IETF Logo Mail Archive

Re: [kitten] Question about AES mode in Kerberos

Nico Williams <nico@cryptonector.com> Fri, 13 January 2023 18:42 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3010EC159527 for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 10:42:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ijYQVTtX8NVR for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 10:42:19 -0800 (PST)
Received: from black.elm.relay.mailchannels.net (black.elm.relay.mailchannels.net [23.83.212.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05816C1522DD for <kitten@ietf.org>; Fri, 13 Jan 2023 10:42:18 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id EBE38141C36; Fri, 13 Jan 2023 18:42:17 +0000 (UTC)
Received: from pdx1-sub0-mail-a264.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 600AE141ADB; Fri, 13 Jan 2023 18:42:16 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1673635336; a=rsa-sha256; cv=none; b=StDEHNIMFzZGlyhHVrLATOKG+kADKw7/Qz6OGUHzFGuRumV3r2uU7cCaK5B5uP8d3+n8FI Hab3loLeEC0rlGldFH2OScKH/nE2Kioc6CB7txyq59LsAwaOkfE38ekujtyMoKzPZUwmgl Okt9cwATtx3X5lWMra0KqTZuIsjNI9WsPm0JD5xpL1/kUVF3vYyPGXQPPTqMSux2hDj38Z 3HjXo9ArDfvYQnyHHEkTdltRqxgIRBHzMj+WbnaGAUmv++c/pVlM+NvtIxEcQHLYnlBDIF LOrr8j97pVHBXqISTCTm4f9uStAP5Hl12FNXFV/+1JQcJ9RFIV4DcRC+YHyukA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1673635336; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Y5k04/k23ZQMs8qf/3s5eQJwDVuuP1+pGGJTAxqTPDw=; b=mQ6v2tTpdLVMLXg+5Pk/8utqCExxnLxfm68YZuUwpVHxBqGVv/YH8wwOztb22pQ3ehEGGu HJqBvTxZibvPsLy0NYgaLpnoMLwe3DfmIrFZnv+oGnfZQpzwCD0mS8qsVlPT7HWeV10FXh uFakQOtpfTEpt6sYbLrGqKWA8SkJ3HS2pBregPvmNFI78wXexHMy32X/zWBkeYU8JyfuiF Btw/eF3Z0RP2KjMK3f0CAvWQWkHd87w4ZcHdcJqUsRVU/P21JO+WtQYZHTwk2tVNWcbW9g opXoYvrwE3IxaeQhZj8IxfuPK1NjnVYeapceU+HQH0wYGbYZaHEWbtXCIvFmRA==
ARC-Authentication-Results: i=1; rspamd-7cf955c847-n68xl; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Bubble-Eight: 6214c2ab493782e6_1673635337720_879591716
X-MC-Loop-Signature: 1673635337720:2232310464
X-MC-Ingress-Time: 1673635337720
Received: from pdx1-sub0-mail-a264.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.120.227.166 (trex/6.7.1); Fri, 13 Jan 2023 18:42:17 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a264.dreamhost.com (Postfix) with ESMTPSA id 4Ntqyv32LwzM4; Fri, 13 Jan 2023 10:42:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1673635336; bh=Y5k04/k23ZQMs8qf/3s5eQJwDVuuP1+pGGJTAxqTPDw=; h=Date:From:To:Cc:Subject:Content-Type; b=YU/vk8cfmh/Z9cLSdYN1FLkglmjG7+iY8RkzvqIqd0kd7/wROcC/WglvrfnuBtPTZ Ffs4SYVeeUC3Cfrnz3q3L4bhTcqDG1BfKd/DuINcb0CSj05GgZ6wtIRBIYcICchOLa YUtBWtr/BcezmLaw0lI5wEDp6Wy6+DrG2fB5bXLs2XsUJQxivFsySG4BC+mo6Y7IIV GgTlHPySh6SXvDmbPNBP/a4w3r/5t9tZ3dPgQvuLp+c2gGxFFRNmIsLlnfkFObtFh2 TswGmKjU3gnadfNEsPZjybModFGtPtX3b/853vY6GTjNrt1zW6+fkDXhsso1D/Ypbd Y80KumXiXzc+g==
Date: Fri, 13 Jan 2023 12:42:12 -0600
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Olga Kornievskaia <aglo@umich.edu>, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y8GmBG3bNauJ2Pih@gmail.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/GVvpu4yMwrErq5ziVoY1pCdkCYc>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 18:42:23 -0000

On Sat, Jan 07, 2023 at 12:33:38PM -0500, Greg Hudson wrote:
> On 1/6/23 09:48, Olga Kornievskaia wrote:
> > I know you can't speak for them but what are the chances that MIT's
> > implementation would support it as well.
> Speaking for MIT krb5, I have several concerns about this direction:
> 
> * The motivation appears to be performance, but meaningful performance gains
> have not been demonstrated in the context of a GSS application.

I've seen a GSS-based RPC converted to TLS 1.3 w/ AES in GCM mode and
the performance improvement was ~3x.  There was no other change.

I don't think sequence number window management overhead would account
for that, and all other differences in overhead between GSS and TLS are
minimal.

> * GCM is a fragile encryption mode; any mistakes in the nonce input would
> lead to a catastrophic security vulnerability.

This is not a problem for GSS (sub-)session keys.  (Sub-)session keys
have enough entropy that we don't have to worry about their reuse, and
the IV will never be reused for obvious implementation reasons.

Because GCM is limited to 2^32 blocks of ciphertext with one key we'd
have to derive new sub-session keys before rolling over the block
counter.

> * This work creates an enctype unsuitable for general use, but which would
> require an entry in the IANA enctypes registry to be negotiable with RFC
> 4537.  Putting algorithms with very different security properties registered
> in the same registry has proven to lead to security issues (such as
> CVE-2010-1324).

I've no problem with having enctypes that are not usable outside the
Kerberos GSS mechanism.

> * The enctype can't fit within the RFC 3961 framework (I believe) because it
> requires nonce information from an upper layer.

Correct.  This is not a problem.

> * Microsoft's reason for interest ("something [...] for post-sha256")
> doesn't seem to match up with a GSS-only enctype.

A GSS-only enctype wouldn't be a general solution for that, but that
does not preclude having a GSS-only enctype.

Performance matters.

> A general-purpose enctype using AES-GCM-SIV (RFC 8452) and random nonces
> would be a better fit for Kerberos, but I don't see a good reason to specify
> it unless compelling performance gains can be demonstrated.

How does AES-GCM-SIV perform relative to AES-GCM?  If the two modes'
performance is roughly equal I'll take AES-GCM-SIV, otherwise I don't
see any reason not to have a GSS-only AES-GCM enctype.

Nico
--

v2.23.0 | Report a Bug | By Email