Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
Larry Zhu <lzhu@exchange.microsoft.com> Fri, 17 December 2010 22:36 UTC
Return-Path: <ietf-krb-wg-bounces@lists.anl.gov>
X-Original-To: ietfarch-krb-wg-archive@core3.amsl.com
Delivered-To: ietfarch-krb-wg-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C19663A69B8 for <ietfarch-krb-wg-archive@core3.amsl.com>; Fri, 17 Dec 2010 14:36:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.133
X-Spam-Level:
X-Spam-Status: No, score=-103.133 tagged_above=-999 required=5 tests=[AWL=-0.267, BAYES_00=-2.599, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zRCiMq5RqatX for <ietfarch-krb-wg-archive@core3.amsl.com>; Fri, 17 Dec 2010 14:36:47 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by core3.amsl.com (Postfix) with ESMTP id DA2633A6911 for <krb-wg-archive@lists.ietf.org>; Fri, 17 Dec 2010 14:36:46 -0800 (PST)
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 7FBFB11; Fri, 17 Dec 2010 16:38:34 -0600 (CST)
Received: from lists.anl.gov (katydid.it.anl.gov [146.137.96.32]) by mailhost.anl.gov (Postfix) with ESMTP id 03E7E21; Fri, 17 Dec 2010 16:38:33 -0600 (CST)
Received: from katydid.it.anl.gov (localhost [127.0.0.1]) by lists.anl.gov (Postfix) with ESMTP id B74CC2CC039; Fri, 17 Dec 2010 16:38:33 -0600 (CST)
X-Original-To: ietf-krb-wg@lists.anl.gov
Delivered-To: ietf-krb-wg@lists.anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by lists.anl.gov (Postfix) with ESMTP id 3699980032 for <ietf-krb-wg@lists.anl.gov>; Fri, 17 Dec 2010 16:38:32 -0600 (CST)
Received: by mailhost.anl.gov (Postfix) id 235AE48; Fri, 17 Dec 2010 16:38:32 -0600 (CST)
Delivered-To: ietf-krb-wg@anl.gov
Received: from mailhost.anl.gov (mailhost.anl.gov [130.202.113.50]) by localhost.anl.gov (Postfix) with ESMTP id 1B25245 for <ietf-krb-wg@anl.gov>; Fri, 17 Dec 2010 16:38:32 -0600 (CST)
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22]) by mailhost.anl.gov (Postfix) with ESMTP id 052404B for <ietf-krb-wg@anl.gov>; Fri, 17 Dec 2010 16:38:31 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by localhost.it.anl.gov (Postfix) with ESMTP id D3A917CC064; Fri, 17 Dec 2010 16:38:31 -0600 (CST)
Received: from mailrelay.anl.gov ([127.0.0.1]) by localhost (mailrelay.anl.gov [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24268-02; Fri, 17 Dec 2010 16:38:31 -0600 (CST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28]) by mailrelay.anl.gov (Postfix) with ESMTP id 038907CC065 for <ietf-krb-wg@anl.gov>; Fri, 17 Dec 2010 16:38:29 -0600 (CST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtIAANIiC02DawERkWdsb2JhbACkQwEBAgkLCgcRBh4BqGaZeoMFDYI4BI4dFA
X-IronPort-AV: E=Sophos;i="4.59,362,1288587600"; d="scan'208";a="52371563"
Received: from mail1.exchange.microsoft.com (HELO mail.exchange.microsoft.com) ([131.107.1.17]) by mailgateway.anl.gov with ESMTP; 17 Dec 2010 16:38:29 -0600
Received: from df-h14-02.exchange.corp.microsoft.com (157.54.78.140) by DF-G14-01.exchange.corp.microsoft.com (157.54.87.87) with Microsoft SMTP Server (TLS) id 14.1.218.15; Fri, 17 Dec 2010 14:38:28 -0800
Received: from DF-G14-01.exchange.corp.microsoft.com (157.54.87.87) by DF-H14-02.exchange.corp.microsoft.com (157.54.78.140) with Microsoft SMTP Server (TLS) id 14.1.255.3; Fri, 17 Dec 2010 14:38:28 -0800
Received: from PB1EHSOBE002.bigfish.com (131.107.86.173) by mail1.exchange.microsoft.com (131.107.1.17) with Microsoft SMTP Server (TLS) id 14.1.218.15; Fri, 17 Dec 2010 14:38:27 -0800
Received: from mail1-pb1-R.bigfish.com (10.10.80.65) by PB1EHSOBE002.bigfish.com (10.10.80.68) with Microsoft SMTP Server id 14.1.225.8; Fri, 17 Dec 2010 22:39:46 +0000
Received: from mail1-pb1 (localhost.localdomain [127.0.0.1]) by mail1-pb1-R.bigfish.com (Postfix) with ESMTP id 5203FB4805B for <ietf-krb-wg@anl.gov.FOPE.CONNECTOR.OVERRIDE>; Fri, 17 Dec 2010 22:45:58 +0000 (UTC)
X-SpamScore: -56
X-BigFish: PS-56(zz542N936eK1419M10d1I1432N98dN9371P1fa4L1447R9370JzzdafM1202hzzz31h2a8h)
X-Forefront-Antispam-Report: KIP:(null); UIP:(null); IPV:SKI; H:BL2SDF0103HT002.namsdf01.sdf.exchangelabs.com; R:internal; EFV:INT
Received: from mail1-pb1 (localhost.localdomain [127.0.0.1]) by mail1-pb1 (MessageSwitch) id 1292625958157190_28308; Fri, 17 Dec 2010 22:45:58 +0000 (UTC)
Received: from PB1EHSMHS003.bigfish.com (unknown [10.10.80.65]) by mail1-pb1.bigfish.com (Postfix) with ESMTP id 1B024E0804B; Fri, 17 Dec 2010 22:45:58 +0000 (UTC)
Received: from BL2SDF0103HT002.namsdf01.sdf.exchangelabs.com (65.55.126.28) by PB1EHSMHS003.bigfish.com (10.10.80.48) with Microsoft SMTP Server (TLS) id 14.1.225.8; Fri, 17 Dec 2010 22:41:09 +0000
Received: from BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com ([169.254.2.229]) by BL2SDF0103HT002.namsdf01.sdf.exchangelabs.com ([10.6.208.75]) with mapi id 14.01.0225.022; Fri, 17 Dec 2010 22:36:12 +0000
From: Larry Zhu <lzhu@exchange.microsoft.com>
To: "gareth.richards@rsa.com" <gareth.richards@rsa.com>, "ietf-krb-wg@anl.gov" <ietf-krb-wg@anl.gov>
Thread-Topic: draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
Thread-Index: AcudnB1MDHaqaFZGQU6qpwXbQNM11QASMCewABSZ7wA=
Date: Fri, 17 Dec 2010 22:36:12 +0000
Message-ID: <E8A97CB9E3BDF945B239B0FD4F5326671085D287@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com>
References: <E8A97CB9E3BDF945B239B0FD4F532667108344D7@BL2SDF0103MB009.namsdf01.sdf.exchangelabs.com> <B1371F619AB0A94C9AC73CF2E475485B020A2378F0@MX11A.corp.emc.com>
In-Reply-To: <B1371F619AB0A94C9AC73CF2E475485B020A2378F0@MX11A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.6.208.236]
x-ms-exchange-transport-rules-loop: 0
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2SDF0103HT002.namsdf01.sdf.exchangelabs.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%45$Dn%RSA.COM$RO%2$TLS%5$FQDN%exchange.microsoft.com$TlsDn%*.exchange.microsoft.com
X-FOPE-CONNECTOR: Id%45$Dn%ANL.GOV$RO%2$TLS%5$FQDN%exchange.microsoft.com$TlsDn%*.exchange.microsoft.com
X-CrossPremisesHeadersPromoted: DF-G14-01.exchange.corp.microsoft.com
X-CrossPremisesHeadersFiltered: DF-G14-01.exchange.corp.microsoft.com
X-OriginatorOrg: exchange.microsoft.com
X-Virus-Scanned: Debian amavisd-new at frigga.it.anl.gov
Subject: Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
X-BeenThere: ietf-krb-wg@lists.anl.gov
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "This is a list for the IETF Kerberos Working Group. {WORLDPUB, EXTERNAL}" <ietf-krb-wg.lists.anl.gov>
List-Unsubscribe: <https://lists.anl.gov/mailman/options/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=unsubscribe>
List-Archive: <https://lists.anl.gov/pipermail/ietf-krb-wg>
List-Post: <mailto:ietf-krb-wg@lists.anl.gov>
List-Help: <mailto:ietf-krb-wg-request@lists.anl.gov?subject=help>
List-Subscribe: <https://lists.anl.gov/mailman/listinfo/ietf-krb-wg>, <mailto:ietf-krb-wg-request@lists.anl.gov?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ietf-krb-wg-bounces@lists.anl.gov
Sender: ietf-krb-wg-bounces@lists.anl.gov
Gareth wrote:
> ".. And so if the returning of OTP values in this way does not conform to local policy on the client (for example, if KDC-Authentication is required and is not being provided by other means) then it SHOULD NOT use the token for authentication."
I like this better too.
> 8) Section 3.4, page 14, the expiration time of the OTP account. This
> text introduces a new concept "OTP account".
> Does this imply a separate life-time management is required or
> recommended for OTP usage? Can you please clarify?
> These were added to cover the possibility that the account related to the user's OTP token and the their OTP PIN could have a different expiration times from their Kerberos account.
> For example, if the OTP token is managed by a separate server then that server could have its own account management distinct from that of the KDC.
I can guess that is the case without your clarification. I raised the question thinking that the existing text sounds a bit abrupt, but if you think it is already clear, you can leave it as is. This can be your decision unless the group has a different opinion otherwise.
> 13) Section 6.1, this section explains MITM can choose the session key
> when anonymous PKINIT is used. That is no longer true with anonymity
> draft 12 (the latest). Can this be updated? I believe Sam raised this
> issue during the last WGLC on -12. Can you please summarize the
> discussion and the conclusion?
> Sam raised the following question regarding this section during the review of draft 12
How about the following text, the specific issue is already fixed in anonymity-12, by adding the
KDC contribution. Do you agree?
However, the current anonymous PKINIT proposal is open to man-
in-the-middle attacks since the attacker can choose a session key
such that the session key between the MITM and the real KDC is the
same as the session key between the client and the MITM.
> The "as described above" is actually new text in draft 13. I believe that it was meant to describe the handling of expired PINs in the previous paragraph and can simply be removed.
If so, we have a real issue here. The text before the following (copied right below here for convenience) describes how it should fail with an error when the PIN expires, but now you are saying it should succeed for the PIN-change service (which is basically what RFC3244 does as I alluded) but how that is described in this document? Are we on the same page?
If the PIN change is to be handled by a PIN-change service then it is
assumed that authentication to that service will succeed if the PIN
has expired as described above
> The ASN.1 module was checked using OSS ASN.1 Syntax Checker Version 8.1.1.
That is all I wanted to know. Thanks.
> Are you having trouble with the following:
>
> AnyURI ::= UTF8String
> (CONSTRAINED BY {
> /* MUST be a valid URI in accordance with IETF RFC 2396 */
> })
Exactly right. My aging compiler does not under this syntax.
> 10) Section 4.1,page 30, for consistency please add a ',' at the end
> of "-pin-not-required(4)'.
> Done
Please also update the corresponding portion in appendix A.
To summarize, issue 13, 16 and 18 in the original list are not closed yet at this point. Thanks.
-----Original Message-----
From: gareth.richards@rsa.com [mailto:gareth.richards@rsa.com]
Sent: Friday, December 17, 2010 6:41 AM
To: Larry Zhu; ietf-krb-wg@anl.gov
Subject: RE: draft-ietf-krb-wg-otp-preauth-13 PROTO write-up comments
Larry,
Thanks for the review, my responses are below.
--Gareth
> 1) Nits: Section 1.2 page 4, s/the standard Reply Key/the classic
> Reply Key (as defined in RFC4120)/. The word "standard"
> is overloaded in this context though the same phrase would sound
> perfectly fine anywhere else. This is just a suggestion and the same
> applies to the rest of my comments with regarding to the word
> "classic" vs "standard.
I am happy to change standard to classic.
> 2) Nits: section 3.2 page 9, ditto s/standard/classic/.
OK, I changed "standard shared-key" to "classic shared-key"
> 3) Nits: section3.2, page 9, can you please upper case KDC in
> "kdc-authentication", as "KDC-authentication".
Done
> 4) Grammar: section 3.2, page 9, s/PA-OTP-CHALLENGE that do not have
> the set the/ PA-OTP-CHALLENGE that do not have the/, i.e. extra "the
> set" seems to be just a copy&paste error.
Done
> 5) Nits: section 3.3 page 11, at the very end, s/if the algorithm
> identifiers do not conform/if none of the algorithm identifiers
> conforms/.
OK, done
> 6) Section 3.4, page 13. If kdc-authentication is required then a
> PA-OTP-REQUEST containing an otp-value must be rejected. This
> discusses the KDC side of verifying the preauth-data, how does the KDC
> know if KDC-authentication is required. Isn't that KDC-authentication
> is a client side thing?
Yes, I think this is a mistake. The following sentence from section 3.2 covers the fact that the client SHOULD NOT return send the OTP value to the client if local policy does not permit it.
If the "must-encrypt-nonce" flag is set in the otp-keyInfo then the
OTP value MUST be used to generate the Client Key and Reply Key as
described in Section 3.6 and MUST NOT be included in the otp-value
field of the PA-OTP-REQUEST. If the flag is not set then the OTP
value MUST be included in the otp-value field of the PA-OTP-REQUEST
and MUST NOT be used in the key derivation. In this case, the Client
Key and Reply Key SHALL be the same as the Armor Key as described in
Section 3.6 and so if the returning of OTP values in this way does
not conform to local policy on the client then it SHOULD NOT use the
token for authentication.
I would think that this policy would also cover KDC-authentication and so maybe the last sentence should be modified as follows:
".. And so if the returning of OTP values in this way does not conform to local policy on the client (for example, if KDC-Authentication is required and is not being provided by other means) then it SHOULD NOT use the token for authentication."
> 7) Nits: section 3.4, page 14, s/standard encrypted timestamp/classic
> encrypted timestamp/.
Done
> 8) Section 3.4, page 14, the expiration time of the OTP account. This
> text introduces a new concept "OTP account".
> Does this imply a separate life-time management is required or
> recommended for OTP usage? Can you please clarify?
These were added to cover the possibility that the account related to the user's OTP token and the their OTP PIN could have a different expiration times from their Kerberos account.
For example, if the OTP token is managed by a separate server then that server could have its own account management distinct from that of the KDC.
> 9) Section 3.4, page 14, the current text says "it SHOULD return the
> same response as for a non-OTP expired password", first, what does it
> mean by "non-OTP expired password", does it imply there may exist an
> OTP expired password, secondly, and is it intentional that the KDC is
> not returning KDC_ERR_PIN_EXPIRED in this case?
I believe that this was an oversight. I updated section 2.3 to include the new KDC_ERR_PIN_EXPIRED but omitted to update section 3.4. I suggest that the last sentence of this paragraph be reworded as follows.
Finally, if the KDC determines that the
user's PIN has expired then it SHOULD return a KRB-ERROR of type
KDC_ERR_PIN_EXPIRED as described in section 2.3
> 10) Section 4.1,page 30, for consistency please add a ',' at the end
> of "-pin-not-required(4)'.
Done
> 11) Section 4.1, page 18, s/both flags MUST NOT be set and the client
> MUST regard/ both flags MUST NOT be set, or the client MUST regard/.
Done
> 12) Section 4.3, page 23, for consistency, please remove the comma at
> the end of "-mandatory(2)," so that it looks like "--mandatory(2)" .
Done
> 13) Section 6.1, this section explains MITM can choose the session key
> when anonymous PKINIT is used. That is no longer true with anonymity
> draft 12 (the latest). Can this be updated? I believe Sam raised this
> issue during the last WGLC on -12. Can you please summarize the
> discussion and the conclusion?
Sam raised the following question regarding this section during the review of draft 12
> I'm a bit confused about the concern where a host key is compromised.
> It's basically always possible for a client and an attacker to work
> together to spoof the KDC if the attacker knows the host key. This
> tends to be one of the least serious concerns that happens
> when the host
> key is compromised.
>
This text was added following an issue raised by Greg Hudson on 28 July 2009
On Tue, 2009-07-28 at 13:27 -0400, Sam Hartman wrote:
> This makes sense to me.
> So, S/KEY with host armor would be OK to allow?
I think it's worth documenting that it would allow someone with
the host key to fool the client, whereas a straight RFC 4120 AS-REQ does
not allow this.
It's not a terribly interesting vulnerability because a
compromised host key normally means a compromised host, which generally
gives you more latitude to mess with the user's activities than
impersonating the KDC does.
> 14) Grammar: appendix b4, s/The Client generates Client Key Reply Key
> as described in/ The Client generates the Client Key and the Reply Key
> as described in/
Done
> 15) Appendix b4, page 39, s/proceed as with the standard
> sequence/proceed as with the classic sequence as defined in RFC4120/.
Done
> 16) Section 2.3, on top of page 7, "as described above". I believe
> what was described above was removed. You can say "similarly as
> illustrated in RFC3244" and add a non-normative reference to RFC3244.
The "as described above" is actually new text in draft 13. I believe that it was meant to describe the handling of expired PINs in the previous paragraph and can simply be removed.
> 17) I have the opinion that the reference to PKINIT and anonymity
> draft should be normative. Do you have good reasons otherwise?
I don't have any particular reasons to keep them as informational, I just didn't think that they were used in a normative manner. I've moved them to the normative section.
> 18) Section 3.6, page 16, the current text says that "the salt SHALL
> be the default salt for the principal requested in the AS-REQ". I do
> not think "default salt for the principal"
> is defined in existing standards or in this document. I can see a few
> possibilities to address this issue. A) we might need to have a
> protocol change, for example, we can add the optional "salt" field of
> KerberosString type in the OTP challenge message and allow the client
> to retry if it got it wrong when the two-pass variant; B) you can
> simply say that the salt is an empty string if the OTP value is
> already salted when computed from a secret; C) go back to draft 12 and
> I do agree that approach in -12 can create an unnecessary pain point.
What was meant by this text was that the salt used would be the default salt defined for the enctype and principal. So for example, for AES it would be a value derived from the principals name.
> 19) draft-ietf-keyprov-pskc has been published as RFC 6030.
OK, updated.
> 20) I was able to compile the ASN module in appendix A except the
> latest 3 lines before the "end", ignoring the blank line right before
> that. Can you please confirm this module passes a modern ASN1
> compiler?
>
The ASN.1 module was checked using OSS ASN.1 Syntax Checker Version 8.1.1.
Are you having trouble with the following:
AnyURI ::= UTF8String
(CONSTRAINED BY {
/* MUST be a valid URI in accordance with IETF RFC 2396 */
})
> Draft 13 contains significant changes from draft 12 mostly due to WGLC
> comments. The quality of the document has been significantly improved.
> Out of these, issue 18 must be addressed before the document can move
> forward but overall the document is very close. In order to allow the
> document progress quickly, I just started another WGLC on 13 together
> with these comments. Taking into account of the holidays at this time
> of the year, I have extended the last call to cover
> 3 weeks instead of the normal 2 week length.
>
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg@lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
- [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-13 PR… Larry Zhu
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… gareth.richards
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… Larry Zhu
- Re: [Ietf-krb-wg] draft-ietf-krb-wg-otp-preauth-1… gareth.richards