Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
Benjamin Kaduk <kaduk@mit.edu> Tue, 03 January 2017 06:20 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A14EC129434; Mon, 2 Jan 2017 22:20:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.321
X-Spam-Level:
X-Spam-Status: No, score=-7.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0JuWAZB_O89; Mon, 2 Jan 2017 22:20:10 -0800 (PST)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B2F6129508; Mon, 2 Jan 2017 22:20:09 -0800 (PST)
X-AuditID: 1209190e-717ff70000005a86-bf-586b4298f449
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id D5.71.23174.8924B685; Tue, 3 Jan 2017 01:20:08 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v036K76K029374; Tue, 3 Jan 2017 01:20:07 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v036K2Dt010607 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 3 Jan 2017 01:20:04 -0500
Date: Tue, 03 Jan 2017 00:20:02 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christian Huitema <huitema@huitema.net>
Message-ID: <20170103062001.GN8460@kduck.kaduk.org>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <006f01d263d8$435dc430$ca194c90$@huitema.net>
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmplleLIzCtJLcpLzFFi42IRYrdT0Z3hlB1hcPSeqsXclt8sFpMbZ7Nb zPgzkdliwpvbrBZzv85itfiw8CGLA5vHrRmnWDyWLPnJ5PF+31W2AOYoLpuU1JzMstQifbsE rozv6/4xFsw2r3h2uIO9gXG6bhcjJ4eEgInEmf7lTF2MXBxCAm1MEhPW7mSEcDYwSjRf3cYM 4Vxhkti9dT4bSAuLgIrEtn9HGEFsNiC7ofsyM4gtIqAtsWb2PbBRzAKrGCXOfT0G1iAs4Cfx +vplFhCbV8BYYtP22WC2kECmxJNvrVBxQYmTM5+A2cwCWhI3/r0EGsQBZEtLLP/HARLmFLCS mH72LtguUQFliYYZD5gnMArMQtI9C0n3LITuBYzMqxhlU3KrdHMTM3OKU5N1i5MT8/JSi3SN 9XIzS/RSU0o3MYJCm1OSbwfjpAbvQ4wCHIxKPLwdUVkRQqyJZcWVuYcYJTmYlER5oxmyI4T4 kvJTKjMSizPii0pzUosPMUpwMCuJ8JpaAOV4UxIrq1KL8mFS0hwsSuK8lzLdI4QE0hNLUrNT UwtSi2CyMhwcShK8jI5AjYJFqempFWmZOSUIaSYOTpDhPEDD60FqeIsLEnOLM9Mh8qcYFaXE eeNBEgIgiYzSPLheUOqRyN5f84pRHOgVYd7TDkBVPMC0Bdf9CmgwE9Dgr3HpIINLEhFSUg2M VkcPyPIZ3p12rk68e96N/KW1bvV2+YV/9yf33OKUyPyyQaujzef4RmvbYGHPIJaK0AMct/dH N0lOecSyapFb0hHPj4e3nT70fF1CkPLEvEb74hlsxlZatlnqF8/EKd7K/KDHdvSjPHur8sOb 9w9E5ElE61grp/+/GRzIsNZObofglSjOgIVKLMUZiYZazEXFiQA8aechGAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7-feW22V9iTbV0SOVvFj6VQdbs8>
Cc: npmccallum@redhat.com, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, nkinder@redhat.com, 'IESG' <iesg@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2017 06:20:11 -0000
Hi Christian, Thanks for the review! On Sat, Dec 31, 2016 at 06:39:21PM -0800, Christian Huitema wrote: > Copying to Nathan Kinder and Nathaniel McCallum, since their mail server > rejects messages relayed by the IETF server. > > -----Original Message----- > From: secdir [mailto:secdir-bounces@ietf.org] On Behalf Of Christian Huitema > Sent: Saturday, December 31, 2016 6:20 PM > To: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>; > draft-ietf-kitten-krb-auth-indicator.all@ietf.org > Subject: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04 > [...] > The document is almost ready, by I wish a few issues were addressed before > publication. > > My first issue is that the document describes an update to the Kerberos > protocol specification, RFC 4120, but does not define the specific way in > which RFC 4120 is updated. Could the draft be updated to include something > like the section "6. Assigned Numbers" of RFC 7751? If I understand > correctly, the changes are a new ad-type number 97, pointing to a CAMMAC > container, in which the "elements" are encoded according to the syntax > specified in Appendix A of the draft. Having that explained succinctly would > help future readers. I noticed the "Updates but doesn't really update" issue while preparing the shepherd review, and opted to leave in the "Updates" marker since it's probably something an implementor of 4120 should know about. The "Assigned Numbers" section is a good idea, thanks for pointing it out (and yes, you understand correctly). Authors, can you prepare another update? > My second issue is with the use of site-defined strings. I understand that > the site defined strings are defined by the administrator of a realm. What > happens if these strings appear outside the original realm, for example in > an environment connecting multiple realms? Don't we have a potential there > for name collision? Should there not be some guidance to implementers? There is maybe some potential for confusion, though not, I think, at the protocol level. The authentication indicator should always originate from the realm of orignial authentication, which is the realm of the client principal (in general). Even with some of the more exotic flows, like anonymous (or semi-anonymous) principals and making cross-realm TGS requests for foreign-realm TGTs, the client principal's realm is unchanged, so at a protocol level, the meaning of "this realm asserts that this authentication mechanism was used" remains clear. The confusion is when applications just check strings against a table without special-casing foreign-realm principals (which is likely to happen and the natural thing for application authors to do; I am not trying to belittle the issue you raised). In many cases, cross-realm operations occur when the administrators of the different realms are tightly coordinated (or even the same group), in which case they probably use the same semantics for the authentication indicator. In cases where the administrators of the different realms are genuinely different organizations, there are already risks for application services in such realms, such as for applications that grant access to "valid user". That said, the authentication indicator does introduce a new type of risk, and it is appropriate to have some text about it in the security considerations. Authors, do you think you can come up with text, or should one of us try to make a contribution? > I note that the proposed short string syntax forbids use of the ":" > character in site-defined strings. Did the WG look at the consequences of > that choice? If site administrators cannot use the URI like syntax, what is > the preferred way of defining unique strings and preventing collisions? I don't think the WG looked at the consequences, no -- IIRC this requirement was introduced at my urging due to the shepherd review, in order to avoid conflict between the two classes of possible values. If URIs must be LoA profiles and site-local values must be not-URIs, then there is no conflict. My expectation is that what will happen in practice is that the site-local short strings will actually be implementation-local, and the name of the preauthentication plugin or module will be used, like "otp" or "pkinit" or "spake". I don't expect anyone to try to make globally unique values, but of course there are always options like UUIDs or using alternate separator characters for those who wish to try. (It is debatable whether UUIDs count as "short", but there is no enforcement on "short", so they are in practice fair game.) > What are application services supposed to do when they encounter URI or > site-defined strings that they do not understand? The same thing they do now (in practice) when receiving other unknown authorization data types: ignore it. (This is in violation of the spec, that says unknown types should be treated as critical unless wrapped in AD-IF-RELEVANT, but that behavior is not implemented in the major implementations.) That may end up being a default-deny or default-permit mode, depending on the application service's configuration. > The ASN.1 syntax defines the element as a "SEQUENCE OF UTF8String". The > document mentions that "Each UTF8String value is a short string". How short > exactly should these strings be? How many of them should an application > expect in the "SEQUENCE OF" element? The syntax itself does not constrain > the length or number of these strings. Are we not worried with potential > interoperability issues? Could this be abused in some attacks? Should the > security considerations mention that? If I remember the history of the document correctly, there is intentionally no limit. URIs for LoA profiles could end up being pretty long, and there was a desire to not artificially limit those; it doesn't seem worth complicating the semantics of the indicator just to impose a length restriction on the non-URI strings. As far as the number of elements in the sequence, in practice there is probably no issue, since the authentication indicator is issued by the KDC in response to the actual authentication that occurred -- well-behaved KDCs should only include as many strings as authentication methods were used (which is in practice one or two at the moment, and probably not going to get much above three ever). There is always the concern about a client parsing untrusted/unvalidated input, but the consumer should be validating the MAC(s) in the CAMMAC container before parsing, and the implementation ticket size (and similar) constraints will also limit the possible size here. So, probably no attacks (absent compromised KDCs, which have other ways to wreak havoc) and probably no need for security consideration mention. I can't come up with any potential interoperability issues, either, but I didn't spend a whole lot of time thinking about it. Thanks again, Ben
- [secdir] SECDIR review of draft-ietf-kitten-krb-a… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Benjamin Kaduk
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Benjamin Kaduk
- Re: [secdir] [kitten] SECDIR review of draft-ietf… Greg Hudson
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Nathaniel McCallum
- Re: [secdir] SECDIR review of draft-ietf-kitten-k… Christian Huitema