IETF Logo Mail Archive

Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04

Nico Williams <nico@cryptonector.com> Mon, 11 March 2019 18:57 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF531311B6 for <kitten@ietfa.amsl.com>; Mon, 11 Mar 2019 11:57:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UT5gZAi312wo for <kitten@ietfa.amsl.com>; Mon, 11 Mar 2019 11:57:19 -0700 (PDT)
Received: from catfish.maple.relay.mailchannels.net (catfish.maple.relay.mailchannels.net [23.83.214.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3658E13118F for <kitten@ietf.org>; Mon, 11 Mar 2019 11:57:13 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id E5C035C4B41; Mon, 11 Mar 2019 18:57:11 +0000 (UTC)
Received: from pdx1-sub0-mail-a24.g.dreamhost.com (unknown [100.96.24.101]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 44FDC5C4707; Mon, 11 Mar 2019 18:57:11 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a24.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.3); Mon, 11 Mar 2019 18:57:11 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Wide-Eyed-Imminent: 591f2a8752cd0a35_1552330631586_2118978103
X-MC-Loop-Signature: 1552330631586:1994553067
X-MC-Ingress-Time: 1552330631585
Received: from pdx1-sub0-mail-a24.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a24.g.dreamhost.com (Postfix) with ESMTP id D72107EF7D; Mon, 11 Mar 2019 11:57:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=eI45+7J2vADayR wrLwTqbYfdVBk=; b=xQOleXGDcIiyKUYcoN9R0+0QpNR497oMNTnFGFRF4I4E4R z0zbJ1UJhfZxrgdHCASwi5HjBuSjW56O/lcHs7bPFKIHtV4jdzqPB/cD2p+5jzN2 Sp6mPcD7GinZcYY70RJFiMxECvPb9hqtAe7ykYPztYp2bIET6avClIFAsEfe4=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a24.g.dreamhost.com (Postfix) with ESMTPSA id 00E207EF6C; Mon, 11 Mar 2019 11:57:09 -0700 (PDT)
Date: Mon, 11 Mar 2019 13:57:07 -0500
X-DH-BACKEND: pdx1-sub0-mail-a24
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20190311185706.GD4211@localhost>
References: <tslbm38vl8h.fsf@suchdamage.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <tslbm38vl8h.fsf@suchdamage.org>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedutddrgeeigdduvddvucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepfffhvffukfhfgggtuggjfgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/whfsHwfFEYxdgvLsEewMkJzmxfc>
Subject: Re: [kitten] Review of draft-ietf-kitten-channel-bound-flag-04
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Mar 2019 18:57:30 -0000

On Mon, Feb 18, 2019 at 04:29:34PM -0500, Sam Hartman wrote:
> I've reviewed this document at the request of one of the authors, and
> here are my comments:

Thanks.

> This draft is based on the premis that the GSS-API channel binding
> behavior is flawed and that  there's a security problem associated with
> not knowing if channel bindings are validated.

It's only flawed if you'd like to start using CB in applications that
lack a negotiation for it.  Modifying application protocols is
non-trivial.

> I've heard this argument over the years, but never been convinced of it,
> and unfortunately, this draft is filled with assertions of that fact
> without any rationale.

In GSS it is generally the case that all features are optional and one
finds out what one actually gets by looking at the ret_flags from
context establishment, but CB status is not indicated this way.  This
seems like at least an inconsistency.

Perhaps we can rephrase this?

> At one level it doesn't matter much.  I absolutely agree that a facility
> for knowing if channel bindings are validated would be incredibly useful
> and would simplify application design.

Yes.

> However, by jumping to the conclusion that we're fixing a flaw, I think
> we approach interoperability and operational aspects with inadequate
> thought.  I think we discard some of the options too early.
>
> My past experience is that when we take short cuts like that, we find
> ourselves frustrated later when we discover things we overlooked.
> 
> As I write this up, I'm realizing that the draft authors seem to be
> making an assumption that  there are applications in the wild that pass
> in channel bindings to the initiator but not the acceptor or vise
> versa.  The only such application I'm aware of is gss ftp, which passed
> IP address channel bindings into the acceptor and optionally initiator.
> It would help me evaluate whether there is a security problem to
> understand these applications better.
> I note that SASL is not such an application.

I believe IWA is such an application...

> I think the current draft has several shortcomings:
> 
> * I think that it inaccurately describes what RFC 2743 says and so it
> does not call out backward incompatible changes.

There should be no backwards-incompatible changes.

I am open to re-designing this extension.

One alternative way to do what we're trying to do:

 - add TWO new, mutually-exclusive ret_flags and NO new req_flags

   GSS_C_CHANNEL_BOUND_FLAG
   GSS_C_CHANNEL_NOT_BOUND_FLAG

 - newer GSS implementations will set ONE of those ret_flags when the
   application provided channel bindings data

This is simpler as we then don't need to add a context creation
function.

Or we could add a GSS_Inquire_context_channel_binding() to indicate CB
status.

> * I think that it inaccurately describes what current implementations
>   do.
> 
> * I think that more consideration needs to be given to situations where
> one side supports the channel bound flag and the other does not and what
> if any signaling changes are required.

We might want to extend the Kebreros mechanism to provide signalling
about this from the acceptor to the initiator.

That could be done in a separate I-D.

> * I think it does not consider behavior when mutual authentication is
> not requested.

In that case the acceptor could not signal CB status to the initiator,
not via a context token, though the application still could if it was
necessary.

> * I'm concerned that in thinking about channel binding we have not given
> adequate thought to how channel binding interacts with proxies, reverse
> proxies and the like.  I'm concerned that this draft makes that
> situation worse, and so I'd recommend exploring that at least enough to
> understand whether I'm right.

As long as we provide a way to discover that CB failed, but continue
context establishment, we are making things better, not worse.

Presumably the operator of an MITM proxy would not want to permit
application-layer cryptographic session protection if the proxy cannot
MITM that.

(Most of the web is trending towards bearer tokens with no CB (and no
proof of possession, by definition), so your concern might not be
relevant to the web, but things could change, thus making your concern
relevant again.  :)

> * Please get review from multiple implementors before standardizing the
> create_context stuff.  In particular, do you want to take inputs like a
> credential and/or a flag indicating the context is for initiation or
> acceptor.  If yo,u've gotten review including from folks like Luke and
> they are happy, then this is great.  It seems good for API users at
> least.

Sure.  As it happens the authors include maintainers or contributors to
two of the most common GSS C implementations.

I'll seek Luke's input.

Nico
--

v2.23.0 | Report a Bug | By Email