directory-kerby mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Anonymous PKINIT signatures
Date Fri, 22 Jul 2016 15:21:48 GMT
Hi Jiajia,

So if I understand you correctly, what you are saying is that it is
sufficient to verify that the Subject (alternative name) of the Certificate
matches that of the "known principal" of the KDC? In other words, the KDC
is not doing any asymmetric signature, it is just "presenting" the
certificate to the client. The client verifies that the certificate is
trusted, and then verifies that the KDC principal matches the certificate.
However, the client doesn't use the certificate to verify a signature, and
thus proving that the KDC knows the private key associated with the cert.
Is this correct?

It's a bit unusual from a security POV but I think it's ok. We're verifying
trust in the certificate path and we're putting a hard constraint on the
Subject of the certificate. A malicious KDC/MITM could forge a certificate,
but then trust validation would fail, or else get a certificate for another
KDC, but then the constraint would fail. So I think it's ok.

Colm.

On Fri, Jul 22, 2016 at 3:40 AM, Li, Jiajia <jiajia.li@intel.com> wrote:

> Hi Colm,
> >> >However, I can't see where it is signing the response with the private
> key associated with the KDC. This is a requirement for anonymous PKINIT
>
> Yes, you are right. The  "Identity" should be used in anonymous PKINIT.
> But now in client PkinitPreauth, start from line 393, we skip to use the
> certificateSet which is returned by server, so now the code can't verify
> the kdc sans, edu and so on. Such as the function
> cryptoRetrieveX509Sans#PkinitCrypto is marked as TODO.
>
>
> Thanks
> Jiajia
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, July 21, 2016 7:27 PM
> To: kerby@directory.apache.org
> Subject: Anonymous PKINIT signatures
>
> Hi all,
>
> I'm continuing to look at anonymous PKINIT as implemented in Kerby. I'm a
> bit puzzled by a few things relating to signatures and would welcome some
> feedback.
>
> Looking at the server PkinitPreauth, it appears that Diffie-Hellman is
> used to establish a shared secret key with the client. However, I can't see
> where it is signing the response with the private key associated with the
> KDC. This is a requirement for anonymous PKINIT, unless I am mistaken?
>
> Similarly, on the client side, it's not enough just to verify trust in the
> Certificate that's presented, it also needs to be using the Certificate to
> verify some signed data, to make sure that the KDC knows the private key
> associated with the Certificate...
>
> I've updated the code so that the server at least includes the "Identity"
> Certificate in the response to the client.
>
> Thanks,
>
> Colm.
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message