Skip Menu |
 

From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kfw-bugs@mit.edu>
Subject: REQ: in-registry keytab support
Date: Mon, 15 Oct 2007 19:53:12 -0500
Download (untitled) / with headers
text/plain 1.6KiB
Hello wonderful Kerberos people,

I'd like to request a new format/support for keytabs to be stored in the
Windows Registry. This would enable me to use Group Policy to push
specific registry keys (and therefore keytabs) to groups of machines
that need to share a specific key, either a cluster of machines serving
web pages (HTTP/clustername) or some similar function. It will also
allow me to push a dummy keytab simply to validate that the KDC itself
isn't being spoofed or perhaps for some type of authenticated DNS or
LDAP look-ups that need to be performed by the SYSTEM account.

In some instances, admins may want to use Group Policy to permanently
assign a keytab to a group of machines in this way. If the machine ever
gets reinstalled, the keytab will be automatically re-applied to the
machine via Group Policy once the computer is joined to the domain.
This would completely eliminate the need to keep track of versions and
distribution of actual keytab files in addition to allowing the keytab
for an entire cluster of machines to be changed all at once. No older
versions around messing things up.

I believe that OpenAFS for Windows will soon have support for
authenticated anonymous access to a cell and this same procedure can be
used to distribute a keytab that the OpenAFS client could use for
anonymous authentication. Having all anonymous connections
authenticated allows for encryption and the ability to get rid of
IP-based ACLs. This is very useful for things like software
distribution using GPO or other methods that require the SYSTEM account
to read data out of AFS.

<<CDC
--
Christopher D. Clausen
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
CC: undisclosed-recipients:;undisclosed-recipients:;@MIT.EDU
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 16:41:25 -0400
RT-Send-Cc:
Hi. I'm concerned about a mechanism that makes it this easy to reuse
keys. Your example of a cluster of web servers using HTTP/clustername
is OK; that's a case where you need to reuse keys.

However, many of the other examples are cases where reusing keys would
significantly harm security. The AFS case is particularly alarming.
Pushing out the same key for anonymous cell access would decrease
security by allowing anyone with this key to impersonate the cell.

I'm also concerned about whether group policy has the appropriate
confidentiality protection for this use. How is group policy pushed
to a machine? Is it encrypted in transit? Can a machine find out the
group policy of someone else?

--Sam
Date: Thu, 18 Oct 2007 17:02:19 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB
Sam Hartman via RT wrote:
Show quoted text
> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.
I wouldn't be thrilled with this use case either and I'm sad it was
brought up.
The AFS Client Service is going to add a feature that permits it to use
the Windows host
principal to obtain tokens. The Windows host principal is either keyed
during the domain
join operation or with KSETUP. In either case, the host password is
stored in a protected
part of the HKLM hive which is only accessible to the SYSTEM account.

This hive can be encrypted on local disk and when that functionality is
enabled, a password
must be entered before Windows will boot.
Show quoted text
>
> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use. How is group policy pushed
> to a machine? Is it encrypted in transit? Can a machine find out the
> group policy of someone else?
In Vista, group policy data is pushed to machines over TLS. I would
need to go back to verify
that XP does the same.

Group Policy data is pushed to all the machines which are members of the
group. A single
machine account can be treated as a group of one member. Policy data
associated with a
single machine will only be sent to that machine. Obviously, domain
administrators will
have the ability to view or manipulate that data.

It should be noted that group policy can also be used to push out
applications or configuration
files. Therefore, creating a registry based keytab does not increase
the risk of abuse. It
simply puts the key data in a location that is more likely to be secured
than a file.
Download smime.p7s
application/x-pkcs7-signature 3.2KiB

Message body not shown because it is not plain text.

From: "Christopher D. Clausen" <cclausen@acm.org>
To: <rt@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 16:15:26 -0500
RT-Send-Cc:
Download (untitled) / with headers
text/plain 2.2KiB
Sam Hartman via RT <rt@krbdev.mit.edu> wrote:
Show quoted text
> Hi. I'm concerned about a mechanism that makes it this easy to reuse
> keys. Your example of a cluster of web servers using HTTP/clustername
> is OK; that's a case where you need to reuse keys.
>
> However, many of the other examples are cases where reusing keys would
> significantly harm security. The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.

Impersonating an anonymous user is actually what one would want in some
environments. (Say non-AD joined machines. Copying a registry file and
importing it may be simpler than setting up a file path, etc. A single
registry key can contain all the needed configuration info.) The fact
that you are actually authenicating but still an anonymous user allows
for OpenAFS to enable encryption to the cell. The is a FEATURE in this
case. (Well, it will hopefully soon be an OpenAFS feature.)

I mean I can currenty set a keytab file up on a world readable network
share. Taking a file and putting it in the registry doesn't fix the
ability of someone to do something stupid.

Show quoted text
> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use.
> How is group policy pushed to a machine?

Group policy is generally implemented as a set of files in SYSVOL share
on the domain controller. I'm not sure if a higher level of protection
is granted to these files over normal CIFS traffic to the DC. I suspect
not. Again though, the ease of configuration may outweigh the security
risk in certain environments.

Also note that this would not be used for per-machine host keys, which
would be generated when the machine is joined to the domain. (A needed
step before Group Policy can be applied to the computer.)

Show quoted text
> Is it encrypted in transit?

I do not know if GPO traffic is encrypted. You can of course force
encryption to the DC on using IPsec or with the security levels on the
CIFS traffic.

Show quoted text
> Can a machine find out the group policy of someone else?

Yes, it can by default. It would be up to GPO creator to properly ACL
the Group Policy Object itself to restrict access to the proper computer
accounts or users.

<<CDC
From: Ken Raeburn <raeburn@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 18:40:24 -0400
To: rt@krbdev.mit.edu
RT-Send-Cc:
On Oct 18, 2007, at 17:16, Christopher D. Clausen via RT wrote:
Show quoted text
> Sam Hartman via RT <rt@krbdev.mit.edu> wrote:
>> However, many of the other examples are cases where reusing keys
>> would
>> significantly harm security. The AFS case is particularly alarming.
>> Pushing out the same key for anonymous cell access would decrease
>> security by allowing anyone with this key to impersonate the cell.
>
> Impersonating an anonymous user is actually what one would want in
> some
> environments.

Sam said, and I believe meant, impersonating the cell. More
specifically, impersonating the cell to any of these anonymous users,
while giving the illusion of secure access.

Because Kerberos uses symmetric cryptography, not only can any party
knowing your password pretend to be you when talking to the KDC (and
then other parties), they can also pretend to be the KDC (and then
other parties) when talking to you. There are some preauth systems
and application protocols (e.g., authenticating inside a TLS-
protected stream, where the server certificate is verified and
assumed not to be compromised, as is the CA) that can mitigate this,
but with the basic, password-based Kerberos protocol, the possibility
is there.

So, someone extracting this shared "anonymous-client" key from one
compromised machine can pretend to be the KDC to other anonymous
clients, sending a fake AS-REP encrypted using that key and holding
credentials encrypted using not the real TGS key but a key chosen by
the attacker, and then responding to the following TGS-REQ with
equally fake credentials for talking to the local AFS service. Then
the attacker can pretend to be the AFS server, accepting and sending
encrypted messages.

So now your anonymous user would be talking to the attacker's version
of the AFS cell, with encryption.

It may be safer from passive eavesdroppers who don't have the shared
key, but conservatively, it shouldn't be considered any more secure
than non-encrypted exchanges, unless you have good reason to believe
the key can never be compromised.

(An attacker who records live traffic to the real KDC and AFS servers
and gets access to the key later could go back and decrypt it all,
but if you're really trying to do protected anonymous access, maybe
there aren't secrets revealed that way. But that's not guaranteed; I
could imagine a protocol implemented over the file system that might
work otherwise. Kerberos needs some sort of PFS facility; we know
this.)

Show quoted text
> (Say non-AD joined machines. Copying a registry file and
> importing it may be simpler than setting up a file path, etc. A
> single
> registry key can contain all the needed configuration info.) The fact
> that you are actually authenicating but still an anonymous user allows
> for OpenAFS to enable encryption to the cell. The is a FEATURE in
> this
> case. (Well, it will hopefully soon be an OpenAFS feature.)

A better solution, which unfortunately is still in design, might be
the anonymous-ticket facility for Kerberos, http://www.ietf.org/
internet-drafts/draft-ietf-krb-wg-anon-04.txt .

Ken
From: "Christopher D. Clausen" <cclausen@acm.org>
To: <rt@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #5821] REQ: in-registry keytab support
Date: Thu, 18 Oct 2007 17:57:28 -0500
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.6KiB
Ken Raeburn via RT <rt@krbdev.mit.edu> wrote:
Show quoted text
> On Oct 18, 2007, at 17:16, Christopher D. Clausen via RT wrote:
>> Sam Hartman via RT <rt@krbdev.mit.edu> wrote:
> So now your anonymous user would be talking to the attacker's version
> of the AFS cell, with encryption.

Understood. No less secure than anonymous AFS access right now though,
except for maybe the user thinking they are secure.

Show quoted text
> It may be safer from passive eavesdroppers who don't have the shared
> key, but conservatively, it shouldn't be considered any more secure
> than non-encrypted exchanges, unless you have good reason to believe
> the key can never be compromised.

Basically, one would use it purely for over the wire encryption.

Show quoted text
>> (Say non-AD joined machines. Copying a registry file and
>> importing it may be simpler than setting up a file path, etc. A
>> single
>> registry key can contain all the needed configuration info.) The
>> fact that you are actually authenicating but still an anonymous user
>> allows for OpenAFS to enable encryption to the cell. The is a
>> FEATURE in this
>> case. (Well, it will hopefully soon be an OpenAFS feature.)
>
> A better solution, which unfortunately is still in design, might be
> the anonymous-ticket facility for Kerberos, http://www.ietf.org/
> internet-drafts/draft-ietf-krb-wg-anon-04.txt .

Yeah, well, sometimes one needs a solution that works now and not at
some undetermined point in the future.

-----

Regardless, even only using the single instance of a cluster of machines
serving HTTP the keytab in the registry is still a useful feature. And
allowing the service keytab to be in a registry key doesn't make it any
less secure than a file.

<<CDC