IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

Sandra Murphy <sandy@sparta.com> Wed, 15 July 2009 15:26 UTC

Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD30628C116; Wed, 15 Jul 2009 08:26:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.527
X-Spam-Level:
X-Spam-Status: No, score=-2.527 tagged_above=-999 required=5 tests=[AWL=0.073, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3u6s4Q2n2XO; Wed, 15 Jul 2009 08:26:17 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id F390E3A6B9F; Wed, 15 Jul 2009 08:26:16 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id n6FFPv8T022694; Wed, 15 Jul 2009 10:25:57 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id n6FFPvJw003541; Wed, 15 Jul 2009 10:25:57 -0500
Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.81.126]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Jul 2009 11:25:57 -0400
Date: Wed, 15 Jul 2009 11:25:56 -0400
From: Sandra Murphy <sandy@sparta.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
In-Reply-To: <Pine.WNT.4.64.0907151110550.4872@SANDYM-LT.columbia.ads.sparta.com>
Message-ID: <Pine.WNT.4.64.0907151117250.4872@SANDYM-LT.columbia.ads.sparta.com>
References: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com> <Pine.WNT.4.64.0907151110550.4872@SANDYM-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 15 Jul 2009 15:25:57.0062 (UTC) FILETIME=[8CCB6660:01CA0560]
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 15:26:19 -0000

And now, to correct what I said below.

The intent was to convey the difficulty of MITM when you don't bind the 
ID the application is using to the secure transport.

As 5056 says:

    There may well be an MITM, particularly if either the lower network
    layer provides no authentication or there is no strong connection
    between the authentication or principals used at the application and
    those used at the lower network layer.

But my example leaves the impression that the binding is to the identity 
exchanged in the sasl exchange.  It isn't.  It would be to the ID EPP uses 
to identify the other end of the EPP connection.

Someone who knows this subject better than I would probably be of more use 
explaining things here.

--Sandy


On Wed, 15 Jul 2009, Sandra Murphy wrote:

> (I sent multiple secdir related messages yesterday that were mangled or 
> failed to deliver to the secdir and iesg lists.  You could see an example in 
> Scott's reply to one of the mangled messages.  Here is the unmangled message, 
> to keep us all in sync.  My apologies to the recipients who are seeing this 
> again.)
>
>
>
>> By Transport ID, I would assume the  identifer(s)  associated with the
>> transport level authentication key.
>> For EPP ID I would assume whatever identification is associated with
>> an EPP instance.
>
> In EPP, you do a simple login with user name and password:
> login Bob bobscleartextpassword
>
> The other end checks the password and says "Great to see you, Bob!"
>
> Underneath you have a stronger authentication system running.
> This is based on some transport id, like the ip addr/protocol/port
> or whatever id the secure transport uses.  Lets say the transport
> id is ip addr, say 10.1.0.0 at the end doing the login authentication.
>
>
> A secure authenticated transport connection is established between
> 10.1.0.0 to the other end where the login is being attempted, say
> 10.2.0.0.
>
> The trouble is that that 10.2.0.0 might be a man in the middle.
> The MITM has another secure authenticated transport connection to
> Bob's host, 10.3.0.0.
>
> Bob sends the "login Bob bobscleartextpassword" over its secure
> transport connection, which ends at the MITM at 10.2.0.0.
>
> The MITM retransmits the "login Bob bobscleartextpassword" over the
> secure transport connection to 10.1.0.0, impersonating Bob.
>
> This is possible because there is no tie between the EPP ID of "Bob"
> and the secure transport id of 10.2.0.0.
>
> The tie is what is called channel binding.
>
> You can look at RFC5056 for more information or at
> http://www.saunalahti.fi/~asokan/research/mitm.html for another
> discussion with a rather detailed example for PEAP.
>
> It might be worth pointing out that draft-ietf-sasl-gs2-14 talks
> about Using GSS-API Mechanisms in SASL, and supports channel binding.
>
> --Sandy
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
>

v2.23.0 | Report a Bug | By Email