[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
alternative to user-to-user Kerberos in KINK
After talking to Matt Hur about this and thinking
about this for a long time, I think the better
part of valor here may, in fact, be avoidance.
Taking a giant step backward, the root of all of
the trouble here is that KINK is, in fact, a peer
to peer protocol where PKinit expects a client
server relationship. The main problem is that
PKinit authenticated clients do not share a
symmetric key at the KDC so the KDC cannot issue a
service ticket directly thus bringing on the
issues related to user-user mode. If the PKinit
client did share a key with the KDC, the KINK peer
would just obtain a normal service ticket and that
would be that.
Therefore, I think that I agree with Matt's
contention that a much better strategy for use of
PKinit would be to use PKinit as an enrollment
strategy into a kerberos realm rather than an
authentication strategy, per se. Ie, a client
authenticates to the KDC using a cert but the KDC
then enrolls it with a symmetric key and saves
that key in its principal database. I haven't
looked at this exhaustively, but I think that this
strategy could be implemented using either no or
minimal changes to PKinit -- the obvious thing to
do is use the session key from the TGT from the
PKinit AS-REQ as the symmetric key.
My proposal is that we deal with this problem as a
PKinit issue rather than a KINK issue because this
is a generic problem with PKinit -- KINK is just
the first to stumble upon the implications of
using PKinit in a peer to peer application. The
advantage here is that we could avoid *all*
unauthenticated requests which from a DoS
standpoint seems like a much better idea.
Mike
Medvinsky, Sasha (SD-EX) writes:
> The user-to-user Kerberos mode in KINK is intended to address the situation
> with PKINIT clients that do not have symmetric client keys registered with
> the KDC and therefore a Kerberized server cannot get a standard ticket for
> such a client. But the server still has to obtain user-to-user tickets for
> clients, which brings up the following issues:
>
> 1) Under some architecures, such as VoIP, fast failover time from a
> primary to a backup application server is critical. With the current
> protocol, the backup server would have to go to the KDC and get user-to-user
> tickets for all of the clients with which it needs to establish IPSec SAs.
> This adds to the recovery time and adds additional performance/reliability
> requirements to the KDC. The number of clients per server can be large -
> 100,000 clients / Call Server is possible in the PacketCable architecture.
>
> It is possible for the server to save user-to-user tickets and
> corresponding session keys into some shared database, which is undesirable
> in terms of complexity as well as security.
>
> 2) Load balancing between multiple Call Servers is sometimes used in
> the VoIP architecture - support for it is mandatory in the PacketCable
> standard. The user-to-user tickets again either add to the rekeying time
> (which delays the switch-over time for a client between servers) or adds the
> complication of a shared database of user-to-user tickets.
>
> 3) A standard Kerberized server that doesn't support the
> user-to-user tickets is a lot simpler to implement. It would implement a
> very small percentage of the Kerberos protocol - just the AP Req/AP
> Rep/KRB-ERROR messages. With the user-to-user mode, the server needs the
> complete Kerberos client implementation and in addition may need to support
> a very large ticket cache for user-to-user tickets.
>
> 4) Setting per-user policy is awkward for user-to-user requests.
> Normally, the user policy is associated with the client, but in this case
> the client is the server. Kerberos allows a user to pass authorization data
> in a TGS Request (which may be insecure, depending on the content of that
> authorization data), which would not be possible if it is the server getting
> a ticket for the client.
>
> 5) Setting per-user policy in a cross-realm case is even more
> awkward. The server's GetTGT request would most likely contain the server's
> realm name (as the server may not know the client's realm). This means that
> the response to the GetTGT will contain a cross-realm TGT for the client.
> So, the server's KDC will wind up issuing a server a user-to-user ticket for
> a client principal that is not even in that KDC's realm.
>
> There are alternative methods for handling PKINIT clients that address most
> of the above issues. What I propose, is the following modification to the
> protocol. The GetTGT message flow in section 4.2 can be replaced with the
> following:
>
> A
> B
> ------
> ------
> 1 AuthenticateRequest+ServerPrincipalName--------------->
>
> 2 <------------------------------------AuthenticateReply+AP_REQ
>
> 3 CREATE+ISAKMP (keyed cksum with sess key)-------->
>
> 4 <------------REPLY+ISAKMP(keyed cksum with sess key)
>
> In the above flows, there needs to be a way to tie flows 2 and 3 together -
> for example the client timestamp inside AP_REQ can be repeated in flow 3.
> In addition, there is already an XID in the header for this key management
> session. (It is also possible to include the AP_REP in flow 3.)
>
> In the above flows, the AuthenticateRequest is not authenticated, just like
> the GetTGT message. There is the denial of service argument against the
> above flow since anyone can send the AuthenticateRequest. If C impersonates
> A and sends the AuthenticateRequest, B will have to reply, but A will reject
> the reply because the XID (session ID in the header) will not match anything
> that A sent out. The denial of service arguments are:
>
> a) denial of service on the KDC - B may need to get a ticket for A
> if it doesn't have it already. But, even if KDC receives an invalid
> TGS_REQ, it still has to decrypt it to see that it is invalid. I don't
> think that the extra work of issuing a ticket is a major problem. Also,
> clients should cache the tickets, and the number of servers in the KDC
> database is probably not that big. Also, the clients should excersize
> access control and know ahead of time which servers they should be talking
> to.
>
> b) denial of service on the clients - this is similar to (a), except
> that the client's ticket cache is filled up. This is really the same case
> as (a), because when the client's ticket cache is filled up it can remove
> one of the entries. It just means that if the client gets a request that
> needs the removed ticket, the client will request it from the KDC again.
>
> Also, with the current KINK protocol, similar denial of service attacks are
> possible. In that protocol, the GetTGT message only specifies the realm.
> If the server doesn't know the client's name, it might get the wrong client
> TGT and get a user-to-user ticket for a wrong client. If the server then
> finds out that the resulting user-to-user ticket is not accepted by the
> legitimate client, it will probably retry with another GetTGT message that
> could also result in a wrong TGT (inserted by an adversary) and then a wrong
> user-to-user ticket, ...
>