IETF Logo Mail Archive

Re: [kitten] New EncTypes?

Benjamin Kaduk <kaduk@MIT.EDU> Fri, 20 November 2015 06:04 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 595FC1A9173 for <kitten@ietfa.amsl.com>; Thu, 19 Nov 2015 22:04:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level:
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBhUsRlS5SJO for <kitten@ietfa.amsl.com>; Thu, 19 Nov 2015 22:04:40 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id BF84C1A9171 for <kitten@ietf.org>; Thu, 19 Nov 2015 22:04:39 -0800 (PST)
X-AuditID: 12074422-f79c46d000006aa7-98-564eb7f60bb5
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 55.F7.27303.6F7BE465; Fri, 20 Nov 2015 01:04:38 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id tAK64cT7000580; Fri, 20 Nov 2015 01:04:38 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tAK64Yfk029406 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 20 Nov 2015 01:04:37 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id tAK64XBV008908; Fri, 20 Nov 2015 01:04:33 -0500 (EST)
Date: Fri, 20 Nov 2015 01:04:33 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <564D7A8A.2070208@openfortress.nl>
Message-ID: <alpine.GSO.1.10.1511200059500.26829@multics.mit.edu>
References: <FEF7E228-3AF4-4D12-B4B0-CFB935B5ABB5@oxy.edu> <564D7A8A.2070208@openfortress.nl>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixCmqrPttu1+YQftBK4ujm1exWDx9dY/N gcljyZKfTB4b/jWxBTBFcdmkpOZklqUW6dslcGXMfDqJreAdX8WSSX/ZGxg/cHcxcnJICJhI TL9wkA3CFpO4cG89kM3FISSwmEli28ebLBDORkaJ5xf+MkI4h5gk3nzthCprYJTY+vgtaxcj BweLgLbEl1NqIKPYBFQkZr7ZCDZWREBD4vOvqWA2s4ClxN5FP5lAyoUFlCVefFMCCXMK6Euc mXyFBcTmFXCUuLVwIyuILSQQK/Goq4sdxBYV0JFYvX8KVI2gxMmZT1ggRmpJLJ++jWUCo+As JKlZSFILGJlWMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Zrq5WaW6KWmlG5iBAUqu4vSDsafB5UO MQpwMCrx8N6Q9AsTYk0sK67MPcQoycGkJMprvgkoxJeUn1KZkVicEV9UmpNafIhRgoNZSYR3 qR9QjjclsbIqtSgfJiXNwaIkzjv3i2+YkEB6YklqdmpqQWoRTFaGg0NJgnfLNqBGwaLU9NSK tMycEoQ0EwcnyHAeoOE3QGp4iwsSc4sz0yHypxgVpcR5p4MkBEASGaV5cL3gRLKbSfUVozjQ K8K8b0GqeIBJCK77FdBgJqDBv2t8QQaXJCKkpBoYBWU0+J5dOXeunve+eL/JSrfep42mv0tE VDbNtxd00Uuavmrm4TvTt3wRM+ndv2rmmi+6HjGGx0XlihJute6xff0sx/Dh4oC6J6+6D7XM m+0jeWtlSMT7hU8ceI9YNq3VV3mYZmi7UruflXMF5w6Fg1I3mRt3lNYuXq+e63NU/tVudkb7 xys7lFiKMxINtZiLihMBKRjOtf8CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/AZy7Kjk4UonQ8uuR8Pv_QGeXsbI>
Cc: "kitten@ietf.org <kitten@ietf.org>" <kitten@ietf.org>
Subject: Re: [kitten] New EncTypes?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 06:04:41 -0000

On Thu, 19 Nov 2015, Rick van Rein wrote:

> Hello,
>
> > It seems to be time to do housecleaning on algorithms selections. Is
> > anyone interested in adding a new enctype to Kerberos?
> >
> One thing I would like to bring into any such discussion is that it
> would be possible to use through PKCS #11, the de-facto standard for
> storing keys on tokens, including hardware keys that will never share
> keys directly but allow their use through the API.  This extends the
> range of possible uses for Kerberos, I think.

It is probably premature to insist on this as a requirement, but it can
certainly be a part of the discussion.

> For instance, AES-CTS-HMAC uses plain standard AES and HMAC, and CTS can
> be implemented in terms of standard CBC, so it ought to be possible to
> implement with PKCS #11 (not that I've already actually tried, but it
> looks possible).

The argument would be more compelling if there was some prior art for it,
though -- I don't know of any hardware devices implementing such a scheme
at present.

> Of a similar stance, I've been wanting to see more Checksum Types, such
> as SHA256/384/512, for use with my TLS-KDH work.

Registering a new Checksum type is not particularly difficult, but seeing
that it gets implemented and used can be harder.  The de facto state of
affairs at present seems to be that Checksum types go hand-in-hand with
encryption types, and the required checksum for a given encryption type is
the only one ever used with it.  There may not be full support for using a
non-required checksum type with a given encryption type, but of course
use of checksums outside of traditional encryption types will require new
code anyway, so adding use of Checksums without encryption would not
present additional implementation effort other than that needed to
actually implement the new protocol feature.

-Ben

v2.23.0 | Report a Bug | By Email