Re: [kitten] complementary OPAQUE SASL mechanism draft

Simon Josefsson <simon@josefsson.org> Fri, 14 October 2022 18:48 UTC


Stefan Marsiske <03cx8i55f6@ctrlc.hu> writes:

> this draft is by far less ambitious than the other introduced a few days ago on
> this list. this one only specifies a simple OPAQUE mechanism for SASL and
> mostly only the wireformat. there is no channel binding, and no secure layer.
> it also does not support cryptographic agility[1], similar to wireguard and
> other modern solutions, eliminating footguns, negotiations and other
> complexity. it only specifies one configuration, one of the two specified by
> the IRTF CFRG draft[2] with one change, the usage of argon2i for the KSF
> instead of scrypt (for which i have an issue open to change[3]).

<rant>

I really prefer this kind of security protocol design.  Experience with
other protocols, and even SASL (remember DIGEST-MD5?), has shown too
many times that negotiation and parameter choices are harmful to
security.  I wish we made GS2 and SCRAM less complex.  I understand some
people want to continue the practice for SASL mechanisms, given the
responses on my suggestion to hard-code parameters for OPAQUE*.  However
I think the arguments for that kind of design are weak at this point.  It is
easy to ask for an optional feature, and give some rationale for the
request that makes sense in isolation, but the hard part of security
protocol design is to say NO to that feature creep.  When we don't, we
all end up with ASN.1/PKIX hell and it takes years to recover.
Premature parametrization is the root of many security flaws.

/Simon