Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
Eric Rescorla <ekr@rtfm.com> Wed, 25 April 2018 19:56 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90566129C6D for <curdle@ietfa.amsl.com>; Wed, 25 Apr 2018 12:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KK9hrvb5M9Sm for <curdle@ietfa.amsl.com>; Wed, 25 Apr 2018 12:56:08 -0700 (PDT)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6655312702E for <curdle@ietf.org>; Wed, 25 Apr 2018 12:56:02 -0700 (PDT)
Received: by mail-ot0-x243.google.com with SMTP id h8-v6so23021904otb.2 for <curdle@ietf.org>; Wed, 25 Apr 2018 12:56:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4KQvz1gifTSRQKGsYMrmrmJDq0vwv1Voq2JvlQ26x8M=; b=hQvclm2q2MDnFzUiXrh5pXHTpCAHpdRZ3eixn7nZ7EzteosJTRFEIIPN1kuEVkrqe4 q9pdqCe7SiDgvflGROiWAx96M+SwYiJPAnFeU+oHgiB54Q+Jnh7jZMEXmqKkGm8xEtt+ eE01GZiwAks/CJ7q01GZsWG/SFoEPGQQIzToX19saa+jOCGQJF9Tw879p86c1FiteYcg SinD7zZQFEnZF0P3FakgsMI2aGFOuX7O32i8uqWFv1R1/O5PsosHZBkKRazdKpZZQUII NcPi614Fhe4C/FPfnZ57jStL0+YPmPdNTvlPMTGCnocIMPXVCa7p0lKxqJ4oBk5tLsSJ PL/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4KQvz1gifTSRQKGsYMrmrmJDq0vwv1Voq2JvlQ26x8M=; b=YlKeYTVXfmRNHlzd4UC2Hwq9tGZdY4AedqujqNQTjCvJhiXT3t9KWYxsVwryd9+3qE RasHi5OVIlPonZWON6Ip/bE+RI0tUKXIixYGHb/So8bxiqPbjseXoVAnegTQc+T8rWox 0kqs5VdMzMBC3GeWurJsFRGpitdRmSrVgh4YdsHZnBjYAZ/HsBxVwh63SCIEVufZuFh0 spNHgVdv0xOgFFlM2c3UQXBdG0WALLRs1DtryQORrIl2l63Sfor/3erQGaepagrqdBEW /oC2DgTY1NFE6ENw3X4WX++tKgtPE15bcJVpzgSsRdzTZee0acnFxn4WrDhoaMHFTn1h PmsA==
X-Gm-Message-State: ALQs6tDbg1MvBxA0TStZVOIOw84AQFphuVyIARwgLsF1/UxqsLFyO1KY lsEJSWBKgSbdJYnx/WmZYDcjMg0BsYxn+fH6Y/zuWA==
X-Google-Smtp-Source: AB8JxZqzucwDSepEDu4vpmciv7sR5Q9hW2S4KTiT35ipTAcGCeRBCoeLD0gn0+Q21R7/Z2Coz1htmyrl8BZgcVHJrI4=
X-Received: by 2002:a9d:4a4a:: with SMTP id d10-v6mr13959693otj.176.1524686161723; Wed, 25 Apr 2018 12:56:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Wed, 25 Apr 2018 12:55:21 -0700 (PDT)
In-Reply-To: <3446969.zDdGGYQIsg@pintsize.usersys.redhat.com>
References: <CABcZeBNCUSpGihHz6bPBSALS4-34Tm7W36BCZ_Ev8OQz3KtVag@mail.gmail.com> <1555475.KUsr8aTfev@pintsize.usersys.redhat.com> <CABcZeBP5LRFuH37166YMiXKce-GgJhnji_msYMrac=eQ531AMQ@mail.gmail.com> <3446969.zDdGGYQIsg@pintsize.usersys.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 25 Apr 2018 12:55:21 -0700
Message-ID: <CABcZeBPeNGVy51uz78dk2REYKG8yugFvB3XdZ5PBLLFnrALTRA@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: Simo Sorce <ssorce@redhat.com>, curdle <curdle@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000105806056ab1a944"
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/19Z1mhU8n3Hrc0LD1w-YWDKQTCc>
Subject: Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2018 19:56:12 -0000
On Wed, Apr 25, 2018 at 11:53 AM, Hubert Kario <hkario@redhat.com> wrote: > On Friday, 13 April 2018 15:41:37 CEST Eric Rescorla wrote: > > On Thu, Apr 12, 2018 at 11:29 AM, Hubert Kario <hkario@redhat.com> > wrote: > > > Sorry for the delay in replying was swamped with other work, I should > have > > > no > > > problem replying quickly now. > > > > > > On Saturday, 7 April 2018 01:24:27 CEST Eric Rescorla wrote: > > > > Rich version of this review at: > > > > https://mozphab-ietf.devsvcdev.mozaws.net/D4544 > > > > > > > > This document has a huge amount of duplicated material which makes it > > > > very hard to read. Please refactor so that the common material is in > > > > one place. > > > > > > > > > > > > > > > > > > > > COMMENTS > > > > > Each of these methods specifies GSS-API-authenticated > > > > > > Diffie-Hellman > > > > > > > > key exchange as described in Section 2.1 of [RFC4462] with > > > > > > SHA-512 > > > > > > > > as HASH, and the group defined in Section 7 of [RFC3526] The > > > > > > method > > > > > > > > name for each method is the concatenation of the string "gss- > > > > > group18-sha512-" with the Base64 encoding of the MD5 hash of > the > > > > > ASN.1 DER encoding of the underlying GSS-API mechanism's OID. > > > > > > > > These all seem to be boilerplate. is there a way to refactor into a > > > > single paragraph with a table that describes the substitutions? > > > > > > while valid point, it follows the style established in RFC 4462 > > > > > > for a programmer familiar with the old gss KEX methods and general IETF > > > terminology, the names of the new algorithms alone are sufficient to > > > implement > > > them > > > > > > for a programmer just learning it, it's sufficiently detailed to > hand-hold > > > the > > > implementation process (and resolve disputes in case of minor > differences) > > > > Well, I'm a pretty experienced programmer, and I find it pretty hard to > > follow. > > It's exactly this kind of boilerplate that leads to confusion. > > done > > > > > > This section defers to [RFC7546] as the source of information > on > > > > > > GSS- > > > > > > > > API context establishment operations, Section 3 being the most > > > > > relevant. All Security Considerations described in [RFC7546] > > > > > > apply > > > > > > > > here too. > > > > > > > > > The Client: > > > > This section should be refactored to put all the EC mechanics (which > > > > are symmetrical) in one place. > > > > > > I don't think I understand what changes you'd like to see > > > > > > both FFDH and ECDH are symmetrical... both client and server need to > > > perform > > > the same operations... > > > > Yes, That's why it's confusing to describe their operations in order > rather > > than > > the behavior that a DH peer does and then just the points where they are > > inserted in the protocol. Compare, for instance, the TLS 1.3 > specification, > > where both KeyShare (https://tools.ietf.org/html/d > > raft-ietf-tls-tls13-28#page-53) and > > the DH computations (https://tools.ietf.org/html/d > > raft-ietf-tls-tls13-28#section-7.4) are > > described in an endpoint agnostic manner. DH is inherently symmetrical. > > the actions performed in context of GSSAPI-infused key exchange aren't > Neither are they in TLS, but we managed to put the DH part in one place. > I think you're misunderstanding me. My point is that there are already > > documents > > which describe how to generate the private and public keys for EC. You > > should > > be referring to them, not recapitulating their contents here. > > proposed in https://github.com/simo5/ietf/pull/24 I will review this. > > Well, in TLS 1.3 this was an unfortunate concession to backward > > compatibility > > with a very widely deployed installed base. I'm trying to determine if > > that's true > > here. As for negotiation, this can be fixed by creating a new code point. > > or can be fixed by mandating the most-widely supported format, and if > somebody > is interested in supporting compressed, he or she can propose that > extension > Yes, but then you have both. > > > > > by 31 zero octets for curve255519 and as an octect of > value > > > > > 0x05 followed by 55 zero octets. > > > > > > > > > > Calculating Q_C as the result of the call to X25519 or > X448 > > > > > function, respectively for curve25519 and curve448 key > > > > > exchange, with parameters d_C and g. > > > > > > > > This material all seems to be in RFC 7748 S 6.1 and 6.2. > > > > > > we do need local nomenclature for the inputs and outputs though > > > > > > also, having all the necessary checks in a single document allows for > > > easier > > > code review and verification if they are performed. > > > > It's also an opportunity for new mistakes to be made as these documents > are > > less thoroughly reviewed than RFC 7748, as well as having two normative > > specifications for ostensible the same algorithm, which we try not to do. > > Please > > defer the algorithms to the original sources. > > https://github.com/simo5/ietf/pull/24 > > > Why is this text here? It describes the client's behavior. > > > > > > both client and server need to perform that operation > > > > Yes, that's why it's very confusing to have it in the middle of the > > server's operations. > > the client part is referencing the server part > Yes, that's why I said you should put all the DH operations in one place. > > > > > > > > 7. C verifies that the key Q_S is valid the same way it is > done > > > > > > in > > > > > > > > step 3. If the key is not valid the key exchange MUST fail. > > > > > > > > > > 8. C computes the shared secret K and H and verifies that it > is > > > > > valid the same way it is done in step 5. It then calls > > > > > > > > This check only applies to CFRG curves. > > > > > > no, for CFRG curves the invalid value is a point at infinity, for > X25519 > > > invalid value is an all-zero string > > > > > > so the check if the shared secret is valid must be performed > irrespective > > > of > > > curve used > > > > Hmm... TLS 1.3 does not specify that one must validate the output of the > DH > > computation. So, the IETF should be consistent on this point. If you > think > > that > > TLS 1.3 is wrong, please explain why. > > > > Second, the specific check you are requiring for the CFRG curves is the > > one applicable if you do the recommended DH computations. Here's the > > relevant text for TLS 13. > > > > For X25519 and X448, implementations SHOULD use the approach > > specified in [RFC7748 <https://tools.ietf.org/html/rfc7748>] to > > calculate the Diffie-Hellman shared secret. > > Implementations MUST check whether the computed Diffie-Hellman shared > > secret is the all-zero value and abort if so, as described in > > Section 6 of [RFC7748] > > <https://tools.ietf.org/html/rfc7748#section-6>. If implementors use > > an alternative > > implementation of these elliptic curves, they SHOULD perform the > > additional checks specified in Section 7 of [RFC7748] > > <https://tools.ietf.org/html/rfc7748#section-7>. > > Section 4.2.8.1: > > Peers MUST validate each other's public key Y by ensuring that 1 < Y > < p-1. This check ensures that the remote peer is properly behaved > and isn't forcing the local system into a small subgroup. > > and section 4.2.8.2 of draft-28: > > For the curves secp256r1, secp384r1 and secp521r1, peers MUST > validate each other's public value Q by ensuring that the point is a > valid point on the elliptic curve. The appropriate validation > procedures are defined in Section 4.3.7 of [X962] and alternatively > in Section 5.6.2.3 of [KEYAGREEMENT]. This process consists of three > steps: (1) verify that Q is not the point at infinity (O), (2) verify > that for Q = (x, y) both integers x and y are in the correct > interval, (3) ensure that (x, y) is a correct solution to the > elliptic curve equation. For these curves, implementers do not need > to verify membership in the correct subgroup. > > seem to me to be more relevant and quite detailed. > > RFC 7748 says that the verification is optional, I don't see why making it > mandatory is incorrect for SSH. For nist curves, the verification is about > public key, not shared secret, it's just performed in the same step. > I think we're talking past each other. The TLS spec requires that: - You do public key validation for FFDHE and NIST curves - You do output validation for CFRG curves. Unless I am misreading your text, you are requiring that you also do output validation for the NIST curves. Is that correct? If so, can you provide a source for why? -Ekr
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- [Curdle] AD Review of draft-ietf-curdle-gss-keyex… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Russ Housley
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Benjamin Kaduk
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark D. Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Daniel Migault
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce