Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums

"Henry B (Hank) Hotz, CISSP" <> Thu, 21 September 2017 02:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 32737132193 for <>; Wed, 20 Sep 2017 19:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.534
X-Spam-Status: No, score=-3.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tRWRVKym_QCm for <>; Wed, 20 Sep 2017 19:59:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 357FD124B18 for <>; Wed, 20 Sep 2017 19:59:13 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 49BE7210A3; Thu, 21 Sep 2017 02:59:12 +0000 (UTC)
Received: from ([]) by localhost (emo02-pco.easydns.vpn []) (amavisd-new, port 10024) with ESMTP id 1COPDrKKDuth; Thu, 21 Sep 2017 02:59:12 +0000 (UTC)
Received: from [] (unknown []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 6E1A3210A2; Thu, 21 Sep 2017 02:59:09 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: "Henry B (Hank) Hotz, CISSP" <>
In-Reply-To: <>
Date: Wed, 20 Sep 2017 18:14:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Greg Hudson <ghudson@MIT.EDU>
X-Mailer: Apple Mail (2.2104)
Archived-At: <>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Sep 2017 02:59:15 -0000

Seems like a lesser of evils question. I don’t like backing up at this late stage, so I favor 1,2 over 3,4. No strong preference between 1 and 2, just don’t want to let single-DES drive the future. If we’re sure we’ll never want non-deterministic checksums, then go with 1.

> On Sep 16, 2017, at 10:24 PM, Greg Hudson <ghudson@MIT.EDU> wrote:
> RFC 3961 says about the checksum profile get_mic operation: "This
> function is not required to return the same deterministic result for
> each use; it need only generate a token that the verify_mic routine can
> check."  In practice, only the oldest checksum types (used with
> single-DES keys) are non-deterministic.
> The SPAKE preauth transcript checksum is computed independently by the
> client and KDC using the RFC 3961 checksum operation (iterated several
> times).  In hindsight, this design obviously requires a deterministic
> checksum operation, so the pieces don't currently fit.  I unfortunately
> only realized this mismatch today when I started doing integration tests
> using DES keys in a prototype implementation.
> The potential remedies I can think of fall into these bins:
> 1. Don't change the SPAKE design.  Instead, update RFC 3961 to specify
> that new checksum types must be deterministic, and specify that SPAKE
> preauth can't be used with single-DES keys.  Aside from the
> standards-space cost of pushing our problem down into a lower layer, the
> prohibition against using SPAKE with single-DES keys could make it
> harder for clients to be configured to refuse encrypted timestamp
> preauth on a pre-realm basis.  That is perhaps not a large cost as
> Kerberos implementations are moving away from single-DES support anyway.
> 2. A relatively quick fix: use PRF instead of checksum.  (Or PRF+, in
> which case we have to decide how much length of output we want.)  I
> think PRF has the requisite properties, but I would want to think on it
> more.
> 3. We could use a hash (it doesn't need to be keyed) independent of RFC
> 3961.  The hash algorithm could be specified in the group profile,
> perhaps, but I believe the rejected-optimistic-challenge case poses a
> difficulty for that design.
> 4. The most open-ended option is to back up and reconsider the purpose
> of the transcript checksum, which is to bind at least the public keys
> into key derivation.  The current transcript also binds in group
> negotiation and the initial factor challenge.  I can't immediately think
> of an alternative design which doesn't require the KDC to store a lot of
> information in the cookie.
> _______________________________________________
> Kitten mailing list

Personal email.