IETF Logo Mail Archive

Re: [kitten] GSS & krb5 mutual auth flags aren't -- they are about key confirmation

Nico Williams <nico@cryptonector.com> Wed, 08 May 2019 20:19 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 632771200B5 for <kitten@ietfa.amsl.com>; Wed, 8 May 2019 13:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cc_ekcFt9Q8H for <kitten@ietfa.amsl.com>; Wed, 8 May 2019 13:19:06 -0700 (PDT)
Received: from ostrich.birch.relay.mailchannels.net (ostrich.birch.relay.mailchannels.net [23.83.209.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3898B120026 for <kitten@ietf.org>; Wed, 8 May 2019 13:19:06 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 637DA1406D3; Wed, 8 May 2019 20:19:05 +0000 (UTC)
Received: from pdx1-sub0-mail-a9.g.dreamhost.com (100-96-78-10.trex.outbound.svc.cluster.local [100.96.78.10]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D50E914067F; Wed, 8 May 2019 20:19:04 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a9.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.17.2); Wed, 08 May 2019 20:19:05 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Scare-Blushing: 49dab264152422b2_1557346745226_1708140854
X-MC-Loop-Signature: 1557346745225:4235032393
X-MC-Ingress-Time: 1557346745225
Received: from pdx1-sub0-mail-a9.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a9.g.dreamhost.com (Postfix) with ESMTP id 315BC7FCB3; Wed, 8 May 2019 13:19:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=dWJ9v36Ae48dnX NBrwGNLXUGZaI=; b=U8MmQwrEfnNWTQ4jLhmTvB55q+oyMA3CDTQ+Qt39SBZrA0 QfQfMGEoT9QALvT+80GlslEo0+UXLv0Mn/MPMZHBCRNlJHC4n2+71BgepUjSouQT +1QESYoRqnnlQliVBIruDrFrHcz+EJmVAxqWkUoMWheCeH0YUFno4CwdxG+zY=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a9.g.dreamhost.com (Postfix) with ESMTPSA id 2C2A37FCB0; Wed, 8 May 2019 13:18:58 -0700 (PDT)
Date: Wed, 08 May 2019 15:18:56 -0500
X-DH-BACKEND: pdx1-sub0-mail-a9
From: Nico Williams <nico@cryptonector.com>
To: Martin Rex <mrex@sap.com>
Cc: kitten@ietf.org
Message-ID: <20190508201855.GX21049@localhost>
References: <20190506063408.GF21049@localhost> <20190508025351.1EF31404C@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20190508025351.1EF31404C@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrkeefgddugeekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/la1bulY6F6Gj3f7HJb9S5qcwuDQ>
Subject: Re: [kitten] GSS & krb5 mutual auth flags aren't -- they are about key confirmation
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 20:19:09 -0000

On Wed, May 08, 2019 at 04:53:51AM +0200, Martin Rex wrote:
> Nico Williams <nico@cryptonector.com> wrote:
> > I assert that:
> > 
> >  - GSS_C_MUTUAL_FLAG is badly misnamed
> 
> Not really.
> 
> Original GSS-API implied initator towards acceptor authentication,
> and GSS_C_MUTUAL_FLAG was used to request acceptor towards initiator
> authentication.

I believe that conflates "mutual" with key confirmation.

Assuming the cryptosystems are secure, an exchange of this form:

I->A: init sec context token w/o "mutual" (AP-REQ)
I->A: wrap token w/ confidentiality

keeps the plaintext confidential even if the recipient is not the
intended acceptor.

Kerberos ensures that only the intended acceptor can unwrap that token.

Moreover, in an exchange like this

I->A: init sec context token w/o "mutual" (AP-REQ)
A->I: sec context token (AP-REP)
I->A: wrap token w/ confidentiality

there is no assurance that there is not a party on-path that can observe
the ciphertext of these tokens.

Thus the only thing GSS_C_MUTUAL_FLAG can do in the case of Kerberos is
provide key confirmation and, in RFC4121, a new sub-session key.

In both cases there are *two* principal names, and they are
cryptographically bound by the init sec context token alone.

Moreover, the GSS-API always has two principal names involved in every
security context.  I suppose you could argue it's "up to two names", but
I wouldn't agree.  First, the initiator's credential (default or not)
supplies one name (the initiator's) to GSS_Init_sec_context().  Second,
GSS_Init_sec_context() requires a target_name (the acceptor's).  Even if
the initiator wishes to be anonymous, it still has a NAME as indicated
by GSS_Inquire_context() -- that name will be of GSS_C_NT_ANONYMOUS
type, indeed, but it will be a NAME.

> The better terminology would have been to indicate the actually desired
> (additional) function, rather than describing the addition of what is
> requested, and what has been silently implied/assumed.

If I understand this, you might actually be agreeing with me.  But I
probably didn't understand it.  What alternative terminology would you
propose?

> The difference became obvious when the "Anoymous" authentication was
> added in GSS-APIv2, i.e. no authentication of initiator towards acceptor.

Has this been implemented by any mechanisms?

(Kerberos is the only Internet mechanism that has this specified, but
it's not yet been implemented, much less as specified.)

A better design would have been to have the initiator application supply
GSS_Inquire_context() with an input_cred_handle for a GSS_C_NT_ANONYMOUS
desired_name.  No flag should have been needed or specified.

> Web Browsers using TLS usually do what at the GSS-API would be the
> combination of (GSS_C_ANON_FLAG|GSS_C_MUTUAL_FLAG), i.e.
> unidirectional authentication, acceptor towards initiator.

This would seem like a contradiction in terms.  Unless you take
GSS_C_MUTUAL_FLAG to be about key confirmation, which is not optional in
TLS, and so we're down to just GSS_C_ANON_FLAG (about which see above).

> >  - and GSS_C_MUTUAL_FLAGis, always was, and only could have been about
> >    key confirmation.
> 
> GSS-API is about authentication of name-based entities.
> There is no concept of keys in GSS-API.

Key confirmation is a term of art referring to an aspect of the chosen
mechanism's context token protocol.  "Key confirmation" is certainly not
about exposing keys to applications.

But certainly, too, the existence of cryptographic keys is strongly
implied by the GSS-API, at least assuming classical cryptography (and we
can't assume quantum cryptography because while there are quantum key
exchange systems, there are no quantum authentication systems).

> > It is understandable that "mutual authentication" had a somewhat
> > confusing definition back when RFCs 1508, 1509, and 1510 were written
> > (huh, notice the sequential RFC numbers...).  But it's time to nail it
> > down.
> > 
> > First off, a high-level observation: GSS (and Kerberos) always deals in
> > *two* principal names, so GSS and Kerberos are *always* about mutual
> > authentication.
> 
> Nope.  Kerberos has always been about unidirectional authentication,
> and most of the time, MUTUAL is still unidirectional.

I strongly disagree as explained above.

> Performing server name canonicalization through insecure DNS
> has been insecure and a well-known bad idea in 1996.

I'd rather not distract this thread with that issue.

Nico
--

v2.23.0 | Report a Bug | By Email