misc q's: not loading profile from memory, not alloc memory on mk_priv/mk_safe, no replay cache?
Chris Hecker
checker at d6.com
Sat Aug 6 05:38:52 EDT 2011
> AP_OPTS_USE_SUBKEY on client
> KRB5_AUTH_CONTEXT_USE_SUBKEY on the server
I'm getting around to testing this, and I think I'm misunderstanding the
subkey thing, and specifically, how the send_subkey and recv_subkey are
used in the auth_context. I expected, when I implemented the above
flags as you mention below, when the mutual authentication was complete
(mk_req->rd_req->mk_rep->rd_rep) for there to be one subkey in the
send_subkey on the client and the recv_subkey on the server, and another
on the send_subkey of the server and the recv_subkey on the client.
This is not what happens. Everywhere a subkey is generated or read in
these functions (that I could find), they stomp both send_subkey and
recv_subkey with the same key. Namely:
- mk_req_ext.c - generate_and_save_subkey stomps both send and recv
- rd_req_dec.c - sets both send and recv with krb5_k_create_key
- mk_rep.c - generate_and_save_subkey again
- rd_rep.c - sets both to the enc->subkey
So, a couple questions:
1. I assume this is correct, and I'm simply misunderstanding? I'm
trying to parse your last sentence below...the
KRB5_AUTH_CONTEXT_USE_SUBKEY on the mk_rep makes a new subkey for the
entire session, so assuming I always do mutual authn, then if I get a
replayed AP-REQ which has a subkey in it, I stomp it with the new one
during AP-REP, and to get the new subkeys the client would have to be
able to decode the reply, which they can't since they're just replaying.
I think.
2. Why have send_subkey and recv_subkey if they're always equal?
Thanks,
Chris
On 2011/07/14 20:59, Greg Hudson wrote:
> On Thu, 2011-07-14 at 21:57 -0400, Chris Hecker wrote:
>> 1. I'd like to specify the profile information via code directly in the
>> clients, rather than loading it from a file. In other words, I'd like
>> to simply set the default_realm, the kdc, and whatnot dynamically from
>> code. Looking through the prof_* code, it looks like the
>> loading/parsing stuff is pretty file-dependent, and there's a lot of it.
>
> This is coming in 1.10. I haven't finished the project writeup for it,
> but there are some design discussions in the krbdev archives. I'm not
> sure what your constraints are; if you need to make a current release
> work but can modify the code, you may just want to hack up libprofile in
> whatever way is easiest and replace it with the 1.10 pluggable
> configuration system in the future.
>
>> 2. I was hoping to make versions of mk_priv and mk_safe that use
>> already allocated buffers, but this seems like it'd be a pretty huge
>> change and there's a lot more memory allocation in those functions than
>> just the output buffer, so it's probably not worth it. I assume there's
>> not much demand for a version of kerberos that doesn't allocate memory
>> (once session is established)?
>
> Not that I'm aware of. That would indeed be a pretty huge change.
>
>> 3. I'm trying to understand when it's safe to not use a replay cache,
>> and from reading the internet[*], it seems like if I have the packets in
>> a session have any kind of unique challenge-response data in them, I
>> don't need to worry about replays, right?
>
> So, there are two dangers: an attacker could use replayed messages to
> fake a client to the server, or an attacker could use replayed messages
> to fake a server to the client.
>
> As long as you do mutual authentication, faking a server to the client
> should be impossible if you use AP_OPTS_USE_SUBKEY in the client.
> Setting that option causes the client to generate a fresh subkey for the
> auth context each time it performs an authentication, so no previous
> KRB-AP-REP packet will be accepted.
>
> Likewise, if you set KRB5_AUTH_CONTEXT_USE_SUBKEY in the auth context on
> the server, the server will generate a (second) fresh subkey in the
> reply message. This means if the client replays a KRB-AP-REQ, the
> server will (without a replay cache) believe it to be a valid
> authenticator, but the attacker won't be able to send any valid KRB-SAFE
> or KRB-PRIV messages because it won't know the subkey for the auth
> context.
>
>
>
More information about the Kerberos
mailing list