IETF Logo Mail Archive

Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"

Nicolas Williams <Nicolas.Williams@sun.com> Sat, 14 June 2008 00:25 UTC

Return-Path: <nfsv4-bounces@ietf.org>
X-Original-To: nfsv4-archive@megatron.ietf.org
Delivered-To: ietfarch-nfsv4-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 96AD73A6941; Fri, 13 Jun 2008 17:25:59 -0700 (PDT)
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62B503A6941 for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 17:25:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.988
X-Spam-Level:
X-Spam-Status: No, score=-2.988 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FKyvsw6HlXUL for <nfsv4@core3.amsl.com>; Fri, 13 Jun 2008 17:25:57 -0700 (PDT)
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [192.18.98.36]) by core3.amsl.com (Postfix) with ESMTP id 128673A6774 for <nfsv4@ietf.org>; Fri, 13 Jun 2008 17:25:56 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id m5E0QT2A014970 for <nfsv4@ietf.org>; Sat, 14 Jun 2008 00:26:29 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id m5E0QSP3023074 for <nfsv4@ietf.org>; Fri, 13 Jun 2008 18:26:28 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1) with ESMTP id m5E0QRie020744; Fri, 13 Jun 2008 19:26:27 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.1+Sun/8.14.1/Submit) id m5E0QRdw020743; Fri, 13 Jun 2008 19:26:27 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Fri, 13 Jun 2008 19:26:27 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Mike Eisler <mre-ietf@eisler.com>
Message-ID: <20080614002626.GP2735@Sun.COM>
Mail-Followup-To: Mike Eisler <mre-ietf@eisler.com>, nfsv4@ietf.org
References: <559831BE-8E35-43E4-911C-EE570E511C38@Sun.COM> <20080613190050.GT2735@Sun.COM> <38432.198.95.226.230.1213389346.squirrel@webmail.eisler.com>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <38432.198.95.226.230.1213389346.squirrel@webmail.eisler.com>
User-Agent: Mutt/1.5.7i
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] Last call start for "RPCSEC_GSS Version 2"
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: nfsv4-bounces@ietf.org
Errors-To: nfsv4-bounces@ietf.org

On Fri, Jun 13, 2008 at 01:35:46PM -0700, Mike Eisler wrote:
> 
> On Fri, June 13, 2008 12:00 pm, Nicolas Williams wrote:
> > On Mon, Jun 02, 2008 at 11:30:43PM -0500, Spencer Shepler wrote:
> >> http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-rpcsec-gss-v2-03.txt
> >
> > There's a rather minor, but easy to fix attack on RPCSEC_GSSv2 as
> > described in -03.
> >
> > I started wondering what kind of games an attacker could play with the
> > RPCSEC_GSS version number.  I think an MITM could modify RPCs from a v1
> > client, talking to a v2 server, to set the RPCSEC_GSS version to 2, and
> > in the process obtain a few MICs that it might, by sheer luck, cause the
> > server to accept in the channel binding portion of the protocol.
> 
> I'm not seeing it. The MIC in the verifier of both v1 and v2
> of RPCSEC_GSS is compute from the RPC header "up to and including
>       the credential"

The version number in the context token exchange messages is not
protected.

So:

 - a v1 client
 - an MITM
 - a v1 and v2 server

 - the MITM intercepts the client's v1 context token messages and
   changes the version number to 2 before forwarding to the server, and
   changes the version number back to 1 in the replies from the server

    - neither the client nor the server notice

 - eventually the context is established and the client sends its first
   RPC protected by the established handle

    - this RPC is bound to fail since the verifier MIC'ed data includes
      the credential, which includes the RPCSEC_GSS version number

    - but the MITM is an optimist, and so the MITM formats an
      RPCSEC_GSS_BIND_CHANNEL RPC using the verifier from the client's
      RPC, and then forwards this to the server in the hopes that
      there's a collision

       - most likely the MITM's RPC fails, so the MITM send back garbage
	 to the client and hopes the client will try again

       - lather, rinse, repeat until collision happens, at which point
	 the MITM closes the connection to the client and then proceeds
	 to impersonate the client to the server, since at this point
	 the handle is bound to the MITM's channel with the server.

The client sees lots of failures, perhaps, from its p.o.v., due to
network problems.

The server sees lots of failures too.  But finnally a success.

> Since the credential contains the RPCSEC_GSS version number (field
> rgc_version below) the RPCSEC_GSS target will reject the MITM's
> modified RPCs.

The version number in the context token exchange is the one that must be
protected.

Nico
-- 
_______________________________________________
nfsv4 mailing list
nfsv4@ietf.org
https://www.ietf.org/mailman/listinfo/nfsv4

v2.23.0 | Report a Bug | By Email