headers
Nico Williams | 10 Jun 2012 19:52

KDC model and atomicity (was Re: Add. comments on Kdc model, WAS[Re: I-D Action: draft-ietf-krb-wg-kdc-model-12.txt])

I'm quite concerned about the failed authentication count and last
failed authentication timestamp fields.  Their purpose is, clearly, to
implement N-strikes-you're-locked.  Setting aside the wisdom of such
policies, I have a fundamental objection to the prescriptive nature of
the I-D regarding implementation: the prescribed implementation design
requires atomic increment operations on the KDB, something that is
rather difficult to obtain, has far reaching design and operational
considerations, and is unnecessary to the implementation of
N-strikes-you're-locked.

Specifically I object to any requirement, particularly any implied
requirement, that a KDC support atomic operations on principal
records.  We have never before had such a requirement, and to add it
now for a controversial feature (a DoS, for goodness' sake) is... not
acceptable.

I also object to the idea that the only correct  (required to
implement) response to password guessing attacks is to lock the
principal.  Other possibilities include: delay replies to AS-REQs for
principals under attack (Hank's suggestion, IIRC), bring forward
password expiration for the principal, or inform the affected user /
ask them if the failed login attempts are theirs or not.

I understand that LDAP is supposed to support such operations, but we
all know of at least one major implementation that does not implement
such atomicity.  Moreover, just because LDAP is supposed to provide
for atomic modify operations does not mean that it's a good idea to
rely on that feature, or that it's easy to implement it....  LDAP
atomic modifies imply either single mastering (possibly with
elections), single mastering individual objects, a distributed locking
(Continue reading)

Permalink | Reply |
headers
Leif Johansson | 10 Jun 2012 21:39
Picon
Gravatar

Re: KDC model and atomicity (was Re: Add. comments on Kdc model, WAS[Re: I-D Action: draft-ietf-krb-wg-kdc-model-12.txt])


> Specifically I object to any requirement, particularly any implied 
> requirement, that a KDC support atomic operations on principal 
> records.  We have never before had such a requirement, and to add
> it now for a controversial feature (a DoS, for goodness' sake)
> is... not acceptable.

I hadn't thought of this aspect. FTR I agree with your objection.
Permalink | Reply |
headers
Sam Hartman | 11 Jun 2012 15:44
Picon
Favicon

Re: KDC model and atomicity

>>>>> "Leif" == Leif Johansson <leifj <at> mnt.se> writes:

    >> Specifically I object to any requirement, particularly any implied 
    >> requirement, that a KDC support atomic operations on principal 
    >> records.  We have never before had such a requirement, and to add
    >> it now for a controversial feature (a DoS, for goodness' sake)
    >> is... not acceptable.

    Leif> I hadn't thought of this aspect. FTR I agree with your objection.
    Leif> _______________________________________________

Leif, I'm confused because I'd like to understand what in the current
text leads to a requirement for atomicity.
The current text has a failed authentications count (and we're adding
one that can be reset).

To me, that means a schema must be able to map to/from that attribute in
the data model.
It's entirely reasonable for a schema to store more information so long
as the mapping exists.
Nico has proposed an excellent mapping of this attribute to LDAP: a list
of failed authentications.
What in the current text prohibits that?
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Permalink | Reply |
headers
Nico Williams | 11 Jun 2012 22:41

Re: KDC model and atomicity

On Mon, Jun 11, 2012 at 8:44 AM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
> Leif, I'm confused because I'd like to understand what in the current
> text leads to a requirement for atomicity.

The failed authentication count attribute.  I suppose we could say
that it's a virtual attribute whose value may be computed from other
sources, then there'd be no atomicity implication.

> To me, that means a schema must be able to map to/from that attribute in
> the data model.

Resetting a virtual failed auth count attribute sounds more like an
operation in LDAP speak than like a modify.  I suppose nothing in the
LDAP specs forbids this, but note that it may not be possible to
explicitly assign any value other than zero to this attribute.

> It's entirely reasonable for a schema to store more information so long
> as the mapping exists.

That's a fair point.

Nico
--
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Permalink | Reply |
headers
Sam Hartman | 11 Jun 2012 23:08
Picon
Favicon

Re: KDC model and atomicity

>>>>> "Nico" == Nico Williams <nico <at> cryptonector.com> writes:

    Nico> On Mon, Jun 11, 2012 at 8:44 AM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
    >> Leif, I'm confused because I'd like to understand what in the current
    >> text leads to a requirement for atomicity.

    Nico> The failed authentication count attribute.  I suppose we could say
    Nico> that it's a virtual attribute whose value may be computed from other
    Nico> sources, then there'd be no atomicity implication.

Hmm.  I thought the difference between a schema and data model implied
this.  If there is ambiguity I'd prefer to clarify that so long as the
data is representend in the schema, how it is done is up to the
schema. I think even calling out issues like avoiding atomicity would be
reasonable. But I'd prefer for it to be global not just focused on this
one issue.
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Permalink | Reply |
headers
Nico Williams | 11 Jun 2012 23:41

Re: KDC model and atomicity

On Mon, Jun 11, 2012 at 4:08 PM, Sam Hartman <hartmans-ietf <at> mit.edu> wrote:
>    Nico> The failed authentication count attribute.  I suppose we could say
>    Nico> that it's a virtual attribute whose value may be computed from other
>    Nico> sources, then there'd be no atomicity implication.
>
> Hmm.  I thought the difference between a schema and data model implied
> this.  If there is ambiguity I'd prefer to clarify that so long as the
> data is representend in the schema, how it is done is up to the
> schema. I think even calling out issues like avoiding atomicity would be
> reasonable. But I'd prefer for it to be global not just focused on this
> one issue.

Well, LDAP's meta-schema is limited to the needs of LDAP as an access
protocol.  It doesn't address all sorts of things, such as computed
attributes, referential integrity, triggers, and so on.  This document
isn't specific to LDAP, I know, but LDAP might be foremost in readers'
minds.

Perhaps we can just add a minor amount of text saying something to the
effect that some/all schema elements from the model may well be
computed and/or mapped not only to another schema's elements, but also
to operations.

Nico
--
_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Permalink | Reply |
headers
Leif Johansson | 13 Jun 2012 14:57
Picon
Gravatar

Re: KDC model and atomicity


> To me, that means a schema must be able to map to/from that
> attribute in the data model. It's entirely reasonable for a schema
> to store more information so long as the mapping exists. Nico has
> proposed an excellent mapping of this attribute to LDAP: a list of
> failed authentications. What in the current text prohibits that?

Because if you need it to be reset at each successful authn then
if C(lient) talks to K1 and first fails n-1 times, then succeeds
once and fails once and if K2 receives status updates from K1 then
if the message about the success arrives after the message about
the last failure then a mgmt client talking to K2 could lock
the user before the success message arrived at K2 to reset the
counter. I'm not sure how mapping the attribute helps there...

	Cheers Leif
Permalink | Reply |
headers
Simo Sorce | 13 Jun 2012 15:41
Picon
Favicon

Re: KDC model and atomicity

On Wed, 2012-06-13 at 14:57 +0200, Leif Johansson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > To me, that means a schema must be able to map to/from that
> > attribute in the data model. It's entirely reasonable for a schema
> > to store more information so long as the mapping exists. Nico has
> > proposed an excellent mapping of this attribute to LDAP: a list of
> > failed authentications. What in the current text prohibits that?
> 
> Because if you need it to be reset at each successful authn then
> if C(lient) talks to K1 and first fails n-1 times, then succeeds
> once and fails once and if K2 receives status updates from K1 then
> if the message about the success arrives after the message about
> the last failure then a mgmt client talking to K2 could lock
> the user before the success message arrived at K2 to reset the
> counter. I'm not sure how mapping the attribute helps there...

FWIW we currently do note replicate the account lock/success status in
our LDAP setups, because it completely kills replication infrastructure.

Simo.

--

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
(Continue reading)

Permalink | Reply |
headers
Jeffrey Hutzelman | 13 Jun 2012 23:55
Picon
Favicon

Re: KDC model and atomicity

On Wed, 2012-06-13 at 09:41 -0400, Simo Sorce wrote:
> On Wed, 2012-06-13 at 14:57 +0200, Leif Johansson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > 
> > > To me, that means a schema must be able to map to/from that
> > > attribute in the data model. It's entirely reasonable for a schema
> > > to store more information so long as the mapping exists. Nico has
> > > proposed an excellent mapping of this attribute to LDAP: a list of
> > > failed authentications. What in the current text prohibits that?
> > 
> > Because if you need it to be reset at each successful authn then
> > if C(lient) talks to K1 and first fails n-1 times, then succeeds
> > once and fails once and if K2 receives status updates from K1 then
> > if the message about the success arrives after the message about
> > the last failure then a mgmt client talking to K2 could lock
> > the user before the success message arrived at K2 to reset the
> > counter. I'm not sure how mapping the attribute helps there...
> 
> FWIW we currently do note replicate the account lock/success status in
> our LDAP setups, because it completely kills replication infrastructure.

As it turns out, regardless of whether failed-auth status is fully
replicated, fully independent, or propagated only from the master to the
slaves, it is possible for a given set of policy parameters to compute
an upper bound on the number of tries an attacker gets before the
lockout or throttling mechanism prevents any further tries.

It is certainly possible to apply a hand-wavy "three strikes" policy, in
(Continue reading)

Permalink | Reply |
headers
Nico Williams | 14 Jun 2012 00:43

Re: KDC model and atomicity

On Wed, Jun 13, 2012 at 4:55 PM, Jeffrey Hutzelman <jhutz <at> cmu.edu> wrote:
> As it turns out, regardless of whether failed-auth status is fully
> replicated, fully independent, or propagated only from the master to the
> slaves, it is possible for a given set of policy parameters to compute
> an upper bound on the number of tries an attacker gets before the
> lockout or throttling mechanism prevents any further tries.

However, the user experience may not be as deterministic.  I'm
referring here not to lockout but to unlock upon successful
authentication.  Failed auth counts might accumulate on some KDCs but
not others and sometimes the user may get lockout errors and other
times it just works.  I want the user experience not to suck.

> In any case, what we're talking about right now is a data model.  It's
> supposed to provide a _model_ of the data the KDC needs to do its job,
> or rather the subset of that data which we might want to observe and
> manage in a standardized way.  It does not need to be all-inclusive; a

The key here being about what we want to observe and manage.  We only
need to manage:

 - policy (value of N)

 - unlock a principal

We do not need to manage the count of failed authentication attempts.
That's an implementation detail.  We may need to observe it.

Given that I think it'd be good to leave this attribute in place but
describe it as read-only.
(Continue reading)

Permalink | Reply |
headers
Greg Hudson | 10 Jun 2012 22:25
Picon
Favicon

Re: KDC model and atomicity

I agree that N-strikes lockout, implemented through counters in the KDB, 
is not the final word on how one should respond to a password-guessing 
attack, and we don't want to carve it in stone.

The simplest, and possibly best, thing to say about lockout in the 
information model is nothing.  Of course, that doesn't help us get to 
the point of interoperating on administrative operations related to 
lockout (policy-setting and administrative unlock)--but that can always 
be the subject of future revisions to the model (or schema, or admin 
protocol).

_______________________________________________
ietf-krb-wg mailing list
ietf-krb-wg <at> lists.anl.gov
https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Permalink | Reply |
headers
Leif Johansson | 11 Jun 2012 00:08
Picon
Gravatar

Re: KDC model and atomicity


On 06/10/2012 10:25 PM, Greg Hudson wrote:
> I agree that N-strikes lockout, implemented through counters in the
> KDB, is not the final word on how one should respond to a
> password-guessing attack, and we don't want to carve it in stone.
> 
> The simplest, and possibly best, thing to say about lockout in the 
> information model is nothing.  Of course, that doesn't help us get
> to the point of interoperating on administrative operations related
> to lockout (policy-setting and administrative unlock)--but that can
> always be the subject of future revisions to the model (or schema,
> or admin protocol).

Well I think Nicos point was that you can't even implement the attribute
in question wo transactions across all KDCs in a realm.
Permalink | Reply |
headers
Nico Williams | 11 Jun 2012 02:47

Re: KDC model and atomicity

On Sun, Jun 10, 2012 at 5:08 PM, Leif Johansson <leifj <at> mnt.se> wrote:
> On 06/10/2012 10:25 PM, Greg Hudson wrote:
>> I agree that N-strikes lockout, implemented through counters in the
>> KDB, is not the final word on how one should respond to a
>> password-guessing attack, and we don't want to carve it in stone.
>>
>> The simplest, and possibly best, thing to say about lockout in the
>> information model is nothing.  Of course, that doesn't help us get
>> to the point of interoperating on administrative operations related
>> to lockout (policy-setting and administrative unlock)--but that can
>> always be the subject of future revisions to the model (or schema,
>> or admin protocol).
>
> Well I think Nicos point was that you can't even implement the attribute
> in question wo transactions across all KDCs in a realm.

But Greg's is that our concern here should be about interop w.r.t.
administration.  I think that's clarifying.  I think we want to say
that there should be a way to set a policy indicating what action to
take when password guessing attacks are detected, and roughly how to
detect them while not being prescriptive about implementation.  In
other words, maybe we need a max number of failed password pre-auth
attempts as a *policy*, and we should refrain from specifying any
attributes regarding how the KDCs keep track of that number.  I'd be
happy with that.

Nico
--
_______________________________________________
ietf-krb-wg mailing list
(Continue reading)

Permalink | Reply |
headers
Leif Johansson | 11 Jun 2012 11:52
Picon
Gravatar

Re: KDC model and atomicity


On 06/11/2012 02:47 AM, Nico Williams wrote:
> On Sun, Jun 10, 2012 at 5:08 PM, Leif Johansson <leifj <at> mnt.se>
> wrote:
>> On 06/10/2012 10:25 PM, Greg Hudson wrote:
>>> I agree that N-strikes lockout, implemented through counters in
>>> the KDB, is not the final word on how one should respond to a 
>>> password-guessing attack, and we don't want to carve it in
>>> stone.
>>> 
>>> The simplest, and possibly best, thing to say about lockout in
>>> the information model is nothing.  Of course, that doesn't help
>>> us get to the point of interoperating on administrative
>>> operations related to lockout (policy-setting and
>>> administrative unlock)--but that can always be the subject of
>>> future revisions to the model (or schema, or admin protocol).
>> 
>> Well I think Nicos point was that you can't even implement the
>> attribute in question wo transactions across all KDCs in a
>> realm.
> 
> But Greg's is that our concern here should be about interop w.r.t. 
> administration.  I think that's clarifying.  I think we want to
> say that there should be a way to set a policy indicating what
> action to take when password guessing attacks are detected, and
> roughly how to detect them while not being prescriptive about
> implementation.  In other words, maybe we need a max number of
> failed password pre-auth attempts as a *policy*, and we should
> refrain from specifying any attributes regarding how the KDCs keep
> track of that number.  I'd be happy with that.
(Continue reading)

Permalink | Reply |

Gmane