Re: [kitten] Fwd: New Version Notification for draft-howard-gss-sanon-00.txt

Nico Williams <nico@cryptonector.com> Mon, 06 April 2020 00:57 UTC

Date: Sun, 05 Apr 2020 19:57:40 -0500
From: Nico Williams <nico@cryptonector.com>
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Cc: Luke Howard <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <20200406005739.GF18021@localhost>
References: <158562149038.11496.7234948048087895644@ietfa.amsl.com> <03F73286-C983-44C6-B10D-7E826AE2C609@padl.com> <87pncnbisr.fsf@latte.josefsson.org>
In-Reply-To: <87pncnbisr.fsf@latte.josefsson.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/-Xm8WupNFZBqkDhrPHbNYITNjZM>
Subject: Re: [kitten] Fwd: New Version Notification for draft-howard-gss-sanon-00.txt
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>

On Sat, Apr 04, 2020 at 01:18:44PM +0200, Simon Josefsson wrote:
> Luke Howard <lukeh=40padl.com@dmarc.ietf.org> writes:
> > Below is a specification for a simple anonymous mechanism based on
> > curve25519 that does not authenticate either initiator or acceptor.
> 
> Interesting!  When would this be useful in SASL?  GS2 requires that the
> mechanism supports mutual authentication, so while I definitely see
> value in having this as a GSS-API mechanism I don't understand when it
> would provide value for a SASL application, and how it would actually
> work in GS2.

Add an option to use previously-agreed peer PKs and you have
authentication.

Add a way to look up a peer's PK by name and you have a modern version of
mech_dh.

For those who don't know or don't remember, mech_dh is a GSS version of
AUTH_DH, and both are premised on using long-term DH keys for key
agreement and authentication, with a directory mapping "netnames"
(principal names) to public keys.  The directory had a files backend
(/etc/publickey) as well as NIS+ and LDAP backends -- today we'd use
DNSSEC as well, naturally.

(For human principals, their mech_dh private keys could be stored in the
directory encrypted in their passwords, which then allows the equivalent
of "kinit" -- this, however, is a very bad idea, as it allows anyone to
mount off-line dictionary attacks.  Instead, a login protocol should be
required to obtain user private keys.)

Mech_dh even has a half round-trip variant, naturally.  It's remarkably
similar to Kerberos while having nothing like a KDC/AS/TGS -- just a
passive directory instead.

This was the original way that DH was intended to be used by its
inventors!

SAnon can trivially be extended to be the new mech_dh: just allow the
use of raw public keys as desired_names for credential acquisition and
for acceptor target_names.  The initial context token has to more than
double in length: so the desired acceptor can be identified and a nonce
be conveyed.  A nonce is important in this construction, as otherwise
we'd have key reuse, though in the Kerberos cryptosystem, that's not so
important given that we use confounders, but still, it would be
essential for GSS_Pseudo_random().

Nico
--
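Added illustration of the point above (not part of Nico's mail, the SAnon draft or mech_dh): two principals with long-term curve25519 keys looked up from a name-to-PK directory agree on a session key, and per-context nonces are what keep that key from repeating across contexts. The "directory", the netnames and the derivation label are constructed for the example; the X25519 ladder is a minimal RFC 7748 transcription so it runs without extra packages.

```python
import hashlib
import secrets

# Minimal X25519 (RFC 7748 Montgomery ladder); not constant-time, for illustration only.
P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    s = bytearray(k); s[0] &= 248; s[31] &= 127; s[31] |= 64   # clamp scalar
    k_int = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)       # mask top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def derive_session_key(my_priv: bytes, peer_pub: bytes, nonce_i: bytes, nonce_a: bytes) -> bytes:
    # Long-term DH output is the same for every context between these two
    # keys; only the nonces make the derived key context-specific.
    shared = x25519(my_priv, peer_pub)
    return hashlib.sha256(b"ltk-example" + shared + nonce_i + nonce_a).digest()

def demo() -> tuple:
    # Constructed long-term keys and a constructed netname -> PK directory.
    init_priv, acc_priv = secrets.token_bytes(32), secrets.token_bytes(32)
    directory = {"alice@example": x25519(init_priv, BASEPOINT),
                 "host@example": x25519(acc_priv, BASEPOINT)}
    ctx1 = (secrets.token_bytes(16), secrets.token_bytes(16))   # fresh per context
    ctx2 = (secrets.token_bytes(16), secrets.token_bytes(16))
    k_init = derive_session_key(init_priv, directory["host@example"], *ctx1)
    k_acc = derive_session_key(acc_priv, directory["alice@example"], *ctx1)
    k_next = derive_session_key(init_priv, directory["host@example"], *ctx2)
    bare1 = derive_session_key(init_priv, directory["host@example"], b"", b"")
    bare2 = derive_session_key(acc_priv, directory["alice@example"], b"", b"")
    # (both sides agree, nonces separate contexts, no nonces -> identical key every time)
    return k_init == k_acc, k_init != k_next, bare1 == bare2
```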