Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR
"Srinivas Cheruku" <srinivas.cheruku@gmail.com> Fri, 15 May 2009 04:07 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA29C3A6AF7 for <ietfarch-krb-wg-archive@core3.amsl.com>; Thu, 14 May 2009 21:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.482
X-Spam-Level:
X-Spam-Status: No, score=-2.482 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fb2MqF6uW5dk for <ietfarch-krb-wg-archive@core3.amsl.com>; Thu, 14 May 2009 21:07:28 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id BFA923A6A25 for <krb-wg-archive@lists.ietf.org>; Thu, 14 May 2009 21:07:28 -0700 (PDT)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.ctd.anl.gov (Postfix) with ESMTP id 4612C59; Thu, 14 May 2009 23:09:02 -0500 (CDT)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 881D65A; Thu, 14 May 2009 23:08:59 -0500 (CDT)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id 32D7B80DFF; Thu, 14 May 2009 23:08:59 -0500 (CDT)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id E5D0B80DF1 for <ietf-krb-wg@lists.anl.gov>; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Received: by mailhost.anl.gov (Postfix) id DF20553; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.ctd.anl.gov (Postfix) with ESMTP id D9C0255 for <ietf-krb-wg@anl.gov>; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id CDFFA53 for <ietf-krb-wg@anl.gov>; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id B54BD7CC114; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03394-07; Thu, 14 May 2009 23:08:56 -0500 (CDT)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay2.anl.gov (Postfix) with ESMTP id 8AD157CC0FB for <ietf-krb-wg@anl.gov>; Thu, 14 May 2009 23:08:56 -0500 (CDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: An4CAEOHDEpKfU4bkWdsb2JhbACWbT8BAQEBCQkMBw+mE4ESN48+AQMBA4JRgTAFiCI
X-IronPort-AV: E=Sophos;i="4.41,198,1241413200"; d="scan'208";a="27042772"
Received: from ey-out-2122.google.com ([74.125.78.27]) by mailgateway.anl.gov with ESMTP; 14 May 2009 23:08:55 -0500
Received: by ey-out-2122.google.com with SMTP id 9so491888eyd.19 for <ietf-krb-wg@anl.gov>; Thu, 14 May 2009 21:08:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:references :in-reply-to:subject:date:message-id:mime-version:content-type :content-transfer-encoding:x-mailer:thread-index:content-language; bh=lQLbiZrboWF1MgIQm3ak/wRQP3GDCQBAvMH1Ggt4wvc=; b=QHopOEBU2ZQ5m0NUkcVDp4tUOIpjqSfK82VV/0lE/f7PmZ6NYKLJ+A1Hcrj8tr4M7u QXLXwo4Qo2M12VJBz9pOtXf0pj/yX5sKlWrJGv+g5FSp54NJnkEek5QYvtM78fuUblrd lqcmVZJT2qG/bW4e3ofjXHgKPPYVXQHge0GO8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language; b=ehRa7rOTpGTqUOV7SKkgQdhQOeY7EIV2F1uoMdBODAwnuVZCkqYCut5dUZCCxKeeSp HS2h6bBbeUofSbG08yW7elSPfWphjrLK547PDhfocwQWfvoIcOQDq2A+y6dkuiSGte3K HkVxTH8sNRIB7iLv8hQp5cx63Tkk+ju7NBDLY=
Received: by 10.210.82.13 with SMTP id f13mr3181117ebb.72.1242360535193; Thu, 14 May 2009 21:08:55 -0700 (PDT)
Received: from vistascheruku ([122.166.4.6]) by mx.google.com with ESMTPS id 28sm1073402eyg.54.2009.05.14.21.08.52 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 14 May 2009 21:08:54 -0700 (PDT)
From: Srinivas Cheruku <srinivas.cheruku@gmail.com>
To: 'Sam Hartman' <hartmans-ietf@mit.edu>
References: <1A136DCE57F98F4B8BAB5FFC69C8E6DA21E59BDCD7@exchange.cybersafe.local> <tslskj7w8n0.fsf@mit.edu>
In-Reply-To: <tslskj7w8n0.fsf@mit.edu>
Date: Fri, 15 May 2009 09:38:45 +0530
Message-ID: <4a0cead6.1c07d00a.192b.469b@mx.google.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcnU7jAJWP4VThoQTcqcj2gUYLGL+QAIkOTQ
Content-Language: en-in
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Cc: ietf-krb-wg@anl.gov, "'krbdev@mit.edu'" <krbdev@MIT.EDU>
Subject: Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ietf-krb-wg-bounces@lists.anl.gov
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Srinivas> 2. PA-FX-COOKIE (not sure why this is required ??
Srinivas> anyway, I think MIT uses some dummy cookie)
Per discussion on the ietf-krb-wg list, a KDC confirming to the
pre-auth framework should include a cookie whenever it wants to
continue a conversation. This should becomes a must if FAST is being
used.
[Srinivas Cheruku] Yes, I understand that cookie is a must when FAST is used
to continue conversation. But why should it be included in a non-fast
initial request to KDC? Does this mean that FAST enabled KDC sends the
cookie always irrespective of the request uses FAST or not? For me, as the
request doesn't use FAST, there is no need of any cookie.
I *think* that's in the current draft, but it is definitely in
my working copy. Larry and I had some internal slowness; I'll be
publishing a new version quite shortly.
[Srinivas Cheruku] ok
Srinivas> I think it might be good to include
Srinivas> PA-ENCRYPTED-CHALLENGE also when user principal requires
Srinivas> pre-authentication.
Srinivas> This would means that fast enabled kinit can do the
Srinivas> following:
Srinivas> 1. kinit can send a non-fast request to KDC
Srinivas> 2. KDC replies with KRB-ERROR containing the above
Srinivas> pa-types along with PA-ENCRYPTED-CHALLENGE (for user
Srinivas> principals having pre-auth required set)
Srinivas> 3. kinit can check for PA-FX-FAST and
Srinivas> PA-ENCRYPTED-CHALLENGE and send a fast request
Srinivas> containing pa-enc-challenge padata.
Srinivas> 4. KDC sends tgt using FAST on successful
Srinivas> authentication
Srinivas> I know that MIT kinit doesn't support this behaviour but
Srinivas> other vendors can support this. Any advice or issues
Srinivas> you foresee?
Probably this is more of an IETF issue than an MIT issue. My concern
about doing this is that the negotiation of which fast factors are
supported would be unprotected.
[Srinivas Cheruku] yes, make sense.
Consider a client with the policy: * prefers fast with OTP, but will
fall back to FAST with encrypted challenge.
[Srinivas Cheruku] The client policy and the pre-auth to be used is not an
issue as KDC can send the respective pre-auth type e.g.
PA-ENCRYPTED-CHALLENGE or PA-OTP-CHALLENGE based on the client policy along
with PA-FX-FAST. But, I agree that the pre-auth negotiation with fast
factors would be unprotected.
I think you have a relatively weak password, so it is in my interest
to get you to fall back to encrypted challenge. I delete OTP from the
initial unprotected error.
[Srinivas Cheruku] I think you meant if a eavesdropper changes the OTP
pre-auth in unprotected KRB-ERROR with PA-ENCRYPTED-CHALLENGE? If that is
the case, though enc-challenge is received by KDC it would again ask for OTP
fast factor.
Thanks,
Srini
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR Sam Hartman
- Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR Srinivas Cheruku
- Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR Srinivas Cheruku
- Re: [Ietf-krb-wg] fast and patypes in KRB-ERROR Sam Hartman