Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums

"Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu> Thu, 21 September 2017 02:59 UTC

Return-Path: <hbhotz@oxy.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32737132193 for <kitten@ietfa.amsl.com>; Wed, 20 Sep 2017 19:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Level:
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRWRVKym_QCm for <kitten@ietfa.amsl.com>; Wed, 20 Sep 2017 19:59:13 -0700 (PDT)
Received: from mailout.easymail.ca (mailout.easymail.ca [64.68.200.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 357FD124B18 for <kitten@ietf.org>; Wed, 20 Sep 2017 19:59:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailout.easymail.ca (Postfix) with ESMTP id 49BE7210A3; Thu, 21 Sep 2017 02:59:12 +0000 (UTC)
Received: from mailout.easymail.ca ([127.0.0.1]) by localhost (emo02-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1COPDrKKDuth; Thu, 21 Sep 2017 02:59:12 +0000 (UTC)
Received: from [10.178.253.119] (unknown [204.89.11.242]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout.easymail.ca (Postfix) with ESMTPSA id 6E1A3210A2; Thu, 21 Sep 2017 02:59:09 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <hbhotz@oxy.edu>
In-Reply-To: <x7d1sn5zyl8.fsf@equal-rites.mit.edu>
Date: Wed, 20 Sep 2017 18:14:31 -0700
Cc: kitten@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A61D313D-EE1A-48AA-A3F0-7600927BF623@oxy.edu>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3wcbkjVOtpXDnRIVQZpNULu3-cg>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 02:59:15 -0000

Seems like a lesser of evils question. I don’t like backing up at this late stage, so I favor 1,2 over 3,4. No strong preference between 1 and 2, just don’t want to let single-DES drive the future. If we’re sure we’ll never want non-deterministic checksums, then go with 1.

> On Sep 16, 2017, at 10:24 PM, Greg Hudson <ghudson@MIT.EDU>; wrote:
> 
> RFC 3961 says about the checksum profile get_mic operation: "This
> function is not required to return the same deterministic result for
> each use; it need only generate a token that the verify_mic routine can
> check."  In practice, only the oldest checksum types (used with
> single-DES keys) are non-deterministic.
> 
> The SPAKE preauth transcript checksum is computed independently by the
> client and KDC using the RFC 3961 checksum operation (iterated several
> times).  In hindsight, this design obviously requires a deterministic
> checksum operation, so the pieces don't currently fit.  I unfortunately
> only realized this mismatch today when I started doing integration tests
> using DES keys in a prototype implementation.
> 
> The potential remedies I can think of fall into these bins:
> 
> 1. Don't change the SPAKE design.  Instead, update RFC 3961 to specify
> that new checksum types must be deterministic, and specify that SPAKE
> preauth can't be used with single-DES keys.  Aside from the
> standards-space cost of pushing our problem down into a lower layer, the
> prohibition against using SPAKE with single-DES keys could make it
> harder for clients to be configured to refuse encrypted timestamp
> preauth on a pre-realm basis.  That is perhaps not a large cost as
> Kerberos implementations are moving away from single-DES support anyway.
> 
> 2. A relatively quick fix: use PRF instead of checksum.  (Or PRF+, in
> which case we have to decide how much length of output we want.)  I
> think PRF has the requisite properties, but I would want to think on it
> more.
> 
> 3. We could use a hash (it doesn't need to be keyed) independent of RFC
> 3961.  The hash algorithm could be specified in the group profile,
> perhaps, but I believe the rejected-optimistic-challenge case poses a
> difficulty for that design.
> 
> 4. The most open-ended option is to back up and reconsider the purpose
> of the transcript checksum, which is to bind at least the public keys
> into key derivation.  The current transcript also binds in group
> negotiation and the initial factor challenge.  I can't immediately think
> of an alternative design which doesn't require the KDC to store a lot of
> information in the cookie.
> 
> _______________________________________________
> Kitten mailing list
> Kitten@ietf.org
> https://www.ietf.org/mailman/listinfo/kitten

Personal email.  hbhotz@oxy.edu