[NNTP] Comments on draft-...-authinfo-03
Jeffrey M. Vinocur
jeff at litech.org
Fri Sep 17 14:21:52 PDT 2004
On Sep 17, 2004, at 8:40 AM, Clive D.W. Feather wrote:
> Ken Murchison said:
>>> 2.2.2 para "After a security layer ...": why must the SASL mechanism
>>> list
>>> be the same? Why can't new ones be added?
>>
>> This is to help detect man in the middle attacks. [...]
>
> I remain confused.
>
> Firstly, why won't an active attacker just present the old list anyway?
> It's no skin off his nose to do it.
>
> <later>
> After much reading, I'm beginning to understand some of it (but still
> not
> the Man in the Middle bit). But I think the draft needs to explain it
> all
> much better. [...]
Let me take a stab it this, for completeness. Assuming I've understood
it correctly.
(I think this is one of those things that doesn't need to be completely
explained in the protocol, actually. I mean, a programmer implementing
a spec doesn't have to explain exactly what went in to every design
decision, and at some point the sheer quantity of explanatory material
makes the overall task -more- complicated.)
You should keep in mind a couple underlying assumptions that are true
in other SASL-using protocols perhaps more than NNTP. One is that the
client may have some way to verify the server's identity after the
connection is established. Another is that the data passing over the
connection is more valuable than the user's password itself.
In the kind of attack being considered, an attacker has the ability to
snoop on the (initially unencrypted) connection, and to forge packets
appearing to come from the server. At some point the client sends LIST
EXTENSIONS, and the attacker forges a response in which the list of
available SASL mechanisms has been altered. In particular, the
strongest mechanisms have been removed from the list. So the client
sees the altered list, and selects one of the (weak) available
mechanisms, even if the client would have preferred something else that
might have been in the unaltered list. When the server's LIST
EXTENSIONS response arrives, the client TCP stack discards it as a
duplicate. The client and server proceed with the SASL negotiation
(the server having no idea the client hasn't chosen its ideal
mechanism), and establish a SASL layer. Keep in mind that it's the
true server (and the client has perhaps verified this during the
exchange in a way the attacker couldn't forge); the attacker is not
forging any packets during the negotiation. So the attacker has
"successfully" caused the established layer to be weaker than
otherwise, and now a second attack has to be used -- but perhaps an
attack is known against the weaker mechanism now in use.
> Question to the group: would it be worth adding a flag to show that
> authentication is no longer possible? Something like:
>
> AUTHINFO - USER SASL:EXTERNAL
This seems decent at first glance, actually. (Although I don't know
how I feel about the "-" as a special parameter.)
--
Jeffrey M. Vinocur
jeff at litech.org
More information about the ietf-nntp
mailing list