[NNTP] Comments on draft-...-authinfo-03

Clive D.W. Feather clive at demon.net
Wed Sep 22 07:28:22 PDT 2004 

Jeffrey M. Vinocur said:
>> After much reading, I'm beginning to understand some of it (but still not
>> the Man in the Middle bit). But I think the draft needs to explain it all
>> much better. [...]
> 
> Let me take a stab it this, for completeness.  Assuming I've understood 
> it correctly.

Thanks very much.

> (I think this is one of those things that doesn't need to be completely 
> explained in the protocol, actually.  I mean, a programmer implementing 
> a spec doesn't have to explain exactly what went in to every design 
> decision, and at some point the sheer quantity of explanatory material 
> makes the overall task -more- complicated.)

I appreciate your point there.

The problem in this case is that the requirement is apparently nonsense and
self-contradictory: after establishing a security layer:
* you MUST advertise AUTHINFO even though you can't use it;
* you MUST NOT advertise STARTTLS *because* you can't use it.
Plus the mention of an "active down-negotiation attack" without explaining
how this prevents/detects it.

Anyway:

> You should keep in mind a couple underlying assumptions that are true 
> in other SASL-using protocols perhaps more than NNTP.  One is that the 
> client may have some way to verify the server's identity after the 
> connection is established.

External to the link or internal?

> Another is that the data passing over the 
> connection is more valuable than the user's password itself.

Hmm. Surely if you've got the password then you have access to the data at
your leisure?

But continuing ...

> In the kind of attack being considered, an attacker has the ability to 
> snoop on the (initially unencrypted) connection, and to forge packets 
> appearing to come from the server.

Ah. This is *not* what "man in the middle" means to me. My model has been:
* the client is talking to the attacker thinking it's the server (either
  through DNS manipulation or IP re-routeing);
* the attacker is talking to the server on a separate TCP connection,
  pretending to be the client.
Messages are passed through unless the attacker has a need to modify them.
Packet boundaries are *not* preserved and separate encryption is carried
out on each leg.

What you have is a snooper who can inject packets but not delete them.

> At some point the client sends LIST 
> EXTENSIONS, and the attacker forges a response in which the list of 
> available SASL mechanisms has been altered.  In particular, the 
> strongest mechanisms have been removed from the list.  So the client 
> sees the altered list, and selects one of the (weak) available 
> mechanisms, even if the client would have preferred something else that 
> might have been in the unaltered list.

Okay. I'm not sure how much of a threat that is, but ...

> When the server's LIST 
> EXTENSIONS response arrives, the client TCP stack discards it as a 
> duplicate.

Only if it's exactly the same length. If it isn't, the two ends will now
be out of sync.

    Attacker sends  "AUTHINFO SASL:WEAK" as the last item in the response.
    Server sends "AUTHINFO SASL:WEAK,MEDIUM,STRONG" as the last item.

Suppose the client discards that message and sends a command, say "AUTHINFO
SASL WEAK". The server sends a 283 response. The client's stack will see a
11 octet gap in sequence numbering and send a retransmission request. The
server will now send "UM,STRONG[CR][LF].[CR][LF]283 whatever[CR][LF]"
and the client will barf.

> The client and server proceed with the SASL negotiation 
> (the server having no idea the client hasn't chosen its ideal 
> mechanism),
[...]
> but perhaps an 
> attack is known against the weaker mechanism now in use.

I follow this, though if SASL:WEAK isn't strong enough the client shouldn't
be using it.

>> Question to the group: would it be worth adding a flag to show that
>> authentication is no longer possible? Something like:
>>
>>     AUTHINFO - USER SASL:EXTERNAL
> 
> This seems decent at first glance, actually.  (Although I don't know 
> how I feel about the "-" as a special parameter.)

Better something like that than "DONTUSE". I would have suggested
"-AUTHINFO USER SASL:EXTERNAL" except that the first word has to be all
uppercase.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |

More information about the ietf-nntp mailing list