Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR
"Srinivas Cheruku" <srinivas.cheruku@gmail.com> Fri, 15 May 2009 04:07 UTC
From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
To: 'Sam Hartman' <hartmans-ietf@mit.edu>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDCD7@exchange.cybersafe.local> <tslskj7w8n0.fsf@mit.edu>
In-Reply-To: <tslskj7w8n0.fsf@mit.edu>
Date: Fri, 15 May 2009 09:38:45 +0530
Message-ID: <4a0cead6.1c07d00a.192b.469b@mx.google.com>
Cc: ietf-krb-wg@anl.gov, "'krbdev@mit.edu'" <krbdev@MIT.EDU>
Subject: Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
Srinivas> 2. PA-FX-COOKIE (not sure why this is required ??
Srinivas> anyway, I think MIT uses some dummy cookie)

Per discussion on the ietf-krb-wg list, a KDC conforming to the pre-auth framework should include a cookie whenever it wants to continue a conversation. This should become a must if FAST is being used.

[Srinivas Cheruku] Yes, I understand that the cookie is a must when FAST is used to continue the conversation. But why should it be included in a non-FAST initial request to the KDC? Does this mean that a FAST-enabled KDC always sends the cookie irrespective of whether the request uses FAST or not? For me, as the request doesn't use FAST, there is no need for any cookie.

I *think* that's in the current draft, but it is definitely in my working copy. Larry and I had some internal slowness; I'll be publishing a new version quite shortly.

[Srinivas Cheruku] ok

Srinivas> I think it might be good to include
Srinivas> PA-ENCRYPTED-CHALLENGE also when user principal requires
Srinivas> pre-authentication.
Srinivas> This would mean that fast enabled kinit can do the
Srinivas> following:
Srinivas> 1. kinit can send a non-fast request to KDC
Srinivas> 2. KDC replies with KRB-ERROR containing the above
Srinivas> pa-types along with PA-ENCRYPTED-CHALLENGE (for user
Srinivas> principals having pre-auth required set)
Srinivas> 3. kinit can check for PA-FX-FAST and
Srinivas> PA-ENCRYPTED-CHALLENGE and send a fast request
Srinivas> containing pa-enc-challenge padata.
Srinivas> 4. KDC sends tgt using FAST on successful
Srinivas> authentication
Srinivas> I know that MIT kinit doesn't support this behaviour but
Srinivas> other vendors can support this. Any advice or issues
Srinivas> you foresee?

Probably this is more of an IETF issue than an MIT issue. My concern about doing this is that the negotiation of which fast factors are supported would be unprotected.

[Srinivas Cheruku] Yes, makes sense.

Consider a client with the policy:

* prefers fast with OTP, but will fall back to FAST with encrypted challenge.

[Srinivas Cheruku] The client policy and the pre-auth to be used are not an issue, as the KDC can send the respective pre-auth type, e.g. PA-ENCRYPTED-CHALLENGE or PA-OTP-CHALLENGE, based on the client policy along with PA-FX-FAST. But I agree that the pre-auth negotiation with FAST factors would be unprotected.

I think you have a relatively weak password, so it is in my interest to get you to fall back to encrypted challenge. I delete OTP from the initial unprotected error.

[Srinivas Cheruku] I think you meant if an eavesdropper replaces the OTP pre-auth in the unprotected KRB-ERROR with PA-ENCRYPTED-CHALLENGE? If that is the case, though the enc-challenge is received by the KDC, it would again ask for the OTP FAST factor.

Thanks,
Srini

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
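As an added illustration of the exchange argued over in this message (not part of the thread, and not MIT or any vendor's code), the following Python model plays the FAST pre-auth negotiation at the level of pa-type names only. The Kdc and Client classes, the trust_unprotected_list switch and the string pa-type labels are assumptions made for the model; real Kerberos messages are ASN.1 with numeric pa-type codes, and FAST armor and the actual challenge cryptography are not modelled. Only the first KRB-ERROR is treated as unprotected; every later reply is assumed to travel inside the FAST tunnel, where it cannot be altered. The four scenarios map to the honest run, the downgrade Sam describes against a KDC that accepts either factor, Srinivas's reply that a KDC whose policy requires OTP simply asks for OTP again, and, going slightly beyond the thread, a client that lets only the protected list steer its choice of factor.

```python
# Added example: toy model of unprotected FAST factor negotiation (not thread code).
from dataclasses import dataclass

# Stand-in pa-type labels; real Kerberos carries numeric pa-type codes.
PA_FX_FAST = "PA-FX-FAST"
PA_FX_COOKIE = "PA-FX-COOKIE"
PA_ENCRYPTED_CHALLENGE = "PA-ENCRYPTED-CHALLENGE"
PA_OTP_CHALLENGE = "PA-OTP-CHALLENGE"


@dataclass
class KrbError:
    """Constructed stand-in for the KRB-ERROR a KDC returns before pre-auth succeeds."""
    padata: list              # advertised pa-types
    protected: bool = False   # True once the reply travels inside FAST armor


@dataclass
class Kdc:
    """Hypothetical KDC; per-principal policy is the list of accepted factors."""
    accepted_factors: list

    def initial_error(self):
        # Unprotected KRB-ERROR advertising FAST, a cookie and every accepted factor
        return KrbError([PA_FX_FAST, PA_FX_COOKIE] + list(self.accepted_factors))

    def handle_fast_request(self, factor):
        # Inside the FAST tunnel: accept a permitted factor, otherwise ask again
        if factor in self.accepted_factors:
            return ("AS-REP", factor)
        again = [PA_FX_FAST, PA_FX_COOKIE] + list(self.accepted_factors)
        return ("KRB-ERROR", KrbError(again, protected=True))


@dataclass
class Client:
    """Hypothetical client; preference lists factors best-first."""
    preference: list
    trust_unprotected_list: bool = True   # hypothetical switch for the model

    def choose_factor(self, err):
        if PA_FX_FAST not in err.padata:
            return None   # this toy client only does FAST
        # A client that ignores the unprotected list just sends its top preference
        if err.protected or self.trust_unprotected_list:
            candidates = err.padata
        else:
            candidates = self.preference
        for factor in self.preference:
            if factor in candidates:
                return factor
        return None


def downgrade(err):
    """Model of the on-path change discussed in the thread: the OTP offer is
    removed from the unprotected error and only encrypted challenge remains."""
    padata = [p for p in err.padata if p != PA_OTP_CHALLENGE]
    if PA_ENCRYPTED_CHALLENGE not in padata:
        padata.append(PA_ENCRYPTED_CHALLENGE)
    return KrbError(padata, err.protected)


def run_exchange(kdc, client, tamper=False, max_rounds=3):
    """Return (outcome, factor_used, rounds). Only the first reply is
    unprotected; later replies are inside FAST armor and cannot be altered."""
    err = kdc.initial_error()
    if tamper:
        err = downgrade(err)
    for rounds in range(1, max_rounds + 1):
        factor = client.choose_factor(err)
        if factor is None:
            return ("FAIL", None, rounds)
        kind, payload = kdc.handle_fast_request(factor)
        if kind == "AS-REP":
            return ("AS-REP", payload, rounds)
        err = payload   # protected KRB-ERROR: retry with the KDC's real list
    return ("FAIL", None, max_rounds)


def scenarios():
    """Constructed scenarios covering both positions taken in the thread."""
    naive = Client([PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE])
    pinned = Client([PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE],
                    trust_unprotected_list=False)
    permissive = Kdc([PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE])  # either factor ok
    strict = Kdc([PA_OTP_CHALLENGE])                              # OTP required
    return {
        "honest": run_exchange(permissive, naive),
        "downgraded": run_exchange(permissive, naive, tamper=True),
        "kdc_reasks_otp": run_exchange(strict, naive, tamper=True),
        "client_pins_otp": run_exchange(permissive, pinned, tamper=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16s} -> {result}")
```

The "downgraded" run is the case Sam's message is about: the KDC's policy allows either factor, the client honours the altered list, and the exchange completes on encrypted challenge without either side noticing. The "kdc_reasks_otp" run is Srinivas's answer: when KDC policy requires OTP, the first FAST request is refused and the protected second error steers the client back to OTP. The "client_pins_otp" run shows the general point behind the concern: factor selection is only safe when it is driven by a list received inside FAST armor.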