Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kerberos PKINIT: what, why, and how (to break it) [FOSDEM 2023]

Fraser Tweedale
February 04, 2023
Technology
0
48

Kerberos PKINIT: what, why, and how (to break it) [FOSDEM 2023]

The Kerberos PKINIT extension replaces password authentication with X.509 PKI. This bring some advantages but also new risks. This presentation explains and demonstrates how PKINIT works, and presents a novel attack against FreeIPA's PKINIT implementation.

Kerberos is an authentication and single sign-on protocol based on symmetric cryptography. To avoid the drawbacks and risks of passwords, the PKINIT protocol extension enables clients to authenticate using public key cryptography and X.509 certificates. To further improve security, private keys can reside and signing/decrytion operations can be performed on hardware cryptographic tokens (smart card, PIV, TPM, etc).

I will start the talk with a brief overview of the core Kerberos protocol. Next I will explain how the PKINIT extension works, and demonstrate how to set up and use PKINIT in a FreeIPA environment. (FreeIPA is a free software identity management system that includes MIT Kerberos and Dogtag PKI.)

Finally I will discuss some of the risks that arise when using PKINIT, and security considerations for implementers and deployers. I will present and demonstrate a recently discovered PKINIT security flaw in some older (but still supported) versions of FreeIPA.

Fraser Tweedale

February 04, 2023
Tweet

More Decks by Fraser Tweedale

See All by Fraser Tweedale
A tax combinator library could be useful for Rules-as-Code [lightning talk]
frasertweedale
0
23
Kerberos PKINIT: what, why, and how (to break it) [Everything Open 2023]
frasertweedale
0
18
Send in the chown()s - systemd containers in user namespaces
frasertweedale
0
22
systemd containers on OpenShift
frasertweedale
0
150
Clevis and Tang: Securing your Secrets at Rest
frasertweedale
0
880
Lazy lists in the Brick TUI library
frasertweedale
1
160
Defect to Doctrine: Security Bug Case Studies
frasertweedale
0
110
Taming the C Monster: Haskell FFI Techniques
frasertweedale
2
660
No Way JOSE: Lessons for authors and implementers of open standards
frasertweedale
1
67

Other Decks in Technology

See All in Technology
カーネルコードの歩き方
sat
PRO
3
2.5k
ChatGPTがもたらす新しいチーム開発の現場
satoshirobatofujimoto
0
160
C# の async/await は実際にどうやって動いているか
nenonaninu
3
9.8k
Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence
heirhabarov
1
480
CloudWatch複合アラームでELBの5XXをいい感じに検知しようとしたらうまくいかなかった話 / cloudwatch alarm elb 5xx
gotok365
0
280
SWEBOK V3からV4への改訂に見るソフトウェアエンジニアリングの発展とソフトウェア保守・進化
washizaki
0
290
ChatGPTを聞き手にしよう
niryuu
0
370
Enabling Developers in a Multi-Cloud World :: GOTO Aarhus 2023
salaboy
0
120
ハッカソンにおけるiOSアプリ開発での学びと楽しさ
ojun9
1
170
Technologists around the campfire: Social audio as a vector for engineering wisdom
bcantrill
0
300
Design insights from unit tests @ itkonekt 2023
victorrentea
0
110
20230525_経営者・マーケティング担当必見!ChatGPTがもたらすマーケティング革命(45min版)_v1.02_共有用・後半パート.pdf
doradora09
0
150

Featured

See All Featured
Happy Clients
brianwarren
90
5.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
A designer walks into a library…
pauljervisheath
199
17k
Web Components: a chance to create the future
zenorocha
304
41k
Visualization
eitanlees
130
12k
Docker and Python
trallard
31
2.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
The Invisible Side of Design
smashingmag
292
49k
The Cult of Friendly URLs
andyhume
70
5.2k
Three Pipe Problems
jasonvnalue
89
9.1k

Transcript

  1. Kerberos PKINIT
    what, why and how (to break it)
    Fraser Tweedale
    @[email protected]
    February 4, 2023

    View Slide

  2. Agenda
    Kerberos overview
    Kerberos PKINIT: overview and demo
    PKINIT security considerations
    Attack demo: CVE-2022-4254

    View Slide

  3. Kerberos - overview
    Authentication protocol based on symmetric cryptography
    Single sign-on: authenticate once, access many services
    Started at MIT (1988), v5 (1993), RFC 41201 (2005)
    Major implementations: MIT Kerberos2, Microsoft Active Directory,
    Heimdal3, FreeIPA4 / Identity Management in RHEL
    1https://www.rfc-editor.org/rfc/rfc4120
    2https://web.mit.edu/kerberos/
    3https://github.com/heimdal/heimdal
    4https://www.freeipa.org

    View Slide

  4. Kerberos - protocol
    Parties: client, Key Distribution Centre (KDC), service
    KDC = Authentication Service (AS) + Ticket Granting Service (TGS)
    Users, services, KDC are represented as principals in a realm
    Each principle has a long-term secret key, shared with the KDC
    users derive it from a password
    hosts/services store it in a file ("keytab")
    Authentication tokens are called tickets

    View Slide

  5. Kerberos - protocol

    View Slide

  6. Kerberos - protocol

    View Slide

  7. Kerberos - protocol

    View Slide

  8. Kerberos - protocol

    View Slide

  9. Kerberos - protocol

    View Slide

  10. Kerberos - protocol

    View Slide

  11. Kerberos - protocol

    View Slide

  12. Kerberos - protocol

    View Slide

  13. Kerberos - protocol

    View Slide

  14. Kerberos - extensions and integrations
    Pre-authentication framework5
    integrate additional authentication mechanisms e.g. OTP6
    GSSAPI mechanism7
    SASL mechanism8
    HTTP authentication (SPNEGO)9
    Authentication Indicator10
    Cross-realm authentication (trusts)
    5RFC 6113 - https://www.rfc-editor.org/rfc/rfc6113
    6https://web.mit.edu/kerberos/krb5-devel/doc/admin/otp.html
    7RFC 4121 - https://www.rfc-editor.org/rfc/rfc4121
    8RFC 4752 - https://www.rfc-editor.org/rfc/rfc4752
    9RFC 4178 - https://www.rfc-editor.org/rfc/rfc4178
    10RFC 8129 - https://www.rfc-editor.org/rfc/rfc8129

    View Slide

  15. Kerberos - advantages
    Single sign-on: improve efficiency, reduce password fatigue
    Client exposes long-term secret only once (until TGT expires)
    Resistant to replay attacks
    Works well for HTTP and "bare" network protocols

    View Slide

  16. Kerberos - problems
    Passwords are not great
    Password / keytab rotation is burdensome

    View Slide

  17. PKINIT - overview
    Public Key Cryptography for Initial Authentication in Kerberos11
    Client uses asymmetric cryptography to authenticate to KDC
    Client presents X.50912 certificate and signs message
    KDC verifies certificate, signature and client binding
    KDC encrypts response using either:
    Diffie-Hellman (DH) or analogous key agreement algorithm
    other public-key encryption algorithm
    11RFC 4556 - https://www.rfc-editor.org/rfc/rfc4556
    12RFC 5280 - https://www.rfc-editor.org/rfc/rfc5280

    View Slide

  18. PKINIT - protocol

    View Slide

  19. PKINIT - protocol

    View Slide

  20. PKINIT - protocol

    View Slide

  21. PKINIT in FreeIPA
    Default: exact certificate match only
    Optional: certificate mapping rules
    ipa certmaprule-add certmap \
    --maprule "(fqdn={subject_dns_name})"
    Client certs can be signed by internal or third-party CA

    View Slide

  22. PKINIT - user experience
    CLI: kinit -X X509_user_identity=FILE:cert.pem,key.pem
    SSSD can integrate with Linux login managers
    Nice UX for smartcards and 2FA
    Windows offers a similiar experience

    View Slide

  23. Demo

    View Slide

  24. PKINIT - advantages
    No more passwords / client shared secret
    Key can reside on smart-card (e.g. Yubikey) / TPM / HSM
    The rest of the protocol is unchanged

    View Slide

  25. PKINIT - complexities
    X.509 PKI required
    Renewal considerations
    Revocation checking is hard (or time consuming)
    Hardware (e.g. smart cards) → additional cost
    Binding the public key to the principal - how?

    View Slide

  26. PKINIT - key binding
    In addition to validating the client’s signature, the KDC MUST also
    check that the client’s public key used to verify the client’s
    signature is bound to the client principal name specified in the AS-
    REQ as follows:
    1. If the KDC has its own binding between either the client’s
    signature-verification public key or the client’s certificate and
    the client’s Kerberos principal name, it uses that binding.
    2. Otherwise, if the client’s X.509 certificate contains a Subject
    Alternative Name (SAN) extension carrying a KRB5PrincipalName
    (defined below) in the otherName field of the type GeneralName
    [RFC3280], it binds the client’s X.509 certificate to that name.

    View Slide

  27. PKINIT - key binding
    Encode principal name in certificate (KRB5PrincipalName SAN)
    Associate certificate/key with principal in database
    administrative overhead due to renewal/rekey
    Other heuristics; for example:
    if certificate has dNSName SAN, look for that host principal
    if certificate has rfc822Name (email address) SAN, look for the corresonding
    user principal
    Better not mess this up!

    View Slide

  28. CVE-2022-4254

    View Slide

  29. CVE-2022-4254 - what happened?
    LDAP filter injection13
    FreeIPA not vulnerable in default configuration
    only exact certificate match is enabled by default
    Bug introduced in SSSD v1.15.3 and resolved in v2.3.1
    Will also be fixed in of v1.16.6, if/when released
    13CWE-90 - https://cwe.mitre.org/data/definitions/90.html

    View Slide

  30. CVE-2022-4254 - LDAP filter
    (&
    (|
    (objectClass= krbprincipalaux )
    (objectClass=krbprincipal)
    (objectClass= ipakrbprincipal )
    )
    (|
    ( ipaKrbPrincipalAlias = host/[email protected] )
    ( krbPrincipalName : caseIgnoreIA5Match := host/rhel78 -0. [email protected]
    )
    ( fqdn=*.ipa.test )
    )

    View Slide

  31. What if your email address is
    "bogus)(uid=admin)(cn="@ipa.test

    View Slide

  32. . . . and your certmap rule looks like
    (|(mail={subject_rfc822_name})(entryDN={subject_dn})

    View Slide

  33. CVE-2022-4254 - domain takeover
    (&
    (|
    (objectClass= krbprincipalaux )
    (objectClass=krbprincipal)
    (objectClass= ipakrbprincipal )
    )
    (|
    ( ipaKrbPrincipalAlias = [email protected] )
    ( krbPrincipalName : caseIgnoreIA5Match := [email protected])
    )
    (|
    (mail =" bogus)
    ( uid=admin )
    (cn=" @ipa.test)
    (entrydn=CN=alice ,O=IPA.TEST 202211171708)
    )

    View Slide

  34. CVE-2022-4254 - mitigations
    Upgrade to fixed/patched releases of SSSD
    and-list rules are harder to exploit than or-list
    Audit what data get included in certs, and how
    Use exact certificate matching

    View Slide

  35. PKINIT - security considerations
    Properly escape/sanitise all inputs, always.
    Review CA trust, profiles, and validation behaviour
    Which CAs do you trust? Who can issue certificates?
    How do you validate the data that go into a certificate?
    Can attributes be influenced by users or other parties?
    Just because a value is valid does not mean it’s benign
    Key/principal binding is a critical aspect of PKINIT security

    View Slide

  36. Links
    Writeup: https://is.gd/CVE_2022_4254
    Red Hat CVE database:
    https://access.redhat.com/security/cve/CVE-2022-4254

    View Slide

  37. © 2023 Red Hat, Inc.
    Except where otherwise noted this work is licensed under
    http://creativecommons.org/licenses/by/4.0/
    Slides speakerdeck.com/frasertweedale
    Blog frasertweedale.github.io/blog-redhat
    Email [email protected]
    Fediverse @[email protected]

    View Slide