IETF Logo Mail Archive

[SPKM] Re: Comments on draft-zhu-pku2u-01.txt

Martin Rex <martin.rex@sap.com> Mon, 19 March 2007 16:24 UTC

Return-path: <spkm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTKeR-0000Vf-6U; Mon, 19 Mar 2007 12:24:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HTKeP-0000VO-V9; Mon, 19 Mar 2007 12:24:01 -0400
Received: from smtpde01.sap-ag.de ([155.56.68.171]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HTKeJ-0004Vy-Gq; Mon, 19 Mar 2007 12:24:01 -0400
Received: from sap-ag.de (smtpde01) by smtpde01.sap-ag.de (out) with ESMTP id SAA12805; Mon, 19 Mar 2007 18:23:43 +0200 (MESZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200703191623.RAA05635@uw1048.wdf.sap.corp>
To: lzhu@windows.microsoft.com
Date: Mon, 19 Mar 2007 17:23:26 +0100
In-Reply-To: <CAAAEFE273EAD341A4B02AAA9CA6F733051CA996@WIN-MSG-20.wingroup.windeploy.ntdev.microsoft.com> from "Liqiang" at Mar 16, 7 10:37:24 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5a9a1bd6c2d06a21d748b7d0070ddcb8
Cc: kitten@lists.ietf.org, andros@citi.umich.edu, Michael.Eisler@netapp.com, spkm@ietf.org, jhutz@cmu.edu
Subject: [SPKM] Re: Comments on draft-zhu-pku2u-01.txt
X-BeenThere: spkm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: Low Infrastructure Public Key GSS mechanism <spkm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/spkm>
List-Post: <mailto:spkm@ietf.org>
List-Help: <mailto:spkm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/spkm>, <mailto:spkm-request@ietf.org?subject=subscribe>
Errors-To: spkm-bounces@ietf.org

Liqiang wrote:
> 
> Nicolas.Williams wrote:
> > Where does GSS_S_CONTINUE_NEEDED appear in the KRB-ERROR??  Normally
> > status codes like GSS_S_CONTINUE_NEEDED are not sent in a mechanism
> > token -- they are implied.
> 
> See section 6 of the user2user ID
> http://www.watersprings.org/pub/id/draft-swift-win2k-krb-user2user-03.txt
> 
>     
> 6. User to User when applied by server policy 
>     
>    In the case that the client application doesn't know that a service 
>    requires user-to-user authentication, and requests and receives a 
>    conventional KRB_AP_REP, the client will send the KRB_AP_REP 

Is it me or should this read KRB_AP_REQ? 

>    request, and the server will respond with a KRB_ERROR token as 
>    described in RFC1964, with a msg-type of 
>    KRB_AP_ERR_USER_TO_USER_REQUIRED (0x45). The server may optionally 
>    pass the TGT in the data field of this error message. In response to 
>    this error, the initiator sets flags and returns a 
>    GSS_C_CONTINUE_NEEDED so that the next round uses the mechanism 
>    described in section 4.


This "server policy" confuses me.

There are potentially 3 issues with AP_REQ/AP_REP exchanges that
I can think of:

  1) "weak" server key (i.e. server does not have a strong random key)

  2) server lacks (or doesn't want to use) replay cache

  3) replay caches are not shared across hosts, so a distributed services
     using a single principal (a single key) instead of the original
     hostbased services of the original Kerberos 5 design become
     vulnerable to cross-host replay

Protection for (1) would require the KDC to not even issue
service tickets, so that the client can not even send a KRB_AP_REQ.


Having a Application send a KRB_ERROR upon receiving an rfc-1964 AP_REQ
will result in fatal termination of the security context establishment
for every conforming implementation of rfc-1964.  So this suggestion
seems to create an interoperability problem, and the CONTINUE_NEEDED
status is an inappropriate return status for gss_accept_sec_context()
for a mechanism using the rfc-1964 mechanism OID.


-Martin

 

_______________________________________________
SPKM mailing list
SPKM@ietf.org
https://www1.ietf.org/mailman/listinfo/spkm

v2.23.0 | Report a Bug | By Email