Re: [kitten] New EncTypes?
Benjamin Kaduk <kaduk@MIT.EDU> Fri, 20 November 2015 06:04 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 595FC1A9173 for <kitten@ietfa.amsl.com>; Thu, 19 Nov 2015 22:04:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level:
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBhUsRlS5SJO for <kitten@ietfa.amsl.com>; Thu, 19 Nov 2015 22:04:40 -0800 (PST)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id BF84C1A9171 for <kitten@ietf.org>; Thu, 19 Nov 2015 22:04:39 -0800 (PST)
X-AuditID: 12074422-f79c46d000006aa7-98-564eb7f60bb5
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 55.F7.27303.6F7BE465; Fri, 20 Nov 2015 01:04:38 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id tAK64cT7000580; Fri, 20 Nov 2015 01:04:38 -0500
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tAK64Yfk029406 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 20 Nov 2015 01:04:37 -0500
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id tAK64XBV008908; Fri, 20 Nov 2015 01:04:33 -0500 (EST)
Date: Fri, 20 Nov 2015 01:04:33 -0500
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Rick van Rein <rick@openfortress.nl>
In-Reply-To: <564D7A8A.2070208@openfortress.nl>
Message-ID: <alpine.GSO.1.10.1511200059500.26829@multics.mit.edu>
References: <FEF7E228-3AF4-4D12-B4B0-CFB935B5ABB5@oxy.edu> <564D7A8A.2070208@openfortress.nl>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDIsWRmVeSWpSXmKPExsUixCmqrPttu1+YQftBK4ujm1exWDx9dY/N gcljyZKfTB4b/jWxBTBFcdmkpOZklqUW6dslcGXMfDqJreAdX8WSSX/ZGxg/cHcxcnJICJhI TL9wkA3CFpO4cG89kM3FISSwmEli28ebLBDORkaJ5xf+MkI4h5gk3nzthCprYJTY+vgtaxcj BweLgLbEl1NqIKPYBFQkZr7ZCDZWREBD4vOvqWA2s4ClxN5FP5lAyoUFlCVefFMCCXMK6Euc mXyFBcTmFXCUuLVwIyuILSQQK/Goq4sdxBYV0JFYvX8KVI2gxMmZT1ggRmpJLJ++jWUCo+As JKlZSFILGJlWMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Zrq5WaW6KWmlG5iBAUqu4vSDsafB5UO MQpwMCrx8N6Q9AsTYk0sK67MPcQoycGkJMprvgkoxJeUn1KZkVicEV9UmpNafIhRgoNZSYR3 qR9QjjclsbIqtSgfJiXNwaIkzjv3i2+YkEB6YklqdmpqQWoRTFaGg0NJgnfLNqBGwaLU9NSK tMycEoQ0EwcnyHAeoOE3QGp4iwsSc4sz0yHypxgVpcR5p4MkBEASGaV5cL3gRLKbSfUVozjQ K8K8b0GqeIBJCK77FdBgJqDBv2t8QQaXJCKkpBoYBWU0+J5dOXeunve+eL/JSrfep42mv0tE VDbNtxd00Uuavmrm4TvTt3wRM+ndv2rmmi+6HjGGx0XlihJute6xff0sx/Dh4oC6J6+6D7XM m+0jeWtlSMT7hU8ceI9YNq3VV3mYZmi7UruflXMF5w6Fg1I3mRt3lNYuXq+e63NU/tVudkb7 xys7lFiKMxINtZiLihMBKRjOtf8CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/AZy7Kjk4UonQ8uuR8Pv_QGeXsbI>
Cc: "kitten@ietf.org <kitten@ietf.org>" <kitten@ietf.org>
Subject: Re: [kitten] New EncTypes?
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 06:04:41 -0000
On Thu, 19 Nov 2015, Rick van Rein wrote: > Hello, > > > It seems to be time to do housecleaning on algorithms selections. Is > > anyone interested in adding a new enctype to Kerberos? > > > One thing I would like to bring into any such discussion is that it > would be possible to use through PKCS #11, the de-facto standard for > storing keys on tokens, including hardware keys that will never share > keys directly but allow their use through the API. This extends the > range of possible uses for Kerberos, I think. It is probably premature to insist on this as a requirement, but it can certainly be a part of the discussion. > For instance, AES-CTS-HMAC uses plain standard AES and HMAC, and CTS can > be implemented in terms of standard CBC, so it ought to be possible to > implement with PKCS #11 (not that I've already actually tried, but it > looks possible). The argument would be more compelling if there was some prior art for it, though -- I don't know of any hardware devices implementing such a scheme at present. > Of a similar stance, I've been wanting to see more Checksum Types, such > as SHA256/384/512, for use with my TLS-KDH work. Registering a new Checksum type is not particularly difficult, but seeing that it gets implemented and used can be harder. The de facto state of affairs at present seems to be that Checksum types go hand-in-hand with encryption types, and the required checksum for a given encryption type is the only one ever used with it. There may not be full support for using a non-required checksum type with a given encryption type, but of course use of checksums outside of traditional encryption types will require new code anyway, so adding use of Checksums without encryption would not present additional implementation effort other than that needed to actually implement the new protocol feature. -Ben
- Re: [kitten] New EncTypes? Benjamin Kaduk
- [kitten] New EncTypes? Henry B (Hank) Hotz, CISSP
- Re: [kitten] New EncTypes? Henry B (Hank) Hotz, CISSP
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Benjamin Kaduk
- Re: [kitten] New EncTypes? Viktor Dukhovni
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Nico Williams
- Re: [kitten] New EncTypes? Nico Williams
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Nico Williams
- Re: [kitten] New EncTypes? Henry B (Hank) Hotz, CISSP
- Re: [kitten] New EncTypes? Benjamin Kaduk
- Re: [kitten] New EncTypes? Benjamin Kaduk
- Re: [kitten] New EncTypes? stephen.farrell
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Jeffrey Altman
- Re: [kitten] New EncTypes? Simo Sorce
- Re: [kitten] New EncTypes? Henry B (Hank) Hotz, CISSP
- Re: [kitten] New EncTypes? Luke Howard
- Re: [kitten] New EncTypes? Luke Howard
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Rick van Rein
- Re: [kitten] New EncTypes? Luke Howard
- Re: [kitten] New EncTypes? Benjamin Kaduk