These Minutes are a rough draft only - Megan 04/03/92 Common Authentication Technology (CAT) meeting minutes, San Diego IETF, 16-17 March 1992 [Note: Jeff Schiller took an additional set of meeting notes which include pictures and which are available (in PostScript form) by anonymous FTP from bitsy.mit.edu with pathname: /cat-ietf/cat-wg-mar92-jis-picurenotes.ps ] The March CAT meetings included discussion of standards advancement plans, and of interface extension requests made by ICL in support of ECMA authorization architecture. Most of the discussion was spent, however, on the evolving topic of a unified Internet authentication mechanism hybridizing Kerberos secret-key and DASS public-key technologies. STANDARDS AND ROLLOUT PLAN John Linn led a standards plan discussion, the result of which was a decision to recommend the GSS-API interface specifications for advancement to proposed standards. We anticipate that Kerberos and DASS specifications, as well as a specification for the planned unified mechanism, will follow in succession onto the standards track. Two previously-cited technical topics regarding GSS-API were raised in this discussion: (1) the prospect of additional interfaces oriented to stream-oriented integration (as with UNIX(tm) sockets), tabled as being separately definable later in an upwardly-compatible fashion, and (2) the prospect of adding callouts so that user input (e.g., for passwords or hand-held authenticator information) could be collected at context establishment time. (2) was tabled because of lacking implementation experience, possible OS-specificity of approaches, and consideration that such data might more securely be acquired through end system trusted path facilities than via application mediation. ICL COMMENTS AND ECMA SECURITY ARCHITECTURE P. Rajaram stood in for Piers McMahon of ICL (who was unable to attend the meeting) in leading a discussion based on Piers' message as forwarded to the mailing list. Piers' message proposed interface extensions (GSS_Modify_Cred and GSS_Get_Attributes primitives) to support authorization features of the ECMA security architecture (as described in ECMA reports TR/46, TR/138), and Raj presented an overview of that architecture, the slides from which are included as an appendix to these minutes. Interest was expressed in the prospect of having the ECMA reports available in FTP-accessible on-line form. In group discussion, it was recognized (consistent with discussion at the SAAG) that specific authorization support features, and related extensions in support thereof, would comprise a likely area for future IETF security work. Such work would consider not only ECMA inputs but also contributions from the Kerberos community as well as other sources, selecting an approach or defining a core intersection of multiple approaches. Any and all relevant inputs would be solicited. As with other Internet standards, prototyping results would be necessary for advancement. Lacking a concrete Internet community decision to adopt the ECMA architecture, no decision to incorporate the ECMA extension requests at this time was taken. Raj suggested that it might be useful to convene a BOF at a subsequent IETF meeting to further familiarize interested IETF participants with the ECMA architecture. Specific points raised in ECMA-related discussion: To acquire a Privilege Attribute Certificate (PAC), a subject contacts a server. The PAC contains a sequence of attribute triples {type, authority, value} which govern the ways in which the PAC can be used, and an audit ID which alows audit accountability for actions independent of the privileges on which access controls are based, among other elements. Confusion was expressed about the circumstances under which a PAC must be confidentiality-protected in transfer, and about whether concurrent and separate authentication was necessary in order to demonstrate oneself as an authorized user of a particular PAC. Some of the answers were thought to depend on the particular attributes bound into the PAC, per definitions in ECMA TR/138. UNIFIED AUTHENTICATION MECHANISM John Linn gave an overview of goals for the effort, Charlie Kaufman and Cliff Neuman presented alternative technical options, and Jeff Schiller led a discussion to collect requirement and priorities inputs to be considered in selecting among available alternatives. OVERVIEW OF EFFORT John's overview slides contained the following points: DASS-Kerberos Unification: How Did We Get Here? - Cross-mechanism portability addressed in CAT - Suggestion at Santa Fe SAAG: support universal interoperability for strong Internet authentication - Kerberos and DASS designers and architects met in a series of interim meetings Where are we going? - Internet-Draft documentation of hybrid mechanism to fit under CAT/GSS-API framework - Ability to migrate applications from already-defined mechanisms to hybrid when available - Common token format which can accommodate both public-key and secret-key authentication processes Premises - Domains and endpoints can be built native to Kerberos-like secret-key and DASS-like public-key technologies; all endpoints can interoperate - Support for user, host, and process principals, represented by cryptographic keys - Global naming (plan: X.500 Distinguished Names as basis within mechanism), trust path tied to naming hierarchy Goals - PEM X.509 certificate infrastructure usable as a basis for scaling - Domains equipped with public-key technology can operate without establishing on-line authentication servers - Domains can be constructed without public-key technology - Self-sufficient startup: can form a domain in isolation and later incorporate it into the broader hierarchy - Can transport user-provided data (undefined by us) restricting the use of authentication tokens - Avoid need for endpoints to contact foreign-mode support servers (KDCs, certificate stores, ...) Strong Authentication - Successful authentication requires either: -- current possession of principal's key -- principal's authorization to act for principal with other (short-term) key + demonstration of that key - Intercepted tokens can't be used by attackers to build new tokens for masquerade, or be successfully replayed outside narrow window Four Directions - (We believe all can be made to work, and seek to resolve priorities and tradeoffs) -- SK endpoints add complexity to interwork with PK -- PK endpoints add complexity to interwork with SK -- "Client makes right" -- "Server makes right" Issues and Tradeoffs - Interoperability with existing/emerging technology bases - What entities can accommodate complexity and performance demands? - What entities can and can't be changed feasibly? - What entities must perform what crypto-functions? ALTERNATIVE TECHNICAL APPROACHES Charlie noted that support for interoperability between Kerberos-native and DASS-native authentication peers wasn't (unlike cross-mechanism portability) a chartered goal of GSS-API, and that it was a positively surprising result to discover upon investigation that such support within a unified mechanism below the interface in fact appeared to be possible, via any of several approaches. We confirmed the fact that the ability to support global scaling was intended. Charlie's presented approach has the following characteristics: - SK endpoints need not perform RSA operations or communicate with certificate stores - PK endpoints need not communicate with KDCs and the security of authentication between PK endpoints cannot be compromised by faulty KDCs It imposes the following impacts on particular system components: - no impact on SK client - PK clients and servers must be able to end treewalks at a GKDC and use that GKDC's key in token generation and processing - SK server must interact with KDC to process incoming tickets arriving from PK domains - GKDC must be able to create and open PK tickets The fact of crossing from a public-key to a secret-key domain (or vice versa) needs to be determinable in a trusted fashion; naming prefix rules play an important part in this determination. Cliff Neuman began the second CAT session by presenting an approach which matched Charlie's for the case of an SK client accessing a PK server, using tickets signed with the private key of a GKDC and integrable into the unified ticket format. It was observed that adoption of the unified format (in contrast, e.g., to use of Kerberos V5 tokens for SK cases) would require some level of change to all presently-extant peer systems. Cliff presented an alternative approach for the case of a PK client accessing a SK server. A goal of this alternative was to avoid the need for a SK server to contact the GKDC, since such communication requires that the SK server be stateful in a manner divergent from the current Kerberos operational model. Cliff's proposal included a "Gateway Certificate Distribution Center" or GCDC, to which PK clients would DASS-authenticate and would receive, in response, a Kerberos ticket for the target SK server along with an associated encrypted session key. The GCDC, not the target server, would mediate interactions with intermediary SK authentication servers. In order to support both SK->PK and PK->SK accesses under this model, both GKDCs and GCDCs would be required; while these functions are logically distinct, they could likely be colocated. Cliff summarized the impact which his proposal would impose on particular system components as follows: - no impact on SK client - PK client must use different protocol in interacting with the last CDC in an outbound chain - no impact on SK server - PK server impact equivalent to Charlie's proposal - GKDC and GCDC must be able to create and open PK and SK tickets on behalf of clients REQUIREMENTS/PRIORITIES EVALUATION Jeff Schiller led a discussion at the end of the meeting with a goal of soliciting group inputs on requirements and priorities for the unified mechanism. We created a comparison matrix, and the exercise's results served to validate many of the assumptions adopted by the designers. In particular, the group showed popular acceptance for the idea of a dual-mode approach which employs PK and SK techniques for different cases. It was noted that allocation of computationally-intensive functions among components would be an additional useful metric, though not one which was included within this analysis. Criteria included: - free availability of software, in terms of licensing, anonymous FTP-ability (ranked #3 criterion) - availability of source code implementations (ranked #2 criterion) - ability of approach to scale to world (by a broad margin, ranked as #1 criterion) - avoidance of on-line trusted KDCs (ranked #4 criterion) - simplicity/elegance of approach (construed by some attendees as equivalent to verifiability of protocol) - client simplicity (ranked #5 criterion, more important than server simplicity) - server simplicity - compatibility with existing Kerberos (relatively low priority) - compatibility with SPX (lower priority than Kerberos compatibility) APPENDIX: P. RAJARAM SLIDES ON ECMA SECURITY ARCHITECTURE -----1----- rajaram@sun speaking-for piers-mcmahon@icl Motivation: - Extend GSS-API to enhance . Authorization (useful to Kerberos-5) . Delegation (more than just ON/OFF) - Strategy . Don't modify existing API . Add a few new interfaces -----2----- SUMMARY of ECMA SECURITY ARCHITECTURE - European Computer Manufacturers Assoc. - This framework developed by a working group TC-32 / TG-9 - Supports many security models . ACL based . Capability based . Label based (MAC) & . Extensible combinations of above - 10 security facilities . promote modularity . support interdomain security . allow interoperability -----3----- The 10 SECURITY FACILITIES . Authentication Service . Privilege Service . Subject Sponsor . Cryptographic Service . Secure Association . Authorization Service . Interdomain Service . Audit . Security Recovery . Security State -----4----- Subjects and Objects Subjects access Objects Subjects and Objects have Security Attributes Subject Privilege Attributes . Identity, Group . Role . Clearance Object Control Attributes . ACLs . Information Labels . Classifications Ultimately, access is granted only if the Subject's privilege attributes "dominate" the Object's control attributes. -----5----- Privilege Attribute Certificate Contains: . a Sequence of Attributes { Type, Authority, Value } . Validity times . Contained PACs . Audit identity . Signing Authority name (Domain authority) . Signature The last two are required. -----6----- Simple Model +-----+ | APS | Authentication and +-----+ Privilege Service ^ | Auth | | PAC | v +---------+ +--------+ | Subject |------------------------>| Object | +---------+ \ PAC +--------+ \ \ +--------+ \------------------->| Object | PAC +--------+ 1) Subject authenticates itself to APS 2) Subject receives PAC 3) Subject offers PAC to Object and receives requested service. A PAC contains both Identification AND Authorization info. -----7----- . A PAC need not contain a Subject Identifier. . An anonymous PAC may contain only a security clearance, and an audit ID. . This may be enough to authorize access. . Kerberos 5 and Kerberos/DCE can benefit from proposed API -----8----- Proposed API (greatly simplified) GSS-Modify-Credentials . [In] Cred handle . [In] { Attributes & Values} ... . [In/Out] Credentials GSS-Get-Attributes . [In] Cred handle . [In] Requested Attributes . [Out] Returned {Attributes & Values} -----9----- Discussion: . GSS-API: for authentication only ? . Allow for ECMA, in addition to Kerberos & DASS ? . CAT --> CAAT . ECMA BOF ?