[NNTP] Comments on draft-...-authinfo-03
Clive D.W. Feather
clive at demon.net
Wed Sep 22 07:28:22 PDT 2004
Jeffrey M. Vinocur said:
>> After much reading, I'm beginning to understand some of it (but still not
>> the Man in the Middle bit). But I think the draft needs to explain it all
>> much better. [...]
>
> Let me take a stab it this, for completeness. Assuming I've understood
> it correctly.
Thanks very much.
> (I think this is one of those things that doesn't need to be completely
> explained in the protocol, actually. I mean, a programmer implementing
> a spec doesn't have to explain exactly what went in to every design
> decision, and at some point the sheer quantity of explanatory material
> makes the overall task -more- complicated.)
I appreciate your point there.
The problem in this case is that the requirement is apparently nonsense and
self-contradictory: after establishing a security layer:
* you MUST advertise AUTHINFO even though you can't use it;
* you MUST NOT advertise STARTTLS *because* you can't use it.
Plus the mention of an "active down-negotiation attack" without explaining
how this prevents/detects it.
Anyway:
> You should keep in mind a couple underlying assumptions that are true
> in other SASL-using protocols perhaps more than NNTP. One is that the
> client may have some way to verify the server's identity after the
> connection is established.
External to the link or internal?
> Another is that the data passing over the
> connection is more valuable than the user's password itself.
Hmm. Surely if you've got the password then you have access to the data at
your leisure?
But continuing ...
> In the kind of attack being considered, an attacker has the ability to
> snoop on the (initially unencrypted) connection, and to forge packets
> appearing to come from the server.
Ah. This is *not* what "man in the middle" means to me. My model has been:
* the client is talking to the attacker thinking it's the server (either
through DNS manipulation or IP re-routeing);
* the attacker is talking to the server on a separate TCP connection,
pretending to be the client.
Messages are passed through unless the attacker has a need to modify them.
Packet boundaries are *not* preserved and separate encryption is carried
out on each leg.
What you have is a snooper who can inject packets but not delete them.
> At some point the client sends LIST
> EXTENSIONS, and the attacker forges a response in which the list of
> available SASL mechanisms has been altered. In particular, the
> strongest mechanisms have been removed from the list. So the client
> sees the altered list, and selects one of the (weak) available
> mechanisms, even if the client would have preferred something else that
> might have been in the unaltered list.
Okay. I'm not sure how much of a threat that is, but ...
> When the server's LIST
> EXTENSIONS response arrives, the client TCP stack discards it as a
> duplicate.
Only if it's exactly the same length. If it isn't, the two ends will now
be out of sync.
Attacker sends "AUTHINFO SASL:WEAK" as the last item in the response.
Server sends "AUTHINFO SASL:WEAK,MEDIUM,STRONG" as the last item.
Suppose the client discards that message and sends a command, say "AUTHINFO
SASL WEAK". The server sends a 283 response. The client's stack will see a
11 octet gap in sequence numbering and send a retransmission request. The
server will now send "UM,STRONG[CR][LF].[CR][LF]283 whatever[CR][LF]"
and the client will barf.
> The client and server proceed with the SASL negotiation
> (the server having no idea the client hasn't chosen its ideal
> mechanism),
[...]
> but perhaps an
> attack is known against the weaker mechanism now in use.
I follow this, though if SASL:WEAK isn't strong enough the client shouldn't
be using it.
>> Question to the group: would it be worth adding a flag to show that
>> authentication is no longer possible? Something like:
>>
>> AUTHINFO - USER SASL:EXTERNAL
>
> This seems decent at first glance, actually. (Although I don't know
> how I feel about the "-" as a special parameter.)
Better something like that than "DONTUSE". I would have suggested
"-AUTHINFO USER SASL:EXTERNAL" except that the first word has to be all
uppercase.
--
Clive D.W. Feather | Work: <clive at demon.net> | Tel: +44 20 8495 6138
Internet Expert | Home: <clive at davros.org> | Fax: +44 870 051 9937
Demon Internet | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc | |
More information about the ietf-nntp
mailing list