Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
Hubert Kario <hkario@redhat.com> Thu, 26 April 2018 11:46 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: curdle@ietfa.amsl.com
Delivered-To: curdle@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D129B1275FD for <curdle@ietfa.amsl.com>; Thu, 26 Apr 2018 04:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hyxYNzWpX4Tj for <curdle@ietfa.amsl.com>; Thu, 26 Apr 2018 04:46:31 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C79A31270FC for <curdle@ietf.org>; Thu, 26 Apr 2018 04:46:31 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0A79640201A4; Thu, 26 Apr 2018 11:46:31 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-19.brq.redhat.com [10.40.200.19]) by smtp.corp.redhat.com (Postfix) with ESMTP id 05C4A10EE964; Thu, 26 Apr 2018 11:46:29 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Simo Sorce <ssorce@redhat.com>, curdle <curdle@ietf.org>
Date: Thu, 26 Apr 2018 13:46:24 +0200
Message-ID: <1822880.CWREsZFPS8@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBPeNGVy51uz78dk2REYKG8yugFvB3XdZ5PBLLFnrALTRA@mail.gmail.com>
References: <CABcZeBNCUSpGihHz6bPBSALS4-34Tm7W36BCZ_Ev8OQz3KtVag@mail.gmail.com> <3446969.zDdGGYQIsg@pintsize.usersys.redhat.com> <CABcZeBPeNGVy51uz78dk2REYKG8yugFvB3XdZ5PBLLFnrALTRA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart13994016.ibiGuppVKr"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 26 Apr 2018 11:46:31 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Thu, 26 Apr 2018 11:46:31 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/curdle/2JUXie5r5J15Qr4RWvDtnxBFrIM>
Subject: Re: [Curdle] AD Review of draft-ietf-curdle-gss-keyex-sha2-05
X-BeenThere: curdle@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of potential new security area wg." <curdle.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/curdle>, <mailto:curdle-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/curdle/>
List-Post: <mailto:curdle@ietf.org>
List-Help: <mailto:curdle-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/curdle>, <mailto:curdle-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 11:46:34 -0000
On Wednesday, 25 April 2018 21:55:21 CEST Eric Rescorla wrote: > On Wed, Apr 25, 2018 at 11:53 AM, Hubert Kario <hkario@redhat.com> wrote: > > On Friday, 13 April 2018 15:41:37 CEST Eric Rescorla wrote: > > > On Thu, Apr 12, 2018 at 11:29 AM, Hubert Kario <hkario@redhat.com> > > > > > > > > This section defers to [RFC7546] as the source of information > > > > on > > > > > > GSS- > > > > > > > > > > API context establishment operations, Section 3 being the > > > > > > most > > > > > > relevant. All Security Considerations described in [RFC7546] > > > > > > > > apply > > > > > > > > > > here too. > > > > > > > > > > > The Client: > > > > > This section should be refactored to put all the EC mechanics (which > > > > > are symmetrical) in one place. > > > > > > > > I don't think I understand what changes you'd like to see > > > > > > > > both FFDH and ECDH are symmetrical... both client and server need to > > > > perform > > > > the same operations... > > > > > > Yes, That's why it's confusing to describe their operations in order > > > > rather > > > > > than > > > the behavior that a DH peer does and then just the points where they are > > > inserted in the protocol. Compare, for instance, the TLS 1.3 > > > > specification, > > > > > where both KeyShare (https://tools.ietf.org/html/d > > > raft-ietf-tls-tls13-28#page-53) and > > > the DH computations (https://tools.ietf.org/html/d > > > raft-ietf-tls-tls13-28#section-7.4) are > > > described in an endpoint agnostic manner. DH is inherently symmetrical. > > > > the actions performed in context of GSSAPI-infused key exchange aren't > > Neither are they in TLS, but we managed to put the DH part in one place. That's not true: https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-7.4 https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.2.8.1 https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.2.8.2 > > > > > > 7. C verifies that the key Q_S is valid the same way it is > > > > done > > > > > > in > > > > > > > > > > step 3. If the key is not valid the key exchange MUST fail. > > > > > > > > > > > > 8. C computes the shared secret K and H and verifies that it > > > > is > > > > > > > > valid the same way it is done in step 5. It then calls > > > > > > > > > > This check only applies to CFRG curves. > > > > > > > > no, for CFRG curves the invalid value is a point at infinity, for > > > > X25519 > > > > > > invalid value is an all-zero string > > > > > > > > so the check if the shared secret is valid must be performed > > > > irrespective > > > > > > of > > > > curve used > > > > > > Hmm... TLS 1.3 does not specify that one must validate the output of the > > > > DH > > > > > computation. So, the IETF should be consistent on this point. If you > > > > think > > > > > that > > > TLS 1.3 is wrong, please explain why. > > > > > > Second, the specific check you are requiring for the CFRG curves is the > > > one applicable if you do the recommended DH computations. Here's the > > > relevant text for TLS 13. > > > > > > For X25519 and X448, implementations SHOULD use the approach > > > specified in [RFC7748 <https://tools.ietf.org/html/rfc7748>] to > > > > > > calculate the Diffie-Hellman shared secret. > > > > > > Implementations MUST check whether the computed Diffie-Hellman shared > > > secret is the all-zero value and abort if so, as described in > > > Section 6 of [RFC7748] > > > > > > <https://tools.ietf.org/html/rfc7748#section-6>. If implementors use > > > an alternative > > > > > > implementation of these elliptic curves, they SHOULD perform the > > > additional checks specified in Section 7 of [RFC7748] > > > > > > <https://tools.ietf.org/html/rfc7748#section-7>. > > > > Section 4.2.8.1: > > Peers MUST validate each other's public key Y by ensuring that 1 < Y > > < p-1. This check ensures that the remote peer is properly behaved > > and isn't forcing the local system into a small subgroup. > > > > and section 4.2.8.2 of draft-28: > > For the curves secp256r1, secp384r1 and secp521r1, peers MUST > > validate each other's public value Q by ensuring that the point is a > > valid point on the elliptic curve. The appropriate validation > > procedures are defined in Section 4.3.7 of [X962] and alternatively > > in Section 5.6.2.3 of [KEYAGREEMENT]. This process consists of three > > steps: (1) verify that Q is not the point at infinity (O), (2) verify > > that for Q = (x, y) both integers x and y are in the correct > > interval, (3) ensure that (x, y) is a correct solution to the > > elliptic curve equation. For these curves, implementers do not need > > to verify membership in the correct subgroup. > > > > seem to me to be more relevant and quite detailed. > > > > > > > > RFC 7748 says that the verification is optional, I don't see why making it > > mandatory is incorrect for SSH. For nist curves, the verification is about > > public key, not shared secret, it's just performed in the same step. > > I think we're talking past each other. The TLS spec requires that: > > - You do public key validation for FFDHE and NIST curves > - You do output validation for CFRG curves. > > Unless I am misreading your text, you are requiring that you also do output > validation for the NIST curves. Is that correct? If so, can you provide a > source for why? http://www.secg.org/sec1-v2.pdf Section 3.3.1. step 2 of the "Calculate a shared secret value as follows" algorithm. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- [Curdle] AD Review of draft-ietf-curdle-gss-keyex… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Russ Housley
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Benjamin Kaduk
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… denis bider
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Mark D. Baushke
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Daniel Migault
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Salz, Rich
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Hubert Kario
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Eric Rescorla
- Re: [Curdle] AD Review of draft-ietf-curdle-gss-k… Simo Sorce