Re: [kitten] Murray Kucherawy's No Objection on draft-ietf-kitten-krb-spake-preauth-11: (with COMMENT)

Nico Williams <nico@cryptonector.com> Thu, 18 January 2024 20:37 UTC

Date: Thu, 18 Jan 2024 14:36:52 -0600
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-kitten-krb-spake-preauth@ietf.org, kitten-chairs@ietf.org, kitten@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/0bnOZXmskPoEprk_58gshTPOezM>

On Thu, Jan 18, 2024 at 01:15:08PM -0500, Greg Hudson wrote:
> > It would be nice to see clearer recommendations on achieving forward secrecy,
> > and on rotating the cookie.
> 
> SPAKE pre-authentication provides forward secrecy against post-compromise of
> the principal long-term key (typically a user password), but does not help
> against post-compromise of the KDC's own krbtgt keys.  I don't really
> anticipate KDC implementations trying to achieve forward secrecy against the
> latter threat.  Accordingly, I will remove the sentence talking about
> rotating the cookie encryption key.

This I-D is specifically targeted at using the existing password-
equivalent symmetric keys in the new pre-authentication mechanism.

Nothing in this I-D precludes the subsequent addition of a pre-
authentication mechanism that uses an augmented PAKE such that KDC
compromise does not immediately compromise user passwords.  Stolen
augmented PAKE password verifiers would then be subject to offline
dictionary attack, but sites would have time to make users change their
passwords.

Recovery from KDC compromise would further require changing all
services' long-term symmetric keys, and also would require changing the
realm's public keys for PKINIT.  It would be very useful if services'
long-term keys were all key agreement shared keys, with the realm's KDC
database storing both the shared keys and the services' public keys.
With such a service long-term symmetric key establishment scheme, site
operators could change and publish the realm's key agreement public keys
and then all shared symmetric keys could get recomputed quickly
site-wide.  However, such an extension is fully out of scope for this
I-D.  Further, I'm not sure that any implementor has the energy to
improve Kerberos in this way at this time.

Nico
--
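
The recovery idea in the message above (service long-term keys as key agreement shared keys, recomputed site-wide when the realm publishes a new key agreement public key), as an added sketch that is not part of the message, the I-D, or any Kerberos implementation. The choice of X25519, the HMAC-SHA256 derivation, and every function and principal name here are assumptions made for illustration.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Teaching code: not constant-time."""
    n = int.from_bytes(k, "little") & ((1 << 255) - 8) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    """Return (private, public) for the realm or for one service."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def service_key(own_priv, peer_pub, realm, principal):
    """Long-term symmetric key; KDC and service each derive it independently."""
    shared = x25519(own_priv, peer_pub)
    if shared == bytes(32):  # small-order public key gives an all-zero secret
        raise ValueError("degenerate shared secret")
    # HMAC-SHA256 as the KDF is an assumption of this sketch; the label binds
    # the key to one realm and one principal.
    return hmac.new(shared, f"{realm}|{principal}".encode(), hashlib.sha256).digest()

def rekey_realm(realm, service_pubs):
    """KDC side after a compromise: generate a fresh realm key pair and
    recompute every service key from the service public keys already stored
    in the KDC database. realm_priv would stay in that database; realm_pub is
    what the site publishes so each service can recompute its own key."""
    realm_priv, realm_pub = keypair()
    db = {name: service_key(realm_priv, pub, realm, name)
          for name, pub in service_pubs.items()}
    return realm_pub, db
```

A service holding its own private key calls `service_key(priv, realm_pub, realm, principal)` with the newly published `realm_pub` and arrives at the same key the KDC stored, with no per-service keytab distribution.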