Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerberos Preauth
Nathaniel McCallum <npmccallum@redhat.com> Fri, 13 February 2015 15:30 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B88C01A8701 for <cfrg@ietfa.amsl.com>; Fri, 13 Feb 2015 07:30:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.912
X-Spam-Level:
X-Spam-Status: No, score=-5.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KTg02EX-RfBy for <cfrg@ietfa.amsl.com>; Fri, 13 Feb 2015 07:30:46 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A37C1A0276 for <cfrg@irtf.org>; Fri, 13 Feb 2015 07:30:46 -0800 (PST)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t1DFUi5M012003 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 13 Feb 2015 10:30:44 -0500
Received: from vpn-59-90.rdu2.redhat.com (vpn-59-90.rdu2.redhat.com [10.10.59.90]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t1DFUhe3023243 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO); Fri, 13 Feb 2015 10:30:43 -0500
Message-ID: <1423841441.2447.30.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 13 Feb 2015 10:30:41 -0500
In-Reply-To: <CACsn0ckioB-h9hiEMj2Vw7dMa6fU8dUVU6p9b+wmOt2sGmJeSw@mail.gmail.com>
References: <1422460388.26683.62.camel@redhat.com> <CACsn0ckv09951WZ3d46ScoKVdSEs-GekQG55cSOmH+BSGx5Diw@mail.gmail.com> <1422468737.26683.110.camel@redhat.com> <1423573062.7427.11.camel@redhat.com> <CACsn0cmg8z-3AvW57RiQGs4v0bWsUvWBqD9zMWKB+-hX_Tm0Zw@mail.gmail.com> <1302158230.13244609.1423747504306.JavaMail.zimbra@redhat.com> <CACsn0ckioB-h9hiEMj2Vw7dMa6fU8dUVU6p9b+wmOt2sGmJeSw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/S7DON4a3IQbNpvxStlDBSL01aBY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerberos Preauth
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 15:30:49 -0000
On Thu, 2015-02-12 at 07:44 -0800, Watson Ladd wrote: > On Thu, Feb 12, 2015 at 5:25 AM, Nathaniel McCallum < > npmccallum@redhat.com> wrote: > > > > > > ----- Original Message ----- > > > On Tue, Feb 10, 2015 at 4:57 AM, Nathaniel McCallum < > > > npmccallum@redhat.com> wrote: > > > > On Wed, 2015-01-28 at 13:12 -0500, Nathaniel McCallum wrote: > > > > > On Wed, 2015-01-28 at 08:06 -0800, Watson Ladd wrote: > > > > > > On Wed, Jan 28, 2015 at 7:53 AM, Nathaniel McCallum < > > > > > > npmccallum@redhat.com> wrote: > > > > > > > I've only just now joined the mailing list, so I'm a bit > > > > > > > late to the party (though I see my name has been brought > > > > > > > up in the > > > > > > > previous discussions). > > > > > > > > > > > > > > I am currently implementing a PAKE preauthentication > > > > > > > mechanism for Kerberos. > > > > > > > https://github.com/npmccallum/krb5-pake > > > > > > > > > > > > > > One of the PAKEs we have chosen to use is SPAKE2. The > > > > > > > aforementioned program that I am using to generate M and > > > > > > > N > > > > > > > constants is here: > > > > > > > https://github.com/npmccallum/krb5-pake/blob/master/src/pake/spake_constants.c > > > > > > > > > > > > > > This program uses two seed strings: > > > > > > > "OID point generation seed (M)" > > > > > > > "OID point generation seed (N)" > > > > > > > > > > > > > > OID is replaced by the OID of the curve. Since some > > > > > > > curves have multiple aliases, the use of OIDs removes > > > > > > > any ambiguity to the seed. > > > > > > > > > > > > > > The method use to generate the constants is fairly > > > > > > > similar to > > > > > > > that used by Chromium, but differs in several ways: > > > > > > > http://src.chromium.org/viewvc/chrome/trunk/src/crypto/p224_spake.cc > > > > > > > > > > > > > > First, we calculate the length of the encoded value of a > > > > > > > single point on the curve. I'll call this $CURVE_SIZE. > > > > > > > > > > > > > > Second, we determine which is the smallest hash function > > > > > > > (of SHA- 1, SHA-2-*) which outputs at least $CURVE_SIZE > > > > > > > bytes. So, for > > > > > > > instance, given P256, SHA-2-256 will be used. If no hash > > > > > > > function is larger than $CURVE_SIZE, we use the largest > > > > > > > hash. > > > > > > > For example, P521 uses SHA-2-512. > > > > > > > > > > > > > > Third, we generate the seeds by filling in the OID value. > > > > > > > > > > > > > > Fourth, we begin a recursive process whereby we hash the > > > > > > > seed > > > > > > > (or the previous hash of the seed) until the output of > > > > > > > the hash yields an X coordinate on the curve. The Y > > > > > > > coordinate (+/-) is chosen using the right-most bit of > > > > > > > the hash. > > > > > > > > > > > > I don't think this is what your C code is doing, or if it > > > > > > is, I can't figure it out because of the way it uses > > > > > > OpenSSL internals. I may try coding that up in SAGE and > > > > > > seeing if it agrees in the output. (In particular I think > > > > > > the first byte of the digest might get mangled to have the > > > > > > decode function work). > > > > > > > > > > What internals? > > > > > > > > > > EC_GROUP *g = EC_GROUP_new_by_curve_name(NID_secp521r1); > > > > > EC_POINT *p = EC_POINT_new(); > > > > > BIGNUM *x = BN_new(hash(seed)); > > > > > int y = seed[-1] & 0x1; // Last bit > > > > > EC_POINT_set_compressed_coordinates_GFp(g, p, x, y); > > > > > > > > > > That seems straightforward to me. > > > > > > > > Attached is a (slightly different) method implemented in Java > > > > using Bouncy Castle. It depends on no system internals and > > > > only one hash. It should be sufficiently simple to grok. A > > > > description is given in a comment in the top of the file. This > > > > method is easily repeatable on every crypto-system I have > > > > tried (including both OpenSSL and libnss). > > > > > > I read that file and description of the method. It depends on > > > details of SEC1 encoding, as it mungs the hash function value in > > > strange ways. Stretching the hash function is ad hoc. > > > > I'm not thrilled about the stretching of the hash function. > > However, without it we have a significant distribution problem. > > SHA512 into a curve >511bits has insufficient range. > > > > An arbitrary sized Keccak may be a good fit here. It is > > implemented in Bouncy Castle, but only for the SHA3 sizes. Neither > > OpenSSL nor libnss support it yet. > > > > > It's not as easy to describe as "generate a random x coordinate > > > taking bytes from HKDF seeded with this particular string, then > > > see if it is on the curve, and if so take the smaller y value". > > > I'll implement that this weekend. > > > > Except that this is (almost) precisely what the SEC1 encoding hack > > does. It takes the x coordinate from bytes from the hash. Your > > proposal (to take the smaller hash value) reduces distribution by > > one bit. My methodology has an advantage of range here. > > > > The other problem is that standard libraries don't appear to > > expose similar methods for the type of mechanism you are > > proposing. This is precisely why I implemented the SEC1 hack: it > > can be easily implemented by all libraries. > > > > The SEC1 hack isn't dirty because both the point encoding and the > > hash are octet strings. The only difference is that the SEC1 > > encoding has some magic bits. We just toggle those. This proposal > > isn't crazy. > > I think how we generate the points doesn't matter, so I'll follow > your suggestion. Is this the list of generated points you sent me > earlier? > > Note that complaints about range etc. don't really matter. For > instance, over primes, we just take 2 and 3. No, it is not the same list. I don't really care about the method that is used (mine or another). I just want it to be: 1. secure 2. easy to implement on all major crypto libraries 3. establishing an unambiguous method for future curves > > > I've decided to modify the key generation procedure to make it > > > integrate better into higher-level protocols, > > > > What in the world does this mean? I'm an experienced protocol > > implementer and I seriously have no idea what you're talking about > > here. If you have a proposal, please state it explicitly so it can > > be properly reviewed. > > This is about a different issue, which you pointed out. In the > current version, K is a shared group element, and the generated K is > a hash of K and the values used to generate it. But in some cases we > can trust the higher level protocol to do that hashing, such as TLS > 1.3. In those cases having to retain the values sent adds complexity. > > I think it will be clearer when I upload the new version what I mean. Sure. But I don't see that having anything to do with how we generate the constants. > > > but will preserve the current method as an option, > > > > There is no need to do this. Let's agree on a method and all use > > it. No backwards compatibility is a requirement at this point. I'm > > happy to update krb5-pake to whatever method we decide on. I just > > want it to happen soon so that we can start the Kerberos PAKE > > Preauth Mechanism draft. > > So you would be happy if I mandated hashing the values used to > generate K into K? I'm not talking about hashing K. I'm talking about generating constants. > > > and try to come up with security > > > considerations information that drives home how critical it is > > > to pick the right one. > > > > The most important consideration is range. All possible x/y values > > need to be possible outputs of the hash value. > > Are you talking about the point generation? Because that isn't > actually a requirement. I'm talking about the M/N constants. > > Another idea I had was to have a "version" qualifier. Basically, > > it is just a counter value used in generating the seed. The > > purpose is that if a constant is successfully attacked, we can > > just increment the counter to the next number and get two new > > seeds. > > If someone can compute a discrete logarithm, you probably shouldn't > use that group. Fair enough. > > > Does this seem good to everyone? > > > > It does sound (mostly) good. I'd also like to see the draft > > include Boneh's (S)PAKE2+ augmented variant. > > Despite much work, I have not been able to find a reference. It does > appear in a draft book. I sent him an email asking for a reference. He has not (yet) responded. Nathaniel
- [Cfrg] Using draft-irtf-cfrg-spake2-00 in Kerbero… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Dan Harkins
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Watson Ladd
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum
- Re: [Cfrg] Using draft-irtf-cfrg-spake2-00 in Ker… Nathaniel McCallum