Re: Insecure WWW Access Authorization Protocol?
"Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
Errors-To: listmaster@www0.cern.ch
Date: Tue, 8 Mar 1994 18:30:09 --100
Message-id: <9403081725.AA04857@xdm039.ccc.cranfield.ac.uk>
Errors-To: listmaster@www0.cern.ch
Reply-To: P.Lister@cranfield.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: "Peter Lister, Cranfield Computer Centre" <P.Lister@cranfield.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: Insecure WWW Access Authorization Protocol?
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 7120
> All of this Kerberos discussion is perpetrating a lot of
> misconceptions. There's no need to stick service name or realm
> information in urls, or worry about instance names and all that.
I have never suggested "sticking service name or realm information in urls"; I
have agreed with others that the Kerberos principal should be derived from the
URL's server name, not the Authentication field return by an untrusted HTTP
server. I shall continue to worry until the protcol adequately addresses this
problem, thanks all the same.
> Here's the big picture. A client is registered in a Kerberos realm.
> For that realm, there are one or more Kerberos servers which provide
> service tickets to the registered clients. Likewise, a service is
> registered in a Kerberos realm. The realm servers know how to encrypt
> ticket data for all of the registered clients and servers. This is
> because each client and service has a secret key, which the realm
> servers know about.
Neither "clients" nor "servers" are registered with the Kerberos server,
principal/instances are. Kerberos servers happily provide encrypted tickets to
anyone who asks, safe in the knowledge that only a client in possesion of the
correct key can decrypt the ticket. It doesn't have to be "registered" at all.
Whether a principal/instance is a client or server depends solely on who asks
for a ticket to authenticate to whom.
BTW I use "client" to mean running instance of a client program such as a WWW
browser, not the system on which it's running. Likewise a server is a running
instance of a program which responds to requests from the net.
> A client identifies a service it wishes to use. The minimum
> information needed for this identity is a host name or IP address, a
> port number, and a service name. It does *not* matter whether the
> client knows the service name beforehand, or, as in the case of the
> HTTP protocol, learns it *after* connecting to the service (the first
> time).
The service name is http. That's a given. All the client knows is a URL. From
that it knows the server's hostname and port number, it's already tried to get
the document and been told it needs to authenticate via Kerberos. Think about
your last sentence. How did the client get this far without knowing the
service name?
> Given no other information, the client attempts to obtain a ticket for
> the service by making a request to it's Kerberos realm server. If the
> service is correctly registered in that same realm, a ticket will be
> granted and athentication will proceed.
OK. How does the client know
a) which Kerberos server to ask (it needs to know the realm beforehand)
b) which instance of the principal to ask for (since a single Kerberos realm
can quite legitimately have multiple HTTP servers)
..given that it can't trust the server yet? All it knows is the URL, so we
have to agree on how to get this info out of the URL, OK? That's what we're
saying.
> If the service is registered in a *different* Kerberos realm than that
> of the client, the client must provide that realm name with the ticket
> request it makes to it's own realm. If the client's and server's
> realms have a pre-existing cross-authentication agreement,
> athentication can proceed. In the case of the HTTP protocol, the
> client learns the realm of the service *after* connection. Again, this
> is perfectly ok.
No it isn't. Look, at this point the client *CAN'T TRUST THE SERVER*, yes? It
might be talking to the right server, it could be talking to a spoofer which
tells the client to authenticate to the spoofer's principal. How does the
client know? In normal Kerberos interaction, the service's principal is known
beforehand because the application has conventions defining to which principal
the client should authenticate.
If you phone up a small company which you suspect might be crooked, or where
there is no accepted way of checking their bona fides, and the guy on the
other end said "Phone this number, and they'll tell you we're genuine", you
have no way of telling whether the number in question is the conman's partner,
or a very satisfied and upright member of the community who will testify to
years of excellent service. If the guys says "Contact this bank, they'll vouch
for us", and names a respected institution which you then approach
independently via the well-known information contained in the phone book,
you're as sure as you can be.
> Here's the point. It does not matter *when* or *from whom* the client
> learns the service name or registration realm of the server. A rogue
> server cannot spoof a client by providing misleading information of
> this kind. If the service is correctly registered in the client's realm
> or in a valid cross-authenticating realm, authentication will succeed,
> otherwise the client cannot obtain a valid ticket for the service, and
> will recieve an "unknown service" error. The Kerberos protocol and
> client-code take care of things like reverse look-up and all that. I
> know all this is confusing, but that's just because it's complicated
> ;-)
But (sigh) services and clients are not registered by the Kerberos server!!
And how does it learn the server name and realm (and instance), if not from
the URL? The whole point is that a spoof HTTP server provides a reference to
any principal the spoofer knows about (so any student at Cranfield, MIT, CMU
etc has this power). A naive client happily authenicates. It doesn't have to
be the *right* server principal if the client is stupid enough to believe
everything it's told from an untrusted source, because the stupid client
doesn't know what the right server *is*.
I don't know what you imagine that Kerberos client code does, but it
definitely does *not* check that the reverse IP address translation matches
the principal name, which is what you seemm to imply. And, anyway, the
authentication has succeeded, so, Kerberos wouldn't notice anything wrong,
anyway!
I think this this is confusing because you have a misconception about how
Kerberos works. Don't worry. I've been managing a Kerberos site for 3 year,
and it took me about 18 months to handle it, and I still don't regard myself
as an expert.
> The major security problems with Kerberos have to do with the humans
> and human procedures used in adminstering the realms, not the code and
> protocol.
Here, at least, we are in agreement. But if you read the preceding exchanges,
you will have noticed that no-one is accusing Kerberos of being at fault; the
problem is down to the conventions used by HTTP to determine it needs to do
with Kerberos. These must be sorted out *before* any exchanges take place on
the wire.
I you have anything further to say, let's take this off-line. I'm sure we're
boring the pants off www-talk.
Peter Lister Email: p.lister@cranfield.ac.uk
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---