Painless Security

OpenID provides a single-sign-on solution for websites without requiring browser modifications. The idea is that you can go to an identity provider where you have an account, log in, and then you can go to other websites and point them at your identity provider to validate your ID. You only have to type your password once. It’s very convenient.

OpenID proponents argue that OpenID does not contribute to phishing. It also doesn’t really solve phishing, but the hope is that if we manage to get strong authentication to the identity provider, then that strength will cascade across all the sites that use the identity provider. Some have pointed out that single-sign-on systems provide attractive targets for phishing: once an attacker has your OpenID password they may have access to many more resources. That’s certainly true, but single-sign-on has security benefits in terms of reducing the number of passwords people need and making them less likely to believe that some random server actually has a legitimate need for a password. So, it’s not clear to me how this argument balances out.

However I think there is a bigger contribution from schemes like OpenID to phishing. Even if the authentication to the identity provider is strong, the hand off between the target website and identity provider is weakly authenticated in OpenID. In particular, OpenID depends on TLS certificate validation and correctly going to the right URI to identify the right website. As I discussed earlier this week, the W3C is poised to move us to a world where we admit that self-signed certificates have a place and accept that sometimes we will not have strong authentication when we first go to a site. Unfortunately, because OpenID decouples the authentication to the identity provider from the authentication between the identity provider and website, improvements in the authentication on one side will not increase the security of the overall system. Two attacks are probable. The first is that an attacker might mount a
man-in-the-middle or other attack between the identity provider and target website. Even though the user authenticates strongly to the identity provider, they are left with protections of their eventual authentication no stronger than today’s TLS. The second is that a target website may not actually participate in the authentication exchange. If the website is after capturing your credit card information, they may never forward you back to your identity provider; instead they may just make it appear as if authentication is successful.

I don’t think either of these attacks is particularly interesting today: there are bigger problems. However if we’re successful in strengthening web authentication mechanisms we’ll need to think about how to help folks like OpenID evolve their technology to avoid being the weakest link.

The Web Security Context working group of the W3C has begun a last call on its User Interface Guidelines. The link is to the version being last called, which may be updated before the recommendation is published. The last call runs until September 15.

I like the approach these recommendations take. They strike a balance between security and usability. One of the controversial changes that they make is they recommend against warnings when you go to a website that is using a self-signed certificate or that chains back to something that you don’t consider a trust anchor. The idea is that a lot of people use self-signed certificates for appliances or within small communities. If you present security warnings in these cases then you reduce the value of all security warnings. This does make it easier to attack a site the first time someone goes to it. Browsers must remember if they have seen a validated certificate for a site; a site that once presented a valid certificate must not present a self-signed certificate in the future.

Another great thing about the recommendation is the handling of errors. Errors are separated into notifications, warnings and danger signals. The main advantage of this separation is that danger signals are used only when there is sufficient evidence that something bad is going on that may put the user at risk. As such, danger signals can be taken seriously.

It’s not clear that everyone will take advantage of these mechanisms, but it seems like a great step in the right direction. This work also aligns well with the authentication requirements work I’ve been doing.

DNS Forgery attacks have been in the news recently in a big way: a story in the New York Times said that details of a new DNS attack will be released this week. The basic idea is that it is possible to trick a recursive name server into believing that responses provided by an attacker should be believed instead of responses provided by the real authoritative DNS server. The recursive name server passes this poisoned data along to its clients who use the information to translate names to addresses and for other DNS functions. As the Wikipedia article points out, a particularly effective target for DNS Forgery are authority records in DNS responses. I.E., if the attacker can overwrite the DNS records that specify what name servers should be consulted for a particular domain, then the attacker can capture all future DNS queries for that domain. For example, if an attacker mounted a forgery against Comcast’s name
servers targeting yahoo.com, then the attacker could control what computers all Comcast customers connect to for any yahoo.com names. The details to be released this week are expected to show how such an attack can be mounted in a number of seconds with high reliability; patches are available although there is ongoing discussion about how effective the patches are. It is quite clear that the patches do not fix the problem at a fundamental level: they are believed to make it much less likely that such an attack can be mounted or to increase the time that the attack will take.

Obviously, this attack is of concern for the global Internet. However the Kerberos community should pay particular attention. As we all know, RFC 4120 states that insecure mapping services such as DNS without DNSSec MUST NOT be used to map user input into authentication names. However, as discussed in The Role of Kerberos in Modern Information Systems, non-Microsoft Kerberos implementations use DNS to map names entered by the user into names that are used within Kerberos. So, consider an attacker that mounts a forgery and is able to modify all DNS responses for example.com. If this attacker can take over a single system registered with example.com’s Kerberos (or learn the Kerberos key of such a system), then they can defeat Kerberos security when authenticating to any system in that Kerberos infrastructure provided that the client uses DNS. There are some core
Kerberos
services such as password changing and the KDC itself that never use DNS in this way. Microsoft implementations also do not depend on this use of DNS. However other implementations tend to use DNS even for relatively sensitive operations such as Ssh used for administrative access to a server. In other words, an easy attack that can be mounted against DNS in a number of seconds is a huge problem for Kerberos. Administrators of Kerberos infrastructure need to insure that DNS server patches are applied in their environments. Hopefully these patches will make the attack hard enough to mount that we have some time to put together a better long-term solution.

We’ve known that this use of DNS is problematic for a long time. We even have better solutions: storing aliases of hosts in KDC databases. I’ve never seen a good solution though to figure out how to get from where we are today to a secure configuration. If you don’t provide a transition strategy, then you will find it difficult to convince users to give up the mode that works in favor of the more secure mode. However at last Tuesday’s Kerberos Working Group meeting, Apple’s Love Hörnquist Åstrand proposed a solution that I think will work. Love proposed that the client learn from the KDC whether a realm supports KDC aliases and has its database properly populated. If the KDC indicates aliases are available, then the client does not use DNS for mapping. The essential bit I had missed before is that this is a realm-by-realm transition. If my client is going to talk to a particular KDC, the question I care about is whether that KDC supports aliases. I had thought you needed some sort of global
transition in the past. Adopting Love’s proposal will take work, especially surrounding APIs such as krb5_sname_to_princ, but doing this work seems critical.

I’m pleased to announce that I’m now in business: Painless Security, LLC was formed last week. The lack of a company has not kept me from being busy, but having a company makes it much easier to set up agreements. The standard agreement should be on the website in a couple of days.

Painless Security has been working with The Interisle Consulting Group and the MIT Kerberos Consortium on the consortium’s paper on how to integrate Kerberos into applications. The paper is now available to the public. The paper gives an overview of GSS-API, SASL and the raw Kerberos messages. It talks about what you hope to get out of integrating Kerberos into an application. Then it discusses several issues to consider when planning your Kerberos integration, including naming, intermediaries and other complicated issues. Finally, the paper points to several examples of application integration.

I think the paper will be useful; I know it covers a lot of issues I have run into over the years. WhenI first heard about the plan for this paper, I expected that it would involve a walk-through of how to integrate Kerberos into some simple application. Other people expected this too: the most consistent comment we’ve received is that there is no tutorial. The paper does point to tutorials for GSS-API in C and Java, but does not include a tutorial ofits own. The reason for this is that it seemed there are already tutorials out there. However there didn’t seem to be an overview to help people choose between SASL and GSS-API, to understand the hard issues and to give best practice advice in avoiding common pitfalls.

I’m very interested in feedback on the paper. I’d especially love to get feedback from those new to the Kerberos community; the comments we’ve received to date are all from people who have been at this for years.

As of April 18, I have left MIT and am working as an independent consultant. Information on my expertise is available.

Since April I’ve been spending a lot of time with my family. I planned to start setting up Painless Security as a company in mid June and start looking for work around then. However, in late May, I received an offer to work on a project I’ll be discussing shortly. So, the good news is that work started sooner than expected. The bad news is that I have not made as much progress as I had hoped on infrastructure. That project is winding down now, so I am beginning to work on the infrastructure work and on finding more projects. If there are opportunities you think I should take a look at, please drop me a line.

I’m going to expand the scope of this blog a bit. While I will think about the security implications of whatever I post, I’m going to broaden things a bit from the strict security focus. If you are interested in some of the content here, but find other content not to your taste, drop me a line. I can probably set up tags so you can find only what you’re looking for.

Currently, I am not funded to participate in the IETF. If projects came along that involved contributing the the IETF, I’d definitely take a serious look. Meanwhile I will stay involved in some IETF activities as a self-funded individual, but my involvement will need to scale back.

As I mentioned, I’ve been in DC for the last two days at the AFCEA Solutions conference on identity assurance. One thing I’ve learned is that the government and those providing services to the government think about identity and some of the related security problems much differently than we do in the Internet standards community and especially the open source software community.

I’m sitting here in a session where people are bemoaning the fact that people put their personal information on Myspace, Facebook, etc. (Interestingly, LJ was not mentioned.) There seems to be inadequate consideration of the value people get for making this information available.

However the most stunning revelation is the strong desire to make sure that people have a single identity and to avoid duplicates. The Kerberos community went down this path a while ago. We found that users really want to have multiple identities in multiple contexts. The example within MIT is that you really probably didn’t want to buy porn using your work credential.

In some of the government contexts, for example giving people security clearances, making sure all the identities are bound together seems really important. However I feel that a strong push to bind everything to a physical identity will be very harmful to privacy in the long run. I’ve found that reputation-based identity has been really critical to online communities.

I’m on a panel discussing the implications of large databases of information on the identity management/assurance problem. The concern is that as you have large databases like national ID databases, credit report databases, medical records, etc, and you want to share information, how do you handle the identity management problems. Sharing is important because it enables new uses of the information. You would like to delegate access to information to services and agents. However, you also want to meet privacy and secrecy objectives. Technologies like oauth are in this space, although I think that this conference would not be interested in that particular technology.

I have not been thinking that much about some of the problems in this space before preparing for this panel. However, it has been a lot of fun to consider and I think there are some very interesting challenges in this space.

Monday, the consortium board met at Google. As I discussed, I presented a plan for the consortium road map. The road map presentation went reasonably well. The board generally seemed to support the road map and they gave useful feedback on ways to improve it. The specifics will be in the board notes, which will come out shortly on the consortium site. However I’d like to point to a few specific changes that need to happen to the road map as a result of the meeting.

It’s power, stupid! The section on mobile devices discusses the mobile environment in terms of CPU, memory and networking. That’s missing the most critical factor to consider when looking at mobile platforms: power consumption. “Oops,” is all I can say. I certainly was aware of the importance of power and of how both network and CPU utilization are an important fact or in power utilization. I just completely failed to talk about it when discussing the road map. That clearly needs to be fixed.

There was an enlightening discussion about the difference between web services interactions and Kerberos interactions. Slava Kavsan pointed out that Kerberos is missing three things that are important in B2B web services environments. There is no policy exchange where the relying party can explain what information it will need from the security infrastructure. The client does not have an opportunity to provide its preferences to the KDC in order to describe what information it wants disclosed. The KDC does not provide different relying parties with different information. Also, there is no standardized format for describing any useful claims about a subject in Kerberos. I touch on some of these issues at IETF 64 in 2005. I think that an interesting question for the consortium will be how to deal with these issues. Is it better to extend Kerberos, or to combine Kerberos with something else? I think that it is important that
if Kerberos is combined it is done in such a way that it works for all GSS applications and for web services. So, extending Kerberos is probably harder. You have to decide when to go get a new ticket and have APIs both in GSS-API and Kerberos for doing that. However some of the application integration may be easier. Combining Kerberos with something else, where Kerberos handles the authentication and some other provider handles assertions about identity may be easier from an API standpoint for web services applications. It seems like you’re going to lose a lot of the flexibility of Kerberos though if you do that. Will you lose the caching of credentials? Will you be able to take advantage of new Kerberos extensions in such a system? I think looking at these issues will be a critical upcoming challenge for the consortium.

So far, consortium priority setting has focused on short and medium term goals. The consortium proposal itself talks about long term visions of Kerberos and about where we want to move things. We’ve kept that in mind as we look at the short and medium-term work we’ve been planning; it is all consistent with the future vision. However, no single sponsor wants to prioritize the long-term visions. Ultimately though it’s our job as the consortium to drive that effort and get to the long-term vision we want to see.

I’ll be taking the first step in that process at our next board meeting. I will be presenting a road map plan four our long-term technical direction. We will propose a series of projects to advance kerberos on the web; to advance kerberos on mobile platforms; and to improve the maintainability, sustainability and security of Kerberos. The goal will be to make steady progress on each of these fronts. I’m currently in the middle of coming up with an initial proposal for these priorities.