help-shishi

Re: Shishi and Ca certificate


From: Simon Josefsson
Subject: Re: Shishi and Ca certificate
Date: Fri, 12 Jan 2007 15:49:19 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.92 (gnu/linux)

Alberto Fondi <address@hidden> writes:

> Hi group,
>
>    I have a question. When I start shishid with gnutls to support
> authentication with certificates I must provide the paths for shishid
> certificate, its private key and the CA certificate. But shishi (the
> client) looks only for its certificate and private key and not for the
> CA certificate. In this way the client can authenticate toward the
> KDC, the KDC toward the client, but while the KDC can verify that the
> client certificate was issued by a valid CA, the client can't!
>
> Is it correct?

Hi!  Yes, that's right.  The X.509 authentication stuff in Shishi is
experimental.  I have improved this somewhat in CVS, it will now read
a CA cert from "client.ca" and try to verify the server cert after
connections.

> Can the client be exposed to a KDC impersonation attack?
>
> If it is wrong, can you please explain?

I'm not sure this conclusion holds.  You can't fully impersonate the
KDC without knowing the client's Kerberos encryption key (to build the
proper response, which is what the client trusts) and maybe even the
client's private key (which would be needed when talking to the real
KDC).  Right now, the Kerberos encryption key is still used to encrypt
the response from the KDC within the TLS channel.

You can become a man in the middle, yes, but that is equivalent to
being a man in the middle for Kerberos today, which is possible but
doesn't gain you anything that Kerberos was designed to protect
against.  However, Kerberos over TLS was intended to protect against
passive snooping, and that property would be violated here!

When this part of Shishi matures, when the TLS channel is used
(together with a channel binding, and essentially a NULL encryption in
the Kerberos layer), verification of the CA certificate in the client
will become important for correct and secure operation.

Thanks,
Simon



