[kitten] PA-ENC-TIMESTAMP is worse than we thought; fix in aes-cts-hmac-sha2?
Nico Williams <nico@cryptonector.com> Tue, 12 April 2016 21:46 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2341112E3F9 for <kitten@ietfa.amsl.com>; Tue, 12 Apr 2016 14:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.691
X-Spam-Level:
X-Spam-Status: No, score=-2.691 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, T_TVD_FUZZY_SECURITIES=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TwLUZ1wAN3-C for <kitten@ietfa.amsl.com>; Tue, 12 Apr 2016 14:46:02 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4B1212DA8C for <kitten@ietf.org>; Tue, 12 Apr 2016 14:46:02 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTP id 9A6722AC09E; Tue, 12 Apr 2016 14:46:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:mime-version:content-type; s= cryptonector.com; bh=LzpDRzMgDgbAJRkn7d1Di/FAuYg=; b=ACKEhnWAfwQ CRfNK2vyxrP2/VgJcvknrB/OWGd/UPatK/TkR7ooR9kSqcsJql7xjYZNu4hx8OU5 L0IJizTVDfZj6Ne1KDdK4fZnYO892Dw1IlMX708yPDz6iHcSdcdytiyR1Ib0TtZQ eKi8Ih1EUyBIERUhbo5qMuG4wTuBzuCI=
Received: from localhost (me65a36d0.tmodns.net [208.54.90.230]) (Authenticated sender: nico@cryptonector.com) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTPA id 5233F2AC092; Tue, 12 Apr 2016 14:46:00 -0700 (PDT)
Date: Tue, 12 Apr 2016 16:45:59 -0500
From: Nico Williams <nico@cryptonector.com>
To: kitten@ietf.org
Message-ID: <20160412214556.GE19617@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/9gWqBdb5JPyiAAHfhEG1BwWc6y8>
Cc: "Michael J. Jenkins" <mjjenki@tycho.ncsc.mil>, "Kelley W. Burgin" <kelley.burgin@gmail.com>
Subject: [kitten] PA-ENC-TIMESTAMP is worse than we thought; fix in aes-cts-hmac-sha2?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2016 21:46:04 -0000
draft-ietf-kitten-aes-cts-hmac-sha2 wants randomly generated salts. That's nice, but... why did we ever have non-randomly-generated salts? "Convenience" seems like a nice explanation, but I suspect it wasn't just that: it may have been a half-baked security feature. C->AS: AS-REQ AS->C: KRB-ERROR w/ PA-ETYPE-INFO2 w/ a random salt C: string2key() w/ the AS's salt C->AS: AS-REQ w/ PA-ENC-TIMESTAMP using string2key() called with the server's choice of salt Do you see the problem? What if the AS is an active attacker? They can then use a single salt for all clients, one that they have a computed rainbow table for. The victim clients will happily use this salt. Mallory: <choose salt, compute rainbow table> C->Mallory: AS-REQ Mallory->C: KRB-ERROR w/ PA-ETYPE-INFO2 w/ Mallory's rainbow table salt C: string2key() w/ Mallory's choice of salt C->Mallory: AS-REQ w/ PA-ENC-TIMESTAMP using string2key() called with Mallory's choice of salt Mallory: <start off-line rainbow table attack on C's PA-ENC-TIMESTAMP> <disappear or be MITM and pass through further exchanges between C and AS> <profit> So randomizing the salt doesn't help at all. It makes things worse even: clients now can't sanity check the salt. But if the salt *must* start with an unambiguous encoding of the client's principal name and realm, _and_ if the client checks that this is so, then the attacker can no longer have a single raibow table for all victims. And we can have a random suffix in the salt to add some additional security (especially if this suffix is changed every time the user changes their password). Now, PA-ENC-TIMESTAMP is just awful and we know it, and this is NOT a new attack: RFC3962's Security Considerations describes this attack as to the iteration count (but not the salt, but the idea follows). Though it does feel like a new attack: it seems likely that RFC3962 would have mentioned salt spoofing in addition to iteration count spoofing, if the authors had thought of salt spoofing... Back then the WG did have a chance to improve some things for "newer" enctypes, and we did, so we might have done that for salts too, if we'd thought of it. Anyways, we've got two ways of addressing this problem _today_, and we're working on a third: - (existing) PKINIT (look ma', no passwords; but not trivial to deploy) - (existing) FAST tunnel (requires a bit more configuration on the clients) - (upcoming) SPAKE So maybe we just don't care about this problem. But we could perhaps plug the above hole by requiring clients to check that the salt is prefixed with an unambiguous encoding of the client principal's name and realm name at least when using the new AES-CTS HMAC-SHA2 enctypes or _newer_. (Clients should probably _not_ require this for older enctypes, not by default, for interop reasons.) This has some consequences for principal renames, but pretty much nothing else, I think. Either principal renames cannot be supported without an administrative password reset, or the KDC must force the user to change their password after a rename _and_ the client must prompt the user to confirm the rename and the previous principal name (which further means that the client must be able to extract and decode the principal name and realm name prefix from the salt). I think this is mostly a non-issue. Do we care? Enough to fix this? Now? Ever? Now's the time for the new enctypes. If not now, never (because the SPAKE will take care of this problem). If we're inclined to fix this now, I'll implement for Heimdal. Nico --
- [kitten] PA-ENC-TIMESTAMP is worse than we though… Nico Williams
- Re: [kitten] PA-ENC-TIMESTAMP is worse than we th… Henry B (Hank) Hotz, CISSP
- Re: [kitten] PA-ENC-TIMESTAMP is worse than we th… Paul Miller (NT)
- Re: [kitten] PA-ENC-TIMESTAMP is worse than we th… Nico Williams