[5551] in Kerberos
Re: What is a GSSAPI channel binding?
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Tue Jul 25 14:19:37 1995
To: kerberos@MIT.EDU
Date: 25 Jul 1995 18:06:10 GMT
From: marc@cam.ov.com (Marc Horowitz)

>> It's not clear to me what the abstraction of a GSSAPI channel binding
>> maps to on the level of a real protocol. The intent is to prevent
>> replay of a data stream from another host, correct?

Basically. The intent is to give security protocols which have the
ability to check addresses the necessary info to do so. (This is
orthogonal to whether or not it is a good idea for Kerberos or any
other protocol to handle addressing information.)

>> Isn't this redundant for Kerberos, since the client address is in the
>> authenticator?

No. When you call gss_accept_sec_context() with an underlying
Kerberos mechanism and pass it a token, the underlying code cannot
know what IP address the token came from. The application developer
must use the channel bindings to tell the mechanism implementation
what IP address the token came from, so that it can compare this
address to the address in the decoded authenticator to make sure
nothing bad is happening.

>> If having addresses in the authenticator is optional in other
>> protocols, shouldn't this be handled like the per-message QOP option?

I'm not sure I understand your question. The application developer
doesn't always know what underlying mechanism is in use, so it doesn't
know if the addresses are needed. So it should always pass in channel
bindings, and underlying mechanisms can choose to make use of this
information, or throw it away.

Marc
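The division of labour Marc describes (the acceptor learns the peer address from its socket, hands it to the mechanism through the channel bindings, and the mechanism compares it with the address in the decoded authenticator) as an added example; this code is not from the original post or from MIT Kerberos. It assumes IPv4 only, uses stand-in type definitions mirroring the RFC 2744 channel-bindings structure (field names and the GSS_C_AF_INET code 2) so it compiles without libgssapi, and models the mechanism's address comparison with a small function rather than calling gss_accept_sec_context(); in real code you would include <gssapi/gssapi.h>, fill the library's gss_channel_bindings_struct the same way, and pass it as the input_chan_bindings argument.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Stand-in for the RFC 2744 channel-bindings structure and the
 * GSS_C_AF_INET address-family code (value 2), so this file compiles
 * without libgssapi. Real code includes <gssapi/gssapi.h> and uses the
 * library's gss_channel_bindings_struct / gss_buffer_desc instead. */
#define CB_AF_INET 2
typedef struct { size_t length; void *value; } cb_buffer;
typedef struct {
    uint32_t  initiator_addrtype;
    cb_buffer initiator_address;
    uint32_t  acceptor_addrtype;
    cb_buffer acceptor_address;
    cb_buffer application_data;
} channel_bindings;

/* Application (acceptor) side: the peer address comes from the socket
 * (e.g. getpeername()), never from the token. The 4-byte IPv4 address in
 * sin_addr is already in network byte order, which is what the Kerberos
 * mechanism expects in initiator_address. addrbuf must outlive cb. */
int fill_ipv4_bindings(const struct sockaddr_in *peer,
                       channel_bindings *cb, unsigned char addrbuf[4])
{
    if (peer->sin_family != AF_INET) return -1;
    memset(cb, 0, sizeof *cb);
    memcpy(addrbuf, &peer->sin_addr.s_addr, 4);
    cb->initiator_addrtype = CB_AF_INET;
    cb->initiator_address.length = 4;
    cb->initiator_address.value = addrbuf;
    return 0;
}

/* Mechanism side (modelled, not libgssapi): compare the address the
 * application supplied in the bindings with the address carried in the
 * decoded authenticator. Returns 1 on match, 0 otherwise. */
int mech_address_matches(const channel_bindings *cb,
                         const unsigned char auth_addr[4])
{
    if (cb->initiator_addrtype != CB_AF_INET ||
        cb->initiator_address.length != 4)
        return 0;               /* no usable binding: treat as mismatch */
    return memcmp(cb->initiator_address.value, auth_addr, 4) == 0;
}

/* Helper for the walk-through: dotted-quad text to 4 network-order bytes. */
int ipv4_bytes(const char *dotted, unsigned char out[4])
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    memcpy(out, &a.s_addr, 4);
    return 0;
}

/* End-to-end check on constructed values: the peer address the socket
 * reports versus the address in the authenticator. Returns 1 when the
 * modelled mechanism would accept, 0 when it would reject, -1 on bad input. */
int accept_check(const char *peer_ip, const char *authenticator_ip)
{
    struct sockaddr_in peer;
    channel_bindings cb;
    unsigned char addrbuf[4], auth_addr[4];

    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1) return -1;
    if (fill_ipv4_bindings(&peer, &cb, addrbuf) != 0) return -1;
    if (ipv4_bytes(authenticator_ip, auth_addr) != 0) return -1;
    return mech_address_matches(&cb, auth_addr);
}

int main(void)
{
    /* Constructed sample addresses. */
    printf("token from the host named in the authenticator: %d\n",
           accept_check("10.0.0.5", "10.0.0.5"));
    printf("same token arriving from a different host:      %d\n",
           accept_check("10.0.0.6", "10.0.0.5"));
    return 0;
}
```

The point of the second case is the one the post makes: the token bytes are identical in both runs, so only the address the application supplied in the bindings lets the mechanism tell them apart. Passing no bindings at all leaves the mechanism free to skip the check, which is why the post recommends always supplying them.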