[15919] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8654] Prevent fallback from SPAKE to encrypted

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Mar 26 22:11:15 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8654@krbdev.mit.edu>
Message-ID: <rt-8654-48342.3.16195119790514@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8654'":;
Date: Mon, 26 Mar 2018 22:11:02 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

The SPAKE draft security considerations states "Client 
implementations SHOULD assume that encrypted timestamp and encrypted 
challenge are unlikely to succeed if SPAKE pre-authentication fails 
in the second pass and no second factor was used."  Otherwise, when 
an incorrect password is used with SPAKE, the client unnecessarily 
offers a dictionary-attackable ciphertext to the network.

The SPAKE module should set a flag when it sends a single-factor 
response, probably via a new callback.  The encrypted timestamp and 
encrypted challenge modules should check this flag and error out.

To be determined:

* What should the callback name be?

* Should it also affect SAM-2?  SAM-2 begins with a dictionary-
attackable ciphertext from the KDC, so it probably doesn't help for 
us to suppress it.

* It also doesn't seem right to fall back from a two-factor SPAKE 
attempt to encrypted timestamp.  Falling back to single-factor SPAKE 
would be strictly better (but not trivial to engineer); failing out 
entirely seems maybe more appropriate.  In general, if we get as far 
as using credentials to send a request in one preauth mechanism, 
falling back to another seems questionable; for instance, PKINIT 
rejections manifesting as password requests has never been a great 
user experience.  So we might give thought to a more general fallback 
suppression mechanism.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post