Realm lookups again
Nicolas.Williams at sun.com
Wed Oct 1 23:48:34 EDT 2008
On Wed, Oct 01, 2008 at 11:32:16PM -0400, Jeffrey Hutzelman wrote:
> > Aren't we running into the issue of what "trust" means? Just because
> > you "trust" another organization enough to exchange cryptographic
> > keys, doesn't mean you "trust" their people to access all of your
> > services
Yeah, Jeff's example was a Chinese wall, but if there's an x-realm trust
across that wall then you don't have a Chinese wall :)
> That is true, which is why I hate the term "cross-realm trust".
Well, sure, and then we could say that we hate the term "trusted third
party." Yet that's what the KDC is in Kerberos (and the CA in PKI).
> But no, in this case we're being very specific; Nico said "the child
> domain/realm trusts the parent not to attack it willfully". And one of the
> attacks we're talking about is the parent attempting to impersonate one of
> the child realm's services by causing domain-to-realm lookups to return
> incorrect results.
Yes. Your example of a case where we could not assume this trusting
relationship was not a very good one. A better example would be
something like a service-provider relationship between the child and the
parent realms. But the point is that yes, one can imagine such a
situation, so it's not a good idea to default to assuming that child
realms trust parent realms.
> It's possible that, given two hierarchically-related realms, the outer
> realm can be trusted not to attempt to impersonate services in the inner
> realm in this way. However, it's also possible that the outer realm cannot
> be trusted in this way, in which case assuming that it could would leave
> one vulnerable. It seems to me that "secure by default" demands that such
> an assumption not be made without explicit policy to the contrary.
I agree. And yet, I think that this host2realm algorithm is safer than
the TXT RR lookup algorithm since the attacker is far more constrained
w.r.t. what realms he can redirect the client to. Also, this host2realm
algorithm works with DNS lookups for KDCs disabled, provided you have a
fully populated [realm] section in krb5.conf, but without having to
furnish a fully populated [domain_realm] section.
IOW, there's value, even much value, in this scheme. Make it default to
not searching up the hierarchy unless DNS lookups are disabled, and
you've got something that is secure and convenient.