[kitten] Removing unnecessary and damaging check from RFC4120 section 3.2.3
Nico Williams <nico@cryptonector.com> Wed, 20 April 2016 22:45 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2CB312E84E for <kitten@ietfa.amsl.com>; Wed, 20 Apr 2016 15:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcVtTfe-L2_U for <kitten@ietfa.amsl.com>; Wed, 20 Apr 2016 15:45:19 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AA6C12E82B for <kitten@ietf.org>; Wed, 20 Apr 2016 15:45:10 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 8B4ED26C08B; Wed, 20 Apr 2016 15:45:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:mime-version:content-type; s= cryptonector.com; bh=F7pT3zKA9LbvsK1TIaMcxVa2AEw=; b=cLRz4duj0xs agQKLqqm04PuyGU5W+bVzWc+LbmAG/QVTcujEQb/ycjwoyCP1854Ebj9HH7qlRzb qtbmGvkLLiM0JF6PYQdZ67Tov4cyGaCTZK3GarfHj7DR+xQvRSruSpvA17LmSx4B /7/ixm8R4uxKfPElTGqa9RLPSxp6cM40=
Received: from localhost (108-207-244-100.lightspeed.austtx.sbcglobal.net [108.207.244.100]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id 9051A26C085; Wed, 20 Apr 2016 15:45:02 -0700 (PDT)
Date: Wed, 20 Apr 2016 17:44:53 -0500
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20160420224452.GK25972@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/d-l3kLL7mVpGMWMzzxb78D9deKI>
Subject: [kitten] Removing unnecessary and damaging check from RFC4120 section 3.2.3
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 22:45:21 -0000
RFC4120 (Kerberos) requires that services check that the cname/crealm
fields of the decrypted Authenticator match those in the decrypted
Ticket.
Section 3.2.3, page 31, says that "the name and realm of the client from
the ticket are compared [by the service] against the same fields in the
authenticator", and that "[i]f they don't match, the KRB_AP_ERR_BADMATCH
error is returned; normally this is caused by a client error or an
attempted attack." (This being RFC4120, this has the force of a SHOULD
at least, probably a MUST, even though such terms are not used in the
quoted text.)
I cannot think of a single attack that this foils. If there were such
an attack, either it would be utterly uninteresting, or it would imply
that the Kerberos cryptosystem and/or cryptographic protocol are broken,
in which case we'd have bigger problems.
In particular, the Authenticator decrypt integrity check should be
sufficient to rule out all interesting attacks. I'm sure you'll agree.
That leaves only the "client error" case of the given justification.
But this error never happens.
There is a USER error case however, not envisioned by RFC4120, where
this check fails: with Active Directory as the KDC when the client
acquires an INITIAL Ticket for an alias instead of their canonical
principal name. In this case the AS puts the canonical name in the
cname/crealm fields of the Ticket. If the client did not use the AS
canonicalization feature, then the client will not put the correct
cname/crealm in subsequent Authenticators, thus AP exchanges with many
services will fail due to this check. The user error lies in running
"kinit <alias-principal>".
The most likely explanation for why this behavior is required by RFC4120
is that this was carried over from Kerberos IV and earlier, harkening
back to the days when authentication tags were weak or missing
altogether. But those days are behind us, and this check is redundant
now. We should remove it.
[ASIDE: Incidentally, there is a simple way to do client principal name
canonicalization with no new protocols, all on the client side:
- first, get a TGT for a client principal
- then get a service ticket for the same principal as the
service, preferably using user-to-user authentication
- extract the canonical cname/crealm -and any authorization-data
of interest!- from the service Ticket
Of course, this only works if the AS works like Active Directory
and puts the canonical cname/crealm in the issued Ticket, not
the requested cname/crealm. This seems like very helpful
behavior, actually, and for this reason: that the client can
perform canonicalization if it wants to (though it shouldn't be
necessary if the services stop performing the cname/crealm
Authenticator check).]
Dropping this unnecessary check will allow non-Windows clients to
gracefully recover from user error at sites that have ASes that support
silent aliasing as AD does.
Alternatively, dropping this unnecessary check could allow the
cname/crealm from the Authenticator to be used as a way to indicate that
the real client wishes to impersonate another. The application,
naturally, would have to decide whether any given impersonation is to be
accepted. This use would conflict with the existing user-error case, so
I think we can rule out this alternative use of the Authenticator
cname/crealm.
I propose that we update RFC4120 as follows:
- drop the requirement to perform this unnecessary check;
- require that the cname/crealm reported to the application be the ones
from the Ticket, not the ones from the Authenticator;
- recommend/require that the AS put the canonical cname/crealm in the
Tickets it issues.
Are there other such checks in RFC4120 that should be modified/removed?
(At a quick glance I could not find any others.)
In the short-term, I'm wondering if implementors shouldn't just go ahead
and remove this check from their implementations. For Heimdal this
would entail removing 31 lines of text (26 lines of actual code) from
one file; no remaining uses of KRB_AP_ERR_BADMATCH would remain.
Nico
PS: I mention crealm because the crealm too can be aliased, and indeed,
the Active Directory KDC supports realm aliasing.
- [kitten] Removing unnecessary and damaging check … Nico Williams
- Re: [kitten] Removing unnecessary and damaging ch… Nico Williams