Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Thu, 21 September 2017 02:59 UTC
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <x7d1sn5zyl8.fsf@equal-rites.mit.edu>
Date: Wed, 20 Sep 2017 18:14:31 -0700
Cc: kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A61D313D-EE1A-48AA-A3F0-7600927BF623@oxy.edu>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3wcbkjVOtpXDnRIVQZpNULu3-cg>
Seems like a lesser of evils question. I don’t like backing up at this late stage, so I favor 1,2 over 3,4. No strong preference between 1 and 2, just don’t want to let single-DES drive the future. If we’re sure we’ll never want non-deterministic checksums, then go with 1.

> On Sep 16, 2017, at 10:24 PM, Greg Hudson <ghudson@MIT.EDU> wrote:
>
> RFC 3961 says about the checksum profile get_mic operation: "This
> function is not required to return the same deterministic result for
> each use; it need only generate a token that the verify_mic routine can
> check." In practice, only the oldest checksum types (used with
> single-DES keys) are non-deterministic.
>
> The SPAKE preauth transcript checksum is computed independently by the
> client and KDC using the RFC 3961 checksum operation (iterated several
> times). In hindsight, this design obviously requires a deterministic
> checksum operation, so the pieces don't currently fit. I unfortunately
> only realized this mismatch today when I started doing integration tests
> using DES keys in a prototype implementation.
>
> The potential remedies I can think of fall into these bins:
>
> 1. Don't change the SPAKE design. Instead, update RFC 3961 to specify
> that new checksum types must be deterministic, and specify that SPAKE
> preauth can't be used with single-DES keys. Aside from the
> standards-space cost of pushing our problem down into a lower layer, the
> prohibition against using SPAKE with single-DES keys could make it
> harder for clients to be configured to refuse encrypted timestamp
> preauth on a per-realm basis. That is perhaps not a large cost as
> Kerberos implementations are moving away from single-DES support anyway.
>
> 2. A relatively quick fix: use PRF instead of checksum. (Or PRF+, in
> which case we have to decide how much length of output we want.) I
> think PRF has the requisite properties, but I would want to think on it
> more.
>
> 3. We could use a hash (it doesn't need to be keyed) independent of RFC
> 3961. The hash algorithm could be specified in the group profile,
> perhaps, but I believe the rejected-optimistic-challenge case poses a
> difficulty for that design.
>
> 4. The most open-ended option is to back up and reconsider the purpose
> of the transcript checksum, which is to bind at least the public keys
> into key derivation. The current transcript also binds in group
> negotiation and the initial factor challenge. I can't immediately think
> of an alternative design which doesn't require the KDC to store a lot of
> information in the cookie.
>
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

Personal email. hbhotz@oxy.edu
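The mismatch Greg describes, as an added illustration that is not part of this thread and not code from any Kerberos implementation: a toy non-deterministic get_mic (modelled loosely on the confounder-prefixed DES-era checksum types; the construction here is an assumption, not a real RFC 3961 profile) verifies fine with verify_mic, but two parties iterating it independently over the same transcript never arrive at the same value. A deterministic keyed function (HMAC-SHA-256 standing in for the RFC 3961 PRF of remedy 2) does. The iterated "cksum_i = mic(key, cksum_{i-1} || msg_i)" shape and the transcript contents are constructed assumptions; the thread only says the checksum is iterated several times.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: a shared key known to client and KDC, and a
# SPAKE-style transcript (group negotiation, both public values, challenge).
KEY = b"constructed-shared-key-0123456789"
TRANSCRIPT = [b"group=1", b"T=client-public-value", b"S=kdc-public-value", b"challenge"]
CONFOUNDER_LEN = 8


def confounded_get_mic(key, data):
    """Toy non-deterministic checksum: a fresh random confounder is prefixed
    to the data before keyed hashing and carried in the token, so every call
    on the same input yields a different token (assumption: this mimics the
    single-DES-era checksum behaviour, it is not a real RFC 3961 profile)."""
    confounder = os.urandom(CONFOUNDER_LEN)
    tag = hmac.new(key, confounder + data, hashlib.sha256).digest()
    return confounder + tag


def confounded_verify_mic(key, data, token):
    """verify_mic for the toy checksum: recover the confounder from the token
    and recompute. This works regardless of non-determinism, which is exactly
    the property RFC 3961 promises and nothing more."""
    confounder, tag = token[:CONFOUNDER_LEN], token[CONFOUNDER_LEN:]
    expected = hmac.new(key, confounder + data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def deterministic_prf(key, data):
    """Stand-in for the RFC 3961 PRF / a deterministic checksum type."""
    return hmac.new(key, data, hashlib.sha256).digest()


def transcript_checksum(mic, key, transcript):
    """Iterated transcript checksum (assumed shape):
    cksum_i = mic(key, cksum_{i-1} || message_i), starting from empty."""
    cksum = b""
    for msg in transcript:
        cksum = mic(key, cksum + msg)
    return cksum


def independent_sides_agree(mic):
    """Client and KDC each compute the transcript checksum on their own and
    then compare, as the SPAKE design requires. Returns True iff they match."""
    client_side = transcript_checksum(mic, KEY, TRANSCRIPT)
    kdc_side = transcript_checksum(mic, KEY, TRANSCRIPT)
    return client_side == kdc_side


def confounded_mic_still_verifies():
    """Sanity check: the non-deterministic checksum is perfectly usable in the
    get_mic/verify_mic pattern; it only fails when recomputed independently."""
    data = b"".join(TRANSCRIPT)
    token = confounded_get_mic(KEY, data)
    return confounded_verify_mic(KEY, data, token)


if __name__ == "__main__":
    print("confounded get_mic verifies:", confounded_mic_still_verifies())
    print("independent recomputation, confounded:", independent_sides_agree(confounded_get_mic))
    print("independent recomputation, PRF:", independent_sides_agree(deterministic_prf))
```

The confounded variant mismatches with overwhelming probability (a fresh 8-byte confounder on every iteration), which is why option 1 has to forbid single-DES keys outright rather than tolerate them, and why option 2's PRF, being a deterministic function of key and input, fits the independent-computation design without touching RFC 3961.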