Re: [kitten] Question about AES mode in Kerberos
Greg Hudson <ghudson@mit.edu> Sat, 07 January 2023 17:33 UTC
Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB44BC14EAA3 for <kitten@ietfa.amsl.com>; Sat, 7 Jan 2023 09:33:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.213
X-Spam-Level:
X-Spam-Status: No, score=-10.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-3.114, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N_HBFfjknxW8 for <kitten@ietfa.amsl.com>; Sat, 7 Jan 2023 09:33:43 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9DCC14F720 for <kitten@ietf.org>; Sat, 7 Jan 2023 09:33:43 -0800 (PST)
Received: from [18.30.131.140] ([18.30.131.140]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 307HXcJB007369 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Sat, 7 Jan 2023 12:33:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1673112821; bh=2NRTuunCAA5J7lJnBESBXO3LwZN5IawknSwGQEdf+Iw=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=Ro+9cmFPeGk4UjLZrE7r5AayJtidgxcx6ASugubMLg9vq7FaV+ngPFwiy0dfubbkt yV1zu9wj40h5N636OTquidw2J5pNUSk89VJGbGdNrFkfhRlDiaMih5AQ4QHZd8febC xwl3Z1ew5lVSAT+bEb6LduVxQGnt6JsYOf816yyN2/0bQPkpeywnI/Bo5xGl8/zm7c u06ahV8ROQ0juWwVv0FLcg8RJtbahSPJ9P+z+iE8XZ24oIF3i+JmAvKu8h13/Wpxhy t1z0xvFHOX54Ww6nzoIPiQow1agsPA5I9Aci3Vt5rHipPeKRL/Gwy1xM4yCQTKswzQ /5womgknnGEaQ==
Message-ID: <cb3ff38f-7e62-0711-9a6c-50a96b571e2d@mit.edu>
Date: Sat, 07 Jan 2023 12:33:38 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Content-Language: en-US
To: Olga Kornievskaia <aglo@umich.edu>, Luke Howard Bentata <lukeh=40padl.com@dmarc.ietf.org>
Cc: "kitten@ietf.org" <kitten@ietf.org>
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com> <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com> <7B46A5A4-4415-4627-B964-44F2516D84FE@padl.com> <9464B1FF-6784-4D59-A4F6-1B5D58C2B94F@padl.com> <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <CAN-5tyE4eau116TkDLbvn+pTOjK_C+WEvi9SnUELr+4riTpZcw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/NiAsH9jiJjZ7QW7FzCs9jjoIL8w>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2023 17:33:47 -0000
On 1/6/23 09:48, Olga Kornievskaia wrote: > I know you can't speak for them but what are the chances that MIT's > implementation would support it as well. Speaking for MIT krb5, I have several concerns about this direction: * The motivation appears to be performance, but meaningful performance gains have not been demonstrated in the context of a GSS application. * GCM is a fragile encryption mode; any mistakes in the nonce input would lead to a catastrophic security vulnerability. * This work creates an enctype unsuitable for general use, but which would require an entry in the IANA enctypes registry to be negotiable with RFC 4537. Putting algorithms with very different security properties registered in the same registry has proven to lead to security issues (such as CVE-2010-1324). * The enctype can't fit within the RFC 3961 framework (I believe) because it requires nonce information from an upper layer. * Microsoft's reason for interest ("something [...] for post-sha256") doesn't seem to match up with a GSS-only enctype. A general-purpose enctype using AES-GCM-SIV (RFC 8452) and random nonces would be a better fit for Kerberos, but I don't see a good reason to specify it unless compelling performance gains can be demonstrated.
- [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Jeffrey Altman
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Paul Miller (NT)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Ken Hornstein
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Greg Hudson
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Steve Syfuhs (AP)
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] [EXTERNAL] Re: Question about AES mo… Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Nico Williams
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Luke Howard
- Re: [kitten] Question about AES mode in Kerberos Olga Kornievskaia
- Re: [kitten] Question about AES mode in Kerberos Luke Howard Bentata