IETF Logo Mail Archive

Re: [TLS] Design Alternatives for Kerberos + DH

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Sat, 17 October 2015 07:21 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470601A8A6D for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 00:21:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_82=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ta6QConcPzw6 for <tls@ietfa.amsl.com>; Sat, 17 Oct 2015 00:20:58 -0700 (PDT)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 949CF1A8A6C for <tls@ietf.org>; Sat, 17 Oct 2015 00:20:58 -0700 (PDT)
Received: by wicll6 with SMTP id ll6so37928777wic.1 for <tls@ietf.org>; Sat, 17 Oct 2015 00:20:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:mime-version:content-type:in-reply-to:date:cc :message-id:references:to; bh=mCJeSPj0ynfW/tQGfnzPWrwgxkh6ZZb/mZbaTedmA5A=; b=kYsdE7QLZO0apILBi8QBT/es4SHOolePdc9HCQtCaLokqHzBqhGLhHBncdoz7yrZka mS7PamDtAiLgHGdCQto8X3poa18a4H7P9LRfiAeOgwReZqjnOndcE99b2VWSveRE688R hwWlDxq3aeI2tgpoAGEoqBLIf8vmZIZ6exKb6Qq90F3de/gj1Ij0Lh9jm5tCwFKOrXV6 ULNSBR/BLV+iBBafvHBm0+l00Dkk0s4/Gr0Y5xJe31FORaXWCU/SW6CqZcuWRUYpvoVy jxlK4c7L64iHVILaikXFx2gYYUngljA4diCLaoLrxkskJSGzj5huFpLM2qUXd6E8RwUl 7IdA==
X-Received: by 10.180.207.235 with SMTP id lz11mr9359110wic.1.1445066457222; Sat, 17 Oct 2015 00:20:57 -0700 (PDT)
Received: from [192.168.0.12] (89-156-8-219.rev.numericable.fr. [89.156.8.219]) by smtp.gmail.com with ESMTPSA id r15sm6044457wib.18.2015.10.17.00.20.56 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 17 Oct 2015 00:20:56 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
X-Google-Original-From: Karthikeyan Bhargavan <karthikeyan.bhargavan@inria.fr>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_609FFEDF-2624-45B8-81C8-CFBF557248D3"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.2
In-Reply-To: <56212653.6050702@openfortress.nl>
Date: Sat, 17 Oct 2015 09:20:55 +0200
Message-Id: <A35BE5FA-DF42-44D6-99C1-A41D911BD019@inria.fr>
References: <56212653.6050702@openfortress.nl>
To: Rick van Rein <rick@openfortress.nl>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Oq4D8Ws9mdeeKo7GWkiAl2MqEfw>
Cc: tls@ietf.org
Subject: Re: [TLS] Design Alternatives for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Oct 2015 07:21:00 -0000

> 2) Embed the Ticket + Authenticator in a PSK

I don’t fully understand the constraints of the Kerberos+DH use-case, but using DHE-PSK seems like the best idea.
The planned session resumption mechanism for TLS 1.3 also uses DHE-PSK, and uses a session ticket mechanism
that is not so far from the Kerberos ticket. The Kerberos session key would then get mixed in (as a semi-static secret)
to the ECDHE shared secret and both client and server would obtain mutual authentication (based on the Kerberos key).

It may be best to try and fit Kerberos into this existing mechanism, unless there is some fundamental incompatibility.

Best,
Karthik


> 
> This uses the binary blurb of the PSK to wrap the Ticket and Authenticator.
> 
> PRO: Client authenticates very early, in the ClientHello.
> 
> CON: PSK is untyped, so it requires separate agreement on the contents.  It is impossible to incorporate ServerHello information in the exchange.  The server has not indicated if it supports Kerberos, so the client must make a leap of faith.  PSK replies the selected PSK identifier, rather than send a response message; it is not designed for messaging purposes.
> 
> 
> 3) Similar to OpenPGP: Negotiate cert-type
> 
> There is a cert-type for X.509 and for OpenPGP; add one for Kerberos Tickets.
> 
> PRO: Good integration with TLS: Tickets are transported in the ClientCertificate, and an Authenticator is the ClientVerify.  DH is independent and can move to the earlier phase for TLS 1.3.
> 
> CON: Decision on client credential type must be made in ClientHello, when not all data may be available (namely, the sequence of tickets leading to the TLS-protected service).  Also impacts the cert-type used in the ServerCert.
> 
> 
> 4) Define an X.509 embedding for Tickets
> 
> Certificates provide an id/key binding with a signature by a trusted party; although the AlgorithmIdentifiers used here are new, they do fit in the X.509 framework.  This is rather out-of-the-box thinking, so I tested the idea, see https://github.com/arpa2/kerberos2pkix
> 
> PRO: Minimal changes to TLS, since Kerberos is now a signing algorithm.  The server can independently authenticate using RSA & co (on top of Kerberos' mutual authentication).  Ticket + timestamp-Authenticator go into an X.509 ClientCertificate, and an Authenticator including the hash over prior TLS messages can go into ClientVerify.  CertificateRequest can mix options for Kerberos, RSA, and so on, and client selects whatever it can get to locally, giving the best user experience.  We can also support user-to-user connections and S4U2Proxy a.k.a. "Constrained Delegation".
> 
> CON: These certificates are symmetrically keyed, which is uncommon.  Certificates are not readable to anyone, but only to the remote peer.  Certificate owner is ideally read from the embedded ticket, rather than from the subject field.
> 
> 
> My money is on the last two, but option 4. really needs feedback because it is a bit wild.  When I get an idea where to go, I will be happy to write a new draft version... a much smaller and simpler one this time!
> 
> Cheers,
> -Rick
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email