Re: [kitten] GSS & krb5 mutual auth flags aren't -- they are about key confirmation
Robbie Harwood <rharwood@redhat.com> Wed, 15 May 2019 18:57 UTC
Return-Path: <rharwood@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09DEA120780 for <kitten@ietfa.amsl.com>; Wed, 15 May 2019 11:57:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUcGrkWaCtIZ for <kitten@ietfa.amsl.com>; Wed, 15 May 2019 11:57:11 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF51612078E for <kitten@ietf.org>; Wed, 15 May 2019 11:57:04 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id D8274C04BD48; Wed, 15 May 2019 18:57:03 +0000 (UTC)
Received: from localhost (dhcp-10-20-1-19.bss.redhat.com [10.20.1.19]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8EEBC1001DEF; Wed, 15 May 2019 18:57:03 +0000 (UTC)
From: Robbie Harwood <rharwood@redhat.com>
To: Nico Williams <nico@cryptonector.com>, kitten@ietf.org
In-Reply-To: <20190506063408.GF21049@localhost>
References: <20190506063408.GF21049@localhost>
Date: Wed, 15 May 2019 14:57:11 -0400
Message-ID: <jlgd0kjlf5k.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Wed, 15 May 2019 18:57:04 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/gFslioa5_cX4M4iSyIn6Bf25MWM>
Subject: Re: [kitten] GSS & krb5 mutual auth flags aren't -- they are about key confirmation
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 18:57:13 -0000
Nico Williams <nico@cryptonector.com> writes: > See subject. > > I assert that: > > - GSS_C_MUTUAL_FLAG is badly misnamed > > - GSS_C_MUTUAL_FLAGis not, never was, and never could have been about > mutual authentication in the sense of authenticating two peers to > each other, > > - and GSS_C_MUTUAL_FLAGis, always was, and only could have been about > key confirmation. > > It is understandable that "mutual authentication" had a somewhat > confusing definition back when RFCs 1508, 1509, and 1510 were written > (huh, notice the sequential RFC numbers...). But it's time to nail it > down. > > First off, a high-level observation: GSS (and Kerberos) always deals > in *two* principal names, so GSS and Kerberos are *always* about > mutual authentication. > > The API by its very own nature implies mutual authentication even when > one or the other (or both) name can be anonymous or pseudonymous. > > Second, we can look at all the mechanisms we know well enough, and all > the mechanisms we can posit, and see that the above assertions hold: > > - Mechanisms that can have just one, or just two context tokens: > > - Kerberos > > Mutual really only means key confirmation. > > Mutual authentication is obtained naturally in that the acceptor > cannot GSS_Unwrap() (or GSS_VerifyMIC()) without having the > requested target acceptor's credentials. This is true assuming it *does* call those functions. Authentication-only use is not only possible but (unfortunately, in my view) quite common: HTTP Negotiate, or GSSAPI auth in ssh, etc.. In those cases, without mutual authentication, any authentication of (for example) the HTTP server to the client must happen at another point (from the TLS channel in HTTPS). Of course, operating with mutual authentication along an untrusted channel won't buy you much since it's not tamper-proof. However, it does help against passive observers when opportuniustic (untrusted) encryption is used (as well as TOFU schemes). I realize this is a bit in the weeds and possibly not practically relevant, but this is a conversation about definitions, so... Thanks, --Robbie
- [kitten] GSS & krb5 mutual auth flags aren't -- t… Nico Williams
- Re: [kitten] GSS & krb5 mutual auth flags aren't … Nico Williams
- Re: [kitten] GSS & krb5 mutual auth flags aren't … Martin Rex
- Re: [kitten] GSS & krb5 mutual auth flags aren't … Nico Williams
- Re: [kitten] GSS & krb5 mutual auth flags aren't … Martin Rex
- Re: [kitten] GSS & krb5 mutual auth flags aren't … Robbie Harwood