IPP> Minutes of IPP Working Group Meeting [about Validate-Job security challenges]

IPP> Minutes of IPP Working Group Meeting [about Validate-Job security challenges]

Carl Kugler kugler at us.ibm.com
Mon Mar 19 11:45:39 EST 2001


Ira-

I'm still not following you.

Ira wrote:
>
>Hi Carl,
>
>Right, "WWW-Authenticate" as you say is a (server-generated)
>response element.
>
So, I think we've established that 1) and 2) below are wrong as written.  Could you please rewrite them to make sense?

>The point about (1) below (client acquiring an initial 'nonce'
>value by a Get-Printer-Attributes initial operation) is that
>HTTP/1.1 Digest (according to RFC 2617) ONLY providesprotection
>realms at the level of the Request-URI (the IPP Printer in our
>case) and NOT at the level of individual operations within that
>URI.
>
But the nonce is opaque to the client, and the server is free to construct
the nonce such that it may only be used from a particular client, for a
particular resource, for a limited period of time or number of uses, or any
other restrictions.   So a nonce acquired for a Get-Printer-Attributes MAY
be useless for a Print-Job.

>So if an IPP Printer is going to ever require authentication
>on ANY operation via a particular IPP/HTTP URL, then it MUST
>require authentication for EVERY operation (not just selectively),
>although the IPP Printer can choose to only require authentication
>on the FIRST operation.  But it's not conformant to RFC 2617 to
>allow the first operation without any authentication (Digest
>challenge in our case) and then issue a challenge on some
>subsequent operation in the same HTTP connection/session.
>
I can't find this in the spec.  In particular, depending on sever (Printer)
policy, a client MAY be able to supress a challenge by preemptively
including an "Authorization" header reusing credentials cached from an
earlier request (whether or not that request was on the same connection).

     -Carl

>Cheers,
>- Ira McDonald, consulting architect at Sharp and Xerox
>  High North Inc
>
>
>-----Original Message-----
>From: Carl Kugler [mailto:kugler at us.ibm.com]
>Sent: Friday, March 16, 2001 2:31 PM
>To: McDonald, Ira
>Cc: Hastings, Tom N; ipp at pwg.org
>Subject: RE: IPP> Minutes of IPP Working Group Meeting [about
>Validate-Job security challenges]
>
>
>
>Umm, I think I mistakenly substituted "WWW-Authenticate" for
>"Authorization" in my last message.  WWW-Authenticate is a response header,
>while Authorization is a request header, right?  I'm not sure I understand
>what the client is sending in 1) below.
>
>     -Carl
>
>
>
>
>"McDonald, Ira" <imcdonald at sharplabs.com> on 03/16/2001 02:57:03 PM
>
>To:   Carl Kugler/Boulder/IBM at IBMUS, "Hastings, Tom N"
>      <hastings at cp10.es.xerox.com>
>cc:   ipp at pwg.org
>Subject:  RE: IPP> Minutes of IPP Working Group Meeting [about Validate-Job
>           security challenges]
>
>
>
>Hi Carl,
>
>I think there's some merit in your "Expect: 100-continue" proposal.
>
>I spent several hours yesterday reading RFC 2617 (HTTP Basic and
>Digest Authentication) in its entirety.  Taking legal behavior
>from RFC 2617, let me suggest the following:
>
>1)  An IPP Client always acquires a (server-side) 'nonce' at
>    the beginning of a new session/connection by sending a
>    "WWW-Authenticate" header with a Get-Printer-Attributes
>    request (for example).
>
>2)  When the IPP Client wants to print a job (or cancel a job
>    or whatever), it uses your "Expect: 100-continue" but it
>    ALSO forces a new challenge (if the server requires one)
>    by unilaterally sending a "WWW-Authenticate" header using
>    the previously acquired (server-side) 'nonce' (which is
>    always legal, per RFC 2617).
>
>3a) If the (server-side) 'nonce' has _not_ expired (time-based
>    or single use), the IPP Printer simply accepts the new
>    Print-Job, Cancel-Job, etc., HTTP request and sends the
>    continue back to the IPP Client and the IPP Client proceeds.
>
>3b) If the (server-side) 'nonce' _has_ expired, then the IPP
>    Printer issues a new challenge with a new 'nonce' value
>    in the continue response, and again the IPP Client proceeds.
>
>There are many weak points in HTTP Digest (as RFC 2617 clearly states),
>but MOST of the worst weak points are fixed by the IPP Client using
>the optional (client-side) 'cnonce' additional nonce in the authenticate
>exchange (e.g., man-in-the-middle attacks are defeated entirely).
>
>I think we want to strongly recommend that IPP Clients use (and
>IPP Printers expect to see used) the 'cnonce' option for better
>authentication, in the IIG.
>
>Comments?
>
>Cheers,
>- Ira McDonald, consulting architect at Sharp and Xerox
>  High North Inc
>
>-----Original Message-----
>From: Carl Kugler [mailto:kugler at us.ibm.com]
>Sent: Wednesday, March 14, 2001 4:07 PM
>To: Hastings, Tom N
>Cc: ipp at pwg.org
>Subject: RE: IPP> Minutes of IPP Working Group Meeting [about
>Validate-Job security challenges]
>
>
>
>Tom-
>
>Re:  1. Authorization vs. authentication
>The trouble is, authorization and authentication are not necessarily
>mutually independent.  When authorization is not required, neither is
>authentication.  For example, a Printer may not challenge a
>Get-Printer-Attributes request, if anyone is authorized to
>Get-Printer-Attributes.  But a one-shot client needs to know in advance
>whether or not it will be challenged for a Print-Job request.  One solution
>is to require authentication for every request with a given URI prefix,
>whether or not authorization is required.  This is what I was calling
>URI-based authorization:  the philosophy is that you are authorized to
>access a particular resource, regardless of what operation you want to do
>to that resource.  Maybe I should have said that you are authenticated
>based on the resource you are trying to access, regardless of what
>operation you want to do to that resource.  One problem with that approach
>is that you must be authenticated regardless of whether or not
>authorization is required for the operation you want to perform, which
>could be inefficient or inconvenient.
>
>Re:  2. Does Validate-Job force the Printer to perform the same
>authentication
>and authorization as Print-Job?
>Those words in the spec come close, but there is more to this problem than
>checking that the Printer security requirement can be met.  A one-shot
>client needs to be able to form a valid WWW-Authenticate request header
>BEFORE it sends the Print-Job request body.  So, for Digest, it needs a
>nonce value that it can use in order to form a valid WWW-Authenticate
>header.  Here, again, authorization and authentication may not be separate,
>because (in general) a Printer may generate different nonces for different
>operations.
>
>Re:  3. Question about Digest nonce:
>> If the implementation only allows the nonce value to good for one request
>only, how does the client get another one?
>Well, if certain conditions are met, it could issue another Validate-Job to
>get a fresh nonce and then send a Print-Job request using that nonce.  This
>bait-and-switch approach is a little exceptional from a security point of
>view, but as long as it's explicitly documented I guess it'll work.
>
>It's easy to say the client must be prepared to accept a challenge at any
>time, but this is a problem for those clients that are unable to retry
>Print-Job requests (typically because they generate document data
>on-the-fly and are unable to back up the content generator for a retry).
>Not to mention that it's inefficient to retry complete Print-Job requests.
>This is the motivation for the "Expect:  100-continue" solution.
>
>
>     -Carl
>
>
>
>"Hastings, Tom N" <hastings at cp10.es.xerox.com> on 03/14/2001 01:47:11 PM
>
>To:   Carl Kugler/Boulder/IBM at IBMUS
>cc:   ipp at pwg.org
>Subject:  RE: IPP> Minutes of IPP Working Group Meeting [about Validate-Job
>       security challenges]
>
>
>
>Carl,
>
>Good discussion.  Several comments:
>
>1. Authorization vs. authentication
>
>We need to keep authorization and authentication clearly separate.  You
>used
>the former term below, when I think you meant the latter, correct?
>
>As I understand it, authentication is the Printer determining that you are
>who you say you are and authorization is the Printer determining whether or
>not to allow you to do what you want to do to the specified object
>according
>to the Printer's configured policy for you, that operation, and that
>object.
>For example, the Printer authenticates you as being the real Carl Kugler,
>while authorization checks whether the Cancel-Job operation that the real
>Carl Kugler issued for job 100 can be done to job 100, i.e., (a) does the
>real Carl Kugler have operator privileges on this Printer or (b) did the
>real Carl Kugler submit job 100.
>
>If you cannot be authenticated, i.e., the Printer has never heard of the
>real Carl Kugler, or you gave a wrong password, the Printer rejects the
>request with not-authenticated.  [Probably at the HTTP layer, with an HTTP
>'client-error-not-authenticated' status code, not the IPP layer with the
>IPP
>'client-error-not-authenticated", correct?]
>
>If you were authenticated as the real Carl Kugler, if either answers to
>questions (a) or (b) are yes, the Printer (at the IPP layer) accepts the
>request, otherwise, the Printer rejects the request with the IPP
>'client-error-not-authorized' status code.
>
>
>2. Does Validate-Job force the Printer to perform the same authentication
>and authorization as Print-Job?
>
>That was certainly the IPP WG intent.  We made it a REQUIRED operation.
>[With hind-sight, we should have made Create-Job REQUIRED (whether or not
>the Printer supported multi-document jobs).  Then we wouldn't have needed
>Validate-Job.]  And we wrote the semantics for Validate-Job as:
>
>3.2.3     Validate-Job Operation
>
>This REQUIRED operation is similar to the Print-Job operation (section
>3.2.1) except that a client supplies no document data and the Printer
>allocates no resources (i.e., it does not create a new Job object).  This
>operation is used only to verify capabilities of a printer object against
>whatever attributes are supplied by the client in the Validate-Job request.
>By using the Validate-Job operation a client can validate that an identical
>Print-Job operation (with the document data) would be accepted. The
>Validate-Job operation also performs the same security negotiation as the
>Print-Job operation (see section 8), so that a client can check that the
>client and Printer object security requirements can be met before
>performing
>a Print-Job operation.
>
>About the only thing we didn't say was:  The Printer MUST perform the same
>authentication and authorization as for a Print-Job operation.
>
>
>3. Question about Digest nonce:  If the implementation only allows the
>nonce
>value to good for one request only, how does the client get another one?
>Is
>this the case where the Printer would issue a challenge on every request in
>order to generate a new nonce?  If so, this is the case that REQUIRES the
>client to be prepared to accept a challenge any time, correct?
>
>Tom
>
>-----Original Message-----
>From: Carl Kugler [mailto:kugler at us.ibm.com]
>Sent: Wednesday, March 14, 2001 09:32
>To: ipp at pwg.org
>Subject: IPP> Minutes of IPP Working Group Meeting
>
>
>> Bill Wagner noted that this issue revolves around the interpretation of
>allowable HTTP behavior?and
>> perhaps should be out of scope for the IPP WG. Since the group has
>already resolved that sending a
>> zero-length POST is invalid, he believes that the interoperability issue
>should be closed.
>
>I don't believe that we ever reached a consensus on whether authorization
>is always on the basis of URI.  If we allow authorization on the basis of
>IPP operations, then you can't limit this issue to the HTTP layer.
>Remember that a request can be rejected at either the HTTP OR IPP layers.
>For example a request might be rejected with HTTP 401 (Unauthorized) OR IPP
>client-error-not-authenticated (0x0402).
>
>>  It was noted that a Validate Job command will successfully generate a
>challenge?regardless of how the HTTP security might be implemented.
>
>I doubt that this statement is always true, unless some other conditions
>are in place.  For printers that authorize on the basis of the request URI,
>this is true if the request URI refers to a protected resource.  For
>printers that authorize on the basis of the IPP operation (or operation AND
>URI), this won't work unless the spec guarantees that Validate-Job MUST be
>authorized identically to Print-Job.  Without such a requirement in the
>spec, it's not obvious to me that Validate-Job would be authorzed
>identically to Print-Job, since Validate-Job, unlike Print-Job, consumes
>virtually no resources.  Also, for Digest, since the "nonce" value in the
>challenge may be good for only one request, the spec would have to
>guarantee that the response to a Validate-Job challenge will authorize a
>Print-Job request.
>
>     -Carl
>
>
>
>




More information about the Ipp mailing list