IETF Logo Mail Archive

[TLS] Design Alternatives for Kerberos + DH

Rick van Rein <rick@openfortress.nl> Fri, 16 October 2015 16:31 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5668E1A89FC for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 09:31:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qi7TJc_TuQeV for <tls@ietfa.amsl.com>; Fri, 16 Oct 2015 09:31:22 -0700 (PDT)
Received: from lb2-smtp-cloud2.xs4all.net (lb2-smtp-cloud2.xs4all.net [194.109.24.25]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 847FA1A896F for <tls@ietf.org>; Fri, 16 Oct 2015 09:31:21 -0700 (PDT)
Received: from airhead.local ([83.161.146.46]) by smtp-cloud2.xs4all.net with ESMTP id VsXH1r00A10HQrX01sXJ2U; Fri, 16 Oct 2015 18:31:19 +0200
Message-ID: <56212653.6050702@openfortress.nl>
Date: Fri, 16 Oct 2015 18:31:15 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: tls@ietf.org
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mHaomvBAba7HP-HDm5N_7a1SKjI>
Subject: [TLS] Design Alternatives for Kerberos + DH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 16:31:25 -0000

Hello,

Based on the feedback in this WG, I'm now redefining TLS-KDH to keep ECDH and Kerberos orthogonal.  That simplifies matters enormously.  I can now see a few design alternatives.  If you have any response to them, it is kindly appreciated!


1) Continue to use KeyExchange

This variation sends a Ticket + Authenticator in the ClientKeyExchange, but
DH is now mentioned in plaintext instead of encrypted in the Authenticator.

PRO: Prior handshake can be taken into account in an Authenticator hash (a.k.a. "checksum").

CON: Special case for KeyExchange; doesn't integrate automatically with TLS 1.3.


2) Embed the Ticket + Authenticator in a PSK

This uses the binary blurb of the PSK to wrap the Ticket and Authenticator.

PRO: Client authenticates very early, in the ClientHello.

CON: PSK is untyped, so it requires separate agreement on the contents.  It is impossible to incorporate ServerHello information in the exchange.  The server has not indicated if it supports Kerberos, so the client must make a leap of faith.  PSK replies the selected PSK identifier, rather than send a response message; it is not designed for messaging purposes.


3) Similar to OpenPGP: Negotiate cert-type

There is a cert-type for X.509 and for OpenPGP; add one for Kerberos Tickets.

PRO: Good integration with TLS: Tickets are transported in the ClientCertificate, and an Authenticator is the ClientVerify.  DH is independent and can move to the earlier phase for TLS 1.3.

CON: Decision on client credential type must be made in ClientHello, when not all data may be available (namely, the sequence of tickets leading to the TLS-protected service).  Also impacts the cert-type used in the ServerCert.


4) Define an X.509 embedding for Tickets

Certificates provide an id/key binding with a signature by a trusted party; although the AlgorithmIdentifiers used here are new, they do fit in the X.509 framework.  This is rather out-of-the-box thinking, so I tested the idea, see https://github.com/arpa2/kerberos2pkix

PRO: Minimal changes to TLS, since Kerberos is now a signing algorithm.  The server can independently authenticate using RSA & co (on top of Kerberos' mutual authentication).  Ticket + timestamp-Authenticator go into an X.509 ClientCertificate, and an Authenticator including the hash over prior TLS messages can go into ClientVerify.  CertificateRequest can mix options for Kerberos, RSA, and so on, and client selects whatever it can get to locally, giving the best user experience.  We can also support user-to-user connections and S4U2Proxy a.k.a. "Constrained Delegation".

CON: These certificates are symmetrically keyed, which is uncommon.  Certificates are not readable to anyone, but only to the remote peer.  Certificate owner is ideally read from the embedded ticket, rather than from the subject field.


My money is on the last two, but option 4. really needs feedback because it is a bit wild.  When I get an idea where to go, I will be happy to write a new draft version... a much smaller and simpler one this time!

Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email