IETF Logo Mail Archive

Re: [kitten] Kerberos preauth negotiation techniques

Nathaniel McCallum <npmccallum@redhat.com> Mon, 23 February 2015 20:13 UTC

Return-Path: <npmccallum@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF1161A6F03 for <kitten@ietfa.amsl.com>; Mon, 23 Feb 2015 12:13:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.211
X-Spam-Level:
X-Spam-Status: No, score=-3.211 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8DMZKdvA84h for <kitten@ietfa.amsl.com>; Mon, 23 Feb 2015 12:13:48 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 942A21A3BA6 for <kitten@ietf.org>; Mon, 23 Feb 2015 12:13:48 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t1NKDj2f012060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 23 Feb 2015 15:13:45 -0500
Received: from vpn-59-5.rdu2.redhat.com (vpn-59-5.rdu2.redhat.com [10.10.59.5]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t1NKDioY029026 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO); Mon, 23 Feb 2015 15:13:45 -0500
Message-ID: <1424722422.2604.77.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Nico Williams <nico@cryptonector.com>
Date: Mon, 23 Feb 2015 15:13:42 -0500
In-Reply-To: <20150218204339.GR5246@localhost>
References: <x7da90k47ox.fsf@equal-rites.mit.edu> <1424189675.2645.23.camel@redhat.com> <54E4F31D.5080103@mit.edu> <20150218204339.GR5246@localhost>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/zLkvA0Nh7M88K2Mugq-Sqm8BTk4>
Cc: kitten@ietf.org
Subject: Re: [kitten] Kerberos preauth negotiation techniques
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2015 20:13:51 -0000

On Wed, 2015-02-18 at 14:43 -0600, Nico Williams wrote:
> On Wed, Feb 18, 2015 at 03:16:29PM -0500, Greg Hudson wrote:
> > On 02/17/2015 11:14 AM, Nathaniel McCallum wrote:
> > > 1 and 3 are also compatible workflows. In 3, the first AS-REQ is 
> > > exactly the same padata as the second AS-REQ in 1. That is to 
> > > say, 3 is an optimization of 1 where the first round-trip of 1, 
> > > which includes no meaningful data, is simply not used. Put 
> > > another way, 3 is just 1 with optimistic preauth.
> > 
> > That's an interesting way of looking at things.  It means we 
> > wouldn't have to amend RFC 6113, although we might be bending it a 
> > bit.  Here are some considerations, which all seem manageable:
> > 
> > * Traditionally, optimistic preauth is only done with some prior
> > knowledge of what the KDC wants (see RFC 6113 section 2.3 
> > paragraph 1).
> >  To get down to two round trips in the common case, an AS client  
> > needs
> > to do optimistic PA-PAKE by default.
> 
> When the client has only one pre-auth it's willing to do then it can 
> be optimistic.  That doesn't seem terribly likely in many cases, but 
> for environments where 2fa is used for protecting some resources and 
> not others, then it could be clear at AS-REQ time that the client 
> only wants to do 2fa.
> 
> Clients can also tell -sometimes- when they have credentials for 
> PKINIT.  And they can learn and cache -or have configured- whether a 
> realm's KDCs support FAST for protecting PA-ENC-TIMESTAMP, and so 
> on. It may not be such a stretch that a client will have just one 
> pre-auth method that it's willing to use in some cases.
> 
> > * Of course PA-PAKE would need to be specified such that the first
> > client message requires no knowledge from the KDC.  This is pretty 
> > simple; the first client message can be defined to contain only 
> > sub-negotiation parameters.
> 
> Yea, we're already there as to this proposal.
> 
> > * Most KDC implementations will ignore the client's PA-PAKE padata 
> > if
> > they don't implement it, and respond with PREAUTH_REQUIRED with 
> > METHOD-DATA.  Some older KDCs (like MIT krb5 pre-1.7) will instead 
> > respond with PREAUTH_FAILED.  Clients already need to deal with 
> > this behavior if they implement RFC 6112 encrypted padata 
> > negotiation or any similar extension, so this is not really a 
> > concern.
> 
> Good point.
> 
> > * An optimistic PA-PAKE message should be cheap to compute (it's 
> > just
> > parameters), but is still wasted bytes if the exchange winds up 
> > settling on a different mechanism or not using preauth at all.  
> > The more compactly we can represent client parameters, the less 
> > bandwidth we will waste and the fewer problems we will have with 
> > AS-REQs exceeding UDP limitations.
> 
> We can greatly "compress" it by using bit sets (which could be 
> compressed if there are many contiguous zero bits in the bit string).
> 
> The trade-off is requiring a registry.  For PAKEs and groups, an OID 
> would do just fine, or we could use an existing (or upcoming) 
> registry.
> 
> A middle of the road proposal would be to use a bit set for 
> registered PAKEs and groups and an optional set (sequence) of OIDs 
> for all others.
> 
> But all this to save a bit of space?  Before we go there we should 
> determine that this really is a problem we need to address.

On the call last week there was a general consensus to move forward 
with SPAKE2 and not make PAKEs negotiable. SPAKE2 has all the 
properties we care about. It:
* has a formal security proof that is well regarded
* takes only a single roundtrip
* supports elliptic curves
* has wide deployment (via Chromium/Chrome)

We also had a general consensus that there is no need to negotiate 
hashes. There are three hash uses:
1. Transcript for message integrity
2. Key derivation
3. Key validation

For #1, we can just use the checksum method implicit in the enctype.

For #2, we can just use a KDF.

For #3, Greg had an idea, but I've since forgotten it and can't find 
it in my email. Greg, perhaps you can remind me?

Enctype negotiation is implicit from the existing exchange. This 
leaves only groups and second factors.

We also discussed making group negotiation have a note in the RFC 
about being careful regarding the number of groups exposed. I suspect 
sensible defaults will be:
* P-256
* P-384
* P-521
* Curve25519

OpenSSL does not support Curve25519 (yet) so it won't be offered in my 
implementation.

One reason I don't think it will be a problem is that no other data is 
sent in the group negotiation packet from the client to the server. 
The response from the server will contain just one group OID along 
with the public key and the 2FA negotiation parameters.

I suggest an empirical approach here. I'll be developing the RFC in 
parallel with the application itself. If we see this becoming a 
problem, we can address it at that time. I am open even to bit set 
negotiation if space becomes a serious concern. I would simply like to 
avoid a registry if it is not needed.

> > * Can a client optimistically preauthenticate with multiple > > mechanisms?
> >  RFC 6113 doesn't really say either way.  Without going into 
> > detail on
> > the arguments pro and con:
> 
> A separate update to RFC6113 about this would be nice.
> 
> >   - If we assume no, then a client which does optimistic PA-PAKE by
> > default can't do the same thing with any other mechanism.  This 
> > could be a reasonable choice; the client implementation could 
> > always choose to drop back to three round trips for PA-PAKE if it 
> > wants to do optimistic PA-FUTURE-AWESOME by default in the future.
> 
> Well...  See above.  Also, a client could be somewhat abusive and 
> send N single-preauth AS-REQs concurrently, hoping one of them will 
> succeed.
> 
> >   - If we assume yes, then a client which does optimistic PA-PAKE 
> > is
> > still privileging that mechanism by choosing to spend bandwith on 
> > it before it is negotiated.  But it wouldn't necessarily have to 
> > exclude other mechanisms from doing the same thing.
> 
> Yes, but hopefully the client knows from context that it will need 
> this PA method.

v2.23.0 | Report a Bug | By Email