IETF Logo Mail Archive

Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos

Nico Williams <nico@cryptonector.com> Fri, 13 January 2023 19:30 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56C46C15DD6A for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id INQbMABX83Mq for <kitten@ietfa.amsl.com>; Fri, 13 Jan 2023 11:30:42 -0800 (PST)
Received: from bisque.elm.relay.mailchannels.net (bisque.elm.relay.mailchannels.net [23.83.212.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A73A5C15C509 for <kitten@ietf.org>; Fri, 13 Jan 2023 11:30:42 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id A111E101ADE; Fri, 13 Jan 2023 19:30:40 +0000 (UTC)
Received: from pdx1-sub0-mail-a264.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 175AF100727; Fri, 13 Jan 2023 19:30:40 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1673638240; a=rsa-sha256; cv=none; b=Wrc3pMifR1dZKGM8MaMRcPm8LOpKtky7V57HGrR7xbu6UOc5Cpy9q8rUS+MyYL5bIgBeum zpu4WdiHtLwhNN+bQd/n8JT444sLyU90fazpAgMnByvEmHwCAJIYpX/nW0CMsYHIQ2VHTw sbVBFQZoGxYfhXrOdvQ4SxojqXGPfjF/ZJXCwbCRI3srEd9R4SouHUudDb4IJt0KY6klac CExDME30zxpLSz/pudGiz+oIonbeABRJr/7l6FIJAeFNnIngBYezk8BR2qRfZctOf8tw5+ uLG8lviyGCijdsy4IDIuOgjXA9ieNsTEMda0LOfyUbzr4vQ6jmqsPn6D3OK/WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1673638240; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=ET/l0Vg+fAy35Wlm4ZgTxA0WaEAJ0O3HYcZAyV6FSIA=; b=c308G6nW5xCHDzSx6VmiDMRSU3bnUD2X8gYzxzQ7PnmLHrROiJ4QVZ+78tuxUnNs+PXfok t6qJJKao3VVda5kN9deAlXXg+cMUXSGDRz5hGxleiiKuE7XRFY5PFDnDGtMZbyNe0jo2v8 cW0bcUU3CmadX38UWjgqA15DqKXfPkt8Qe08mEpqFz1YMoR8GrG/1VL6UP9foH2I+nBYBi E/Mf5RCrtKvuXfLMJwi+LbFIcC5yjLoSBa3d37I3mdndEo/tmwng6ogl2DgrVZtN4vSi6w bQbw28Ha5cCoOFoAqWcaCgnpZxmVacrjGCgJ2jPEx69rVXL3bF1/f9bdr4+x6A==
ARC-Authentication-Results: i=1; rspamd-7cf955c847-n5jdc; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Oafish-Trail: 07a6c0905e6a3588_1673638240451_3201524512
X-MC-Loop-Signature: 1673638240451:2351103228
X-MC-Ingress-Time: 1673638240450
Received: from pdx1-sub0-mail-a264.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.120.227.166 (trex/6.7.1); Fri, 13 Jan 2023 19:30:40 +0000
Received: from gmail.com (cpe-66-25-27-1.tx.res.rr.com [66.25.27.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a264.dreamhost.com (Postfix) with ESMTPSA id 4Nts2j650bzSF; Fri, 13 Jan 2023 11:30:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1673638238; bh=ET/l0Vg+fAy35Wlm4ZgTxA0WaEAJ0O3HYcZAyV6FSIA=; h=Date:From:To:Cc:Subject:Content-Type; b=kFSgYxCx5IrNlkjpilY31fhqA732iDOpU9q6N3iNn5Opi82VWKDE/DoWrraMMP5vw 5Z6avd2FqI5lMa+9/uhhUXxF7qwQquRzeDaxYHEzi6dOrs9inxhj81PlmqESi7Whtv elweGbu8+2NW7gA4y6QAmaxwKJZ0qTdfvtQ84WUS/4cs0OeikK6zCIDCNdCqc2s6Z1 llEoe3wbQzLpSoRzsmCxAQBxU3EF7LF5SfTsVxh7DuJdVmIp+rqVTRbtml+BE60AnD gkxhHy5XU4uzDEQqkU2WgTVWHnv6/8OKw3dQoDwKjOujzoGpuaBUvVxwgjIbSq6jDX ydo4mb21m/g1A==
Date: Fri, 13 Jan 2023 13:30:34 -0600
From: Nico Williams <nico@cryptonector.com>
To: "Steve Syfuhs (AP)" <Steve.Syfuhs=40microsoft.com@dmarc.ietf.org>
Cc: Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>, Jeffrey Altman <jaltman@secure-endpoints.com>, "Olga Kornievskaia (aglo@umich.edu)" <aglo@umich.edu>, "kitten@ietf.org" <kitten@ietf.org>
Message-ID: <Y8GxWuvJRhrYO7X4@gmail.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <MW4PR21MB1970090CC5E20FC4BADA0B469CFA9@MW4PR21MB1970.namprd21.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MW4PR21MB1970090CC5E20FC4BADA0B469CFA9@MW4PR21MB1970.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/GdXpW9j3_IMAcaFzjzLgD2aoWlE>
Subject: Re: [kitten] [EXTERNAL] Re: Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2023 19:30:47 -0000

On Thu, Jan 05, 2023 at 01:39:42AM +0000, Steve Syfuhs (AP) wrote:
> Us Windows folks are vaguely interested. With our RC4 deprecation work
> winding down, it'd be nice to get something going for post-sha256.
> That said we don't have a need for GCM yet. Just looking at it from a
> crypto-agility perspective.

I've no problem with AES-GCM-SIV for general use in Kerberos, but if
AES-GCM is better performing, then I also support a GSS-only AES-GCM
enctype.

Nico
--

v2.23.0 | Report a Bug | By Email