Painless Security

MIT Kerberos 1.7 is released. I think this release really takes MIT Kerberos forward both for end sites and for system integrators. There are a lot of code quality improvements and bug fixes. For sites, this release allows changes to flow from one KDC to another on an ongoing basis rather than waiting for periodic refreshes. In addition, the domain-realm referral project allows information mapping hosts to domains to be configured in one place rather than on each client.

I already wrote about Active Directory enhancements. Painless Security was also involved in a project to secure Kerberos against offline dictionary attacks. I’m very happy that this project made the 1.7 release. To be truly useful, it will require integration from OS vendors into PAM modules and the like. I’ll discuss my plans for doing that in Debian in a future post.

Despite a lot of new features, initial signs are that 1.7 is going to be a relatively stable release. It has been in Debian unstable for over a month and at this point is working quite well.

The Kerberos Consortium, Padl Software, Interisle and Painless Security have been working on adding support for various Active Directory features into MIT Kerberos’s upcoming 1.7 release. I think this project will bring a lot of much needed functionality to MIT Kerberos, and will support the use of Kerberos as a tool in other larger systems.

The project has brought together a lot of players: it wouldn’t have been possible without the efforts of Microsoft, Samba, Novell and several others I’m probably forgetting. It’s great to see such an interest in interoperability that all these parties can work together.

For me, it has been a different approach. I’m used to doing a fair bit of design work up front, understanding what is being delivered, and then working on the code. For a variety of reasons we took a different approach here. Every morning I’d wake up to a new chunk of code to review, evaluate and present to the Kerberos development community. I’d describe the design of the code in order to seek comments and if changes were justified, we’d work to make them. For much of the project, code was coming in faster than I could evaluate it. This meant it was a high-stress and exhilarating project. In other words, it was great fun!

There’s one thing that worries me about this focus on Active Directory. Sure, everyone needs to work with Microsoft. First, it is a market reality. Secondly, Microsoft has brought some great innovative thinking to the realm of network security and we should all take advantage of it. However, it seems that most of the players are only focused on supporting Microsoft features and are ceding the entire space to Microsoft. No one else is working on open standards for expressing authorization. The entire PAC structure, how entities are named, how they belong to groups and how this all interacts in a directory is defined by Microsoft. As a result, Microsoft is in a position to add new technology. However with the current approaches, no one else has this ability. That means, Microsoft will always be one step ahead.

I think it is important that that we all look at how we can embrace and extend Microsoft technology, while maintaining the ability to work together and to work with Microsoft. Doing this is going to require a lot of work but is essential for the continued innovation of network security.

DNS Forgery attacks have been in the news recently in a big way: a story in the New York Times said that details of a new DNS attack will be released this week. The basic idea is that it is possible to trick a recursive name server into believing that responses provided by an attacker should be believed instead of responses provided by the real authoritative DNS server. The recursive name server passes this poisoned data along to its clients who use the information to translate names to addresses and for other DNS functions. As the Wikipedia article points out, a particularly effective target for DNS Forgery are authority records in DNS responses. I.E., if the attacker can overwrite the DNS records that specify what name servers should be consulted for a particular domain, then the attacker can capture all future DNS queries for that domain. For example, if an attacker mounted a forgery against Comcast’s name
servers targeting yahoo.com, then the attacker could control what computers all Comcast customers connect to for any yahoo.com names. The details to be released this week are expected to show how such an attack can be mounted in a number of seconds with high reliability; patches are available although there is ongoing discussion about how effective the patches are. It is quite clear that the patches do not fix the problem at a fundamental level: they are believed to make it much less likely that such an attack can be mounted or to increase the time that the attack will take.

Obviously, this attack is of concern for the global Internet. However the Kerberos community should pay particular attention. As we all know, RFC 4120 states that insecure mapping services such as DNS without DNSSec MUST NOT be used to map user input into authentication names. However, as discussed in The Role of Kerberos in Modern Information Systems, non-Microsoft Kerberos implementations use DNS to map names entered by the user into names that are used within Kerberos. So, consider an attacker that mounts a forgery and is able to modify all DNS responses for example.com. If this attacker can take over a single system registered with example.com’s Kerberos (or learn the Kerberos key of such a system), then they can defeat Kerberos security when authenticating to any system in that Kerberos infrastructure provided that the client uses DNS. There are some core
Kerberos
services such as password changing and the KDC itself that never use DNS in this way. Microsoft implementations also do not depend on this use of DNS. However other implementations tend to use DNS even for relatively sensitive operations such as Ssh used for administrative access to a server. In other words, an easy attack that can be mounted against DNS in a number of seconds is a huge problem for Kerberos. Administrators of Kerberos infrastructure need to insure that DNS server patches are applied in their environments. Hopefully these patches will make the attack hard enough to mount that we have some time to put together a better long-term solution.

We’ve known that this use of DNS is problematic for a long time. We even have better solutions: storing aliases of hosts in KDC databases. I’ve never seen a good solution though to figure out how to get from where we are today to a secure configuration. If you don’t provide a transition strategy, then you will find it difficult to convince users to give up the mode that works in favor of the more secure mode. However at last Tuesday’s Kerberos Working Group meeting, Apple’s Love Hörnquist Åstrand proposed a solution that I think will work. Love proposed that the client learn from the KDC whether a realm supports KDC aliases and has its database properly populated. If the KDC indicates aliases are available, then the client does not use DNS for mapping. The essential bit I had missed before is that this is a realm-by-realm transition. If my client is going to talk to a particular KDC, the question I care about is whether that KDC supports aliases. I had thought you needed some sort of global
transition in the past. Adopting Love’s proposal will take work, especially surrounding APIs such as krb5_sname_to_princ, but doing this work seems critical.

Painless Security has been working with The Interisle Consulting Group and the MIT Kerberos Consortium on the consortium’s paper on how to integrate Kerberos into applications. The paper is now available to the public. The paper gives an overview of GSS-API, SASL and the raw Kerberos messages. It talks about what you hope to get out of integrating Kerberos into an application. Then it discusses several issues to consider when planning your Kerberos integration, including naming, intermediaries and other complicated issues. Finally, the paper points to several examples of application integration.

I think the paper will be useful; I know it covers a lot of issues I have run into over the years. WhenI first heard about the plan for this paper, I expected that it would involve a walk-through of how to integrate Kerberos into some simple application. Other people expected this too: the most consistent comment we’ve received is that there is no tutorial. The paper does point to tutorials for GSS-API in C and Java, but does not include a tutorial ofits own. The reason for this is that it seemed there are already tutorials out there. However there didn’t seem to be an overview to help people choose between SASL and GSS-API, to understand the hard issues and to give best practice advice in avoiding common pitfalls.

I’m very interested in feedback on the paper. I’d especially love to get feedback from those new to the Kerberos community; the comments we’ve received to date are all from people who have been at this for years.

Monday, the consortium board met at Google. As I discussed, I presented a plan for the consortium road map. The road map presentation went reasonably well. The board generally seemed to support the road map and they gave useful feedback on ways to improve it. The specifics will be in the board notes, which will come out shortly on the consortium site. However I’d like to point to a few specific changes that need to happen to the road map as a result of the meeting.

It’s power, stupid! The section on mobile devices discusses the mobile environment in terms of CPU, memory and networking. That’s missing the most critical factor to consider when looking at mobile platforms: power consumption. “Oops,” is all I can say. I certainly was aware of the importance of power and of how both network and CPU utilization are an important fact or in power utilization. I just completely failed to talk about it when discussing the road map. That clearly needs to be fixed.

There was an enlightening discussion about the difference between web services interactions and Kerberos interactions. Slava Kavsan pointed out that Kerberos is missing three things that are important in B2B web services environments. There is no policy exchange where the relying party can explain what information it will need from the security infrastructure. The client does not have an opportunity to provide its preferences to the KDC in order to describe what information it wants disclosed. The KDC does not provide different relying parties with different information. Also, there is no standardized format for describing any useful claims about a subject in Kerberos. I touch on some of these issues at IETF 64 in 2005. I think that an interesting question for the consortium will be how to deal with these issues. Is it better to extend Kerberos, or to combine Kerberos with something else? I think that it is important that
if Kerberos is combined it is done in such a way that it works for all GSS applications and for web services. So, extending Kerberos is probably harder. You have to decide when to go get a new ticket and have APIs both in GSS-API and Kerberos for doing that. However some of the application integration may be easier. Combining Kerberos with something else, where Kerberos handles the authentication and some other provider handles assertions about identity may be easier from an API standpoint for web services applications. It seems like you’re going to lose a lot of the flexibility of Kerberos though if you do that. Will you lose the caching of credentials? Will you be able to take advantage of new Kerberos extensions in such a system? I think looking at these issues will be a critical upcoming challenge for the consortium.

So far, consortium priority setting has focused on short and medium term goals. The consortium proposal itself talks about long term visions of Kerberos and about where we want to move things. We’ve kept that in mind as we look at the short and medium-term work we’ve been planning; it is all consistent with the future vision. However, no single sponsor wants to prioritize the long-term visions. Ultimately though it’s our job as the consortium to drive that effort and get to the long-term vision we want to see.

I’ll be taking the first step in that process at our next board meeting. I will be presenting a road map plan four our long-term technical direction. We will propose a series of projects to advance kerberos on the web; to advance kerberos on mobile platforms; and to improve the maintainability, sustainability and security of Kerberos. The goal will be to make steady progress on each of these fronts. I’m currently in the middle of coming up with an initial proposal for these priorities.

Apoligies for the lack of content. I was on paternity leave celebrating the birth of my first child from January 23 until February 25. I’m still catching up from the backlog.

I wrote about initial efforts to set up more open and transparent process for MIT Kerberos. We approved that content at one of our December release meetings, although we ran into snags surrounding choice of software. However we’re up and running now.

The next challenge is to get people other than me to start contributing content. I have gotten people with active project proposals to start writing them up on the wiki. However I am currently the only one writing content such as policy proposals, descriptions of the organization, etc. Bootstrapping something like this is hard; the resource needs to be useful enough that people remember it, but for that to happen, it needs to be something people remember to add content to.

Once we get people to start looking at the resource and contributing, we have a lot of important community discussions planned. We want to open up a bunch of questions about coding practices. We also want to provide guidelines for how to conduct code reviews and have information on interface stability.

Last Tuesday, December 11, the MIT Kerberos Consortium had its first board meeting. Paul Armstrong gave detailed notes of the meeting. In a few cases, particularly dealing with parties not present at the meeting, Paul dropped some qualifiers and claimed that things were definitely true when I only stated that I suspected they were true. Such is life with raw notes.

The board did succeed in its goal of providing us priorities for our work. I think the board will work well together and will work well with the rest of the consortium staff.

I was expecting our priorities to focus mostly on technical projects. However the board surprised me; much of the work is on documentation, process and on promoting Kerberos. I actually think this is going to be good for the community and the technology but it was not quite what I expected going into the meeting. The board definitely seems to understand the value of standardization activity and working together with multiple vendors.

Some projects we’ll start now; some projects we will explore and report back to the board on in March.

This week we started an experiment to try and improve team work and get people involved in each others’ projects. We stuck everyone in a conference room from 11 to 4 on Tuesday. However it wasn’t a meeting, it was a work session. Preliminary results from the first instance were very positive. We were all working on presentations for the upcoming consortium board meeting, and it proved an excellent opportunity to confirm that various presentations were consistent with each other. Another group of people was working on understanding how to effectively use our new project management tool. Still a third group was working on the website. People floated back and forth between these groups. I will be interested to see how this works when people are working on more technical than administrative issues.