IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Tue, 07 February 2023 22:38 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A99DAC14F747 for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 14:38:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EC1FGEw4t3-i for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 14:38:05 -0800 (PST)
Received: from dragonfly.birch.relay.mailchannels.net (dragonfly.birch.relay.mailchannels.net [23.83.209.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E5D7C14E514 for <kitten@ietf.org>; Tue, 7 Feb 2023 14:38:04 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 97EBB3E2220; Tue, 7 Feb 2023 22:38:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 1ED9F3E21B2; Tue, 7 Feb 2023 22:38:03 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1675809483; a=rsa-sha256; cv=none; b=9aZyqqkxfhUNOeyiyBTA/8L+Nt+vOCznGWWWM1jKP0CGbwCqtejzOFyJ34nXg4KnssZgK9 /jTkRW3oZln4nOE9f1U2l/6Xf3YgCNkg0r2BeEVwoVuikXbfGEb83AFD/mrOf5TAWgagDx OruoHeK/tT+0Pk98KRqZhzP5pC6cADJ1GyWopJ+eFzSqhHMX6KaYkHCbTes5zzCY3EsrN0 7WgisyCml4SH3fGvrB8QU99M8PCW1CvM1O7n29BQNTUhMP1EaCl+DxfQvCt5TOuy7MSA3V z7oFzhM+7WFyVaD6hfh8sFCdGeFMfEnbxo53Ktn61f9obuSilBqkJkj8zY2ltw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1675809483; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=LJ53nZsCCuCXo20q0qJzMZC5MTwkCrOMciOxJCVKx9w=; b=fn2vFUBHKv530Jn6A32QivGneoIJRDdn0KP1RJQh5QAVM0CWpI8Oa/8NcQ3LvX5Cgq+oBR FWdA3EkgsFq8DymW2cEfDVI32cXUKS5fpqdNtW5o4KYzADNrg9VLBSuNwG5LWrsHzrqxhq oNDVY/B9T2KhB42lNDpXhmqrZMBhWXwH4naM/JkEX9X1Ga3EjHAS7thFzn7enuQfLMw0lK fijz+r5MlMuEOX48BKwh7WfD1fZoTsRfo6/+jCY7kUSNPURHE+uYZ4ZLn37rmzSSqzIyIW O7ApqKkYYbXem3ylgU0aizrWtmDvS3Y+vaA7HSa+SWeF8GBkQBPbN3xfutLjzA==
ARC-Authentication-Results: i=1; rspamd-98dc9695d-76p8g; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Irritate-Whispering: 306b5d957b08bcab_1675809483424_1209059948
X-MC-Loop-Signature: 1675809483424:272142130
X-MC-Ingress-Time: 1675809483423
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.123.200.117 (trex/6.7.1); Tue, 07 Feb 2023 22:38:03 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PBJ1Q1gSJz9g; Tue, 7 Feb 2023 14:38:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1675809482; bh=LJ53nZsCCuCXo20q0qJzMZC5MTwkCrOMciOxJCVKx9w=; h=Date:From:To:Cc:Subject:Content-Type; b=J7RaH3lggSNmM8w4giy1VUaAnQO32kvdy5jJspuBQADnc8gmZLk3QX59u7R2giJOk HgAag82uT23uOKrmAd2PTF9XpzZbTS3nDQcenXN/nNORkJPtxclPZQQw/97IrZPUbA 28dsJywPMXpK4O5UUP8u6YJpPnR59g58/9mo9GAYVjYJiyq3BAtNjUEY0NxK6oHUb4 YqPjswhSWasbwvQ47xJM9pQ8vjjHWeMzNK7rNE6bdAKFwjDEKPcT/5LO1300MsG5bY 0BjOPZpAQZ2rfkzgxY3uZg6Lbmna+ObYGRT2rhf98ltEdg/b6lBSJzbPCblz/CTBc/ c0C6vyABdUbrg==
Date: Tue, 07 Feb 2023 16:37:59 -0600
From: Nico Williams <nico@cryptonector.com>
To: Simo Sorce <simo@redhat.com>
Cc: Rick van Rein <rick@openfortress.nl>, Russ Allbery <eagle@eyrie.org>, kitten@ietf.org
Message-ID: <Y+LSxzIrjkTuaDKk@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com> <20230128215854.629841D6333@pb-smtp20.pobox.com> <87a622tdd1.fsf@hope.eyrie.org> <875ycqtcmd.fsf@hope.eyrie.org> <20230207104841.GE30583@openfortress.nl> <01a7f7acc91b3ac1a865c006f4d883ab38d07178.camel@redhat.com> <Y+K/q3JmJ3/Ry33a@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Y+K/q3JmJ3/Ry33a@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3jPzWZR_hxXFG0iyga_eKcW-k_k>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 22:38:09 -0000

On Tue, Feb 07, 2023 at 03:16:27PM -0600, Nico Williams wrote:
> > This requires, in some cases, that the crypto state is fully
> > exportable.
> 
> It is almost invariably the case that the context is software-only.
> Even when it's not, it still can be as explained below.
> 
> > Although possible, in many cases this is simply not available,
> > especially when hardware tokens (HSMs, SmartCards, TPMs) are used to
> > deal with the cryptography.
> 
> Most HW token resident keys will be asymmetric keys that a mechanism
> will use just once per-context.  Even on a clustered server it is
> possible to have either the same key shared to all the cluster members'
> tokens, or different-but-equivalent keys (e.g., N keys each with
> certificates for the same name(s)).

I'd like to expand on that a bit.

First we might like to have a precise definition of what mechanism
design feature can make it difficult to implement with non-session keys
stored in HW tokens.  Then we could use that to analyze whether we have
any security mechanisms for which there would be an incompatibility
between partially-established security context export and HW tokens.

Here's my first attempt at a precise definition of security mechanism
design points that lead to special considerations regarding HW tokens:

 - for each non-session key used in security context establishment:

    - if any of the following is true, then using the mechanism with
      non-session keys stored in HW tokens will have some complications:

       - condition #0:

          - the client/initiator knows and uses the public keys of the
            server/acceptor a priori

            (mech_dh has this)

       - condition #1:

          - that key is used in the consumption of more than one
            security context token

         and

          - that key is used in the production of more than one security
            context token

         and

          - that key cannot change during the time that a security
            context is being established

       - condition #2:

          - that key is used in the consumption of one security context
            token

         and

          - that _same_ key must be used in the construction of another
            security context token which is not the immediate reply
            token to the first one

For all those conditions it suffices to be able to duplicate the
relevant keys to all the HW tokens of the members of the server cluster,
though other ways exist to handle the problem (see previous post).

The PKI-based GSS/SASL mechanisms I know about:

 - SChannel (i.e., TLS as a GSS-API mechanism)
 - PKU2U
 - the never-really-finished SPKM
 - the never-standardized mech_dh

Of these, TLS 1.3 w/ ESNI meets condition #0 for the ESNI key, but
neither condition #1 nor condition #2.  For ESNI keys there is the
obvious workaround mentioned above.  The ESNI keys are not as important
as the other keys, so I suspect that duplicating ESNI keys to the tokens
of all cluster members is a non-issue.

TLS 1.3 w/o ESNI meets none of the above conditions.

mech_dh has condition #0.  That's sad, but there's the above-described
workaround.

Neither PKU2U nor SPKM meet any of the above conditions.

I don't know of any _other_ GSS or SASL mechanisms that use PKs,
therefore I don't know of any GSS or SASL mechanisms that use PKs in
ways that would be incompatible with the [wrapped] export of security
contexts on account of those keys being in HW tokens.

I believe the TLS 1.3 ESNI condition #0 case is a non-issue.  We can
dismiss mech_dh (it's dead, though it is interesting) or accept the
mentioned workarounds as sufficient.

That leaves mechanisms where a symmetric key is used in context
establishment, mechanisms like:

 - SCRAM, DIGEST
 - Kerberos
 - various PAKEs

I believe none of SCRAM, DIGEST, or Kerberos meet any of the design
conditions I listed above, therefore these mechanisms also have no
special concerns regarding non-session keys stored in HW tokens.

That leaves the PAKEs to consider.  All the client-initiated PAKEs I'm
familiar with (which is not the CFRG PAKEs) do not meet any of the
conditions listed above, therefore there should be no special
considerations for those PAKEs w/ HW tokens except the obvious one: that
the shared secret (the password) -or verifier for it for augmented
PAKEs- has to be duplicated to all the HW tokens for servers that need
to be able to use it.  We should check that this is also true of the
CFRG PAKEs.

Unless I missed something, that fully disposes of the concerns w.r.t.
non-session keys in HW tokens.

GSS-API specifically rejects exporting of partially established security
contexts, and that appears to be motivated by the HW token concerns
we're discussing (and Martin Rex has chimed in in the past about that),
but I think that's just because in the early 90s it wasn't clear that
all mechanisms could and would be built in such a way that these are
non-concerns.

GSS-API _does_ specifically allow exporting of fully-established
security contexts, which implies that no one in the early 90s imagined
wanting to use HW tokens to store _session_ keys.  I think that is still
the case for the reasons I gave in a previous post.

And with that I think we can say that there are really no concerns at
all regarding keys that live on HW tokens.  Except one concern: maybe we
ought to have an RFC saying "don't design security mechanisms that have
any of the conditions [listed above]"!

Nico
--

v2.23.0 | Report a Bug | By Email