logo_kerberos.gif

Difference between revisions of "Projects/GSSAPI DCE"

From K5Wiki
Jump to: navigation, search
(Add more details on DCE style)
(include api)
Line 81: Line 81:
   
 
==API details==
 
==API details==
  +
<code>
  +
/*
  +
* Sign and optionally encrypt a sequence of buffers. The buffers
  +
* shall be ordered HEADER | DATA | PADDING | TRAILER. Suitable
  +
* space for the header, padding and trailer should be provided
  +
* by calling gss_wrap_iov_length(), or the ALLOCATE flag should
  +
* be set on those buffers.
  +
*
  +
* Encryption is in-place. SIGN_ONLY buffers are untouched. Only
  +
* a single PADDING buffer should be provided. The order of the
  +
* buffers in memory does not matter. Buffers in the IOV should
  +
* be arranged in the order above, and in the case of multiple
  +
* DATA buffers the sender and receiver should agree on the
  +
* order.
  +
*
  +
* With GSS_C_DCE_STYLE it is acceptable to not provide PADDING
  +
* and TRAILER, but the caller must guarantee the plaintext data
  +
* being encrypted is correctly padded, otherwise an error will
  +
* be returned.
  +
* While applications that have knowledge of the underlying
  +
* cryptosystem may request a specific configuration of data
  +
* buffers, the only generally supported configurations are:
  +
*
  +
* HEADER | DATA | PADDING | TRAILER
  +
*
  +
* which will emit GSS_Wrap() compatible tokens, and:
  +
*
  +
* HEADER | SIGN_ONLY_DATA | DATA | PADDING | TRAILER
  +
*
  +
* for AEAD.
  +
*
  +
* The typical (special cased) usage for DCE is as follows:
  +
*
  +
* HEADER | SIGN_ONLY_DATA_1 | DATA | SIGN_ONLY_DATA_2
  +
*/
  +
OM_uint32 KRB5_CALLCONV gss_wrap_iov
  +
(
  +
OM_uint32 *, /* minor_status */
  +
gss_ctx_id_t, /* context_handle */
  +
int, /* conf_req_flag */
  +
gss_qop_t, /* qop_req */
  +
int *, /* conf_state */
  +
size_t, /* iov_count */
  +
gss_iov_buffer_desc *); /* iov */
  +
/*
  +
* Verify and optionally decrypt a sequence of buffers. To process
  +
* a GSS-API message without separate buffer, pass STREAM | DATA.
  +
* Upon return DATA will contain the decrypted or integrity
  +
* protected message. Only a single DATA buffer may be provided
  +
* with this usage. DATA by default will point into STREAM, but if
  +
* the ALLOCATE flag is set a copy will be returned.
  +
*
  +
* Otherwise, decryption is in-place. SIGN_ONLY buffers are
  +
* untouched.
  +
*/
  +
  +
OM_uint32 KRB5_CALLCONV gss_unwrap_iov
  +
(
  +
OM_uint32 *, /* minor_status */
  +
gss_ctx_id_t, /* context_handle */
  +
int *, /* conf_state */
  +
gss_qop_t *, /* qop_state */
  +
size_t, /* iov_count */
  +
gss_iov_buffer_desc *); /* iov */
  +
  +
  +
/*
  +
* Query HEADER, PADDING and TRAILER buffer lengths. DATA buffers
  +
* should be provided so the correct padding length can be determined.
  +
*/
  +
OM_uint32 KRB5_CALLCONV gss_wrap_iov_length
  +
(
  +
OM_uint32 *, /* minor_status */
  +
gss_ctx_id_t, /* context_handle */
  +
int, /* conf_req_flag */
  +
gss_qop_t, /* qop_req */
  +
int *, /* conf_state */
  +
size_t, /* iov_count */
  +
gss_iov_buffer_desc *); /* iov */
  +
  +
/*
  +
* Release buffers that have the ALLOCATED flag set.
  +
*/
  +
OM_uint32 KRB5_CALLCONV gss_release_iov_buffer
  +
(
  +
OM_uint32 *, /* minor_status */
  +
size_t, /* iov_count */
  +
gss_iov_buffer_desc *); /* iov */
  +
</code>
  +
  +
  +
   
 
==Testing plan==
 
==Testing plan==

Revision as of 15:59, 25 November 2008

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


The GSS-API DCE project proposes to add functionality found in SSPI to MIT Kerberos; this functionality includes support for AEAD and support sufficient to implement DCE RPC on top of MIT Kerberos. This project depends on and is a companion to Projects/AEAD encryption API.


Background

SSPI architecture

The SSPI for connection-oriented contexts provides the following service model for per-message protection:

  • Security mechanisms may add small fixed-size padding (less than 8 bytes) to a message.
  • Security mechanisms add fixed size mechanism-specific tokens to messages.
  • Messages may contain data chunks that are encrypted and read_only chunks that are integrity protected but not encrypted.
  • So a message looks like (data+ readonly* pad token), although all the components can be reordered. In particular, when interoperating with GSS-API the token comes at the front.
  • The application gets to control the placement of token, data, read_only and pad chunks both in the input and output; chunks cannot change size.

GSS-API architecture

  • Application passes in a token for per-message protection
  • Gss-API returns a token, typically of a different size.
  • No support for AEAD
  • The application does not control placement or order of chunks.

Supporting DCE RPC

We want to make it easy to implement DCE-RPC against MIT Kerberos:
  • DCE RPC separates the security token information from the confidentiality protected information and places it elsewhere in the network PDU
  • DCE uses AEAD to integrity protect parts of the message that are not confidentiality protected.
  • DCE requires two separate AEAD buffers.
  • DCE manages its own padding.

There are also changes to the context establishment procedure signaled by a DCE_STYLE flag; RFC 4757 briefly describes these changes.

AEAD support

DCE requires adding AEAD support to the GSS mechanism. However an application implementing DCE RPC will typically want in-place encryption APIs that expose significant detail about the structure of the GSS token. For some classes of application, this is desirable. However it is highly undesirable to force an application to pay attention to the details of GSS tokens in order to take advantage of features like AEAD. Doing so increases the probability that the application will depend on some semantic of the token and thus will not be portable across mechanisms.

Basic approach

Two new sets of APIs will be introduced. The first, the gss_iov API is similar to the AEAD encryption API and to SSPI. The second adds support for AEAD while minimizing differences with the original GSS-API.

gss_iov

A new structure is introduced:

typedef struct gss_iov_buffer_desc_struct {

   OM_uint32 type;
   OM_uint32 flags;
   gss_buffer_desc buffer;

} gss_iov_buffer_desc, *gss_iov_buffer_t;

  1. define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)
  1. define GSS_IOV_BUFFER_TYPE_EMPTY 0
  2. define GSS_IOV_BUFFER_TYPE_DATA 1 /* Packet data */
  3. define GSS_IOV_BUFFER_TYPE_HEADER 2 /* Mechanism header */
  4. define GSS_IOV_BUFFER_TYPE_TRAILER 7 /* Mechanism trailer */
  5. define GSS_IOV_BUFFER_TYPE_PADDING 9 /* Padding */
  6. define GSS_IOV_BUFFER_TYPE_STREAM 10 /* Complete wrap token */


  1. define GSS_IOV_BUFFER_FLAG_ALLOCATE 1 /* indicates GSS should allocate */
  2. define GSS_IOV_BUFFER_FLAG_ALLOCATED 2 /* indicates gss_release_iov_buffer should free */
  3. define GSS_IOV_BUFFER_FLAG_SIGN_ONLY 4 /* indicates associated data */

A set of APIs is created that takes an array of gss_iov_buffer_desc structures for per-message operations. Several types of buffers are defined. The header buffer represents mechanism-specific headers added to a security token. In SSPI, this buffer is called the token. The trailer buffer is mechanism-specific security information added to the end of application data; this buffer typically does not exist in SSPI applications. The padding buffer contains padding bytes necessary for block-cipher alignment. Data buffers contain application data to be integrity or confidentiality protected. If the header, data buffers, padding and trailer buffers are concatenated in that order, the resulting token should be a valid input to gss_unwrap.

The SIGN_ONLY flag indicates that a particular data buffer is integrity protected but not encrypted. This buffer can be sent over the wire, or reconstructed by the remote application.

SSPI compatible applications will typically be unable to pass in a trailer buffer. Mechanisms should try to function even when no trailer is available. The Kerberos mechanism can always produce valid output without a trailer, although if a trailer is provided, it may be used.

DCE-RPC is expected to pass in a header, three data buffers (two of them SIGN_ONLY), and potentially padding.

Applications will typically set up their data buffers along with placeholder entries for the other buffers they need and then call gss_wrap_iov_length.

gss_*_aead

API details

/*

* Sign and optionally encrypt a sequence of buffers. The buffers
* shall be ordered HEADER | DATA | PADDING | TRAILER. Suitable
* space for the header, padding and trailer should be provided
* by calling gss_wrap_iov_length(), or the ALLOCATE flag should
* be set on those buffers.
*
* Encryption is in-place. SIGN_ONLY buffers are untouched. Only
* a single PADDING buffer should be provided. The order of the
* buffers in memory does not matter. Buffers in the IOV should
* be arranged in the order above, and in the case of multiple
* DATA buffers the sender and receiver should agree on the
* order.
*
* With GSS_C_DCE_STYLE it is acceptable to not provide PADDING
* and TRAILER, but the caller must guarantee the plaintext data
* being encrypted is correctly padded, otherwise an error will
* be returned.
* While applications that have knowledge of the underlying
* cryptosystem may request a specific configuration of data
* buffers, the only generally supported configurations are:
*
*  HEADER | DATA | PADDING | TRAILER
*
* which will emit GSS_Wrap() compatible tokens, and:
*
*  HEADER | SIGN_ONLY_DATA | DATA | PADDING | TRAILER
*
* for AEAD.
*
* The typical (special cased) usage for DCE is as follows:
*
*  HEADER | SIGN_ONLY_DATA_1 | DATA | SIGN_ONLY_DATA_2
*/

OM_uint32 KRB5_CALLCONV gss_wrap_iov (

   OM_uint32 *,        /* minor_status */
   gss_ctx_id_t,       /* context_handle */
   int,                /* conf_req_flag */
   gss_qop_t,          /* qop_req */
   int *,              /* conf_state */
   size_t,             /* iov_count */
   gss_iov_buffer_desc *);    /* iov */

/*

* Verify and optionally decrypt a sequence of buffers. To process
* a GSS-API message without separate buffer, pass STREAM | DATA.
* Upon return DATA will contain the decrypted or integrity
* protected message. Only a single DATA buffer may be provided
* with this usage. DATA by default will point into STREAM, but if
* the ALLOCATE flag is set a copy will be returned.
*
* Otherwise, decryption is in-place. SIGN_ONLY buffers are
* untouched.
*/

OM_uint32 KRB5_CALLCONV gss_unwrap_iov (

   OM_uint32 *,        /* minor_status */
   gss_ctx_id_t,       /* context_handle */
   int *,              /* conf_state */
   gss_qop_t *,        /* qop_state */
   size_t,             /* iov_count */
   gss_iov_buffer_desc *);    /* iov */


/*

* Query HEADER, PADDING and TRAILER buffer lengths. DATA buffers
* should be provided so the correct padding length can be determined.
*/

OM_uint32 KRB5_CALLCONV gss_wrap_iov_length (

   OM_uint32 *,        /* minor_status */
   gss_ctx_id_t,       /* context_handle */
   int,                /* conf_req_flag */
   gss_qop_t,          /* qop_req */
   int *,              /* conf_state */
   size_t,             /* iov_count */
   gss_iov_buffer_desc *); /* iov */

/*

* Release buffers that have the ALLOCATED flag set.
*/

OM_uint32 KRB5_CALLCONV gss_release_iov_buffer (

   OM_uint32 *,        /* minor_status */
   size_t,             /* iov_count */
   gss_iov_buffer_desc *); /* iov */



Testing plan