Re: [kitten] Question about AES mode in Kerberos
Luke Howard Bentata <lukeh@padl.com> Mon, 09 January 2023 22:03 UTC
Return-Path: <lukeh@padl.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3424C14CF12 for <kitten@ietfa.amsl.com>; Mon, 9 Jan 2023 14:03:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=padl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4d5_DVD3LbX for <kitten@ietfa.amsl.com>; Mon, 9 Jan 2023 14:03:27 -0800 (PST)
Received: from us.padl.com (us.padl.com [216.154.215.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7EF4C14CF0C for <kitten@ietf.org>; Mon, 9 Jan 2023 14:03:27 -0800 (PST)
Received: from auth (localhost [127.0.0.1]) by us.padl.com (8.14.7/8.14.7) with ESMTP id 309M3MdA006979 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 9 Jan 2023 22:03:24 GMT
DKIM-Filter: OpenDKIM Filter v2.11.0 us.padl.com 309M3MdA006979
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=padl.com; s=default; t=1673301806; bh=ObMpeaCc0HDVQCduMusnVqAVi/5lV49zXeeGbYMZbIk=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=nA/aWJ2N/Nt/ozsmOK5S5on7M0WfLJ8k+iTUe1Kg40A8hg/vkApWlbfK/3HtSdrMC qsqgQGJy4Y1B5cuDEo+QleHm2M+DR+RwFs0jheo9DuYPq28+ektnmS8z65j6FBKiGC oBDyUXujFRnrP0b1pL9pkyEA+dTJAJijoJP10kfnsCssjncLlOa/cFrkBOSX5++IuW yaFEq8kEzQbmm9Sj7I24MS/4UrBqlK9z7wivLXxbfMftxcQ+nKrvMMe76+/mFyJGr+ z3/T6zW+mk94ALe+FZYDPsAOVQxaP5eusuwyTwDLXtg3KvMlNtQDQwXe6lAMPcxlMw YBsTZJmD7CJmQ==
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.200.110.1.12\))
From: Luke Howard Bentata <lukeh@padl.com>
In-Reply-To: <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com>
Date: Tue, 10 Jan 2023 09:03:10 +1100
Cc: Greg Hudson <ghudson@mit.edu>, "kitten@ietf.org" <kitten@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E609A07B-61AA-481E-A068-4B0AFBC0AFC9@padl.com>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com> <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu> <CAN-5tyFA41VMz_3tBmh+FeefBBJOxfi1AoUCqUkRHR3z43qrKg@mail.gmail.com>
To: Olga Kornievskaia <aglo@umich.edu>
X-Mailer: Apple Mail (2.3731.200.110.1.12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/KheQPOiWYafOdsQFVMucpyOlWD4>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jan 2023 22:03:32 -0000
Hi Olga, No stupid questions – I’m certainly not a cryptography expert. The difference vs TLS is that Kerberos has long-term symmetric keys as well as session keys. Care needs to be taken using the former with AES-GCM because nonce reuse breaks the algorithm (and, with random nonces, there is an invocation limit of 2^32 which is a limit not otherwise present in RFC3961). That’s why I chose to disallow so-called “native” AEAD modes with long-term keys (see draft for a definition of “native”). The draft I wrote is similar to RFC9325 in that it places the GSS-API sequence number in the nonce. As for why CTS was used instead of GCM in Kerberos, as Jeff points out, it’s because GCM wasn’t around at the time. Re: GCM-SIV, nothing has been proposed yet. Cheers, Luke > On 10 Jan 2023, at 7:25 am, Olga Kornievskaia <aglo@umich.edu> wrote: > > May I ask a stupid question? Is there something inherently different > about nonce handling/producing in Kerberos that's different from TLS? > TLS community seems to have chosen AES-GCM as their AES mode and do > acknowledge that nonce-reuse would lead to catastrophic failures. I'm > not familiar with a solution they've chosen to adapt to avoid nonce > reuse but it seems they are not discouraged from using GCM. > > I'm not sure what kind of conclusions I should draw from the > statement: "The enctype can't fit within the RFC 3961 framework (I > believe) because it requires nonce information from an upper layer." > But say NFS wanted AES-GCM it would need to negotiated it with RFC > 4537 (support for this is btw I'm not sure is implemented in an MIT > library, correct?), but to do so there needs to an IANA enctype for it > (like aes128-gcm-hmac-sha256-128, aes256-gcm-hmac-sha384-192) which > there isn't one? But there are IANA numbers for AEAD_AES_128_GCM_SIV, > AEAD_AES_256_GCM_SIV? Also, you note that mixed different security > properties is problematic. > > I have no performance claims about AES-GCM over AES-CBC except for > what I've read from the web. Statements such as that because each > block can be processed individually (in parallel) that it "can" allow > for better performance over AES-CBC. I can see that an implementation > can code it up serially and then no performance gains will be had. > Also, perhaps the performance gains are very small even when > implemented in parallel and that would be useful to know. > > For what it's worth, I found this -- > https://calomel.org/aesni_ssl_performance.html -- which is various > CPU's performance of AES-GCM, AES-CBC, and ChaCha which seem to say > that AES-GCM is faster? > > My quest was simply trying to understand why TLS has decided on GCM > (which seem to be more performant, according to some) and Kerberos did > not. All of this in hopes of improving NFS over Kerberos performance. >
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata