[kitten] review of draft-ietf-kitten-krb-spake-preauth-00
Benjamin Kaduk <kaduk@mit.edu> Fri, 18 August 2017 18:10 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02FA5126B71; Fri, 18 Aug 2017 11:10:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6BFmleC71kV; Fri, 18 Aug 2017 11:10:52 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5393A120727; Fri, 18 Aug 2017 11:10:49 -0700 (PDT)
X-AuditID: 1209190d-cb3ff700000030cd-d9-59972da7ca0e
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id CF.FC.12493.7AD27995; Fri, 18 Aug 2017 14:10:47 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id v7IIAkjn002617; Fri, 18 Aug 2017 14:10:47 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v7IIAh2q029231 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 18 Aug 2017 14:10:45 -0400
Date: Fri, 18 Aug 2017 13:10:43 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: kitten@ietf.org
Cc: draft-ietf-kitten-krb-spake-preauth@ietf.org
Message-ID: <20170818181043.GC35188@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrLIsWRmVeSWpSXmKPExsUixG6nrrtcd3qkwbluQ4vHWz4zWhzdvIrF gcljyZKfTAGMUVw2Kak5mWWpRfp2CVwZvy4/Zip45lPx+HNFA+MUuy5GTg4JAROJU4/62LsY uTiEBBYzSfQ0HYRyNjJKnP38hwXCucok8b31IiNIC4uAqsTd5onsIDabgIpEQ/dlZhBbREBY YvfWd2A2s4CBxL6mOWwgtrCApcTuV01gcV6gdYsXbmGHsAUlTs58wgJRryVx499Lpi5GDiBb WmL5Pw6QsKiAssS8favYJjDyzULSMQtJxyyEjgWMzKsYZVNyq3RzEzNzilOTdYuTE/PyUot0 jfRyM0v0UlNKNzGCQo1TkncH47+7XocYBTgYlXh4X/ycFinEmlhWXJl7iFGSg0lJlPf3rCmR QnxJ+SmVGYnFGfFFpTmpxYcYJTiYlUR4U7WnRwrxpiRWVqUW5cOkpDlYlMR5xTUaI4QE0hNL UrNTUwtSi2CyMhwcShK8s3SAGgWLUtNTK9Iyc0oQ0kwcnCDDeYCG+4DU8BYXJOYWZ6ZD5E8x KkqJ80aDJARAEhmleXC9oFQgkb2/5hWjONArwrw7Qap4gGkErvsV0GAmoMGGrdNABpckIqSk GhjdA6M4Trt4zraSDO95Z7srYM9myd0Xd5+ot9ix6e7v2zMZQ06XMdWsNwxzktL4n71qegun +BQLxRMVem+PZJ+rebZL6O08be0O3qssD76mmRm3pmrHWD58zpFc+NAzaPXCN4XC9j66Ftsf aC7rPlfkeZXx0j4XZmG29pmJOptaGOexGhuWLVJiKc5INNRiLipOBABelHS74AIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Eymk0G8wUYW2pXNEjkSv0OE3WyU>
Subject: [kitten] review of draft-ietf-kitten-krb-spake-preauth-00
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 18:10:55 -0000
Hi all, With no hats. Big-picture questions: Our transcript hash covers just the SPAKE negotiation messages (and excludes the rest of the AS-REQ/AS-REP bodies, even the SPAKE second factor messages as well?!), though the final KDC-REQ-BODY does get included in the key derivation. I haven't thought too hard about whether this is potentially problematic, but are there reasons why it would be difficult to hash everything for the transcript? Oh, or is the claim that since the KDC-REQ-BODY goes into the K' calculation that we get confirmation of "everything" anyway? We do reply key strengthening with K'[0] at present. It seems like using K'[last-n-of-proper-parity] would include more transcript checksum and thus nominally be "better"; is that flawed reasoning? We should have test vectors before final publication. I'm not sure that the registry policies make sense, most notably with respect to marking things as Required (to implement). That would seem to be effectively updating this document, and as such require standards action. In a weaker sense, anything adding values in these registries could be seen as adding to the ASN.1 module, but since it does so in a way that is clearly intended to be extensible this seems less problematic to me. Do we want to add padding to any of the ASN.1 structures to provide a way to limit side channels, or leave that to the specifications of individual factors? General review comments: In section 1.1, item (4) (either side can store password or equivalent) makes it sound like only one side needs to store anything. Maybe it's supposed to say that "Each side has freedom to pick whether to store a password or password-equivalent"? I'll also note that OpenSSL has recently changed its documentation to refer to the more-vague "randomness" since it can be hard to use "entropy" in a technically correct way. But that decision seems to fall squarely within editorial discretion, even if I had a strong opinion about it (which I don't). I wonder to some extent whether all of section 1.2 is needed for a final document. Perhaps a shorter statement noting that there are multiple different PAKEs available, DH-EKE's requirement for indistinguishable-from-random keys makes it unsuitable, and JPAKE is less preferred due to the extra round trip and server computation would suffice, before launching into the description of the actual PAKE being used. Section 1.2 should probably compare the single-round-trip nature of SPAKE against the round-trip count of ENC_TIMESTAMP. Section 1.3 notes that we allow secure transfer of material from client to KDC for verification; while reviewing I noted that (the initial challenge) from KDC to client remains unauthenticated; do we want to mention that limitation explicitly here? The last paragraph of section 1.4 left me a little puzzled, possibly just because of the word "also". It seems like we're mostly just justifying the scheme here, using a parallel to the normal RFC3961 key derivation, as well as a (not-very-clear) reference to the key derivation scheme used in the original SPAKE2 draft which is where the term "K'" originates. So, I think this could be reworded some, assuming I am understanding it properly. (We could also call out that this derivation is step (3) of the list.) In section 3.1, should we give a RFC+section reference for the "initail KDC preauthentication state" we are relying on? I thought a little bit about proposing to exclude the ASN.1 extension marker from PA-SPAKE, but the argument for doing so is fairly weak and it doesn't really have a downside, so I guess it should stay. (We could perhaps be clear that an "empty" value is a zero-length OCTET STRING.) Section 4.1 seems like it could be read as saying that the client should send an AS-REQ with no PA-DATA, and then the KDC responds with a KRB-ERROR and only the PA-SPAKE METHOD-DATA (and no others), so that a clilent that doesn't support SPAKE is stuck. We should probably clarify that METHOD-DATA is expected to contain other things, too. We could also justify the SHOULD with a claim that this preauth scheme is currently believed to be the best/strongest one that is possible when passwords are used. (PKINIT could be argued to be stronger; is there anything else for which we could make that claim?) Section 4.2 lets ("MAY") the KDC pick a group not listed by the client; do we ever expect this to result in a working connection? In section 4.6, a forward reference to section 6 when mentioning the transcript hash could be helpful. At the end of section 5 we prevent certain reuse of x and y values; it might be nice if the security considerations were subsectioned so that this could have a forward reference to the justification for this restriction. I would consider moving the note that the PRF+ used here is the RFC6113 one earlier, perhaps even to the introduction if not the start of section 7 where we talk about "PRF+ input". Should section 8 note that the value 0 is reserved? Section 9 fourth paragraph could perhaps say a bit more about why the client cannot be a signing oracle. Also in section 9, now on page 14, second paragraph, I'm not entirely sure what is at risk of compromise, which also leaves me confused as to whether the "non-" part of "non-negligible" is correct. Just below, for the paragraph after the list of forbidden checksum types, we talk of the EncryptedData messages having potential side channels. It seems that this may apply to both the encdata arm of the PA-SPAKE CHOICE and the SpakeResponse factor; should we make this more explicti? The next paragraph talks of an attacker being able to replay the final message to any of the realm's KDCs, but does not comment on whether multiple replays are possible at a given KDC. (As I understand it, MIT's lookaside cache would be expected to trigger and not incur additional authentication being logged, but I don't know that that's universal.) In section 11, I think you're not supposed to mention a list that doesn't exist yet, at least without asking for a list to be created and suggesting a name. While here, "end of the review" could get "period" after it, and "the list" could be expanded out as to the review list or kitten or other, as well as clarifying the expected membership of the review list (i.e., public or just the experts). Also, the URI or unique identifier should probably specifically be stable as well. The ASN.1 module includes an OID for spake; is that officially assigned? Some nits appear below. Thanks, Ben Nits: In the abstract, "secure second factor" is really vague about what the "secure" means. Perhaps it's best to just drop it, or otherwise clarify. The wording of Section 1 could probably be tightened up some -- "this method" (PA-ENC-TIMESTAMP) is not the only thing vulnerable to passive brute-forcing, what the passive attacker needs to see can be clarified, and we could emphasize that the offline attacks require comparatively modest effort (in the face of weak passwords): When a client uses PA-ENC-TIMESTAMP (or similar schemes, or the KDC does not require preauthentication), a passive attacker that observes either the AS-REQ or AS-REP can perform an offline brute-force attack against the transferred ciphertext. When the client principal's long-term key is based on a password, especially a weak password, offline dictionary attacks can successfuly recover the key, with only modest effort needed in the case of a weak password. In section 1.2, we say "markedly smaller key sizes with equiavlent security to a finite-field Diffie-Hellman key exchange", which is somewhat awkward. It might be better to say something like ", which is believed to provide equivalent security levels as finite-field DH key exchange at much smaller key sizes". In section 1.3, first sentence, we talk about being "coupled with" 2FA. But PAKE is one of the two factors, so it's probably better to say "part of 2FA" or "along with additional authentication factor(s). Section 1.3, second paragraph says that protectiong the OTP ("second") factor "has been mitigated" via FAST; I might consider using a less complex verb tense like "is" or "was". Later in the same paragraph, maybe s/instead/in contrast/, and specify that the key exchange is an asymmetric one, since we do a lot of symmetric key exchange in Kerberos. In section 2, when mentioning ASN.1 and DER, please add ", respectively" to bind the term to the document in question. In section 4, first pargaraph, please note that the indicated facilities are FAST facilities. The first paragraph/sentence of section 5 is rather ungainly; could it be reworded and/or split in twain? Also in section 5, I'd consider adding an "as" before "defined" in item 1 and before "a big-endian" in item 2. Item 2 should probably also clarify that there is no trailing 0 included. The phrase "registry created by this document" could change to "registry (created by this document)" in multiple places. But maybe we should just leave that to the RFC Editor's stylebook. In section 6, the initial transcript checksum is said to contain "all zero values"; would something like "the initial value consists of of all bits set to zero" be better? Page 15, second-to-last paragraph, "is weaker than the secret key" could include a secret key derived from a weak password, whose brute-force resistance is quite low (and part of the justification for this behavior). It's probably better to talk about the key size of the secret key and the strength attributed to keys of that size, than just the strength of the key itself.
- [kitten] review of draft-ietf-kitten-krb-spake-pr… Benjamin Kaduk
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Greg Hudson
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Robbie Harwood
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Greg Hudson
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Benjamin Kaduk
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Benjamin Kaduk
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Greg Hudson
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Nathaniel McCallum
- Re: [kitten] review of draft-ietf-kitten-krb-spak… Robbie Harwood