Re: [kitten] Verified authorization data
Simo Sorce <simo@redhat.com> Thu, 12 June 2014 12:47 UTC
On Thu, 2014-06-12 at 09:12 +0200, Peter Mogensen wrote:
> On 2014-06-11 19:08, Simo Sorce wrote:
> >> Still... the whole EncTicketPart has to be constructed and DER-encoded
> >> twice to add a kdc-verifier.
> >
> > That is done to bind the CAMMAC to a specific ticket, it is an
> > additional protection that you probably want for your use case too.
>
> Sure... any solution to the S4U2proxy use case would require protecting
> the ticket and attached authdata, which the KDC has to trust against
> service tampering.

Sorry, no, the binding to the specific ticket is not a requirement for
s4u2proxy. The only requirement there is the KDC MAC, which could be done
the same way as the SVC MAC.

> As the cammac draft says:
> "...assuring the KDC that a malicious service has not substituted a
> mismatched CAMMAC received from another ticket."
>
> But if the kdc-verifier was placed outside the EncTicketPart, then that
> would also provide that protection and not require computing the ticket
> twice - right?

Exactly. The computing of EncTicketPart is used to bind the CAMMAC to a
specific TGT; it is an additional feature that basically allows you to bind
service tickets back to the original TGT and back to the original AS Request
(assuming you keep track of that information via some sort of auditing logs
and perhaps a new AD with a session number).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
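The substitution the quoted draft text warns about, as an added example that is not part of the thread, the CAMMAC draft, or any Kerberos implementation: a simplified model in which JSON stands in for DER, HMAC-SHA256 stands in for the Kerberos checksum, the key and ticket contents are constructed, and a kdc-verifier computed over the authdata elements alone is compared with one computed over the whole ticket body (which is why the body has to be encoded twice).

```python
import copy
import hashlib
import hmac
import json

# Constructed key for this example only; it stands in for the KDC long-term
# key under which the kdc-verifier would be computed.
KDC_KEY = b"constructed-kdc-long-term-key"

def encode(obj):
    # Stand-in for DER: any canonical, deterministic encoding works here.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_ticket(cname, elements):
    """KDC side. The bound verifier covers the whole ticket body with the
    verifier field itself left empty, so the body is encoded once to compute
    it and again afterwards (the "encoded twice" cost from the thread). The
    unbound verifier covers the authdata elements alone."""
    container = {"elements": elements,
                 "unbound": mac(KDC_KEY, encode(elements)),
                 "bound": None}
    body = {"cname": cname, "authdata": container}
    container["bound"] = mac(KDC_KEY, encode(body))
    return body

def check_unbound(body):
    """KDC side on a later request: verifier over the elements only."""
    c = body["authdata"]
    return hmac.compare_digest(c["unbound"], mac(KDC_KEY, encode(c["elements"])))

def check_bound(body):
    """KDC side on a later request: verifier over the whole ticket body."""
    check = copy.deepcopy(body)
    claimed = check["authdata"]["bound"]
    check["authdata"]["bound"] = None
    return hmac.compare_digest(claimed, mac(KDC_KEY, encode(check)))

def transplant_scenario():
    """A service holding two tickets moves bob's authdata container, valid
    verifiers included, into alice's ticket and presents it to the KDC.
    Returns (unbound check, bound check) for the genuine and tampered tickets."""
    alice = issue_ticket("alice", {"group": "users"})
    bob = issue_ticket("bob", {"group": "admins"})
    tampered = copy.deepcopy(alice)
    tampered["authdata"] = copy.deepcopy(bob["authdata"])
    return {"genuine": (check_unbound(alice), check_bound(alice)),
            "tampered": (check_unbound(tampered), check_bound(tampered))}
```

The elements-only verifier still validates on the tampered ticket, because the transplanted container carries its own correct MAC; only the verifier bound to the ticket body detects the swap.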