Re: RFC 4121 & acceptor subkey use in MIC token generation

From: nico@cryptonector.com (Nico Williams)
Newsgroups: comp.protocols.kerberos
Subject: Re: RFC 4121 & acceptor subkey use in MIC token generation
Date: Tue, 24 Oct 2023 23:04:34 -0500
Organization: TNet Consulting
Lines: 80
Message-ID: <mailman.13.1698206686.2263420.kerberos@mit.edu>
References: <202310241950.39OJoa0Z000708@hedwig.cmf.nrl.navy.mil>
<3db2752e-565e-1f64-b354-9031a2fe9334@mit.edu>
<ZTiT0ub2uv5A/b4E@ubby21>
Cc: Ken Hornstein <kenh@cmf.nrl.navy.mil>, kerberos@mit.edu
To: Greg Hudson <ghudson@mit.edu>
 by: Nico Williams - Wed, 25 Oct 2023 04:04 UTC

On Tue, Oct 24, 2023 at 08:09:20PM -0400, Greg Hudson wrote:
> On 10/24/23 15:50, Ken Hornstein via Kerberos wrote:
> [Disputing the following comment in k5sealv3.c:]
> > First, we can't really enforce the use of the acceptor's subkey,
> > if we're the acceptor; the initiator may have sent messages
> > before getting the subkey. We could probably enforce it if
> > we're the initiator.

Once you've seen a MIC/Wrap token made with the acceptor subkey you know
that all subsequent sequence numbers must use the acceptor subkey.

Until then you don't know because GSS doesn't know if some MIC/Wrap
token it's consuming was made in response to an earlier MIC/Wrap/AP-REP
token sent by the acceptor application to the initiator. Also, in
practice no app that makes use of PROT_READY before GSS_S_COMPLETE on
the initiator side will do so for more than one or maybe two per-message
tokens (one for the app itself, and one for SPNEGO), so maybe we could
have a hard cap[*] on the number of per-message tokens using the
initiator sub-session key when the initiator requested mutual auth.

So, yes, enforcement is tricky. But in practice it's probably not a
problem because few apps make use of PROT_READY before GSS_S_COMPLETE on
the initiator side -- that's a pretty lame reason to say this is not a
problem...

[*] Apps that don't request mutual auth, however, should get to send an
unlimited number of per-message tokens using the initiator
sub-session key because what else could they do?

> I believe mutual authentication is frequently omitted for HTTP negotiate,
> but that's a minor point as in that case there's no acceptor subkey.

Yes.

> Whether the initiator can generate per-message tokens before receiving the
> subkey depends on whether the mechanism returned the prot_ready state (RFC
> 2743 section 1.2.7) to the caller after generating the initiator token. RFC
> 4121 does not mention prot_ready; I couldn't say whether that's an implicit
> contraindication on setting the bit. I'm not aware of any krb5 mechs
> setting the bit at that point in the initiator, although I recall Nico
> talking about maybe wanting to do so.

I'll have to check what MIT and Heimdal do. But yes, it'd be nice to be
able to make use of PROT_READY when GSS_S_CONTINUE_NEEDED.

Though GSS loses appeal every day, so we might never get to do a variety
of interesting things in GSS space.

Then again I know someone who badly wants a JWT client library that does
krb5-style caching for audience-constrained JWT tokens, and we could
always revive something like Luke Howard's BrowserID (a key exchanging
GSS mechanism based on JWT) so that JWT could be used in application
protocols where today it can't, and that might be interesting.

While I'm on the subject of JWT, there are two reasons JWT is killing
Kerberos:

- scaling (which we've solved in Heimdal)

To provision a server with Kerberos acceptor credentials is
traditionally a real pain because orchestrating them requires writing
to a database (the KDB). For JWT there's no provisioning, just a
periodic download of fresh JWKs. Heimdal has a scheme where you can
also periodically download Kerberos acceptor credentials w/o having
to write to the HDB (we call this a virtual host-based service
principal namespace, where all possible host-based principals below
the namespace "exist" with keys derived from the namespace's, the
principal's keys, and current time chunked into epochs).

- ease of access to authz data

In GSS/Kerberos getting to authz-data is insanely hard. In JWT it's
just JSON, and all you need is a convention for object key naming.

We have a solution to the scaling problem in Heimdal, but for the latter
problem we really need a GSS_Inquire_context_authz_data() that outputs
JSON just like JWT.

Nico
--
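
The acceptor-side rule discussed in the message above, written out as an added example (it is not code from the post, from MIT krb5 or from Heimdal): once a token flagged AcceptorSubkey has been seen, later sequence numbers must carry that flag, and initiator-subkey tokens are capped only when mutual auth was requested. The flag bits and the SND_SEQ offset follow RFC 4121 sections 4.2.2 and 4.2.6; `struct acc_ctx`, the function names, the verdict names and the cap of 2 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* RFC 4121 section 4.2.2 flag bits, carried in octet 2 of MIC and Wrap tokens. */
#define FLAG_SENT_BY_ACCEPTOR 0x01
#define FLAG_ACCEPTOR_SUBKEY  0x04
#define INIT_KEY_CAP 2 /* assumed cap, from the "one or maybe two" estimate */

enum verdict { V_OK, V_MALFORMED, V_WRONG_DIRECTION, V_NO_ACCEPTOR_SUBKEY,
               V_NEED_ACCEPTOR_SUBKEY, V_CAP_EXCEEDED };
struct acc_ctx {              /* hypothetical acceptor-side state */
    int mutual_requested;     /* initiator asked for mutual auth */
    int seen_acc_subkey;      /* a token keyed with the acceptor subkey was seen */
    uint64_t first_acc_seq;   /* lowest SND_SEQ seen with that flag */
    unsigned init_key_tokens; /* tokens accepted under the initiator subkey */
};

/* Policy check for a token from the initiator. Call it only after the checksum
 * verified under the key the flags select, so a forged header cannot move state. */
enum verdict check_token(struct acc_ctx *c, const uint8_t *t, size_t len)
{
    uint64_t seq = 0;
    if (len < 16 || t[1] != 0x04 || (t[0] != 0x04 && t[0] != 0x05))
        return V_MALFORMED;              /* not a 04 04 MIC or 05 04 Wrap token */
    if (t[2] & FLAG_SENT_BY_ACCEPTOR)
        return V_WRONG_DIRECTION;        /* reflected acceptor token */
    for (int i = 8; i < 16; i++) seq = (seq << 8) | t[i]; /* SND_SEQ, big-endian */
    if (t[2] & FLAG_ACCEPTOR_SUBKEY) {
        if (!c->mutual_requested)
            return V_NO_ACCEPTOR_SUBKEY; /* no AP-REP, so no such key exists */
        if (!c->seen_acc_subkey || seq < c->first_acc_seq)
            c->first_acc_seq = seq;
        c->seen_acc_subkey = 1;
        return V_OK;
    }
    if (c->seen_acc_subkey && seq > c->first_acc_seq)
        return V_NEED_ACCEPTOR_SUBKEY;   /* later sequence number, old key */
    if (c->mutual_requested && ++c->init_key_tokens > INIT_KEY_CAP)
        return V_CAP_EXCEEDED;
    return V_OK;
}

/* Build a constructed 16-octet token header and run it through the check. */
enum verdict feed(struct acc_ctx *c, uint8_t tok0, uint8_t flags, uint64_t seq)
{
    uint8_t t[16] = { tok0, 0x04, flags, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    for (int i = 0; i < 8; i++) t[8 + i] = (uint8_t)(seq >> (56 - 8 * i));
    return check_token(c, t, sizeof t);
}
```

Tokens that arrive out of order with a sequence number below the first acceptor-subkey token still pass under the initiator subkey, subject to the cap.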
