[kitten] Verified authorization data

Peter Mogensen <apm@one.com> Wed, 11 June 2014 12:21 UTC

Return-Path: <apm@one.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557AA1B2886 for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 05:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIPyovVpweUL for <kitten@ietfa.amsl.com>; Wed, 11 Jun 2014 05:21:02 -0700 (PDT)
Received: from officesmtp1.one.com (officesmtp1.one.com [195.47.247.16]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB6B11B286D for <kitten@ietf.org>; Wed, 11 Jun 2014 05:21:01 -0700 (PDT)
Received: from [172.16.16.74] (unknown [46.30.211.29]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by officesmtp1.one.com (Postfix) with ESMTPSA id BCEB8801173A2; Wed, 11 Jun 2014 12:20:59 +0000 (UTC)
Message-ID: <539849AA.4000506@one.com>
Date: Wed, 11 Jun 2014 14:20:58 +0200
From: Peter Mogensen <apm@one.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Greg Hudson <ghudson@MIT.EDU>, "kitten@ietf.org" <kitten@ietf.org>, "krbdev@mit.edu" <krbdev@MIT.EDU>
References: <8D5F7E3237B3ED47B84CF187BB17B666118D870F@SHSMSX103.ccr.corp.intel.com> <5397328E.6020005@mit.edu>
In-Reply-To: <5397328E.6020005@mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/w9ST-bHo2RNq-mvLQgSLTb307cY
Subject: [kitten] Verified authorization data
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jun 2014 12:21:05 -0000

Hi,

Greg Hudson summes up the situation fine here. I feel the urge to 
comment. (below)

On 2014-06-10 18:30, Greg Hudson wrote:
> In the Kerberos 5 authdata model, the KDC is assumed to blindly pass
> through authdata requested by the client.  If the authdata is to be
> trusted by the target service as something vetted by the KDC, it needs
> to be packaged accordingly.
>
> The traditional method for doing this is a container called
> AD-KDC-ISSUED which contains a checksum for the authdata in a key which
> cannot be known (in advance) by the client.  This container has not seen
> much practical use, and it turns out that RFC 4120 says conflicting
> things about which key to use for the checksum.  To the extent that
> there are implementations, they use the ticket session key.
>
> A more recent container for this purpose is AD-CAMMAC, as specified in:
>
>      http://tools.ietf.org/html/draft-ietf-krb-wg-cammac-01
>
> In addition to not having key ambiguity issues, AD-CAMMAC also contains
> a KDC verifier which allows the authdata to be propagated through an
> S4U2Proxy request.


I did some work to implement RFC6806 AD-LOGIN-ALIAS which requires 
AD-KDC-ISSUED and noticed the ambiguity in RFC4120 regarding which key 
to use for the checksum.
I also noticed that AD-CAMMAC explicitly uses the service-key (and not 
the ticket session key) to do the same.
... and that to embed a ~10 bytes username in a ticket as AD-LOGIN-ALIAS 
I end up increasing the ticket size with about 110 bytes. - which is a 
rather significant increase if you are worried about ticket sizes.

So, I wonder... is this really the optimal way to extend a ticket with 
verified information?
If I just wanted to verify the login-alias to the service it seems like 
a waste of ~100 bytes to checksum it with the service-key (like RFC4120 
also states). If it wasn't for the authdata-model Greg describes above, 
where the DC is assumed to blindly pass through authdata requested by 
the client, then no checksum would have been needed. The ticket it self 
would protect the integrity of the field. (and saving ~100 bytes ticket 
size).

It seems to me that a lot of complexity in verifying authdata originates 
from this authdata model where the client can put anything it likes in 
the authorization-data. This is of course useful for negative 
authorization, but makes things complicated for positive authorization 
data. (like simple info the KDC just want to assert to the service, like 
AD-LOGIN-ALIAS)

The solution in AD-CAMMAC seems very complex too, requiring effectively 
calculating the entire EncTicketPart twice - and once for every present 
AD-CAMMAC present.

Things would have been much simpler if there were an authdata field in a 
ticket outside of the clients control. Now, - I know - there's probably 
very good reasons why extending the EncTicketPart and Ticket definitions 
is difficult, but...

In an ideal world, maybe something like:

EncTicketPart   ::= [APPLICATION 3] SEQUENCE {
         flags                   [0] TicketFlags,
         key                     [1] EncryptionKey,
         crealm                  [2] Realm,
         cname                   [3] PrincipalName,
         transited               [4] TransitedEncoding,
         authtime                [5] KerberosTime,
         starttime               [6] KerberosTime OPTIONAL,
         endtime                 [7] KerberosTime,
         renew-till              [8] KerberosTime OPTIONAL,
         caddr                   [9] HostAddresses OPTIONAL,
         authorization-data      [10] AuthorizationData OPTIONAL
         protected-authdata      [11] AuthorizationData OPTIONAL
}

Where the client can't add to "protected-authdata".
This would make the AD-KDC-ISSUED and svc-verifier of AD-CAMMAC redundant.

( It would also relieve the clients from having to verify every 
AD-KDC-ISSUED element in order to find the one it's interested in - of 
course, this is an API artifact of libkrb5's 
krb5_verify_authdata_kdc_issued(). )

And then:

Ticket          ::= [APPLICATION 1] SEQUENCE {
         tkt-vno         [0] INTEGER (5),
         realm           [1] Realm,
         sname           [2] PrincipalName,
         enc-part        [3] EncryptedData -- EncTicketPart
         kdc-verifier    [4] Verifier-MAC OPTIONAL,
}

Which would solve the S4U2proxy use case mentioned where the KDC needs 
to protect the Ticket from tampering by the service.
Of course this changes some of the binding semantics of the current 
AD-CAMMAC draft. Specically this now binds all authdata together with 
one checksum. But the kdc-verifier cannot be verified without the Ticket 
anyway.

This would also make the need for a special AD-CAMMAC limited to 
providing for "other-verifiers"

I realize that it's non-trivial to extend these ASN.1 definitions, but 
something similar was suggested in draft-ietf-krb-wg-ticket-extensions

To do the above example there will also have to be API-changes. Like 
krb5_find_authdata() needs to know about this.
But it seems AD-CAMMAC will require minor API changes too, since it uses 
the service-key and not the session-key like implementations of 
AD-KDC-ISSUED (as Greg mentioned). Using the session-key is a lot easier 
for client verification. Using the service-key would probably need 
krb5_rd_req() to verify AD-CAMMAC to avoid the application having to 
look up its service-key independently .

So maybe it's worth investigating if there's anyway to provide 
verified/signed AD-DATA in a simpler way, requiring smaller tickets and 
less computation when signing/verifying.

I hope these thoughts are not so naive that the answer is that it will 
require a new protocol version or a new tkt-vno... ;-)

/Peter