IETF Logo Mail Archive

Re: [kitten] rpcsec-gssv3 multi-principal authentication

Benjamin Kaduk <kaduk@MIT.EDU> Tue, 02 September 2014 17:13 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA68E1A0700; Tue, 2 Sep 2014 10:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.169
X-Spam-Level:
X-Spam-Status: No, score=-2.169 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9N9-bo68ov7; Tue, 2 Sep 2014 10:13:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 609861A068E; Tue, 2 Sep 2014 10:13:11 -0700 (PDT)
X-AuditID: 12074424-f79346d000004923-58-5405faa6046d
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 29.23.18723.6AAF5045; Tue, 2 Sep 2014 13:13:10 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s82HD9Tk012808; Tue, 2 Sep 2014 13:13:09 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s82HD7T8016465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 2 Sep 2014 13:13:08 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id s82HD64C025044; Tue, 2 Sep 2014 13:13:06 -0400 (EDT)
Date: Tue, 02 Sep 2014 13:13:06 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: "Adamson, Andy" <William.Adamson@netapp.com>
In-Reply-To: <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu>
Message-ID: <alpine.GSO.1.10.1409021306240.21571@multics.mit.edu>
References: <DC941FEB-725A-49E1-8C38-FF765454827C@netapp.com> <20140730163006.GG26316@fieldses.org> <alpine.GSO.1.10.1407311902230.21571@multics.mit.edu> <9BF7E3EA-59DB-4B91-A27A-659790AED727@netapp.com> <alpine.GSO.1.10.1408030153400.21571@multics.mit.edu> <alpine.GSO.1.10.1408201123060.21571@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-67061960-1409677986=:21571"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprCKsWRmVeSWpSXmKPExsUixCmqrLvsF2uIwZ2lIhZHN69isZj9/hGr xfRFVg7MHkuW/GTymPHpC1sAUxSXTUpqTmZZapG+XQJXxtoz/SwFx2UrLt9az9rAuE68i5GT Q0LAROJFxz5mCFtM4sK99WxdjFwcQgKzmST2L/7JBOFsYJTYufMeVOYgk8SmpQeAWjiAnHqJ NVtrQLpZBLQk/u9azgRiswmoSMx8s5ENpEREwEBi41JVkDCzgL1Ez65XbCC2sICFxMNpi8AW cwo4Sbxt/MoCYvMKOErs77zBDrFqJ5PE5udfGEESogI6Eqv3T4EqEpQ4OfMJC8RQf4lPk38w T2AUnIUkNQtJCsJWlzjw6SIjhK0tcf9mG9sCRpZVjLIpuVW6uYmZOcWpybrFyYl5ealFuuZ6 uZkleqkppZsYQQHO7qKyg7H5kNIhRgEORiUeXokfLCFCrIllxZW5hxglOZiURHnL3rGGCPEl 5adUZiQWZ8QXleakFh9ilOBgVhLhdf4KlONNSaysSi3Kh0lJc7AoifO+tbYKFhJITyxJzU5N LUgtgsnKcHAoSfBO+gnUKFiUmp5akZaZU4KQZuLgBBnOAzT8BEgNb3FBYm5xZjpE/hSjLse6 zm/9TEIsefl5qVLivBwgRQIgRRmleXBzYInpFaM40FvCvFdAqniASQ1u0iugJUxAS9xywJaU JCKkpBoYN6/rbqibvGBit+m3L0UNDdpuf9eFdG346uriK6wq/f/pc2azBwVJOkUijRFFvSXX nkd5/n+ZkiN5PXjxyi87pm1v6P64oPYl54treU4z9fbuaOUoVihjjPqkorxH/GSoRG7oGfY3 iT0fDBS+hYa4nvwTMEmTq+VecmLM//r/9bUdAm6XPfYosRRnJBpqMRcVJwIAJ7qPUicDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/yOMUt3jLHXbpcXrXyxinvzH-K8I
Cc: "kitten@ietf.org" <kitten@ietf.org>, NFSv4 <nfsv4@ietf.org>
Subject: Re: [kitten] rpcsec-gssv3 multi-principal authentication
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Sep 2014 17:13:21 -0000

It would be nice if someone could confirm or contradict my conclusion that
the triple of (opaque inner handle, nonce, mic) is a bearer token for
performing multi-principal authentication.

-Ben

On Wed, 20 Aug 2014, Benjamin Kaduk wrote:

> I'm starting a new thread for this, since I think it is the most important
> item revealed by my review, but it seems to have been lost amidst the
> other discussions.
>
> On Sun, 3 Aug 2014, Benjamin Kaduk wrote:
>
> > On Fri, 1 Aug 2014, Adamson, Andy wrote:
> >
> > >
> > > I have always thought of Multi-principal authentication in terms of it’s use
> > > in NFSv4.2 Inter server to server copy, where all of the RPCSEC_GSS_CREATE
> > > messages MUST use rpc_gss_svc_privacy’…. Good catch Bruce.
> > >
> > > So for this attack to occur the rgmp_nonce must be re-used by the same
> > > rgmp_handle (same user-principal). Insisting on using a random number
> > > generator to create nounce could be by-passed by a bad implementation...
> > >
> > > Bruces suggestion of using the new reply verifier data (rpc-header) should
> > > do the trick. Any objections to this approach?
>
> I don't think I correctly understand this proposal.  Can someone try to
> explain it in more detail, please?
>
> > If I understand correctly, the child RPCSEC contex handle will use the same
> > GSS context as the parent RPCSEC context handle (i.e., using the host's
> > credentials, not the user's credentials).  This means that when creating the
> > child RPCSEC context, there must be some proof that the RPC client controls
> > the GSS context corresponding to the inner RPCSEC context handle, since the
> > child RPCSEC context will perform operations acting as the user specified by
> > the GSS context of the inner RPCSEC context.
> >
> > My reading of the current draft is that the only attempt to do this is by
> > presenting a random nonce and a GSS_GetMIC of that nonce, created using the
> > GSS context of the inner RPCSEC context.  The server must verify that the MIC
> > is a valid mic, but I do not see any other binding to this GSS context.  In
> > particular, the nonce+MIC could be eavesdropped on the wire, and inserted into
> > an attacker's RPCSEC_GSS_CREATE call, where the attacker provides its own
> > parent RPCSEC context but does not actually have an inner context at all.  The
> > attacker can reuse the valid nonce+MIC that it has intercepted, which will
> > validate correctly on the server, and the server will issue a child RPCSEC
> > context that acts as the user indicated by the GSS context of the inner RPCSEC
> > context but uses the key material from the attacker's GSS context.
>
> Basically, my reading is that the triple of (opaque inner handle, nonce,
> mic) is a bearer token that is valid as long as the inner rpcsec context
> is valid, as specified in the -08.  The inner handle is only used to
> lookup the GSS security context to use to verify the MIC of the nonce, so
> if all three are passed together, there is no binding to anything else
> that I can see.
>
> An attacker who gets a copy of this bearer token could then use it to
> create its own child context from a parent context that the attacker
> controls, and perform actions as the user corresponding to the GSS
> security context of the inner context handle.
>
> -Ben

v2.29.0 | Report a Bug | By Email | System Status