lines of actual code) from one file; no remaining uses of KRB_AP_ERR_BADMATCH would remain. Nico PS: I mention crealm because the crealm too can be aliased, and indeed, the Active Directory KDC supports realm aliasing.
- [kitten] Removing unnecessary and damaging check … Nico Williams
- Re: [kitten] Removing unnecessary and damaging ch… Nico Williams