[AFS3-std] draft-wilkinson-afs3-rxgk-afs-03 addresses SetCallBackKey

Benjamin Kaduk kaduk@MIT.EDU
Fri, 16 Aug 2013 18:39:30 -0400 (EDT)


I have made an update to the rxgk-afs integration document, but the 
internet-draft submission tool is not letting me finish the submission, 
at the moment.  In particular, the update has the SetCallBackKey now 
providing both a token and a key (and some other details for the 
connection).

For now, I've put the rendered copy up at 
http://web.mit.edu/kaduk/Public/draft-wilkinson-afs3-rxgk-afs-03.txt

On Mon, 4 Mar 2013, Simon Wilkinson wrote:

>
> On 4 Mar 2013, at 17:27, Benjamin Kaduk wrote:
>
> There are other approaches, but they involve you either having to store 
> a key for every user who is accessing the fileserver (rather than just 
> every CM), or having to store which FID was last accessed by which key 
> in order to determine how to encrypt the callback. Neither of these are 
> desirable from an implementation stand point. Using CM identities has 
> the big advantage that the volume of information being tracked by the 
> fileserver for each client isn't dramatically larger, or more complex, 
> than it is today.

I have mostly convinced myself that the server does need to associate a 
key/token with the host entry for a given callback, and in particular the 
callback list for a given fid could contain multiple entries for the same 
host with different keys.

The scenario is: legitimate cache manager calls SetCallBackKey and then 
acquires a callback for the fid, then an attacker spoofs the host/uuid to 
call SetCallBackKey and (re-)acquire a callback for that fid.  The 
fileserver can either break the existing callback when the new 
SetCallBackKey call is made, or store a list of keys for the host and 
accept the new callback.  Clearly, in the latter case, we need to have two 
callback entries for the fid, one for the real host and one for the 
attacker.  The former case is less clear-cut, but having the key handy 
might make breaking just those callbacks easier.  The latter case might 
limit the scope of damage an attacker could perform, though I'd need to 
think about it more.

In any case, I am inclined to require that calls generating extended 
callback promises must be performed using a combined token including the 
cache manager identity, and only the cache manager identity (a 
single-identity token) should be used for the SetCallBackKey.  We may need 
to adjust the AFSCombineTokens text slightly to enforce this; I think we 
currently only say that cache managers with multiple users SHOULD provide 
token1 as a CM token, but do not restrict other uses of token1.  Requiring 
that token1's identity be a single host-based name seems like a matter for 
application policy, not a protocol-level constraint, so I did not add 
any text of that nature.

A solution that required an exact match between the identities for 
SetCallBackKey and XCB-generating calls (that is, one which requires a 
combined token to be used for SetCallBackKey when combined tokens are in 
use, so that there would be as many XCB connection keys as users on the 
machine) should be functional, but seems to add a potentially large amount 
of overhead for minimal (if any?) benefit.

-Ben