IETF Logo Mail Archive

Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list

Nico Williams <nico@cryptonector.com> Tue, 07 February 2023 21:16 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D993BC1522A4 for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 13:16:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4rp7D7qH8N7 for <kitten@ietfa.amsl.com>; Tue, 7 Feb 2023 13:16:37 -0800 (PST)
Received: from buffalo.tulip.relay.mailchannels.net (buffalo.tulip.relay.mailchannels.net [23.83.218.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38676C14E515 for <kitten@ietf.org>; Tue, 7 Feb 2023 13:16:35 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id DD6718C15E1; Tue, 7 Feb 2023 21:16:31 +0000 (UTC)
Received: from pdx1-sub0-mail-a299.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 666168C13C6; Tue, 7 Feb 2023 21:16:31 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1675804591; a=rsa-sha256; cv=none; b=Pm2DLGDL7qfvmVZPZ+8iTHtWrhaNdb1Zipu8MLd8aYRfFneIo5IMbOiBlfpiLSmtRmDvZT mL8lxiMc5uhnrKmSgWuMaWn1ACDTzTXOddKUnbGXY3zVhy4qW0feEYLtpIUFzEBoB8sp3/ K3NtAu80TJRCB1j+nI/1m4wZ0Mulb+JxDZbC+l62DelayJ9wbovBUKQnKiEQOdKW1FVd3h 9L16aiMVE8n4YDNqidHMQG8gUhIlbnhUNVbmMCT5jzsrTMIR7w+n4Xp75SmDJX9JRsecxI y1sekFey2laYYokDf7vvonIQjUhjzRPcqz1rKz82zMPNQRiJccyKZ3YKDB9V7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1675804591; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=yM8or98CEa6iZc3K7ArfWQ/tTIPlnFokbD71oSg5F/A=; b=xLo8wsYJNaA0GQIe1Ez7NZYxRcHVKOH6oxrSvc1vM3mjLXPAUbQvZBt/F9NwO1lFkN+5hU 8b9C02m3ZqHwfvfgPvRLdhEYHJ17cUBh0YIKkJYwDUUh2O+MmNtZPb4Gp1xdkTrhV3FbwR GDktbhYdrH7RIyaBdZBIkL43lzIAA5OgOgTxJeyTtfPIrdLQtXJYnwUwS89HGOLBnJ12lJ rYEDO093gthyqIx19M6Wsalf/L7xzE7a1MH8in9h3ovjMYZ39sP64tYG5488RjUstlzM6o kFlb1DkirwlxU5xivNRv/6LxZD5ONqtYUHCaicinQwIfWC8I/0fB37JsxAFMHQ==
ARC-Authentication-Results: i=1; rspamd-98dc9695d-82qjh; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Soft-Towering: 6431a2e22545fe07_1675804591727_1848961639
X-MC-Loop-Signature: 1675804591727:1562807800
X-MC-Ingress-Time: 1675804591727
Received: from pdx1-sub0-mail-a299.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.116.179.108 (trex/6.7.1); Tue, 07 Feb 2023 21:16:31 +0000
Received: from gmail.com (075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a299.dreamhost.com (Postfix) with ESMTPSA id 4PBGCL3SbnzFM; Tue, 7 Feb 2023 13:16:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1675804591; bh=yM8or98CEa6iZc3K7ArfWQ/tTIPlnFokbD71oSg5F/A=; h=Date:From:To:Cc:Subject:Content-Type; b=NsE7CI32qrrEWgHwF+nhMWbVZ+Aww7Lrcl7PaRUmNtEgH7S7Wp8ikk7gD2hvHBx9x 7LMgJR9gv9Zg0C4TC+RcJFVukpz7h/yITXoNeusz8qJ69TRjZVeFOgp9kQVaz1mT0B 9X8EpnSZjfiVb7S4AlNa/PV0zgt2SlnaDgT8dfJ05wmOAr6ge6hT77z+5GvoZ0DJSS bTybs3helEnCTfCxjoCNAZu9ulZnjOBhFesccqgbgfdRsaSBeYGFlnLz3ppoKRXj4z hIgFz3OGOqstlMUzYeVkbAkRaTPm4YzoZDs1kDTohdctT2JQ6wjR4G7CfRPM9/gNVA B7zCLBUl2o99g==
Date: Tue, 07 Feb 2023 15:16:27 -0600
From: Nico Williams <nico@cryptonector.com>
To: Simo Sorce <simo@redhat.com>
Cc: Rick van Rein <rick@openfortress.nl>, Russ Allbery <eagle@eyrie.org>, kitten@ietf.org
Message-ID: <Y+K/q3JmJ3/Ry33a@gmail.com>
References: <20230127160101.GB635@openfortress.nl> <048e6943f02302bb5cf7b8c55521931ce3748d30.camel@redhat.com> <20230128215854.629841D6333@pb-smtp20.pobox.com> <87a622tdd1.fsf@hope.eyrie.org> <875ycqtcmd.fsf@hope.eyrie.org> <20230207104841.GE30583@openfortress.nl> <01a7f7acc91b3ac1a865c006f4d883ab38d07178.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <01a7f7acc91b3ac1a865c006f4d883ab38d07178.camel@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/F7qlfn3x37oJwdL8FWnKhU-Fv0Q>
Subject: Re: [kitten] Stating support for HTTP-SASL on the HTTP WG list
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 21:16:41 -0000

On Tue, Feb 07, 2023 at 03:03:46PM -0500, Simo Sorce wrote:
> On Tue, 2023-02-07 at 10:48 +0000, Rick van Rein wrote:
> > To do this well, Cyrus SASL leaves a few things to be desired, actually;
> > namely, a state export/import facility.  This is indeed a conflict that we
> > are aware of -- SASL is stateful and HTTP is stateless.  This is the reason
> > that an earlier attempt to HTTP-SASL did not make it.  There is much more
> > clarity now, with the HTTP Authentication framework being written, and the
> > answer is bouncing the "s2s" value to allow for a fully stateless server.
> 
> This requires, in some cases, that the crypto state is fully
> exportable.

It is almost invariably the case that the context is software-only.
Even when it's not, it still can be as explained below.

> Although possible, in many cases this is simply not available,
> especially when hardware tokens (HSMs, SmartCards, TPMs) are used to
> deal with the cryptography.

Most HW token resident keys will be asymmetric keys that a mechanism
will use just once per-context.  Even on a clustered server it is
possible to have either the same key shared to all the cluster members'
tokens, or different-but-equivalent keys (e.g., N keys each with
certificates for the same name(s)).

It will never really be the case that symmetric _session_ keys are
stored on hardware tokens for the fairly obvious reasons that: a) that's
just too slow, b) the plaintext of the sessions necessarily ends up
available outside the HW token anyways, and c) it's session keys --
meaning that they lose their value when the session is closed and they
have no value before the session is opened.  Compromised session keys
can be used to decrypt previously recorded ciphertext for the
corresponding sessions, but then, an attacker that can recover session
keys can probably do much worse things without bothering to use those
keys.

Also, SASL session keys will not be used in the HTTP w/ SASL proposal
because the SL part of SASL won't be used either.  That means all the
concerns about [partially- or fully-]established security context export
w/ HW tokens are non-issues as described above.

Still, for more general cases there are two options for dealing with
session keys in HW tokens:

 - for some tokens there may be a way to export the state wrapped in a
   token-local secret key (e.g., TPMs can do this), with the wrapping
   key possibly shared to other cluster members' tokens

 - where that's not possible one can use an authenticated index into a
   table of open token object handles

The second option doesn't play well with clustered servers because then
if you resume at some server other than the one that created the state
then the other server will have to call on the first to complete the
exchange, but that's workable, and there's always the option to use a
hardware token type that can export state wrapped in a key shared with
the other cluster members' hardware tokens.

But again, none of this is ever going to be needed because the HW token
keys will be asymmetric keys used once each during a context token
exchange.

This is really a non-concern.

> > > My first reaction is that this is asking a lot of the SASL library on the
> > > server side to be able to reconstitute and continue a halfway-constructed
> > > SASL session that was negotiated by a different server, but maybe that
> > > first reaction is erroneous.
> > 
> > You are right, this is a new design aspect, and this is why we did not test
> > on round-robin HTTP servers.  I am not sure if it is so difficult to build
> > into a simpler library that has collected less history, though.  SASL can
> > come along, but some implementations are bound to make an easier link to
> > HTTP than others.
> 
> It seem you have a few uses cases in mind, do they all work in a
> distributed/load balanced environment?

There's no proposal here to use the SL part of SASL -- there couldn't be
as otherwise each HTTP request would require setting up a brand new SASL
context due to the fact that SASL's SLs are octet streams.  So the only
concern is multi-round trip context establishment w/ HW tokens being
involved, which is addressed above.

Nico
--

v2.23.0 | Report a Bug | By Email