Re: [apps-discuss] APPSDIR review of draft-ietf-krb-wg-des-die-die-die-04
Sean Turner <turners@ieca.com> Wed, 18 April 2012 21:52 UTC
Return-Path: <turners@ieca.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C013F21F8471 for <apps-discuss@ietfa.amsl.com>; Wed, 18 Apr 2012 14:52:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.282
X-Spam-Level:
X-Spam-Status: No, score=-102.282 tagged_above=-999 required=5 tests=[AWL=-0.017, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHwACaTzEQph for <apps-discuss@ietfa.amsl.com>; Wed, 18 Apr 2012 14:52:11 -0700 (PDT)
Received: from gateway04.websitewelcome.com (gateway04.websitewelcome.com [69.93.154.2]) by ietfa.amsl.com (Postfix) with ESMTP id 6682921F846D for <apps-discuss@ietf.org>; Wed, 18 Apr 2012 14:52:09 -0700 (PDT)
Received: by gateway04.websitewelcome.com (Postfix, from userid 5007) id EB8033BEF274E; Wed, 18 Apr 2012 16:51:55 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway04.websitewelcome.com (Postfix) with ESMTP id DDC953BEF2726 for <apps-discuss@ietf.org>; Wed, 18 Apr 2012 16:51:55 -0500 (CDT)
Received: from [71.191.9.245] (port=48617 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <turners@ieca.com>) id 1SKcn5-0003HR-9F; Wed, 18 Apr 2012 16:51:55 -0500
Message-ID: <4F8F377A.4010809@ieca.com>
Date: Wed, 18 Apr 2012 17:51:54 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: Tom Yu <tlyu@MIT.EDU>, Tobias Gondrom <tobias.gondrom@gondrom.org>
References: <4F8E377D.2010601@gondrom.org> <ldvmx68x6ja.fsf@cathode-dark-space.mit.edu>
In-Reply-To: <ldvmx68x6ja.fsf@cathode-dark-space.mit.edu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-71-191-9-245.washdc.east.verizon.net (thunderfish.local) [71.191.9.245]:48617
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 12
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
X-Mailman-Approved-At: Thu, 19 Apr 2012 07:48:55 -0700
Cc: draft-ietf-krb-wg-des-die-die-die.all@tools.ietf.org, iesg@ietf.org, apps-discuss@ietf.org
Subject: Re: [apps-discuss] APPSDIR review of draft-ietf-krb-wg-des-die-die-die-04
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 21:52:12 -0000
On 4/18/12 2:02 PM, Tom Yu wrote: > Tobias Gondrom<tobias.gondrom@gondrom.org> writes: > >> Major Comment: >> Agree that we should/must deprecate the weak cryptographic algorithms >> in Kerberos. >> However IMHO, I do not agree with the reasoning "to not actively >> discourage the use of RC4-HMAC" in section 7. >> I understand that interoperability is of major importance, but at some >> point a very weak algorithm will give users a false sense of security >> while exposing them to malicious attacks. And keeping RC4-HMAC >> supported does also expose the majority of the community (who is not >> using the deprecated Windows Versions) at possible risks to downgrade >> attacks. > > I believe RC4-HMAC (note: _not_ the 56-bit RC4-HMAC-EXP, which we > _are_ deprecating) is stronger than the DES enctypes that we are > deprecating. It has a 128-bit keysize, but might be somewhat weaker > than AES of the same keysize. I know of no reason yet to characterize > RC4-HMAC as "very weak"; it might very well be stronger than > triple-DES, which we are not deprecating at this time. > > Do you believe that RC4-HMAC poses anywhere near the level of risk > that single-DES does? If not, I prefer to handle deprecating RC4-HMAC > separately so that we avoid confusing the issues. > >> I believe even though the support of the complete Internet community >> is vital for standards, the support of deprecated (and AFAIK no longer >> supported OS versions) should not be the deciding argument behind our >> decisions here. Even old OS can be patched or fixed by the vendor or >> other service providers and it should not justify to keep a weak >> algorithm. > > Extended support is still available for some of the Windows operating > systems in question, but I believe Microsoft finds it uneconomical to > implement support for new crypto algorithms in these older versions of > Windows (which could very well still be around until 2015). > > RFC 4757 already mentions known weaknesses of RC4-HMAC, and we refer > to that RFC in the document's Security Considerations. Do you believe > that there should be a stronger warning? I'm *NOT* a cryptographer. While authoring RFC 6150 (https://datatracker.ietf.org/doc/rfc6150/), we had to come up with some text about RC4-HMAC. Here's what we ended up with: o The RC4-HMAC is supported in Microsoft's Windows 2000 and later versions of Windows for backwards compatibility with Windows 2000. As [RFC4757] stated, RC4-HMAC doesn't rely on the collision resistance property of MD4, but uses it to generate a key from a password, which is then used as input to HMAC-MD5. For an attacker to recover the password from RC4-HMAC, the attacker first needs to recover the key that is used with HMAC- MD5. As noted in [RFC6151], key recovery attacks on HMAC-MD5 are not yet practical. *If* you really need some more text, pointing to RFC 6150/6151 might be enough for this particular point. spt