Re: [authmeth] effect of StartTLS on authentication state

[Alexey Melnikov <Alexey.Melnikov@isode.com>]

"Kurt D. Zeilenga" wrote:

> The obvious security consideration is that a client which does:
>         StartTLS+simple
> and a client which does
>         simple+StartTLS
>
> would (assuming both provided the same credentials and the negotiated
> the same security layers, association state diagram were followed)
> achieve the same apparent authorization state and protection levels when,
> in fact, the latter approach is prone to a number of obvious attacks.
>
> For the life of me, I cannot imagine why a client would do
>     simple+StartTLS+modify
> or even
>     simple+StartTLS+search-for-user-application-objects
>
> If the exchanged information is sensitive enough to warrant starting TLS,
> then it follows that password which provides access to that 
> information is
> equally sensitive and should be protected by TLS.
>
> It's my opinion that the RFC 2830, section 5.1.1 absolute
> imperative is inappropriate and actually in conflict with section 3.1.
> Authorization state diagram aside (its not normative), if a client does
> simple+StartTLS+X, the server is free, per section 3.1, to return
> strongAuthRequired for X.  And if 3.1 isn't enough, please consider
> access and administrative control models behavior is a local matter and
> servers are free to return security codes as necessary to implement
> the model they support.  Also, nothing in the LDAP TS should be viewed
> as precluding from lowering the effective access rights or otherwise
> placing restrictions upon clients for this or any other reason.
>
> It is not only reasonable that servers treat StartTLS+simple differently
> than simple+StartTLS, it makes good sense from a security perspective.  I
> believe that the OpenLDAP behavior (which is policy driven) of forcing 
> the
> session to anonymous upon StartTLS has significantly improved the 
> security
> of the Internet.  There are a lot less clients doing simple+StartTLS now
> and that is, IMO, a good thing.
I agree with what Kurt is saying about simple+StartTLS.

However I would like to comment on the original message. IMHO, it would 
be wrong to require that StartTLS will cause the return to anonymous 
state with any SASL mechanism (with the exception of PLAIN). Imagine 
that GSSAPI is used to authenticate and then the client decided to start 
TLS. GSSAPI but itself will be able to protect credentials, and it might 
be more secure than certain TLS ciphers.

> Kurt
>
> At 04:18 PM 7/1/2003, Roger Harrison wrote:
> >A WG member has asked whether the server should drop all knowledge of 
> the connection, i.e. return to anonymous state, if it gets a StartTLS 
> request on a connection that has successfully bound using the simple 
> method. I believe that the intent of section 5 the authmeth draft is 
> clear on this point: if the association is in state S4 (authenticated 
> but no TLS) and the client performs action A3 (sends a Start TLS 
> request), then the next association state is S5 (authenticated with TLS).
> >
> >My understanding of existing implementations leads me to believe that 
> this is the generally accepted understanding of the way this should 
> work.  I can't see any serious security issues with maintaining this 
> behavior. Therefore, I propose that we do not change this 
> requirement.  I will consider adding wording to clarify this point if 
> WG members request it.
> >
> >Please respond with your opinions.

Alexey Melnikov
__________________________________________
Home Page: http://orthanc.ab.ca/mel
IETF standard
related pages: http://orthanc.ab.ca/mel/devel/Links.html
__________________________________________