draft-ietf-kitten-pkinit-alg-agility-06.txt   draft-ietf-kitten-pkinit-alg-agility-07.txt 
Kitten Working Group L. Hornquist Astrand Kitten Working Group L. Hornquist Astrand
Internet-Draft Apple, Inc Internet-Draft Apple, Inc
Updates: 4556 (if approved) L. Zhu Updates: 4556 (if approved) L. Zhu
Intended status: Standards Track Oracle Corporation Intended status: Standards Track Oracle Corporation
Expires: September 7, 2019 M. Wasserman Expires: October 20, 2019 M. Wasserman
Painless Security Painless Security
G. Hudson, Ed. G. Hudson
MIT MIT
March 6, 2019 April 18, 2019
PKINIT Algorithm Agility PKINIT Algorithm Agility
draft-ietf-kitten-pkinit-alg-agility-06 draft-ietf-kitten-pkinit-alg-agility-07
Abstract Abstract
This document updates the Public Key Cryptography for Initial This document updates the Public Key Cryptography for Initial
Authentication in Kerberos standard (PKINIT) [RFC4556], to remove Authentication in Kerberos standard (PKINIT) [RFC4556], to remove
protocol structures tied to specific cryptographic algorithms. The protocol structures tied to specific cryptographic algorithms. The
PKINIT key derivation function is made negotiable, and the digest PKINIT key derivation function is made negotiable, and the digest
algorithms for signing the pre-authentication data and the client's algorithms for signing the pre-authentication data and the client's
X.509 certificates are made discoverable. X.509 certificates are made discoverable.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 7, 2019. This Internet-Draft will expire on October 20, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 4 skipping to change at page 3, line 4
8.2. Test Vector for SHA-1, enctype 18 . . . . . . . . . . . . 12 8.2. Test Vector for SHA-1, enctype 18 . . . . . . . . . . . . 12
8.2.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 12 8.2.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 12
8.2.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 12 8.2.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 12
8.3. Test Vector for SHA-256, enctype . . . . . . . . . . . . 13 8.3. Test Vector for SHA-256, enctype . . . . . . . . . . . . 13
8.3.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 13 8.3.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 13
8.3.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 13 8.3.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 13
8.4. Test Vector for SHA-512, enctype . . . . . . . . . . . . 13 8.4. Test Vector for SHA-512, enctype . . . . . . . . . . . . 13
8.4.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 13 8.4.1. Specific Inputs . . . . . . . . . . . . . . . . . . . 13
8.4.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 13 8.4.2. Outputs . . . . . . . . . . . . . . . . . . . . . . . 13
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
12.1. Normative References . . . . . . . . . . . . . . . . . . 14 12.1. Normative References . . . . . . . . . . . . . . . . . . 15
12.2. Informative References . . . . . . . . . . . . . . . . . 15 12.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . 16 Appendix A. PKINIT ASN.1 Module . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
The Public Key Cryptography for Initial Authentication in Kerberos The Public Key Cryptography for Initial Authentication in Kerberos
(PKINIT) standard [RFC4556] defines several protocol structures that (PKINIT) standard [RFC4556] defines several protocol structures that
are either tied to SHA-1 [RFC6234], or do not support negotiation or are either tied to SHA-1 [RFC6234], or do not support negotiation or
discovery, but are instead based on local policy: discovery, but are instead based on local policy:
o The checksum algorithm in the authentication request is hardwired o The checksum algorithm in the authentication request is hardwired
to use SHA-1. to use SHA-1.
skipping to change at page 14, line 13 skipping to change at page 14, line 13
D3C78A79 D65213EF E9A826F7 5DFB01F7 2362FB16 FB01DAD6 D3C78A79 D65213EF E9A826F7 5DFB01F7 2362FB16 FB01DAD6
9. Security Considerations 9. Security Considerations
This document describes negotiation of checksum types, key derivation This document describes negotiation of checksum types, key derivation
functions and other cryptographic functions. If a given negotiation functions and other cryptographic functions. If a given negotiation
is unauthenticated, care must be taken to accept only secure values; is unauthenticated, care must be taken to accept only secure values;
to do otherwise allows an active attacker to perform a downgrade to do otherwise allows an active attacker to perform a downgrade
attack. attack.
The discovery method described in Section 4 uses a Kerberos error
message, which is unauthenticated in a typical exchange. An attacker
may attempt to downgrade a client to a weaker CMS type by forging a
KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED error. It is a matter of
local policy whether a client accepts a downgrade to a weaker CMS
type. A client may reasonably assume that the real KDC implements
all hash functions used in the client's X.509 certificate, and refuse
attempts to downgrade to weaker hash functions.
The discovery method described in Section 5 also uses a Kerberos
error message. An attacker may attempt to downgrade a client to a
certificate using a weaker signing algorithm by forging a
KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED error. It is a matter of local
policy whether a client accepts a downgrade to a weaker certificate.
This attack is only possible if the client device possesses multiple
client certificates of varying strength.
In the KDF negotiation method described in Section 6, the client
supportedKDFs value is protected by the signature on the
signedAuthPack field in the request. If this signature algorithm is
weak to collision attacks, an attacker may attempt to downgrade the
negotiation by substituting an AuthPack with a different or absent
supportedKDFs value, using a PKINIT freshness token [RFC8070] to
partially control the legitimate AuthPack value. A client performing
anonymous PKINIT [RFC8062] does not sign the AuthPack, so an attacker
can easily remove the supportedKDFs value in this case. Finally, the
kdf field in the DHRepInfo of the KDC response is unauthenticated, so
could be altered or removed by an attacker, although this alteration
will likely result in a decryption failure by the client rather than
a successful downgrade. It is a matter of local policy whether a
client accepts a downgrade to the old KDF.
The paChecksum field, which binds the client pre-authentication data
to the Kerberos request body, remains fixed at SHA-1. If an attacker
substitutes a different request body using an attack against SHA-1 (a
second preimage attack is likely required as the attacker does not
control any part of the legitimate request body), the KDC will not
detect the substitution. Instead, if a new KDF is negotiated, the
client will detect the substitution by failing to decrypt the reply.
10. Acknowledgements 10. Acknowledgements
Jeffery Hutzelman, Shawn Emery, Tim Polk, Kelley Burgin, Ben Kaduk, Jeffery Hutzelman, Shawn Emery, Tim Polk, Kelley Burgin, Ben Kaduk,
and Scott Bradner reviewed the document and provided suggestions for Scott Bradner, and Eric Rescorla reviewed the document and provided
improvements. suggestions for improvements.
11. IANA Considerations 11. IANA Considerations
IANA is requested to update the following registrations in the IANA is requested to update the following registrations in the
Kerberos Pre-authentication and Typed Data Registry created by Kerberos Pre-authentication and Typed Data Registry created by
section 7.1 of RFC 6113 to refer to this specification. These values section 7.1 of RFC 6113 to refer to this specification. These values
were reserved for this specification in the initial registrations. were reserved for this specification in the initial registrations.
TD-CMS-DIGEST-ALGORITHMS 111 [ALG-AGILITY] TD-CMS-DIGEST-ALGORITHMS 111 [ALG-AGILITY]
TD-CERT-DIGEST-ALGORITHMS 112 [ALG-AGILITY] TD-CERT-DIGEST-ALGORITHMS 112 [ALG-AGILITY]
skipping to change at page 16, line 19 skipping to change at page 17, line 15
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
<https://www.rfc-editor.org/info/rfc6194>. <https://www.rfc-editor.org/info/rfc6194>.
[RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm [RFC7696] Housley, R., "Guidelines for Cryptographic Algorithm
Agility and Selecting Mandatory-to-Implement Algorithms", Agility and Selecting Mandatory-to-Implement Algorithms",
BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015, BCP 201, RFC 7696, DOI 10.17487/RFC7696, November 2015,
<https://www.rfc-editor.org/info/rfc7696>. <https://www.rfc-editor.org/info/rfc7696>.
[RFC8062] Zhu, L., Leach, P., Hartman, S., and S. Emery, Ed.,
"Anonymity Support for Kerberos", RFC 8062,
DOI 10.17487/RFC8062, February 2017,
<https://www.rfc-editor.org/info/rfc8062>.
[RFC8070] Short, M., Ed., Moore, S., and P. Miller, "Public Key
Cryptography for Initial Authentication in Kerberos
(PKINIT) Freshness Extension", RFC 8070,
DOI 10.17487/RFC8070, February 2017,
<https://www.rfc-editor.org/info/rfc8070>.
[WANG04] Wang, X., Lai, X., Fheg, D., Chen, H., and X. Yu, [WANG04] Wang, X., Lai, X., Fheg, D., Chen, H., and X. Yu,
"Cryptanalysis of Hash functions MD4 and RIPEMD", August "Cryptanalysis of Hash functions MD4 and RIPEMD", August
2004. 2004.
Appendix A. PKINIT ASN.1 Module Appendix A. PKINIT ASN.1 Module
KerberosV5-PK-INIT-Agility-SPEC { KerberosV5-PK-INIT-Agility-SPEC {
iso(1) identified-organization(3) dod(6) internet(1) iso(1) identified-organization(3) dod(6) internet(1)
security(5) kerberosV5(2) modules(4) pkinit(5) agility (1) security(5) kerberosV5(2) modules(4) pkinit(5) agility (1)
} DEFINITIONS EXPLICIT TAGS ::= BEGIN } DEFINITIONS EXPLICIT TAGS ::= BEGIN
skipping to change at page 19, line 29 skipping to change at page 20, line 32
Margaret Wasserman Margaret Wasserman
Painless Security Painless Security
356 Abbott Street 356 Abbott Street
North Andover, MA 01845 North Andover, MA 01845
USA USA
Phone: +1 781 405-7464 Phone: +1 781 405-7464
Email: mrw@painless-security.com Email: mrw@painless-security.com
URI: http://www.painless-security.com URI: http://www.painless-security.com
Greg Hudson (editor) Greg Hudson
MIT MIT
Email: ghudson@mit.edu Email: ghudson@mit.edu
 End of changes. 10 change blocks. 
15 lines changed or deleted 66 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/