Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
Simo Sorce <simo@redhat.com> Wed, 20 September 2017 15:09 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38B4C134217 for <kitten@ietfa.amsl.com>; Wed, 20 Sep 2017 08:09:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hJ0fV3ZNd_Wo for <kitten@ietfa.amsl.com>; Wed, 20 Sep 2017 08:09:46 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 852A813318C for <kitten@ietf.org>; Wed, 20 Sep 2017 08:09:46 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0B7BF2C9746; Wed, 20 Sep 2017 15:09:31 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0B7BF2C9746
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=simo@redhat.com
Received: from ovpn-116-78.phx2.redhat.com (ovpn-116-78.phx2.redhat.com [10.3.116.78]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9C6AF5C8B7; Wed, 20 Sep 2017 15:09:30 +0000 (UTC)
Message-ID: <1505920169.1143.15.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Date: Wed, 20 Sep 2017 11:09:29 -0400
In-Reply-To: <20170919015937.GN96685@kduck.kaduk.org>
References: <x7d1sn5zyl8.fsf@equal-rites.mit.edu> <20170919015937.GN96685@kduck.kaduk.org>
Organization: Red Hat, Inc.
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Wed, 20 Sep 2017 15:09:31 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/6na4Fzt9P5Ll0_zc9qHaaOC-c04>
Subject: Re: [kitten] SPAKE and non-deterministic RFC 3961 checksums
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 15:09:49 -0000
On Mon, 2017-09-18 at 20:59 -0500, Benjamin Kaduk wrote: > On Sun, Sep 17, 2017 at 01:24:51AM -0400, Greg Hudson wrote: > > RFC 3961 says about the checksum profile get_mic operation: "This > > function is not required to return the same deterministic result > > for > > each use; it need only generate a token that the verify_mic routine > > can > > check." In practice, only the oldest checksum types (used with > > single-DES keys) are non-deterministic. > > > > The SPAKE preauth transcript checksum is computed independently by > > the > > client and KDC using the RFC 3961 checksum operation (iterated > > several > > times). In hindsight, this design obviously requires a > > deterministic > > checksum operation, so the pieces don't currently fit. I > > unfortunately > > only realized this mismatch today when I started doing integration > > tests > > using DES keys in a prototype implementation. > > > > The potential remedies I can think of fall into these bins: > > > > 1. Don't change the SPAKE design. Instead, update RFC 3961 to > > specify > > that new checksum types must be deterministic, and specify that > > SPAKE > > preauth can't be used with single-DES keys. Aside from the > > standards-space cost of pushing our problem down into a lower > > layer, the > > prohibition against using SPAKE with single-DES keys could make it > > harder for clients to be configured to refuse encrypted timestamp > > preauth on a pre-realm basis. That is perhaps not a large cost as > > Kerberos implementations are moving away from single-DES support > > anyway. > > > > 2. A relatively quick fix: use PRF instead of checksum. (Or PRF+, > > in > > which case we have to decide how much length of output we want.) I > > think PRF has the requisite properties, but I would want to think > > on it > > more. > > This is probably the most appealing option, provided we can > accurately > state which properties we need (and they are provided by PRF(+)). Why is this more appealing than just saying no to DES ? Do we have any concern we may get future enc types that have non- deterministic checksums ? > > 3. We could use a hash (it doesn't need to be keyed) independent of > > RFC > > 3961. The hash algorithm could be specified in the group profile, > > perhaps, but I believe the rejected-optimistic-challenge case poses > > a > > difficulty for that design. > > The hash algorithm could also be negotiated independently (so that in > practice, e.g., sha256 is always used, at least in the initial > deployments). > For the rejected-optimistic case there is still an issue, but if the > KDC > only supports O(2) hash algorithms during a hash transition, then the > amount of state needed in the cookie is bounded by a number that > might > be smaller than the number of supported groups (but then again, might > not). The nice thing about using the enctypes is that as new ones will come out with new, stronger checksums, we'll get those automatically, without adding a new thing to negotiate ... > > 4. The most open-ended option is to back up and reconsider the > > purpose > > of the transcript checksum, which is to bind at least the public > > keys > > into key derivation. The current transcript also binds in group > > negotiation and the initial factor challenge. I can't immediately > > think > > of an alternative design which doesn't require the KDC to store a > > lot of > > information in the cookie. > > I agree that we are likely to end up with something resembling a > "transcript hash", even if it does not directly use a hash primitve. I have to say that between PRF and a separate Hash I would rather use a separate hash. Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Robbie Harwood
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- [kitten] SPAKE and non-deterministic RFC 3961 che… Greg Hudson
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Simo Sorce
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Henry B (Hank) Hotz, CISSP
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Simo Sorce
- Re: [kitten] SPAKE and non-deterministic RFC 3961… Benjamin Kaduk