IETF Logo Mail Archive

Re: [kitten] New Version Notification for draft-howard-gss-sanon-01.txt

Nico Williams <nico@cryptonector.com> Mon, 06 April 2020 15:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44A913A0AEC for <kitten@ietfa.amsl.com>; Mon, 6 Apr 2020 08:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BXX3c58S0GA for <kitten@ietfa.amsl.com>; Mon, 6 Apr 2020 08:43:34 -0700 (PDT)
Received: from blue.elm.relay.mailchannels.net (blue.elm.relay.mailchannels.net [23.83.212.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1053A0B1F for <kitten@ietf.org>; Mon, 6 Apr 2020 08:43:34 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 74F033405F5; Mon, 6 Apr 2020 15:43:33 +0000 (UTC)
Received: from pdx1-sub0-mail-a94.g.dreamhost.com (100-96-14-17.trex.outbound.svc.cluster.local [100.96.14.17]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id E68B4341107; Mon, 6 Apr 2020 15:43:32 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a94.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.6); Mon, 06 Apr 2020 15:43:33 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-White-Shade: 1bcbcb99221152f3_1586187813245_3301995541
X-MC-Loop-Signature: 1586187813245:1089538907
X-MC-Ingress-Time: 1586187813245
Received: from pdx1-sub0-mail-a94.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a94.g.dreamhost.com (Postfix) with ESMTP id 9E55BB1A06; Mon, 6 Apr 2020 08:43:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=FX3+63wCrIJUxDMEc67tPzgwgng=; b=BislKzSVvFv pOAim0RYSJpeEIW+lAo4AqGuTESqhTVVYdtXYBrDv8rppg0GxDRP8N1ms9jFidj4 ursrdw9QN1CCQEzAXNzueWF00MDys4wMVingpmUoAeKWY4gE6Z1qv/g3xEBg8JTk ypg2Lq0bD2vmvFzpRbQO7qfYggv+GO+0=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a94.g.dreamhost.com (Postfix) with ESMTPSA id A27FEB19F5; Mon, 6 Apr 2020 08:43:30 -0700 (PDT)
Date: Mon, 06 Apr 2020 10:43:27 -0500
X-DH-BACKEND: pdx1-sub0-mail-a94
From: Nico Williams <nico@cryptonector.com>
To: Luke Howard <lukeh@padl.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Jeffrey Altman <jaltman@auristor.com>, Greg Hudson <ghudson@mit.edu>
Message-ID: <20200406154326.GL18021@localhost>
References: <158604472122.27168.16112727090339772628@ietfa.amsl.com> <B2497A4F-81B3-42F9-AED1-CFECF1D9F7C0@padl.com> <20200405234929.GD18021@localhost> <20200406004444.GE18021@localhost> <DB682CC6-808B-45A6-998E-9EFBF50702B0@padl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <DB682CC6-808B-45A6-998E-9EFBF50702B0@padl.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduhedrudefgdekhecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggugfgjfgesthekredttderjeenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucfkphepvdegrddvkedruddtkedrudekfeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhm
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PsBohyaP_xtrkR29BLZLp2EcPgM>
Subject: Re: [kitten] New Version Notification for draft-howard-gss-sanon-01.txt
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Apr 2020 15:43:36 -0000

On Mon, Apr 06, 2020 at 11:24:31AM +1000, Luke Howard wrote:
> Agreed. I would like to implement mech_ecdh. :) But I would also like
> to avoid scope creep for SAnon due to time and funding constraints.

Understood.  SAnon will be a trivial base for a new mech_dh.

> > - Section 6.1.2
> > 
> >   The acceptor should also send a MIC along with the key, thus proving
> >   it has possession of the shared secret.  This is important, otherwise
> >   reply tokens could be replayed, and though it wouldn't be much of an
> >   attack, it's worth doing.
> 
> Happy to add this, but is it much of an attack? Both parties are
> anonymous, so (as we discovered with GS2) this mechanism is completely
> superfluous unless you intend to use a message protection service (or
> PRF), which will fail in a replay attack.

For pure GSS/SAnon apps it probably makes no difference, but it might
for future stacks combining SAnon with other things.

> Having said that: is there value in the putative MIC being of the
> public keys (as opposed to a constant) given the public keys are
> already input to the KDF?

It can be a MIC over the empty string.

> > - If you allow a target name to be imported as an anonymous name whose
> >   value is the base64 encoding of a raw public key, then the initial
> >   context token should send two public keys, and the response token
> >   should be just a MIC.
> > 
> >   [...]
> 
> How does the initiator learn of the acceptor’s public key? It seems to
> me this is useful for mech_ecdh but not SAnon?

There's two options: the mech_dh method (add a directory) and
leap-of-faith (learn the keys once, keep reusing them.

You wanted to leave the mech_dh thing out of scope, so let's do that.

In Sun's mech_dh there were pluggable name service switch modules for
the "publickey" DB, with files, nisplus, and ldap shipping in Solaris.
That was... a long time ago.  Today we'd use DNS w/ DNSSEC (DANE).

The leap-of-faith thing would work like this: the initiator uses
well-known anon names to set up a security context with some acceptor,
then inquires the resulting initiator and acceptor names, and later sets
up new contexts using the same keys (which might not work if the private
keys are gone).  To make this work at all we'd need a bit on the wire
for indicating that you want the keys to be less-ephemeral.

Anyways, forget the leap-of-faith case for now too.

> > - Section 7
> > 
> > |  The session key K1 is used as the base key for the generation of per-
> > |  message tokens and the GSS-API PRF.  The encryption type of K1 is
> > |  aes128-cts-hmac-sha256-128 as defined in [RFC8009].
> > 
> >   There should be a reference here to RFC4121.  Also, RFC4121 doesn't
> >   mention a K1.  I suspect you need to state how to derive a key of the
> >   enctype (aes128-cts-hmac-sha256-128) that would be equivalent to the
> >   AcceptorSubkey.  You might want to mention that four keys are to be
> >   derived from that per RFC4121 section 2, plus the GSS_Pseudo_random()
> >   key (GSS_C_PRF_KEY_FULL) [RFC8009].
> 
> How about:
> 
>    This session key is equivalent to the acceptor-asserted subkey
>    defined in [RFC4121] Section 2 and is used as the base key for
>    generating keys for per-message tokens and the GSS-API PRF.
> 
>    The session key encryption type is aes128-cts-hmac-sha256-128 as
>    defined in [RFC8009].  The [RFC3961] algorithm protocol parameters
>    are as given in [RFC8009] Section 5.
> 
> I’ll also add a note in 6.2 that AcceptorSubkey MUST be set.

Works for me!

> > - Test vectors?
> 
> I will add.
> 
> > - Section 10
> > 
> >   This section should repeat something about the importance of SAnon
> >   not being negotiated when it's not appropriate.
> 
> “It MUST not be selected if either party requires identification of
> its peer.” – is that OK? I would prefer not to use the word
> negotiated, as SAnon can be explicitly selected outside of
> SPNEGO/NegoEx.

Works for me!

Nico
--

v2.23.0 | Report a Bug | By Email