IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-josefsson-kerberos5-starttls-07

Simon Josefsson <simon@josefsson.org> Fri, 22 January 2010 08:29 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2E51A3A6359; Fri, 22 Jan 2010 00:29:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.298
X-Spam-Level:
X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3LPNJ0Xz1+G; Fri, 22 Jan 2010 00:29:15 -0800 (PST)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id CA4FE3A672E; Fri, 22 Jan 2010 00:29:14 -0800 (PST)
Received: from mocca (c80-216-24-99.bredband.comhem.se [80.216.24.99]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id o0M8T0tv010670 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 22 Jan 2010 09:29:02 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Magnus Nyström <magnusn@gmail.com>
References: <2f57b9e60912231723x12e87864g9c0ad1ce095fc2c2@mail.gmail.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:100122:magnusn@gmail.com::bCvRJ6KDbi3bxkzF:1E9m
X-Hashcash: 1:22:100122:jhutz@cmu.edu::9Ett7qsZcMV4nW4Y:1MaI
X-Hashcash: 1:22:100122:secdir@ietf.org::3Ls98g7aRVFK9ize:GxEC
X-Hashcash: 1:22:100122:iesg@ietf.org::fpHZfEBlVLudMgA8:M/vJ
X-Hashcash: 1:22:100122:larry.zhu@microsoft.com::Cfi0J1hAEKGAcqAO:Lc86
Date: Fri, 22 Jan 2010 09:29:01 +0100
In-Reply-To: <2f57b9e60912231723x12e87864g9c0ad1ce095fc2c2@mail.gmail.com> ("Magnus Nyström"'s message of "Wed, 23 Dec 2009 17:23:29 -0800")
Message-ID: <87zl46h7aq.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Cc: larry.zhu@microsoft.com, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-josefsson-kerberos5-starttls-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 08:29:16 -0000

Magnus Nyström <magnusn@gmail.com> writes:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.

Thank you for the review!

> This document defines a new Kerberos extension to allow Kerberos
> protocol runs over TLS.
>
> I do not have any general issues with this document but a few
> questions/comments:
>
> Section 1: "The TLS protocol has been studied by many parties.  In
> some threat models, the designer prefer to reduce the number of
> protocols that can hurt the overall system security if they are
> compromised." This statement seems to me like a strange reason to
> motivate this work - Kerberos is equally well studied (at least) as
> TLS and this memo does not reduce the number of protocols in the
> system (c.f. the recent TLS renegotiation vulnerability)

I have removed the paragraph.

That paragraph was intended to contrast with PKINIT which to my
knowledge has not been studied as thoroughly as the core Kerberos
protocol or TLS.

> Section 3: In the packet flow, why are the first two Kerberos
> exchanges ([0x70000000 & STARTTLS-bit] and [0x00000000]) wihtin square
> brackets? Is it because they're seen as a separate protocol, or some
> other reason? A clarification would be helpful.

Good catch -- after studying that part, I noticed that it is also
incorrect.  It should be 0x80000000 | STARTTLS-BIT.  Further, the binary
operator was not explained.  The brackets are indeed not helpful.  Here
is the new text:

   A complete packet flow for a successful AS-REQ/REP exchange protected
   by this mechanism will be as follows.  The "STARTTLS-bit" is a
   4-octet value with only the bit allocated for this extension set, and
   | is the binary OR operation.

       Client                                               Server

        [ Kerberos V5 TCP extension mechanism negotiation starts ]

       0x80000000 | STARTTLS-bit  -------->
                                                       0x00000000
                                    <--------

Further, when reading the protocol explanation in the previous section,
it wasn't clear that the client actually initiates the communication,
and there were no pointer on handling errors at that point.  Here is the
new text:

   The protocol is as follows.  The client requests the extension by
   setting the STARTTLS bit in the TCP extension mechanism bitmask.
   (How to deal with extension negotiation failures at this point is
   described in [RFC5021].)  After the server has sent the 4-octet value
   0x00000000 to indicate support of this extension, the stream will be
   controlled by the TLS protocol and its framing.  The TLS protocol is
   initiated by the client.

> Section 5: "Use of TLS, even without server certificate validation,
> protects against some attacks that Kerberos V5 over UDP/TCP do not.
> Requiring server certificates to be used at all times would enable
> attacks in those situations": a) It would be useful to give examples
> of attacks that unauthenticated TLS protects against that Kerberos V5
> does not protect against.

I have added:

     (For example, passive network sniffing between the user and the KDC
     to track which Kerberos services are used by the user.)

> b) Last sentence is ambigious - if server certs are required and the
> client verifies them I do not see what attacks would be enabled. I
> assume the last sentence intends to say that requiring server certs to
> be used when clients cannot validate will enable some attacks but I am
> not sure.

Good catch, it didn't say what was intended.  I have changed it to:

   To require server certificates to be validated at all times would
   lead to disabling of TLS when clients are unable to validate server
   certificates, and this may have worse security properties than using
   TLS and not validate the server certificate would have.

It feels a bit clumsily, suggestions on easier ways to express the same
intent are welcome.

> Section 5: "When clients have the ability, they need to be able to
> validate the server certificate" I suggest rephrasing to: "When
> clients have the ability, they MUST validate the server certificate"

I have made this change.

Regards,
/Simon

v2.23.0 | Report a Bug | By Email