logo_kerberos.gif

Difference between revisions of "Projects/Authentication indicator"

From K5Wiki
Jump to: navigation, search
(New page: {{project-early}} This project will implement a way to restrict access to services based on how the initial authentication was performed. ==Background== Kerberos deployments may support...)
 
Line 20: Line 20:
   
 
This project will instead use the AUTHENTICATION-INDICATOR element defined in {{idref|draft-jain-kitten-krb-auth-indicator}}. The intent of this element is that the KDC makes a determination about pre-authentication confidence at the time of initial authentication, and communicates this to services via one or more site-defined string values. The AUTHENTICATION-INDICATOR element is carried within a CAMMAC ({{idref|draft-ietf-krb-wg-cammac}}), which allows it to be carried from the evidence ticket of an S4U2PROXY request into the delegated ticket.
 
This project will instead use the AUTHENTICATION-INDICATOR element defined in {{idref|draft-jain-kitten-krb-auth-indicator}}. The intent of this element is that the KDC makes a determination about pre-authentication confidence at the time of initial authentication, and communicates this to services via one or more site-defined string values. The AUTHENTICATION-INDICATOR element is carried within a CAMMAC ({{idref|draft-ietf-krb-wg-cammac}}), which allows it to be carried from the evidence ticket of an S4U2PROXY request into the delegated ticket.
  +
  +
==Design==
  +
  +
This project requires several elements.
  +
  +
===ASN.1 encoders and decoders===
  +
  +
We will require encoders and decoders for the CAMMAC and AUTHENTICATION-INDICATOR elements. Commit a7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b can be used as a reference.
  +
  +
===Deciding on authentication indicators===
  +
  +
The KDC will need some way of deciding on authentication indicator strings based on a successful pre-authentication. It must take into account the particulars of the pre-authentication mechanism as well as site preferences.
  +
  +
The simplest approach would be to allow each kdcpreauth module to be able to yield authentication indicators via a callback, and in each module to implement code to yield indicators based on configuration. PKINIT might have configuration to produce indicators based on certificate attributes and/or the signing authority, OTP based on the token type, etc.. This approach would be easily used out of the box, but would not be any more flexible than the code in the kdcpreauth modules.
  +
  +
A more complicated approach would have each module producing detailed parameters (PKINIT certificate and signing chain, OTP request and token type, etc.) and then have either a KDB method or a new plugin interface for determining authentication indicators based on the parameters.
  +
  +
===Generating indicator authdata===
  +
  +
===Preserving CAMMAC across TGS requests===
  +
  +
===Enforcing indicator restrictions===

Revision as of 23:18, 24 February 2014

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project will implement a way to restrict access to services based on how the initial authentication was performed.

Background

Kerberos deployments may support pre-authentication mechanisms, such as PKINIT or OTP, which may confer a higher level of confidence in the authentication than the use of a password alone. A deployment may wish to require that some resources can only be accessed using tickets which were obtained using high-confidence pre-authentication.

Currently, the most practical way to enforce this requirement is to make sure that certain principals can only authenticate using high-confidence pre-authentication, and then grant resource access only to those principals. Such principals may be separated from the principals used for day-to-day activities of the end-user by giving them different names (e.g. ghudson/root@ATHENA.MIT.EDU as opposed to ghudson@ATHENA.MIT.EDU), at the cost of complicating realm administration and auditing.

This project will implement a means of restricting access without requiring that a principal always authenticates using high-strength pre-authentication, by marking how the ticket was initially obtained. The Kerberos protocol defines several existing methods for doing this, none of which are sufficiently general:

  • The pre-authent ticket flag indicates that some form of prea-authentication was used, but does not indicate what it was.
  • The hw-authent ticket flag was intended to indicate that a hardware device was used during pre-authentication. It is rarely used, as the KDC usually cannot tell whether a client used a software or hardware device to produce a certificate or OTP token value. While it could be re-purposed to mean "high-confidence pre-authentication" in general, it would still be poorly defined and not very granular.
  • PKINIT (RFC 4556) defines the AD_INITIAL_VERIFIED_CAS authdata type, which shows the certification path of the client certificate. This type is specific to PKINIT, and would be cumbersome for an application server to use as it would have to be configured with specific knowledge about PKINIT certification authorities. There is no equivalent for FAST OTP.
  • RFC 6113 defines AD-authentication-strength, which contains the numeric codes of the pre-authentication types used to authenticate the client, and possibly additional information for each type (but no additional information is currently defined). Again, to use this element, an application server would have to be configured with specific knowledge about pre-authentication mechanisms and the confidence they confer.

This project will instead use the AUTHENTICATION-INDICATOR element defined in draft-jain-kitten-krb-auth-indicator. The intent of this element is that the KDC makes a determination about pre-authentication confidence at the time of initial authentication, and communicates this to services via one or more site-defined string values. The AUTHENTICATION-INDICATOR element is carried within a CAMMAC (draft-ietf-krb-wg-cammac), which allows it to be carried from the evidence ticket of an S4U2PROXY request into the delegated ticket.

Design

This project requires several elements.

ASN.1 encoders and decoders

We will require encoders and decoders for the CAMMAC and AUTHENTICATION-INDICATOR elements. Commit a7dc565cafbaa6c18d5a76ea3cc823c7159a0d6b can be used as a reference.

Deciding on authentication indicators

The KDC will need some way of deciding on authentication indicator strings based on a successful pre-authentication. It must take into account the particulars of the pre-authentication mechanism as well as site preferences.

The simplest approach would be to allow each kdcpreauth module to be able to yield authentication indicators via a callback, and in each module to implement code to yield indicators based on configuration. PKINIT might have configuration to produce indicators based on certificate attributes and/or the signing authority, OTP based on the token type, etc.. This approach would be easily used out of the box, but would not be any more flexible than the code in the kdcpreauth modules.

A more complicated approach would have each module producing detailed parameters (PKINIT certificate and signing chain, OTP request and token type, etc.) and then have either a KDB method or a new plugin interface for determining authentication indicators based on the parameters.

Generating indicator authdata

Preserving CAMMAC across TGS requests

Enforcing indicator restrictions