IETF Logo Mail Archive

Re: [kitten] Requesting WG adoption of several SCRAM related documents

Dave Cridland <dave@cridland.net> Fri, 05 November 2021 15:42 UTC

Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF0DD3A109A for <kitten@ietfa.amsl.com>; Fri, 5 Nov 2021 08:42:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15e8Q88xov4H for <kitten@ietfa.amsl.com>; Fri, 5 Nov 2021 08:42:07 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6DFF3A1097 for <kitten@ietf.org>; Fri, 5 Nov 2021 08:42:06 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id y84-20020a1c7d57000000b00330cb84834fso9848995wmc.2 for <kitten@ietf.org>; Fri, 05 Nov 2021 08:42:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=srWjw5YuJVecQsmzYISvdCx10fTgzYjwyG/qyqMDm4k=; b=TPxyZmK9DobTJf6dVH6IeLo/y0XMBbIf7GLMmYjtkL+qovshPswHRoe2OkS2aV+80m toF2PsYk/vqyn2oDJVXrbfeVWQv7tUFEqoDnGMzCb0hIHWLsvhBPwTS6sT6L4AOPzKJt WlQVB8z95tl4SU3/PWSZhYZWWYUUnrho+BWSg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=srWjw5YuJVecQsmzYISvdCx10fTgzYjwyG/qyqMDm4k=; b=k2a85RCJjWY+9yYx2Qukecun5LO+ODGaGTJMN9PB8LZY3XXn2RICqoXOeegCqiIZ39 L3dsEIMu+7ErMmlST99G8724UBSk653KiDVBnZFd1nOUNw1f5+LE1CT8z/vOyq2tC1Ed XP2vfbNw2sjitUh3vPR2S+1Dglhr/deYjtRtZsi0fRQ+3Xymik1ix6TAY6G7Huphu8bI fOnDvCtL/vBGYG9o6vRu3zIMpgntmJ4ZhYpCKvqmKEw/uisfYqT5yFo1TEk7udCLLHA1 LmU3f5HMZwd/YT88Ut2EWVtVkMpMhfjuutNif2QFhBgY7eYftR0rtnCS+w/Zk+jMcqSI TkLA==
X-Gm-Message-State: AOAM532hf8l7RRgZZzeE3DW1pdXFri1eDskljkVpUW7JZWsDaedAzdN2 Rat5p3rVoF/O+K1+dzy0yi2xy4uleM1a6XFSK63hYg==
X-Google-Smtp-Source: ABdhPJyl+Bc1mHdWeQsMU2h9qQwU6qFHUaB3gxcoVhMHd3I6R39sP6Go+GjdmeijaOf/eTE+wk+cxWW1Yu4hbil8EIc=
X-Received: by 2002:a1c:f402:: with SMTP id z2mr31625652wma.53.1636126924587; Fri, 05 Nov 2021 08:42:04 -0700 (PDT)
MIME-Version: 1.0
References: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
In-Reply-To: <4a14c16b-644f-ac40-7b3a-a1712c9aa3d2@isode.com>
From: Dave Cridland <dave@cridland.net>
Date: Fri, 05 Nov 2021 15:41:53 +0000
Message-ID: <CAKHUCzwUZJOi0KsSYcyVjHHQkc8EaRHT6=59UhXc2EWDTUi00w@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "kitten@ietf.org" <kitten@ietf.org>, Robbie Harwood <rharwood@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/PvOUVDH3pRpHyl0bpYJCmZK0J70>
Subject: Re: [kitten] Requesting WG adoption of several SCRAM related documents
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 15:42:12 -0000

On Tue, 26 Oct 2021 at 11:43, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> Dear Kitten WG participants,
>
> I would like to request WG adoption of several SCRAM related documents:
>
> 1) Extensions to Salted Challenge Response (SCRAM) for 2 factor
> authentication
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/>
>
> There were some earlier discussions of this document and it seems to be
> in scope for the current charter.
>

Three years ago I was working on a 2FA (and more specifically, TOTP)
approach for XMPP. The route described here was my first approach - a
way of passing both factors in a single exchange seemed like the
optimal path.

But on early implementation, it became obvious that UX factors render
the saved round-trips insignificant, and also the client-driven
approach this design mandates becomes undesirable. Finally, it
necessitates that every mechanism you want to have TOTP used with
needs TOTP added, and while Alexey's approach does side-step the
creation of an actual new mechanism,

The rough outline seems to be:

* Some users will have enrolled in 2FA (and therefore created a TOTP
secret), whereas others will not have.
* Sometimes, administrators will want to enforce TOTP for all users,
other times, they will wish to make it optional.
* If a TOTP secret exists on the server, its use should ordinarily be
mandatory by a client using a password, and this must be enforced by
the server.
* But, if a client is performing some form of subsequent
reauthentication, you don't want to use it or enforce it.
* Except when you do - it can be useful to re-request a TOTP code
every month, or the reverse, and choose not to re-request TOTP even
when a password mechanism is re-requested.
* Where a TOTP is required, the client will always perform some kind
of user interaction; so asking for the TOTP code as an additional RTT
is fine.

Negotiating second factors as an additional negotiation therefore
became the design, since this provided most flexibility in deployment.

Hence XEP-0388 - https://xmpp.org/extensions/xep-0388.html -
colloquially known as SASL2 which replaces the existing XMPP SASL
profile with a newer profile which is not only more extensible (useful
for other reasons in XMPP), but also has a concept of secondary
authentication "tasks".

Originally these were going to be chained mechanisms - so TOTP would
be modelled as a SASL mechanism, and usable in any order. This felt
very clever, but it turns out that "tasks" are different from
"mechanisms" is various ways - mostly in as much as they do not change
the authorization identifier, and so do not need it as an input or
output.

So what XEP-388 provides ends up being a SASL profile that has a
mechanism selection phase for authentication, then the mechanism
exchanges, but then instead of only resulting in success or failure,
also results in a continue, which presents some more tasks, one of
which must be selected and run through.

In practical terms, this gives an opportunity after the initial SCRAM,
PLAIN, etc to use TOTP, or a mandatory password change, or TOTP
initialization.

We defined the TOTP tasks in XEP-0400, and also defined a generalized
"subsequent reauthentication" system which ended up being clientkey
(draft-cridland-kitten-clientkey, and also XEP-0399). Defining
subsequent reauthentication around a SASL mechanism and associated
application-layer support gives useful flexibility, and felt more
generically useful than building it into the mechanisms, but in
retrospect it'd be nice to avoid the necessity for the application
protocol support (even if it's a nice-to-have). An option here would
be to introduce optional tasks in XEP-0388, which the existing design
doesn't have, which could then be used to token initialization.

Finally, to complete the work we were actually trying to do, we also
wrote a "pseudo-mechanism" for clients to request password resets, and
a SASL2 task for mandatory password changes.

The obvious downside of the approach we took is that it requires
changes to the SASL profiles of the application protocols - this is
certainly undesirable. It could be side-stepped by providing a
meta-mechanism, which in turn handled the enhanced exchange
internally, but this is very much a compatibility layer and (I
suspect) less efficient. In any case, XEP-0388 provides a better
profile for XMPP for various unrelated reasons.

The upside of the approach is that - I feel - it matches the
requirements of practical TOTP deployment considerably better, and
provides a flexible framework for 2FA which conforms to the design of
SASL itself.

> 2) SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha-512/>
>
> This is already implemented in Cyrus SASL, so it would be good to have
> stable documentation.
>
> 3) SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and
> Security Layer (SASL) Mechanisms
> <https://datatracker.ietf.org/doc/draft-melnikov-scram-sha3-512/>

These two look good, and we should most certainly get them published
on the standards track.

Dave.

v2.23.0 | Report a Bug | By Email