[Ietf-krb-wg] PKINIT with smart-cards
Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> Mon, 09 May 2011 22:04 UTC
Date: Mon, 09 May 2011 18:14:00 +0200
Message-ID: <BANLkTinontbmJ1JQB0ZQoMt7K=F-tR_XAQ@mail.gmail.com>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: ietf-krb-wg@lists.anl.gov
Hello,

I've been thinking of an attack relating to public-key Kerberos with smart cards, and I'd appreciate it if anyone could verify that what is described is not due to my misunderstanding of the protocol.

The legitimate owner is equipped with a smart card containing an RSA private key and a certificate that restricts it to signing (meaning Diffie-Hellman PKINIT will be used).

Two scenarios illustrating the same impersonation attack:

1. The attacker steals the smart card and the PIN required to operate it, performs several precalculations of PK_AS_REQ with future timestamps spanning the next few years, and places the smart card back with the owner. The owner has no way of detecting that the card has been used, and the key, although not compromised, can be used by the thief to impersonate him.

2. A malicious smart-card reader is installed in such a way that legitimate users will use it to connect using Kerberos. The reader operates as expected, but during the idle time that the card is inserted, the reader precalculates PK_AS_REQ messages with future timestamps. The owner has no way of knowing that.

The attacker, having the signed PK_AS_REQ message, can initiate connections impersonating the legitimate owner at any time of his choice.

best regards,
Nikos
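The following is an added model of the exchange the post describes, written for this edit; it is not code from the original message nor from any Kerberos implementation. It reduces the RFC 4556 Diffie-Hellman path to the things the KDC actually verifies (the signature over the AuthPack, the clock-skew check on pkAuthenticator.ctime, and a replay cache) and plays both scenarios the same way: a host with temporary access to the card has it sign one AuthPack per skew window for the coming months, and later logs in without the card using one of them. Assumptions, all labelled in the code: the card's RSA signature is stood in by an HMAC under a key only the card object holds (the KDC verifies with the matching verifier, playing the certificate), the DH group is a toy one, the AS-REP encryption is a toy keystream, and the error names are RFC 4120/4556 codes used only as status labels.

```python
"""
Model of the PKINIT DH path (RFC 4556) reduced to what the KDC checks, showing why a
PA-PK-AS-REQ that the card signed in advance with a future ctime is accepted when that
time arrives. Illustrative model only: the RSA signature is an HMAC stand-in, the DH
group is a toy group, the AS-REP enc-part is a SHA-256 keystream XOR.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # toy DH modulus (a Mersenne prime), not a real PKINIT group
G = 2
SKEW = 300           # clock skew (seconds) the KDC tolerates on pkAuthenticator.ctime


@dataclass(frozen=True)
class AuthPack:
    """The signed part of PA-PK-AS-REQ: pkAuthenticator fields plus clientPublicValue."""
    ctime: int          # pkAuthenticator.ctime, epoch seconds, chosen by the HOST
    nonce: int          # pkAuthenticator.nonce
    client_pub: int     # clientPublicValue = g^x mod p
    pa_checksum: bytes  # paChecksum over the KDC-REQ-BODY

    def encode(self) -> bytes:
        return b"|".join([str(self.ctime).encode(), str(self.nonce).encode(),
                          str(self.client_pub).encode(), self.pa_checksum])


class SmartCard:
    """Signs whatever the host hands it; it has no clock and keeps no log."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # stand-in for the RSA private key

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verifier(self) -> bytes:   # what the KDC learns from the certificate
        return self._key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def reply_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class KDC:
    def __init__(self, principals: dict):
        self.principals = principals   # principal -> verifier ("certificate")
        self.replay_cache = set()      # (principal, ctime, nonce) already accepted
        self._priv = secrets.randbelow(P - 2) + 2

    def as_req(self, principal: str, ap: AuthPack, sig: bytes, now: int):
        """Returns ((kdc_pub, enc_part), status); first element is None on error."""
        expected = hmac.new(self.principals[principal], ap.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None, "KDC_ERR_INVALID_SIG"
        if abs(ap.ctime - now) > SKEW:        # only freshness input: the client's own ctime
            return None, "KRB_AP_ERR_SKEW"
        key = (principal, ap.ctime, ap.nonce)
        if key in self.replay_cache:          # catches reuse of one request, nothing more
            return None, "KRB_AP_ERR_REPEAT"
        self.replay_cache.add(key)
        shared = pow(ap.client_pub, self._priv, P)
        enc_part = keystream_xor(reply_key(shared), f"TGT:{principal}".encode())
        return (pow(G, self._priv, P), enc_part), "OK"


def build_pa_pk_as_req(card: SmartCard, ctime: int):
    """All the host needs from the card to log in at time ctime; no KDC contact involved."""
    x = secrets.randbelow(P - 2) + 2   # client DH private value, held by the host, not the card
    ap = AuthPack(ctime=ctime, nonce=secrets.randbits(32), client_pub=pow(G, x, P),
                  pa_checksum=hashlib.sha256(b"KDC-REQ-BODY").digest())
    return ap, card.sign(ap.encode()), x


def complete_login(kdc: KDC, principal: str, ap: AuthPack, sig: bytes, x: int, now: int):
    """Send the signed request at time `now`; decrypt the AS-REP with the held DH value."""
    result, status = kdc.as_req(principal, ap, sig, now)
    if result is None:
        return None, status
    kdc_pub, enc_part = result
    return keystream_xor(reply_key(pow(kdc_pub, x, P)), enc_part).decode(), status


def demo():
    card = SmartCard()
    kdc = KDC({"alice@EXAMPLE.ORG": card.verifier()})
    t0 = 1_700_000_000
    # Legitimate use: sign with ctime = now and log in immediately.
    ap, sig, x = build_pa_pk_as_req(card, t0)
    legit, _ = complete_login(kdc, "alice@EXAMPLE.ORG", ap, sig, x, t0)
    # Scenario 1 (card borrowed) or 2 (hostile reader): while the card is present, sign
    # one request per 2*SKEW window. 90 days here; "a few years" is just a longer loop.
    step = 2 * SKEW
    stash = {c: build_pa_pk_as_req(card, c) for c in range(t0, t0 + 90 * 86400, step)}
    # Card gone. Later, use the stashed request whose ctime is within SKEW of the KDC clock.
    later = t0 + 60 * 86400 + 1234
    ap2, sig2, x2 = stash[t0 + ((later - t0) // step) * step]
    stolen, status = complete_login(kdc, "alice@EXAMPLE.ORG", ap2, sig2, x2, later)
    # What the KDC does reject: a request outside the skew window, and a replay of one
    # already used. Both only force the stash to be dense in time.
    _, stale = complete_login(kdc, "alice@EXAMPLE.ORG", ap, sig, x, later)
    _, replay = complete_login(kdc, "alice@EXAMPLE.ORG", ap2, sig2, x2, later)
    return legit, stolen, status, stale, replay, len(stash)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the same "TGT:alice@EXAMPLE.ORG" for the legitimate login and for the later login that never touched the card. The point the model makes is that nothing the KDC verifies depends on when the card signed: ctime is supplied by the host, the DH private value never enters the card, and the replay cache only stops reuse of a single request. The skew check does force the attacker to hold roughly one signed request per 2*SKEW window (12960 of them for 90 days at a five-minute skew), which is the "several precalculations" of the post.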
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- [Ietf-krb-wg] PKINIT with smart-cards Nikos Mavrogiannopoulos
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Henry B. Hotz
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nikos Mavrogiannopoulos
- Re: [Ietf-krb-wg] PKINIT with smart-cards Sam Hartman
- Re: [Ietf-krb-wg] PKINIT with smart-cards Tom Yu
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nikos Mavrogiannopoulos
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Tom Yu
- Re: [Ietf-krb-wg] PKINIT with smart-cards Martin Rex
- Re: [Ietf-krb-wg] PKINIT with smart-cards Sam Hartman
- Re: [Ietf-krb-wg] PKINIT with smart-cards Tom Yu
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Douglas E. Engert
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Martin Rex
- Re: [Ietf-krb-wg] PKINIT with smart-cards Henry B. Hotz
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Nico Williams
- Re: [Ietf-krb-wg] PKINIT with smart-cards Sam Hartman
- Re: [Ietf-krb-wg] PKINIT with smart-cards Sam Hartman
- Re: [Ietf-krb-wg] PKINIT with smart-cards Love Hörnquist Åstrand
- Re: [Ietf-krb-wg] PKINIT with smart-cards Douglas E. Engert