Re: [kitten] Kerberos extra round trips I-D revised
Nico Williams <nico@cryptonector.com> Wed, 12 November 2014 20:06 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EEFC1A8725 for <kitten@ietfa.amsl.com>; Wed, 12 Nov 2014 12:06:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7gLbISqHzTX for <kitten@ietfa.amsl.com>; Wed, 12 Nov 2014 12:06:20 -0800 (PST)
Received: from homiemail-a32.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 443F41AD00B for <kitten@ietf.org>; Wed, 12 Nov 2014 12:05:55 -0800 (PST)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id AF9EC584064; Wed, 12 Nov 2014 12:05:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=/wvfjjE5fvy3iJ BbNQBsLzebvxM=; b=AZrMHUbmaOhGGLQtGkGRmRumMatx+nv9ks8ear3JCgeUrL v6b9flB3+B2tsQu7bzNW9QvXrOEtOvfgxEMAG5yKLQr6DhFNyRrTnqHCtyAZIoPa ewu6vwz1AGwmxycPUUZKBoyUti6LJNAu3VhjrOViVKrrC6XueoSoFwX0OBclI=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPA id 55F66584059; Wed, 12 Nov 2014 12:05:55 -0800 (PST)
Date: Wed, 12 Nov 2014 14:05:54 -0600
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20141112200552.GA3124@localhost>
References: <20141027071704.GC14215@localhost> <alpine.GSO.1.10.1411071543280.27826@multics.mit.edu> <54624E87.8010007@mit.edu> <20141111185423.GM3412@localhost> <54638C46.8060203@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54638C46.8060203@mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/kV0wjdwXgTUNpAzUJ_SAhnAAMbY
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos extra round trips I-D revised
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Nov 2014 20:06:23 -0000
On Wed, Nov 12, 2014 at 11:35:18AM -0500, Greg Hudson wrote: > This brings up a larger point that I previously missed: in the rcache > avoidance flow with an odd number of tokens, there is no AP-REP token in > the exchange. I removed too much when I removed sname/srealm. The intention is to use the KRB-ERROR2 as an AP-REP in the three-token flow, which means that it needs to have an optional sub-session key field (and which must be present when the initiator's AP-REQ was fine but the acceptor wants that third token). I added this back for -04 (not yet submitted). > So, should rcache avoidance should use a modified KRB-ERROR or a > modified AP-REP? I think using a modified AP-REP is more natural, but > it does mean adding a second new message type and adding the nonce to > both messages. Right. To me KRB-ERROR2 can fill both roles. > If we do use a modified KRB-ERROR in this flow, then we need to make > sure that we get all of the security properties we would get from the > AP-REP. The AP-REP provides: Agreed. I'll be re-adding the acceptor sub-session key, I'll add the mirrored timestamp, and I'll add authz-data (not just typed-data) so that this message really can serve as both, KRB-ERROR2 and AP-REP2. (Authz-data, for example, could be useful here in the user-to-user case, for symmetry, but also so we don't have to define both, authz-data and typed-data elements for things like kDH pubkeys.) > We also need to consider how this all interacts with > draft-vanrein-krb5-kdh. A typed-hole in KRB-ERROR2, and the authz-data in AP-REQ, allow for ephemeral DH keys. We then only need to specify the relevant elements for carrying them. We'll also need to support acceptor key confirmation for the DH key in the case where the initiator's optimistic DH group/curve choice fails. The kDH flows might look like this: - 2-token flow (optimistic negotiation succeeds, no acceptor key confimation): C->S: AP-REQ with ad-kdh-groups, ad-kdh-pubkey (one or more even) (initiator is PROT_READY here) S->C: KRB-ERROR2 or extended AP-REP with ad-kdh-pubkey and key confirmation typed-data/authz-data - 3-token flow (optimistic negotiation succeeds, no acceptor key confimation, acceptor wants rcache avoidance): C->S: AP-REQ with ad-kdh-groups, ad-kdh-pubkey (one or more even) (initiator is PROT_READY here) S->C: KRB-ERROR2 or extended AP-REP with acceptor pubkey and key confirmation C->S: AP-REQ with challenge - 4-token flow (optimistic negotiation fails, acceptor key confirmation desired): C->S: AP-REQ with ad-kdh-groups, ad-kdh-pubkey (one or more even) S->C: KRB-ERROR2 or extended AP-REP with ad-kdh-pubkey C->S: AP-REQ with ad-kdh-pubkey (and with challenge if the acceptor wanted it) (initiator is PROT_READY here) S->C: AP-REP Obviously, it'd be nice if the KDC had some idea what groups/curves the acceptor supports, then we could more often avoid the 4-token flow. BTW, the TLS crowd is very keen on 0-RTT, which in GSS-speak means being prot_ready after producing the first context token^W^W handshake message. I'm not sure that prot_ready is a such terribly good idea because in many, many cases the very first app data either needs PFS/established authentication state, or else the layer right above TLS/whatever doesn't know if the app data needs that. But, there's a reason that 0-RTT is desired, and I think it'd be worth formalizing and modernizing the prot_ready concept. I also think it'd be a good idea to de-conflate (in GSS) acceptor key confirmation from authentication of the acceptor to the initiator. Nico --
- [kitten] Kerberos extra round trips I-D revised Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Benjamin Kaduk
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Greg Hudson
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams
- Re: [kitten] Kerberos extra round trips I-D revis… Nico Williams