Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication
Nico Williams <nico@cryptonector.com> Wed, 03 September 2014 19:39 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10A9F1A6EDC; Wed, 3 Sep 2014 12:39:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yHLLWVOK7o6; Wed, 3 Sep 2014 12:39:31 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 3B9D61A0B09; Wed, 3 Sep 2014 12:39:31 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id EA6A920047B8B; Wed, 3 Sep 2014 12:39:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=0JbfBKbJFR+aTdepX2w5 jDI1grI=; b=DRly/Aa9vqT/ZZYJUGolfkPuceHG1mAiYYm9HPVKelLYJLEfhXda GvOB8+iKcnEBkNB2cKOzpqutjzGsIrVhlmObdY3jSom7cRoiqih1EIaMCZHeRceG Lptt/zi1E//w151IzKQOZytB1xHFUL9joKDw/pGQ0pZP3RYj97RE3WI=
Received: from mail-we0-f171.google.com (mail-we0-f171.google.com [74.125.82.171]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPSA id 6EDB920047B88; Wed, 3 Sep 2014 12:39:30 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id u56so9200067wes.2 for <multiple recipients>; Wed, 03 Sep 2014 12:39:29 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.58.244 with SMTP id u20mr50230302wjq.36.1409773169110; Wed, 03 Sep 2014 12:39:29 -0700 (PDT)
Received: by 10.216.231.131 with HTTP; Wed, 3 Sep 2014 12:39:29 -0700 (PDT)
In-Reply-To: <20140903192855.GA25363@fieldses.org>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu> <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu> <20140903041240.GG2664@localhost> <20140903174741.GA24790@fieldses.org> <CAK3OfOipM10jM=e59q8hZd7niQGinQgWSBVFjKVabKRkvH1HUg@mail.gmail.com> <20140903192855.GA25363@fieldses.org>
Date: Wed, 03 Sep 2014 14:39:29 -0500
Message-ID: <CAK3OfOg9KSu7eK8a9zf24gJ92xegJhHvGXX1EEYhuPKE=Q87Vw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/qsaDquuA_IYZR2u9Dk0zNfI-jek
Cc: "kitten@ietf.org" <kitten@ietf.org>, "Adamson, Andy" <William.Adamson@netapp.com>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 19:39:32 -0000
On Wed, Sep 3, 2014 at 2:28 PM, J. Bruce Fields <bfields@fieldses.org> wrote: > On Wed, Sep 03, 2014 at 01:32:46PM -0500, Nico Williams wrote: >> On Wed, Sep 3, 2014 at 12:47 PM, J. Bruce Fields <bfields@fieldses.org> wrote: >> > Sorry, I haven't been thinking about this, I'm probably confused, but I >> > think I was imagining an attack something like: >> > >> > - I, a rogue client, sniff some random krb5 traffic from the >> > user. >> > - That traffic includes at least one (rpc header, mic of rpc >> > header) pair. >> > - I send a CREATE call using that rpc header as the nonce data. >> > >> > ? >> >> It almost works, but remember, the server must have the security >> context to verify the MIC with, and that context will have to be tied >> to the same NFSv4 client ID (same session). > > Argh, I'm totally confused. > > Which context (inner or outer) is "the security context" in the above? Inner. The one authenticating the user. > So the server will reject my attempt above because the inner context is > associated with a different clientid than the outer context? Yes: because the inner security context is not known in ... this context (English sense of the word). > I'm not even sure what it means for a gss context to be tied to a client > ID. To a session, connection, ... Maybe I assumed too much about that? I'd have to go look at Illumos source to see if maybe I was led astray by that. It's been a while. > Maybe I'm just dense, but at a minimum I think this needs a much more > careful explanation. I agree. >> Oh, but maybe some servers have a global RPCSEC_GSS context handle? >> If so, that would be a problem. In that case the server could pick >> the nonce. Or the MIC could be taken over more content (e.g., also a >> MIC made with the client context). Just in case, this would be a good >> change to make. > > Fundamentally the (nonce, mic) pair here looks meaningless. The network > is presumably already full of (data, mic(data)) pairs using this > context, what does it prove that you can supply me with one when you get > to choose the data? There should be a bit more structure to it to prevent aliasing, and the server could be the source of the nonce (adding a round-trip) or we could add more to the message to be MICed (e.g., the client ID). Nico --
- [kitten] draft-ietf-nfsv4-rpcsec-gssv3: request f… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… J. Bruce Fields
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… J. Bruce Fields
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… J. Bruce Fields
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Nico Williams
- [kitten] rpcsec-gssv3 multi-principal authenticat… Benjamin Kaduk
- Re: [kitten] rpcsec-gssv3 multi-principal authent… Benjamin Kaduk
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Nico Williams
- Re: [kitten] rpcsec-gssv3 multi-principal authent… Adamson, Andy
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… J. Bruce Fields
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Nico Williams
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… J. Bruce Fields
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Benjamin Kaduk
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Nico Williams
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… J. Bruce Fields
- Re: [kitten] rpcsec-gssv3 multi-principal authent… Benjamin Kaduk
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Benjamin Kaduk
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Nico Williams
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Adamson, Andy
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Nico Williams
- Re: [kitten] [nfsv4] rpcsec-gssv3 multi-principal… Adamson, Andy
- Re: [kitten] [nfsv4] draft-ietf-nfsv4-rpcsec-gssv… Benjamin Kaduk