PKINIT -27 proposal: binding the AS-REP with the AS-REQ


Larry Zhu

Andre Scedrov and his research group, Iliano Cervesato, Aaron Jaggard,
Joe-Kai Tsay, and Chris Walstad, discovered that the binding between
AS-REQ and AS-REP can be broken when using PKINIT.  

"In brief, the intruder inserts herself into the usual Kerberos 5
message flow. This allows the intruder to obtain credentials under her
own name -- she must be a legal client herself -- but using the nonces, etc.,
from the original client's requests in doing so. The intruder may thus
forge responses, including the proper signatures from the KAS, to the
original client's requests. At the end of the sequence: the client
believes that she has authenticated herself to, and shares keys with,
the various servers; the intruder knows these shared keys; and the
servers correctly believe that they have taken part in a protocol run
with the intruder. As a result, the intruder may impersonate the
application server in interacting with the client; alternatively, if the
client attempts to interact with the server in a way that the intruder
is allowed to, the interaction will proceed and may be monitored by the
intruder (who knows the associated session key)."

"This attack is possible because the servers never sign the name of the
client they believe they are interacting with in a way that is visible
to the client herself. (The servers do encrypt the name of the client
for whom they are granting credentials -- in this case, the intruder's
name -- but this is inside a ticket which is opaque to the client.) This
attack described does not appear to be possible when Diffie-Hellman key
generation is used, because the intruder cannot learn the Diffie-Hellman
private values;"

(Courtesy of [hidden email])


To address Andre's concern, we propose to make the following changes in
section 3.2.3.2:

OLD:
        ReplyKeyPack ::= SEQUENCE {
           replyKey                [0] EncryptionKey,
                    -- Contains the session key used to encrypt the
                    -- enc-part field in the AS-REP.
           nonce                   [1] INTEGER (0..4294967295),
                    -- Contains the nonce in the PKAuthenticator of the
                    -- request.
           ...
        }

REPLACE with:

       ReplyKeyPack ::= SEQUENCE {
           replyKey                [0] EncryptionKey,
                   -- Contains the session key used to encrypt the
                   -- enc-part field in the AS-REP.
           as-checksum             [1] Checksum,
                   -- Contains the checksum of the AS-REQ
                   -- corresponding to the containing AS-REP.
                   -- The checksum is performed over the type AS-REQ.
                   -- The protocol key [RFC3961] of the checksum is the
                   -- replyKey and the key usage number is 6.
                   -- If the replyKey's enctype is "newer" [RFC4120]
                   -- [RFC4121], the checksum is the required
                   -- checksum operation [RFC3961] for that enctype.
                   -- The client MUST verify this checksum upon
                   -- receipt of the AS-REP.
           ...
       }

-- Larry

P.S.

Andre and Aaron will be present at the upcoming IETF meeting.
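
An added illustration (not part of the original post, nor code from any PKINIT implementation) of why the proposed as-checksum ties the reply to the client's own AS-REQ where the echoed nonce alone does not. Assumptions: the AS-REQ encoding, the principal names and all function names are constructed for the example; the ReplyKeyPack fields are taken as KDC-signed and so unalterable in transit; and HMAC-SHA1-96 under a usage-specific key stands in for the RFC 3961 checksum and key derivation.

```python
import hashlib
import hmac
import os

KEY_USAGE = 6  # key usage number given in the proposed ReplyKeyPack text


def as_checksum(reply_key: bytes, as_req: bytes) -> bytes:
    # Stand-in for the RFC 3961 required checksum: HMAC-SHA1 truncated to
    # 96 bits under a usage-specific key. NOT the real RFC 3961 derivation.
    kc = hmac.new(reply_key, KEY_USAGE.to_bytes(4, "big"), hashlib.sha1).digest()
    return hmac.new(kc, as_req, hashlib.sha1).digest()[:12]


def encode_as_req(cname: str, nonce: int) -> bytes:
    # Constructed stand-in for the DER encoding of the AS-REQ.
    return f"AS-REQ|cname={cname}|nonce={nonce}".encode()


def kdc_reply_key_pack(received_as_req: bytes, nonce: int) -> dict:
    # The KDC fills in both the OLD field (nonce) and the NEW field
    # (as-checksum) for the request it actually received.
    key = os.urandom(32)
    return {"replyKey": key, "nonce": nonce,
            "as-checksum": as_checksum(key, received_as_req)}


def verify_old(sent_nonce: int, pack: dict) -> bool:
    return pack["nonce"] == sent_nonce


def verify_new(sent_as_req: bytes, pack: dict) -> bool:
    expected = as_checksum(pack["replyKey"], sent_as_req)
    return hmac.compare_digest(expected, pack["as-checksum"])


def run_scenario() -> dict:
    nonce = 0x1234ABCD
    sent = encode_as_req("client@EXAMPLE.COM", nonce)
    # Request the KDC saw instead: same nonce, different client name.
    seen = encode_as_req("other@EXAMPLE.COM", nonce)
    relayed = kdc_reply_key_pack(seen, nonce)
    honest = kdc_reply_key_pack(sent, nonce)
    return {"old_relayed": verify_old(nonce, relayed),
            "new_relayed": verify_new(sent, relayed),
            "new_honest": verify_new(sent, honest)}


if __name__ == "__main__":
    print(run_scenario())
```

The nonce-only check passes for a reply issued to a different client name, while the checksum over the whole AS-REQ fails for it and still passes for the honest reply.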



Re: PKINIT -27 proposal: binding the AS-REP with the AS-REQ

Jeffrey Hutzelman


On Monday, July 11, 2005 09:43:29 AM -0700 "Liqiang(Larry) Zhu"
<[hidden email]> wrote:

>
> Andre Scedrov and his research group, Iliano Cervesato, Aaron Jaggard,
> Joe-Kai Tsay, and Chris Walstad, discovered that the binding between
> AS-REQ and AS-REP can be broken when using PKINIT.

This is ticket #1063.  Bleah, 4-digit numbers. :-(



Re: PKINIT -27 proposal: binding the AS-REP with the AS-REQ

Jeffrey Hutzelman


On Monday, July 11, 2005 11:37:07 PM -0400 Jeffrey Hutzelman
<[hidden email]> wrote:

>
>
> On Monday, July 11, 2005 09:43:29 AM -0700 "Liqiang(Larry) Zhu"
> <[hidden email]> wrote:
>
>>
>> Andre Scedrov and his research group, Iliano Cervesato, Aaron Jaggard,
>> Joe-Kai Tsay, and Chris Walstad, discovered that the binding between
>> AS-REQ and AS-REP can be broken when using PKINIT.
>
> This is ticket #1063.  Bleah, 4-digit numbers. :-(

Also, as Larry mentioned, Andre and Aaron will be at the meeting in Paris.
We'll be making some agenda time for them to talk about their discovery and
its implications, and to discuss Larry's proposed solution.

Larry's proposed text will appear in pkinit-27, but the issue will not be
considered resolved until we have a WG consensus on how to deal with this
important issue.

-- Jeff